From owner-svn-src-head@FreeBSD.ORG Thu Aug 22 08:15:04 2013
Message-Id: <201308220815.r7M8F4SN040876@svn.freebsd.org>
From: Erwin Lansing
Date: Thu, 22 Aug 2013 08:15:04 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r254651 - in head: contrib/bind9 contrib/bind9/bin contrib/bind9/bin/check contrib/bind9/bin/confgen contrib/bind9/bin/dig contrib/bind9/bin/dig/include/dig contrib/bind9/bin/dnssec con...
X-SVN-Group: head

Author: erwin
Date: Thu Aug 22 08:15:03 2013
New Revision: 254651
URL: http://svnweb.freebsd.org/changeset/base/254651

Log:
  Update Bind to 9.9.3-P2

  Notable new features:

  * Elliptic Curve Digital Signature Algorithm keys and signatures in
    DNSSEC are now supported per RFC 6605. [RT #21918]

  * Introduces a new tool "dnssec-verify" that validates a signed zone,
    checking for the correctness of signatures and NSEC/NSEC3 chains.
    [RT #23673]

  * BIND now recognizes the TLSA resource record type, created to
    support IETF DANE (DNS-based Authentication of Named Entities)
    [RT #28989]

  * The new "inline-signing" option, in combination with the
    "auto-dnssec" option that was introduced in BIND 9.7, allows
    named to sign zones completely transparently.

  Approved by:  delphij (mentor)
  MFC after:    3 days
  Sponsored by: DK Hostmaster A/S

Added:
  head/contrib/bind9/bin/dnssec/dnssec-verify.8
     - copied unchanged from r254322, vendor/bind9/dist/bin/dnssec/dnssec-verify.8
  head/contrib/bind9/bin/dnssec/dnssec-verify.c
     - copied unchanged from r254322, vendor/bind9/dist/bin/dnssec/dnssec-verify.c
  head/contrib/bind9/bin/dnssec/dnssec-verify.docbook
     - copied unchanged from r254322, vendor/bind9/dist/bin/dnssec/dnssec-verify.docbook
  head/contrib/bind9/bin/dnssec/dnssec-verify.html
     - copied unchanged from r254322, vendor/bind9/dist/bin/dnssec/dnssec-verify.html
  head/contrib/bind9/bin/named/bind9.ver3.xsl
     - copied unchanged from r254322, vendor/bind9/dist/bin/named/bind9.ver3.xsl
  head/contrib/bind9/bin/named/bind9.ver3.xsl.h
     - copied unchanged from r254322, vendor/bind9/dist/bin/named/bind9.ver3.xsl.h
  head/contrib/bind9/doc/arm/man.dnssec-verify.html
     - copied unchanged from r254322, vendor/bind9/dist/doc/arm/man.dnssec-verify.html
  head/contrib/bind9/lib/dns/clientinfo.c
     - copied unchanged from r254322, vendor/bind9/dist/lib/dns/clientinfo.c
  head/contrib/bind9/lib/dns/include/dns/clientinfo.h
     - copied unchanged from r254322, vendor/bind9/dist/lib/dns/include/dns/clientinfo.h
  head/contrib/bind9/lib/dns/include/dns/update.h
     - copied unchanged from r254322, vendor/bind9/dist/lib/dns/include/dns/update.h
  head/contrib/bind9/lib/dns/rdata/generic/naptr_35.c
     - copied unchanged from r254322, vendor/bind9/dist/lib/dns/rdata/generic/naptr_35.c
  head/contrib/bind9/lib/dns/rdata/generic/naptr_35.h
     - copied unchanged from r254322, vendor/bind9/dist/lib/dns/rdata/generic/naptr_35.h
  head/contrib/bind9/lib/dns/update.c
     - copied unchanged from r254322, vendor/bind9/dist/lib/dns/update.c
  head/contrib/bind9/lib/isc/include/isc/pool.h
     - copied unchanged from r254322, vendor/bind9/dist/lib/isc/include/isc/pool.h
  head/contrib/bind9/lib/isc/include/isc/queue.h
     - copied unchanged from r254322, vendor/bind9/dist/lib/isc/include/isc/queue.h
  head/contrib/bind9/lib/isc/pool.c
     - copied unchanged from r254322, vendor/bind9/dist/lib/isc/pool.c
  head/usr.sbin/dnssec-verify/
  head/usr.sbin/dnssec-verify/Makefile   (contents, props changed)
Deleted:
  head/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c
  head/contrib/bind9/lib/dns/rdata/in_1/naptr_35.h
Modified:
  head/contrib/bind9/CHANGES
  head/contrib/bind9/COPYRIGHT
  head/contrib/bind9/HISTORY
  head/contrib/bind9/Makefile.in
  head/contrib/bind9/README
  head/contrib/bind9/bin/Makefile.in
  head/contrib/bind9/bin/check/check-tool.c
  head/contrib/bind9/bin/check/check-tool.h
  head/contrib/bind9/bin/check/named-checkconf.c
  head/contrib/bind9/bin/check/named-checkzone.8
  head/contrib/bind9/bin/check/named-checkzone.c
  head/contrib/bind9/bin/check/named-checkzone.docbook
  head/contrib/bind9/bin/check/named-checkzone.html
  head/contrib/bind9/bin/confgen/ddns-confgen.c
  head/contrib/bind9/bin/confgen/rndc-confgen.c
  head/contrib/bind9/bin/dig/Makefile.in
  head/contrib/bind9/bin/dig/dig.1
  head/contrib/bind9/bin/dig/dig.c
  head/contrib/bind9/bin/dig/dig.docbook
  head/contrib/bind9/bin/dig/dig.html
  head/contrib/bind9/bin/dig/dighost.c
  head/contrib/bind9/bin/dig/host.c
  head/contrib/bind9/bin/dig/include/dig/dig.h
  head/contrib/bind9/bin/dig/nslookup.c
  head/contrib/bind9/bin/dnssec/Makefile.in
  head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8
  head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
  head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook
  head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html
  head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8
  head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c
  head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
  head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html
  head/contrib/bind9/bin/dnssec/dnssec-keygen.8
  head/contrib/bind9/bin/dnssec/dnssec-keygen.c
  head/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
  head/contrib/bind9/bin/dnssec/dnssec-keygen.html
  head/contrib/bind9/bin/dnssec/dnssec-revoke.c
  head/contrib/bind9/bin/dnssec/dnssec-revoke.docbook
  head/contrib/bind9/bin/dnssec/dnssec-settime.8
  head/contrib/bind9/bin/dnssec/dnssec-settime.c
  head/contrib/bind9/bin/dnssec/dnssec-settime.docbook
  head/contrib/bind9/bin/dnssec/dnssec-settime.html
  head/contrib/bind9/bin/dnssec/dnssec-signzone.8
  head/contrib/bind9/bin/dnssec/dnssec-signzone.c
  head/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
  head/contrib/bind9/bin/dnssec/dnssec-signzone.html
  head/contrib/bind9/bin/dnssec/dnssectool.c
  head/contrib/bind9/bin/dnssec/dnssectool.h
  head/contrib/bind9/bin/named/Makefile.in
  head/contrib/bind9/bin/named/builtin.c
  head/contrib/bind9/bin/named/client.c
  head/contrib/bind9/bin/named/config.c
  head/contrib/bind9/bin/named/control.c
  head/contrib/bind9/bin/named/controlconf.c
  head/contrib/bind9/bin/named/include/dlz/dlz_dlopen_driver.h
  head/contrib/bind9/bin/named/include/named/client.h
  head/contrib/bind9/bin/named/include/named/control.h
  head/contrib/bind9/bin/named/include/named/globals.h
  head/contrib/bind9/bin/named/include/named/interfacemgr.h
  head/contrib/bind9/bin/named/include/named/server.h
  head/contrib/bind9/bin/named/include/named/zoneconf.h
  head/contrib/bind9/bin/named/interfacemgr.c
  head/contrib/bind9/bin/named/logconf.c
  head/contrib/bind9/bin/named/main.c
  head/contrib/bind9/bin/named/named.8
  head/contrib/bind9/bin/named/named.conf.5
  head/contrib/bind9/bin/named/named.conf.docbook
  head/contrib/bind9/bin/named/named.conf.html
  head/contrib/bind9/bin/named/named.docbook
  head/contrib/bind9/bin/named/named.html
  head/contrib/bind9/bin/named/query.c
  head/contrib/bind9/bin/named/server.c
  head/contrib/bind9/bin/named/statschannel.c
  head/contrib/bind9/bin/named/unix/Makefile.in
  head/contrib/bind9/bin/named/unix/dlz_dlopen_driver.c
  head/contrib/bind9/bin/named/unix/os.c
  head/contrib/bind9/bin/named/update.c
  head/contrib/bind9/bin/named/xfrout.c
  head/contrib/bind9/bin/named/zoneconf.c
  head/contrib/bind9/bin/nsupdate/Makefile.in
  head/contrib/bind9/bin/nsupdate/nsupdate.1
  head/contrib/bind9/bin/nsupdate/nsupdate.c
  head/contrib/bind9/bin/nsupdate/nsupdate.docbook
  head/contrib/bind9/bin/nsupdate/nsupdate.html
  head/contrib/bind9/bin/rndc/rndc.c
  head/contrib/bind9/bin/tools/genrandom.8
  head/contrib/bind9/bin/tools/genrandom.docbook
  head/contrib/bind9/bin/tools/genrandom.html
  head/contrib/bind9/bin/tools/nsec3hash.c
  head/contrib/bind9/config.h.in
  head/contrib/bind9/config.threads.in
  head/contrib/bind9/configure.in
  head/contrib/bind9/doc/arm/Bv9ARM-book.xml
  head/contrib/bind9/doc/arm/Bv9ARM.ch01.html
  head/contrib/bind9/doc/arm/Bv9ARM.ch03.html
  head/contrib/bind9/doc/arm/Bv9ARM.ch04.html
  head/contrib/bind9/doc/arm/Bv9ARM.ch05.html
  head/contrib/bind9/doc/arm/Bv9ARM.ch06.html
  head/contrib/bind9/doc/arm/Bv9ARM.ch07.html
  head/contrib/bind9/doc/arm/Bv9ARM.ch08.html
  head/contrib/bind9/doc/arm/Bv9ARM.ch09.html
  head/contrib/bind9/doc/arm/Bv9ARM.ch10.html
  head/contrib/bind9/doc/arm/Bv9ARM.html
  head/contrib/bind9/doc/arm/Bv9ARM.pdf
  head/contrib/bind9/doc/arm/dnssec.xml
  head/contrib/bind9/doc/arm/man.arpaname.html
  head/contrib/bind9/doc/arm/man.ddns-confgen.html
  head/contrib/bind9/doc/arm/man.dig.html
  head/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
  head/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
  head/contrib/bind9/doc/arm/man.dnssec-keygen.html
  head/contrib/bind9/doc/arm/man.dnssec-revoke.html
  head/contrib/bind9/doc/arm/man.dnssec-settime.html
  head/contrib/bind9/doc/arm/man.dnssec-signzone.html
  head/contrib/bind9/doc/arm/man.genrandom.html
  head/contrib/bind9/doc/arm/man.host.html
  head/contrib/bind9/doc/arm/man.isc-hmac-fixup.html
  head/contrib/bind9/doc/arm/man.named-checkconf.html
  head/contrib/bind9/doc/arm/man.named-checkzone.html
  head/contrib/bind9/doc/arm/man.named-journalprint.html
  head/contrib/bind9/doc/arm/man.named.html
  head/contrib/bind9/doc/arm/man.nsec3hash.html
  head/contrib/bind9/doc/arm/man.nsupdate.html
  head/contrib/bind9/doc/arm/man.rndc-confgen.html
  head/contrib/bind9/doc/arm/man.rndc.conf.html
  head/contrib/bind9/doc/arm/man.rndc.html
  head/contrib/bind9/doc/arm/pkcs11.xml
  head/contrib/bind9/doc/misc/options
  head/contrib/bind9/lib/bind9/api
  head/contrib/bind9/lib/bind9/check.c
  head/contrib/bind9/lib/dns/Makefile.in
  head/contrib/bind9/lib/dns/acache.c
  head/contrib/bind9/lib/dns/acl.c
  head/contrib/bind9/lib/dns/adb.c
  head/contrib/bind9/lib/dns/api
  head/contrib/bind9/lib/dns/byaddr.c
  head/contrib/bind9/lib/dns/cache.c
  head/contrib/bind9/lib/dns/callbacks.c
  head/contrib/bind9/lib/dns/client.c
  head/contrib/bind9/lib/dns/db.c
  head/contrib/bind9/lib/dns/dbtable.c
  head/contrib/bind9/lib/dns/diff.c
  head/contrib/bind9/lib/dns/dispatch.c
  head/contrib/bind9/lib/dns/dns64.c
  head/contrib/bind9/lib/dns/dnssec.c
  head/contrib/bind9/lib/dns/dst_api.c
  head/contrib/bind9/lib/dns/dst_internal.h
  head/contrib/bind9/lib/dns/dst_openssl.h
  head/contrib/bind9/lib/dns/dst_parse.c
  head/contrib/bind9/lib/dns/ecdb.c
  head/contrib/bind9/lib/dns/gssapi_link.c
  head/contrib/bind9/lib/dns/gssapictx.c
  head/contrib/bind9/lib/dns/hmac_link.c
  head/contrib/bind9/lib/dns/include/dns/Makefile.in
  head/contrib/bind9/lib/dns/include/dns/acache.h
  head/contrib/bind9/lib/dns/include/dns/acl.h
  head/contrib/bind9/lib/dns/include/dns/adb.h
  head/contrib/bind9/lib/dns/include/dns/cache.h
  head/contrib/bind9/lib/dns/include/dns/callbacks.h
  head/contrib/bind9/lib/dns/include/dns/db.h
  head/contrib/bind9/lib/dns/include/dns/dispatch.h
  head/contrib/bind9/lib/dns/include/dns/dlz_dlopen.h
  head/contrib/bind9/lib/dns/include/dns/dnssec.h
  head/contrib/bind9/lib/dns/include/dns/events.h
  head/contrib/bind9/lib/dns/include/dns/journal.h
  head/contrib/bind9/lib/dns/include/dns/log.h
  head/contrib/bind9/lib/dns/include/dns/master.h
  head/contrib/bind9/lib/dns/include/dns/masterdump.h
  head/contrib/bind9/lib/dns/include/dns/nsec.h
  head/contrib/bind9/lib/dns/include/dns/nsec3.h
  head/contrib/bind9/lib/dns/include/dns/private.h
  head/contrib/bind9/lib/dns/include/dns/rdata.h
  head/contrib/bind9/lib/dns/include/dns/rdataset.h
  head/contrib/bind9/lib/dns/include/dns/resolver.h
  head/contrib/bind9/lib/dns/include/dns/result.h
  head/contrib/bind9/lib/dns/include/dns/rpz.h
  head/contrib/bind9/lib/dns/include/dns/rriterator.h
  head/contrib/bind9/lib/dns/include/dns/sdb.h
  head/contrib/bind9/lib/dns/include/dns/sdlz.h
  head/contrib/bind9/lib/dns/include/dns/time.h
  head/contrib/bind9/lib/dns/include/dns/types.h
  head/contrib/bind9/lib/dns/include/dns/view.h
  head/contrib/bind9/lib/dns/include/dns/zone.h
  head/contrib/bind9/lib/dns/include/dns/zt.h
  head/contrib/bind9/lib/dns/include/dst/dst.h
  head/contrib/bind9/lib/dns/iptable.c
  head/contrib/bind9/lib/dns/journal.c
  head/contrib/bind9/lib/dns/key.c
  head/contrib/bind9/lib/dns/keytable.c
  head/contrib/bind9/lib/dns/log.c
  head/contrib/bind9/lib/dns/lookup.c
  head/contrib/bind9/lib/dns/master.c
  head/contrib/bind9/lib/dns/masterdump.c
  head/contrib/bind9/lib/dns/message.c
  head/contrib/bind9/lib/dns/nsec.c
  head/contrib/bind9/lib/dns/nsec3.c
  head/contrib/bind9/lib/dns/openssldh_link.c
  head/contrib/bind9/lib/dns/openssldsa_link.c
  head/contrib/bind9/lib/dns/opensslecdsa_link.c
  head/contrib/bind9/lib/dns/opensslgost_link.c
  head/contrib/bind9/lib/dns/opensslrsa_link.c
  head/contrib/bind9/lib/dns/private.c
  head/contrib/bind9/lib/dns/rbt.c
  head/contrib/bind9/lib/dns/rbtdb.c
  head/contrib/bind9/lib/dns/rdata.c
  head/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
  head/contrib/bind9/lib/dns/rdata/generic/cert_37.c
  head/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c
  head/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
  head/contrib/bind9/lib/dns/rdata/generic/ds_43.c
  head/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c
  head/contrib/bind9/lib/dns/rdata/generic/key_25.c
  head/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c
  head/contrib/bind9/lib/dns/rdata/generic/nsec3_50.c
  head/contrib/bind9/lib/dns/rdata/generic/nsec3_50.h
  head/contrib/bind9/lib/dns/rdata/generic/opt_41.c
  head/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
  head/contrib/bind9/lib/dns/rdata/generic/sig_24.c
  head/contrib/bind9/lib/dns/rdata/generic/soa_6.c
  head/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
  head/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
  head/contrib/bind9/lib/dns/rdata/generic/uri_256.c
  head/contrib/bind9/lib/dns/rdata/generic/uri_256.h
  head/contrib/bind9/lib/dns/rdata/in_1/dhcid_49.c
  head/contrib/bind9/lib/dns/resolver.c
  head/contrib/bind9/lib/dns/sdb.c
  head/contrib/bind9/lib/dns/sdlz.c
  head/contrib/bind9/lib/dns/validator.c
  head/contrib/bind9/lib/dns/view.c
  head/contrib/bind9/lib/dns/xfrin.c
  head/contrib/bind9/lib/dns/zone.c
  head/contrib/bind9/lib/dns/zt.c
  head/contrib/bind9/lib/irs/api
  head/contrib/bind9/lib/isc/Makefile.in
  head/contrib/bind9/lib/isc/api
  head/contrib/bind9/lib/isc/include/isc/heap.h
  head/contrib/bind9/lib/isc/include/isc/list.h
  head/contrib/bind9/lib/isc/include/isc/mem.h
  head/contrib/bind9/lib/isc/include/isc/namespace.h
  head/contrib/bind9/lib/isc/include/isc/radix.h
  head/contrib/bind9/lib/isc/include/isc/socket.h
  head/contrib/bind9/lib/isc/include/isc/task.h
  head/contrib/bind9/lib/isc/include/isc/taskpool.h
  head/contrib/bind9/lib/isc/log.c
  head/contrib/bind9/lib/isc/radix.c
  head/contrib/bind9/lib/isc/socket_api.c
  head/contrib/bind9/lib/isc/task.c
  head/contrib/bind9/lib/isc/task_api.c
  head/contrib/bind9/lib/isc/task_p.h
  head/contrib/bind9/lib/isc/taskpool.c
  head/contrib/bind9/lib/isc/unix/socket.c
  head/contrib/bind9/lib/isccc/api
  head/contrib/bind9/lib/isccfg/api
  head/contrib/bind9/lib/isccfg/namedconf.c
  head/contrib/bind9/lib/lwres/api
  head/contrib/bind9/lib/lwres/man/lwres_config.3
  head/contrib/bind9/lib/lwres/man/lwres_config.docbook
  head/contrib/bind9/lib/lwres/man/lwres_config.html
  head/contrib/bind9/lib/lwres/man/lwres_context.3
  head/contrib/bind9/lib/lwres/man/lwres_context.docbook
  head/contrib/bind9/lib/lwres/man/lwres_context.html
  head/contrib/bind9/lib/lwres/man/lwres_gabn.3
  head/contrib/bind9/lib/lwres/man/lwres_gabn.docbook
  head/contrib/bind9/lib/lwres/man/lwres_gabn.html
  head/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3
  head/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook
  head/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
  head/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3
  head/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
  head/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
  head/contrib/bind9/lib/lwres/man/lwres_gethostent.3
  head/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook
  head/contrib/bind9/lib/lwres/man/lwres_gethostent.html
  head/contrib/bind9/lib/lwres/man/lwres_getipnode.3
  head/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook
  head/contrib/bind9/lib/lwres/man/lwres_getipnode.html
  head/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3
  head/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook
  head/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
  head/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3
  head/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
  head/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
  head/contrib/bind9/lib/lwres/man/lwres_gnba.3
  head/contrib/bind9/lib/lwres/man/lwres_gnba.docbook
  head/contrib/bind9/lib/lwres/man/lwres_gnba.html
  head/contrib/bind9/lib/lwres/man/lwres_hstrerror.3
  head/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook
  head/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
  head/contrib/bind9/lib/lwres/man/lwres_inetntop.3
  head/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook
  head/contrib/bind9/lib/lwres/man/lwres_inetntop.html
  head/contrib/bind9/lib/lwres/man/lwres_noop.3
  head/contrib/bind9/lib/lwres/man/lwres_noop.docbook
  head/contrib/bind9/lib/lwres/man/lwres_noop.html
  head/contrib/bind9/lib/lwres/man/lwres_packet.3
  head/contrib/bind9/lib/lwres/man/lwres_packet.docbook
  head/contrib/bind9/lib/lwres/man/lwres_packet.html
  head/contrib/bind9/lib/lwres/man/lwres_resutil.3
  head/contrib/bind9/lib/lwres/man/lwres_resutil.docbook
  head/contrib/bind9/lib/lwres/man/lwres_resutil.html
  head/contrib/bind9/lib/lwres/print_p.h
  head/contrib/bind9/lib/lwres/strtoul.c
head/contrib/bind9/lib/lwres/unix/Makefile.in head/contrib/bind9/lib/lwres/unix/include/Makefile.in head/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in head/contrib/bind9/lib/lwres/unix/include/lwres/net.h head/contrib/bind9/lib/lwres/version.c head/contrib/bind9/make/Makefile.in head/contrib/bind9/make/includes.in head/contrib/bind9/make/rules.in head/contrib/bind9/mkinstalldirs head/contrib/bind9/version head/lib/bind/config.h head/lib/bind/dns/Makefile head/lib/bind/dns/code.h head/lib/bind/dns/dns/rdatastruct.h head/lib/bind/isc/Makefile head/share/doc/bind9/Makefile head/usr.bin/nslookup/Makefile head/usr.bin/nsupdate/Makefile head/usr.sbin/Makefile Directory Properties: head/contrib/bind9/ (props changed) Modified: head/contrib/bind9/CHANGES ============================================================================== --- head/contrib/bind9/CHANGES Thu Aug 22 07:43:36 2013 (r254650) +++ head/contrib/bind9/CHANGES Thu Aug 22 08:15:03 2013 (r254651) @@ -1,15 +1,15 @@ - --- 9.8.5-P2 released --- + --- 9.9.3-P2 released --- 3621. [security] Incorrect bounds checking on private type 'keydata' can lead to a remotely triggerable REQUIRE failure (CVE-2013-4854). [RT #34238] - --- 9.8.5-P1 released --- + --- 9.9.3-P1 released --- 3584. [security] Caching data from an incompletely signed zone could trigger an assertion failure in resolver.c [RT #33690] - --- 9.8.5 released --- + --- 9.9.3 released --- 3568. [cleanup] Add a product description line to the version file, to be reported by named -v/-V. [RT #33366] @@ -21,7 +21,7 @@ 3561. [bug] dig: issue a warning if an EDNS query returns FORMERR or NOTIMP. Adjust usage message. [RT #33363] - --- 9.8.5rc1 released --- + --- 9.9.3rc2 released --- 3560. [bug] isc-config.sh did not honor includedir and libdir when set via configure. [RT #33345] 
@@ -31,6 +31,8 @@ 3558. [bug] IXFR of a DLZ stored zone was broken. [RT #33331] +3557. [bug] Reloading redirect zones was broken. [RT #33292] + 3556. [maint] Added AAAA for D.ROOT-SERVERS.NET. 3555. [bug] Address theoretical race conditions in acache.c @@ -51,9 +53,7 @@ 3547. [bug] Some malformed unknown rdata records were not properly detected and rejected. [RT #33129] -3056. [func] Added support for URI resource record. [RT #23386] - - --- 9.8.5rc1 released --- + --- 9.9.3rc1 released --- 3546. [func] Add EUI48 and EUI64 types. [RT #33082] @@ -64,8 +64,6 @@ 3543. [bug] Update socket structure before attaching to socket manager after accept. [RT #33084] -3542. [bug] masterformat system test was broken. [RT #33086] - 3541. [bug] Parts of libdns were not properly initialized when built in libexport mode. [RT #33028] @@ -94,6 +92,17 @@ 3530. [contrib] Better RTT tracking in queryperf. [RT #30128] +3528. [func] New "dnssec-coverage" command scans the timing + metadata for a set of DNSSEC keys and reports if a + lapse in signing coverage has been scheduled + inadvertently. (Note: This tool depends on python; + it will not be built or installed on systems that + do not have a python interpreter.) [RT #28098] + +3527. [compat] Add a URI to allow applications to explicitly + request a particular XML schema from the statistics + channel, returning 404 if not supported. [RT #32481] + 3526. [cleanup] Set up dependencies for unit tests correctly during build. [RT #32803] @@ -102,7 +111,7 @@ 3520. [bug] 'mctx' was not being referenced counted in some places where it should have been. [RT #32794] - --- 9.8.5b2 released --- + --- 9.9.3b2 released --- 3517. [bug] Reorder destruction to avoid shutdown race. [RT #32777] 
@@ -114,6 +123,8 @@ to 1024 bits for hmac-sha384 and hmac-sha512. [RT #32753] +3511. [doc] Improve documentation of redirect zones. [RT #32756] + 3509. [cleanup] Added a product line to version file to allow for easy naming of different products (BIND vs BIND ESV, for example). [RT #32755] @@ -121,8 +132,24 @@ 3508. [contrib] queryperf was incorrectly rejecting the -T option. [RT #32338] +3507. [bug] Statistics channel XSL (when built with + --enable-newstats) had a glitch when attempting + to chart query data before any queries had been + received. [RT #32620] + +3505. [bug] When setting "max-cache-size" and "max-acache-size", + larger values than 4 gigabytes could not be set + explicitly, though larger sizes were available + when setting cache size to 0. This has been + corrected; the full range is now available. + [RT #32358] + 3503. [doc] Clarify size_spec syntax. [RT #32449] +3501. [func] zone-statistics now takes three options: full, + terse, and none. "yes" and "no" are retained as + synonyms for full and terse, respectively. [RT #29165] + 3500. [security] Support NAPTR regular expression validation on all platforms without using libregex, which can be vulnerable to memory exhaustion attack @@ -141,6 +168,15 @@ NSIP and NSDNAME checking. --enable-rpz-nsip and --enable-rpz-nsdname are now the default. [RT #32251] +3493. [contrib] Added BDBHPT dynamically-lodable DLZ module, + contributed by Mark Goldfinch. [RT #32549] + +3492. [bug] Fixed a regression in zone loading performance + due to lock contention. [RT #30399] + +3491. [bug] Slave zones using inline-signing must specify a + file name. [RT #31946] + 3489. [bug] --enable-developer now turns on ISC_LIST_CHECKINIT. When cloning a rdataset do not copy the link contents. [RT #32651] 
@@ -156,8 +192,14 @@ 3485. [cleanup] Only compile openssl_gostlink.c if we support GOST. +3483. [bug] Corrected XSL code in use with --enable-newstats. + [RT #32587] + 3481. [cleanup] Removed use of const const in atf. +3480. [bug] Silence logging noise when setting up zone + statistics. [RT #32525] + 3479. [bug] Address potential memory leaks in gssapi support code. [RT #32405] @@ -167,10 +209,18 @@ 3474. [bug] nsupdate could assert when the local and remote address families didn't match. [RT #22897] +3473. [bug] dnssec-signzone/verify could incorrectly report + an error condition due to an empty node above an + opt-out delegation lacking an NSEC3. [RT #32072] + +3471. [bug] The number of UDP dispatches now defaults to + the number of CPUs even if -n has been set to + a higher value. [RT #30964] + 3470. [bug] Slave zones could fail to dump when successfully refreshing after an initial failure. [RT #31276] - --- 9.8.5b1 released --- + --- 9.9.3b1 released --- 3468. [security] RPZ rules to generate A records (but not AAAA records) could trigger an assertion failure when used in @@ -179,6 +229,9 @@ 3467. [bug] Added checks in dnssec-keygen and dnssec-settime to check for delete date < inactive date. [RT #31719] +3466. [contrib] Corrected the DNS_CLIENTINFOMETHODS_VERSION check + in DLZ example driver. [RT #32275] + 3465. [bug] Handle isolated reserved ports. [RT #31778] 3464. [maint] Updates to PKCS#11 openssl patches, supporting @@ -192,6 +245,8 @@ 3461. [bug] Negative responses could incorrectly have AD=1 set. [RT #32237] +3460. [bug] Only link against readline where needed. [RT #29810] + 3458. [bug] Return FORMERR when presented with a overly long domain named in a request. [RT #29682] 
@@ -203,6 +258,9 @@ 3454. [port] sparc64: improve atomic support. [RT #25182] +3453. [bug] 'rndc addzone' of a zone with 'inline-signing yes;' + failed. [RT #31960] + 3452. [bug] Accept duplicate singleton records. [RT #32329] 3451. [port] Increase per thread stack size from 64K to 1M. @@ -266,9 +324,19 @@ 3427. [bug] dig +trace incorrectly displayed name server addresses instead of names. [RT #31641] +3426. [bug] dnssec-checkds: Clearer output when records are not + found. [RT #31968] + 3425. [bug] "acacheentry" reference counting was broken resulting in use after free. [RT #31908] +3424. [func] dnssec-dsfromkey now emits the hash without spaces. + [RT #31951] + +3423. [bug] "rndc signing -nsec3param" didn't accept the full + range of possible values. Address portability issues. + [RT #31938] + 3422. [bug] Added a clear error message for when the SOA does not match the referral. [RT #31281] @@ -279,9 +347,22 @@ 3419. [bug] Memory leak on validation cancel. [RT #31869] +3417. [func] Optional new XML schema (version 3.0) for the + statistics channel adds query type statistics at the + zone level, and flattens the XML tree and uses + compressed format to optimize parsing. Includes new XSL + that permits charting via the Google Charts API on + browsers that support javascript in XSL. To enable, + build with "configure --enable-newstats". [RT #30023] + +3416. [bug] Named could die on shutdown if running with 128 UDP + dispatches per interface. [RT #31743] + 3415. [bug] named could die with a REQUIRE failure if a validation was canceled. [RT #31804] +3414. [bug] Address locking issues found by Coverity. [RT #31626] + 3412. [bug] Copy timeval structure from control message data. [RT #31548] 
@@ -295,6 +376,11 @@ (DNS-based Authentication of Named Entities). [RT #30513] +3408. [bug] Some DNSSEC-related options (update-check-ksk, + dnssec-loadkeys-interval, dnssec-dnskey-kskonly) + are now legal in slave zones as long as + inline-signing is in use. [RT #31078] + 3406. [bug] mem.c: Fix compilation errors when building with ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled. Also, ISC_MEM_DEBUG is no longer optional. [RT #31559] @@ -316,6 +402,13 @@ in the "srcid" file in the build tree and normally set to the most recent git hash. [RT #31494] +3399. [port] netbsd: rename 'bool' parameter to avoid namespace + clash. [RT #31515] + +3398. [bug] SOA parameters were not being updated with inline + signed zones if the zone was modified while the + server was offline. [RT #29272] + 3397. [bug] dig crashed when using +nssearch with +tcp. [RT #25298] 3396. [bug] OPT records were incorrectly removed from signed, @@ -348,11 +441,10 @@ 3386. [bug] Address locking violation when generating new NSEC / NSEC3 chains. [RT #31224] -3384. [bug] Improved logging of crypto errors. [RT #30963] +3385. [bug] named-checkconf didn't detect missing master lists + in also-notify clauses. [RT #30810] -3383. [security] A certain combination of records in the RBT could - cause named to hang while populating the additional - section of a response. [RT #31090] +3384. [bug] Improved logging of crypto errors. [RT #30963] 3382. [bug] SOA query from slave used use-v6-udp-ports range, if set, regardless of the address family in use. @@ -370,6 +462,9 @@ 3378. [bug] Handle missing 'managed-keys-directory' better. [RT #30625] +3377. [bug] Removed spurious newline from NSEC3 multiline + output. [RT #31044] + 3376. [bug] Lack of EDNS support was being recorded without a successful response. [RT #30811] 
@@ -386,19 +481,34 @@ add NS RRsets to the additional section or not. [RT #30479] - --- 9.8.4 released --- +3316. [tuning] Improved locking performance when recursing. + [RT #28836] + +3315. [tuning] Use multiple dispatch objects for sending upstream + queries; this can improve performance on busy + multiprocessor systems by reducing lock contention. + [RT #28605] + + --- 9.9.2 released --- + +3383. [security] A certain combination of records in the RBT could + cause named to hang while populating the additional + section of a response. [RT #31090] 3373. [bug] win32: open raw files in binary mode. [RT #30944] 3364. [security] Named could die on specially crafted record. [RT #30416] - --- 9.8.4rc1 released --- + --- 9.9.2rc1 released --- + +3370. [bug] Address use after free while shutting down. [RT #30241] 3369. [bug] nsupdate terminated unexpectedly in interactive mode if built with readline support. [RT #29550] -3368. [bug] and were not C++ safe. +3368. [bug] , and + were not C++ safe. 3367. [bug] dns_dnsseckey_create() result was not being checked. [RT #30685] @@ -417,6 +527,9 @@ could trigger an assertion failure on startup. [RT #27730] +3361. [bug] "rndc signing -nsec3param" didn't work correctly + when salt was set to '-' (no salt). [RT #30099] + 3360. [bug] 'host -w' could die. [RT #18723] 3359. [bug] An improperly-formed TSIG secret could cause a @@ -428,10 +541,12 @@ approaching their expiry, so they don't remain in caches after expiry. [RT #26429] - --- 9.8.4b1 released --- +3355. [port] Use more portable awk in verify system test. 3354. [func] Improve OpenSSL error logging. [RT #29932] + --- 9.9.2b1 released --- + 3353. [bug] Use a single task for task exclusive operations. [RT #29872] 
@@ -446,6 +561,8 @@ ISC_MEM_DEBUGCTX memory debugging flag is set. [RT #30240] +3349. [bug] Change #3345 was incomplete. [RT #30233] + 3348. [bug] Prevent RRSIG data from being cached if a negative record matching the covering type exists at a higher trust level. Such data already can't be retrieved from @@ -459,16 +576,42 @@ 3346. [security] Bad-cache data could be used before it was initialized, causing an assert. [RT #30025] +3345. [bug] Addressed race condition when removing the last item + or inserting the first item in an ISC_QUEUE. + [RT #29539] + +3344. [func] New "dnssec-checkds" command checks a zone to + determine which DS records should be published + in the parent zone, or which DLV records should be + published in a DLV zone, and queries the DNS to + ensure that it exists. (Note: This tool depends + on python; it will not be built or installed on + systems that do not have a python interpreter.) + [RT #28099] + 3342. [bug] Change #3314 broke saving of stub zones to disk resulting in excessive cpu usage in some cases. [RT #29952] +3341. [func] New "dnssec-verify" command checks a signed zone + to ensure correctness of signatures and of NSEC/NSEC3 + chains. [RT #23673] + +3339. [func] Allow the maximum supported rsa exponent size to be + specified: "max-rsa-exponent-size ;" [RT #29228] + +3338. [bug] Address race condition in units tests: asyncload_zone + and asyncload_zt. [RT #26100] + 3337. [bug] Change #3294 broke support for the multiple keys in controls. [RT #29694] 3335. [func] nslookup: return a nonzero exit code when unable to get an answer. [RT #29492] +3334. [bug] Hold a zone table reference while performing a + asynchronous load of a zone. [RT #28326] + 3333. [bug] Setting resolver-query-timeout too low can cause named to not recover if it loses connectivity. [RT #29623] 
@@ -504,7 +647,7 @@ 3317. [func] Add ECDSA support (RFC 6605). [RT #21918] - --- 9.8.3 released --- + --- 9.9.1 released --- 3318. [tuning] Reduce the amount of work performed while holding a bucket lock when finished with a fetch context. @@ -536,6 +679,8 @@ 3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps. [RT #28571] +3303. [bug] named could die when reloading. [RT #28606] + 3302. [bug] dns_dnssec_findmatchingkeys could fail to find keys if the zone name contained character that required special mappings. [RT #28600] @@ -549,22 +694,15 @@ 3299. [bug] Make SDB handle errors from database drivers better. [RT #28534] -3232. [bug] Zero zone->curmaster before return in - dns_zone_setmasterswithkeys(). [RT #26732] - -3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301] - -3197. [bug] Don't try to log the filename and line number when - the config parser can't open a file. [RT #22263] - - --- 9.8.2 released --- - 3298. [bug] Named could dereference a NULL pointer in zmgr_start_xfrin_ifquota if the zone was being removed. [RT #28419] 3297. [bug] Named could die on a malformed master file. [RT #28467] +3296. [bug] Named could die with a INSIST failure in + client.c:exit_check. [RT #28346] + 3295. [bug] Adjust isc_time_secondsastimet range check to be more portable. [RT # 26542] @@ -576,6 +714,16 @@ 3290. [bug] was not being installed. [RT #28169] +3273. [bug] AAAA responses could be returned in the additional + section even when filter-aaaa-on-v4 was in use. + [RT #27292] + + --- 9.9.0 released --- + + --- 9.9.0rc4 released --- + +3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036] + 3288. [bug] dlz_destroy() function wasn't correctly registered by the DLZ dlopen driver. [RT #28056] 
@@ -584,7 +732,7 @@ 3286. [bug] Managed key maintenance timer could fail to start after 'rndc reconfig'. [RT #26786] - --- 9.8.2rc2 released --- + --- 9.9.0rc3 released --- 3285. [bug] val-frdataset was incorrectly disassociated in proveunsecure after calling startfinddlvsep. @@ -607,24 +755,34 @@ 3280. [bug] Potential double free of a rdataset on out of memory with DNS64. [RT #27762] +3279. [bug] Hold a internal reference to the zone while performing + a asynchronous load. Address potential memory leak + if the asynchronous is cancelled. [RT #27750] + 3278. [bug] Make sure automatic key maintenance is started when "auto-dnssec maintain" is turned on during "rndc reconfig". [RT #26805] +3277. [bug] win32: isc_socket_dup is not implemented. [RT #27696] + 3276. [bug] win32: ns_os_openfile failed to return NULL on safe_open failure. [RT #27696] -3274. [bug] Log when a zone is not reusable. Only set loadtime - on successful loads. [RT #27650] - -3273. [bug] AAAA responses could be returned in the additional - section even when filter-aaaa-on-v4 was in use. - [RT #27292] +3275. [bug] Corrected rndc -h output; the 'rndc sync -clean' + option had been misspelled as '-clear'. (To avoid + future confusion, both options now work.) [RT #27173] 3271. [port] darwin: mksymtbl is not always stable, loop several times before giving up. mksymtbl was using non portable perl to covert 64 bit hex strings. [RT #27653] + --- 9.9.0rc2 released --- + +3270. [bug] "rndc reload" didn't reuse existing zones correctly + when inline-signing was in use. [RT #27650] + +3269. [port] darwin 11 and later now built threaded by default. + 3268. [bug] Convert RRSIG expiry times to 64 timestamps to work out the earliest expiry time. [RT #23311] 
@@ -636,14 +794,26 @@ DNSKEY RRset was not being properly computed. [RT #26543] +3265. [bug] Corrected a problem with lock ordering in the + inline-signing code. [RT #27557] + +3264. [bug] Automatic regeneration of signatures in an + inline-signing zone could stall when the server + was restarted. [RT #27344] + +3263. [bug] "rndc sync" did not affect the unsigned side of an + inline-signing zone. [RT #27337] + 3262. [bug] Signed responses were handled incorrectly by RPZ. [RT #27316] - --- 9.8.2rc1 released --- +3261. [func] RRset ordering now defaults to random. [RT #27174] 3260. [bug] "rrset-order cyclic" could appear not to rotate for some query patterns. [RT #27170/27185] + --- 9.9.0rc1 released --- + 3259. [bug] named-compilezone: Suppress "dump zone to " message when writing to stdout. [RT #27109] @@ -655,12 +825,21 @@ 3256. [bug] Disable empty zones for lwresd -C. [RT #27139] +3255. [func] No longer require that a empty zones be explicitly + enabled or that a empty zone is disabled for + RFC 1918 empty zones to be configured. [RT #27139] + 3254. [bug] Set isc_socket_ipv6only() on the IPv6 control channels. [RT #22249] 3253. [bug] Return DNS_R_SYNTAX when the input to a text field is too long. [RT #26956] +3252. [bug] When master zones using inline-signing were + updated while the server was offline, the source + zone could fall out of sync with the signed + copy. They can now resynchronize. [RT #26676] + 3251. [bug] Enforce a upper bound (65535 bytes) on the amount of memory dns_sdlz_putrr() can allocate per record to prevent run away memory consumption on ISC_R_NOSPACE. 
@@ -680,8 +859,34 @@ 3247. [bug] 'raw' format zones failed to preserve load order breaking 'fixed' sort order. [RT #27087] -3243. [port] netbsd,bsdi: the thread defaults were not being - properly set. +3246. [bug] Named failed to start with a empty also-notify list. + [RT #27087] + +3245. [bug] Don't report a error unchanged serials unless there + were other changes when thawing a zone with + ixfr-fromdifferences. [RT #26845] + +3244. [func] Added readline support to nslookup and nsupdate. + Also simplified nsupdate syntax to make "update" + and "prereq" optional. [RT #24659] + +3243. [port] freebsd,netbsd,bsdi: the thread defaults were not + being properly set. + +3242. [func] Extended the header of raw-format master files to + include the serial number of the zone from which + they were generated, if different (as in the case + of inline-signing zones). This is to be used in + inline-signing zones, to track changes between the + unsigned and signed versions of the zone, which may + have different serial numbers. + + (Note: raw zonefiles generated by this version of + BIND are no longer compatible with prior versions. + To generate a backward-compatible raw zonefile + using dnssec-signzone or named-compilezone, specify + output format "raw=0" instead of simply "raw".) + [RT #26587] 3241. [bug] Address race conditions in the resolver code. [RT #26889] 
@@ -696,10 +901,21 @@ 3237. [bug] dig -6 didn't work with +trace. [RT #26906] - --- 9.8.2b1 released --- +3236. [bug] Backed out changes #3182 and #3202, related to + EDNS(0) fallback behavior. [RT #26416] + +3235. [func] dns_db_diffx, a extended dns_db_diff which returns + the generated diff and optionally writes it to a + journal. [RT #26386] 3234. [bug] 'make depend' produced invalid makefiles. [RT #26830] +3233. [bug] 'rndc freeze/thaw' didn't work for inline zones. + [RT #26632] + +3232. [bug] Zero zone->curmaster before return in + dns_zone_setmasterswithkeys(). [RT #26732] + 3231. [bug] named could fail to send a incompressible zone. [RT #26796] @@ -717,14 +933,29 @@ 3226. [bug] Address minor resource leakages. [RT #26624] +3225. [bug] Silence spurious "setsockopt(517, IPV6_V6ONLY) failed" + messages. [RT #26507] + +3224. [bug] 'rndc signing' argument parsing was broken. [RT #26684] + +3223. [bug] 'task_test privilege_drop' generated false positives. + [RT #26766] + +3222. [cleanup] Replace dns_journal_{get,set}_bitws with + dns_journal_{get,set}_sourceserial. [RT #26634] + 3221. [bug] Fixed a potential core dump on shutdown due to referencing fetch context after it's been freed. [RT #26720] + --- 9.9.0b2 released --- + 3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips() could fail to set the database version correctly, causing an assertion failure. [RT #26180] +3219. [bug] Disable NOEDNS caching following a timeout. + 3218. [security] Cache lookup could return RRSIG data associated with nonexistent records, leading to an assertion failure. [RT #26590] 
@@ -733,12 +964,24 @@ 3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478] +3215. [bug] 'rndc recursing' could cause a core dump. [RT #26495] + +3214. [func] Add 'named -U' option to set the number of UDP + listener threads per interface. [RT #26485] + 3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188] 3212. [bug] rbtdb.c: failed to remove a node from the deadnodes list prior to adding a reference to it leading a possible assertion failure. [RT #23219] +3211. [func] dnssec-signzone: "-f -" prints to stdout; "-O full" + option prints in single-line-per-record format. + [RT #20287] + +3210. [bug] Canceling the oldest query due to recursive-client + overload could trigger an assertion failure. [RT #26463] + 3209. [func] Add "dnssec-lookaside 'no'". [RT #24858] 3208. [bug] 'dig -y' handle unknown tsig algorithm better. @@ -748,6 +991,11 @@ 3206. [cleanup] Add ISC information to log at start time. [RT #25484] +3205. [func] Upgrade dig's defaults to better reflect modern + nameserver behavior. Enable "dig +adflag" and + "dig +edns=0" by default. Enable "+dnssec" when + running "dig +trace". [RT #23497] + 3204. [bug] When a master server that has been marked as unreachable sends a NOTIFY, mark it reachable again. [RT #25960] 
@@ -755,12 +1003,24 @@ 3203. [bug] Increase log level to 'info' for validation failures from expired or not-yet-valid RRSIGs. [RT #21796] +3202. [bug] NOEDNS caching on timeout was too aggressive. + [RT #26416] + +3201. [func] 'rndc querylog' can now be given an on/off parameter + instead of only being used as a toggle. [RT #18351] + 3200. [doc] Some rndc functions were undocumented or were missing from 'rndc -h' output. [RT #25555] +3199. [func] When logging client information, include the name + being queried. [RT #25944] + 3198. [doc] Clarified that dnssec-settime can alter keyfile permissions. [RT #24866] +3197. [bug] Don't try to log the filename and line number when + the config parser can't open a file. [RT #22263] + 3196. [bug] nsupdate: return nonzero exit code when target zone doesn't exist. [RT #25783] 
@@ -789,10 +1049,50 @@ 3187. [port] win32: support for Visual Studio 2008. [RT #26356] + --- 9.9.0b1 released --- + 3186. [bug] Version/db mis-match in rpz code. [RT #26180] +3185. [func] New 'rndc signing' option for auto-dnssec zones: + - 'rndc signing -list' displays the current + state of signing operations + - 'rndc signing -clear' clears the signing state + records for keys that have fully signed the zone + - 'rndc signing -nsec3param' sets the NSEC3 + parameters for the zone + The 'rndc keydone' syntax is removed. [RT #23729] + +3184. [bug] named had excessive cpu usage when a redirect zone was + configured. [RT #26013] + +3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301] + +3182. [bug] Auth servers behind firewalls which block packets + greater than 512 bytes may cause other servers to + perform poorly. Now, adb retains edns information + and caches noedns servers. [RT #23392/24964] + +3181. [func] Inline-signing is now supported for master zones. + [RT #26224] + +3180. [func] Local copies of slave zones are now saved in raw + format by default, to improve startup performance. + 'masterfile-format text;' can be used to override + the default, if desired. [RT #25867] + 3179. [port] kfreebsd: build issues. [RT #26273] +3178. [bug] A race condition introduced by change #3163 could + cause an assertion failure on shutdown. [RT #26271] + +3177. [func] 'rndc keydone', remove the indicator record that + named has finished signing the zone with the + corresponding key. [RT #26206] + +3176. [doc] Corrected example code and added a README to the + sample external DLZ module in contrib/dlz/example. + [RT #26215] + 3175. [bug] Fix how DNSSEC positive wildcard responses from a NSEC3 signed zone are validated. Stop sending a unnecessary NSEC3 record when generating such 
@@ -803,9 +1103,14 @@ 3173. [port] Correctly validate root DS responses. [RT #25726] +3172. [port] darwin 10.* and freebsd [89] are now built threaded by + default. + 3171. [bug] Exclusively lock the task when adding a zone using 'rndc addzone'. [RT #25600] + --- 9.9.0a3 released --- + 3170. [func] RPZ update: - fix precedence among competing rules - improve ARM text including documenting rule precedence @@ -820,10 +1125,28 @@ 3169. [func] Catch db/version mis-matches when calling dns_db_*(). [RT #26017] +3168. [bug] Nxdomain redirection could trigger an assert with + a ANY query. [RT #26017] + 3167. [bug] Negative answers from forwarders were not being correctly tagged making them appear to not be cached. [RT #25380] +3166. [bug] Upgrading a zone to support inline-signing failed. + [RT #26014] + +3165. [bug] dnssec-signzone could generate new signatures when + resigning, even when valid signatures were already + present. [RT #26025] + +3164. [func] Enable DLZ modules to retrieve client information, + so that responses can be changed depending on the + source address of the query. [RT #25768] + +3163. [bug] Use finer-grained locking in client.c to address + concurrency problems with large numbers of threads. + [RT #26044] + 3162. [test] start.pl: modified to allow for "named.args" in ns*/ subdirectory to override stock arguments to named. Largely from RT#26044, but no separate ticket. 
@@ -831,24 +1154,52 @@ 3161. [bug] zone.c:del_sigs failed to always reset rdata leading assertion failures. [RT #25880] +3160. [bug] When printing out a NSEC3 record in multiline form + the newline was not being printed causing type codes + to be run together. [RT #25873] + +3159. [bug] On some platforms, named could assert on startup + when running in a chrooted environment without + /proc. [RT #25863] + +3158. [bug] Recursive servers would prefer a particular UDP + socket instead of using all available sockets. + [RT #26038] + 3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing the config file before pausing the server. [RT #21373] +3156. [placeholder] + + --- 9.9.0a2 released --- + 3155. [bug] Fixed a build failure when using contrib DLZ drivers (e.g., mysql, postgresql, etc). [RT #25710] 3154. [bug] Attempting to print an empty rdataset could trigger an assert. [RT #25452] +3153. [func] Extend request-ixfr to zone level and remove the + side effect of forcing an AXFR. [RT #25156] + 3152. [cleanup] Some versions of gcc and clang failed due to incorrect use of __builtin_expect. [RT #25183] 3151. [bug] Queries for type RRSIG or SIG could be handled incorrectly. [RT #21050] +3150. [func] Improved startup and reconfiguration time by + enabling zones to load in multiple threads. [RT #25333] + +3149. [placeholder] + 3148. [bug] Processing of normal queries could be stalled when forwarding a UPDATE message. [RT #24711] +3147. [func] Initial inline signing support. [RT #23657] + + --- 9.9.0a1 released --- + 3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598] 3145. [test] Capture output of ATF unit tests in "./atf.out" if 
@@ -859,29 +1210,31 @@ 3143. [bug] Silence clang compiler warnings. [RT #25174] -3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321 - for the hashing algorithms (md5, sha1 - sha512, and - their hmac counterparts). [RT #25067] - - --- 9.8.1 released --- - - --- 9.8.1rc1 released --- +3142. [bug] NAPTR is class agnostic. [RT #25429] 3141. [bug] Silence spurious "zone serial (0) unchanged" messages associated with empty zones. [RT #25079] +3140. [func] New command "rndc flushtree " clears the + specified name from the server cache along with + all names under it. [RT #19970] + +3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321 + for the hashing algorithms (md5, sha1 - sha512, and + their hmac counterparts). [RT #25067] + 3138. [bug] Address memory leaks and out-of-order operations when shutting named down. [RT #25210] +3137. [func] Improve hardware scalability by allowing multiple + worker threads to process incoming UDP packets. + This can significantly increase query throughput + on some systems. [RT #22992] + 3136. [func] Add RFC 1918 reverse zones to the list of built-in empty zones switched on by the 'empty-zones-enable' option. [RT #24990] - Note: empty-zones-enable must be "yes;" or a empty - zone needs to be disabled in named.conf for RFC 1918 - zones to be activated. This requirement may be - removed in future releases. - 3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing. See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307 [RT #24950] 
@@ -889,19 +1242,34 @@ 3134. [bug] Improve the accuracy of dnssec-signzone's signing statistics. [RT #16030] - --- 9.8.1b3 released --- - 3133. [bug] Change #3114 was incomplete. [RT #24577] +3132. [placeholder] + 3131. [tuning] Improve scalability by allocating one zone task per 100 zones at startup time, rather than using a fixed-size task table. [RT #24406] +3130. [func] Support alternate methods for managing a dynamic + zone's serial number. Two methods are currently + defined using serial-update-method, "increment" + (default) and "unixtime". [RT #23849] + 3129. [bug] Named could crash on 'rndc reconfig' when allow-new-zones was set to yes and named ACLs were used. [RT #22739] - --- 9.8.1b2 released --- +3128. [func] Inserting an NSEC3PARAM via dynamic update in an + auto-dnssec zone that has not been signed yet + will cause it to be signed with the specified NSEC3 + parameters when keys are activated. The + NSEC3PARAM record will not appear in the zone until + it is signed, but the parameters will be stored. + [RT #23684] + +3127. [bug] 'rndc thaw' will now remove a zone's journal file + if the zone serial number has been changed and + ixfr-from-differences is not in use. [RT #24687] 3126. [security] Using DNAME record to generate replacements caused RPZ to exit with a assertion failure. [RT #24766] @@ -941,6 +1309,12 @@ never-implemented 'auto-dnssec create' option. [RT #24533] +3116. [func] New 'dnssec-update-mode' option controls updates + of DNSSEC records in signed dynamic zones. Set to + 'no-resign' to disable automatic RRSIG regeneration + while retaining the ability to sign new or changed + data. [RT #24533] + 3115. [bug] Named could fail to return requested data when following a CNAME that points into the same zone. [RT #24455] 
@@ -951,8 +1325,6 @@ 3113. [doc] Document the relationship between serial-query-rate and NOTIFY messages. - --- 9.8.1b1 released --- - 3112. [doc] Add missing descriptions of the update policy name types "ms-self", "ms-subdomain", "krb5-self" and "krb5-subdomain", which allow machines to update @@ -965,9 +1337,23 @@ 3110. [bug] dnssec-signzone: Wrong error message could appear when attempting to sign with no KSK. [RT #24369] +3109. [func] The also-notify option now uses the same syntax + as a zone's masters clause. This means it is + now possible to specify a TSIG key to use when + sending notifies to a given server, or to include + an explicit named masters list in an also-notfiy + statement. [RT #23508] + +3108. [cleanup] dnssec-signzone: Clarified some error and + warning messages; removed #ifdef ALLOW_KSKLESS_ZONES + code (use -P instead). [RT #20852] + 3107. [bug] dnssec-signzone: Report the correct number of ZSKs when using -x. [RT #20852] +3106. [func] When logging client requests, include the name of + the TSIG key if any. [RT #23619] + 3105. [bug] GOST support can be suppressed by "configure --without-gost" [RT #24367] @@ -977,6 +1363,12 @@ instead of in the options statement could trigger an assertion failure in named-checkconf. [RT #24382] *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
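Review bot: the [security] entry 3383 added in the hunk at @@ -386,19 +481,34 @@ (named could hang while populating the additional section of a response, RT #31090) is the kind of change the commit log should name next to the feature list, if it does not already. The release markers in this hunk also change from 9.8.4 to 9.9.2, so the import moves to a different release branch; saying so in the log helps operators judge the upgrade.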
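Review bot: entry 3274 ("Log when a zone is not reusable. Only set loadtime on successful loads.", RT #27650) is deleted in the hunk at @@ -607,24 +755,34 @@ and is not re-added in any visible hunk, unlike 3273, which reappears in the hunk at @@ -576,6 +714,16 @@. The new entry 3270 carries the same RT number, so this is probably the 9.9 branch's wording for the same fix, but please confirm against the upstream 9.9.3-P2 changelog that the entry was not lost in the merge.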
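Review bot: change 3261 in the hunk at @@ -636,14 +794,26 @@ ("RRset ordering now defaults to random") alters the default answer ordering for every existing configuration and should be called out for upgraders, for example in UPDATING. Sites that depend on the previous ordering need an explicit rrset-order statement after this import, and the changelog line alone is easy to miss among the bug entries around it.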
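Review bot: the compatibility warning inside entry 3242, in the hunk at @@ -680,8 +859,34 @@, needs to reach operators outside this changelog. It says raw zonefiles generated by this version are no longer compatible with prior versions unless output format "raw=0" is given to dnssec-signzone or named-compilezone, which matters to anyone who hands raw files to servers still running an older BIND or who may need to roll back. Suggest an UPDATING entry that repeats the "raw=0" instruction.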
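Review bot: entry 3205 in the hunk at @@ -748,6 +991,11 @@ changes what dig sends by default ("dig +adflag" and "dig +edns=0" enabled, "+dnssec" enabled under "dig +trace"), so scripts and monitoring checks that wrap dig can see different responses after this import with no change on their side. Suggest documenting this for upgraders, with the advice to set the relevant dig options explicitly in any script whose output is parsed.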
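Review bot: entry 3180 in the hunk at @@ -789,10 +1049,50 @@ switches local copies of slave zones to raw format by default, so tooling that reads those files as text (backups, diffs, monitoring) stops working after the upgrade unless 'masterfile-format text;' is set, and that override should be surfaced in the upgrade notes. Also note that 3182 in this same hunk is listed as backed out by 3236 in the hunk at @@ -696,10 +901,21 @@, so 3182 should not be read as describing current behaviour.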
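Review bot: "also-notfiy" in entry 3109, in the hunk at @@ -965,9 +1337,23 @@, is a misspelling of also-notify, the option name used at the start of the same entry. Since this text is imported under contrib/bind9, leave it as is here and report it upstream rather than carrying a local change.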