upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-24 07:41:10 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
30021 commits 18 branches 854 tags 440 MiB
Commit graph

2235 commits

Author SHA1 Message Date
Michał Kępień
e8bbb76620 [master] Correct the default value of print-time in ARM 2017-12-12 11:47:18 +01:00
Tinderbox User
71eec55e0d regen master 2017-12-09 01:09:51 +00:00
Evan Hunt
5ea0100639 [master] document "fixedpoint" 2017-12-07 18:59:52 -08:00
Tinderbox User
f9c3aba9b3 regen master 2017-12-06 17:32:49 +00:00
Tinderbox User
7308316d92 regen master 2017-12-06 01:09:54 +00:00
Mark Andrews
77f9623439 add [RT #46774] 2017-12-05 16:14:15 +11:00
Tinderbox User
6074bd498f regen master 2017-12-05 01:08:12 +00:00
Evan Hunt
b695f77533 [master] revised release note 2017-12-04 15:37:09 -08:00
Mark Andrews
9ff34db455 add note for [RT #46743] and [RT #46754] 2017-12-05 09:52:12 +11:00
Tinderbox User
a30f8d214d regenerate 2017-11-30 22:51:12 +00:00
Tinderbox User
0b315a0b25 regen master 2017-11-30 22:46:39 +00:00
Evan Hunt
e197a2bd15 [master] fix "allow-transfer" inheritance and clean up ACL configuration 
4836.	[bug]		Zones created using "rndc addzone" could
			temporarily fail to inherit an "allow-transfer"
			ACL that had been configured in the options
			statement. [RT #46603]
 2017-11-30 12:37:08 -08:00
Tinderbox User
0cba7ca6af regen master 2017-11-09 01:07:39 +00:00
Evan Hunt
f4b2356359 [master] remove extra comma 2017-11-08 09:31:25 -08:00
Tinderbox User
a1aa42b9cd regenerate 2017-11-08 17:28:38 +00:00
Tinderbox User
c999531fa4 regen master 2017-11-08 17:26:53 +00:00
Evan Hunt
00827f59d2 [master] revise incorrect release note 2017-11-08 09:18:29 -08:00
Tinderbox User
a41e41d6a4 regenerate 2017-11-07 21:48:23 +00:00
Tinderbox User
0e29543a3d regen master 2017-11-07 21:42:32 +00:00
Tinderbox User
72ddd51e74 regen master 2017-11-03 01:08:09 +00:00
Evan Hunt
c3d0ccdc8f [master] update logging categories in doc 2017-11-02 12:53:33 -07:00
Tinderbox User
f305a705c4 regenerate 2017-11-02 18:59:07 +00:00
Tinderbox User
490c321e25 regen master 2017-11-02 18:58:45 +00:00
Evan Hunt
e7b53943fe [master] copyrights 2017-11-02 11:50:43 -07:00
Evan Hunt
95dce4e68c [master] clarify doc on zone refresh and expiry 2017-11-01 23:06:20 -07:00
Evan Hunt
3b5718a8c9 [master] removed references to obsolete versions in documentation 2017-11-01 22:19:11 -07:00
Tinderbox User
40298d8bee regen master 2017-11-02 01:09:26 +00:00
Tinderbox User
9b3fc207df regen master 2017-11-01 01:09:07 +00:00
Tinderbox User
4ae8f28711 regen master 2017-10-30 01:08:21 +00:00
Mark Andrews
f5e1b555c5 4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside . 
trust-anchor dlv.isc.org;' now elicit warnings rather
                        than being fatal configuration errors. [RT #46410]
 2017-10-30 07:40:59 +11:00
Tinderbox User
497f3f913e regen master 2017-10-28 01:12:35 +00:00
Evan Hunt
c9f8165a06 [master] tag initializing keys 
4798.	[func]		Keys specified in "managed-keys" statements
			are tagged as "initializing" until they have been
			updated by a key refresh query. If initialization
			fails it will be visible from "rndc secroots".
			[RT #46267]
 2017-10-27 15:49:44 -07:00
Evan Hunt
1d57d460d4 [master] change rndc-confgen default algorithm 
this completes change 4785. the CHANGES note has been revised:

4785.	[func]		The hmac-md5 algorithm is no longer recommended for
			use with RNDC keys.  The default in rndc-confgen
			is now hmac-sha256. [RT #42272]
 2017-10-27 10:56:43 -07:00
Evan Hunt
959d294067 [master] remove isc-hmac-fixup 
4797.	[func]		Removed "isc-hmac-fixup", as the versions of BIND that
			had the bug it worked around are long past end of
			life. [RT #46411]
 2017-10-27 09:56:11 -07:00
Brian Conry
864bc6b56e [master] Increase the maximum TCP keepalive timeout to 65535 
4796.	[bug]		Increase the maximum configurable TCP keepalive
			timeout to 65535. [RT #44710]
 2017-10-27 14:58:48 +02:00
Evan Hunt
06049b1c6c [master] stats counter for priming queries 
4795.	[func]		A new statistics counter has been added to track
			priming queries. [RT #46313]
 2017-10-26 21:38:43 -07:00
Evan Hunt
3b4f23cdbf [master] dnssec-checkds -s 
4794.	[func]		"dnssec-checkds -s" specifies a file from which
			to read a DS set rather than querying the parent.
			[RT #44667]
 2017-10-26 21:05:11 -07:00
Tinderbox User
d3e8e9bdbb regen master 2017-10-26 01:09:30 +00:00
Evan Hunt
81570e84a2 [master] fix some documentation errors [RT #45527] 2017-10-25 11:02:26 -07:00
Evan Hunt
6a59e53a69 [master] fixed libdns doc 
4791.	[doc]		Fixed outdated documentation about export libraries.
			[RT #46341]
 2017-10-25 10:55:34 -07:00
Evan Hunt
eb2ef7b53e [master] check new-zones-directory 
4789.	[cleanup]	Check writability of new-zones-directory. [RT #46308]
 2017-10-25 01:19:46 -07:00
Evan Hunt
65314b0fd8 [master] "enable-filter-aaaa" no longer optional 
4786.	[func]		The "filter-aaaa-on-v4" and "filter-aaaa-on-v6"
			options are no longer conditionally compiled.
			[RT #46340]
 2017-10-25 00:33:51 -07:00
Tinderbox User
a53e03205a regen master 2017-10-25 01:08:58 +00:00
Evan Hunt
21761bfe79 [master] deprecate HMAC in dnssec-keygen, MD5 in rndc-confgen 
4785.	[func]		The hmac-md5 algorithm is no longer recommended for
			use with RNDC keys. For compatibility reasons, it
			it is still the default algorithm in rndc-confgen,
			but this will be changed to hmac-sha256 in a future
			release. [RT #42272]

4784.	[func]		The use of dnssec-keygen to generate HMAC keys is
			deprecated in favor of tsig-keygen.  dnssec-keygen
			will print a warning when used for this purpose.
			All HMAC algorithms will be removed from
			dnssec-keygen in a future release. [RT #42272]
 2017-10-24 15:35:13 -07:00
Evan Hunt
b1042e011c [master] zone "file" option was undocumented 2017-10-23 19:39:56 -07:00
Tinderbox User
2e662cf514 regen master 2017-10-22 01:10:28 +00:00
Evan Hunt
321b8429f5 [master] doc nit: Base64 is capitalized and not hyphenated 2017-10-21 13:28:38 -07:00
Tinderbox User
0fc861dea9 regen master 2017-10-21 01:13:05 +00:00
Mark Andrews
807ad469fe use correct tag 
(cherry picked from commit 317330c25a)
 2017-10-20 19:06:28 +11:00
Tinderbox User
2115e319ba regen master 2017-10-20 01:09:53 +00:00
Mark Andrews
d8442c1a15 s/made/may/ 2017-10-20 10:29:24 +11:00
Mark Andrews
9e5439a6d8 note removal of <isc/util.h> from other header files 2017-10-20 10:25:45 +11:00
Tinderbox User
b7b8e298f6 regen master 2017-10-19 01:09:18 +00:00
Evan Hunt
d99d5249b7 [master] clarify releates notes about deprecated/ineffective options 2017-10-18 12:41:25 -07:00
Tinderbox User
208abf3fc7 regen master 2017-10-18 01:10:52 +00:00
Evan Hunt
30419509dd [master] README and relnote fixes 2017-10-17 13:47:33 -07:00
Tinderbox User
94d96121b9 regen master 2017-10-17 01:08:55 +00:00
Evan Hunt
31275c3f39 [master] fixes to release notes 
- some typos
- call out removed features in a "Removed Features" section
- mention TAT logging
 2017-10-16 17:46:12 -07:00
Evan Hunt
d63943f063 [master] fixes to release notes 
- fixed some typos
- call out feature removals in a "Removed Features" section
- TAT logging
 2017-10-16 17:45:08 -07:00
Tinderbox User
4b1eb6a502 regenerate 2017-10-12 18:28:32 +00:00
Tinderbox User
29d9488d16 regen master 2017-10-12 18:23:36 +00:00
Evan Hunt
3abcd7cd8a [master] Revert "[master] tag initializing keys so they can't be used for normal validation" 
This reverts commit 560d8b833e.

This change created a potential race between key refresh queries and
root zone priming queries which could leave the root name servers in
the bad-server cache.
 2017-10-12 10:53:35 -07:00
Tinderbox User
2bd2487f51 regenerate 2017-10-12 04:21:52 +00:00
Tinderbox User
cac4114e9d regen master 2017-10-12 04:19:20 +00:00
Evan Hunt
560d8b833e [master] tag initializing keys so they can't be used for normal validation 
4773.	[bug]		Keys specified in "managed-keys" statements
			can now only be used when validating key refresh
			queries during initialization of RFC 5011 key
			maintenance. If initialization fails, DNSSEC
			validation of normal queries will also fail.
			Previously, validation of normal queries could
			succeed using the initializing key, potentially
			masking problems with managed-keys. [RT #46077]
 2017-10-11 21:01:13 -07:00
Tinderbox User
77c7d1c555 regen master 2017-10-12 01:08:20 +00:00
Evan Hunt
16d6fab2e5 [master] make writable directory and managed-keys directory mandatory 
4769.   [bug]           The working directory and managed-keys directory has
                        to be writeable (and seekable). [RT #46077]
 2017-10-11 08:21:23 +02:00
Tinderbox User
005bdf067b regen master 2017-10-10 01:08:02 +00:00
Evan Hunt
bd08d94f8b [master] add dnssec-cds man page to ARM 2017-10-09 10:58:27 -07:00
Evan Hunt
c89f1bf1b6 [master] turn off memory fill by default 
4768.	[func]		By default, memory is no longer filled with tag values
			when it is allocated or freed; this improves
			performance but makes debugging of certain memory
			issues more difficult. "named -M fill" turns memory
			filling back on. (Building "configure
			--enable-developer", turns memory fill on by
			default again; it can then be disabled with
			"named -M nofill".) [RT #45123]
 2017-10-09 09:55:37 -07:00
Tinderbox User
8c3ee6e6a5 regen master 2017-10-09 01:08:14 +00:00
Evan Hunt
cd20cbc9c0 [master] add DOA to ARM 2017-10-07 19:34:13 -07:00
Tinderbox User
0f91b4097f regen master 2017-10-07 01:09:38 +00:00
Evan Hunt
995c41e8f0 [master] further restrict update-policy local 
4762.	[func]		"update-policy local" is now restricted to updates
			from local addresses. (Previously, other addresses
			were allowed so long as updates were signed by the
			local session key.) [RT #45492]
 2017-10-06 15:43:31 -07:00
Mark Andrews
b41c1aacbc 4759. [func] Add logging channel "trust-anchor-telementry" to 
record trust-anchor-telementry in incoming requests.
                        Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
                        are logged.  [RT #46124]
 2017-10-06 13:01:14 +11:00
Evan Hunt
99e0079380 [master] fix topology doc 
4758.	[doc]		Remove documentation of unimplemented "topology".
			[RT #46161]
 2017-10-05 18:49:33 -07:00
Tinderbox User
26cde05da4 regen master 2017-10-06 01:08:15 +00:00
Evan Hunt
ba37674d03 [master] dnssec-cds 
4757.   [func]          New "dnssec-cds" command creates a new parent DS
                        RRset based on CDS or CDNSKEY RRsets found in
                        a child zone, and generates either a dsset file
                        or stream of nsupdate commands to update the
                        parent. Thanks to Tony Finch. [RT #46090]
 2017-10-05 01:04:18 -07:00
Evan Hunt
c370305901 [master] 4754. [bug] dns_zone_setview needs a two stage commit to properly 
handle errors. [RT #45841]
 2017-10-04 23:44:15 -07:00
Evan Hunt
abaa9755d2 [master] fix tag 2017-10-04 18:43:35 -07:00
Evan Hunt
d227e15567 [master] remove spurious control character 2017-10-03 19:41:44 -07:00
Tinderbox User
ca0ae70046 update copyright notice / whitespace 2017-10-03 23:45:48 +00:00
Evan Hunt
e515fae2ae [master] dnssec-signzone can now add sync records 
4751.	[func]		"dnssec-signzone -S" can now automatically add parent
			synchronization records (CDS and CDNSKEY) according
			to key metadata set using the -Psync and -Dsync
			options to dnssec-keygen and dnssec-settime.
			[RT #46149]
 2017-10-03 01:11:36 -07:00
Evan Hunt
762dc8b871 [master] rndc managed-keys destroy 
4750.	[func]		"rndc managed-keys destroy" shuts down RFC 5011 key
			maintenance and deletes the managed-keys database.
			If followed by "rndc reconfig" or a server restart,
			key maintenance is reinitialized from scratch.
			This is primarily intended for testing. [RT #32456]
 2017-10-03 01:05:46 -07:00
Evan Hunt
f29359299a [master] de-DLV 
4749.	[func]		The ISC DLV service has been shut down, and all
			DLV records have been removed from dlv.isc.org.
			- Removed references to ISC DLV in documentation
			- Removed DLV key from bind.keys
			- No longer use ISC DLV by default in delv
			[RT #46155]
 2017-10-03 00:41:57 -07:00
Tinderbox User
7cb14b610e regen master 2017-10-03 01:07:20 +00:00
Mark Andrews
c85b467dc0 4747. [func] Synthesis of responses from DNSSEC-verified records. 
Stage 3 - synthesize NODATA responses. [RT #40138]
 2017-10-03 11:16:37 +11:00
Tinderbox User
5fbc5c9225 regen master 2017-09-29 01:08:37 +00:00
Evan Hunt
24172bd2ee [master] completed and corrected the crypto-random change 
4724.	[func]		By default, BIND now uses the random number
			functions provided by the crypto library (i.e.,
			OpenSSL or a PKCS#11 provider) as a source of
			randomness rather than /dev/random.  This is
			suitable for virtual machine environments
			which have limited entropy pools and lack
			hardware random number generators.

			This can be overridden by specifying another
			entropy source via the "random-device" option
			in named.conf, or via the -r command line option;
			however, for functions requiring full cryptographic
			strength, such as DNSSEC key generation, this
			cannot be overridden. In particular, the -r
			command line option no longer has any effect on
			dnssec-keygen.

			This can be disabled by building with
			"configure --disable-crypto-rand".
			[RT #31459] [RT #46047]
 2017-09-28 10:09:22 -07:00
Mark Andrews
e00fdad191 4742. [func] Synthesis of responses from DNSSEC-verified records. 
Stage 2 - synthesis of records from wildcard data.
                        If the dns64 or filter-aaaa* is configured then the
                        involved lookups are currently excluded. [RT #40138]
 2017-09-28 15:16:26 +10:00
Tinderbox User
81c9fdd472 regen master 2017-09-22 01:07:54 +00:00
Tinderbox User
8200eb4c60 update copyright notice / whitespace 2017-09-21 23:47:11 +00:00
Evan Hunt
2278a14b52 [master] fix typos 2017-09-21 10:12:53 -07:00
Tinderbox User
cd8e7e8bf8 regen master 2017-09-21 01:10:02 +00:00
Evan Hunt
7a2112ff7d [master] fix memory growth problem 
4733.	[bug]		Change #4706 introduced a bug causing TCP clients
			not be reused correctly, leading to unconstrained
			memory growth. [RT #46029]
 2017-09-20 12:12:02 -07:00
Tinderbox User
db22b3ea1f regen master 2017-09-20 01:08:59 +00:00
Mukund Sivaraman
32bcafc316 Change default minimal-responses setting to no-auth-recursive (#46016) 2017-09-19 19:49:02 +05:30
Mark Andrews
fb088a00cf remove unimplement rate-limit option [RT #46030] 2017-09-19 13:15:24 +10:00
Tinderbox User
e98d70750c regen master 2017-09-17 01:09:06 +00:00
Evan Hunt
61996344fe [master] clarify CHANGES, add relnote 2017-09-16 12:06:54 -07:00
Evan Hunt
1b186f7aac [master] use <command> consistently instead of occasionally using <option> 2017-09-15 23:11:23 -07:00
Evan Hunt
8bcd080677 [master] display < and > correctly 2017-09-15 23:09:39 -07:00
Tinderbox User
bdd3edceb9 regen master 2017-09-15 01:08:50 +00:00
Evan Hunt
0199666d39 [master] add thanks to APNIC and add missing note for serve-stale 2017-09-14 11:48:21 -07:00
Tinderbox User
e3bd90ee1b regen master 2017-09-14 01:12:10 +00:00
Evan Hunt
20502f35dd [master] allow CDS/CDNSKEY records to be signed with only KSK 
4721.	[func]		'dnssec-signzone -x' and 'dnssec-dnskey-kskonly'
			options now apply to CDNSKEY and DS records as well
			as DNSKEY. Thanks to Tony Finch. [RT #45689]
 2017-09-12 23:09:48 -07:00
Evan Hunt
30973087a0 [master] add prefetch stat counter 
4720.	[func]		Added a statistics counter to track prefetch
			queries. [RT #45847]
 2017-09-12 18:41:47 -07:00
Tinderbox User
28e80dd3bb regenerate 2017-09-12 00:44:10 +00:00
Tinderbox User
c6885311b7 regen master 2017-09-12 00:37:02 +00:00
Tinderbox User
8e58ea7157 regenerate 2017-09-12 00:26:30 +00:00
Tinderbox User
ce4c658f65 regen master 2017-09-12 00:16:47 +00:00
Mark Andrews
b96554b82e add missing end </command> tags 2017-09-12 10:05:16 +10:00
Tinderbox User
c7eb55a064 regenerate 2017-09-11 23:52:26 +00:00
Evan Hunt
d3ac0bcdb7 [master] clean up release notes and README for alpha 2017-09-11 16:44:39 -07:00
Evan Hunt
3363f3147a [master] DNS Response Policy Service API 
4713.	[func]		Added support for the DNS Response Policy Service
			(DNSRPS) API, which allows named to use an external
			response policy daemon when built with
			"configure --enable-dnsrps".  Thanks to Vernon
			Schryver and Farsight Security. [RT #43376]
 2017-09-11 11:57:43 -07:00
Tinderbox User
8334115783 regen master 2017-09-10 01:10:23 +00:00
Evan Hunt
bcb7c7fdad [master] fix tag 2017-09-08 18:22:12 -07:00
Evan Hunt
8eb88aafee [master] add libns and remove liblwres 
4708.   [cleanup]       Legacy Windows builds (i.e. for XP and earlier)
                        are no longer supported. [RT #45186]

4707.	[func]		The lightweight resolver daemon and library (lwresd
			and liblwres) have been removed. [RT #45186]

4706.	[func]		Code implementing name server query processing has
			been moved from bin/named to a new library "libns".
			Functions remaining in bin/named are now prefixed
			with "named_" rather than "ns_".  This will make it
			easier to write unit tests for name server code, or
			link name server functionality into new tools.
			[RT #45186]
 2017-09-08 13:47:34 -07:00
Tinderbox User
95bbb75143 regen master 2017-09-06 01:11:43 +00:00
Mark Andrews
df50751585 4700. [func] Serving of stale answers is now supported. This 
allows named to provide stale cached answers when
                        the authoritative server is under attack.
                        See max-stale-ttl, stale-answer-enable,
                        stale-answer-ttl. [RT #44790]
 2017-09-06 09:58:29 +10:00
Tinderbox User
e8a4edf0ed regen master 2017-09-05 01:10:49 +00:00
Mark Andrews
e2a737bcb8 4699. [func] Multiple cookie-secret clauses can now be specified. 
The first one specified is used to generate new
                        server cookies.  [RT #45672]
 2017-09-05 09:19:45 +10:00
Tinderbox User
e640ea9343 regen master 2017-09-01 01:11:29 +00:00
Evan Hunt
45afdb2672 [master] remove default algorithm in dnssec-keygen 
4594.	[func]		dnssec-keygen no longer uses RSASHA1 by default;
			the signing algorithm must be specified on
			the command line with the "-a" option.  Signing
			scripts that rely on the existing default behavior
			will break; use "dnssec-keygen -a RSASHA1" to
			repair them. (The goal of this change is to make
			it easier to find scripts using RSASHA1 so they
			can be changed in the event of that algorithm
			being deprecated in the future.) [RT #44755]
 2017-08-30 18:51:11 -07:00
Tinderbox User
2bfc294f0a regen master 2017-08-31 01:11:54 +00:00
Mark Andrews
0aed466565 4693. [func] Synthesis of responses from DNSSEC-verified records. 
Stage 1 covers NXDOMAIN synthesis from NSEC records.
                        This is controlled by synth-from-dnssec and is enabled
                        by default. [RT #40138]
 2017-08-31 07:57:50 +10:00
Tinderbox User
a5d6b4c4c8 regen master 2017-08-30 01:12:14 +00:00
Michał Kępień
efe7977c4d [master] Add -4/-6 command line options to nsupdate and rndc 
4691.	[func]		Add -4/-6 command line options to nsupdate and rndc.
			[RT #45632]
 2017-08-29 10:21:54 +02:00
Tinderbox User
07675caf4f regen master 2017-08-25 01:10:48 +00:00
Mark Andrews
07741d43c8 4688. [protocol] Check and display EDNS KEY TAG options (RFC 8145) in 
messages. [RT #44804]
 2017-08-25 08:38:19 +10:00
Tinderbox User
2a08a599ee regen master 2017-08-22 01:11:12 +00:00
Tinderbox User
5fbe52fbce regen master 2017-08-18 01:11:45 +00:00
Tinderbox User
7655cd1fe5 regen master 2017-08-17 01:10:36 +00:00
Mark Andrews
1fe9f65dbb add more details 2017-08-16 13:22:35 +10:00
Tinderbox User
7df675188c regen master 2017-08-16 01:10:34 +00:00
Mark Andrews
52fd57c989 4681. [bug] Log messages from the validator now include the 
associated view unless the view is "_default/IN"
                        or "_dnsclient/IN". [RT #45770]
 2017-08-16 09:29:20 +10:00
Tinderbox User
4e22c61020 regen master 2017-08-11 01:12:23 +00:00
Evan Hunt
f8786917ac [master] revise CHANGES and release notes to say glue-cache is on by default 2017-08-09 21:48:51 -07:00
Mukund Sivaraman
b9532d9cf3 Turn on glue-cache by default 
- We decided to do this on the weekly BIND dev meeting
- Mark reviewed patch on Jabber
 2017-08-10 09:06:54 +05:30
Tinderbox User
20809d0a5a regen master 2017-08-10 01:11:49 +00:00
Evan Hunt
b2a5df8d4b [master] grammar error and missing reference to filter-aaaa-on-v6 2017-08-09 15:02:56 -07:00
Evan Hunt
c4cfb0b4dc [master] remove dig +sigchase 
4674.   [func]          "dig +sigchase", and related options "+topdown" and
                        "+trusted-keys", have been removed. Use "delv" for
                        queries with DNSSEC validation. [RT #42793]
 2017-08-09 11:03:27 -07:00
Tinderbox User
e1a2da2259 regen master 2017-08-05 01:14:25 +00:00
Evan Hunt
61367c604c [master] refactor resquery_response() and related functions 
4669.	[func]		Iterative query logic in resolver.c has been
			refactored into smaller functions and commented,
			for improved readability, maintainability and
			testability. [RT #45362]
 2017-08-04 16:08:11 -07:00
Tinderbox User
8cc38b581c regen master 2017-08-01 01:08:53 +00:00
Evan Hunt
913f7528fe [master] revise CHANGES note and add release note 2017-07-31 10:34:19 -07:00
Tinderbox User
93ae9a09a9 regen master 2017-07-29 01:10:15 +00:00
Evan Hunt
268cea9c12 [master] glue-cache option 
4664.	[func]		Add a "glue-cache" option to enable or disable the
			glue cache. The default is "no" to reduce memory
			usage, but enabling this option will improve
			performance in delegation-heavy zones. [RT #45125]
 2017-07-28 12:57:50 -07:00
Evan Hunt
cee0d603a3 [master] remove unnecessary acronym expansions 2017-07-28 12:22:31 -07:00
Tinderbox User
2f575e645b regen master 2017-07-16 01:07:52 +00:00
Evan Hunt
8abc9db6bf [master] update relnotes to mention termination of windows XP support 2017-07-15 13:56:34 -07:00
Tinderbox User
a28cf7bfb5 regen master 2017-07-12 01:09:15 +00:00
Mark Andrews
56d8312a48 note change in AD setting on some truncated answers 2017-07-11 13:29:19 +10:00
Mark Andrews
9987992232 add note about .local 2017-07-11 12:43:31 +10:00
Tinderbox User
c6a2d3a9e6 regen master 2017-06-28 01:09:32 +00:00
Evan Hunt
581c1526ab [master] address TSIG bypass/forgery vulnerabilities 
4643.	[security]	An error in TSIG handling could permit unauthorized
			zone transfers or zone updates. (CVE-2017-3142)
			(CVE-2017-3143) [RT #45383]
 2017-06-27 11:39:19 -07:00
Tinderbox User
d6b626e9a7 regen master 2017-06-14 01:08:21 +00:00
Evan Hunt
bf05e66bb3 [master] prevent reload failure due to LMDB database perms 
4638.	[bug]		Reloading or reconfiguring named could fail on
			some platforms when LMDB was in use. [RT #45203]
 2017-06-13 10:15:34 -07:00
Evan Hunt
0471530aae [master] nsec3hash -r 
4637.	[func]		"nsec3hash -r" option ("rdata order") takes arguments
			in the same order as they appear in NSEC3 or
			NSEC3PARAM records, so that NSEC3 parameters can
			be cut and pasted from an existing record. Thanks
			to Tony Finch for the contribution. [RT #45183]
 2017-06-13 00:39:10 -07:00
Tinderbox User
d37d9a6873 regen master 2017-05-31 01:08:13 +00:00
Evan Hunt
967a3b9419 [master] quote service registry paths 
4532.	[security]	The BIND installer on Windows used an unquoted
                        service path, which can enable privilege escalation.
			(CVE-2017-3141) [RT #45229]
 2017-05-30 13:35:59 -07:00
Evan Hunt
2648c49be7 [master] fix rpz formerr loop 
4531.	[security]	Some RPZ configurations could go into an infinite
			query loop when encountering responses with TTL=0.
			(CVE-2017-3140) [RT #45181]
 2017-05-30 12:30:28 -07:00
Tinderbox User
a014b329f2 regen master 2017-05-19 01:09:39 +00:00
Evan Hunt
ef9ab10ce0 [master] remove outdated reference to libbind 2017-05-18 15:35:06 -07:00
Tinderbox User
bdf087ba00 regen master 2017-05-12 01:09:53 +00:00
Mark Andrews
d4d73bca79 add warning about semicolon no longer being escaped 2017-05-11 11:02:35 +10:00
Tinderbox User
f9d602f35c regen master 2017-05-05 01:08:31 +00:00
Evan Hunt
3a554a444c [master] fix lmdb delzone 
4616.	[bug]		When using LMDB, zones deleted using "rndc delzone"
			were not correctly removed from the new-zone
			database. [RT #45185]
 2017-05-04 12:32:32 -07:00
Tinderbox User
51da560543 regen master 2017-05-04 01:08:23 +00:00
Mark Andrews
071fe723a1 fix tag mismatch 2017-05-03 11:15:14 +10:00
Evan Hunt
d39ab7440e [master] automatically tune max-journal-size 
4613.	[func]		By default, the maximum size of a zone journal file
			is now twice the size of the zone's contents (there
			is little benefit to a journal larger than this).
			This can be overridden by setting "max-journal-size"
			to "unlimited" or to an explicit value up to 2G.
			Thanks to Tony Finch. [RT #38324]
 2017-05-02 13:23:08 -07:00
Tinderbox User
57994a07f7 regen master 2017-04-27 00:43:03 +00:00
Mukund Sivaraman
241b49e611 Set a LMDB mapsize and also provide a config option to control it (#44954) 2017-04-26 23:51:26 +05:30
Tinderbox User
c118d16a1c regen master 2017-04-25 01:06:00 +00:00
Tinderbox User
18b7760b29 update copyright notice / whitespace 2017-04-24 23:45:33 +00:00
Evan Hunt
2dfb992349 [master] new-zones-directory option 
4610.	[func]		The "new-zones-directory" option specifies the
			location of NZF or NZD files for storing
			configuration of zones added by "rndc addzone".
			Thanks to Petr Menšík. [RT #44853]
 2017-04-23 23:16:53 -07:00
Tinderbox User
f5fa655319 regen master 2017-04-23 01:06:11 +00:00
Evan Hunt
3a10cf1f07 [master] add a release note for performance improvements 2017-04-21 21:48:50 -07:00
Mukund Sivaraman
03be5a6b4e Improve performance for delegation heavy answers and also general query performance (#44029) 2017-04-22 09:22:44 +05:30
Evan Hunt
d26ae7fc08 [master] give threads unique names to assist debugging 
4602.	[func]		Threads are now set to human-readable
			names to assist debugging, when supported by
			the OS. [RT #43234]
 2017-04-21 13:59:40 -07:00
Evan Hunt
f5c39b072c [master] hex output mode for dnstap-read 
4594.	[func]		"dnstap-read -x" prints a hex dump of the wire
			format of each logged DNS message. [RT #44816]
 2017-04-20 20:22:19 -07:00
Tinderbox User
2d863323b6 regen master 2017-04-21 01:05:18 +00:00
Tinderbox User
19643a1ded regen master 2017-04-13 01:05:08 +00:00
Evan Hunt
52e398c0af [master] formatting 2017-04-12 14:05:54 -07:00
Tinderbox User
e67fe90a1f regen master 2017-04-12 01:05:15 +00:00
Tinderbox User
0a1d79ed8f regen master 2017-03-30 01:05:19 +00:00
Mark Andrews
fe1ad70e51 add CVE-2017-3138 2017-03-30 02:56:33 +11:00
Tinderbox User
38704ecee9 regen master 2017-03-26 01:05:14 +00:00
Evan Hunt
39eb1d0353 [master] host -A 
4593.	[func]		"host -A" returns most records for a name but
			omits RRSIG, NSEC and NSEC3. (Thanks to Tony Finch.)
			[RT #43032]
 2017-03-25 12:49:25 -07:00
Tinderbox User
ecbef65ae5 regen master 2017-03-13 01:05:40 +00:00
Evan Hunt
d2650297ca [master] tag mismatch 2017-03-10 17:34:01 -08:00
Mark Andrews
786402ec12 fix tag mismatch 2017-03-10 13:05:59 +11:00
Tinderbox User
d2f2db283b update copyright notice / whitespace 2017-03-09 23:46:23 +00:00
Evan Hunt
612b2e2c0d [master] timestamp suffixes for log files 
4579.	[func]		Logging channels and dnstap output files can now
			be configured with a "suffix" option, set to
			either "increment" or "timestamp", indicating
			whether to use incrementing numbers or timestamps
			as the file suffix when rolling over a log file.
			[RT #42838]
 2017-03-08 23:20:40 -08:00
Evan Hunt
aa00b31b17 [master] fix ARM merge error 2017-03-08 22:51:26 -08:00
Tinderbox User
02716f97c1 regen master 2017-03-02 01:05:06 +00:00
Tinderbox User
a06081491c regen master 2017-02-24 01:04:54 +00:00
Evan Hunt
a1365a0042 [master] remove unnecessary INSIST 
4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
			queries could trigger assertion failures.
			(CVE-2017-3137) [RT #44734]
 2017-02-23 14:34:33 -08:00
Tinderbox User
c4dbad7b36 regen master 2017-02-21 01:04:58 +00:00
Witold Krecicki
fa9b4de716 4576. [func] The RPZ implementation has been substantially refactored for improved performance and reliability. [RT #43449] 2017-02-20 11:57:28 +01:00
Tinderbox User
a32fa1246e regen master 2017-02-16 01:05:00 +00:00
Mark Andrews
009c98a1be add CVE-2017-3136 note 
(cherry picked from commit d77eadc261)
 2017-02-15 12:45:38 +11:00
Tinderbox User
a95dc83de5 regen master 2017-02-09 01:04:58 +00:00
wpk
96912e44b0 4573. [func] Query logic has been substantially refactored (e.g. query_find function has been split into smaller functions) for improved readability, maintainability 2017-02-08 22:15:01 +01:00
Evan Hunt
7fcd72f574 [master] mismatched tag 2017-02-07 18:28:40 -08:00
Evan Hunt
ef0ddc8ba3 [master] doc style 2017-02-07 08:18:15 -08:00
Mark Andrews
009aabd2e5 fix tag mismatch 2017-02-07 12:11:45 +11:00
Evan Hunt
c4e4bd6a09 [master] dnstap size and versions options 
4572.	[func]		The "dnstap-output" option can now take "size" and
			"versions" parameters to indicate the maximum size
			a dnstap log file can grow before rolling to a new
			file, and how many old files to retain. [RT #44502]
 2017-02-06 16:34:58 -08:00
Evan Hunt
5b4d6d2ff8 [master] removed extra note about bind.keys update 2017-02-06 14:19:53 -08:00
Tinderbox User
513cec7786 regen master 2017-02-05 01:04:55 +00:00
Evan Hunt
650b5e7592 [master] store local and remote addresses in dnstap 
4569.	[func]		Store both local and remote addresses in dnstap
			logging, and modify dnstap-read output format to
			print them. [RT #43595]
 2017-02-03 17:05:58 -08:00
Tinderbox User
04241eba68 regen master 2017-02-03 01:04:52 +00:00
Tinderbox User
194f07c628 update copyright notice / whitespace 2017-02-02 23:45:47 +00:00
Evan Hunt
aace5d0fb3 [master] include ECS in query logging 
4566.	[func]		Query logging now includes the ECS option if one
			was included in the query. [RT #44476]
 2017-02-02 11:54:28 -08:00
Mark Andrews
294d73d990 new root KSK 2017-02-02 18:26:52 +11:00
Mark Andrews
2f5444972a perform more testing on rndc <op> -redirect 2017-02-02 17:25:54 +11:00
Tinderbox User
59297922ce regen master 2017-02-02 01:04:40 +00:00
Evan Hunt
caf7f57771 [master] clarify client logging doc 2017-02-01 14:51:02 -08:00
Tinderbox User
1f691c3d22 regen master 2017-01-31 01:05:39 +00:00
Evan Hunt
cd668ea57f [master] change 4558 was incomplete 2017-01-30 14:10:30 -08:00
Tinderbox User
ff52f52a31 regen master 2017-01-25 01:04:56 +00:00
Evan Hunt
afa0ff0cbb [master] expand relnote 2017-01-23 20:04:04 -08:00
Tinderbox User
431ed6eede regen master 2017-01-24 01:04:59 +00:00
Mark Andrews
b1b5229a47 4556. [security] Combining dns64 and rpz can result in dereferencing 
a NULL pointer (read).  (CVE-2017-3135) [RT#44434]

(cherry picked from commit 5abe80ef13)
 2017-01-24 09:55:51 +11:00
Tinderbox User
4502e3c5dd regen master 2017-01-21 01:04:48 +00:00
Tinderbox User
96f5064e3c update copyright notice / whitespace 2017-01-20 23:45:34 +00:00
Evan Hunt
25a9b90369 [master] symbolic option names for dig +ednsopt 
4555.	[func]		dig +ednsopt: EDNS options can now be specified by
			name in addition to numeric value. [RT #44461]
 2017-01-19 23:46:37 -08:00
Tinderbox User
89e63ad516 regen master 2017-01-13 01:04:59 +00:00
Mark Andrews
d2e1b47d4f 4553. [bug] Named could deadlock there were multiple changes to 
NSEC/NSEC3 parameters for a zone being processed at
                        the same time. [RT #42770]
 2017-01-12 14:25:45 +11:00
Mark Andrews
42924b40af 4552. [bug] Named could trigger a assertion when sending notify 
messages. [RT #44019]
 2017-01-12 14:17:43 +11:00
Tinderbox User
86b7ae6b77 regen master 2017-01-10 01:04:52 +00:00
Tinderbox User
2067cfdb46 regen master 2017-01-06 01:05:20 +00:00
Tinderbox User
37ae137942 regen master 2017-01-05 01:05:07 +00:00
Evan Hunt
5804332588 [master] EDNS padding and keepalive support 
4549.	[func]		Added support for the EDNS TCP Keepalive option
			(RFC 7828). [RT #42126]

4548.	[func]		Added support for the EDNS Padding option (RFC 7830).
			[RT #42094]
 2017-01-04 09:16:30 -08:00
Tinderbox User
fdc6f64030 regen master 2016-12-29 04:58:08 +00:00
Evan Hunt
8f2b2012a4 [master] release notes 2016-12-28 20:19:47 -08:00
Tinderbox User
6ce6801f3f regen master 2016-12-29 01:05:39 +00:00
Mark Andrews
2c1c4b99a1 4508. [security] Named incorrectly tried to cache TKEY records which 
could trigger a assertion failure when there was
                            a class mismatch. (CVE-2016-9131) [RT #43522]
 2016-12-29 11:07:40 +11:00
Evan Hunt
eff07b51df [master] release notes 2016-12-28 12:05:08 -08:00
Evan Hunt
cc1a796b78 [master] release note 2016-12-28 11:07:27 -08:00
Tinderbox User
190ea9e6b8 regen master 2016-12-28 01:05:39 +00:00
Mark Andrews
5093e8d482 4542. [func] Allow rndc to manipulate redirect zones with using 
-redirect as the zone name (use "-redirect." to
                        manipulate a zone named "-redirect"). [RT #43971]
 2016-12-28 11:36:31 +11:00
Tinderbox User
dd0e617038 regen master 2016-12-27 01:05:51 +00:00
Evan Hunt
c5b8b74113 [master] clarify auth ECS is not meant for production use 2016-12-26 16:52:30 -08:00
Tinderbox User
16fde7f0b3 regen master 2016-12-07 01:05:34 +00:00
Mark Andrews
1b8ce3b330 4527. [doc] Support DocBook XSL Stylesheets v1.79.1. [RT #43831] 2016-12-07 10:49:55 +11:00
Tinderbox User
807bf70d07 regenerate 2016-12-05 19:19:01 +00:00
Tinderbox User
b06a5726eb regen master 2016-12-05 18:24:42 +00:00
Evan Hunt
ca58c1ea25 [master] fixed ARM grammars 
4526.	[doc]		Corrected errors and improved formatting of
			grammar defintiions in the ARM. [RT #43739]
 2016-12-05 00:43:10 -08:00
Evan Hunt
e1ba21bd58 [master] fix managed-keys doc 
4525.	[doc]		Fixed outdated documentation on managed-keys.
			[RT #43810]
 2016-12-04 20:22:20 -08:00