BIND 9.7.0 is now available.

Overview:

        BIND 9.7 includes a number of changes from BIND 9.6 and earlier
        releases.  Most are intended to simplify DNSSEC configuration
        and operation.

New features include:

    - Fully automatic signing of zones by "named".
    - Simplified configuration of DNSSEC Lookaside Validation (DLV).
    - Simplified configuration of Dynamic DNS, using the "ddns-confgen"
      command line tool or the "local" update-policy option.  (As a side
      effect, this also makes it easier to configure automatic zone
      re-signing.)
    - New named option "attach-cache" that allows multiple views to
      share a single cache.
    - DNS rebinding attack prevention.
    - New default values for dnssec-keygen parameters.
    - Support for RFC 5011 automated trust anchor maintenance.
    - Smart signing: simplified tools for zone signing and key
      maintenance.
    - The "statistics-channels" option is now available on Windows.
    - A new DNSSEC-aware libdns API for use by non-BIND9 applications.
    - On some platforms, named and other binaries can now print out
      a stack backtrace on assertion failure, to aid in debugging.
    - A "tools only" installation mode on Windows, which only installs
      dig, host, nslookup and nsupdate.
    - Improved PKCS#11 support, including Keyper support and explicit
      OpenSSL engine selection.

Known issues in this release:

    - A validating resolver that has been incorrectly configured with
      an invalid trust anchor will be unable to resolve names covered
      by that trust anchor.  In all current versions of BIND 9, such a
      resolver will also generate significant unnecessary DNS traffic
      while trying to validate.  The latter problem will be addressed
      in future BIND 9 releases.  In the meantime, to avoid these
      problems, exercise caution when configuring "trusted-keys": make
      sure all keys are correct and current when you add them, and
      update your configuration in a timely manner when keys roll over.

    - In rare cases, DNSSEC validation can leak memory.  When this 
      happens, it will cause an assertion failure when named exits,
      but is otherwise harmless.  A fix exists, but was too late for
      this release; it will be included in BIND 9.7.1.

Compatibility notes:

    - If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
      ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then
      you should ensure that all changes that are in progress have
      completed prior to upgrading to BIND 9.7.  BIND 9.7 implements
      those features in a way which is not backwards compatible.

    - Prior releases had a bug which caused HMAC-SHA* keys with long
      secrets to be used incorrectly.  Fixing this bug means that older
      versions of BIND 9 may fail to interoperate with this version
      when using TSIG keys.  If this occurs, the new "isc-hmac-fixup"
      tool will convert a key with a long secret into a form that works
      correctly with all versions of BIND 9.  See the "isc-hmac-fixup"
      man page for additional details.
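
      As an added illustration (not part of this announcement or of
      BIND's own code), the Python below shows the RFC 2104 rule a
      conforming HMAC implementation applies: a secret longer than the
      hash function's block size is hashed first, so a MAC computed with
      the long secret is identical to one computed with the secret's
      digest.  Replacing a long secret by its digest is therefore safe
      for any conforming peer, which is the property a conversion such
      as isc-hmac-fixup's relies on; the announcement does not describe
      the tool's internals, so fixup_secret below is my own helper, not
      the tool.  Python's hmac module implements the rule, so the
      equality can be checked directly.

```python
import hashlib
import hmac


def fixup_secret(secret: bytes, digest: str) -> bytes:
    """Return a secret for which any RFC 2104 HMAC yields the same MAC.

    A secret longer than the hash's block size (64 bytes for SHA-1/224/256,
    128 bytes for SHA-384/512) is replaced by its digest; shorter secrets
    are returned unchanged.  Hypothetical helper, not isc-hmac-fixup itself.
    """
    h = hashlib.new(digest)
    if len(secret) > h.block_size:
        h.update(secret)
        return h.digest()
    return secret


def macs_agree(secret: bytes, message: bytes, digest: str) -> bool:
    """True if HMAC over the original and the converted secret are identical."""
    original = hmac.new(secret, message, digest).digest()
    converted = hmac.new(fixup_secret(secret, digest), message, digest).digest()
    return hmac.compare_digest(original, converted)


if __name__ == "__main__":
    # Constructed sample: a 100-byte TSIG secret and a dummy message.
    long_secret = bytes(range(100))
    msg = b"constructed TSIG-signed message"
    for alg in ("sha1", "sha256", "sha512"):
        fixed = fixup_secret(long_secret, alg)
        print(alg, "converted" if fixed != long_secret else "unchanged",
              "- MACs agree:", macs_agree(long_secret, msg, alg))
```

      The conversion only touches secrets above the block-size threshold
      and is idempotent, so running it twice is harmless.  Note that the
      threshold depends on the algorithm: a 100-byte secret under SHA-256
      becomes a 32-byte digest, while the same secret under SHA-512
      (128-byte blocks) is left alone, so a converted secret belongs to
      one algorithm and must be recorded together with it.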

    - Revoking a DNSSEC key with "dnssec-revoke" changes its key ID.
      It is possible for the new key ID to collide with that of a
      different key.  Newly generated keys will not have this problem,
      as "dnssec-keygen" looks for potential collisions before
      generating keys, but exercise caution if using key revocation
      with keys that were generated by older versions of BIND 9.  See
      the Administrator's Reference Manual, section 4.10 ("Dynamic
      Trust Anchor Management") for more details.
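
      To see why revocation changes a key ID and how a generator can
      screen for the resulting collisions, here is an added Python
      example (not the announcement's or BIND's own code).  It computes
      the RFC 4034 Appendix B key tag over DNSKEY RDATA, sets the RFC
      5011 REVOKE flag bit, and rejects a candidate key whose tag, or
      whose tag after revocation, matches that of an existing key in
      either state.  The public-key bytes are constructed, and the
      collision rule is my own formulation of the check this note
      describes, not a transcription of dnssec-keygen.

```python
import struct

REVOKE = 0x0080    # DNSKEY flags bit defined by RFC 5011
ZONE_KEY = 0x0100  # DNSKEY "zone key" flag; OR in SEP (0x0001) for a KSK
PROTOCOL = 3       # DNSKEY protocol field is always 3 (RFC 4034)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B over the full DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + public_key


def revoke(rdata: bytes) -> bytes:
    """Return the RDATA with the REVOKE bit set; everything else unchanged.

    Because the flags field is part of the tagged data, the key tag of
    the revoked key differs from the tag of the published key.
    """
    (flags,) = struct.unpack("!H", rdata[:2])
    return struct.pack("!H", flags | REVOKE) + rdata[2:]


def tag_pair(rdata: bytes) -> tuple:
    """(tag as published, tag after revocation) for one key."""
    return key_tag(rdata), key_tag(revoke(rdata))


def collides(candidate: bytes, existing: list) -> bool:
    """Hypothetical pre-generation check: reject a candidate whose tag in
    either state equals an existing key's tag in either state."""
    mine = set(tag_pair(candidate))
    return any(mine & set(tag_pair(other)) for other in existing)


if __name__ == "__main__":
    # Constructed sample keys: short fake public-key bytes, algorithm 8
    # (RSASHA256), not real key material.
    zone_keys = [dnskey_rdata(ZONE_KEY, 8, b"\x01\x02\x03\x84"),
                 dnskey_rdata(ZONE_KEY | 0x0001, 8, b"\x10\x20\x30\x40")]
    candidate = dnskey_rdata(ZONE_KEY, 8, b"\x01\x02\x03\x04")
    for k in zone_keys:
        print("existing key tags (live, revoked):", tag_pair(k))
    print("candidate tags (live, revoked):", tag_pair(candidate))
    print("candidate would collide after a revocation:",
          collides(candidate, zone_keys))
```

      In the sample the candidate's published tag is free, but its
      revoked tag equals the published tag of the first existing key,
      so the candidate is rejected; that is exactly the case a key
      generated by an older BIND 9 was never checked against.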

    - A bug was fixed in which a key's scheduled inactivity date was
      stored incorrectly.  Users who participated in the 9.7.0 BETA test
      and had DNSSEC keys with scheduled inactivity dates will need to
      reset those keys' dates using "dnssec-settime -I".


BIND 9.7.0 can be downloaded from:

        ftp://ftp.isc.org/isc/bind9/9.7.0/bind-9.7.0.tar.gz

The PGP signature of the distribution is at:

        ftp://ftp.isc.org/isc/bind9/9.7.0/bind-9.7.0.tar.gz.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0/bind-9.7.0.tar.gz.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0/bind-9.7.0.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

        ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.zip
        ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.debug.zip

The PGP signature of the binary kit is at:
        
        ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.zip.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.zip.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.zip.sha512.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.debug.zip.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.debug.zip.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.debug.zip.sha512.asc

Changes since 9.7.0a1:

        --- 9.7.0 released ---

2849.   [bug]           Don't treat errors from the xml2 library as fatal.
                        [RT #20945]

2848.   [doc]           Moved README.dnssec, README.libdns, README.pkcs11 and
                        README.rfc5011 into the ARM. [RT #20899]

2847.   [cleanup]       Corrected usage message in dnssec-settime. [RT #20921]

2846.   [bug]           EOF on unix domain sockets was not being handled
                        correctly. [RT #20731]

2845.   [bug]           RFC 5011 client could crash on shutdown. [RT #20903]

2844.   [doc]           notify-delay default in ARM was wrong.  It should have
                        been five (5) seconds.

        --- 9.7.0rc2 released ---

2843.   [func]          Prevent dnssec-keygen and dnssec-keyfromlabel from
                        creating key files if there is a chance that the new
                        key ID will collide with an existing one after
                        either of the keys has been revoked.  (To override
                        this in the case of dnssec-keyfromlabel, use the -y
                        option.  dnssec-keygen will simply create a
                        different, noncolliding key, so an override is
                        not necessary.) [RT #20838]

2842.   [func]          Added "smartsign" and improved "autosign" and
                        "dnssec" regression tests. [RT #20865]

2841.   [bug]           Change 2836 was not complete. [RT #20883]

2840.   [bug]           Temporarily fixed pkcs11-destroy usage check.
                        [RT #20760]

2839.   [bug]           A KSK revoked by named could not be deleted.
                        [RT #20881]

2838.   [placeholder]

2837.   [port]          Prevent Linux spurious warnings about fwrite().
                        [RT #20812]

2836.   [bug]           Keys that were scheduled to become active could
                        be delayed. [RT #20874]

2835.   [bug]           Key inactivity dates were inadvertently stored in
                        the private key file with the outdated tag
                        "Unpublish" rather than "Inactive".  This has been
                        fixed; however, any existing keys that had Inactive
                        dates set will now need to have them reset, using
                        'dnssec-settime -I'. [RT #20868]

2834.   [bug]           HMAC-SHA* keys that were longer than the algorithm
                        digest length were used incorrectly, leading to
                        interoperability problems with other DNS
                        implementations.  This has been corrected.
                        (Note: If an oversize key is in use, and
                        compatibility is needed with an older release of
                        BIND, the new tool "isc-hmac-fixup" can convert
                        the key secret to a form that will work with all
                        versions.) [RT #20751]

2833.   [cleanup]       Fix usage messages in dnssec-keygen and dnssec-settime.
                        [RT #20851]

2832.   [bug]           Modify "struct stat" in lib/export/samples/nsprobe.c
                        to avoid redefinition in some OSes. [RT #20831]

2831.   [security]      Do not attempt to validate or cache
                        out-of-bailiwick data returned with a secure
                        answer; it must be re-fetched from its original
                        source and validated in that context. [RT #20819]

2830.   [bug]           Changing the OPTOUT setting could take multiple
                        passes. [RT #20813]

2829.   [bug]           Fixed potential node inconsistency in rbtdb.c.
                        [RT #20808]

2828.   [security]      Cached CNAME or DNAME RR could be returned to clients
                        without DNSSEC validation. [RT #20737]

2827.   [security]      Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2826.   [bug]           NSEC3->NSEC transitions could fail due to a lock not
                        being released.  [RT #20740]

2825.   [bug]           Changing the setting of OPTOUT in a NSEC3 chain that
                        was in the process of being created was not properly
                        recorded in the zone. [RT #20786]

2824.   [bug]           "rndc sign" was not being run by the correct task.
                        [RT #20759]

2823.   [bug]           rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2822.   [bug]           rbtdb.c:loadnode() could return the wrong result.
                        [RT #20802]

2821.   [doc]           Add note that named-checkconf doesn't automatically
                        read rndc.key and bind.keys [RT #20758]

2819.   [cleanup]       Removed unnecessary DNS_POINTER_MAXHOPS define.
                        [RT #20771]

2818.   [cleanup]       rndc could return an incorrect error code 
                        when a zone was not found. [RT #20767]

2817.   [cleanup]       Removed unnecessary isc_tasc_endexclusive() calls.
                        [RT #20768]

2816.   [bug]           previous_closest_nsec() could fail to return
                        data for NSEC3 nodes [RT #29730]

2815.   [bug]           Exclusively lock the task when freezing a zone.
                        [RT #19838]

2814.   [func]          Provide a definitive error message when a master
                        zone is not loaded. [RT #20757]
 
2813.   [bug]           Better handling of unreadable DNSSEC key files.
                        [RT #20710]

2812.   [bug]           Make sure updates can't result in a zone with
                        NSEC-only keys and NSEC3 records. [RT #20748]

2811.   [cleanup]       Add "rndc sign" to list of commands in rndc usage
                        output. [RT #20733]

2810.   [doc]           Clarified the process of transitioning an NSEC3 zone
                        to insecure. [RT #20746]

2809.   [cleanup]       Restored accidentally-deleted text in usage output
                        in dnssec-settime and dnssec-revoke [RT #20739]

2808.   [bug]           Remove the attempt to install atomic.h from lib/isc.
                        atomic.h is correctly installed by the architecture
                        specific subdirectories.  [RT #20722]

2807.   [bug]           Fixed a possible ASSERT when reconfiguring zone
                        keys. [RT #20720]

        --- 9.7.0rc1 released ---

2806.   [bug]           "rndc sign" could delay re-signing the DNSKEY
                        when it had changed. [RT #20703]

2805.   [bug]           Fixed namespace problems encountered when building
                        external programs using non-exported BIND9 libraries
                        (i.e., built without --enable-exportlib). [RT #20679]

2804.   [bug]           Send notifies when a zone is signed with "rndc sign"
                        or as a result of a scheduled key change. [RT #20700]

2803.   [port]          win32: Install named-journalprint, nsec3hash, arpaname
                        and genrandom under windows. [RT #20670]

2802.   [cleanup]       Rename journalprint to named-journalprint. [RT #20670]

2801.   [func]          Detect and report records that are different according
                        to DNSSEC but are semantically equal according to plain
                        DNS.  Apply plain DNS comparisons rather than DNSSEC
                        comparisons when processing UPDATE requests.
                        dnssec-signzone now removes such semantically duplicate
                        records prior to signing the RRset.

                        named-checkzone -r {ignore|warn|fail} (default warn)
                        named-compilezone -r {ignore|warn|fail} (default warn)
                        
                        named.conf: check-dup-records {ignore|warn|fail};

2800.   [func]          Reject zones which have NS records which refer to
                        CNAMEs, DNAMEs or don't have address record (class IN
                        only).  Reject UPDATEs which would cause the zone
                        to fail the above checks if committed. [RT #20678]

2799.   [cleanup]       Changed the "secure-to-insecure" option to
                        "dnssec-secure-to-insecure", and "dnskey-ksk-only"
                        to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

2798.   [bug]           Addressed bugs in managed-keys initialization 
                        and rollover. [RT #20683]

2797.   [bug]           Don't decrement the dispatch manager's maxbuffers.
                        [RT #20613]

2796.   [bug]           Missing dns_rdataset_disassociate() call in
                        dns_nsec3_delnsec3sx(). [RT #20681]

2795.   [cleanup]       Add text to differentiate "update with no effect"
                        log messages. [RT #18889]

2794.   [bug]           Install <isc/namespace.h>.  [RT #20677]

2793.   [func]          Add "autosign" and "metadata" tests to the
                        automatic tests. [RT #19946]

2792.   [func]          "filter-aaaa-on-v4" can now be set in view
                        options (if compiled in).  [RT #20635]

2791.   [bug]           The installation of isc-config.sh was broken.
                        [RT #20667]

2790.   [bug]           Handle DS queries to stub zones. [RT #20440]

2789.   [bug]           Fixed an INSIST in dispatch.c [RT #20576]

2788.   [bug]           dnssec-signzone could sign with keys that were
                        not requested [RT #20625]

2787.   [bug]           Spurious log message when zone keys were
                        dynamically reconfigured. [RT #20659]

2786.   [bug]           Additional could be promoted to answer. [RT #20663]

        --- 9.7.0b3 released ---

2785.   [bug]           Revoked keys could fail to self-sign [RT #20652]

2784.   [bug]           TC was not always being set when required glue was
                        dropped. [RT #20655]

2783.   [func]          Return minimal responses to EDNS/UDP queries with a UDP
                        buffer size of 512 or less.  [RT #20654]

2782.   [port]          win32: use getaddrinfo() for hostname lookups.
                        [RT #20650]

2781.   [bug]           Inactive keys could be used for signing. [RT #20649]

2780.   [bug]           dnssec-keygen -A none didn't properly unset the
                        activation date in all cases. [RT #20648]

2779.   [bug]           Dynamic key revocation could fail. [RT #20644]

2778.   [bug]           dnssec-signzone could fail when a key was revoked
                        without deleting the unrevoked version. [RT #20638]

2777.   [contrib]       DLZ MYSQL auto reconnect support discovery was wrong.

2776.   [bug]           Change #2762 was not correct. [RT #20647]

2775.   [bug]           Accept RSASHA256 and RSASHA512 as NSEC3 compatible
                        in dnssec-keyfromlabel. [RT #20643]

2774.   [bug]           Existing cache DB wasn't being reused after
                        reconfiguration. [RT #20629]

2773.   [bug]           In autosigned zones, the SOA could be signed
                        with the KSK. [RT #20628]

2772.   [security]      When validating, track whether pending data was from
                        the additional section or not and only return it if
                        it validates as secure. [RT #20438]

2771.   [bug]           dnssec-signzone: DNSKEY records could be
                        corrupted when importing from key files [RT #20624]

2770.   [cleanup]       Add log messages to resolver.c to indicate events
                        causing FORMERR responses. [RT #20526]

2769.   [cleanup]       Change #2742 was incomplete. [RT #19589]

2768.   [bug]           dnssec-signzone: -S no longer implies -g [RT #20568]

2767.   [bug]           named could crash on startup if a zone was
                        configured with auto-dnssec and there was no
                        key-directory. [RT #20615]

2766.   [bug]           isc_socket_fdwatchpoke() should only update the
                        socketmgr state if the socket is not pending on a
                        read or write.  [RT #20603]

2765.   [bug]           Skip masters for which the TSIG key cannot be found.
                        [RT #20595]

2764.   [bug]           "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]

2763.   [bug]           "rndc sign" didn't create an NSEC chain. [RT #20591]

2762.   [bug]           DLV validation failed with a local slave DLV zone.
                        [RT #20577]

2761.   [cleanup]       Enable internal symbol table for backtrace only for
                        systems that are known to work.  Currently, BSD
                        variants, Linux and Solaris are supported. [RT #20202]

2760.   [cleanup]       Corrected named-compilezone usage summary. [RT #20533]

2759.   [doc]           Add information about .jbk/.jnw files to
                        the ARM. [RT #20303]

2758.   [bug]           win32: Added a workaround for a windows 2008 bug
                        that could cause the UDP client handler to shut
                        down. [RT #19176]

2757.   [bug]           dig: assertion failure could occur in connect
                        timeout. [RT #20599]

2756.   [bug]           Fixed corrupt logfile message in update.c. [RT #20597]

2755.   [placeholder]

2754.   [bug]           Secure-to-insecure transitions failed when zone
                        was signed with NSEC3. [RT #20587]

2753.   [bug]           Removed an unnecessary warning that could appear when
                        building an NSEC chain. [RT #20589]

2752.   [bug]           Locking violation. [RT #20587]

2751.   [bug]           Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]

2750.   [bug]           dig: assertion failure could occur when a server
                        didn't have an address. [RT #20579]

2749.   [bug]           ixfr-from-differences generated a non-minimal ixfr
                        for NSEC3 signed zones. [RT #20452]

2748.   [func]          Identify bad answers from GTLD servers and treat them
                        as referrals. [RT #18884]

2747.   [bug]           Journal roll forwards failed to set the re-signing
                        time of RRSIGs correctly. [RT #20541]

2746.   [port]          hpux: address signed/unsigned expansion mismatch of
                        dns_rbtnode_t.nsec. [RT #20542]

2745.   [bug]           configure script didn't probe the return type of
                        gai_strerror(3) correctly. [RT #20573]

2744.   [func]          Log if a query was over TCP. [RT #19961]

2743.   [bug]           RRSIG could be incorrectly set in the NSEC3 record
                        for an insecure delegation.

        --- 9.7.0b2 released ---

2742.   [cleanup]       Clarify some DNSSEC-related log messages in
                        validator.c. [RT #19589]

2741.   [func]          Allow the dnssec-keygen progress messages to be
                        suppressed (dnssec-keygen -q).  Automatically
                        suppress the progress messages when stdin is not
                        a tty. [RT #20474]

2740.   [placeholder]

2739.   [cleanup]       Clean up API for initializing and clearing trust
                        anchors for a view. [RT #20211]

2738.   [func]          Add RSASHA256 and RSASHA512 tests to the dnssec system
                        test. [RT #20453]

2737.   [func]          UPDATE requests can leak existence information.
                        [RT #17261]

2736.   [func]          Improve the performance of NSEC signed zones with
                        more than a normal amount of glue below a delegation.
                        [RT #20191]

2735.   [bug]           dnssec-signzone could fail to read keys
                        that were specified on the command line with
                        full paths, but weren't in the current
                        directory. [RT #20421]

2734.   [port]          cygwin: arpaname did not compile. [RT #20473]

2733.   [cleanup]       Clean up coding style in pkcs11-* tools. [RT #20355]

2732.   [func]          Add optional filter-aaaa-on-v4 option, available
                        if built with './configure --enable-filter-aaaa'.
                        Filters out AAAA answers to clients connecting
                        via IPv4.  (This is NOT recommended for general
                        use.) [RT #20339]

2731.   [func]          Additional work on change 2709.  The key parser
                        will now ignore unrecognized fields when the
                        minor version number of the private key format
                        has been increased.  It will reject any key with
                        the major version number increased. [RT #20310]

2730.   [func]          Have dnssec-keygen display a progress indication
                        a la 'openssl genrsa' on standard error.  Note that
                        when the first '.' is followed by a long pause, the
                        choice is between slow generation and poorer random
                        quality (i.e., '-r /dev/urandom').
                        [RT #20284]

2729.   [func]          When constructing a CNAME from a DNAME use the DNAME
                        TTL. [RT #20451]

2728.   [bug]           dnssec-keygen, dnssec-keyfromlabel and
                        dnssec-signzone now warn immediately if asked to
                        write into a nonexistent directory. [RT #20278]

2727.   [func]          The 'key-directory' option can now specify a relative
                        path. [RT #20154]

2726.   [func]          Added support for SHA-2 DNSSEC algorithms,
                        RSASHA256 and RSASHA512. [RT #20023]

2725.   [doc]           Added information about the file "managed-keys.bind"
                        to the ARM. [RT #20235]

2724.   [bug]           Updates to an existing node in a secure zone using NSEC
                        were failing. [RT #20448]

2723.   [bug]           isc_base32_totext(), isc_base32hex_totext(), and
                        isc_base64_totext(), didn't always mark regions of
                        memory as fully consumed after conversion.  [RT #20445]

2722.   [bug]           Ensure that the memory associated with the name of
                        a node in a rbt tree is not altered during the life
                        of the node. [RT #20431]

2721.   [port]          Have dst__entropy_status() prime the random number
                        generator. [RT #20369]

2720.   [bug]           RFC 5011 trust anchor updates could trigger an
                        assert if the DNSKEY record was unsigned. [RT #20406]

2719.   [func]          Skip trusted/managed keys for unsupported algorithms.
                        [RT #20392]

2718.   [bug]           The space calculations in opensslrsa_todns() were
                        incorrect. [RT #20394]

2717.   [bug]           named failed to update the NSEC/NSEC3 record when
                        the last private type record was removed as a result
                        of completing the signing of the zone with a key.
                        [RT #20399]

2716.   [bug]           nslookup debug mode didn't return the ttl. [RT #20414]

        --- 9.7.0b1 released ---

2715.   [bug]           Require OpenSSL support to be explicitly disabled.
                        [RT #20288]

2714.   [port]          aix/powerpc: 'asm("ics");' needs non-standard assembler
                        flags.

2713.   [bug]           powerpc: atomic operations missing asm("ics") /
                        __isync() calls.

2712.   [func]          New 'auto-dnssec' zone option allows zone signing
                        to be fully automated in zones configured for
                        dynamic DNS.  'auto-dnssec allow;' permits a zone
                        to be signed by creating keys for it in the
                        key-directory and using 'rndc sign <zone>'.
                        'auto-dnssec maintain;' allows that too, plus it
                        also keeps the zone's DNSSEC keys up to date
                        according to their timing metadata. [RT #19943]

2711.   [port]          win32: Add the bin/pkcs11 tools into the full
                        build. [RT #20372]

2710.   [func]          New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
                        zone option cause a zone to be signed with only KSKs
                        signing the DNSKEY RRset, not ZSKs.  This reduces
                        the size of a DNSKEY answer.  [RT #20340]

2709.   [func]          Added some data fields, currently unused, to the
                        private key file format, to allow implementation
                        of explicit key rollover in a future release
                        without impairing backward or forward compatibility.
                        [RT #20310]

2708.   [func]          Insecure to secure and NSEC3 parameter changes via
                        update are now fully supported and no longer require
                        defines to enable.  We now no longer overload the
                        NSEC3PARAM flag field, nor the NSEC OPT bit at the
                        apex.  Secure to insecure changes are controlled by
                        the named.conf option 'secure-to-insecure'.

                        Warning: If you had previously enabled support by
                        adding defines at compile time to BIND 9.6 you should
                        ensure that all changes that are in progress have
                        completed prior to upgrading to BIND 9.7.  BIND 9.7
                        is not backwards compatible.

2707.   [func]          dnssec-keyfromlabel no longer requires the engine name
                        to be specified in the label if there is a default
                        engine or the -E option has been used.  Also, it
                        now uses default algorithms as dnssec-keygen does
                        (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
                        [RT #20371]

2706.   [bug]           Loading a zone with a very large NSEC3 salt could
                        trigger an assert. [RT #20368]

2705.   [placeholder]

2704.   [bug]           Serial of dynamic and stub zones could be inconsistent
                        with their SOA serial.  [RT #19387]

2703.   [func]          Introduce an OpenSSL "engine" argument with -E
                        for all binaries which can take benefit of
                        crypto hardware. [RT #20230]

2702.   [func]          Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]

2701.   [doc]           Correction to ARM: hmac-md5 is no longer the only
                        supported TSIG key algorithm. [RT #18046]

2700.   [doc]           The match-mapped-addresses option is discouraged.
                        [RT #12252]

2699.   [bug]           Missing lock in rbtdb.c. [RT #20037]

2698.   [placeholder]

2697.   [port]          win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
                        S_IFREG are defined after including <isc/stat.h>.
                        [RT #20309]

2696.   [bug]           named failed to successfully process some valid
                        acl constructs. [RT #20308]

2695.   [func]          DHCP/DDNS - update fdwatch code for use by
                        DHCP.  Modify the API to isc_sockfdwatch_t (the
                        callback function for isc_socket_fdwatchcreate)
                        to include information about the direction (read
                        or write) and add isc_socket_fdwatchpoke.
                        [RT #20253]

2694.   [bug]           Reduce default NSEC3 iterations from 100 to 10.
                        [RT #19970]

2693.   [port]          Add some noreturn attributes. [RT #20257]

2692.   [port]          win32: 32/64 bit cleanups. [RT #20335]

2691.   [func]          dnssec-signzone: retain the existing NSEC or NSEC3
                        chain when re-signing a previously-signed zone.
                        Use -u to modify NSEC3 parameters or switch
                        between NSEC and NSEC3. [RT #20304]

2690.   [bug]           win32: fix isc_thread_key_getspecific() prototype.
                        [RT #20315]

2689.   [bug]           Correctly handle snprintf result. [RT #20306]

2688.   [bug]           Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
                        to decide to fetch the destination address. [RT #20305]

2687.   [bug]           Fixed dnssec-signzone -S handling of revoked keys.
                        Also, added warnings when revoking a ZSK, as this is
                        not defined by protocol (but is legal).  [RT #19943]

2686.   [bug]           dnssec-signzone should clean the old NSEC chain when
                        signing with NSEC3 and vice versa. [RT #20301]

2685.   [contrib]       Update contrib/zkt to version 0.99c. [RT #20054]

2684.   [cleanup]       dig: formalize +ad and +cd as synonyms for
                        +adflag and +cdflag.  [RT #19305]

2683.   [bug]           dnssec-signzone should clean out old NSEC3 chains when
                        the NSEC3 parameters used to sign the zone change.
                        [RT #20246]

2682.   [bug]           "configure --enable-symtable=all" failed to
                        build. [RT #20282]

2681.   [bug]           IPSECKEY RR of gateway type 3 was not correctly
                        decoded. [RT #20269]

2680.   [func]          Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]

2679.   [func]          dig -k can now accept TSIG keys in named.conf
                        format.  [RT #20031]

2678.   [func]          Treat DS queries as if "minimal-response yes;"
                        was set. [RT #20258]

2677.   [func]          Changes to key metadata behavior:
                        - Keys without "publish" or "active" dates set will
                          no longer be used for smart signing.  However,
                          those dates will be set to "now" by default when
                          a key is created; to generate a key but not use
                          it yet, use dnssec-keygen -G.
                        - New "inactive" date (dnssec-keygen/settime -I)
                          sets the time when a key is no longer used for
                          signing but is still published.
                        - The "unpublished" date (-U) is deprecated in
                          favor of "deleted" (-D).
                        [RT #20247]

2676.   [bug]           --with-export-installdir should have been
                        --with-export-includedir. [RT #20252]

2675.   [bug]           dnssec-signzone could crash if the key directory
                        did not exist. [RT #20232]

        --- 9.7.0a3 released ---

2674.   [bug]           "dnssec-lookaside auto;" crashed if named was built
                        without openssl. [RT #20231]

2673.   [bug]           The managed-keys.bind zone file could fail to
                        load due to a spurious result from sync_keyzone()
                        [RT #20045]

2672.   [bug]           Don't enable searching in 'host' when doing reverse
                        lookups. [RT #20218]

2671.   [bug]           Add support for PKCS#11 providers not returning
                        the public exponent in RSA private keys
                        (OpenCryptoki for instance) in
                        dnssec-keyfromlabel. [RT #19294]

2670.   [bug]           Unexpected connect failures failed to log enough
                        information to be useful. [RT #20205]

2669.   [func]          Update PKCS#11 support to support Keyper HSM.
                        Update PKCS#11 patch to be against openssl-0.9.8i.

2668.   [func]          Several improvements to dnssec-* tools, including:
                        - dnssec-keygen and dnssec-settime can now set key
                          metadata fields to 0 (to unset a value, use "none")
                        - dnssec-revoke sets the revocation date in
                          addition to the revoke bit
                        - dnssec-settime can now print individual metadata
                          fields instead of always printing all of them,
                          and can print them in unix epoch time format for
                          use by scripts
                        [RT #19942]

2667.   [func]          Add support for logging stack backtrace on assertion
                        failure (not available for all platforms). [RT #19780]

2666.   [func]          Added an 'options' argument to dns_name_fromstring()
                        (API change from 9.7.0a2). [RT #20196]

2665.   [func]          Clarify syntax for managed-keys {} statement, add
                        ARM documentation about RFC 5011 support. [RT #19874]

2664.   [bug]           create_keydata() and minimal_update() in zone.c
                        didn't properly check return values for some
                        functions.  [RT #19956]

2663.   [func]          win32:  allow named to run as a service using
                        "NT AUTHORITY\LocalService" as the account. [RT #19977]

2662.   [bug]           lwres_getipnodebyname() and lwres_getipnodebyaddr()
                        returned a misleading error code when lwresd was
                        down. [RT #20028]

2661.   [bug]           Check whether socket fd exceeds FD_SETSIZE when
                        creating lwres context. [RT #20029]

2660.   [func]          Add a new set of DNS libraries for non-BIND9
                        applications.  See README.libdns. [RT #19369]

2659.   [doc]           Clarify dnssec-keygen doc: key name must match zone
                        name for DNSSEC keys. [RT #19938]

2658.   [bug]           dnssec-settime and dnssec-revoke didn't process
                        key file paths correctly. [RT #20078]

2657.   [cleanup]       Lower "journal file <path> does not exist, creating it"
                        log level to debug 1. [RT #20058]

2656.   [func]          win32: add a "tools only" check box to the installer
                        which causes it to only install dig, host, nslookup,
                        nsupdate and relevant DLLs.  [RT #19998]

2655.   [doc]           Document that key-directory does not affect
                        bind.keys, rndc.key or session.key.  [RT #20155]

2654.   [bug]           Improve error reporting on duplicated names for
                        deny-answer-xxx. [RT #20164]

2653.   [bug]           Treat ENGINE_load_private_key() failures as key
                        not found rather than out of memory.  [RT #18033]

2652.   [func]          Provide more detail about what record is being
                        deleted. [RT #20061]

2651.   [bug]           Dates could print incorrectly in K*.key files on
                        64-bit systems. [RT #20076]

2650.   [bug]           Assertion failure in dnssec-signzone when trying
                        to read keyset-* files. [RT #20075]

2649.   [bug]           Set the domain for forward only zones. [RT #19944]

2648.   [port]          win32: isc_time_seconds() was broken. [RT #19900]

2647.   [bug]           Remove unnecessary SOA updates when a new KSK is
                        added. [RT #19913]

2646.   [bug]           Incorrect cleanup on error in socket.c. [RT #19987]

2645.   [port]          "gcc -m32" didn't work on amd64 and x86_64 platforms
                        which default to 64 bits. [RT #19927]

        --- 9.7.0a2 released ---

2644.   [bug]           Change #2628 caused a regression on some systems;
                        named was unable to write the PID file and would
                        fail on startup. [RT #20001]

2643.   [bug]           Stub zones interacted badly with NSEC3 support.
                        [RT #19777]

2642.   [bug]           nsupdate could dump core on solaris when reading
                        improperly formatted key files.  [RT #20015]

2641.   [bug]           Fixed an error in parsing update-policy syntax,
                        added a regression test to check it. [RT #20007]

2640.   [security]      A specially crafted update packet will cause named
                        to exit. [RT #20000]

2639.   [bug]           Silence compiler warnings in gssapi code. [RT #19954]

2638.   [bug]           Install arpaname. [RT #19957]

2637.   [func]          Rationalize dnssec-signzone's signwithkey() calling.
                        [RT #19959]

2636.   [func]          Simplify zone signing and key maintenance with the
                        dnssec-* tools.  Major changes:
                        - all dnssec-* tools now take a -K option to
                          specify a directory in which key files will be
                          stored
                        - DNSSEC keys can now store metadata indicating when
                          they are scheduled to be published, activated,
                          revoked or removed; these values can be set by
                          dnssec-keygen or overwritten by the new
                          dnssec-settime command
                        - dnssec-signzone -S (for "smart") option reads key
                          metadata and uses it to determine automatically
                          which keys to publish to the zone, use for
                          signing, revoke, or remove from the zone
                        [RT #19816]
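The two entries on key metadata (#2677 above, and this one, #2636) describe the schedule that smart signing reads from each key: a key is published once its -P date is reached, signs once its -A date is reached, stops signing at -I while remaining published, and is removed at -D; a key created with -G has no publish/activate dates and is ignored. The following Python model of that decision is an added example written for this page, not code from BIND; the key names, the epoch timestamps and the revoked-key handling (a revoked key stays in the DNSKEY RRset but is not used to sign zone data) are assumptions made to illustrate the rules.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class KeyMetadata:
    """Timing metadata as set by dnssec-keygen / dnssec-settime
    (-P publish, -A activate, -R revoke, -I inactive, -D delete),
    expressed in epoch seconds; None means the date is unset."""
    name: str
    publish: Optional[int] = None
    activate: Optional[int] = None
    revoke: Optional[int] = None
    inactive: Optional[int] = None
    delete: Optional[int] = None


def _reached(when: Optional[int], now: int) -> bool:
    return when is not None and when <= now


def key_state(key: KeyMetadata, now: int) -> dict:
    """Classify one key at time `now` under the smart-signing rules."""
    if key.publish is None or key.activate is None:
        # Key generated with -G: on disk but unscheduled, so it is ignored.
        return {"published": False, "signing": False,
                "revoked": False, "removed": False}
    removed = _reached(key.delete, now)
    published = _reached(key.publish, now) and not removed
    revoked = published and _reached(key.revoke, now)
    # Active window: -A reached and -I (if set) not yet reached.
    # Assumption: a revoked key is kept published but does not sign data.
    signing = (published and not revoked
               and _reached(key.activate, now)
               and not _reached(key.inactive, now))
    return {"published": published, "signing": signing,
            "revoked": revoked, "removed": removed}


def smart_signing_plan(keys, now: int) -> dict:
    """Group keys by what the signer should do with them at time `now`."""
    plan = {"publish": [], "sign": [], "revoke": [], "remove": []}
    for key in keys:
        state = key_state(key, now)
        if state["published"]:
            plan["publish"].append(key.name)
        if state["signing"]:
            plan["sign"].append(key.name)
        if state["revoked"]:
            plan["revoke"].append(key.name)
        if state["removed"]:
            plan["remove"].append(key.name)
    return plan


def example_keys():
    """Constructed sample key set covering each schedule case."""
    return [
        KeyMetadata("K1", publish=0, activate=0),                       # in use
        KeyMetadata("K2", publish=900_000, activate=1_100_000),         # pre-published
        KeyMetadata("K3", publish=0, activate=0, inactive=500_000,
                    delete=2_000_000),                                  # retired, still published
        KeyMetadata("K4", publish=0, activate=0, delete=999_999),       # past its delete date
        KeyMetadata("K5"),                                              # created with -G
        KeyMetadata("K6", publish=0, activate=0, revoke=100),           # revoked
    ]


if __name__ == "__main__":
    print(smart_signing_plan(example_keys(), now=1_000_000))
```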

2635.   [bug]           isc_inet_ntop() incorrectly handled 0.0/16 addresses.
                        [RT #19716]

2634.   [port]          win32: Add support for libxml2, enable
                        statschannel. [RT #19773]

2633.   [bug]           Handle 15 bit rand() functions. [RT #19783]

2632.   [func]          util/kit.sh: warn if documentation appears to be out of
                        date.  [RT #19922]

2631.   [bug]           Handle "//", "/./" and "/../" in mkdirpath().
                        [RT #19926]

2630.   [func]          Improved syntax for DDNS autoconfiguration:  use
                        "update-policy local;" to switch on local DDNS in a
                        zone. (The "ddns-autoconf" option has been removed.)
                        [RT #19875]

2629.   [port]          Check for seteuid()/setegid(), use setresuid()/
                        setresgid() if not present. [RT #19932]

2628.   [port]          linux: Allow /var/run/named/named.pid to be opened
                        at startup with reduced capabilities in operation.
                        [RT #19884]

2627.   [bug]           Named aborted if the same key was included in
                        trusted-keys more than once. [RT #19918]

2626.   [bug]           Multiple trusted-keys could trigger an assertion
                        failure. [RT #19914]

2625.   [bug]           Missing UNLOCK in rbtdb.c. [RT #19865]

2624.   [func]          'named-checkconf -p' will print out the parsed
                        configuration. [RT #18871]

2623.   [bug]           Named started searches for DS non-optimally. [RT #19915]

2622.   [bug]           Printing of named.conf grammar was broken. [RT #19919]

2621.   [doc]           Made copyright boilerplate consistent.  [RT #19833]

2620.   [bug]           Delay thawing the zone until the reload of it has
                        completed successfully.  [RT #19750]

2619.   [func]          Add support for RFC 5011, automatic trust anchor
                        maintenance.  The new "managed-keys" statement can
                        be used in place of "trusted-keys" for zones which
                        support this protocol.  (Note: this syntax is
                        expected to change prior to 9.7.0 final.) [RT #19248]

2618.   [bug]           The sdb and sdlz db_interator_seek() methods could
                        loop infinitely. [RT #19847]

2617.   [bug]           ifconfig.sh failed to emit an error message when
                        run from the wrong location. [RT #19375]

2616.   [bug]           'host' used the nameservers from resolv.conf even
                        when an explicit nameserver was specified. [RT #19852]

2615.   [bug]           "__attribute__((unused))" was in the wrong place
                        for ia64 gcc builds. [RT #19854]

2614.   [port]          win32: 'named -v' should automatically be executed
                        in the foreground. [RT #19844]

2613.   [placeholder]

        --- 9.7.0a1 released ---

2612.   [func]          Add default values for the arguments to
                        dnssec-keygen.  Without arguments, it will now
                        generate a 1024-bit RSASHA1 zone-signing key,
                        or with the -f KSK option, a 2048-bit RSASHA1
                        key-signing key. [RT #19300]

2611.   [func]          Add -l option to dnssec-dsfromkey to generate
                        DLV records instead of DS records. [RT #19300]

2610.   [port]          sunos: Change #2363 was not complete. [RT #19796]

2609.   [func]          Simplify the configuration of dynamic zones:
                        - add ddns-confgen command to generate
                          configuration text for named.conf
                        - add zone option "ddns-autoconf yes;", which
                          causes named to generate a TSIG session key
                          and allow updates to the zone using that key
                        - add '-l' (localhost) option to nsupdate, which
                          causes nsupdate to connect to a locally-running
                          named process using the session key generated
                          by named
                        [RT #19284]

2608.   [func]          Perform post signing verification checks in
                        dnssec-signzone.  These can be disabled with -P.

                        The post sign verification test ensures that for each
                        algorithm in use there is at least one non revoked
                        self signed KSK key.  That all revoked KSK keys are
                        self signed.  That all records in the zone are signed
                        by the algorithm.  [RT #19653]
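The three checks listed in this entry can be expressed directly over a zone's DNSKEY set and its RRSIGs. Below is an added Python checker written for this page, not dnssec-signzone's own code: it takes the apex name, a list of DNSKEYs (id, algorithm, KSK flag, revoked flag), the RRsets present and the RRSIGs covering them, and reports every violation of the three rules. The sample zone, key ids and algorithm number 8 (RSASHA256) are constructed for illustration; the sample assumes the zone has no delegations, so every RRset listed is authoritative and must be signed.

```python
from collections import defaultdict


def verify_signed_zone(apex, dnskeys, rrsets, rrsigs):
    """Post-signing checks, as described for dnssec-signzone:
       1. each algorithm in use has a non-revoked, self-signed KSK;
       2. every revoked KSK is self-signed;
       3. every RRset is signed by every algorithm in the DNSKEY RRset.
    Returns a list of problem strings; an empty list means the zone passes."""
    problems = []
    # (owner, type) -> set of (algorithm, keyid) that signed it
    sigs = defaultdict(set)
    for owner, rtype, alg, keyid in rrsigs:
        sigs[(owner, rtype)].add((alg, keyid))
    dnskey_sigs = sigs[(apex, "DNSKEY")]
    algorithms = {k["alg"] for k in dnskeys}

    # Rule 1: a usable KSK per algorithm, self-signing the DNSKEY RRset.
    for alg in sorted(algorithms):
        usable = [k for k in dnskeys
                  if k["alg"] == alg and k["ksk"] and not k["revoked"]
                  and (alg, k["id"]) in dnskey_sigs]
        if not usable:
            problems.append(f"algorithm {alg}: no non-revoked self-signed KSK")

    # Rule 2: revoked KSKs must still self-sign (RFC 5011 revocation proof).
    for k in dnskeys:
        if k["ksk"] and k["revoked"] and (k["alg"], k["id"]) not in dnskey_sigs:
            problems.append(f"revoked KSK {k['id']} (alg {k['alg']}) is not self-signed")

    # Rule 3: every RRset carries a signature for every algorithm present.
    for owner, rtype in rrsets:
        present = {alg for alg, _ in sigs[(owner, rtype)]}
        for alg in sorted(algorithms - present):
            problems.append(f"{owner} {rtype}: no RRSIG by algorithm {alg}")
    return problems


def example_zone():
    """Constructed sample: one active KSK, one ZSK, one revoked KSK, all alg 8."""
    apex = "example."
    dnskeys = [
        {"id": 1, "alg": 8, "ksk": True, "revoked": False},
        {"id": 2, "alg": 8, "ksk": False, "revoked": False},
        {"id": 3, "alg": 8, "ksk": True, "revoked": True},
    ]
    rrsets = [(apex, "SOA"), (apex, "NS"), (apex, "DNSKEY"), ("www.example.", "A")]
    rrsigs = [
        (apex, "DNSKEY", 8, 1), (apex, "DNSKEY", 8, 3), (apex, "DNSKEY", 8, 2),
        (apex, "SOA", 8, 2), (apex, "NS", 8, 2), ("www.example.", "A", 8, 2),
    ]
    return apex, dnskeys, rrsets, rrsigs


if __name__ == "__main__":
    print(verify_signed_zone(*example_zone()) or "zone verifies")
```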

2607.   [bug]           named could incorrectly delete NSEC3 records for
                        empty nodes when processing an update request.
                        [RT #19749]

2606.   [bug]           "delegation-only" was not being accepted in
                        delegation-only type zones. [RT #19717]

2605.   [bug]           Accept DS responses from delegation only zones.
                        [RT #19296]

2604.   [func]          Add support for DNS rebinding attack prevention through
                        new options, deny-answer-addresses and
                        deny-answer-aliases.  Based on contributed code from
                        JD Nurmi, Google. [RT #18192]
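The rebinding defence these two options provide is a filter on the resolver's own answers: a name outside the operator's domains must not resolve to an address in a protected (typically private or loopback) range, nor alias into a protected domain, because a browser's same-origin checks trust whatever the resolver returns. The Python below is an added example written for this page, not BIND's implementation; it follows the shape of the options (a list of denied address ranges, a list of denied alias targets, and an except-from list of query names the rule does not apply to, as in the BIND ARM), while the ranges, domain names and sample answers are constructed for illustration.

```python
import ipaddress

# Constructed configuration: ranges a public name must never resolve to,
# alias targets to refuse, and query names exempt from both checks.
DENY_ANSWER_ADDRESSES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
)]
DENY_ANSWER_ALIASES = ["corp.example."]
EXCEPT_FROM = ["corp.example."]


def _canon(name: str) -> str:
    """Lower-case and make fully qualified for comparison."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def is_subdomain(name: str, parent: str) -> bool:
    """True if `name` is `parent` or lies below it (label-aligned)."""
    name, parent = _canon(name), _canon(parent)
    return parent == "." or name == parent or name.endswith("." + parent)


def filter_response(qname, answer,
                    deny_addrs=DENY_ANSWER_ADDRESSES,
                    deny_aliases=DENY_ANSWER_ALIASES,
                    except_from=EXCEPT_FROM):
    """Decide whether an answer may be returned to the client.

    `answer` is a list of (owner, rtype, rdata) tuples as they would appear
    in the answer section.  Returns (accept, reason)."""
    if any(is_subdomain(qname, d) for d in except_from):
        return True, "query name is under an except-from domain"
    for owner, rtype, rdata in answer:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            for net in deny_addrs:
                if addr.version == net.version and addr in net:
                    return False, f"{owner} {rtype} {rdata} is inside denied range {net}"
        elif rtype in ("CNAME", "DNAME"):
            for d in deny_aliases:
                if is_subdomain(rdata, d):
                    return False, f"{owner} {rtype} points into denied alias domain {d}"
    return True, "no denied address or alias in answer"


if __name__ == "__main__":
    # Constructed answers: an external name resolving to an internal address
    # is refused; the same address under the exempt domain is fine.
    print(filter_response("evil.attacker.example.",
                          [("evil.attacker.example.", "A", "192.168.1.10")]))
    print(filter_response("printer.corp.example.",
                          [("printer.corp.example.", "A", "10.1.2.3")]))
```

When the filter refuses an answer, a resolver should log the owner name and the offending record (the reason string above) so that a rebinding attempt is visible to operators rather than silently dropped.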

2603.   [port]          win32: handle .exe extension of named-checkzone and
                        named-compilezone argv[0] names under windows.
                        [RT #19767]

2602.   [port]          win32: fix debugging command line build of libisccfg.
                        [RT #19767]

2601.   [doc]           Mention file creation mode mask in the
                        named manual page.

2600.   [doc]           ARM: miscellaneous reformatting for different
                        page widths. [RT #19574]

2599.   [bug]           Address rapid memory growth when validation fails.
                        [RT #19654]

2598.   [func]          Reserve the -F flag. [RT #19657]

2597.   [bug]           Handle a validation failure with an insecure delegation
                        from an NSEC3 signed master/slave zone.  [RT #19464]

2596.   [bug]           Stale tree nodes of cache/dynamic rbtdb could stay
                        long, leading to inefficient memory usage or rejecting
                        newer cache entries in the worst case. [RT #19563]

2595.   [bug]           Fix unknown extended rcodes in dig. [RT #19625]

2594.   [func]          Have rndc warn if using its default configuration
                        file when the key file also exists. [RT #19424]

2593.   [bug]           Improve a corner source of SERVFAILs. [RT #19632]

2592.   [bug]           Treat "any" as a type in nsupdate. [RT #19455]

2591.   [bug]           named could die when processing an update in
                        removed_orphaned_ds(). [RT #19507]

2590.   [func]          Report zone/class of "update with no effect".
                        [RT #19542]

2589.   [bug]           dns_db_unregister() failed to clear '*dbimp'.
                        [RT #19626]

2588.   [bug]           SO_REUSEADDR could be set unconditionally after failure
                        of bind(2) call.  This should be rare and mostly
                        harmless, but may cause interference with other
                        processes that happen to use the same port. [RT #19642]

2587.   [func]          Improve logging by reporting serial numbers for
                        when zone serial has gone backwards or unchanged.
                        [RT #19506]

2586.   [bug]           Missing cleanup of SIG rdataset in searching a DLZ DB
                        or SDB. [RT #19577]

2585.   [bug]           Uninitialized socket name could be referenced via a
                        statistics channel, triggering an assertion failure in
                        XML rendering. [RT #19427]

2584.   [bug]           alpha: gcc optimization could break atomic operations.
                        [RT #19227]

2583.   [port]          netbsd: provide a control to not add the compile
                        date to the version string, -DNO_VERSION_DATE.

2582.   [bug]           Don't emit warning log message when we attempt to
                        remove non-existent journal. [RT #19516]

2581.   [contrib]       dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
                        Requires MySQL 5.0.19 or later. [RT #19084]

2580.   [bug]           UpdateRej statistics counter could be incremented twice
                        for one rejection. [RT #19476]

2579.   [bug]           DNSSEC lookaside validation failed to handle unknown
                        algorithms. [RT #19479]

2578.   [bug]           Changed default sig-signing-type to 65534, because
                        65535 turns out to be reserved.  [RT #19477]

2577.   [doc]           Clarified some statistics counters. [RT #19454]

2576.   [bug]           NSEC records were not being correctly signed when
                        a zone transitions from insecure to secure.
                        Handle such incorrectly signed zones. [RT #19114]

2575.   [func]          New functions dns_name_fromstring() and
                        dns_name_tostring(), to simplify conversion
                        of a string to a dns_name structure and vice
                        versa. [RT #19451]

2574.   [doc]           Document nsupdate -g and -o. [RT #19351]

2573.   [bug]           Replacing a non-CNAME record with a CNAME record in a
                        single transaction in a signed zone failed. [RT #19397]

2572.   [func]          Simplify DLV configuration, with a new option
                        "dnssec-lookaside auto;".  This is the equivalent
                        of "dnssec-lookaside . trust-anchor dlv.isc.org;"
                        plus setting a trusted-key for dlv.isc.org.

                        Note: The trusted key is hard-coded into named,
                        but is also stored in (and can be overridden
                        by) $sysconfdir/bind.keys.  As the ISC DLV key
                        rolls over it can be kept up to date by replacing
                        the bind.keys file with a key downloaded from
                        https://www.isc.org/solutions/dlv. [RT #18685]

2571.   [func]          Add a new tool "arpaname" which translates IP addresses
                        to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
                        [RT #18976]
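The translation arpaname performs is mechanical but easy to get wrong by hand for IPv6, where the address must be expanded to all 32 hex digits before the nibbles are reversed. The Python below is an added example written for this page, not the arpaname source: `arpaname()` reproduces the per-address mapping, and `reverse_zone()` goes one step further than the entry by deriving the reverse zone name for a whole prefix (octet-aligned for IPv4, nibble-aligned for IPv6), which is the name one would delegate or feed to a nibble-mode $GENERATE. The addresses used are documentation ranges chosen for illustration.

```python
import ipaddress


def arpaname(address: str) -> str:
    """Map an IPv4 or IPv6 address to its IN-ADDR.ARPA / IP6.ARPA name.

    Raises ValueError for anything that is not a valid address."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".IN-ADDR.ARPA"
    # exploded gives the full 8x4 hex form; drop the colons to get 32 nibbles
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".IP6.ARPA"


def reverse_zone(prefix: str) -> str:
    """Name of the reverse zone covering `prefix` (e.g. 192.0.2.0/24).

    IPv4 prefixes must be a multiple of 8 bits and IPv6 prefixes a multiple
    of 4 bits, because each reverse label covers one octet or one nibble."""
    net = ipaddress.ip_network(prefix, strict=True)
    bits_per_label = 8 if net.version == 4 else 4
    if net.prefixlen % bits_per_label:
        raise ValueError(f"{prefix}: prefix length is not label-aligned "
                         f"({bits_per_label}-bit labels)")
    labels = arpaname(str(net.network_address)).split(".")
    address_labels = 4 if net.version == 4 else 32
    keep = net.prefixlen // bits_per_label
    # Reverse names are least-significant-first, so the prefix occupies the
    # last `keep` address labels, immediately before the ARPA suffix.
    return ".".join(labels[address_labels - keep:])


if __name__ == "__main__":
    for a in ("192.0.2.1", "2001:db8::1"):
        print(a, "->", arpaname(a))
    for p in ("192.0.2.0/24", "2001:db8::/32"):
        print(p, "->", reverse_zone(p))
```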

2570.   [func]          Log the destination address the query was sent to.
                        [RT #19209]

2569.   [func]          Move journalprint, nsec3hash, and genrandom
                        commands from bin/tests into bin/tools;
                        "make install" will put them in $sbindir. [RT #19301]

2568.   [bug]           Report when the write to indicate an otherwise
                        successful start fails. [RT #19360]

2567.   [bug]           dst__privstruct_writefile() could miss write errors.
                        write_public_key() could miss write errors.
                        dnssec-dsfromkey could miss write errors.
                        [RT #19360]

2566.   [cleanup]       Clarify logged message when an insecure DNSSEC
                        response arrives from a zone thought to be secure:
                        "insecurity proof failed" instead of "not
                        insecure". [RT #19400]

2565.   [func]          Add support for HIP record.  Includes new functions
                        dns_rdata_hip_first(), dns_rdata_hip_next()
                        and dns_rdata_hip_current().  [RT #19384]

2564.   [bug]           Only take EDNS fallback steps when processing timeouts.
                        [RT #19405]

2563.   [bug]           Dig could leak a socket causing it to wait forever
                        to exit. [RT #19359]

2562.   [doc]           ARM: miscellaneous improvements, reorganization,
                        and some new content.

2561.   [doc]           Add isc-config.sh(1) man page. [RT #16378]

2560.   [bug]           Add #include <config.h> to iptable.c. [RT #18258]

2559.   [bug]           dnssec-dsfromkey could compute bad DS records when
                        reading from K* files.  [RT #19357]

2558.   [func]          Set the ownership of missing directories created
                        for pid-file if -u has been specified on the command
                        line. [RT #19328]

2557.   [cleanup]       PCI compliance:
                        * new libisc log module file
                        * isc_dir_chroot() now also changes the working
                          directory to "/".
                        * additional INSISTs
                        * additional logging when files can't be removed.

2556.   [port]          Solaris: mkdir(2) on tmpfs filesystems does not do the
                        error checks in the correct order resulting in the
                        wrong error code sometimes being returned. [RT #19249]

2555.   [func]          dig: when emitting a hex dump also display the
                        corresponding characters. [RT #19258]

2554.   [bug]           Validation of uppercase queries from NSEC3 zones could
                        fail. [RT #19297]

2553.   [bug]           Reference leak on DNSSEC validation errors. [RT #19291]

2552.   [bug]           zero-no-soa-ttl-cache was not being honoured.
                        [RT #19340]

2551.   [bug]           Potential reference leak on return. [RT #19341]

2550.   [bug]           Check --with-openssl=<path> finds <openssl/opensslv.h>.
                        [RT #19343]

2549.   [port]          linux: define NR_OPEN if not currently defined.
                        [RT #19344]

2548.   [bug]           Install iterated_hash.h. [RT #19335]

2547.   [bug]           openssl_link.c:mem_realloc() could reference an
                        out-of-range area of the source buffer.  New public
                        function isc_mem_reallocate() was introduced to address
                        this bug. [RT #19313]

2546.   [func]          Add --enable-openssl-hash configure flag to use
                        OpenSSL (in place of internal routine) for hash
                        functions (MD5, SHA[12] and HMAC). [RT #18815]

2545.   [doc]           ARM: Legal hostname checking (check-names) is
                        for SRV RDATA too. [RT #19304]

2544.   [cleanup]       Removed unused structure members in adb.c. [RT #19225]

2543.   [contrib]       Update contrib/zkt to version 0.98. [RT #19113]

2542.   [doc]           Update the description of dig +adflag. [RT #19290]

2541.   [bug]           Conditionally update dispatch manager statistics.
                        [RT #19247]

2540.   [func]          Add a nibble mode to $GENERATE. [RT #18872]

2539.   [security]      Update the interaction between recursion, allow-query,
                        allow-query-cache and allow-recursion.  [RT #19198]

2538.   [bug]           cache/ADB memory could grow over max-cache-size,
                        especially with threads and smaller max-cache-size
                        values. [RT #19240]

2537.   [func]          Added more statistics counters including those on socket
                        I/O events and query RTT histograms. [RT #18802]

2536.   [cleanup]       Silence some warnings when -Werror=format-security is
                        specified. [RT #19083]

2535.   [bug]           dig +showsearch and +trace interacted badly. [RT #19091]

2534.   [func]          Check NAPTR records regular expressions and
                        replacement strings to ensure they are syntactically
                        valid and consistent. [RT #18168]

2533.   [doc]           ARM: document @ (at-sign). [RT #17144]

2532.   [bug]           dig: check the question section of the response to
                        see if it matches the asked question. [RT #18495]

2531.   [bug]           Change #2207 was incomplete. [RT #19098]

2530.   [bug]           named failed to reject insecure to secure transitions
                        via UPDATE. [RT #19101]

2529.   [cleanup]       Upgrade libtool to silence complaints from recent
                        version of autoconf. [RT #18657]

2528.   [cleanup]       Silence spurious configure warning about
                        --datarootdir. [RT #19096]

2527.   [placeholder]

2526.   [func]          New named option "attach-cache" that allows multiple
                        views to share a single cache to save memory and
                        improve lookup efficiency.  Based on contributed code
                        from Barclay Osborn, Google. [RT #18905]

2525.   [func]          New logging category "query-errors" to provide detailed
                        internal information about query failures, especially
                        about server failures. [RT #19027]

2524.   [port]          sunos: dnssec-signzone needs strtoul(). [RT #19129]

2523.   [bug]           Random type rdata freed by dns_nsec_typepresent().
                        [RT #19112]

2522.   [security]      Handle -1 from DSA_do_verify() and EVP_VerifyFinal().

2521.   [bug]           Improve epoll cross compilation support. [RT #19047]

2520.   [bug]           Update xml statistics version number to 2.0 as change
                        #2388 made the schema incompatible to the previous
                        version. [RT #19080]

2519.   [bug]           dig/host with -4 or -6 didn't work if more than two
                        nameserver addresses of the excluded address family
                        preceded in resolv.conf. [RT #19081]

2518.   [func]          Add support for the new CERT types from RFC 4398.
                        [RT #19077]

2517.   [bug]           dig +trace with -4 or -6 failed when it chose a
                        nameserver address of the excluded address type.
                        [RT #18843]

2516.   [bug]           glue sort for responses was performed even when not
                        needed. [RT #19039]

2515.   [port]          win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
                        [RT #19063]

2514.   [bug]           dig/host failed with -4 or -6 when resolv.conf contains
                        a nameserver of the excluded address family.
                        [RT #18848]

2513.   [bug]           Fix windows cli build. [RT #19062]

2512.   [func]          Print a summary of the cached records which make up
                        the negative response.  [RT #18885]

2511.   [cleanup]       dns_rdata_tofmttext() add const to linebreak.
                        [RT #18885]

2510.   [bug]           "dig +sigchase" could trigger REQUIRE failures.
                        [RT #19033]

2509.   [bug]           Specifying a fixed query source port was broken.
                        [RT #19051]

2508.   [placeholder]

2507.   [func]          Log the recursion quota values when killing the
                        oldest query or refusing to recurse due to quota.
                        [RT #19022]

2506.   [port]          solaris: Check at configure time if
                        hack_shutup_pthreadonceinit is needed. [RT #19037]

2505.   [port]          Treat amd64 similarly to x86_64 when determining
                        atomic operation support. [RT #19031]

2504.   [bug]           Address race condition in the socket code. [RT #18899]

2503.   [port]          linux: improve compatibility with Linux Standard
                        Base. [RT #18793]

2502.   [cleanup]       isc_radix: Improve compliance with coding style,
                        document function in <isc/radix.h>. [RT #18534]

2501.   [func]          $GENERATE now supports all rdata types.  Multi-field
                        rdata types need to be quoted.  See the ARM for
                        details. [RT #18368]

2500.   [contrib]       contrib/sdb/pgsql/zonetodb.c called non-existent
                        function. [RT #18582]

2499.   [port]          solaris: lib/lwres/getaddrinfo.c namespace clash.
                        [RT #18837]


-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
