- --- 9.7.1-P2 released ---
-
-2931. [security] Temporarily and partially disable change 2864
+ --- 9.7.2rc1 released ---
+
+2943. [func] Add support to load new keys into managed zones
+ without signing immediately with "rndc loadkeys".
+ Add support to link keys with "dnssec-keygen -S"
+ and "dnssec-settime -S". [RT #21351]
+
+2942. [contrib] zone2sqlite failed to setup the entropy sources.
+ [RT #21610]
+
+2941. [bug] sdb and sdlz (dlz's zone database) failed to support
+ DNAME at the zone apex. [RT #21610]
+
+2940. [port] Remove connection aborted error message on
+ Windows. [RT #21549]
+
+2939. [func] Check that named successfully skips NSEC3 records
+ that fail to match the NSEC3PARAM record currently
+ in use. [RT# 21868]
+
+2938. [bug] When generating signed responses, from a signed zone
+ that uses NSEC3, named would use a uninitialised
+ pointer if it needed to skip a NSEC3 record because
+ it didn't match the selected NSEC3PARAM record for
+ zone. [RT# 21868]
+
+2937. [bug] Worked around an apparent race condition in over
+ memory conditions. Without this fix a DNS cache DB or
+ ADB could incorrectly stay in an over memory state,
+ effectively refusing further caching, which
+ subsequently made a BIND 9 caching server unworkable.
+ This fix prevents this problem from happening by
+ polling the state of the memory context, rather than
+ making a copy of the state, which appeared to cause
+ a race. This is a "workaround" in that it doesn't
+ solve the possible race per se, but several experiments
+ proved this change solves the symptom. Also, the
+ polling overhead hasn't been reported to be an issue.
+ This bug should only affect a caching server that
+ specifies a finite max-cache-size. It's also quite
+ likely that the bug happens only when enabling threads,
+ but it's not confirmed yet. [RT #21818]
+
+2936. [func] Improved configuration syntax and multiple-view
+ support for addzone/delzone feature (see change
+ #2930). Removed "new-zone-file" option, replaced
+ with "allow-new-zones (yes|no)". The new-zone-file
+ for each view is now created automatically, with
+ a filename generated from a hash of the view name.
+ It is no longer necessary to "include" the
+ new-zone-file in named.conf; this happens
+ automatically. Zones that were not added via
+ "rndc addzone" can no longer be removed with
+ "rndc delzone". [RT #19447]
+
+2935. [bug] nsupdate: improve 'file not found' error message.
+ [RT #21871]
+
+2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c.
+ [RT #21871]
+
+2933. [bug] 'dig +nsid' used stack memory after it went out of
+ scope. This could potentially result in a unknown,
+ potentially malformed, EDNS option being sent instead
+ of the desired NSID option. [RT #21781]
+
+2932. [cleanup] Corrected a numbering error in the "dnssec" test.
+ [RT #21597]
+
+ --- 9.7.2b1 released ---
+
+2931. [bug] Temporarily and partially disable change 2864
because it would cause inifinite attempts of RRSIG
queries. This is an urgent care fix; we'll
revisit the issue and complete the fix later.
[RT #21710]
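Review bot: entry 2931 keeps its number but its tag changes from [security] to [bug], and the "9.7.1-P2 released" marker above it is dropped, so this file no longer records that the fix for the repeated RRSIG queries went out as a security release. Suggest keeping the [security] tag on 2931, or stating in the entry that it shipped in 9.7.1-P2. Entry 2938 describes named using an uninitialised pointer while generating signed responses and is also tagged [bug]; that classification is worth confirming. Separately, 2941 and 2942 both cite RT #21610, and 2934 and 2935 both cite RT #21871, which looks like a copied ticket number in one entry of each pair.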
- --- 9.7.1-P1 released ---
-
-2926. [rollback] Temporarially rollback change 2748. [RT #21594]
+2930. [experimental] New "rndc addzone" and "rndc delzone" commads
+ allow dynamic addition and deletion of zones.
+ To enable this feature, specify a "new-zone-file"
+ option at the view or options level in named.conf.
+ Zone configuration information for the new zones
+ will be written into that file. To make the new
+ zones persist after a restart, "include" the file
+ into named.conf in the appropriate view. (Note:
+ This feature is not yet documented, and its syntax
+ is expected to change.) [RT #19447]
+
+2929. [bug] Improved handling of GSS security contexts:
+ - added LRU expiration for generated TSIGs
+ - added the ability to use a non-default realm
+ - added new "realm" keyword in nsupdate
+ - limited lifetime of generated keys to 1 hour
+ or the lifetime of the context (whichever is
+ smaller)
+ [RT #19737]
2925. [bug] Named failed to accept uncachable negative responses
from insecure zones. [RT# 21555]
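Review bot: the removed lines drop entry 2926 (the [rollback] of change 2748) together with the "9.7.1-P1 released" marker, and none of the added entries says whether change 2748 is back in effect on this branch. If it is, an entry saying so would help; if it is not, 2926 should stay. In 2930, "commads" should be "commands", and since 2936 in this same patch removes "new-zone-file", a pointer from 2930 to 2936 would keep readers from following the superseded instructions.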
+2924. [func] 'rndc secroots' dump a combined summary of the
+ current managed keys combined with trusted keys.
+ [RT #20904]
+
+2923. [bug] 'dig +trace' could drop core after "connection
+ timeout". [RT #21514]
+
+2922. [contrib] Update zkt to version 1.0.
+
+2921. [bug] The resolver could attempt to destroy a fetch context
+ too soon. [RT #19878]
+
+2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
+ to IPv4 clients. New acl 'filter-aaaa' (default any).
+
+2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
+ [RT #20840]
+
+2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.
+
+2917. [func] Virtual time test framework. [RT #20801]
+
+2916. [func] Add framework to use IPv6 in tests.
+ fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
+
+2915. [cleanup] Be smarter about which objects we attempt to compile
+ based on configure options. [RT #21444]
+
+2914. [bug] Make the "autosign" system test more portable.
+ [RT #20997]
+
+2913. [func] Add pkcs#11 system tests. [RT #20784]
+
+2912. [func] Windows clients don't like UPDATE responses that clear
+ the zone section. [RT #20986]
+
+2911. [bug] dnssec-signzone didn't handle out of zone records well.
+ [RT #21367]
+
+2910. [func] Sanity check Kerberos credentials. [RT #20986]
+
--- 9.7.1 released ---
--- 9.7.1rc1 released ---
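Review bot: entry 2912 is tagged [func] but only states a symptom ("Windows clients don't like UPDATE responses that clear the zone section") and never says what named now does differently; suggest rewording it as the behaviour change. Entry 2924 reads "dump a combined summary of the current managed keys combined with trusted keys"; "dumps a summary of the current managed keys combined with trusted keys" would be clearer. Entries 2916, 2918, 2920 and 2922 carry no RT reference, unlike the entries around them.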