BIND 9.4.0 is now available.

BIND 9.4.0 is a feature release for BIND 9.

BIND 9.4.0 contains security fixes:

2126. [security] Serialise validation of type ANY responses. [RT #16555]

2124. [security] It was possible to dereference a freed fetch
context. [RT #16584]

2089. [security] Raise the minimum safe OpenSSL versions to
OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
prior to these have known security flaws which
are (potentially) exploitable in named. [RT #16391]

2088. [security] Change the default RSA exponent from 3 to 65537.
[RT #16391]

2066. [security] Handle SIG queries gracefully. [RT #16300]

1941. [bug] ncache_adderesult() should set eresult even if no
rdataset is passed to it. [RT #15642]

If you are running a BIND 9.3.x or pre BIND 9.4.0 version without
these changes you are advised to upgrade as soon as possible to
one of BIND 9.3.4 or BIND 9.4.0.

BIND 9.4 has a number of new features over BIND 9.3, including:

Implemented "additional section caching" (or "acache"), an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.

New notify type 'master-only'. Enable notify for master
zones only.

Accept 'notify-source' style syntax for query-source.

rndc now allows addresses to be set in the server clauses.

New option "allow-query-cache". This lets allow-query be
used to specify the default zone access level rather than
having to have every zone override the global value.
allow-query-cache can be set at both the options and view
levels. If allow-query-cache is not set allow-query applies.

rndc: the source address can now be specified.

ixfr-from-differences now takes master and slave in addition
to yes and no at the options and view levels.

Allow the journal's name to be changed via named.conf.

'rndc notify zone [class [view]]' resend the NOTIFY messages
for the specified zone.

'dig +trace' now randomly selects the next servers to try.
Report if there is a bad delegation.

Improve check-names error messages.

Make public the function to read a key file, dst_key_read_public().

dig now returns the byte count for axfr/ixfr.

allow-update is now settable at the options / view level.

named-checkconf now checks the logging configuration.

host now can turn on memory debugging flags with '-m'.

Don't send notify messages to self.

Perform sanity checks on NS records which refer to 'in zone' names.

New zone option "notify-delay". Specify a minimum delay
between sets of NOTIFY messages.

Extend adjusting TTL warning messages.

Named and named-checkzone can now both check for non-terminal
wildcard records.

"rndc freeze/thaw" now freezes/thaws all zones.

named-checkconf now check acls to verify that they only
refer to existing acls.

The server syntax has been extended to support a range of
servers.

Report differences between hints and real NS rrset and
associated address records.

Preserve the case of domain names in rdata during zone
transfers.

Restructured the data locking framework using architecture
dependent atomic operations (when available), improving
response performance on multi-processor machines significantly.
x86, x86_64, alpha, powerpc, and mips are currently supported.

UNIX domain controls are now supported.

Add support for additional zone file formats for improving
loading performance. The masterfile-format option in
named.conf can be used to specify a non-default format. A
separate command named-compilezone was provided to generate
zone files in the new format. Additionally, the -I and -O
options for dnssec-signzone specify the input and output
formats.

dnssec-signzone can now randomize signature end times
(dnssec-signzone -j jitter).

Add support for CH A record.

Add additional zone data consistancy checks. named-checkzone
has extended checking of NS, MX and SRV record and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.

edns-udp-size can now be overridden on a per server basis.

dig can now specify the EDNS version when making a query.

Added framework for handling multiple EDNS versions.

Additional memory debugging support to track size and mctx
arguments.

Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".

Memory management. "USE INTERNAL MALLOC" is now runtime selectable.

The lame cache is now done on a basis
as some servers only appear to be lame for certain query
types.

Limit the number of recursive clients that can be waiting
for a single query () to resolve. New
options clients-per-query and max-clients-per-query.

dig: report the number of extra bytes still left in the
packet after processing all the records.

Support for IPSECKEY rdata type.

Raise the UDP receive buffer size to 32k if it is less than 32k.

x86 and x86_64 now have separate atomic locking implementations.

named-checkconf now validates update-policy entries.

Attempt to make the amount of work performed in a iteration
self tuning. The covers nodes clean from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a
zone or a cache.

ISC string copy API.

Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.

New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.

dig now has a '-q queryname' and '+showsearch' options.

host/nslookup now continue (default)/fail on SERVFAIL.

dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly
set.

Integrate contributed DLZ code into named.

Integrate contributed IDN code from JPNIC.

Validate pending NS RRsets, in the authority section, prior
to returning them if it can be done without requiring DNSKEYs
to be fetched.

It is now possible to configure named to accept expired
RRSIGs. Default "dnssec-accept-expired no;". Setting
"dnssec-accept-expired yes;" leaves named vulnerable to
replay attacks.

Additional memory leakage checks.

The maximum EDNS UDP response named will send can now be
set in named.conf (max-udp-size). This is independent of
the advertised receive buffer (edns-udp-size).

Named now falls back to advertising EDNS with a 512 byte
receive buffer if the initial EDNS queries fail.

Control the zeroing of the negative response TTL to a soa
query. Defaults "zero-no-soa-ttl yes;" and
"zero-no-soa-ttl-cache no;".

Separate out MX and SRV to CNAME checks.

dig/nslookup/host: warn about missing "QR".

TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
HMACSHA512 support.

dnssec-signzone: output the SOA record as the first record
in the signed zone.

Two new update policies. "selfsub" and "selfwild".

dig, nslookup and host now advertise a 4096 byte EDNS UDP
buffer size by default.

Report when a zone is removed.

DS/DLV SHA256 digest algorithm support.

Implement "rrset-order fixed".

Check the KSK flag when updating a secure dynamic zone.
New zone option "update-check-ksk yes;".

It is now possible to explicitly enable DNSSEC validation.
default dnssec-validation no; to be changed to yes in 9.5.0.

It is now possible to enable/disable DNSSEC validation
from rndc. This is useful for the mobile hosts where the
current connection point breaks DNSSEC (firewall/proxy).

rndc validation newstate [view]

dnssec-signzone can now update the SOA record of the signed
zone, either as an increment or as the system time().

Statistics about acache now recorded and sent to log.

libbind: corresponds to that from BIND 8.4.7.

BIND 9.4.0 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.4.0/bind-9.4.0.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.4.0/bind-9.4.0.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.4.0/bi....gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.0/bi....gz.sha512.asc

The signature was generated with the ISC public key, which is
available at .

A binary kit for Windows NT 4.0 is at

ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.nt4.zip
ftp://ftp.isc.org/isc/bind9/9.4.0/BI....nt4.debug.zip

The PGP signature of the binary kit for Windows NT 4.0 is at

ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.nt4.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.0/BI...zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.0/BI...zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.4.0/BI....debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.0/BI...zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.0/BI...zip.sha512.asc

Note: BIND 9.4.0 will be the last binary release for Windows NT 4.0.

A binary kit for Windows 2000, Windows XP and Window 2003 is at

ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.zip
ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.debug.zip

The PGP signature of the binary kit for Windows 2000, Windows XP and
Window 2003 is at

ftp://ftp.isc.org/isc/bind9/9.4.0/BIND9.4.0.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.0/BI...zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.0/BI...zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.4.0/BI....debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.0/BI...zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.0/BI...zip.sha512.asc

Changes since 9.4.0a1.

--- 9.4.0 released ---

2138. [bug] Lock order reversal in resolver.c. [RT #16653]

2137. [port] Mips little endian and/or mips 64 bit are now
supported for atomic operations. [RT#16648]

2136. [bug] nslookup/host looped if there was no search list
and the host didn't exist. [RT #16657]

2135. [bug] Uninitialised rdataset in sdlz.c. [RT# 16656]

2133. [port] powerpc: Support both IBM and MacOS Power PC
assembler syntaxes. [RT #16647]

2132. [bug] Missing unlock on out of memory in
dns_dispatchmgr_setudp().

2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]

2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]

--- 9.4.0rc2 released ---

2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]

2126. [security] Serialise validation of type ANY responses. [RT #16555]

2125. [bug] dns_zone_getzeronosoattl() REQUIRE failure if DLZ
was defined. [RT #16574]

2124. [security] It was possible to dereference a freed fetch
context. [RT #16584]

2120. [doc] Fix markup on nsupdate man page. [RT #16556]

--- 9.4.0rc1 released ---

2118. [bug] Handle response with long chains of domain name
compression pointers which point to other compression
pointers. [RT #16427]

2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
which could lead to validation failures. named didn't
handle negative DS responses that were in the process
of being validated. Check CNAME bit before accepting
NODATA proof. To be able to ignore a child NSEC there
must be SOA (and NS) set in the bitmap. [RT #16399]

2116. [bug] 'rndc reload' could cause the cache to continually
be cleaned. [RT #16401]

2115. [bug] 'rndc reconfig' could trigger a INSIST if the
number of masters for a zone was reduced. [RT #16444]

2114. [bug] dig/host/nslookup: searches for names with multiple
labels were failing. [RT #16447]

2113. [bug] nsupdate: if a zone is specified it should be used
for server discover. [RT# 16455]

2112. [security] Warn if weak RSA exponent is used. [RT #16460]

2111. [bug] Fix a number of errors reported by Coverity.
[RT #16507]

2110. [bug] "minimal-response yes;" interacted badly with BIND 8
priming queries. [RT #16491]

2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]

2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]

2104. [port] Fix Solaris SMF error message.

2103. [port] Add /usr/sfw to list of locations for OpenSSL
under Solaris.

2102. [port] Silence solaris 10 warnings.

--- 9.4.0b4 released ---

2101. [bug] OpenSSL version checks were not quite right.
[RT #16476]

2100. [port] win32: copy libeay32.dll to Build\Debug.
Copy Debug\named-checkzone to Debug\named-compilezone.

2099. [port] win32: more manifiest issues.

2098. [bug] Race in rbtdb.c:no_references(), which occasionally
triggered an INSIST failure about the node lock
reference. [RT #16411]

--- 9.4.0b3 released ---

2097. [bug] named could reference a destroyed memory context
after being reloaded / reconfigured. [RT #16428]

2096. [bug] libbind: handle applications that fail to detect
res_init() failures better.

2095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and
net_cidr_ntop_ipv6(). [RT #16388]

2094. [contrib] Update named-bootconf. [RT# 16404]

2093. [bug] named-checkzone -s was broken.

2092. [bug] win32: dig, host, nslookup. Use registry config
if resolv.conf does not exist or no nameservers
listed. [RT #15877]

2091. [port] dighost.c: race condition on cleanup. [RT #16417]

2090. [port] win32: Visual C++ 2005 command line manifest support.
[RT #16417]

2089. [security] Raise the minimum safe OpenSSL versions to
OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
prior to these have known security flaws which
are (potentially) exploitable in named. [RT #16391]

2088. [security] Change the default RSA exponent from 3 to 65537.
[RT #16391]

2087. [port] libisc failed to compile on OS's w/o a vsnprintf.
[RT #16382]

2086. [port] libbind: FreeBSD now has get*by*_r() functions.
[RT #16403]

2085. [doc] win32: added index.html and README to zip. [RT #16201]

2084. [contrib] dbus update for 9.3.3rc2.

2083. [port] win32: Visual C++ 2005 support.

2082. [doc] Document 'cache-file' as a test only option.

--- 9.4.0b2 released ---

2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
[RT #16360]

2080. [port] libbind: res_init.c did not compile on older versions
of Solaris. [RT #16363]

2079. [bug] The lame cache was not handling multiple types
correctly. [RT #16361]

2078. [bug] dnssec-checkzone output style "default" was badly
named. It is now called "relative". [RT #16326]

2077. [bug] 'dnssec-signzone -O raw' wasn't outputing the
complete signed zone. [RT #16326]

2076. [bug] Several files were missing #include
causing build failures on OSF. [RT #16341]

2075. [bug] The spillat timer event hander could leak memory.
[RT #16357]

2074. [bug] dns_request_createvia2(), dns_request_createvia3(),
dns_request_createraw2() and dns_request_createraw3()
failed to send multiple UDP requests. [RT #16349]

2073. [bug] Incorrect semantics check for update policy "wildcard".
[RT #16353]

2072. [bug] We were not generating valid HMAC SHA digests.
[RT #16320]

2071. [port] Test whether gcc accepts -fno-strict-aliasing.
[RT #16324]

2070. [bug] The remote address was not always displayed when
reporting dispatch failures. [RT #16315]

2069. [bug] Cross compiling was not working. [RT #16330]

2068. [cleanup] Lower incremental tuning message to debug 1.
[RT #16319]

2067. [bug] 'rndc' could close the socket too early triggering
a INSIST under Windows. [RT #16317]

2066. [security] Handle SIG queries gracefully. [RT #16300]

2065. [bug] libbind: probe for HPUX prototypes for
endprotoent_r() and endservent_r(). [RT 16313]

2064. [bug] libbind: silence AIX compiler warnings. [RT #16218]

2063. [bug] Change #1955 introduced a bug which caused the first
'rndc flush' call to not free memory. [RT #16244]

2062. [bug] 'dig +nssearch' was reusing a buffer before it had
been returned by the socket code. [RT #16307]

2061. [bug] Accept expired wildcard message reversed. [RT #16296]

2060. [bug] Enabling DLZ support could leave views partially
configured. [RT #16295]

--- 9.4.0b1 released ---

2059. [bug] Search into cache rbtdb could trigger an INSIST
failure while cleaning up a stale rdataset.
[RT #16292]

2058. [bug] Adjust how we calculate rtt estimates in the presence
of authoritative servers that drop EDNS and/or CD
requests. Also fallback to EDNS/512 and plain DNS
faster for zones with less than 3 servers. [RT #16187]

2057. [bug] Make setting "ra" dependent on both allow-query-cache
and allow-recursion. [RT #16290]

2056. [bug] dig: ixfr= was not being treated case insensitively
at all times. [RT #15955]

2055. [bug] Missing goto after dropping multicast query.
[RT #15944]

2054. [port] freebsd: do not explicitly link against -lpthread.
[RT #16170]

2053. [port] netbsd:libbind: silence compiler warnings. [RT #16220]

2052. [bug] 'rndc' improve connect failed message to report
the failing address. [RT #15978]

2051. [port] More strtol() fixes. [RT #16249]

2050. [bug] Parsing of NSAP records was not case insensitive.
[RT #16287]

2049. [bug] Restore SOA before AXFR when falling back from
a attempted IXFR when transfering in a zone.
Allow a initial SOA query before attempting
a AXFR to be requested. [RT #16156]

2048. [bug] It was possible to loop forever when using
avoid-v4-udp-ports / avoid-v6-udp-ports when
the OS always returned the same local port.
[RT #16182]

2047. [bug] Failed to initialise the interface flags to zero.
[RT #16245]

2046. [bug] rbtdb.c:rdataset_setadditional() could cause duplicate
cleanup [RT #16247].

2045. [func] Use lock buckets for acache entries to limit memory
consumption. [RT #16183]

2044. [port] Add support for atomic operations for Itanium.
[RT #16179]

2043. [port] nsupdate/nslookup: Force the flushing of the prompt
for interactive sessions. [RT#16148]

2042. [bug] named-checkconf was incorrectly rejecting the
logging category "config". [RT #16117]

2041. [bug] "configure --with-dlz-bdb=yes" produced a bad
set of libraries to be linked. [RT #16129]

2040. [bug] rbtdb no_references() could trigger an INSIST
failure with --enable-atomic. [RT #16022]

2039. [func] Check that all buffers passed to the socket code
have been retrieved when the socket event is freed.
[RT #16122]

2038. [bug] dig/nslookup/host was unlinking from wrong list
when handling errors. [RT #16122]

2037. [func] When unlinking the first or last element in a list
check that the list head points to the element to
be unlinked. [RT #15959]

2036. [bug] 'rndc recursing' could cause trigger a REQUIRE.
[RT #16075]

2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]

2033. [bug] We wern't creating multiple client memory contexts
on demand as expected. [RT #16095]

--- 9.4.0a6 released ---

2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074]

2031. [bug] Emit a error message when "rndc refresh" is called on
a non slave/stub zone. [RT # 16073]

2030. [bug] We were being overly conservative when disabling
openssl engine support. [RT #16030]

2029. [bug] host printed out the server multiple times when
specified on the command line. [RT #15992]

2028. [port] linux: socket.c compatability for old systems.
[RT #16015]

2027. [port] libbind: Solaris x86 support. [RT #16020]

2026. [bug] Rate limit the two recursive client exceeded messages.
[RT #16044]

2025. [func] Update "zone serial unchanged" message. [RT #16026]

2024. [bug] named emited spurious "zone serial unchanged"
messages on reload. [RT #16027]

2023. [bug] "make install" should create ${localstatedir}/run and
${sysconfdir} if they do not exist. [RT #16033]

2022. [bug] If dnssec validation is disabled only assert CD if
CD was requested. [RT #16037]

2021. [bug] dnssec-enable no; triggered a REQUIRE. [RT #16037]

2020. [bug] rdataset_setadditional() could leak memory. [RT #16034]

2019. [tuning] Reduce the amount of work performed per quantum
when cleaning the cache. [RT #15986]

2018. [bug] Checking if the HMAC MD5 private file was broken.
[RT #15960]

2017. [bug] allow-query default was not correct. [RT #15946]

2016. [bug] Return a partial answer if recursion is not
allowed but requested and we had the answer
to the original qname. [RT #15945]

--- 9.4.0a5 released ---

2015. [cleanup] use-additional-cache is now acache-enable for
consistancy. Default acache-enable off in BIND 9.4
as it requires memory usage to be configured.
It may be enabled by default in BIND 9.5 once we
have more experience with it.

2014. [func] Statistics about acache now recorded and sent
to log. [RT #15976]

2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
responses more gracefully. [RT #15941]

2012. [func] Don't insert new acache entries if acache is full.
[RT #15970]

2011. [func] dnssec-signzone can now update the SOA record of
the signed zone, either as an increment or as the
system time(). [RT #15633]

--- 9.4.0a4 released ---

2009. [bug] libbind: coverity fixes. [RT #15808]

2008. [func] It is now posssible to enable/disable DNSSEC
validation from rndc. This is useful for the
mobile hosts where the current connection point
breaks DNSSEC (firewall/proxy). [RT #15592]

rndc validation newstate [view]

2007. [func] It is now possible to explicitly enable DNSSEC
validation. default dnssec-validation no; to
be changed to yes in 9.5.0. [RT #15674]

2006. [security] Allow-query-cache and allow-recursion now default
to the builtin acls "localnets" and "localhost".

This is being done to make caching servers less
attractive as reflective amplifying targets for
spoofed traffic. This still leave authoritative
servers exposed.

The best fix is for full BCP 38 deployment to
remove spoofed traffic.

2005. [bug] libbind: Retransmission timeouts should be
based on which attempt it is to the nameserver
and not the nameserver itself. [RT #13548]

2004. [bug] dns_tsig_sign() could pass a NULL pointer to
dst_context_destroy() when cleaning up after a
error. [RT #15835]

2003. [bug] libbind: The DNS name/address lookup functions could
occasionally follow a random pointer due to
structures not being completely zeroed. [RT #15806]

2002. [bug] libbind: tighten the constraints on when
struct addrinfo._ai_pad exists. [RT #15783]

2001. [func] Check the KSK flag when updating a secure dynamic zone.
New zone option "update-check-ksk yes;". [RT #15817]

2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]

1999. [func] Implement "rrset-order fixed". [RT #13662]

1998. [bug] Restrict handling of fifos as sockets to just SunOS.
This allows named to connect to entropy gathering
daemons that use fifos instead of sockets. [RT #15840]

1997. [bug] Named was failing to replace negative cache entries
when a positive one for the type was learnt.
[RT #15818]

1996. [bug] nsupdate: if a zone has been specified it should
appear in the output of 'show'. [RT #15797]

1995. [bug] 'host' was reporting multiple "is an alias" messages.
[RT #15702]

1994. [port] OpenSSL 0.9.8 support. [RT #15694]

1993. [bug] Log messsage, via syslog, were missing the space
after the timestamp if "print-time yes" was specified.
[RT #15844]

1992. [bug] Not all incoming zone transfer messages included the
view. [RT #15825]

1991. [cleanup] The configuration data, once read, should be treated
as readonly. Expand the use of const to enforce this
at compile time. [RT #15813]

1990. [bug] libbind: isc's override of broken gettimeofday()
implementions was not always effective.
[RT #15709]

1989. [bug] win32: don't check the service password when
re-installing. [RT #15882]

1988. [bug] Remove a bus error from the SHA256/SHA512 support.
[RT #15878]

1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]

1986. [func] Report when a zone is removed. [RT #15849]

1985. [protocol] DLV has now been assigned a official type code of
32769. [RT #15807]

Note: care should be taken to ensure you upgrade
both named and dnssec-signzone at the same time for
zones with DLV records where named is the master
server for the zone. Also any zones that contain
DLV records should be removed when upgrading a slave
zone. You do not however have to upgrade all
servers for a zone with DLV records simultaniously.

1984. [func] dig, nslookup and host now advertise a 4096 byte
EDNS UDP buffer size by default. [RT #15855]

1983. [func] Two new update policies. "selfsub" and "selfwild".
[RT #12895]

1982. [bug] DNSKEY was being accepted on the parent side of
a delegation. KEY is still accepted there for
RFC 3007 validated updates. [RT #15620]

1981. [bug] win32: condition.c:wait() could fail to reattain
the mutex lock.

1980. [func] dnssec-signzone: output the SOA record as the
first record in the signed zone. [RT #15758]

1979. [port] linux: allow named to drop core after changing
user ids. [RT #15753]

1978. [port] Handle systems which have a broken recvmsg().
[RT #15742]

1977. [bug] Silence noisy log message. [RT #15704]

1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]

1975. [bug] libbind: isc_gethexstring() could misparse multi-line
hex strings with comments. [RT #15814]

1974. [doc] List each of the zone types and associated zone
options seperately in the ARM.

1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
HMACSHA512 support. [RT #13606]

1972. [contrib] DBUS dynamic forwarders integation from
Jason Vas Dias .

1971. [port] linux: make detection of missing IF_NAMESIZE more
robust. [RT #15443]

1970. [bug] nsupdate: adjust UDP timeout when falling back to
unsigned SOA query. [RT #15775]

1969. [bug] win32: the socket code was freeing the socket
structure too early. [RT #15776]

1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]

1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]

1966. [bug] Don't set CD when we have fallen back to plain DNS.
[RT #15727]

1965. [func] Suppress spurious "recusion requested but not
available" warning with 'dig +qr'. [RT #15780].

1964. [func] Seperate out MX and SRV to CNAME checks. [RT #15723]

1963. [port] Tru64 4.0E doesn't support send() and recv().
[RT #15586]

1962. [bug] Named failed to clear old update-policy when it
was removed. [RT #15491]

1961. [bug] Check the port and address of responses forwarded
to dispatch. [RT #15474]

1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
[RT #15465]

1959. [func] Control the zeroing of the negative response TTL to
a soa query. Defaults "zero-no-soa-ttl yes;" and
"zero-no-soa-ttl-cache no;". [RT #15460]

1958. [bug] Named failed to update the zone's secure state
until the zone was reloaded. [RT #15412]

1957. [bug] Dig mishandled responses to class ANY queries.
[RT #15402]

1956. [bug] Improve cross compile support, 'gen' is now built
by native compiler. See README for additional
cross compile support information. [RT #15148]

1955. [bug] Pre-allocate the cache cleaning interator. [RT #14998]

1954. [func] Named now falls back to advertising EDNS with a
512 byte receive buffer if the initial EDNS queries
fail. [RT #14852]

1953. [func] The maximum EDNS UDP response named will send can
now be set in named.conf (max-udp-size). This is
independent of the advertised receive buffer
(edns-udp-size). [RT #14852]

1952. [port] hpux: tell the linker to build a runtime link
path "-Wl,+b:". [RT #14816].

1951. [security] Drop queries from particular well known ports.
Don't return FORMERR to queries from particular
well known ports. [RT #15636]

1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
a TCP socket. This prevents the source address being
set for TCP connections. [RT #15628]

1949. [func] Addition memory leakage checks. [RT #15544]

1948. [bug] If was possible to trigger a REQUIRE failure in
xfrin.c:maybe_free() if named ran out of memory.
[RT #15568]

1947. [func] It is now possible to configure named to accept
expired RRSIGs. Default "dnssec-accept-expired no;".
Setting "dnssec-accept-expired yes;" leaves named
vulnerable to replay attacks. [RT #14685]

1946. [bug] resume_dslookup() could trigger a REQUIRE failure
when using forwarders. [RT #15549]

1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is nolonger recommended.
To generate a RSAMD5 key you must explicitly request
RSAMD5. [RT #13780]

1944. [cleanup] isc_hash_create() does not need a read/write lock.
[RT #15522]

1943. [bug] Set the loadtime after rolling forward the journal.
[RT #15647]

1597. [func] Allow notify-source and query-source to be specified
on a per server basis similar to transfer-source.
[RT #6496]

--- 9.4.0a3 released ---

1942. [bug] If the name of a DNSKEY match that of one in
trusted-keys do not attempt to validate the DNSKEY
using the parents DS RRset. [RT #15649]

1941. [bug] ncache_adderesult() should set eresult even if no
rdataset is passed to it. [RT #15642]

1940. [bug] Fixed a number of error conditions reported by
Coverity.

1939. [bug] The resolver could dereference a null pointer after
validation if all the queries have timed out.
[RT #15528]

1938. [bug] The validator was not correctly handling unsecure
negative responses at or below a SEP. [RT #15528]

1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]

1936. [bug] The validator could leak memory. [RT #15544]

1935. [bug] 'acache' was DO sensitive. [RT #15430]

1934. [func] Validate pending NS RRsets, in the authority section,
prior to returning them if it can be done without
requiring DNSKEYs to be fetched. [RT #15430]

1919. [contrib] queryperf: a set of new features: collecting/printing
response delays, printing intermediate results, and
adjusting query rate for the "target" qps.

--- 9.4.0a2 released ---

1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534]

1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]

1931. [bug] Per-client mctx could require a huge amount of memory,
particularly for a busy caching server. [RT #15519]

1930. [port] HPUX: ia64 support. [RT #15473]

1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.

1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]

1927. [bug] Access to soanode or nsnode in rbtdb violated the
lock order rule and could cause a dead lock.
[RT# 15518]

1926. [bug] The Windows installer did not check for empty
passwords. BINDinstall was being installed in
the wrong place. [RT #15483]

1925. [port] All outer level AC_TRY_RUNs need cross compiling
defaults. [RT #15469]

1924. [port] libbind: hpux ia64 support. [RT #15473]

1923. [bug] ns_client_detach() called too early. [RT #15499]

1922. [bug] check-tool.c:setup_logging() missing call to
dns_log_setcontext().

1921. [bug] Client memory contexts were not using internal
malloc. [RT# 15434]

1920. [bug] The cache rbtdb lock array was too small to
have the desired performance characteristics.
[RT #15454]

--- 9.4.0a1 released ---