author | Florian Obser <florian@cvs.openbsd.org> | 2020-05-14 06:07:21 +0000 |
---|---|---|
committer | Florian Obser <florian@cvs.openbsd.org> | 2020-05-14 06:07:21 +0000 |
commit | 989557496ac66d0804ed6d9c4d50fff6000a8bc9 (patch) | |
tree | fdbdd2fec5593be8aa89c0fac79f7ea33d8fdb1f /usr.sbin/nsd/doc/RELNOTES | |
parent | 2028da69b287fa4c17cb977dd6c49684cacdd0fb (diff) |
We forgot to keep ChangeLog in sync in previous updates.
Bring in the missing changes up to 4.2.4.
Also bring in doc/RELNOTES.
Both changes ease the process of syncing with upstream.
OK sthen
Diffstat (limited to 'usr.sbin/nsd/doc/RELNOTES')
-rw-r--r-- | usr.sbin/nsd/doc/RELNOTES | 1930 |
1 files changed, 1930 insertions, 0 deletions
diff --git a/usr.sbin/nsd/doc/RELNOTES b/usr.sbin/nsd/doc/RELNOTES new file mode 100644 index 00000000000..d4f1dc66b8e --- /dev/null +++ b/usr.sbin/nsd/doc/RELNOTES 
@@ -0,0 +1,1930 @@ +NSD RELEASE NOTES + +4.2.4 +================ +FEATURES: + - Fix #48: Add make distclean that removes config.h made by configure. + And add maintainer-clean that removes bison and flex output. +BUG FIXES: + - Detect fixed time memcmp for openssl 0.9.8 compatibility. + - Detect EC_KEY_new_by_curve_name for openssl 0.9.8. + - include limits.h for UINT_MAX. + - If no recvmmsg, dont use msg_flags member, but errno for error, + where our fallback function left it, msg_flags also does not exist + on some systems. + - Remove unused variable warning for portability. + - Fix #52: do not log transient network full errors unless higher + verbosity is set. + - Fix regressions in configparser.y where global variables were not + set for minimal-responses, round-robin and log-time-ascii. + + +4.2.3 +================ +FEATURES: + - For #39: confine-to-zone configures NSD to not return out-of-zone + additional information. Contributed by Greg Bock. + - For #21: pidfile "" allows to run NSD without a pidfile, for + startup management tools like daemontools. + - For #21 add + contrib/patch_for_s6_startup_and_other_service_supervisors.diff + that adds support for readiness notification with READY_FD from + Cameron Nemo. +BUG FIXES: + - Fix #35: excessive logging of ixfr failures, it stops the log when + fallback to axfr is possible. log is enabled at high verbosity. + - Fixup warnings during --disable-ipv6 compile. + - The nsd.conf includes are sorted ascending, for include statements + with a '*' from glob. + - Fix #38: log address and failure reason with tls handshake errors, + squelches (the same as unbound) some unless high verbosity is used. + - Fixup clang analysis warning in xfrd_parse_received_xfr_packet + master dereference. +CHANGES: + - Number of different UDP handlers has been reduced to one. recvmmsg + and sendmmsg implementations are now used on all platforms. + Compatible implementations are in place for systems that lack the + system calls. 
+ - Socket options are now set in designated functions for easy reuse. + - Socket setup has been simplified for easy reuse. + - Configuration parser is now aware of the context in which an option + was specified. + - Fix #44: document that remote-control is a top-level nsd.conf + attribute. + + +4.2.2 +================ +BUG FIXES: + - Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the + dname_concatenate() function. Reported by Frederic Cambus. + It causes the zone parser to crash on a malformed zone file, + with assertions enabled, an assertion catches it. + - Fix #19: Out-of-bounds read caused by improper validation of + array index. Reported by Frederic Cambus. The zone parser + fails on type SIG because of mismatched definition with RRSIG. + - PR #23: Fix typo in nsd.conf man-page. + - Fix that NSD warns for wrong length of the hash in SSHFP records. + - Fix #25: NSD doesn't refresh zones after extended downtime, + it refreshes the old zones. + - Set no renegotiation on the SSL context to stop client + session renegotiation. + - Fix #29: SSHFP check NULL pointer dereference. + - Fix #30: SSHFP check failure due to missing domain name. + - Fix to timeval_add in minievent for remaining second in microseconds. + - PR #31: nsd-control: Add missing stdio header. + - PR #32: tsig: Fix compilation without HAVE_SSL. + - Cleanup tls context on xfrd exit. + - Fix #33: Fix segfault in service of remaining streams on exit. + - Fix error message for out of zone data to have more information. + + +4.2.1 +================ +FEATURES: + - Added num.tls and num.tls6 stat counters. + - PR #12: send-buffer-size, receive-buffer-size, + tcp-reject-overflow options for nsd.conf, from Jeroen Koekkoek. + - Fix #14, tcp connections have 1/10 to be active and have to work + every second, and then they get time to complete during a reload, + this is a process that lingers with the old version during a version + update. 
+BUG FIXES: + - Fix #13: Stray dot at the end of some log entries, removes dot + after updated serial number in log entry. + - Fix TLS cipher selection, the previous was redundant, prefers + CHACHA20-POLY1305 over AESGCM and was not as readable as it + could be. + - Consolidate server tls context create and remote control context + create, with hardening for the remote control tls context too. + - Fix to init event structure for reassignment. + - Fix to init event not pointer, in reassignment. + - Fix #15: crash in SSL library, initialize variables for TCP access + when TLS is configured. + - Fix tls handshake event callback function mistake, reported + by Mykhailo Danylenko. + - Initialize event structures before event_set, to stop uninitialized + values from setting event library lists and assertions, that would + sometimes also show after event_del. + - Do not use symbol from libc, instead use own replacement, if not + available, for accept4. + - Fix output of nsd-checkconf -h. + + +4.2.0 +================ +FEATURES: + - Print IP address when bind socket fails with error. + - Fix #4249: The option hide-identity: yes stops NSD from responding + with the hostname for chaos class queries. Implements the RFC4892 + security considerations. + - Patch to add support for TCP Fast Open, from Sara + Dickinson (Sinodun). + - Patch to add support for tls service on a specified tls port, + from Sara Dickinson (Sinodun). + - Use travis for build check, initial unit test and clang analysis. + - TLS OCSP stapling support, enabled with tls-service-ocsp: filename, + patch from Andreas Schulze. +BUG FIXES: + - Fix to delete unused zparser.default_apex member. + - Fix that the TLS handshake routine sets the correct event to + continue when done. + - Fix that TLS renegotiation calls the read and write routines again + with the same parameters when the desired event has been satisfied. + - Fix that TCP Fastopen has better error message and supports OSX. 
+ - Fix to avoid buffer alloc with global buffer in tls write handler. + - Fix to initialize event structure when accepting TCP connection. + - Disable TLS1.0, TLS1.1 and weak ciphers, enable + CIPHER_SERVER_PREFERENCE, patch from Andreas Schulze. + - further setup ssl ctx after the keys are loaded, for ECDH. + - Fix #10: Fix memory leaks caused by duplicate rr and include + instructions. + - Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD. + + +4.1.27 +================ +FEATURES: + - Deny ANY with only one RR in response, by default. Patch from + Daisuke Higashi. The deny-any statement in nsd.conf sets ANY + queries over UDP to be further moved to TCP as well. + Also no additional section processing for type ANY, reducing + the response size. + - Fix #4215: on-the-fly change of TSIG keys with patch from Igor, adds + nsd-control print_tsig, update_tsig, add_tsig, assoc_tsig + and del_tsig. These changes are gone after reload, edit the + config file (or a file included from it) to make changes that + last after restart. +BUG FIXES: + - Fix #4213: disable-ipv6 and dnstap compile error. + - Fix to reduce region_log_stats if condition, this removes a + debug statement. + - Fix for FreeBSD port with dnstap enabled. + - Fix to remove unused code. + - Fix #6: nsd-control-setup: Change validity time to a shorter + period (<2038). + - Fix unused definition in header remote.h. + - Fix #4236: IPV4_MINIMAL_RESPONSE_SIZE=1480 is slightly too big. + - Fix #4235: IP_PMTUDISC_OMIT on IPv4/UDP sockets. + - Fixed radtree_insert memory leak. + - Fixed access recycled variable. + + +4.1.26 +================ +FEATURES: + - DNSTAP support for NSD, --enable-dnstap and then config in nsd.conf. + - Support SO_REUSEPORT_LB in FreeBSD 12 with the reuseport: yes + option in nsd.conf. + - Added nsd-control changezone. nsd-control changezone name pattern + allows the change of a zone pattern option without downtime for + the zone, in one operation. 
+BUG FIXES: + - Fix #4194: Zone file parser derailed by non-FQDN names in RHS of + DNSSEC RRs. + - Fix #4202: nsd-control delzone incorrect exit code on error. + - Tab style fix to use tab for 8 spaces, from Xiaobo Liu. + - Fix #4205: enable-recvmmsg in mixed IPv4/IPv6 environment fails. + This sets the msg_hdr.msg_namelen correctly after receipt. + - Fix to not set GLOB_NOSORT so the nsd.conf include: files are + sorted and in a predictable order. + - Fix #3433: document that reconfig does not change per-zone stats. + + +4.1.25 +================ +FEATURES: + - nsd-control prints neater errors for file failures. +BUG FIXES: + - Fix that nsec3 precompile deletion happens before the RRs of + the zone are deleted. + - Fix printout of accepted remote control connection for unix sockets. + - Fix use_systemd typo/leftover in remote.c. + - Fix codingstyle in nsd-checkconf.c in patch from Sharp Liu. + - append_trailing_slash has one implementation and is not repeated + differently. + - Fix coding style in nsd.c + - Fix to combine the same error function into one, from Xiaobo Liu. + - Fix initialisation in remote.c. + - please clang analyzer and fix parse of IPSECKEY with bad gateway. + - Fix nsd-checkconf fail on bad zone name. + - Annotate exit functions with noreturn. + - Remove unused if clause during server service startup. + - Fix #4156: Fix systemd service manager state change notification + When it is compiled, systemd readiness signalling is enabled. + The option in nsd.conf is not used, it is ignored when read. + + +4.1.24 +================ +FEATURES: + - #4102: control interface via local socket. + configure it with control-interface: "/path/nsd.ctl" The path + has to start with a / to separate it from an IP address. + The local socket does not use SSL, but unencrypted traffic, use + file and containing directory permissions to restrict access. 
+ - configure --enable-systemd (needs pkg-config and libsystemd) can + be used to then use-systemd: yes in nsd.conf and have readiness + signalling with systemd. + - RFC8162 support, for record type SMIMEA. +BUG FIXES: + - Patch to fix openwrt for mac os build darwin detection in configure. + - Fix that first control-interface determines if TLS is used. Warn + when IP address interfaces are used without TLS. + - #4106: Fix that stats printed from nsd-control are recast from + unsigned long to unsigned (remote.c). + - Fix that type CAA (and URI) in the zone file can contain + dots when not in quotes. + - #4133: Fix that when IXFR contains a zone with broken NSEC3PARAM + chain, NSD leniently attempts to find a working NSEC3PARAM. + + +4.1.23 +================ +BUG FIXES: + - Fix NSD time sensitive TSIG compare vulnerability. + + +4.1.22 +================ +FEATURES: + - refuse-any sends truncation (+TC) in reply to ANY queries over UDP, + and allows TCP queries like normal. + - Use accept4 to speed up answer of TCP queries, on Linux, FreeBSD + and OpenBSD. +BUG FIXES: + - Fix nsec3 hash of parent and child co-hosted nsec3 enabled zones. + - Fix to use same condition for nsec3 hash allocation and free. + + +4.1.21 +================ +FEATURES: + - --enable-memclean cleans up memory for use with memory checkers, + eg. valgrind. + - refuse-any nsd.conf option that refuses queries of type ANY. + - lower memory usage for tcp connections, so tcp-count can be higher. +BUG FIXES: + - Fix unused variable warnings and uninit variable in statistics + printout from clang analyzer. + - Fix spelling error in xfr-inspect. + - Fix #3562: explain build error when flex missing. + - Fix buffer size warnings from compiler on filename lengths. + - Fix #4093: Release notes not using 2018. + + +4.1.20 +================ +BUG FIXES: + - Fix memory leak in zone file read of unknown rr formatted RRs. 
+ - Fix memory leak when rehashing nsec3 after axfr or zonefile read, + in the selectively allocated precompiled nsec3 hashes. + + +4.1.19 +================ +BUG FIXES: + - ignore fallthrough compiler warning in flex EOF rule. + - Fix warnings emitted by clang for --enable-packed. Alignment is not + a problem for x86_64, don't enable packed when the platform + requires aligned access. + - Fix spelling error in xfr-inspect. + - Fix 3392: Fix regression in 4.1.18 for notify lists with ip4 + and ip6 targets. + - Add test for support of -Wno-address-of-packed-member for + --enable-packed. + + +4.1.18 +================ +FEATURES: + - xfr-inspect, it is not installed, it prints xfr files from /tmp + made with 'make xfr-inspect' in the source dir. + - retry timeout between sending notifies dropped from 15 to 3 sec. + - NSD sends 16 notifies simultaneously. + - configure --enable-packed reduces memory usage, at expense of + unaligned reads. Saves about 17%. + - Save memory by selectively allocate precompiled nsec3 hashes, + saves about 16% memory. + - make ip-transparent option work on OpenBSD. + - Save about 2% memory by changing usage count size in name tree. + - Fix #2871: Increase number of sockets for xfrd transfers. +BUG FIXES: + - Fix gcc 7.1.1 warnings. + - Fix writev compile warning on FreeBSD. + - Fix #1446: A corrupted zone file "propagates" to good ones. + - nsd-control zonestatus prints wait time between attempts, for zones + that are in that waiting time. + - Fix collision printout of nsec3 to print name, hash and reverse. + - Fix #1567: Change crit to err log level for gettimeofday failure. + Add defines for compile without syslog. + - Fix crash for DS query when parent and child zones both configured + in nsd.conf and parent zone has not loaded properly. + + +4.1.17 +================ +FEATURES: + - zone parser parses type AVC (it has TXT format). + - Fix #1272: use writev to put tcp length field with data for outgoing + zone transfer requests. 
+BUG FIXES: + - Fix potential null pointer in nsec3 adjustment tree. + - Fix text format of deletes for CDS and CDNSKEY, single 0 to represent + empty base64 or hex string. + + +4.1.16 +================ +FEATURES: + - zone parser can parse acronyms for algorithms ED25519 and ED448. + - Fix 1243: Option to make NSD emit really minimal responses, + minimal-responses: yes in nsd.conf. +BUG FIXES: + - Calculate new udb index after growing the array, fix from + Chaofeng Liu. + - Fix missing _t to _type conversion for disable-radix-tree option. + - Printout serial error with hint it may be too big. + - Fix 1228: OpenSSL include is not guarded with HAVE_SSL + - Patch for expire state in multi-master when masters includes + broken master, from Manabu Sonoda. + - minor manpage fix. + + +4.1.15 +================ +BUG FIXES: + - Fix nsd-control and ipv6 only. + - Squelch zone transfer error address family not supported by protocol + at low verbosity levels. + - Fix #1195: Fix so that NSD fails on non-compliant values for Serial. + - Fix to rename _t typedefs because POSIX reserves them. + - Fix that nsec3 hash collisions only reported on verbosity level 3. + + +4.1.14 +================ +FEATURES: + - Fix #1132 for SERVFAIL zones perform backoff, and remembers the + timeout on next startup. +BUG FIXES: + - Fix null memcpy for radixtree with single link element. + - Robust fix against missing master in tcp_open for xfrd. + - Fix wildcards in include: config statements with chroot enabled. + - suppress compile warning in lex files. + - Fix to try every master once, then wait for timeout or notify. + - Save backoff timeout into xfrd.state file, this file has a higher + version number now. Old files are skipped silently (causes + refresh) and created as new files upon exit. + - Fix restart of zone transfers when new config becomes available. 
+ + +4.1.13 +================ +FEATURES: + - multi-master-check: yes can be used to check all masters for the + last version, using the higher version from the configured masters, + from Manabu Sonoda. + - Support RR type OPENPGPKEY from RFC 7929. + - Can config key algorithms with the digest name, eg. 'sha256'. + - configure --disable-radix-tree for about 15% lower memory usage. + - for type SRV add A/AAAA to the additional section (if possible), + just like we already do for type MX. + - more extensible edns option handling. +BUG FIXES: + - Fix compile warnings about unused result from write and strtol. + and signcompare in minmax retrytime. + - Fix #812: fix that make depend fails after distribution. + - Fix #817: xfrd update failed loop. + - Add robustness against unallocated data in nsec3 trees. + - Fix README spelling error of BSD license (reported by Joerg Jung). + - Fix multimaster for not tried full zone transfer for a expired zone. + - Fix #827: fix compile with openssl 1.1.0 with api=1.1.0. + + +4.1.12 +================ +BUG FIXES: + - Fix malformed edns query assertion failure, reported by + Michal Kepien (NASK). + + +4.1.11 +================ +FEATURES: + - When tcp is more than half full, use short timeout for tcp session. + - Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori. + - Fix #790: size-limit-xfr can stop NSD from downloading infinite zone + transfer data size, from Toshifumi Sakaguchi. Fixes CVE-2016-6173 + JVN#63359718 JPCERT#91251865. +BUG FIXES: + - Fix build without IPv6, patch from Zdenek Kaspar. + - Fix #783: Trying to run a root server without having configured it + silently gives wrong answers. + - Fix #782: Serve DS record but parent zone has no NS record. + - Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut. + + +4.1.10 +================ +FEATURES: + - ip-freebind: yesno option in nsd.conf sets IP_FREEBIND socket option + for Linux, binds to interfaces and addresses that are down. 
+ - NSD includes AAAA before A for queries over IPV6 (in delegations). + And TC is set if no glue can be provided with a delegation because + of packet size. + - print notice that nsd is starting before taking off. +BUG FIXES: + - Fix for openssl 1.1.0, HMAC_CTX size not exported from openssl. + - Fix #751: NSD fails to occlude names below a DNAME. + - If set without nsd.db print "" as the default in the man pages. + - Fix #755: NSD spins after a zone update and a lot of TCP queries. + - Fix for NSEC3 with zone signed without exact match for empty + nonterminals, the answer for that domain gets closest encloser. + - #772 Document that recvmmsg has IPv6 problems on some linux kernels. + + +4.1.9 +================ +BUG FIXES: + - Change the nsd.db file version because of nanosecond precision fix. + + +4.1.8 +================ +FEATURES: + - #732: tcp-mss, outgoing-tcp-mss options for nsd.conf, patch + from Daisuke Higashi. + - #739: zonefile changes when mtime is small are detected on reload, + if filesystem supports precision mtime values. + - RR type CSYNC (RFC7477) syntax is supported. +BUG FIXES: + - take advantage of arc4random_uniform if available, patch from + Loganaden Velvindron. + - Fix flto check for OSX clang. + - Define _DEFAULT_SOURCE with _BSD_SOURCE for glibc 2.20 on Linux. + - Fix #736: segfault during zone transfer. + - Fix #744: Fix that NSD replies for configured but unloaded zone + with SERVFAIL, not REFUSED. + + +4.1.7 +================ +FEATURES: + - support configure --with-dbfile="" for nodb mode by default, where + there is no binary database, but nsd reads and writes zonefiles. + - reuseport: no is the default, because the feature is not troublefree. + - configure --enable-ratelimit-default-is-off with --enable-ratelimit + to set the default ratelimit to disabled but available in nsd.conf. + - version: "string" option to set chaos version query reply string. 
+BUG FIXES: + - Fix zones updates from nsd parent event loop when there are a lot + of interfaces. + - portability fixes. + - patch from Doug Hogan for SSL_OP_NO_SSLvx options, for the new + defaults in the ssl libraries. + - updated contrib/nsd.spec, from Bálint Szigeti, with new configure + options. + - Allocate less memory for TSIG digest. + - Fix #721: Fix wrong error code (FORMERR) returned for unknown + opcode. NOTIMP expected. + - Fix zonec ttl mismatch printout to include more information. + - Fix TCP responses when REUSEPORT is in use by turning it off. + - Document default in manpage for rrl-slip, ip4 and 6 prefixlength. + - Explain rrl-slip better in documentation. + - Document that ratelimit qps and slip are updated in reconfig. + - Fix up defaults in manpage. + + +4.1.6 +================ +BUG FIXES: + - Fix #701: Fix that AD=1 set in a BADVERS response. + - Fix typo in zonec.c inside error message. + - Fix #711: Document that debug-mode yes is used for staying + attached to the supervisor console. + - Document verbosity 3 prints more information. + - nsd-checkconf warns for master zones with no zonefile statement. + - Fix start failure when many file descriptors are in use. + - The servfail rcode is not printed with a space in the middle. + - print failed token for config syntax error or parse error. + + +4.1.5 +================ +BUG FIXES: + - Fix #706: default port 53 not opened on ip4 because of getaddrinfo + hints initialisation failure. + + +4.1.4 +================ +FEATURES: + - RFC7553 RR Type URI support. + - removed hardcoded interface limit, --with-max-ips removed. + - SO_REUSEPORT support, by default on Linux, or with reuseport: yes. + - Admitted axfrs are logged at verbosity 1. Refused at verbosity 2. + - --enable-pie and --enable-relro-now options for a safer executable. +BUG FIXES: + - Fix NSID response for short edns sizes. + - Fix that for expired zones NSD performs an AXFR and accepts newer + and older serial numbers. 
+ - Document that minimal responses only minimizes responses to fit + in one datagram. It does not minimize smaller responses. + - Fix #618: documented need to list ip-addresses separately in + nsd.conf if there are multiple, because the source address of + replies can otherwise go wrong. + - Fix that notify from nsd-control contains soa serial. + - Fix #698 formatting errors and typos in nsd.8.in. + + +4.1.3 +================ +FEATURES: + - nsd-control addzones and delzones read list of zones from stdin. + - hmac sha224, sha384 and sha512 support, patch from David Gwynne. + - max-interfaces raised to 32. +BUG FIXES: + - Fix #665: when removing subdomain, nsd does not reparse parent zone. + - Fix task and zonestat files to be stored in a subdirectory in tmp + to stop privilege elevation. + - Fix crash in zone parser for relative dname after error in origin. + - Fix that formerrors are ratelimited. + + +4.1.2 +================ +FEATURES: + - Incoming notifies have serial number logged (at verbosity 1). +BUG FIXES: + - Remove some duplicate header includes (from Brad Smith). + - Fix tcp waiting list for zone transfers where the bind and connect + calls fail. + - Fix segfault in zone reader on invalid input. (thanks John Van de + Meulebrouck Brendgard) + - Fix segfault on double origin in zone reader (thanks John Van de + Meulebrouck Brendgard). + - Fix b64pton out of bounds error on invalid zonefile input. + (thanks John Van de Meulebrouck Brendgard) + - Fix origin directive from unused old value and subdomain parser + failure, reported by John Van de Meulebrouck Brendgard. + - Fix use after free after zonefile syntax error followed by ttl + or origin directive, reported by John Van de Meulebrouck Brendgard. + - Fix syntax error followed by too many TXT elements parse crash + reported by John Van de Meulebrouck Brendgard. + - Fix buffer overflow in config parse of domain name, + reported by John Van de Meulebrouck Brendgard. 
+ - Use reallocarray for integer overflow protection, patch submitted + by Loganaden Velvindron. + - Fix allocation integer overflow checks. + - Fix #654: Fix contradiction in notify logging verbosity level. + - Fix #655: Fix contradiction in verbosity for zone transfers. + - Made log message more consistent, changed 'axfr refused' log message + to be more consistent with other messages. Also notify refused. + - verbosity 2 logs axfr refused and notify refused. + verbosity 1 contains less log messages. + + +4.1.1 +================ +FEATURES: + - RFC 7344: CDS and CDNSKEY (read record types). + - per zone statistics with --enable-zone-stats, config zone with + zonestats: "name", zones configured with the same string are added. + - Disabled use of SSLv3 in nsd-control. + - nsd-checkconf -f prints out full name of pidfile (with dir). + - Synthesize CNAMEs with same TTL as DNAME. +BUG FIXES: + - Fix that expired zones stay expired after a server restart. + - Fix "xfrd_handle_ipc: bad mode" log errors when compiled + with --disable-bind8-stats. + - Fix #616: retry xfer for zones with no content after command. + - Fix char used as array index warnings on NetBSD. + - Fix that queries for noname CH TXT are REFUSED instead of nodata. + - Fixes for wildcard addition and deletion, speedup for some cases. + - Fix that failure to add tcp to tcp base does not leak the socket. + - Patch nsd_munin_ from Philip Paeps to use type ABSOLUTE. + - Fix spinning NSD with lots of failing transfers, due to pointer + comparison using void pointer subtraction (from Otto Moerbeek). + - Fix bug#637: fix that nsd.db grows limitlessly, an off by one + on one megabyte free chunks, created during AXFRs of large zones, + that caused the one megabyte chunk to be leaked. + - Fix casts for ctype functions (from Todd Miller). + - correct some hyphen-used-as-minus-sign (from Andreas Schulze) in + man pages. + - Fix zonesdir chroot error message. 
+ + +4.1.0 +================ +FEATURES: + - database: "" starts without mmap of database. Less memory is used, + zones are read from text zonefile. + - optimised zonefile parse code and zonefile write code. + - zonefiles-write option in nsd.conf, enabled when database is "". + The server writes changed zonefiles to disk every hour. + - xfrdfile: "" disables xfrd.state. If enabled, zones that are + same as before are not checked for a serial update at server start. + - include: "foo/nsd.d/*.conf" works, wildcard glob on includes. + - nsd shuts down during init process if given signal. + - log-time-ascii option, default yes, with readable timestamp in log. + - nsd-control addzone reports if zone already exists. + - Fix #564: add nsd-checkzone tool to check zonefile correctness. + - Increased default --with-max-ips from 8 to 16, this increases the + number of interfaces you can specify in nsd.conf to listen to. +BUG FIXES: + - Fixed shutdown message sporadically not printed on exit + (Thanks Anand Buddhdev). + - Documented zonefile %s syntax in nsd.conf man page. + - Fix manpage to put colon after zonefiles check and write. + - Change from 'Zone" to "zone" with ".. serial .. is updated" log + message. + - Changed maxbackoff for no-content secondary zones from 4h to 24h. + - Fix print filename of encompassing config file on read failure. + - Fix delete or rename of a lot of zones and make it take a + non-enormous time. + - Speed up deletion of zone contents a lot, (56s to 1s), speeds up + delete, rename and AXFR for zones. + - Fix #571: unused variable and incompatible pointer warnings when + compiled on a system without INET6. + - Fix write_socket return value check in server.c (Thanks Brad Smith, + Mark Kettenis). + - Fix that xfrd reaps children also if the signal is lost. + - Fix #577: makefile incorrectly installed manpages from srcdir. + - Fix #587: Default value for statistics is 0. + - Fix #553: Improve TXT parsing. 
+ - Fix #590: rrl log does not print wildcard as a star but escaped. + - Fix #591: rrl log messages at verbosity level 1. + - fix strptime implicit declaration error on OpenBSD. + - Fix -O3 compile flag to -O2 to avoid miscompilations. + - Allow user to override the -g -O2 CFLAGS in ./configure. + - Fix endian.h include for OpenBSD. + - Fix #600: document that provide-xfr provides AXFR and not IXFR. + - Fix rising-load-average or memory-leaks in OSes (Linux since 2.6), + that keep track of all past process parents, or leak memory + for them. Fix makes it so there is no very deep string of + process parents. + - Remove .LP after .SH in man pages. + + +4.0.3 +================ +BUG FIXES: + - Fix nsd.db unclean close check. Previous databases are considered + unclean by the code and are created anew. + - Adds nsd.db larger than 400Tb check for sanity. Also test if + filesize as documented in the file is correct. + - nsd waits for tasks to complete on stop, prevents nsd.db corruption. + - fix to not delete tmpdir too early in shutdown process. + - disabled udb checking functionality that made it very slow, + this was enabled when enable-checking was turned on. + + +4.0.2 +================ +FEATURES: + - Return REFUSED for queries to non-hosted zones. + +BUG FIXES: + - Fix expired zones to give SERVFAIL, also when parent zone loaded. + - documented nsd-control zonestatus output in nsd-control manpage. + - remove mention of nsdc from nsd-checkconf manpage. + - Disabled recvmmsg and sendmmsg usage by default because kernel + versions have implementation issues: ipv6 ignored, security issues. + - Detect libevent2 install automatically by configure, and use + event2 header files if necessary. + - Fix #551: change Regent to Copyright holder in the LICENSE, + to match the definition on opensource.org for the BSD License. + - Fix #552: zonefile loads on nsd-control reconfig when the name + of the file has changed. 
+ - Fix leak of zone name after zonefile read and fix malloc too + large that would be leaked in the radix tree. + - Fix from 3.2: make SOA RDATA comparisons in XFR more lenient (only + check serial). + - Fix that NSD will delete and recreate not-clean-closed databases. + + +4.0.1 +================ +FEATURES: + - recognizes ip-address and interface as synonyms for convenience. + - Support for EUI48 and EUI64 RR types enabled by default (RFC 7043). + - Support for CAA RRtype (RFC 6844). + - NSID can be set with "ascii_somestring" in ascii. + +BUG FIXES: + - Fix xfrd when zone transfer TCP contains zero length packets. + - Fix for NSEC3 zones where parent zone is co-hosted, also NSEC3, + because AXFRs overwrote nsec3 administration in the child zone. + - Fix that bad IXFR updates do not result in double SOA records, + and that an AXFR is started (attempted) when the zone state seems + to be inconsistent with the master's zone state. + - Log ip address for sendto and sendmmsg failures. + - Fix segfaults after read of zones with rr type WKS from zonefile. + - Seed PRNG for openssl at start of daemon, fixes SSL connection issue. + - Bugfix #534: IXFR query loop over UDP for zones that are unchanged. + - (same as in 3.2.16): fix wildcard cname to nxdomain repeated rrset. + - (same as in 3.2.16): Bugfix #542: Match RRSIG TTL with SOA TTL in + negative response. + - Check if configure in srcdir collides with outofdir build. + - Fix #546: output format errors in nsd_munin_ (Thanks Tom Hendrikx). + - Fix printout of high-chars in TXT on NetBSD. + +4.0.0 NSD 4.0 +=============== +FEATURES: + - documented in doc/NSD-4-features. Change configuration without + restart, direct nameserver control with nsd-control, support a + higher number of zones. Higher performance (compared to NSD3). + - nsdc is gone. Use kill -HUP for reload (also checks if zonefiles + have changed and rereads them), and kill -TERM for quit. Or use + nsd-control for detailed control. 
+ - cron job for nsdcpatch is gone. nsd-control write creates zonefiles. + - nsd.db has a new format that compacts itself when it is changed, + thus nsdc patch is no longer necessary. + - nsd.db is memory mapped, NSD needs (part of) that mmap in ram. + - tcp-count can go above 1000; epoll/kqueue support with libevent. + - nsd-control reconfig for updates with no restart (zones, keys, ..) + - nsd-control-setup to create keys for nsd-control (enable nsd-control + with remote-control: yes in nsd.conf). + - the NSD 3 feature of special zone stats are not ported to 4 yet, + as it would entail a complete reimplementation of the feature. +FEATURES (incremental from BETA5): + - configure --disable-recvmmsg for compat with older Linux kernels, + by default it autodetects support in the kernel on the buildmachine. + - Fix time at 2038, uint32s changed to time_t, support 64bit time_t. + - Fix use of 32bit time, for 2038, thanks to Theo de Raadt for patch. +BUG FIXES (incremental from BETA5): + - Bugfix #518 Incorrect RRL prefix length option names in nsd.conf + man page from Ville Mattila. + - Fix that xfrd, and nsd-control, does not stop responding when reload + errors out. The pid is sent like it should by server_main. + - Fix that EOF in quoted string error does not cause reload to exit. + - Fixup errors from the stack code checker. + - Removed use of random when arc4random is available. Thus, random + and srandom are then not linked with the executable. + - Fix segfault with no logfile and chroot (Thanks Patrik Lundin). + +4.0.0b5 BETA 5 release of NSD 4.0 +================================== +FEATURES: + - Optimizations for startup, qps and tcp speed, beta bug fixes and + merge with code changes with NSD 3.2.16. + - nsd-mem tool (make nsd-mem) to estimate memory usage. + - Same as NSD 3.2.16: --enable-draft-rrtypes(EUI48, EUI64), rr-slip, + rrl-ipv[46]-prefix-length, ip-transparent config options. + - configure option --disable-flto. 
+ - improved RRL logging (query details that caused blockage). + - nsd-control status prints out ratelimit if ratelimit is enabled. + - nsd-control verbosity prints out verbosity level without argument. + - Fix #491: pick program name (of executable) as syslog identity. + - printout percentage for long activities (to log). After about 5 + seconds have passed. +BUG FIXES: + - The same fixes up to NSD 3.2.16. + - Fix that old zonefile does not override newer AXFR for slave zones. + - Nicer printout of notify. + - Fix tcp zonetransfer pipeline lookup function. + - Fix compile on bigendian netbsd alpha. + - Fixup the growth and shrinkage of nsd.db. This should use less + calls to remap and change the file and mmap size. + - notify information is logged at correct verbosity level, 1. + - Fix memory statistics in nsd_munin_. + - faster nsec3 updates. + - Fixup contrib/bug390.patch for 4.0.0b4. + - remove leak of nsec3. + - allocate radixtree in region for small (5%) total savings and + about 15% savings in the radixtree itself (due to many small alloc + savings in region). + - Patch from Lukas Wunner that makes nsd.conf include files work + inside chroot/etc environments on repattern and reconfig. + - Fix race on exit of nsd, for restarts, so that the pidfile-pid + process waits until port53 has been closed before exiting. + - Patch from Lukas Wunner that makes chroot more consistent. + Make all paths absolute with the chrootdir in front, or use + an absolute zonesdir with other paths relative to that. + - Fix segfault on repeated reconfigs, double free of zone apex name. + - Fix zone parser allocations are put in the db region. + - Fix memory leak in zone parser for txt record. + - Optimizations: -O3 if possible (user can override CFLAGS), udp + buffers are set to 1m by default (if socket options exist), + use recvmmsg and sendmmsg, or only recvmmsg, or recvfrom. + - nsd.db 12% smaller, no nsec3 hash storage. Also ups udb version + because of the format change. 
The nsd.db is recreated when a + different version number is detected on startup. + - Fix region-allocator for speedup of load and change of large data. + - Increase tcpbacklog default to 256 (silently capped to 128 on BSD). + For remote control keep it at 16, it has less TCP load. + It does not actually increase TCP performance (some except), but + reduces connection loss when there is a spike in TCP connections. + - unlink xfr file if transfer is stopped, timeouted or interrupted. + And unlink xfr file in progress when the zone is deleted. + +4.0.0b4 BETA 4 release of NSD 4.0 +================================== +BUG FIXES: + - remove -fwhole-program gcc flag usage. We cannot reliably detect + if it works without failure. + - fix zonefiles-check: entry in nsd.conf + - fix gcc warning, do not use uninit value for rng init. + - remove printout of "bad transfer" to the log for notimpl. + - printout log less verbosely, not every axfr packet. + - RRL documented in nsd.conf.sample + - Fix is_apex flag for zones read from udb. + - Fix that nsec3 zones are precompiled when read from udb. This + caused assertion failures. + - Less printout of 'bad transfer'. + - Fix AXFR of NSEC3 slave zone. + - Fix that old zonefile does not override newer AXFR for slave zones. + - Nicer printout of notify on verbosity 2. + +4.0.0b3 BETA 3 release of NSD 4.0 +================================== +BUG FIXES: + - applied patch from Robin Hack to remove double pid file truncation. + - repattern is called reconfig (because most config options are + picked up, except for superuser options (chroot, logfile, port)) + - document that the zonefile attribute can be empty. + - documented that the _implicit_ pattern names are used internally. + - Added zonefiles-check option, default yes, check mtimes of zone files + on sighup and startup (from Robin Hack). + - Fix spurious assertion failure for some rrl blocks. + - Tabs and spaces nicer in nsd.conf.sample. + - List libevent in README. 
+ - Fix configure for gentoo gcc and headers. + - do-ip4 and do-ip6 nsd.conf options just like unbound. + - do not leave task files in /tmp if nsd fails to startup because + of file permissions. + - create xfrdir on make install (does not remove on make uninstall, + because this could be /tmp). + - Fix segv if xfrdir does not exit. + - log ip address with tcp failure. + - Fix time calculation of zone transfer. + +4.0.0b2 BETA 2 release of NSD 4.0 +================================== +FEATURES: + - Add and remove zones from nsd.conf with nsd-control repattern. + - Merge changes from 3.2.15 (such as xname-rcode fix). + +BUG FIXES: + - Fix for use with libev. + - 'nsd-control start' runs an absolute path to start sbin/nsd. + - Fix for use with libevent-2.1.2. + - --with-logfile sets the logfile inside the example documentation. + - Fixed addzone and delzone inside chroot (thanks Will Pressly). + - Fix make outside of source directory. + +4.0.0b1 BETA 1 release of NSD 4.0 +================================== +FEATURES: + - add and remove zones without restart. + - nsdc is gone, use nsd-control for direct server control. + - performance increases + - support lots of zones + - and more ... + - longer desc in doc/NSD-4-features + +BUG FIXES: + - core code is fixed like 3.2.15r3763 (12 dec 2012). + + +3.2.16 (development branch) +================================= + +FEATURES: + - New config option "ip-transparent:" to allow NSD to bind to + non local addresses. Default no. + - Use IPV6 minimum MTU settings with TCP to reduce failures that + are caused by delays in learning working PMTU when communicating + through a tunnel. + - Bugfix #496: Support for EUI48 and EUI64 RR types. Experimental, + turned off by default. Enable with --enable-draft-rrtypes. + - New config option "rrl-slip:" to set the average number of + packets discarded before we send back a truncated response. 
+ - New config option "rrl-ipv4-prefix-length:" and + "rrl-ipv6-prefix-length:" to set the prefix lengths. + - Improved RRL logging, also print triggering query src address and + QTYPE. + - Provide RRL documentation in nsd.conf.sample. + +BUG FIXES: + - Bugfix #357: Parent process waits until children closed down + sockets, to prevent NSD failing to bind to sockets when restarting. + - Bugfix #487: lookup3.c determine endianness for BSD systems. + - Bugfix #491: pick program name (0th argument) as syslog identity. + - Bugfix #494: Exit with return code 1 if socket code fails. + - RRtypes ASFDB, RP, RT should not compress dnames. + - Fix outgoing-interface: Don't fail if family is IPv6 but + only IPv4 outgoing-interface is set, or vice versa. + - RRtypes ASFDB, RP, RT should not compress dnames. + - Check that zone directory is within chroot directory. + - Better XFR checking, fallback to AXFR (if allowed) if three + malformed XFR packets have been seen. + + +3.2.15 +================================= + +FEATURES: + - Support for ILNP RR types: NID, L32, L64, LP (RFC6742). + - RRL, --enable-ratelimit at configure time and config options. + - TSIG initialization only fails when there is no digest found + at all. + +BUG FIXES: + - Bugfix #478: Declaration after statement (for gcc 2.95). + - Bugfix #483: Better error message in case of TSIG error. + - Bugfix #485: TTL should not be greater than 2^31 - 1. + - Fix RCODE when CNAME loop final answer does not exist, should + return NXDOMAIN as stated by RFC 6604. + - Fix --disable-full-prehash bug, where after multiple incoming + IXFRs, NSEC3 can be removed unjustified. + +3.2.14 +================ + +FEATURES: + - TCP writev support. + +BUG FIXES: + - Fix build on OpenBSD (thanks Oliver Peter). + - Prioritize notify sender for requesting XFR (thanks Ilya Bakulin). + - Fix crash in zonec if TXT string too long (thanks Ilya Bakulin). + - tzset before chroot for correct timezone (thanks Camiel Dobbelaar). 
+ - Fix --disable-full-prehash bug when nsdc patch happens while ixfr too, + it did not rehash the new database. + - Bugfix #464: Conditionally define MAXHOSTNAMELEN. + +3.2.13 +================ + +BUG FIXES: + - Fix for nsd-patch segfault if zone has been removed from nsd.conf + (thanks Ilya Bakulin). + - Bugfix #460: man page correction - identity. + - Bugfix #461: NSD child segfaults when asked for out-of-zone data + with --enable-zone-stats. [VU#517036 CVE-2012-2979] + + +3.2.12 +================ + +BUG FIXES: + - Fix for VU#624931 CVE-2012-2978: NSD denial of service + vulnerability from non-standard DNS packet from any host + on the internet. + http://www.nlnetlabs.nl/downloads/CVE-2012-2978.txt + + +3.2.11 +================ + +FEATURES: + - Fallback to AXFR if IXFR is unknown at the primary. NSD considers + IXFR unknown at the primary if there is a negative response for the + IXFR RRtype. This does not override the value for + 'allow-axfr-fallback'. + - Allow for reading in new DNSKEY algorithm mnemonics (RFC5155, + RFC5702, RFC5933, and RFC6605 (ECDSA)). + - Zone statistics, enable with --enable-zone-stats. This stores the + BIND8 stats per zone in a configurable statistics file. This option + does not scale and should therefore not be enabled when serving + many zones. + - Support for TLSA RRtype (DANE). + +BUG FIXES: + - Fix for qtype ANY for a wildcard domain in NSEC signed zone: Don't + add the wildcard domain NSEC into the answer section. Instead, + put the wildcard expanded NSEC into the answer section and keep the + wildcard domain NSEC in the authority section. + - Fix for accept spinning reported by OpenBSD. + - Fix restart failed due to bad ixfr packet because of zone removed + from nsd.conf. + - Bugfix #453: typo in nsdc man page. + +OPERATIONAL NOTES: + - NSD uses the query name for dname compression again (Fix #235 + had as side effect that this didn't happen anymore and is hereby + undone). 
+ + +3.2.10 +================ + +BUG FIXES: + - Bugfix #421: Truncate pidfile on shutdown, before unlink. + - Bugfix #423: Fix slow zone transfer processing due to + 'Fix is_existing flag for ENT' bugfix. + - Fix bug #430: segfault when MAX_INTERFACES set to more than 65K. + - Fix configure.ac strptime check for gcc 4.6.2, acx_nlnetlabs update. + + +3.2.9 +================ + +FEATURES: + - Minimize responses to reduce truncation: NSD will only add optional + records to the authority and additional sections when the response + size does not exceed the minimal response size. + + The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4), + 1220 (EDNS/IPv6), or the advertized EDNS buffer size if that is + smaller than the EDNS default. + + The feature is enabled by default. You can disable it by configuring + NSD with --disable-minimal-responses. + + - Less NSEC3 prehashing. This will make NSD handle zone transfers + faster, but will decrease the performance of NXDOMAIN and wildcard + NODATA responses. Full prehashing is enabled by default. If you want + less NSEC3 prehashing, configure NSD with --disable-full-prehash. + Thanks Secure64 for the patch. + +BUG FIXES: + - Bugfix #302: nsd accepts XFR but refuses to re-read the slave zone. + - Bugfix #365: set patch style and zonec verbose for nsdc. + - First step of bug #369: RRSIG DNSKEY sets zone to be treated DNSSEC. + - Bugfix #375: typos in nsd.conf.5. + - Bugfix #381: Binary escaped and transfers. + - Bugfix #397: Don't allow relative domain names as origin in $INCLUDE + directives. + - Fix printout of IPSECKEY by nsd-patch. + - Fix is_existing flag for ENT when domain that has a shared ENT + is deleted by IXFR. (ENT == Empty Non-Terminal) + - Fix bug if the zonefile is changed for a secondary but stored + transfers are applied, and stop it from applying ixfr to empty zone. + The zone is flagged with error and AXFR-ed. + - Fix to have no authority NS set processing for CNAMEs. 
+ - Fix nsd-checkconf to check tsig algorithms properly. + - Set the AA bit on responses that have an authoritative CNAME. + - Fix denial of existence response for empty non-terminal that looks + like a NSEC3-only domain (but has data below it). + +OPERATIONAL NOTES: + - nsd.db version number increased because NSD 3.2.7 and earlier + zonec is not compatible due to the TXT strings change. Please + run nsdc rebuild before running NSD 3.2.9 and later versions. + + +3.2.8 +============= + +BUG FIXES: + - Do setusercontext() before chroot(), otherwise login.conf etc. are + required inside chroot. + - Bugfix #216: Fix leak of compressiontable when the domain table increases + in size. + - Bugfix #348: Don't include header/library path if OpenSSL is in /usr + - Bugfix #350: Refused notifies should log client ip. + - Bugfix #352: Fix hard coded paths in man pages. + - Bugfix #354: The realclean target deletes a bit too much. + - Bugfix #357, make xfrd quit with many zones. + - Bugfix #362: outgoing-interface and v4 vs. v6 leads to spurious + warning messages. + - Bugfix #363: nsd-checkconf -v does not print outgoing-interface ok. + - Bugfix: nsd-checkconf -o outgoing-interface omits NOKEY. + +OPERATIONAL NOTES: + - Use 'make clean' to clean up files that make created. + - Use 'make realclean' to also clean up files that were generated by + running ./configure. + - Use 'make devclean' to also clean up autoconf, autoheader files. + +3.2.7 +============= + +BUG FIXES: + - Bugfix #253: Don't put NS RRs in a response with QTYPE=DS. + - Bugfix #320: use arcrandom(4) for QID generation if available. + - Bugfix #328: nsd-checkconf overrun. + - Bugfix #343: nsdc update fix. + - Bugfix #347: Wrong NSEC3 returned for nodata response QTYPE=DS no delegation. + - Bugfix: Allow for huge amount of strings in TXT (and other) records. + - Bugfix: nsdc can now deal with tsig algorithms other than hmac-md5. + - Fixed several parts in the documentation, including #306, #345. 
+ +3.2.6 +============= + +BUG FIXES: + - Bugfix #314: correctly print NSEC next field, escape spaces and + fix label overflows. + +FEATURES: + - Expand command line option '-a' and config option 'ip-address:' + with port number. + +OPERATIONAL NOTES: + - Configure options --disable-dnssec, --disable-nsid, --disable-tsig + are removed. + - Configure option --max-interfaces is renamed to --max-ips. + +3.2.5 +============= +BUG FIXES: + - NSD will not start if chroot is configured, but changing root is + not possible (it used to ignore the badly configured chroot). + - Make use of the more secure strl* functions. + - Bugfix #303: spelling error. + +FEATURES: + - New option 'nsid:', to specify the NSID (Bugfix #298). + - The default chroot can be set with --with-chroot=<dir>. + If not set, by default chroot will not be used (thanks Jakob Schlyter). + - Optimized zonec and b64_pton compatibility code (thanks Martin Svec). + - Optimized memory allocations. Use mmap/munmap instead of malloc/free. + Experimental, by default off. Enable it at build time with + --enable-mmap (thanks Martin Svec). + +OPERATIONAL NOTES: + - NSID support is now enabled by default. + +3.2.4 +============= +BUG FIXES: + - Bugfix #269: Additional C99 syntax. + - Bugfix #276: Zonec prints debug data to stderr. + - Bugfix #286: Document verbosity levels in nsd.conf manual page. + - Bugfix #288: Ignore SIGHUP to child processes. + - Fix typo in include file for setusercontext. + +FEATURES: + - Support DLV records. + - New option 'tcp-query-count:', to limit the maximum number of + DNS queries on a single tcp connection. + - New option 'tcp-timeout:', to override the default tcp timeout. + The default can also be set at build time, --with-tcp-timeout=<number>. + - New option 'notify-retry:', to configure how many times NSD should retry + a NOTIFY message. + - New options 'ipv4-edns-size:' and 'ipv6-edns-size:'. to set your preferred + EDNS buffer size. 
+ +OPERATIONAL NOTES: + - UDP/IPv4 sockets have new options set that will disable the DF flag in IP + packets. + +3.2.3 +============= +BUG FIXES: + - Bugfix #236: Allow RRs before the SOA in a zonefile. + - Bugfix #249: Remove the C99 code. + - Bugfix #253: Don't put NS RRs in a response with QTYPE=DNSKEY. + - Bugfix #263: Make TSIG algorithm comparison case insensitive. + - Bugfix #266: Build failed on systems without strptime. + - Bugfix: install hickup. + - Fix to use 4096 EDNS limit for IPv6 on Linux. + +3.2.2 +============= +BUG FIXES: + - Off-by-one buffer overflow fix while processing the QUESTION section. + - Return BADVERS when NSD does not implement the VERSION level of the + request, instead of 0x1<FORMERR>. + - Bugfix #234. + - Bugfix #235. + - Reset 'error occurred' after notifying an error occurred at the $TTL or + $ORIGIN directive (Otherwise, the whole zone is skipped because the + error is reset after reading the SOA). + - Minor bugfixes. + +3.2.1 +============= +OPERATIONAL NOTES: + - NSD will now fallback to AXFR, only if the master does not support IXFR. + - You can adjust nsdc patch to skip textfile patching. This will + increase the patching process, but will not output to zonefiles + anymore. By default, this is off. + +BUG FIXES: + - When configuring, don't do strptime test when cross-compiling. + - Bug #230: Output non-error messages to stdout. + - Better error message when ixfr.db old file format is read. + - Bug #218: shared UDP query for all interfaces. + - Bug #222: Remove bashism from nsdc script. + - Nicer check for SHA-256 functionality. + - Fixed some minor memory leaks that occurred on reload. + - nsdc: check if a lockfile has not gone stale, when lock failed. + - Bugfix strptime compatibility function + +FEATURES: + - New configuration option 'allow-afxr-fallback', "yes" by default. If + set to "no", NSD will never do AXFR fallback, even if the master + does not support IXFR. + - Allow file rotation on nsd.log. 
+ - The new nsd-patch options -s and -o allows you to skip writing + zonefiles and store the output directly to a database file, + respectively. + +3.2.0 +============= +OPERATIONAL NOTES: + - Format of ixfr.db has changed. When you are planning an upgrade to the + new NSD release, make sure to process the old ixfr.db before starting + the new release (by running nsdc patch). + - IXFR is transmitted over TCP by default instead of UDP. If you want to + continue the use of IXFR/UDP, please modify your zone configuration + file to: + request-xfr: UDP 1.2.3.4 tsigkey + We strongly recommend to enable TSIG if you send IXFR over UDP. + When all masters fail to transmit IXFR/UDP, slave will fallback to + IXFR/TCP and eventually AXFR/TCP. + - nsd-patch prints errors to stderr instead of stdout. + +BUG FIXES: + - Only normalize dnames in rdatas when rrtype is listed in RFC 4034, + section 6.2: Canonical RR Form, following + draft-ietf-dnsext-dnssec-bis-updates (affects RRSIG and NSEC records). + - Typo in zonec manpage. + - Bugfix in log_finalize. + - Fix race condition between nsdc patch and server reload. + +FEATURES: + - AXFR/TCP fallback in case of failing IXFR zone transfers. + - RFC 4635: support for hmac-sha1 and hmac-sha256 TSIG algorithm + identifiers, "Bugfix #130". + - Configure the source ip-address for notifies (master) and zone + requests (slave) in nsd.conf, "Bugfix #148". + - nsd-notify and nsd-xfer allow you to configure the outgoing + hostname and source port, in addition to the source address. + - Additional debug and verbose log messages. + +3.1.1 +============= +BUG FIXES: + - Try to avoid race conditions with NSD reloading and nsdc running, + by writing pidfile before closing old parent process. + - Fixed NSEC3 memory leak in the case NSEC3 is not needed. + - Fixed some memory leaks that happened on error, mostly on + zone transfer errors. + - Bugfix #191: nsd-checkconf allowed only (max_interfaces-1) interfaces. 
+ +FEATURES: + - The number of maximum interfaces allowed is configurable with + --with-max_interfaces=<number> (thanks John Lightsey). + +3.1.0 +============= +OPERATIONAL NOTES: + - Default locations of nsd.db, ixfr.db & xfrd.state are changed to + the /var/db/nsd directory. + +BUG FIXES: + - Zone compiler gives more sane error messages when out of + diskspace and bug #172: when compiling single zone file. + - Changed man pages format from mdoc to mansun, to support the Solaris OS. + - Log tcp read error only when connection not reset by peer or when + verbosity level is high. + - RRs are compared without checking the TTL value. + +FEATURES: + - NSD is now NSEC3 enabled by default. You can disable it by configuring + NSD with --disable-nsec3. + - Added "hide-version" configuration setting. Enabling this feature + stops NSD from answering to CHAOS class version requests. + - Added bind2nsd 0.5.0 (http://bind2nsd.sourceforge.net) in contrib/. + - Report source and zone for denied AXFR attempts. + +3.0.8 +============= +FEATURES: + - Better logging for nsd-notify (show 'broken' zone) + - Add configuration for chkconfig to control nsd service. + +BUG FIXES: + - Fixed nsdc start when nsd already running: do not initialize server, + since it is already running. + - Fixup bug where data related files are looked up in the wrong + directory when chrooted with chrootdir ending with a slash. + - Fixup bug where nsd would return FORMERR if received an edns + query with version set to zero and rdlen larger than zero. + - Fixed strptime, so that zonec will also work on systems with broken + strptime (like leopard :-)) + - Do not answer nsec3 wildcard information when DO bit is not set + - Better logging when creating database failed. + - Various spelling errors + +3.0.7 +============= +BUG FIXES: + - Error handling for malformed IXFRs improved. + - Fixed man pages, consistent syntax. + +3.0.6 +============= +FEATURES: + - Report source and zone for denied AXFR attempts. 
+ +BUG FIXES: + - More elegant handling of malformed nsec3 records from a zone + transfer. + - Fixup ignored return value in region-allocator. + - Added bind2nsd 0.5.0 (http://bind2nsd.sourceforge.net) in contrib/. + +3.0.5 +============= +BUG FIXES: + - Fixed problem with reload waiting very long. If the OS has a + raging herd problem, NSD could block in a UDP operation and + that process would stop reload from finishing. Made UDP sockets + nonblocking. + - Made TCP listen sockets nonblocking. NSD could block in accept. + - Handle the new CERT RDATA types defined in RFC 4398 (submitted by + Mans Nilsson). + - Fixed a bug where zonec would choke on unknown CERT RDATA types. + - Change nsd-notify retry timer from linear into exponential + backoff (submitted by Mans Nilsson). + - Debug flag (-d) behavior changed. Nsd now also forks children when + run in debug mode. + - Added verbosity mode (-V <level>) for extra operational logging. + - zonesdir default is /etc/nsd. This can be overridden in nsd.conf. + - if clients drop the tcp connection this does not result in a logfile + entry, unless verbosity is set 2 or more. + +3.0.4 +============= +BUG FIXES: + - zonec will print an error when other data is put next to a CNAME. + - Fixup unaligned memory access that could occur when reading ixfr.db + with a partial transfer inside. + - Fixup for the WKS RR type printout by nsd-patch and nsd-xfer. + - Error message 'could not read database CRC' now only given on error. + - ./configure --zonesdir=<directory for zone files> now works to + set a default value for the zonesdir: <dir> nsd.conf directive. + Set zonesdir: "" to disable the change of directory. + - Bug: reload crashes with log message 'continuing with old database', + and after that no more zone updates. Manual fix is to kill -HUP, + but now fixed in software to try to reload again (and again). + - Small speedup where xfrd could briefly be busy-waiting. 
+ - If master sends IXFR with glue that is already present in the zone + this is silently accepted. Printed in debug mode -L 2. To make + the log file smaller. + - Exponential backoff for zones that never worked to max of 4 hours. + For expired zones the SOA retry values are used. + - allow-notify acl entries 'NOKEY' match only queries without TSIG. + - Answers to valid notifies contained wrong RR counts in the header. + The notifies were processed correctly, but now the acknowledgement + reply is in correct DNS format. +FEATURES: + - Added contrib/nsd.zones2nsd.conf python script to convert NSD 2 to + NSD 3 config files, contributed by Stephane Bortzmeyer. + - The nsdc control script will print 'nsd startup failed' if the nsd + executable does not start (due to bad permissions, bad config, ...). + +3.0.3 +============= +BUG FIXES: + - Bug #152: NSD would not use the identity from nsd.conf, fixed. + - Bug #153: When running with thousands of secondary zones, NSD would + run out of UDP sockets. Caused crash on FreeBSD, errors on Linux + ('out of file descriptors'), depending on ulimits. Fixed. + - Fixed getaddrinfo error message to be more descriptive. + - Fallback to ip4 if getaddrinfo fails for ip6. + - Will no longer lose a notify message during reloads (IPC). + - Will no longer lose transfer in progress when notified for that zone. + - Nicer error when operator forgets to rebuild after deleting a zone. + +3.0.2 +============= +BUG FIXES: + - Nice error from zonec on a wrong configuration zone name. + - Nicer warning from zonec when starting secondary zone with + no zone file for the first time. + - nsdc makes more portable use of 'which' (for SunOS5.9/bash2.05). + - Bug #143: Improved handling of zonesdir: directive and relative + pidfile, database, diff file, xfrdfile paths in nsdc.sh and + nsd-patch. They would not find the files. + - Bug #144: LOC RRtype default values for precision wrong. Fixed. 
+ - Bug #145: NSD failed to reload cases of simultaneous zone transfer. + - Bug #146: NSD fails to write to xfrdfile when chrooted. Fixed. + Also fix for difffile when chrooted. + - Bug #147: NSD runs out of memory. Fixed, memory is reused. + Occurred when running NSD with very big zones and large updates. + - nsd -L 1 logging is smaller, -L 2 contains all debug information. + (only available for debug compiles). + - Bug #149: Fixed text for NOTAUTH error code. When notify is not + authorised REFUSED error code returned instead. + +3.0.1 +============= +BUG FIXES: + - nsd-patch prints SOA record at start of zone files. + +3.0.0 +============= +FEATURES: + - AXFR/IXFR zone transfer supported. + - NSD requests but does not provide IXFR transfers. + - NSD keeps track of SOA timeouts for secondary zones. + - TSIG authentication supported. + - For queries, for notifies, for zone transfers. + - NOTIFY messages of zone updates, incoming and outgoing. + - DNAME type is supported, including CNAME synthesis. + - config file, nsd.conf(5), place to put TSIG keys, server settings, + and lists of ip-addresses/ranges for AXFR/IXFR and NOTIFY. + - prepared for NSEC3 (--enable-nsec3), experimental code for testing + in workshops. + - prepared for NSID (--enable-nsid), experimental code for testing in + workshops. + +OPERATIONAL NOTES: + - config file needed, nsd.conf(5) supersedes nsd.zones and nsdc.conf. + - AXFR transfers are denied by default. Allow in config file. + - Zones only become secondary with "request-xfr:" items in config file. + - NSD produces "ixfr.db" file with a journal of zone transfers. + Use nsdc patch to merge changes back to zone files and remake db. + - NSD produces "xfrd.state" file with zone timeout information. + The file is text formatted. + - NSD sends notifies automatically, + nsd-notify is deprecated and will be removed from the package. 
+ - NSD requests AXFR/IXFR and reloads the updates automatically, + nsd-xfer is deprecated and will be removed from the package. + - Check your config file with nsd-checkconf. + +BUG FIXES: + - contains all bug fixes from 2.3.5 and before. + - The sighandler() bug is fixed more thoroughly, + by using pipes for interprocess communication. + - CNAMEs are followed by the server to different zones and + information from that zone is returned. This saves a followup + query. + - bug fixes (ported) 2.3.6. + - nsd-notify will retry max 15 times 5 second retries. + - Bug #105: nsdc lacks locking, fixed locking for root user. + - Bug #134: nsd: make -N <large number> work again + - Bug #135: Typo in locking code for nsdc, fixed. + - uninitialised variable fixed. + - unaligned memory access (on Solaris SPARC), in zonec + LOC parsing, fixed. + - Bug #138: nsd aborts trying to bind all interfaces if ip6 + is not enabled, instead it will fallback to ip4. + - Bug #139: resync timer for stats to whole minute. + - Bug #140: NSD did not clear CD bit on authoritative answers. + - Bug #141: NSD did not clear flags on a formerror reply. + +2.3.5 +============= +BUG FIXES: + - Bug #132: regression, nsd: fix compile with --disable-ipv6 + - Makefile: remove gnuisms + +2.3.4 +============= +BUG FIXES: + - Unknown type codes for type code numbers > 48 and < 97 work again. + (this implies --enable-checking can be enabled again) + - nsd: sighandler() fixes + - Bug #118: nsd: nsd_notify waits for a response. Will retry the notify + after a timeout. + - Bug #124: $(DESTDIR) was added to Makefile.in. + - Bug #128: zonec: parser can handle \\ at the end of a string. + - zonec: lexer: add \r to the newline delimeter + - zonec: use strtol with an explicit base 10 as parameter. + (Scott Rose, Roy Arends) + - nsd-xfer: print human readable error codes. Change logging to + be more in line with the rest + +2.3.3 +============= +BUG FIXES: + - Apply the correct patch to nsdc.sh.in. 
+ +2.3.2 +============= +FEATURES: + - Bug #101: add support for the SPF record. + +BUG FIXES: + - Bug #100: replaced non-portable use of timegm(3) with + portable implementation (mktime_from_utc). + - Bug #103: nsd: trim the SOA's TTL to the MINIMUM value when returning a + negative answer. + - Bug #104: nsd: add a time_t timestamp to the log when logging to + a file. + - Bug #105: nsdc: use a lock file when rebuilding the database (patch by + Jakob Schlyter/Ted Lindgreen/Sebastian/Ondrej Sury). + - Bug #106: zonec: don't walk all 256 NSEC windows when that is not + needed. + - Bug #107: zonec: fixed a crash when encountering bad unknown rdata. + - nsd: Don't print: "error: nsd is already running as <pid>, stopping" + when in fact NSD continues to run. + - nsd: Minimize the race window in sig_handler(). + +2.3.1 +============= +BUG FIXES: + - zonec: Don't crash when generating error messages outside of zone + files. + - nsd: when logging to a file the pid is now printed. + - nsd: Reset 'boot' time in statistics when reloading the database, + since the statistics are reset to 0 on a reload. + - nsd-xfer.c: Added '-a' option to specify local address to connect + from. Original patch supplied by Walter Hop <nsd@walter.transip.nl>. + - Bug #98: Allow mnemonics for DS and RRSIG algorithm field. + +2.3.0 +============= +FEATURES: + - DNSSEC is now enabled by default. NSD should be fully + compliant with RFC4033, RFC4034, and RFC4035. + +BUG FIXES: + - nsd: Ensure that the number of -a flags does not exceed the + maximum specified by MAX_INTERFACES in config.h. + - nsd-xfer: Use serial number arithmetic (RFC1982) for the + zone serial check + - nsdc: Don't pass (fake) serial number to nsd-xfer if the + zone file does not exist. + - zonec: Loading many zones would cause namedb_find_zone to + slow down, performance patch by Kazunori Fujiwara. + - Bug #96: nsd-xfer did not handle 8-bit domain names + correctly. 
+ +2.2.1 +============= +FEATURES: + - The message priority is now included when logging to a file. + +BUG FIXES: + - Zero length RDATA using the unknown RR notation was not + working (except for the APL RR type). + - Bug #93: './configure' error message containing a comma must + be properly bracketed. + - Bug #94: nsd-xfer: Handle unexpected EOF when receiving AXFR + data. Timeout if no data is received for more than 120 + seconds (see the TCP_TIMEOUT parameter in config.h). + - Bug #95: An owner starting with an asterisk label ("*") was + being treated as its own wildcard child. + +2.2.0 +============= +FEATURES: + - nsd-xfer: replacement program for named-xfer to perform zone + transfers using AXFR. TSIG is supported by nsd-xfer but not + yet by the nsd server. DNSSEC is also supported. TSIG + requires OpenSSL version 0.9.7 or higher, configure using + --disable-tsig if you do not have OpenSSL installed. + Configure using --with-ssl=path if OpenSSL is not installed + at a standard location. + +CODE CHANGES: + - New data structure 'buffer_type' for representing binary + buffers that can be read, written, and resized. Data in + these buffers is stored in network byte order. This data + structure replaces the iobuf field of 'struct query'. + +BUG FIXES: + - Fixed endian problem in WKS record. + - Protocol can now be specified numerically in WKS record. + - Allow escape sequences (\DDD) in TTL, RR class, and RR type. + - The zone compiler now accepts many more characters in + unquoted strings such as domain name labels. The characters + no longer need to be escaped with a backslash. + - Close included files after reading. + - Maximum TCP message size is now 65535 bytes. AXFR response + packets are still limited to 16383 bytes for optimal + compression of dnames. + - The TSIG key for AXFRs can now also be stored in the file + <zonename>.tsiginfo. This makes it possible to use TSIG + with multiple master servers. 
+ - Signals are no longer blocked while performing I/O so the + server should respond quicker to signals. + - Fixed parsing of LOC rdata. Fractions and altitude were not + handled correctly. + +2.1.5 +============= +BUG FIXES: + - Bug #90: handle \000 in TXT records correctly + - Fixed undefined behavior in the use of vsnprintf when + logging messages. This caused crashes on Linux/PPC. + +2.1.4 +============= +BUG FIXES: + - nsdc: Fixed a typo that caused AXFRs to stop working. + +2.1.3 +============= +FEATURES: + - nsd: The pidfile can be specified using the '-P' option. + +BUG FIXES: + - Bug #87: allow @ in the rdata + - Bug #88: allow ::FFFF:ipv4addr in AAAA records + - Bug #89: Count the number of queries received over TCP, + instead of the number of TCP connections. + - Zonec: when - is used as input, set the filename to 'STDIN'. + - The nsdc script handles failed AXFRs more gracefully. + - NSD emits an error when it sees bitlabels (RFC 2673). + - Only copy the CD bit when DNSSEC is enabled. + +2.1.2 +============= +FEATURES: + - NSD now fully supports unknown record types using the + notation specified in RFC3597. + - Support for the following RR types has been added: WKS, X25, + ISDN, RT, NSAP, PX, NAPTR, KX, CERT, DNAME, and APL. DNAME + special processing is not supported. + +BUG FIXES: + - Bug #84: NSD now uses SIGUSR1 instead of SIGILL to report stats. + - Bug #85: Support for WKS records. + - Bug #86: The characters "#%&^[]?" can now be used without + backslash in zone file domain names. + - Plugin callback return type fixed. + - The maximum message length for IPv6 UDP packets is now + limited to the IPv6 minimum MTU (1280) unless the + IPV6_USE_MIN_MTU socket option is supported. + +2.1.1 +============= +BUG FIXES: + - Bug #81: Handle unknown types correctly. + - Bug #82: Zonec: don't report "0 errors" unless -v is + specified. + - Bug #83: Close zone files after parsing. + - Handle AFSDB RR type. 
+ +2.1.0 +============= +FEATURES: + - New networking code allows a single server to handle both + UDP and TCP connections. By default up to 10 simultaneous + TCP connections are supported. Use the '-n' flag to change + the default. + +2.0.2 +============= +BUG FIXES: + - Allow the use of a mnemonic for the algorithm field of a + DNSKEY record. + - Behavior of the zonec -v flag has been modified. By default + zonec will only print a single line with a summary of the + error count. + - Bug #75: Fixed typo in previous "fix". + +2.0.1 +============= +BUG FIXES: + - Queries for QTYPE DS (DNSSEC) were not handled correctly in + certain cases. + - Partial support for unknown RRs. Known RR types with + unknown RR data format is not yet supported. + - Bug #75: Fixed bad error message when nsdc update is run for + the first time. + - Bug #78: Multiple zones, each with include directives, are + now compiled correctly. + +2.0.0 +============= +FEATURES: + - Experimental DNSSEC support implemented, but disabled by + default. Enable using the --enable-dnssec configuration + option. + - IPv6 enabled by default. Disable using the --disable-ipv6 + configuration option. + +BUG FIXES: + - Bug #47: Domain name is now logged when a notify is + received. + - Bug #70: First include all A records in the additional + section, followed by AAAA records. + - Bug #77: Check length of domain name and label. + - LOC records are supported again. + +1.4.0-alpha1 +============= +FEATURES: + - New database format that is much more compact and portable + across architectures. + - The new zone compiler is now the default and the old zone + compiler has been removed. + - Name compression is done dynamically, removing one other + difference with BIND in the responses generated (the full + query name is now used for compression). + - CNAME target records are now generated from wildcard + records if necessary. + +REGRESSIONS: + - mmap(2) isn't currently supported. 
+ - Not all RR types are supported by zonec (such as LOC). + +1.3.0-alpha1 +============= +FEATURES: + - New name lookup algorithm. This required a change to the + database format. Performance should increase at the expense + of database size and memory usage. + - New zone compiler (zonec2) based on flex and yacc, fully RFC + compliant (still in alpha). + - Database can be loaded using mmap(2) (use the --enable-mmap + configure option to enable). This is useful on operating + systems such as Solaris that do not allow memory overcommit. + - Region based memory allocation and resource management. + - New internal format for storing domain names. Each dname + now includes an array of label offsets within the domain + name. + - Updates to the plugin API. + +BUG FIXES: + - Bug #65: The syslog facility is now a compile time option + (--with-facility=FACILITY). The default facility is DAEMON. + - Bug #66: Automatic periodic dumping of the statistics (using + the -s option) is now continued after a database reload. + +1.2.4 +============= +BUG FIXES: + - Bug #72: If an RRset for a child domain is defined before + the RRset of the parent domain the parent's RRset would be + "lost". + +1.2.3 +============= +BUG FIXES: + - Bug #65: The syslog facility is now a compile time option + (--with-facility=FACILITY). The default facility is DAEMON. + - Bug #66: Automatic periodic dumping of the statistics (using + the -s option) is now continued after a database reload. + - NSD would try to kill pid -1 on startup if forking of a child + process failed. + - Do not log EAGAIN errors on calls to recvfrom. These errors + should be harmless. + +1.2.2 +============= +BUG FIXES: + - Bug #59: NSD returns FORMERR when the query name is >= 246 + bytes. + - Bug #60: Zonec runs out of file descriptors with many zones. + - Bug #61: nsdc uses /bin/sh hardwired (and should not). + - Bug #62: NSD is not able to log to a file. + - Bug #63: nsdc update and zonec are too talkative. 
+ - Bug #64: Answer for request of a host resolved by a + wildcard-resource-record is not understandable by dig. + +1.2.1 +============= +BUG FIXES: + - AXFR terminates early if a zone contains a CNAME pointing + the the zone's domain name (SOA record) (bug #56). + - During an AXFR memory above the top of the stack was + accessed. This could lead to occasional AXFR errors (bad + packets). + - NSD now prints its version number and exits when invoked + with the -v flag (bug #57). + - NSD prints help information and exits when invoked with the + -h flag. + +1.2.0 +============= +FEATURES: + - NSD is now a single parent process (handling child + termination and database reloads) plus multiple UDP and TCP + child processes handling queries. Before the parent process + also handled UDP queries. This change simplifies the parent + and child processes and allows the use of multiple + concurrent UDP servers. + - Experimental plugin support. This required a minor, + incompatible change to the database format. Make sure you + recompile your database. Use --enable-plugins to enable. + - Full IPv6 support (for multi-homing and for Linux, thanks to + Colm MacCárthaigh and Jun-ichiro itojun Hagino). Use + --enable-ipv6 to enable. + - Support for multi-homing with TCP connections. + - Support for SunOS 4.x has been dropped. + +CODE CHANGES: + - NSD should now conform to the Single Unix Specification + (http://www.unix.org/). + - Const correctness for strings and some other data types. + - Removed code for Berkeley DB, hash tables, and mmap(2). + - Separate preprocessor flags from code flags (CPPFLAGS and + CFLAGS). + - Use uint8_t instead of u_char, uint{16,32}_t instead of + u_int{16,32}_t. + - Fixed warnings from mixing signed and unsigned types. + - Use sigaction(2) instead of signal(2). + - The query_process function has been split up for clarity. + +BUG FIXES: + - CHAOS TXT queries failed on big-endian machines. 
+ - Portability fixes for Tru64 (thanks to Stephane Bortzmeyer), + HP-UX, and MacOS X (thanks to Ronald van der Pol). + - Removed compile time limit on maximum number of TCP child + servers. + - Support for debugging UDP and TCP queries. + - Always ensure there is enough room for the EDNS record when + answering a query with EDNS enabled. + +1.1 +============= +FEATURES: + - ANSI C + - autoconf/configure + - new parser + - support for various RR types in zonec + - support for UNKN RR types + +BUG FIXES: + - lots of zone parsing errors eliminated + - empty node matching bug gives NXDOMAIN + +1.0.3 +============= +This release is a bug fix release and does not add any new features. + +BUG FIXES: + - Ignore SIGPIPE errors (bug #43). + - Keep track of TCP child servers and restart if necessary. + (bug #55) + - Handle database reload failures correctly. + - Close UDP sockets in TCP child servers. + - Handle escaped characters (besides \.) in labels. + - Preserve the query's RD flag in the answer. 
+ +1.0.2 +============= +FEATURES: + - -DBIND8_STATS to enable bind8 like [NX]STATS + - -t flag to make nsd chroot to a certain directory + - -s flag to make nsd produce statistics every s seconds + - /etc/nsd/nsdc.conf to overwrite default variables + for nsdc.sh + - less loggin and more radical tcp connection (mis)handling + - prefork -n processes to handle tcp connections + - multiple -a flags + +CHANGES: + - named.stats file functionality is removed + +BUG FIXES: + - couple of pedantic fixes in C code + - last zone in database axfr bug fixed + - nsdc update wont update bug fixed + +1.0.1 +============= + +FEATURES: + - NSD drops permissions after binding the sockets + - ``cache'' zones are no longer allowed + - ID.Server & Version.Server compile time options + - AXFR implemented (with tcpwrapper for access control) + - nsdc update and nsdc notify functionality + - using named-xfer with TSIG for inbound axfr + + +CHANGES: + - the order of records in the database is from now + on significant + - since Berkeley DB doesnt define order for sequential + access it is no longer supported + +BUG FIXES: + - white space problem in zonec is fixed + +KNOWN BUGS: + - please see appropriate man pages for the known bugs + +1.0.0 RELEASE +============= + +KNOWN BUGS: + +- Although NSD allows one to configure a zone without SOA record and + use it as so called ``cached'' non-authoritative data, it is decided + that having this functionality is wrong, dangerous and will be removed + from the further versions. 
+ +- If while processing EDNS(0) OPT record NSD encounters bad EDNS(0) + version it will answer with Format Error instead of EDNS(0) BADVERS + +PLATFORMS: + + Tested and working on i386 FreeBSD-4.4, i386 Linux, dec alpha Linux, + sparc SunOS 4.x + + +1.0.0-BETA2 +=========== + +FIXES: + - wildcards bug fixed + - AA bit for class ANY bug fixed + - minor coredumps with really broken zones in zonec fixed + - linux & SunOS port + +1.0-ALPHA2 +========== +FIXES: + - IPv6 transport support added by Jun-ichiro itojun Hagino (Use -DINET6) + - Makefile modified for easier compile time configuration + - EDNS(0) bug fixed + - Default database changed to all lowercase, red-black tree to make nsd + DNSSEC ready + - REQUIREMENTS are cleaned up and updated + - Signal names changed in nsdc.sh.in + - Default compile options dont include -DMIMIC_BIND8 |
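Review bot: the 1.3.0-alpha1 and 1.2.3 sections of the added file list Bug #65 and Bug #66 with identical text, and the imported text carries spelling slips ("newline delimeter" under 2.3.4, "pointing the the zone's domain name" under 1.2.1, "less loggin" under 1.0.2). Since the commit message says the file is brought in to ease syncing with upstream, I would keep it byte-identical to upstream's doc/RELNOTES and report these upstream rather than correct them locally, so later syncs stay free of local-only differences. The commit message gives "up to 4.2.4" for the ChangeLog only; stating the upstream release that doc/RELNOTES was taken from would let the next sync be checked against a known baseline.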