December 17, 2010

[installer 2602] BIND 9.8.0a1, 9.6.3b1

BIND 9.8.0a1 and 9.6.3b1 have been released.

☆ BIND 9.8.0a1
https://www.isc.org/software/bind
ftp://ftp.isc.org/isc/bind9/9.8.0a1/bind-9.8.0a1.tar.gz

--- 9.8.0a1 released ---

2982. [bug] Reference count dst keys. dst_key_attach() can be used
to increment the reference count.

Note: dns_tsigkey_createfromkey() callers should now
always call dst_key_free() rather than setting it
to NULL on success. [RT #22672]

2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]

2980. [bug] named didn't properly handle UPDATES that changed the
TTL of the NSEC3PARAM RRset. [RT #22363]

2979. [bug] named could deadlock during shutdown if two
"rndc stop" commands were issued at the same
time. [RT #22108]

2978. [port] hpux: look for <devpoll.h> [RT #21919]

2977. [bug] 'nsupdate -l' report if the session key is missing.
[RT #21670]

2976. [bug] named could die on exit after negotiating a GSS-TSIG
key. [RT #22573]

2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
wrong lock which could lead to server deadlock.
[RT #22614]

2974. [bug] Some valid UPDATE requests could fail due to a
consistency check examining the existing version
of the zone rather than the new version resulting
from the UPDATE. [RT #22413]

2973. [bug] bind.keys.h was being removed by the "make clean"
at the end of configure resulting in build failures
where there is a very old version of perl installed.
Move it to "make maintainer-clean". [RT #22230]

2972. [bug] win32: address windows socket errors. [RT #21906]

2971. [bug] Fixed a bug that caused journal files not to be
compacted on Windows systems as a result of
non-POSIX-compliant rename() semantics. [RT #22434]

2970. [security] Adding a NO DATA negative cache entry failed to clear
any matching RRSIG records. A subsequent lookup of
the NO DATA cache entry could trigger an INSIST when the
unexpected RRSIG was also returned with the NO DATA
cache entry.

CVE-2010-3613, VU#706148. [RT #22288]

2969. [security] Fix acl type processing so that allow-query works
in options and view statements. Also add a new
set of tests to verify proper functioning.

CVE-2010-3615, VU#510208. [RT #22418]

2968. [security] Named could fail to prove a data set was insecure
before marking it as insecure. One set of conditions
that can trigger this occurs naturally when rolling
DNSKEY algorithms.

CVE-2010-3614, VU#837744. [RT #22309]

2967. [bug] 'host -D' now turns on debugging messages earlier.
[RT #22361]

2966. [bug] isc_print_vsnprintf() failed to check if there was
space available in the buffer when adding a left
justified character with a non zero width,
(e.g. "%-1c"). [RT #22270]

2965. [func] Test HMAC functions using test data from RFC 2104 and
RFC 4634. [RT #21702]

2964. [placeholder]

2963. [security] The allow-query acl was being applied instead of the
allow-query-cache acl to cache lookups. [RT #22114]

2962. [port] win32: add more dependencies to BINDBuild.dsw.
[RT #22062]

2961. [bug] Be still more selective about the non-authoritative
answers we apply change 2748 to. [RT #22074]

2960. [func] Check that named accepts non-authoritative answers.
[RT #21594]

2959. [func] Check that named starts with a missing masterfile.
[RT #22076]

2958. [bug] named failed to start with a missing master file.
[RT #22076]

2957. [bug] entropy_get() and entropy_getpseudo() failed to match
the API for RAND_bytes() and RAND_pseudo_bytes()
respectively. [RT #21962]

2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]

2955. [func] Provide more detail in the recursing log. [RT #22043]

2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
build_sqldbinstance failure. [RT #21623]

2953. [bug] Silence spurious "expected covering NSEC3, got an
exact match" message when returning a wildcard
no data response. [RT #21744]

2952. [port] win32: named-checkzone and named-checkconf failed
to initialise winsock. [RT #21932]

2951. [bug] named failed to generate a correct signed response
in an optout, delegation only zone with no secure
delegations. [RT #22007]

2950. [bug] named failed to perform a SOA up to date check when
falling back to TCP on UDP timeouts when
ixfr-from-differences was set. [RT #21595]

2949. [bug] dns_view_setnewzones() contained a memory leak if
it was called multiple times. [RT #21942]

2948. [port] MacOS: provide a mechanism to configure the test
interfaces at reboot. See bin/tests/system/README
for details.

2947. [placeholder]

2946. [doc] Document the default values for the minimum and maximum
zone refresh and retry values in the ARM. [RT #21886]

2945. [doc] Update empty-zones list in ARM. [RT #21772]

2944. [maint] Remove ORCHID prefix from built in empty zones.
[RT #21772]

2943. [func] Add support to load new keys into managed zones
without signing immediately with "rndc loadkeys".
Add support to link keys with "dnssec-keygen -S"
and "dnssec-settime -S". [RT #21351]

2942. [contrib] zone2sqlite failed to setup the entropy sources.
[RT #21610]

2941. [bug] sdb and sdlz (dlz's zone database) failed to support
DNAME at the zone apex. [RT #21610]

2940. [port] Remove connection aborted error message on
Windows. [RT #21549]

2939. [func] Check that named successfully skips NSEC3 records
that fail to match the NSEC3PARAM record currently
in use. [RT# 21868]

2938. [bug] When generating signed responses, from a signed zone
that uses NSEC3, named would use an uninitialised
pointer if it needed to skip a NSEC3 record because
it didn't match the selected NSEC3PARAM record for
zone. [RT# 21868]

2937. [bug] Worked around an apparent race condition in over
memory conditions. Without this fix a DNS cache DB or
ADB could incorrectly stay in an over memory state,
effectively refusing further caching, which
subsequently made a BIND 9 caching server unworkable.
This fix prevents this problem from happening by
polling the state of the memory context, rather than
making a copy of the state, which appeared to cause
a race. This is a "workaround" in that it doesn't
solve the possible race per se, but several experiments
proved this change solves the symptom. Also, the
polling overhead hasn't been reported to be an issue.
This bug should only affect a caching server that
specifies a finite max-cache-size. It's also quite
likely that the bug happens only when enabling threads,
but it's not confirmed yet. [RT #21818]

2936. [func] Improved configuration syntax and multiple-view
support for addzone/delzone feature (see change
#2930). Removed "new-zone-file" option, replaced
with "allow-new-zones (yes|no)". The new-zone-file
for each view is now created automatically, with
a filename generated from a hash of the view name.
It is no longer necessary to "include" the
new-zone-file in named.conf; this happens
automatically. Zones that were not added via
"rndc addzone" can no longer be removed with
"rndc delzone". [RT #19447]

2935. [bug] nsupdate: improve 'file not found' error message.
[RT #21871]

2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
[RT #21871]

2933. [bug] 'dig +nsid' used stack memory after it went out of
scope. This could potentially result in an unknown,
potentially malformed, EDNS option being sent instead
of the desired NSID option. [RT #21781]

2932. [cleanup] Corrected a numbering error in the "dnssec" test.
[RT #21597]

2931. [bug] Temporarily and partially disable change 2864
because it would cause infinite attempts of RRSIG
queries. This is an urgent care fix; we'll
revisit the issue and complete the fix later.
[RT #21710]

2930. [experimental] New "rndc addzone" and "rndc delzone" commands
allow dynamic addition and deletion of zones.
To enable this feature, specify a "new-zone-file"
option at the view or options level in named.conf.
Zone configuration information for the new zones
will be written into that file. To make the new
zones persist after a restart, "include" the file
into named.conf in the appropriate view. (Note:
This feature is not yet documented, and its syntax
is expected to change.) [RT #19447]

2929. [bug] Improved handling of GSS security contexts:
- added LRU expiration for generated TSIGs
- added the ability to use a non-default realm
- added new "realm" keyword in nsupdate
- limited lifetime of generated keys to 1 hour
or the lifetime of the context (whichever is
smaller)
[RT #19737]

2928. [bug] Be more selective about the non-authoritative
answer we apply change 2748 to. [RT #21594]

2927. [placeholder]

2926. [placeholder]

2925. [bug] Named failed to accept uncachable negative responses
from insecure zones. [RT# 21555]

2924. [func] 'rndc secroots' dump a combined summary of the
current managed keys combined with trusted keys.
[RT #20904]

2923. [bug] 'dig +trace' could drop core after "connection
timeout". [RT #21514]

2922. [contrib] Update zkt to version 1.0.

2921. [bug] The resolver could attempt to destroy a fetch context
too soon. [RT #19878]

2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
to IPv4 clients. New acl 'filter-aaaa' (default any).

2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
[RT #20840]

2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.

2917. [func] Virtual time test framework. [RT #20801]

2916. [func] Add framework to use IPv6 in tests.
fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7

2915. [cleanup] Be smarter about which objects we attempt to compile
based on configure options. [RT #21444]

2914. [bug] Make the "autosign" system test more portable.
[RT #20997]

2913. [func] Add pkcs#11 system tests. [RT #20784]

2912. [func] Windows clients don't like UPDATE responses that clear
the zone section. [RT #20986]

2911. [bug] dnssec-signzone didn't handle out of zone records well.
[RT #21367]

2910. [func] Sanity check Kerberos credentials. [RT #20986]

2909. [bug] named-checkconf -p could die if "update-policy local;"
was specified in named.conf. [RT #21416]

2908. [bug] It was possible for re-signing to stop after removing
a DNSKEY. [RT #21384]

2907. [bug] The export version of libdns had undefined references.
[RT #21444]

2906. [bug] Address RFC 5011 implementation issues. [RT #20903]

2905. [port] aix: set use_atomic=yes with native compiler.
[RT #21402]

2904. [bug] When using DLV, sub-zones of the zones in the DLV,
could be incorrectly marked as insecure instead of
secure leading to negative proofs failing. This was
an unintended outcome from change 2890. [RT# 21392]

2903. [bug] managed-keys-directory missing from namedconf.c.
[RT #21370]

2902. [func] Add regression test for change 2897. [RT #21040]

2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]

2900. [bug] The placeholder negative caching element was not
properly constructed triggering an INSIST in
dns_ncache_towire(). [RT #21346]

2899. [port] win32: Support linking against OpenSSL 1.0.0.

2898. [bug] nslookup leaked memory when -domain=value was
specified. [RT #21301]

2897. [bug] NSEC3 chains could be left behind when transitioning
to insecure. [RT #21040]

2896. [bug] "rndc sign" failed to properly update the zone
when adding a DNSKEY for publication only. [RT #21045]

2895. [func] genrandom: add support for the generation of multiple
files. [RT #20917]

2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]

2893. [bug] Improve managed keys support. New named.conf option
managed-keys-directory. [RT #20924]

2892. [bug] Handle REVOKED keys better. [RT #20961]

2891. [maint] Update empty-zones list to match
draft-ietf-dnsop-default-local-zones-13. [RT# 21099]

2890. [bug] Handle the introduction of new trusted-keys and
DS, DLV RRsets better. [RT #21097]

2889. [bug] Elements of the grammar were not properly reported.
[RT #21046]

2888. [bug] Only the first EDNS option was displayed. [RT #21273]

2887. [bug] Report the keytag times in UTC in the .key file,
local time is presented as a comment within the
comment. [RT #21223]

2886. [bug] ctime() is not thread safe. [RT #21223]

2885. [bug] Improve -fno-strict-aliasing support probing in
configure. [RT #21080]

2884. [bug] Insufficient validation in dns_name_getlabelsequence().
[RT #21283]

2883. [bug] 'dig +short' failed to handle really large datasets.
[RT #21113]

2882. [bug] Remove memory context from list of active contexts
before clearing 'magic'. [RT #21274]

2881. [bug] Reduce the amount of time the rbtdb write lock
is held when closing a version. [RT #21198]

2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
consistent. [RT #21078]

2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
[RT #21106]

2878. [func] Incrementally write the master file after performing
an AXFR. [RT #21010]

2877. [bug] The validator failed to skip obviously mismatching
RRSIGs. [RT #21138]

2876. [bug] Named could return SERVFAIL for negative responses
from unsigned zones. [RT #21131]

2875. [bug] dns_time64_fromtext() could accept non digits.
[RT #21033]

2874. [bug] Cache lack of EDNS support only after the server
successfully responds to the query using plain DNS.
[RT #20930]

2873. [bug] Cancelling a dynamic update via the dns/client module
could trigger an assertion failure. [RT #21133]

2872. [bug] Modify dns/client.c:dns_client_createx() to only
require one of IPv4 or IPv6 rather than both.
[RT #21122]

2871. [bug] Type mismatch in mem_api.c between the definition and
the header file, causing build failure with
--enable-exportlib. [RT #21138]

2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.

2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
[RT #20877]

2868. [cleanup] Run "make clean" at the end of configure to ensure
any changes made by configure are integrated.
Use --with-make-clean=no to disable. [RT #20994]

2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
don't like it. [RT #20986]

2866. [bug] Windows does not like the TSIG name being compressed.
[RT #20986]

2865. [bug] memset to zero event.data. [RT #20986]

2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
[RT #21050]

2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
[RT #21056]

2862. [bug] nsupdate didn't default to the parent zone when
updating DS records. [RT #20896]

2861. [doc] dnssec-settime man pages didn't correctly document the
inactivation time. [RT #21039]

2860. [bug] named-checkconf's usage was out of date. [RT #21039]

2859. [bug] When cancelling validation it was possible to leak
memory. [RT #20800]

2858. [bug] RTT estimates were not being adjusted on ICMP errors.
[RT #20772]

2857. [bug] named-checkconf did not fail on a bad trusted key.
[RT #20705]

2856. [bug] The size of a memory allocation was not always properly
recorded. [RT #20927]

2855. [func] nsupdate will now preserve the entered case of domain
names in update requests it sends. [RT #20928]

2854. [func] dig: allow the final soa record in an axfr response to
be suppressed, dig +onesoa. [RT #20929]

2853. [bug] add_sigs() could run out of scratch space. [RT #21015]

2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]

2851. [doc] nslookup.1, removed <informalexample> from the docbook
source as it produced bad nroff. [RT #21007]

2850. [bug] If isc_heap_insert() failed due to memory shortage
the heap would have corrupted entries. [RT #20951]

2849. [bug] Don't treat errors from the xml2 library as fatal.
[RT #20945]

2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
README.rfc5011 into the ARM. [RT #20899]

2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]

2846. [bug] EOF on unix domain sockets was not being handled
correctly. [RT #20731]

2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]

2844. [doc] notify-delay default in ARM was wrong. It should have
been five (5) seconds.

2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
creating key files if there is a chance that the new
key ID will collide with an existing one after
either of the keys has been revoked. (To override
this in the case of dnssec-keyfromlabel, use the -y
option. dnssec-keygen will simply create a
different, non-colliding key, so an override is
not necessary.) [RT #20838]

2842. [func] Added "smartsign" and improved "autosign" and
"dnssec" regression tests. [RT #20865]

2841. [bug] Change 2836 was not complete. [RT #20883]

2840. [bug] Temporary fixed pkcs11-destroy usage check.
[RT #20760]

2839. [bug] A KSK revoked by named could not be deleted.
[RT #20881]

2838. [placeholder]

2837. [port] Prevent Linux spurious warnings about fwrite().
[RT #20812]

2836. [bug] Keys that were scheduled to become active could
be delayed. [RT #20874]

2835. [bug] Key inactivity dates were inadvertently stored in
the private key file with the outdated tag
"Unpublish" rather than "Inactive". This has been
fixed; however, any existing keys that had Inactive
dates set will now need to have them reset, using
'dnssec-settime -I'. [RT #20868]

2834. [bug] HMAC-SHA* keys that were longer than the algorithm
digest length were used incorrectly, leading to
interoperability problems with other DNS
implementations. This has been corrected.
(Note: If an oversize key is in use, and
compatibility is needed with an older release of
BIND, the new tool "isc-hmac-fixup" can convert
the key secret to a form that will work with all
versions.) [RT #20751]

2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
[RT #20851]

2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
to avoid redefinition in some OSs [RT 20831]

2831. [security] Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]

2830. [bug] Changing the OPTOUT setting could take multiple
passes. [RT #20813]

2829. [bug] Fixed potential node inconsistency in rbtdb.c.
[RT #20808]

2828. [security] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]

2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
being released. [RT #20740]

2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
was in the process of being created was not properly
recorded in the zone. [RT #20786]

2824. [bug] "rndc sign" was not being run by the correct task.
[RT #20759]

2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2822. [bug] rbtdb.c:loadnode() could return the wrong result.
[RT #20802]

2821. [doc] Add note that named-checkconf doesn't automatically
read rndc.key and bind.keys [RT #20758]

2820. [func] Handle read access failure of OpenSSL configuration
file more user friendly (PKCS#11 engine patch).
[RT #20668]

2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
[RT #20771]

2818. [cleanup] rndc could return an incorrect error code
when a zone was not found. [RT #20767]

2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
[RT #20768]

2816. [bug] previous_closest_nsec() could fail to return
data for NSEC3 nodes [RT #29730]

2815. [bug] Exclusively lock the task when freezing a zone.
[RT #19838]

2814. [func] Provide a definitive error message when a master
zone is not loaded. [RT #20757]

2813. [bug] Better handling of unreadable DNSSEC key files.
[RT #20710]

2812. [bug] Make sure updates can't result in a zone with
NSEC-only keys and NSEC3 records. [RT 20748]

2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
output. [RT #20733]

2810. [doc] Clarified the process of transitioning an NSEC3 zone
to insecure. [RT #20746]

2809. [cleanup] Restored accidentally-deleted text in usage output
in dnssec-settime and dnssec-revoke [RT #20739]

2808. [bug] Remove the attempt to install atomic.h from lib/isc.
atomic.h is correctly installed by the architecture
specific subdirectories. [RT #20722]

2807. [bug] Fixed a possible ASSERT when reconfiguring zone
keys. [RT #20720]


☆ BIND 9.6.3b1
https://www.isc.org/software/bind
ftp://ftp.isc.org/isc/bind9/9.6.3b1/bind-9.6.3b1.tar.gz

--- 9.6.3b1 released ---

2982. [bug] Reference count dst keys. dst_key_attach() can be used
to increment the reference count.

Note: dns_tsigkey_createfromkey() callers should now
always call dst_key_free() rather than setting it
to NULL on success. [RT #22672]

2979. [bug] named could deadlock during shutdown if two
"rndc stop" commands were issued at the same
time. [RT #22108]

2978. [port] hpux: look for <devpoll.h> [RT #21919]

2976. [bug] named could die on exit after negotiating a GSS-TSIG
key. [RT #22573]

2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() acquired the
wrong lock which could lead to server deadlock.
[RT #22614]

2972. [bug] win32: address windows socket errors. [RT #21906]

2971. [bug] Fixed a bug that caused journal files not to be
compacted on Windows systems as a result of
non-POSIX-compliant rename() semantics. [RT #22434]

2970. [security] Adding a NO DATA negative cache entry failed to clear
any matching RRSIG records. A subsequent lookup of
the NO DATA cache entry could trigger an INSIST when the
unexpected RRSIG was also returned with the NO DATA
cache entry.

CVE-2010-3613, VU#706148. [RT #22288]

2969. [security] Fix acl type processing so that allow-query works
in options and view statements. Also add a new
set of tests to verify proper functioning.

CVE-2010-3615, VU#510208. [RT #22418]

2968. [security] Named could fail to prove a data set was insecure
before marking it as insecure. One set of conditions
that can trigger this occurs naturally when rolling
DNSKEY algorithms.

CVE-2010-3614, VU#837744. [RT #22309]

2967. [bug] 'host -D' now turns on debugging messages earlier.
[RT #22361]

2966. [bug] isc_print_vsnprintf() failed to check if there was
space available in the buffer when adding a left
justified character with a non zero width,
(e.g. "%-1c"). [RT #22270]

2965. [func] Test HMAC functions using test data from RFC 2104 and
RFC 4634. [RT #21702]

2964. [bug] view->queryacl was being overloaded. Separate the
usage into view->queryacl, view->cacheacl and
view->queryonacl. [RT #22114]

2962. [port] win32: add more dependencies to BINDBuild.dsw.
[RT #22062]

2960. [func] Check that named accepts non-authoritative answers.
[RT #21594]

2959. [func] Check that named starts with a missing masterfile.
[RT #22076]

2957. [bug] entropy_get() and entropy_getpseudo() failed to match
the API for RAND_bytes() and RAND_pseudo_bytes()
respectively. [RT #21962]

2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]

2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
build_sqldbinstance failure. [RT #21623]

2953. [bug] Silence spurious "expected covering NSEC3, got an
exact match" message when returning a wildcard
no data response. [RT #21744]

2952. [port] win32: named-checkzone and named-checkconf failed
to initialise winsock. [RT #21932]

2951. [bug] named failed to generate a correct signed response
in an optout, delegation only zone with no secure
delegations. [RT #22007]

2950. [bug] named failed to perform a SOA up to date check when
falling back to TCP on UDP timeouts when
ixfr-from-differences was set. [RT #21595]

2946. [doc] Document the default values for the minimum and maximum
zone refresh and retry values in the ARM. [RT #21886]

2945. [doc] Update empty-zones list in ARM. [RT #21772]

2944. [maint] Remove ORCHID prefix from built in empty zones.
[RT #21772]

2942. [contrib] zone2sqlite failed to setup the entropy sources.
[RT #21610]

2941. [bug] sdb and sdlz (dlz's zone database) failed to support
DNAME at the zone apex. [RT #21610]

2939. [func] Check that named successfully skips NSEC3 records
that fail to match the NSEC3PARAM record currently
in use. [RT# 21868]

2937. [bug] Worked around an apparent race condition in over
memory conditions. Without this fix a DNS cache DB or
ADB could incorrectly stay in an over memory state,
effectively refusing further caching, which
subsequently made a BIND 9 caching server unworkable.
This fix prevents this problem from happening by
polling the state of the memory context, rather than
making a copy of the state, which appeared to cause
a race. This is a "workaround" in that it doesn't
solve the possible race per se, but several experiments
proved this change solves the symptom. Also, the
polling overhead hasn't been reported to be an issue.
This bug should only affect a caching server that
specifies a finite max-cache-size. It's also quite
likely that the bug happens only when enabling threads,
but it's not confirmed yet. [RT #21818]

2935. [bug] nsupdate: improve 'file not found' error message.
[RT #21871]

2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
[RT #21871]

2933. [bug] 'dig +nsid' used stack memory after it went out of
scope. This could potentially result in an unknown,
potentially malformed, EDNS option being sent instead
of the desired NSID option. [RT #21781]

2932. [cleanup] Corrected a numbering error in the "dnssec" test.
[RT #21597]

2931. [bug] Temporarily and partially disable change 2864
because it would cause infinite attempts of RRSIG
queries. This is an urgent care fix; we'll
revisit the issue and complete the fix later.
[RT #21710]

2929. [bug] Improved handling of GSS security contexts:
- added LRU expiration for generated TSIGs
- added the ability to use a non-default realm
- added new "realm" keyword in nsupdate
- limited lifetime of generated keys to 1 hour
or the lifetime of the context (whichever is
smaller)
[RT #19737]

2925. [bug] Named failed to accept uncachable negative responses
from insecure zones. [RT# 21555]

2923. [bug] 'dig +trace' could drop core after "connection
timeout". [RT #21514]

2922. [contrib] Update zkt to version 1.0.

2921. [bug] The resolver could attempt to destroy a fetch context
too soon. [RT #19878]

2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.

2916. [func] Add framework to use IPv6 in tests.
fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7

2915. [cleanup] Be smarter about which objects we attempt to compile
based on configure options. [RT #21444]

2912. [func] Windows clients don't like UPDATE responses that clear
the zone section. [RT #20986]

2911. [bug] dnssec-signzone didn't handle out of zone records well.
[RT #21367]

2910. [func] Sanity check Kerberos credentials. [RT #20986]

2908. [bug] It was possible for re-signing to stop after removing
a DNSKEY. [RT #21384]

2905. [port] aix: set use_atomic=yes with native compiler.
[RT #21402]

2904. [bug] When using DLV, sub-zones of the zones in the DLV,
could be incorrectly marked as insecure instead of
secure leading to negative proofs failing. This was
an unintended outcome from change 2890. [RT# 21392]

2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]

2900. [bug] The placeholder negative caching element was not
properly constructed triggering an INSIST in
dns_ncache_towire(). [RT #21346]

2899. [port] win32: Support linking against OpenSSL 1.0.0.

2898. [bug] nslookup leaked memory when -domain=value was
specified. [RT #21301]

2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]

2891. [maint] Update empty-zones list to match
draft-ietf-dnsop-default-local-zones-13. [RT# 21099]

2890. [bug] Handle the introduction of new trusted-keys and
DS, DLV RRsets better. [RT #21097]

2889. [bug] Elements of the grammar were not properly reported.
[RT #21046]

2888. [bug] Only the first EDNS option was displayed. [RT #21273]

2885. [bug] Improve -fno-strict-aliasing support probing in
configure. [RT #21080]

2884. [bug] Insufficient validation in dns_name_getlabelsequence().
[RT #21283]

2883. [bug] 'dig +short' failed to handle really large datasets.
[RT #21113]

2882. [bug] Remove memory context from list of active contexts
before clearing 'magic'. [RT #21274]

2881. [bug] Reduce the amount of time the rbtdb write lock
is held when closing a version. [RT #21198]

2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
[RT #21106]

2877. [bug] The validator failed to skip obviously mismatching
RRSIGs. [RT #21138]

2876. [bug] Named could return SERVFAIL for negative responses
from unsigned zones. [RT #21131]

2875. [bug] dns_time64_fromtext() could accept non digits.
[RT #21033]

2874. [bug] Cache lack of EDNS support only after the server
successfully responds to the query using plain DNS.
[RT #20930]

2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.

2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
[RT #20877]

2868. [cleanup] Run "make clean" at the end of configure to ensure
any changes made by configure are integrated.
Use --with-make-clean=no to disable. [RT #20994]

2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
don't like it. [RT #20986]

2866. [bug] Windows does not like the TSIG name being compressed.
[RT #20986]

2865. [bug] memset to zero event.data. [RT #20986]

2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
[RT #21050]

2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
[RT #21056]

2862. [bug] nsupdate didn't default to the parent zone when
updating DS records. [RT #20896]

2859. [bug] When cancelling validation it was possible to leak
memory. [RT #20800]

2858. [bug] RTT estimates were not being adjusted on ICMP errors.
[RT #20772]

2857. [bug] named-checkconf did not fail on a bad trusted key.
[RT #20705]

2856. [bug] The size of a memory allocation was not always properly
recorded. [RT #20927]

2853. [bug] add_sigs() could run out of scratch space. [RT #21015]

2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]

2851. [doc] nslookup.1, removed <informalexample> from the docbook
source as it produced bad nroff. [RT #21007]

----
こがよういちろう


Posted by xml-rpc: December 17, 2010 13:46