Question on security

Mark Andrews Mark_Andrews at isc.org
Thu Sep 23 22:02:39 UTC 2004


> Hi all,
> I was looking all over trying to find the security fixes and patches between
> BIND 9.2.3 and 9.3.0 and couldn't find anything anywhere. Could anyone please
> direct me to a page or something?
> 
> Thanks,
> 
> p.s. Also, could it be possible to get a features page ?
> 
> Martin Timbro - Conseiller technologies UNIX
> CGI
 
	Take the 9.3.0 CHANGES and the 9.2.3 CHANGES and compare the
	differences.  Most (but not all) of 9.3.0 is functional changes.
	There are some bug fixes for things which required the API to
	be extended.

	If you are running a threaded build you will want to upgrade to
	one of BIND 9.2.4/9.3.0.

 969.	[func]		dig now supports the undocumented dig 8 feature
			of allowing arbitrary labels, not just dotted
			decimal quads, with the -x option.  This can be
			used to conveniently look up RFC2317 names as in
			"dig -x 10.0.0.0-127". [RT #827, #1576, #1598]

 970.	[func]		'max-journal-size' can now be used to set a target
			size for a journal.

 976.	[func]		named-checkconf can now test load master zones
			(named-checkconf -z). [RT #1468]

 979.	[func]		Incremental master file dumping.  dns_master_dumpinc(),
			dns_master_dumptostreaminc(), dns_dumpctx_attach(),
			dns_dumpctx_detach(), dns_dumpctx_cancel(),
			dns_dumpctx_db() and dns_dumpctx_version().

 981.	[func]		The dnssec tools can now take multiple '-r randomfile'
			arguments.

 982.	[func]		If "memstatistics-file" is set in options the memory
			statistics will be written to it.

 983.	[func]		The server now supports generating IXFR difference
			sequences for non-dynamic zones by comparing zone
			versions, when enabled using the new config
			option "ixfr-from-differences". [RT #1727]

 985.	[func]		Consider network interfaces to be up iff they have
			a nonzero IP address rather than based on the
			IFF_UP flag. [RT #1160]

 991.	[func]		Lower UDP refresh timeout messages to level
			debug 1.

 993.	[func]		dig: -v now reports the version.

 994.	[func]		Treat non-authoritative responses to queries for type
			NS as referrals even if the NS records are in the
			answer section, because BIND 8 servers incorrectly
			send them that way.  This is necessary for DNSSEC
			validation of the NS records of a secure zone to
			succeed when the parent is a BIND 8 server. [RT #1706]

 996.	[func]		Issue warning if the configuration filename contains
			the chroot path.

 997.	[func]		Add support for RSA-SHA1 keys (RFC3110).

 998.	[func]		named-checkzone now has arguments to specify the
			chroot directory (-t) and working directory (-w).
			[RT #1755]

 999.	[func]		"rndc retransfer zone [class [view]]" added.
			[RT #1752]

1003.	[func]		Add the +retry option to dig.

1007.	[port]		config.guess, config.sub from autoconf-2.52.

1008.	[port]		libtool.m4, ltmain.sh from libtool-1.4.2.

1009.	[port]		OpenUNIX 8 support. [RT #1728]

1011.	[cleanup]	Removed isc_dir_current().

1023.	[func]		Accept hints without TTLs.

1024.	[port]		Compilation failed on HP-UX 11.11 due to
			incompatible use of the SIOCGLIFCONF macro
			name. [RT #1831]

1032.	[func]		hostname.bind/txt/chaos now returns the name of
			the machine hosting the nameserver.  This is useful
			in diagnosing problems with anycast servers.

1034.	[bug]		Ignore the RD bit on multicast queries as specified
			in RFC 1123. [RT #137]

1035.	[bug]		If we respond to multicast queries (which we
			currently do not), respond from a unicast address
			as specified in RFC 1123. [RT #137]

1036.	[func]		Silently drop requests received via multicast as
			long as there is no final multicast DNS standard.

1037.	[bug]		Negative responses whose authority section contain
			SOA or NS records whose owner names are not equal
			to or parents of the query name should be
			rejected. [RT #1862]

1049.	[func]		"pid-file none;" will disable writing a pid file.
			[RT #1848]

1055.	[func]		Version and hostname queries can now be disabled
			using "version none;" and "hostname none;",
			respectively.

1058.	[func]		Limited lifetime ticker timers are now available,
			isc_timertype_limited.

1059.	[func]		dns_request will now retry UDP queries,
			dns_request_createvia2() and dns_request_createraw2().

1060.	[func]		Move refresh, stub and notify UDP retry processing
			into dns_request.

1065.	[func]		Runtime support to select new / old style interface
			scanning using ioctls.

1067.	[func]		Allow quotas to be soft, isc_quota_soft().

1073.	[bug]		The ADB cache cleaning should also be space driven.
			[RT #1915, #1938]

1077.	[func]		Do not accept further recursive clients when
			the total number of recursive lookups being
			processed exceeds max-recursive-clients, even
			if some of the lookups are internally generated.
			[RT #1915, #1938]

1079.	[bug]		BIND 8 compatibility: accept bare elements at top
			level of sort list treating them as if they were
			a single element list. [RT #1963]

1080.	[bug]		BIND 8 compatibility: accept bare IP prefixes
			as the second element of a two-element top level
			sort list statement. [RT #1964]

1105.	[port]		OpenUNIX 8 enable threads by default. [RT #1970]

1110.	[bug]		dig should only accept valid abbreviations of +options.
			[RT #2003]

1115.	[func]		Set maximum values for cleaning-interval,
			heartbeat-interval, interface-interval,
			max-transfer-idle-in, max-transfer-idle-out,
			max-transfer-time-in, max-transfer-time-out,
			statistics-interval of 28 days and
			sig-validity-interval of 3660 days. [RT #2002]

1119.	[func]		Added support in Win32 for NTFS file/directory ACL's
			for access control.

1127.	[func]		rndc: If the server to contact has multiple addresses,
			try all of them.

1128.	[func]		sdb drivers can now provide RR data in either text
			or wire format, the latter using the new functions
			dns_sdb_putrdata() and dns_sdb_putnamedrdata().

1132.	[func]		Improve UPDATE prerequisite failure diagnostic messages.

1135.	[func]		You can now override the default syslog() facility for
			named/lwresd at compile time. [RT #1982]

1137.	[func]		It is now possible to flush a given name from the
			ADB by calling the new function dns_adb_flushname().

1138.	[func]		It is now possible to flush a given name from the
			cache by calling the new function
			dns_cache_flushname().

1139.	[func]		It is now possible to flush a given name from the
			cache(s) via 'rndc flushname name [view]'. [RT #2051]

1143.	[bug]		When a trusted-keys statement was present and named
			was built without crypto support, it would leak memory.

1145.	[func]		"host" no longer reports a NOERROR/NODATA response
			by printing nothing. [RT #2065]

1146.	[func]		Allow IPV6_IPV6ONLY to be set/cleared on a socket if
			supported by the OS by a new function
			isc_socket_ipv6only().

1147.	[func]		Set IPV6_V6ONLY on IPv6 sockets if supported by
			the OS.  listen-on-v6 { any; }; should no longer
			result in IPv4 queries be accepted.  Similarly
			control { inet :: ... }; should no longer result
			in IPv4 connections being accepted.  This can be
			overridden at compile time by defining
			ISC_ALLOW_MAPPED=1.

1148.	[func]		'rndc-confgen -a' now provides positive feedback.

1149.	[func]		New function isc_parse_uint32().

1150.	[bug]		named incorrectly accepted TTL values
			containing plus or minus signs, such as
			1d+1h-1s.

1151.	[bug]		nslookup failed to check that the arguments to
			the port, timeout, and retry options were
			valid integers and in range. [RT #2099]

1153.	[func]		'rndc {stop|halt} -p' now reports the process id
			of the instance of named being shutdown.

1155.	[func]		Recover from master files being removed from under
			us.

1157.	[func]		match-clients and match-destinations now accept
			keys. [RT #2045]

1158.	[func]		Report the client's address when logging notify
			messages.

1159.	[bug]		MD and MF are not permitted to be loaded by RFC1123.

1163.	[func]		isc_time_formattimestamp() now includes the year.

1169.	[func]		Identify recursive queries in the query log.

1171.	[func]		Added function isc_region_compare(), updated files in
			lib/dns to use this function instead of local one.

1177.	[func]		Report view when loading zones if it is not a
			standard view (_default or _bind). [RT #2270]

1179.	[func]		Add SIG(0) support to nsupdate.

1180.	[func]		dnssec-keygen should always generate keys with
			protocol 3 (DNSSEC), since it's less confusing
			that way.

1181.	[func]		Add the "key-directory" configuration statement,
			which allows the server to look for online signing
			keys in alternate directories.

1187.	[bug]		named was incorrectly returning DNSSEC records
			in negative responses when the DO bit was not set.

1190.	[func]		Add the "rndc freeze" and "rndc unfreeze" commands.
			[RT #2394]

1192.	[bug]		The seconds fields in LOC records were restricted
			to three decimal places.  More decimal places should
			be allowed but warned about.

1202.	[func]		New functions: cfg_obj_line() and cfg_obj_file().

1203.	[func]		Report locations of previous acl and zone definitions
			when a duplicate is detected.

1213.	[func]		Report view associated with client if it is not a
			standard view (_default or _bind).

1217.	[func]		Report locations of previous key definition when a
			duplicate is detected.

1219.	[func]		Named now reports the TSIG extended error code when
			signature verification fails. [RT #1651]

1220.	[func]		Support for APL rdata type.

1223.	[func]		'rrset-order' partially works: 'cyclic' and 'random'
			are supported.

1224.	[bug]		'rrset-order' and 'sortlist' should be additive
			not exclusive.

1225.	[func]		dns_message_setopt() no longer requires that
			dns_message_renderbegin() to have been called.

1226.	[func]		Use EDNS for zone refresh queries. [RT #2551]

1233.	[bug]		The flags field of a KEY record can be expressed in
			hex as well as decimal.

1234.	[bug]		contrib/sdb: 'zonetodb' failed to call
			dns_result_register().  DNS_R_SEENINCLUDE should not
			be fatal.

1235.	[func]		Report 'out of memory' errors from openssl.

1243.	[bug]		It was possible to trigger a REQUIRE() in
			dns_message_findtype(). [RT #2659]

1246.	[func]		New functions isc_sockaddr_issitelocal(),
			isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
			and isc_netaddr_islinklocal().

1247.	[bug]		Don't reset the interface index for link/site local
			addresses. [RT #2576]

1250.	[func]		Nsupdate will report the address the update was
			sent to.

1254.	[func]		preferred-glue option from BIND 8.3.

1267.	[func]		isc_file_openunique() now creates file using mode
			0666 rather than 0600.

1271.	[bug]		"recursion available: {denied,approved}" was too
			confusing.

1277.	[func]		You can now create your own customized printing
			styles: dns_master_stylecreate() and
			dns_master_styledestroy().

1278.	[func]		dig: now supports +[no]cl +[no]ttlid.

1281.	[func]		Log zone when unable to get private keys to update
			zone.  Log zone when NXT records are missing from
			secure zone.

1283.	[func]		Use "dataready" accept filter if available.

1285.	[func]		lwres: probe the system to see what address families
			are currently in use.

1290.	[func]		"dig axfr" now reports the number of messages
			as well as the number of records.

1291.	[func]		Enable IPv6 support when using sysctl style interface
			scanning.

1292.	[func]		Enable IPv6 support when using ioctl style interface
			scanning and OS supports SIOCGLIFADDR using struct
			if_laddrreq.

1293.	[func]		Entropy can now be retrieved from EGDs. [RT #2438]

1300.	[port]		Compaq Trucluster support.

1301.	[func]		New category 'update-security'.

1302.	[func]		Extended rndc dumpdb to support dumping of zones and
			view selection: 'dumpdb [-all|-zones|-cache] [view]'.

1303.	[func]		Option 'flush-zones-on-shutdown <boolean>;'.

1304.	[func]		New function: dns_zone_name().

1308.	[func]		DS (delegation signer) support.

1309.	[func]		Log that a zone transfer was covered by a TSIG.

1312.	[func]		Log TSIG key used w/ outgoing zone transfers.

1313.	[func]		Query log now says if the query was signed (S) or
			if EDNS was used (E).

1321.	[bug]		If the last RRset in a zone is glue, dnssec-signzone
			would incorrectly duplicate its output and sign it.

1322.	[bug]		dnssec-signzone usage message was misleading.

1328.	[bug]		The validator could incorrectly verify an invalid
			negative proof.

1329.	[func]		named-checkzone will now check for nameservers that
			appear to be IP addresses.  Available modes: "fail",
			"warn" (default) and "ignore" the results of the
			check.

1331.	[func]		Generate DNSSEC wildcard proofs.

1332.	[func]		Report the current serial with periodic commits when
			rolling forward the journal.

1336.	[func]		Nibble lookups under IP6.ARPA are now supported by
			dns_byaddr_create().  dns_byaddr_createptrname() is
			deprecated, use dns_byaddr_createptrname2() instead.

1339.	[func]		dig, host and nslookup now use IP6.ARPA for nibble
			lookups.  Bit string lookups are no longer attempted.

1341.	[func]		Allow a rate limiter to be stalled.

1342.	[func]		Log remote address with TCP dispatch failures.

1343.	[func]		Log successful notifies received (info).  Adjust log
			level for failed notifies to notice.

1344.	[func]		Log if the serial number on the master has gone
			backwards.
			If you have multiple machines specified in the masters
			clause you may want to set 'multi-master yes;' to
			suppress this warning.

1355.	[bug]		Fix DNSSEC wildcard proof for CNAME/DNAME.

1361.	[func]		log the reason for rejecting a server when resolving
			queries.

1362.	[bug]		remove IFF_RUNNING test when scanning interfaces.

1363.	[func]		Listen-on-v6 now supports specific addresses.

1364.	[func]		Log file name when unable to open memory statistics
			and dump database files. [RT# 3437]

1365.	[func]		"localhost" and "localnets" acls now include IPv6
			addresses / prefixes.

1367.	[func]		Use response times to select forwarders.

1368.	[func]		remove support for bitstring labels.

1371.	[bug]		notify-source-v6, transfer-source-v6 and
			query-source-v6 with explicit addresses and using the
			same ports as named was listening on could interfere
			with named's ability to answer queries sent to those
			addresses.

1374.	[func]		dns_adb_dump() now logs the lame zones associated
			with each server.

1375.	[func]		'rndc dumpdb' now dumps the adb cache along with the
			data cache.

1376.	[func]		New function dns_zone_logc() to log to specified
			category.

1377.	[func]		dns_zone_load{new}() now reports if the zone was
			loaded, queued for loading or up to date.

1378.	[func]		Improved positive feedback for 'rndc {reload|refresh}'.

1379.	[func]		'rndc status' now reports tcp and recursion quota
			states.

1380.	[func]		'rndc recursing' dump recursing queries to
			'recursing-file = "named.recursing";'.

1383.	[func]		Track the serial number in a IXFR response and log if
			a mismatch occurs.  This is a more specific error than
			"not exact". [RT #3445]

1386.	[bug]		named-checkzone -z stopped on errors in a zone.
			[RT #3653]

1390.	[func]		host now supports ixfr.

1391.	[func]		Add support for IPv6 scoped addresses in named.

1392.	[bug]		named-checkzone: update usage.

1393.	[port]		Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
			is not available in the kernel to prevent accidentally
			listening on IPv4 interfaces.

1394.	[func]		It is now possible to check if a particular element is
			in an acl.  Remove duplicate entries from the localnets
			acl.

1396.	[func]		dnssec-signzone: adjust the default signing time by
			1 hour to allow for clock skew.

1398.	[doc]		ARM: notify-also should have been also-notify.
			[RT #4345]

1400.	[bug]		Block the addition of wildcard NS records by IXFR
			or UPDATE. [RT #3502]

1402.	[cleanup]	A6 has been moved to experimental and is no longer
			fully supported.

1403.	[func]		dnssec-signzone, dnssec-keygen, dnssec-makekeyset
			dnssec-signkey now report their version in the
			usage message.

1404.	[bug]		libbind: ns_name_ntol() could overwrite a zero length
			buffer.

1409.	[bug]		DS should have attribute DNS_RDATATYPEATTR_DNSSEC.

1410.	[func]		Handle records that live in the parent zone, e.g. DS.

1412.	[func]		You can now specify servers to be tried if a nameserver
			has IPv6 address and you only support IPv4 or the
			reverse. See dual-stack-servers.

1413.	[func]		Explicitly request the (re-)generation of DS records from
			keysets (dnssec-signzone -g).

1414.	[func]		Support for KSK flag.

1415.	[func]		DS TTL now derived from NS ttl.  NXT TTL now derived
			from SOA MINIMUM.

1417.	[func]		ID.SERVER/CHAOS is now a built in zone.
			See "server-id" for how to configure.

1421.	[func]		Differentiate updates that don't succeed due to
			prerequisites (unsuccessful) vs other reasons
			(failed).

1422.	[func]		Log name/type/class when denying a query.  [RT #4663]

1430.	[port]		linux: IPv6 interface scanning support.

1432.	[func]		The advertised EDNS UDP buffer size can now be set
			via named.conf (edns-udp-size).

1433.	[bug]		named could trigger a REQUIRE failure if it could
			not get a file descriptor when attempting to write
			a master file. [RT #4347]

1436.	[func]		dns_zonemgr_resumexfrs() can be used to restart
			stalled transfers.

1438.	[func]		Log TSIG (if any) when logging NOTIFY requests.

1440.	[func]		It is now possible to tell named to avoid using
			certain source ports (avoid-v4-udp-ports,
			avoid-v6-udp-ports).

1441.	[func]		It is now possible to tell dig to bind to a specific
			source port.

1442.	[func]		New functions for manipulating port lists:
			dns_portlist_create(), dns_portlist_add(),
			dns_portlist_remove(), dns_portlist_match(),
			dns_portlist_attach() and dns_portlist_detach().

1443.	[func]		Masters lists can now be specified and referenced
			in zone masters clauses and other masters lists.

1444.	[func]		dns_view_findzonecut2() allows you to specify if the
			cache should be searched for zone cuts.

1446.	[func]		Implemented undocumented alternate transfer sources
			from BIND 8.  See use-alt-transfer-source,
			alt-transfer-source and alt-transfer-source-v6.

			SECURITY: use-alt-transfer-source is ENABLED unless
			you are using views.  This may cause a security risk
			resulting in accidental disclosure of wrong zone
			content if the master supplies different zone
			content based on source IP address.  If you are not
			certain, ISC recommends setting use-alt-transfer-source no;

1454.	[port]		Use getifaddrs() if available for interface scanning.
			--disable-getifaddrs to override.  Glibc currently
			has a getifaddrs() that does not support IPv6.
			Use --enable-getifaddrs=glibc to force the use of
			this version under linux machines.

1457.	[port]		Provide strlcat() and strlcpy() for platforms without
			them.

1458.	[cleanup]	sprintf() -> snprintf().

1467.	[func]		$GENERATES now supports optional class and ttl.

1468.	[func]		Internal zones are no longer counted for
			'rndc status'.  [RT #4706]

1469.	[func]		Log end of outgoing zone transfer at same level
			as the start of transfer is logged. [RT #4441]

1474.	[port]		Provide strtoul() and memmove() for platforms
			without them.

1475.	[port]		Probe for old sprintf().

1500.	[bug]		host failed to lookup MX records.  Also look up
			AAAA records.

1501.	[func]		Allow TCP queue length to be specified via
			named.conf, tcp-listen-queue.

1502.	[bug]		nsupdate: adjust timeouts for UPDATE requests over TCP.

1515.	[func]		Allow transfer source to be set in a server statement.
			[RT #6496]

1516.	[func]		Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.

1517.	[port]		Support for IPv6 interface scanning on HP/UX and
			TrueUNIX 5.1.

1519.	[bug]		dnssec-signzone:nsec_setbit() computed the wrong
			length of the new bitmap.

1520.	[protocol]	Add SSHFP (SSH Finger Print) type.

1521.	[bug]		dns_view_createresolver() failed to check the
			result from isc_mem_create(). [RT# 9294]

1527.	[cleanup]	Reduce the number of gettimeofday() calls without
			losing necessary timer granularity.

1528.	[cleanup]	Simplify some dns_name_ functions based on the
			deprecation of bitstring labels.

1537.	[func]		New option "querylog".  If set specify whether query
			logging is to be enabled or disabled at startup.

1541.	[func]		NSEC now uses new bitmap format.

1548.	[bug]		When parsing APL records it was possible to silently
			accept out of range ADDRESSFAMILY values. [RT# 9979]

1549.	[func]		named-checkzone can now write out the zone contents
			in an easily parsable format (-D and -o).

1554.	[bug]		dig, host, nslookup failed when no nameservers
			were specified in /etc/resolv.conf. [RT #8232]

1555.	[func]		'rrset-order cyclic' no longer has a random starting
			point. [RT #7572]

1557.	[func]		Implement missing DNSSEC tests for
			* NOQNAME proof with wildcard answers.
			* NOWILDCARD proof with NXDOMAIN.
			Cache and return NOQNAME with wildcard answers.

1558.	[func]		New DNSSEC 'disable-algorithms'.  Support entry into
			child zones for which we don't have a supported
			algorithm.  Such child zones are treated as unsigned.

1560.	[port]		FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
			and EAI_NONAME to the same value.

1564.	[func]		Attempt to provide a fallback entropy source to be
			used if named is running chrooted and named is unable
			to open entropy source within the chroot area.
			[RT #10133]

1565.	[bug]		CD flag should be copied to outgoing queries unless
			the query is under a secure entry point in which case
			CD should be set.

1569.	[func]		nsupdate new command 'answer' which displays the
			complete answer message to the last update.

1575.	[func]		Log TSIG name on TSIG verify failure. [RT #4404]

1581.	[func]		Disable DNSSEC support by default.  To enable
			DNSSEC specify "dnssec-enable yes;" in named.conf.

1586.	[func]		"check-names" is now implemented.

1589.	[func]		DNSSEC lookaside validation.

1594.	[bug]		'rndc dumpdb' could prevent named from answering
			queries while the dump was in progress.  [RT #10565]

1598.	[func]		Specify that certain parts of the namespace must
			be secure (dnssec-must-be-secure).

1605.	[func]		New dns_db_find() option DNS_DBFIND_COVERINGNSEC.

1606.	[bug]		DLV insecurity proof was failing.

1608.	[func]		dig and host now accept -4/-6 to select IP transport
			to use when making queries.

1609.	[func]		dig now has support to chase DNSSEC signature chains.
			Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.

1611.	[bug]		solaris: IPv6 interface scanning failed to cope with
			no active IPv6 interfaces.

1612.	[bug]		check-names at the option/view level could trigger
			an INSIST. [RT# 11116]

1613.	[bug]		Builds would fail on machines w/o a if_nametoindex().
			Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
			[RT #11119]

1618.	[bug]		Fencepost errors in dns_name_ishostname() and
			dns_name_ismailbox() could trigger an INSIST().

1620.	[func]		When loading a zone report if it is signed. [RT #11149]

1622.	[func]		probe the system to see if IPV6_(RECV)PKTINFO is
			available, and suppress wildcard binding if not.

1624.	[bug]		zonemgr_putio() call should be locked. [RT# 11163]

1625.	[bug]		named failed to load/transfer RFC2535 signed zones
			which contained CNAMES. [RT# 11237]

1626.	[bug]		--enable-getifaddrs was broken. [RT#11259]

1628.	[bug]		Typo in Compaq Trucluster support. [RT# 11264]

1629.	[func]		dig now supports IPv6 scoped addresses with the
			extended format in the local-server part. [RT #8753]

1630.	[contrib]	queryperf: add support for IPv6 transport.

1631.	[bug]		dns_journal_compact() could sometimes corrupt the
			journal. [RT #11124]

1635.	[bug]		Memory leak on error in query_addds().

1636.	[bug]		The dump done callback could get ISC_R_SUCCESS even if
			an error had occurred.  The database version no longer
			matched the version of the database that was dumped.

1637.	[bug]		Node reference leak on error in addnoqname().

1638.	[bug]		"ixfr-from-differences" could generate a REQUIRE
			failure if the journal open failed. [RT #11347]
1639.	[func]		Initial dlv system test.

1641.	[bug]		Update the check-names description in ARM. [RT #11389]

1642.	[port]		Support OpenSSL implementations which don't have
			DSA support. [RT #11360]

1645.	[bug]		named could trigger a REQUIRE failure if multiple
			masters with keys are specified.

1647.	[bug]		It was possible to trigger an INSIST when chasing a DS
			record that required walking back over an empty node.
			[RT #11445]

1648.	[func]		Update dnssec-lookaside named.conf syntax to support
			multiple dnssec-lookaside namespaces (not yet
			implemented).

1651.	[bug]		dig: process multiple dash options.

1652.	[bug]		TKEY still uses KEY.

1653.	[func]		Add key type checking to dst_key_fromfilename(),
			DST_TYPE_KEY should be used to read TSIG, TKEY and
			SIG(0) keys.

1656.	[doc]		Update DNSSEC description in ARM to cover DS, NSEC
			DNSKEY and RRSIG.  [RT #11542]

1657.	[doc]		ARM: document query log output.

1658.	[func]		Update dnssec-keygen to default to KEY for HMAC-MD5
			and DH.  Tighten which options apply to KEY and
			DNSKEY records.

1659.	[cleanup]	Cleanup some messages that were referring to KEY vs
			DNSKEY, NXT vs NSEC and SIG vs RRSIG.

1661.	[bug]		Restore dns_name_concatenate() call in
			adb.c:set_target().  [RT #11582]

1662.	[bug]		Change #1658 failed to change one use of 'type'
			to 'keytype'.

1663.	[func]		Look for OpenSSL by default.

1664.	[bug]		nsupdate needed KEY for SIG(0), not DNSKEY.

1666.	[bug]		The optional port on hostnames in dual-stack-servers
			was being ignored.

1667.	[port]		linux: not all versions have IF_NAMESIZE.

1668.	[bug]		DIG_SIGCHASE was making bin/dig/host dump core.

1670.	[func]		Log UPDATE requests to slave zones without an acl as
			"disabled" at debug level 3. [RT# 11657]

1673.	[port]		linux: issue an error message if IPv6 interface
			scans fail.

1674.	[port]		linux: increase buffer size used to scan
			/proc/net/if_inet6.

1675.	[bug]		named would sometimes add extra NSEC records to
			the authority section.
1677.	[bug]		dig: +aaonly didn't work, +aaflag undocumented.

1678.	[bug]		RRSIG should use TYPEXXXXX for unknown types.

1683.	[bug]		dig +sigchase could leak memory. [RT #11445]

1693.	[bug]		max-journal-size was not effective for master zones
			with ixfr-from-differences set. [RT# 12024]

1695.	[bug]		DS records when forwarding require special handling.
			[RT #12133]

1696.	[bug]		dnssec-signzone failed to clean out nodes that
			consisted of only NSEC and RRSIG records.
			[RT #12154]

1697.	[bug]		xxx-source{,-v6} was not effective when it
			specified one of listening addresses and a
			different port than the listening port. [RT #12257]

1699.	[bug]		dnssec-signzone can generate "not exact" errors
			when resigning. [RT #12281]

1702.	[bug]		also-notify should not be applied to builtin zones.
			[RT #12323]

1703.	[bug]		named would loop sending NOTIFY messages when it
			failed to receive a response. [RT #12322]

1706.	[bug]		'rndc stop' failed to cause zones to be flushed
			sometimes. [RT #12328]

1711.	[func]		'rndc unfreeze' has been deprecated by 'rndc thaw'.

1712.	[bug]		Missing FULLCHECK for "trusted-key" in dig.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
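The comparison suggested in the reply above (take the two releases' CHANGES files and look at the differences) can be scripted. The following is an added Python example, not code from the original post or from ISC; it parses the "NNNN. [category] text" entry format shown in the list, reports entries present in the newer file but absent from the older one, optionally filtered by category tag, and flags entries whose text mentions security. The two CHANGES excerpts are constructed for the example (entry texts are copied from the list above, but which release each entry belongs to is assumed, not taken from the real files).

```python
"""List CHANGES entries that are new between two BIND releases.

Added example; not part of the original mailing-list post or of ISC's tools.
The CHANGES-format entries are identified by a leading "NNNN. [category]"
and may continue on indented lines.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

# Matches the start of an entry: optional whitespace, number, dot, [category], text.
ENTRY_RE = re.compile(r"^\s*(\d+)\.\s+\[(\w+)\]\s+(.*)$")


class Entry(NamedTuple):
    number: int
    category: str
    text: str


def parse_changes(text: str) -> Dict[int, Entry]:
    """Return {entry number: Entry} for a CHANGES-format text.

    Continuation lines (indented, non-empty) are joined to the current entry
    with single spaces; blank lines and release headers are ignored.
    """
    entries: Dict[int, Entry] = {}
    current: Optional[Entry] = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            if current is not None:
                entries[current.number] = current
            current = Entry(int(m.group(1)), m.group(2), m.group(3).strip())
        elif current is not None and line.strip():
            current = current._replace(text=current.text + " " + line.strip())
    if current is not None:
        entries[current.number] = current
    return entries


def new_entries(old_text: str, new_text: str,
                categories: Optional[Iterable[str]] = None) -> List[Entry]:
    """Entries in new_text whose number does not appear in old_text.

    If categories is given (e.g. ["bug"]), only those tags are returned.
    """
    old = parse_changes(old_text)
    new = parse_changes(new_text)
    wanted = set(categories) if categories is not None else None
    return [e for n, e in sorted(new.items())
            if n not in old and (wanted is None or e.category in wanted)]


def security_relevant(entries: Iterable[Entry]) -> List[Entry]:
    """Entries whose text mentions security (ISC marks such notes 'SECURITY:')."""
    return [e for e in entries if "security" in e.text.lower()]


# Constructed excerpts: the texts come from the list in the post, but the
# assignment to "old" and "new" releases is assumed for the example.
OLD_CHANGES = """\
1037.   [bug]           Negative responses whose authority section contain
                        SOA or NS records whose owner names are not equal
                        to or parents of the query name should be
                        rejected. [RT #1862]

1404.   [bug]           libbind: ns_name_ntol() could overwrite a zero length
                        buffer.
"""

NEW_CHANGES = OLD_CHANGES + """
1446.   [func]          Implemented undocumented alternate transfer sources
                        from BIND 8.  See use-alt-transfer-source,
                        alt-transfer-source and alt-transfer-source-v6.

                        SECURITY: use-alt-transfer-source is ENABLED unless
                        you are using views.  If you are not certain
                        ISC recommends setting use-alt-transfer-source no;

1458.   [cleanup]       sprintf() -> snprintf().

1548.   [bug]           When parsing APL records it was possible to silently
                        accept out of range ADDRESSFAMILY values. [RT# 9979]
"""


if __name__ == "__main__":
    for entry in new_entries(OLD_CHANGES, NEW_CHANGES):
        flag = " (SECURITY)" if entry in security_relevant([entry]) else ""
        print(f"{entry.number} [{entry.category}]{flag} {entry.text[:60]}...")
```

Run against real files with `new_entries(open("CHANGES-9.2.3").read(), open("CHANGES-9.3.0").read(), ["bug"])` (file names assumed) to get the bug-fix subset; `security_relevant()` over that result surfaces notes such as the use-alt-transfer-source warning in entry 1446.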