--- 9.1.3 released ---
--- 9.1.3rc3 released ---
911. [bug] Fail gracefully with multiple hint zones. [RT #1433]
910. [port] Some pre-RFC2133 IPv6 implementations do not define
IN6ADDR_ANY_INIT. [RT #1416]
--- 9.1.3rc2 released ---
904. [bug] The server would leak memory if attempting to use
an expired TSIG key. [RT #1406]
903. [bug] dig should not crash when receiving a TCP packet
of length 0.
902. [bug] The -d option was ignored if both -t and -g were also
specified.
901. [cleanup] The man pages no longer have empty lines outside of
literal blocks.
898. [bug] "dig" failed to set a nonzero exit status
on UDP query timeout. [RT #1323]
894. [bug] When using the DNSSEC tools, a message intended to warn
when the keyboard was being used because of the lack
of a suitable random device was not being printed.
892. [bug] The server could attempt to refresh a zone that
was being loaded, causing an assertion failure.
[RT #1335]
891. [bug] Return an error when a SIG(0) signed response to
an unsigned query is seen. This should actually
do the verification, but it's not currently
possible. [RT #1391]
888. [bug] Don't die when using TKEY to delete a nonexistent
TSIG key. [RT #1392]
860. [interop] Drop cross class glue in zone transfers.
852. [bug] Handle responses from servers which do not
now about IXFR.
850. [bug] dns_rbt_findnode() would not find nodes that were
split on a bitstring label somewhere other than in
the last label of the node. [RT #1351]
705. [port] Work out resource limit type for use where rlim_t is
not available. [RT #695]
704. [port] RLIMIT_NOFILE is not available on all platforms.
703. [port] sys/select.h is needed on older platforms. [RT #695]
--- 9.1.3rc1 released ---
831. [bug] The configure script tried to determine
endianness before making its final decision on
which C compiler to use, causing Solaris/x86
systems with gcc to be incorrectly identified
as big-endian. [RT #1315]
827. [bug] When an IXFR protocol error occurs, the slave
should retry with AXFR.
826. [bug] Some IXFR protocol errors were not detected.
825. [bug] zone.c:ns_query() detached from the wrong zone
reference. [RT #1264]
824. [bug] Correct line numbers reported by dns_master_load().
[RT #1263]
822. [bug] Sending nxrrset prerequisites would crash nsupdate.
[RT #1248]
806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
the calling stack to the zone maintence level, causing
zones to not reload when an included file was touched
but the top-level zone file was not.
771. [cleanup] TSIG errors related to unsynchronized clocks
are logged better. [RT #919]
734. [bug] An attempt to re-lock the zone lock could occur if
the server was shutdown during a zone tranfer.
[RT #830]
712. [bug] Sending a large signed update message caused an
assertion failure. [RT #718]
669. [bug] dnssec-keygen now makes the public key file
non-world-readable for symmetric keys. [RT #403]
--- 9.1.2 released ---
--- 9.1.2rc1 released ---
820. [bug] Name server address lookups failed to follow
A6 chains into the glue of local authoritative
zones.
819. [bug] In certain cases, the resolver's attempts to
restart an address lookup at the root could cause
the fetch to deadlock (with itself) instead of
restarting. [RT #1225]
818. [bug] Certain pathological responses to ANY queries could
cause an assertion failure. [RT #1218]
816. [bug] Report potential problems with log file accessibility
at configuration time, since such problems can't
reliably be reported at the time they actually occur.
815. [bug] If a log file was specified with a path separator
character (i.e. "/") in its name and the directory
did not exist, the log file's name was treated as
though it were the directory name. [RT #1189]
814. [bug] Socket objects left over from accept() failures
were incorrectly destroyed, causing corruption
of socket manager data structures.
813. [bug] File descriptors exceeding FD_SETSIZE were handled
badly. [RT #1192]
812. [bug] dig sometimes printed incomplete IXFR responses
due to an uninitialized variable. [RT #1188]
811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]
810. [bug] The signer name in SIG records was not properly
downcased when signing/verifying records. [RT #1186]
807. [bug] When setting up TCP connections for incoming zone
transfers, the transfer-source port was not
ignored like it should be.
804. [bug] Attempting to obtain entropy could fail in some
situations. This would be most common on systems
with user-space threads. [RT #1131]
802. [bug] DNSSEC key tags were computed incorrectly in almost
all cases. [RT #1146]
801. [bug] nsupdate should treat lines beginning with ';' as
comments. [RT #1139]
800. [bug] dnssec-signzone produced incorrect statistics for
large zones. [RT #1133]
799. [bug] The ADB didn't find AAAA glue in a zone unless A6
glue was also present.
--- 9.1.1rc7 released ---
791. [bug] The control channel did not work over IPv6.
790. [bug] Wildcards created using dynamic update or IXFR
could fail to match. [RT #1111]
787. [bug] The DNSSEC tools failed to downcase domain
names when mapping them into file names.
786. [bug] When DNSSEC signing/verifying data, owner names were
not properly downcased.
--- 9.1.1rc6 released ---
785. [bug] A race condition in the resolver could cause
an assertion failure. [RT #673, #872, #1048]
784. [bug] nsupdate and other programs would not quit properly
if some signals were blocked by the caller. [RT #1081]
783. [bug] Following CNAMEs could cause an assertion failure
when either using an sdb database or under very
rare conditions.
780. [bug] Error handling code dealing with out of memory or
other rare errors could lead to assertion failures
by calling functions on unitialized names. [RT #1065]
--- 9.1.1rc5 released ---
778. [bug] When starting cache cleaning, cleaning_timer_action()
returned without first pausing the iterator, which
could cause deadlock. [RT #998]
777. [bug] An empty forwarders list in a zone failed to override
global forwarders. [RT #995]
775. [bug] Address match lists with invalid netmasks caused
the configuration parser to abort with an assertion
failure. [RT #996]
772. [bug] Owner names could be incorrectly omitted from cache
dumps in the presence of negative caching entries.
[RT #991]
686. [bug] dig and nslookup can now be properly aborted during
blocking operations. [RT #568]
--- 9.1.1rc4 released ---
767. [bug] The configuration parser handled invalid ports badly.
[RT #961]
766. [bug] A few cases in query_find() could leak fname.
This would trigger the mpctx->allocated == 0
assertion when the server exited.
[RT #739, #776, #798, #812, #818, #821, #845,
#892, #935, #966]
759. [bug] The resolver didn't turn off "avoid fetches" mode
when restarting, possibly causing resolution
to fail when it should not. This bug only affected
platforms which support both IPv4 and IPv6. [RT #927]
758. [bug] The "avoid fetches" code did not treat negative
cache entries correctly, causing fetches that would
be useful to be avoided. This bug only affected
platforms which support both IPv4 and IPv6. [RT #927]
756. [bug] dns_zone_load() could "return" success when no master
file was configured.
755. [bug] Fix incorrectly formatted log messages in zone.c.
709. [bug] ANY or SIG queries for data with a TTL of 0
would return SERVFAIL. [RT #620]
--- 9.1.1rc3 released ---
754. [bug] Certain failure conditions sending UDP packets
could cause the server to retry the transmission
indefinitely. [RT #902]
753. [bug] dig, host, and nslookup would fail to contact a
remote server if getaddrinfo() returned an IPv6
address on a system that doesn't support IPv6.
[RT #917]
750. [bug] A query should not match a DNAME whose trust level
is pending. [RT #916]
749. [bug] When a query matched a DNAME in a secure zone, the
server did not return the signature of the DNAME.
[RT #915]
747. [bug] The code to determine whether an IXFR was possible
did not properly check for a database that could
not have a journal. [RT #865, #908]
746. [bug] The sdb didn't clone rdatasets properly, causing
a crash when the server followed delegations. [RT #905]
744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
result of an ANY or SIG query, the resolver failed
to setup the return event's rdatasets, causing an
assertion failure in the query code. [RT #881]
743. [bug] Receiving a large number of certain malformed
answers could cause named to stop responding.
[RT #861]
742. [bug] dig +domain did not work. [RT #850]
738. [bug] If a non-threadsafe sdb driver supported AXFR and
received an AXFR request, it would deadlock or die
with an assertion failure. [RT #852]
737. [port] stdtime.c failed to compile on certain platforms.
648. [port] Add support for pre-RFC2133 IPv6 implementations.
--- 9.1.1rc2 released ---
733. [bug] Reference counts of dns_acl_t objects need to be
locked but were not. [RT #801, #821]
708. [bug] When building with --with-openssl, the openssl headers
included with BIND 9 should not be used. [RT #702]
(change id 727 is very important).
hack: package version number is set to 9.1.0.1, as 9.1.1rc1 is prior to 9.1.1.
729. [port] pthread_setconcurrency() needs to be called on Solaris.
727. [port] Work around OS bug where accept() succeeds but
fails to fill in the peer address of the accepted
connection, by treating it as an error rather than
an assertion failure. [RT #809]
723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
to return DNS_R_SERVFAIL. [RT #783]
720. [bug] Server could enter infinite loop in
dispatch.c:do_cancel(). [RT #743]
719. [bug] Rapid reloads could trigger an assertion failure.
[RT #743, #763]
717. [bug] Certain TKEY processing failure modes could
reference an uninitialized variable, causing the
server to crash. [RT #750]
716. [bug] The first line of a $INCLUDE master file was lost if
an origin was specified. [RT #744]
715. [bug] Resolving some A6 chains could cause an assertion
failure in adb.c. [RT #738]
711. [bug] The libisc and liblwres implementations of
inet_ntop contained an off by one error.
706. [bug] Zones with an explicit "allow-update { none; };"
were considered dynamic and therefore not reloaded
on SIGHUP or "rndc reload".
700. [bug] $GENERATE range check was wrong. [RT #688]
698. [bug] Aborting nsupdate with ^C would lead to several
race conditions.
699. [bug] The lexer mishandled empty quoted strings. [RT #694]
694. [bug] $GENERATE did not produce the last entry.
[RT #682, #683]
693. [bug] An empty lwres statement in named.conf caused
the server to crash while loading.
692. [bug] Deal with systems that have getaddrinfo() but not
gai_strerror(). [RT #679]
691. [bug] Configuring per-view forwarders caused an assertion
failure. [RT #675, #734]
out of date - it was based on a.out OBJECT_FMT, and added entries in the
generated PLISTs to reflect the symlinks that ELF packages uses. It also
tried to be clever, and removed and recreated any symbolic links that were
created, which has resulted in some fun, especially with packages which
use dlopen(3) to load modules. Some recent changes to our ld.so to bring
it more into line with other Operating Systems also exposed some cracks.
+ Modify bsd.pkg.mk and its shared object handling, so that PLISTs now contain
the ELF symlinks.
+ Don't mess about with file system entries when handling shared objects in
bsd.pkg.mk, since it's likely that libtool and the BSD *.mk processing will
have got it right, and have a much better idea than we do.
+ Modify PLISTs to contain "ELF symlinks"
+ On a.out platforms, delete any "ELF symlinks" from the generated PLISTs
+ On ELF platforms, no extra processing needs to be done in bsd.pkg.mk
+ Modify print-PLIST target in bsd.pkg.mk to add dummy symlink entries on
a.out platforms
+ Update the documentation in Packages.txt
With many thanks to Thomas Klausner for keeping me honest with this.
--- 9.0.1 released ---
547. [bug] dnssafe doesn't correctly handle RSA keys longer
than 2000 bits. Disable support for long keys.
--- 9.0.1rc2 released ---
527. [bug] When a hint zone was configured, the spurious warning
messages "Hint zones do not have a forward field" and
"Hint zones do not have a forwarders field" were
printed. [RT #439]
--- 9.0.1rc1 released ---
526. [bug] nsupdate incorrectly refused to add RRs with a TTL
of 0.
523. [doc] The source to the Administrator Reference Manual is
now an XML file using the DocBook DTD, and is included
in the distribution. The plain text version of the
ARM is temporarily unavailable while we figure out
how to generate readable plain text from the XML.
520. [bug] Upgraded libtool to 1.3.5, which makes shared
library builds almost work on AIX (and possibly
others).
519. [bug] dns_name_split() would improperly split some bitstring
labels, zeroing a few of the least signficant bits in
the prefix part. When such an improperly created
prefix was returned to the RBT database, the bogus
label was dutifully stored, corrupting the tree.
[RT #369]
518. [bug] The resolver did not realize that a DNAME which was
"the answer" to the client's query was "the answer",
and such queries would fail. [RT #399]
517. [bug] The resolver's DNAME code would trigger an assertion
if there was more than one DNAME in the chain.
[RT #399]
516. [bug] Cache lookups which had a NULL node pointer, e.g.
those by dns_view_find(), and which would match a
DNAME, would trigger an INSIST(!search.need_cleanup)
assertion. [RT #399]
515. [bug] The ssu table was not being attached / detached
by dns_zone_[sg]etssutable. [RT#397]
511. [bug] The message code could throw an assertion on an
out of memory failure. [RT #392]
510. [bug] Remove spurious view notify warning. [RT #376]
505. [bug] nsupdate was printing "unknown result code". [RT #373]
502. [func] On a SERVFAIL reply, DiG will now try the next server
in the list, unless the +fail option is specified.
501. [bug] Incorrect port numbers were being displayed by
nslookup. [RT #352]
500. [func] Nearly useless +details option removed from DiG.
499. [func] In DiG, specifying a class with -c or type with -t
changes command-line parsing so that classes and
types are only recognized if following -c or -t.
This allows hosts with the same name as a class or
type to be looked up.
498. [doc] There is now a man page for "dig"
in doc/man/bin/dig.1.
495. [bug] nsupdate was unable to handle large records. [RT #368]
491. [bug] nsupdate would segfault when sending certain
prerequisites with empty RDATA. [RT #356]
488. [bug] Locks weren't properly destroyed in some cases.
486. [bug] nslookup: "set all" and "server" commands showed
the incorrect port number if a port other than 53
was specified. [RT #352]
485. [func] When dig had more than one server to query, it would
send all of the messages at the same time. Add
rate limiting of the transmitted messages.
483. [bug] nslookup: "set all" showed a "search" option but it
was not settable.
482. [bug] nslookup: a plain "server" or "lserver" should be
treated as a lookup.
481. [bug] nslookup:get_next_command() stack size could exceed
per thread limit.
480. [bug] strtok() is not thread safe. [RT #349]
476. [bug] A zone could expire while a zone transfer was in
progress triggering a INSIST failure. [RT #329]
475. [bug] query_getzonedb() sometimes returned a non-null version
on failure. This caused assertion failures when
generating query responses where names subject to
additional section processing pointed to a zone
to which access had been denied by means of the
allow-query option. [RT #336]
474. [bug] The mnemonic of the CHAOS class is CH according to
RFC1035, but it was printed and read only as CHAOS.
We now accept both forms as input, and print it
as CH. [RT #305]
473. [bug] nsupdate overran the end of the list of name servers
when no servers could be reached, typically causing
it to print the error message "dns_request_create:
not implemented".
472. [bug] Off-by-one error caused isc_time_add() to sometimes
produce invalid time values.
471. [bug] nsupdate didn't compile on HP/UX 10.20
463. [bug] nsupdate sent malformed SOA queries to the second
and subsequent name servers in resolv.conf if the
query sent to the first one failed.
459. [bug] Nslookup processed the "set" command incorrectly.
458. [bug] Nslookup didn't properly check class and type values.
[RT #305]
457. [bug] Dig/host/hslookup didn't properly handle connect
timeouts in certain situations, causing an
unnecessary warning message to be printed.
447. [bug] Dig didn't properly retry in TCP mode after
a truncated reply. [RT #277]
403. [bug] "host" did not use the search list.
395. [bug] nslookup printed incorrect RR type mnemonics
for RRs of type >= 21 [RT #237].
388. [func] dig and host can now do reverse ipv6 lookups.
387. [func] Add dns_byaddr_createptrname(), which converts
an address into the name used by a PTR query.
379. [func] New library function isc_sockaddr_anyofpf().
347. [bug] Don't crash if an argument is left off options in dig.
346. [func] Add support for .digrc config file, in the
user's current directory
345. [bug] Large-scale changes/cleanups to dig:
* Significantly improve structure handling
* Don't pre-load entire batch files
* Add name/rr counting/limiting
* Fix SIGINT handling
* Shorten timeouts to match v8's behavior
--- 9.0.0 released ---
makes patch-ab unnecessary:
* A typo in the HS A code caused an assertion failure.
* lwres_gethostbyname() and company set lwres_h_errno
to a random value on success.
* If named was shut down early in the startup
process, ns_omapi_shutdown() would attempt to lock
an unintialized mutex. [RT #262]
* stub zones could leak memory and reference counts if
all the masters were unreachable.
* isc_rwlock_lock() would needlessly block
readers when it reached the read quota even
if no writers were waiting.
* Log messages were occasionally lost or corrupted
due to a race condition in isc_log_doit().
* The request library didn't completely work with IPv6.
* Check for IPV6_RECVPKTINFO and use it instead of
IPV6_PKTINFO if found. [RT #229]
for finding this.
Update bind to 9.0.0rc4. Changes and fixes are:
* "host" did not use the search list.
* Treat undefined acls as errors, rather than
warning and then later throwing an assertion.
* SIG(0) signing and verifying was done incorrectly.
* When reloading the server with a config file
containing a syntax error, it could catch an
assertion failure trying to perform zone
maintenance on, or sending notifies from,
tentatively created zones whose views were
never fully configured and lacked an address
database and request manager.
* "dig" sometimes caught an assertion failure when
using TSIG, depending on the key length.
* Many debugging messages were partially formatted
even when debugging was turned off, causing a
significant decrease in query performance.
* There is now a man page for "nsupdate"
* nslookup printed incorrect RR type mnemonics
for RRs of type >= 21
* Attempting to send a reqeust over IPv6 using
dns_request_create() on a system without IPv6
support caused an assertion failure [RT #235].
* Missing strdup() of ACL name caused random
ACL matching failures [RT #228].
* nsupdate was incorrectly limiting TTLs to 65535 instead
of 2147483647.
* When writing a master file, print the SOA and NS
records (and their SIGs) before other records.
* named -u failed on many Linux systems where the
libc provided kernel headers do not match
the current kernel.
* nsupdate didn't work with IPv6.
add patch to help 2292bis environment (= latest KAME, Solaris8).
--- rc1 -> rc2
--- 9.0.0rc2 released ---
377. [bug] When additional data lookups were refused due to
"allow-query", the databases were still being
attached causing reference leaks.
376. [bug] The server should always use good entropy when
performing cryptographic functions needing entropy.
375. [bug] Per-zone allow-query did not properly override the
view/global one for CNAME targets and additional
data [RT #220].
374. [bug] SOA in authoritative negative responses had wrong TTL.
373. [func] nslookup is now installed by "make install".
372. [bug] Deal with Microsoft DNS servers appending two bytes of
garbage to zone transfer requests.
371. [bug] At high debug levels, doing an outgoing zone transfer
of a very large RRset could cause an assertion failure
during logging.
370. [bug] The error messages for rollforward failures were
overly terse.
367. [bug] Allow proper selection of server on nslookup command
line.
365. [bug] nsupdate -k leaked memory.
362. [bug] rndc no longer aborts if the configuration file is
missing an options statement. [RT #209]
359. [bug] dnssec-signzone occasionally signed glue records.
357. [bug] The zone file parser crashed if the argument
to $INCLUDE was a quoted string.
354. [doc] Man pages for the dnssec tools are now included in
the distribution, in doc/man/dnssec.
353. [bug] double increment in lwres/gethost.c:copytobuf().
(RT# 187)
352. [bug] Race condition in dns_client_t startup could cause
an assertion failure.
351. [bug] Constructing a response with rcode SERVFAIL to a TSIG
signed query could crash the server.
350. [bug] Also-notify lists specified in the global options
block were not correctly reference counted, causing
a memory leak.
349. [bug] Processing a query with the CD bit set now works
as expected.
344. [bug] When shutting down, lwresd sometimes tried
to shut down its client tasks twice,
triggering an assertion.
343. [bug] Although zone maintenance SOA queries and
notify requests were signed with TSIG keys
when configured for the server in case,
the TSIG was not verified on the response.
342. [bug] The wrong name was being passed to
dns_name_dup() when generating a TSIG
key using TKEY.
340. [bug] The top-level COPYRIGHT file was missing from
the distribution.
339. [bug] DNSSEC validation of the response to an ANY
query at a name with a CNAME RR in a secure
zone triggered an assertion failure.
337. [bug] "dig" did not recognize "nsap-ptr" as an RR type
on the command line.
336. [bug] "dig -f" used 64 k of memory for each line in
the file. It now uses much less, though still
proportionally to the file size.
335. [bug] named would occasionally attempt recursion when
it was disallowed or undesired.
333. [bug] The resolver incorrectly accepted referrals to
domains that were not parents of the query name,
causing assertion failures.
331. [bug] Only log "recursion denied" if RD is set. (RT #178)
Changes are too numerous to list here in detail, but highlights are:
The communication between "rndc" and "named" is now
authenticated using digital signatures. Because of
this, rndc now requires a configuration file "rndc.conf"
containing a shared secret, with a corresponding
"controls" clause in named.conf.
When the server is chrooted using the -t option,
it no longer needs copies of the passwd and group
files in the chroot environment.
Various bug fixes and cleanups, especially
in the dig, host, nslookup, and nsupdate
programs.
There are a few known bugs:
The option "query-source * port 53;" will not work as
expected. Instead of the wildcard address "*", you need
to use an explicit source IP address.
On some systems, IPv6 and IPv4 sockets interact in
unexpected ways. For details, see doc/misc/ipv6.
To reduce the impact of these problems, the server
no longer listens for requests on IPv6 addresses
by default. If you need to accept DNS queries over
IPv6, you must specify "listen-on-v6 { any; };"
in the named.conf options statement.
There are known problems with thread signal handling
under Solaris 2.6.
Changes: This is still _not_ a release candidate for BIND 9.0.0;
More configuration options can be specified separately for each
view, including the "key" and "server" statements; Fixed:
Numerous bugs have been fixed and the code has been cleaned
up. Added: Stub zones have been implemented; Additional
configuration options have been implemented, such as
"max-cache-ttl" and "max-ncache-ttl".
The "dig" and "host" tools have been completely rewritten and
are included in the base distribution. Fixed: Most bugs reported
against beta 2. Added: The server now supports "views", a
mechanism for answering DNS queries differently to different
requestors. This will make split DNS setups much easier to build;
NOTIFY (RFC1996) has been implemented; Basic support for validation
of DNSSEC signatures has been implemented (for details, see
"doc/misc/dnssec").
Many more config file options
implemented (see doc/misc/options for a
summary of the current implementation
status), portability improvements, (works
much better than beta 1 on FreeBSD 3.4),
and bugfixes (almost all bugs reported
against beta 1 have been fixed).
be most useful to advanced users working with IPv6 or DNSSEC.
BIND 9.0.0b1 is not functionally complete, and is not a release
candidate for BIND 9.0.0. The ISC anticipates a number of additional
beta releases between now and May, when BIND 9.0.0 is scheduled to
be released.
The ISC does not recommend using BIND 9.0.0b1 for "production"
services.
