BIND 9.3.3b1 is now available.

BIND 9.3.3b1 is a beta maintenance release for BIND 9.3.

BIND 9.3.3b1 can be downloaded from

The PGP signature of the distribution is at

The signature was generated with the ISC public key, which is
available at .

A binary kit for Windows NT 4.0 and Windows 2000 is at

The PGP signature of the binary kit for Windows NT 4.0 and Windows 2000 is at

A list of changes made since 9.3.0 follows. For earlier changes,
see the file CHANGES in the distribution.


--- 9.3.3b1 released ---

2031. [bug] Emit a error message when "rndc refresh" is called on
a non slave/stub zone. [RT # 16073]

2030. [bug] We were being overly conservative when disabling
openssl engine support. [RT #16030]

2029. [bug] host printed out the server multiple times when
specified on the command line. [RT #15992]

2028. [port] linux: socket.c compatability for old systems.
[RT #16015]

2027. [port] libbind: Solaris x86 support. [RT #16020]

2026. [bug] Rate limit the two recursive client exceeded messages.
[RT #16044]

2024. [bug] named emited spurious "zone serial unchanged"
messages on reload. [RT #16027]

2023. [bug] "make install" should create ${localstatedir}/run and
${sysconfdir} if they do not exist. [RT #16033]

2016. [bug] Return a partial answer if recursion is not
allowed but requested and we had the answer
to the original qname. [RT #15945]

2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
responses more gracefully. [RT #15941]

2009. [bug] libbind: coverity fixes. [RT #15808]

2005. [bug] libbind: Retransmission timeouts should be
based on which attempt it is to the nameserver
and not the nameserver itself. [RT #13548]

2004. [bug] dns_tsig_sign() could pass a NULL pointer to
dst_context_destroy() when cleaning up after a
error. [RT #15835]

2003. [bug] libbind: The DNS name/address lookup functions could
occasionally follow a random pointer due to
structures not being completely zeroed. [RT #15806]

2002. [bug] libbind: tighten the constraints on when
struct addrinfo._ai_pad exists. [RT #15783]

2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]

1998. [bug] Restrict handling of fifos as sockets to just SunOS.
This allows named to connect to entropy gathering
daemons that use fifos instead of sockets. [RT #15840]

1997. [bug] Named was failing to replace negative cache entries
when a positive one for the type was learnt.
[RT #15818]

1995. [bug] 'host' was reporting multiple "is an alias" messages.
[RT #15702]

1994. [port] OpenSSL 0.9.8 support. [RT #15694]

1993. [bug] Log messsage, via syslog, were missing the space
after the timestamp if "print-time yes" was specified.
[RT #15844]

1991. [cleanup] The configuration data, once read, should be treated
as readonly. Expand the use of const to enforce this
at compile time. [RT #15813]

1990. [bug] libbind: isc's override of broken gettimeofday()
implementions was not always effective.
[RT #15709]

1989. [bug] win32: don't check the service password when
re-installing. [RT #15882]

1985. [protocol] DLV has now been assigned a official type code of
32769. [RT #15807]

Note: care should be taken to ensure you upgrade
both named and dnssec-signzone at the same time for
zones with DLV records where named is the master
server for the zone. Also any zones that contain
DLV records should be removed when upgrading a slave
zone. You do not however have to upgrade all
servers for a zone with DLV records simultaniously.

1982. [bug] DNSKEY was being accepted on the parent side of
a delegation. KEY is still accepted there for
RFC 3007 validated updates. [RT #15620]

1981. [bug] win32: condition.c:wait() could fail to reattain
the mutex lock.

1979. [port] linux: allow named to drop core after changing
user ids. [RT #15753]

1978. [port] Handle systems which have a broken recvmsg().
[RT #15742]

1977. [bug] Silence noisy log message. [RT #15704]

1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]

1975. [bug] libbind: isc_gethexstring() could misparse multi-line
hex strings with comments. [RT #15814]

1974. [doc] List each of the zone types and associated zone
options seperately in the ARM.

1972. [contrib] DBUS dynamic forwarders integation from
Jason Vas Dias .

1971. [port] linux: make detection of missing IF_NAMESIZE more
robust. [RT #15443]

1970. [bug] nsupdate: adjust UDP timeout when falling back to
unsigned SOA query. [RT #15775]

1969. [bug] win32: the socket code was freeing the socket
structure too early. [RT #15776]

1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]

1966. [bug] Don't set CD when we have fallen back to plain DNS.
[RT #15727]

1963. [port] Tru64 4.0E doesn't support send() and recv().
[RT #15586]

1962. [bug] Named failed to clear old update-policy when it
was removed. [RT #15491]

1961. [bug] Check the port and address of responses forwarded
to dispatch. [RT #15474]

1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
[RT #15465]

1958. [bug] Named failed to update the zone's secure state
until the zone was reloaded. [RT #15412]

1957. [bug] Dig mishandled responses to class ANY queries.
[RT #15402]

1956. [bug] Improve cross compile support, 'gen' is now built
by native compiler. See README for additional
cross compile support information. [RT #15148]

1955. [bug] Pre-allocate the cache cleaning interator. [RT #14998]

1952. [port] hpux: tell the linker to build a runtime link
path "-Wl,+b:". [RT #14816].

1951. [security] Drop queries from particular well known ports.
Don't return FORMERR to queries from particular
well known ports. [RT #15636]

1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
a TCP socket. This prevents the source address being
set for TCP connections. [RT #15628]

1948. [bug] If was possible to trigger a REQUIRE failure in
xfrin.c:maybe_free() if named ran out of memory.
[RT #15568]

1946. [bug] resume_dslookup() could trigger a REQUIRE failure
when using forwarders. [RT #15549]

1944. [cleanup] isc_hash_create() does not need a read/write lock.
[RT #15522]

1943. [bug] Set the loadtime after rolling forward the journal.
[RT #15647]

1942. [bug] If the name of a DNSKEY match that of one in
trusted-keys do not attempt to validate the DNSKEY
using the parents DS RRset. [RT #15649]

1941. [bug] ncache_adderesult() should set eresult even if no
rdataset is passed to it. [RT #15642]

1940. [bug] Fixed a number of error conditions reported by

1939. [bug] The resolver could dereference a null pointer after
validation if all the queries have timed out.
[RT #15528]

1938. [bug] The validator was not correctly handling unsecure
negative responses at or below a SEP. [RT #15528]

1919. [contrib] queryperf: a set of new features: collecting/printing
response delays, printing intermediate results, and
adjusting query rate for the "target" qps.

--- 9.3.2 released ---

--- 9.3.2rc1 released ---

1936. [bug] The validator could leak memory. [RT #15544]

1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]

--- 9.3.2b2 released ---

1930. [port] HPUX: ia64 support. [RT #15473]

1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.

1926. [bug] The Windows installer did not check for empty
passwords. BINDinstall was being installed in
the wrong place. [RT #15483]

1925. [port] All outer level AC_TRY_RUNs need cross compiling
defaults. [RT #15469]

1924. [port] libbind: hpux ia64 support. [RT #15473]

1923. [bug] ns_client_detach() called too early. [RT #15499]

--- 9.3.2b1 released ---

1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
when generating man pages. [RT #15385]

1915. [bug] dig +ndots was broken. [RT #15215]

1914. [protocol] DS is required to accept mnemonic algorithms
(RFC 4034). Still emit numeric algorithms for
compatability with RFC 3658. [RT #15354]

1911. [bug] Update windows socket code. [RT #14965]

1910. [bug] dig's +sigchase code overhauled. [RT #14933]

1909. [bug] The DLV code has been re-worked to make no longer
query order sensitive. [RT #14933]

1905. [bug] Strings returned from cfg_obj_asstring() should be
treated as read-only. [RT #15256]

1901. [cleanup] Don't add DNSKEY records to the additional section.

1900. [bug] ixfr-from-differences failed to ensure that the
serial number increased. [RT #15036]

1896. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
ISC_NETADDR_FORMATSIZE to allow for scope details.

1894. [bug] Recursive clients soft quota support wasn't working
as expected. [RT #15103]

1893. [bug] A escaped character is, potentially, converted to
the output character set too early. [RT #14666]

1892. [port] Use uintptr_t if available. [RT #14606]

1889. [port] sunos: non blocking i/o support. [RT #14951]

1887. [bug] The cache could delete expired records too fast for
clients with a virtual time in the past. [RT #14991]

1886. [bug] fctx_create() could return success even though it
failed. [RT #14993]

1884. [cleanup] dighost.c: move external declarations into .

1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
levels. [RT #14962]

1881. [func] Add a system test for named-checkconf. [RT #14931]

1877. [bug] Fix unreasonably low quantum on call to
dns_rbt_destroy2(). Remove unnecessay unhash_node()
call. [RT #14919]

1875. [bug] process_dhtkey() was using the wrong memory context
to free some memory. [RT #14890]

1874. [port] sunos: portability fixes. [RT #14814]

1873. [port] win32: isc__errno2result() now reports its caller.
[RT #13753]

1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]

1867. [bug] It was possible to trigger a INSIST in
dlv_validatezonekey(). [RT #14846]

1866. [bug] resolv.conf parse errors were being ignored by
dig/host/nslookup. [RT #14841]

1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
bad addresses. [RT #14841]

1864. [bug] Don't try the alternative transfer source if you
got a answer / transfer with the main source
address. [RT #14802]

1863. [bug] rrset-order "fixed" error messages not complete.

1861. [bug] dig could trigger a INSIST on certain malformed
responses. [RT #14801]

1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
incorrectly set. [RT #14775]

1858. [bug] The flush-zones-on-shutdown option wasn't being
parsed. [RT #14686]

1857. [bug] named could trigger a INSIST() if reconfigured /
reloaded too fast. [RT #14673]

1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
[RT #11398]

1855. [bug] ixfr-from-differences was failing to detect changes
of ttl due to dns_diff_subtract() was ignoring the ttl
of records. [RT #14616]

1854. [bug] lwres also needs to know the print format for
(long long). [RT #13754]

1853. [bug] Rework how DLV interacts with proveunsecure().
[RT #13605]

1852. [cleanup] Remove last vestiges of dnssec-signkey and
dnssec-makekeyset (removed from Makefile years ago).

1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]

1849. [doc] All forms of the man pages (docbook, man, html) should
have consistant copyright dates.

1848. [bug] Improve SMF integration. [RT #13238]

1847. [bug] isc_ondestroy_init() is called too late in
[RT #13661]

1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer

1845. [bug] Improve error reporting to distingish between
accept()/fcntl() and socket()/fcntl() errors.
[RT #13745]

1844. [bug] inet_pton() accepted more that 4 hexadecimal digits
for each 16 bit piece of the IPv6 address. The text
representation of a IPv6 address has been tighted
to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
[RT #5662]

1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
when CFLAGS contains "-I /usr/local/include"
resulting in old header files being used.

1842. [port] cmsg_len() could produce incorrect results on
some platform. [RT #13744]

1841. [bug] "dig +nssearch" now makes a recursive query to
find the list of nameservers to query. [RT #13694]

1839. [bug] was not being installed.

1838. [cleanup] Don't allow Linux capabilities to be inherited.
[RT #13707]

1837. [bug] Compile time option ISC_FACILITY was not effective
for 'named -u '. [RT #13714]

1836. [cleanup] Silence compiler warnings in hash_test.c.

1835. [bug] Update dnssec-signzone's usage message. [RT #13657]

1834. [bug] Bad memset in rdata_test.c. [RT #13658]

1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]

1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
[RT #13620]

1831. [doc] Update named-checkzone documentation. [RT#13604]

1830. [bug] adb lame cache has sence of test reversed. [RT #13600]

1829. [bug] win32: "pid-file none;" broken. [RT #13563]

1828. [bug] isc_rwlock_init() failed to properly cleanup if it
encountered a error. [RT #13549]

1827. [bug] host: update usage message for '-a'. [RT #37116]

1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
of memory error. [RT #13537]

1825. [bug] Missing UNLOCK() on out of memory error from in
rbtdb.c:subtractrdataset(). [RT #13519]

1824. [bug] Memory leak on dns_zone_setdbtype() failure.
[RT #13510]

1823. [bug] Wrong macro used to check for point to point interface.

1822. [bug] check-names test for RT was reversed. [RT #13382]

1821. [doc] acls definitions are no longer required to be
in named.conf prior to reference. They can be
defined after being referenced.

1820. [bug] Gracefully handle acl loops. [RT #13659]

1819. [bug] The validator needed to check both the algorithm and
digest types of the DS to determine if it could be
used to introduce a secure zone. [RT #13593]

1816. [port] UnixWare: failed to compile lib/isc/unix/net.c.
[RT #13597]

1815. [bug] nsupdate triggered a REQUIRE if the server was set
without also setting the zone and it encountered
a CNAME and was using TSIG. [RT #13086]

1810. [bug] configure, lib/bind/configure make different default
decisions about whether to do a threaded build.
[RT #13212]

1809. [bug] "make distclean" failed for libbind if the platform
is not supported.

1807. [bug] When forwarding (forward only) set the active domain
from the forward zone name. [RT #13526]

1804. [bug] Ensure that if we are queried for glue that it fits
in the additional section or TC is set to tell the
client to retry using TCP. [RT #10114]

1803. [bug] dnssec-signzone sometimes failed to remove old
RRSIGs. [RT #13483]

1802. [bug] Handle connection resets better. [RT #11280]

1799. [bug] 'rndc flushname' failed to flush negative cache
entries. [RT #13438]

1795. [bug] "rndc dumpdb" was not fully documented. Minor
formating issues with "rndc dumpdb -all". [RT #13396]

1791. [bug] 'host -t a' still printed out AAAA and MX records.
[RT #13230]

--- 9.3.1 released ---

1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]

--- 9.3.1rc1 released ---

1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
[RT #13453]

1808. [bug] zone.c:notify_zone() contained a race condition,
zone->db could change underneath it. [RT #13511]

1806. [bug] The resolver returned the wrong result when a CNAME /
DNAME was encountered when fetching glue from a
secure namespace. [RT #13501]

1805. [bug] Pending status was not being cleared when DLV was
active. [RT #13501]

--- 9.3.1beta2 released ---

1800. [bug] Changes #1719 allowed a INSIST to be triggered.
[RT #13428]

--- 9.3.1beta1 released ---

1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
allow parallel make to succeed.

1789. [bug] Prerequisite test for tkey and dnssec could fail
with "configure --with-libtool".

1788. [bug] needs to link against

1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.

1786. [port] AIX: libt_api needs to be taught to look for
T_testlist in the main executable (--with-libtool).
[RT #13239]

1785. [bug] needs to link against

1784. [cleanup] "libtool -allow-undefined" is the default.
Leave hooks in configure to allow it to be set
if needed in the future.

1783. [cleanup] We only need one copy of libtool.m4, in the
source tree.

1782. [port] OSX: --with-libtool + --enable-libbind broke on
__evOptMonoTime. [RT #13219]

1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]

1780. [bug] Update libtool to 1.5.10.

1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.

1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and

1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and

1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and

1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]

1774. [port] Aix: Silence compiler warnings / build failures.
[RT #13154]

1773. [bug] Fast retry on host / net unreachable. [RT #13153]

1770. [bug] named-checkconf failed to report missing a missing
file clause for rbt{64} master/hint zones. [RT#13009]

1769. [port] win32: change compiler flags /MTd ==> /MDd,
/MT ==> /MD.

1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
rdataset. [RT #12907]

1767. [port] Builds on IPv6 platforms without IPv6 Advanced API
support for (struct in6_pktinfo) failed. [RT #13077]

1766. [bug] Update the master file timestamp on successful refresh
as well as the journal's timestamp. [RT# 13062]

1765. [bug] configure --with-openssl=auto failed. [RT #12937]

1764. [bug] dns_zone_replacedb failed to emit a error message
if there was no SOA record in the replacment db.
[RT #13016]

1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS
even when it failed. [RT #12995]

1761. [bug] 'rndc dumpdb' didn't report unassociated entries.
[RT #12971]

1760. [bug] Host / net unreachable was not penalising rtt
estimates. [RT #12970]

1759. [bug] Named failed to startup if the OS supported IPv6
but had no IPv6 interfaces configured. [RT #12942]

1754. [bug] We wern't always attempting to query the parent
server for the DS records at the zone cut.
[RT #12774]

1753. [bug] Don't serve a slave zone which has no NS records.
[RT #12894]

1752. [port] Move isc_app_start() to after ns_os_daemonise()
as some fork() implementations unblock the signals
that are blocked by isc_app_start(). [RT #12810]

1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]

1750. [port] lib/bind/make/ was not bash friendly.
[RT #12864]

1749. [bug] 'check-names response ignore;' failed to ignore.
[RT #12866]

1747. [bug] BIND 8 compatability: named/named-checkconf failed
to parse "host-statistics-max" in named.conf.

1745. [bug] Dig/host/nslookup accept replies from link locals
regardless of scope if no scope was specified when
query was sent. [RT #12745]

1744. [bug] If tuple2msgname() failed to convert a tuple to
a name a REQUIRE could be triggered. [RT #12796]

1743. [bug] If isc_taskmgr_create() was not able to create the
requested number of worker threads then destruction
of the manager would trigger an INSIST() failure.
[RT #12790]

1742. [bug] Deleting all records at a node then adding a
previously existing record, in a single UPDATE
transaction, failed to leave / regenerate the
associated RRSIG records. [RT #12788]

1741. [bug] Deleting all records at a node in a secure zone
using a update-policy grant failed. [RT #12787]

1740. [bug] Replace rbt's hash algorithm as it performed badly
with certain zones. [RT #12729]

NOTE: a hash context now needs to be established
via isc_hash_create() if the application was not
already doing this.

1739. [bug] dns_rbt_deletetree() could incorrectly return
ISC_R_QUOTA. [RT #12695]

1738. [bug] Enable overrun checking by default. [RT #12695]

1737. [bug] named failed if more than 16 masters were specified.
[RT #12627]

1736. [bug] dst_key_fromnamedfile() could fail to read a
public key. [RT #12687]

1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
[RE #12688]

1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path.
[RT #12588]

1733. [bug] Return non-zero exit status on initial load failure.
[RT #12658]

1732. [bug] 'rrset-order name "*"' wasn't being applied to ".".
[RT #12467]

1731. [port] darwin: relax version test in
[RT #12581]

1730. [port] Determine the length type used by the socket API.
[RT #12581]

1728. [doc] Update check-names documentation.

1727. [bug] named-checkzone: check-names support didn't match

1726. [port] aix5: add support for aix5.

1725. [port] linux: update error message on interaction of threads,
capabilities and setuid support (named -u). [RT #12541]

1724. [bug] Look for DNSKEY records with "dig +sigtrace".
[RT #12557]

1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]

1722. [bug] Don't commit the journal on malformed ixfr streams.
[RT #12519]

1721. [bug] Error message from the journal processing were not
always identifing the relevent journal. [RT #12519]

1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1
negative response. [RT #12506]

1719. [bug] named was not correctly caching a RFC 2308 Type 1
negative response. [RT #12506]

1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
responses when looking for the zone / master server.
[RT #12506]

1717. [port] solaris: did not support Solaris 10.
" down" didn't work for Solaris 9.

1716. [doc] named.conf(5) was being installed in the wrong
location. [RT# 12441]

1714. [bug] dig/host/nslookup were only trying the first
address when a nameserver was specified by name.
[RT #12286]

1713. [port] linux: extend capset failure message to say:
please ensure that the capset kernel module is
loaded. see insmod(8)

1712. [bug] Missing FULLCHECK for "trusted-key" in dig.

--- 9.3.0 released ---