1 files changed, 240 insertions, 11 deletions

diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
index a44c804..edf2c89 100644
--- a/contrib/bind9/CHANGES
+++ b/contrib/bind9/CHANGES
@@ -1,5 +1,54 @@
+	--- 9.6.3 released ---
 
-	--- 9.6-ESV-R3 released ---
+3009.	[bug]		clients-per-query code didn't work as expected with
+			particular query patterns. [RT #22972]
+
+	--- 9.6.3rc1 released ---
+
+3007.	[bug]		Named failed to preserve the case of domain names in
+			rdata which is not compressible when writing master
+			files.  [RT #22863]
+
+3002.	[bug]		isc_mutex_init_errcheck() failed to destroy attr.
+			[RT #22766]
+
+2996.	[security]	Temporarily disable SO_ACCEPTFILTER support.
+			[RT #22589]
+
+2995.	[bug]		The Kerberos realm was not being correctly extracted
+			from the signer's identity. [RT #22770]
+
+2994.	[port]		NetBSD: use pthreads by default on NetBSD >= 5.0, and
+			do not use threads on earlier versions.  Also kill
+			the unproven-pthreads, mit-pthreads, and ptl2 support.
+
+2984.	[bug]		Don't run MX checks when the target of the MX record
+			is ".".  [RT #22645]
+
+2817.	[cleanup]	Removed unnecessary isc_task_endexclusive() calls.
+			[RT #20768]
+
+	--- 9.6.3b1 released ---
+
+2982.	[bug]		Reference count dst keys.  dst_key_attach() can be used
+			increment the reference count.
+
+			Note: dns_tsigkey_createfromkey() callers should now
+			always call dst_key_free() rather than setting it
+			to NULL on success. [RT #22672]
+
+2979.	[bug]		named could deadlock during shutdown if two
+			"rndc stop" commands were issued at the same
+			time. [RT #22108]
+
+2978.	[port]		hpux: look for <devpoll.h> [RT #21919]
+
+2976.	[bug]		named could die on exit after negotiating a GSS-TSIG
+			key. [RT #22573]
+
+2975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() aquired the
+			wrong lock which could lead to server deadlock.
+			[RT #22614]
 
 2972.	[bug]		win32: address windows socket errors. [RT #21906]
 
@@ -36,6 +85,9 @@
 			justified character with a non zero width,
 			(e.g. "%-1c"). [RT #22270]
 
+2965.	[func]		Test HMAC functions using test data from RFC 2104 and
+			RFC 4634. [RT #21702]
+
 2964.	[bug]		view->queryacl was being overloaded.  Seperate the
 			usage into view->queryacl, view->cacheacl and
 			view->queryonacl. [RT #22114]
@@ -43,6 +95,25 @@
 2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
 			[RT #22062]
 
+2960.	[func]		Check that named accepts non-authoritative answers.
+			[RT #21594]
+
+2959.	[func]		Check that named starts with a missing masterfile.
+			[RT #22076]
+
+2957.	[bug]		entropy_get() and entropy_getpseudo() failed to match
+			the API for RAND_bytes() and RAND_pseudo_bytes()
+			respectively. [RT #21962]
+
+2956.	[port]		Enable atomic operations on the PowerPC64. [RT #21899]
+
+2954.	[bug]		contrib: dlz_mysql_driver.c bad error handling on
+			build_sqldbinstance failure. [RT #21623]
+
+2953.	[bug]		Silence spurious "expected covering NSEC3, got an
+			exact match" message when returning a wildcard
+			no data response. [RT #21744]
+
 2952.	[port]		win32: named-checkzone and named-checkconf failed
 			to initialise winsock. [RT #21932]
 
@@ -50,7 +121,23 @@
 			in a optout, delegation only zone with no secure
 			delegations. [RT #22007]
 
-	--- 9.6-ESV-R2 released ---
+2950.	[bug]		named failed to perform a SOA up to date check when
+			falling back to TCP on UDP timeouts when
+			ixfr-from-differences was set. [RT #21595]
+
+2946.	[doc]		Document the default values for the minimum and maximum
+			zone refresh and retry values in the ARM. [RT #21886]
+
+2945.	[doc]		Update empty-zones list in ARM. [RT #21772]
+
+2944.	[maint]		Remove ORCHID prefix from built in empty zones.
+			[RT #21772]
+
+2942.	[contrib]	zone2sqlite failed to setup the entropy sources.
+			[RT #21610]
+
+2941.	[bug]		sdb and sdlz (dlz's zone database) failed to support
+			DNAME at the zone apex.  [RT #21610]
 
 2939.	[func]		Check that named successfully skips NSEC3 records
 			that fail to match the NSEC3PARAM record currently
@@ -73,31 +160,173 @@
 			likely that the bug happens only when enabling threads,
 			but it's not confirmed yet. [RT #21818]
 
+2935.	[bug]		nsupdate: improve 'file not found' error message.
+			[RT #21871]
+
+2934.	[bug]		Use ANSI C compliant shift range in lib/isc/entropy.c.
+			[RT #21871]
+
+2933.	[bug]		'dig +nsid' used stack memory after it went out of
+			scope.  This could potentially result in a unknown,
+			potentially malformed, EDNS option being sent instead
+			of the desired NSID option. [RT #21781]
+
+2932.	[cleanup]	Corrected a numbering error in the "dnssec" test.
+			[RT #21597]
+
+2931.	[bug]		Temporarily and partially disable change 2864
+			because it would cause infinite attempts of RRSIG
+			queries.  This is an urgent care fix; we'll
+			revisit the issue and complete the fix later.
+			[RT #21710]
+
+2929.	[bug]		Improved handling of GSS security contexts:
+			 - added LRU expiration for generated TSIGs
+			 - added the ability to use a non-default realm
+                         - added new "realm" keyword in nsupdate
+			 - limited lifetime of generated keys to 1 hour
+			   or the lifetime of the context (whichever is
+			   smaller)
+			[RT #19737]
+
 2925.	[bug]		Named failed to accept uncachable negative responses
 			from insecure zones. [RT# 21555]
 
+2923.	[bug]		'dig +trace' could drop core after "connection
+			timeout". [RT #21514]
+
+2922.	[contrib]	Update zkt to version 1.0.
+
 2921.	[bug]		The resolver could attempt to destroy a fetch context
 			too soon.  [RT #19878]
 
+2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.
+
+2916.	[func]		Add framework to use IPv6 in tests.
+			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
+
+2915.	[cleanup]	Be smarter about which objects we attempt to compile
+			based on configure options. [RT #21444]
+
+2912.	[func]		Windows clients don't like UPDATE responses that clear
+			the zone section. [RT #20986]
+
+2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
+			[RT #21367]
+
+2910.	[func]		Sanity check Kerberos credentials. [RT #20986]
+
+2908.	[bug]		It was possible for re-signing to stop after removing
+			a DNSKEY. [RT #21384]
+
+2905.	[port]		aix: set use_atomic=yes with native compiler.
+			[RT #21402]
+
+2904.   [bug]           When using DLV, sub-zones of the zones in the DLV,
+			could be incorrectly marked as insecure instead of
+			secure leading to negative proofs failing.  This was
+			a unintended outcome from change 2890. [RT# 21392]
+
+2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
+
 2900.	[bug]		The placeholder negative caching element was not
-			properly constructed triggering a INSIST in 
+			properly constructed triggering a INSIST in
 			dns_ncache_towire(). [RT #21346]
-			
+
+2899.	[port]		win32: Support linking against OpenSSL 1.0.0.
+
+2898.	[bug]		nslookup leaked memory when -domain=value was
+			specified. [RT #21301]
+
+2894.	[contrib]	DLZ LDAP support now use '$' not '%'. [RT #21294]
+
+2891.	[maint]		Update empty-zones list to match
+			draft-ietf-dnsop-default-local-zones-13. [RT# 21099]
+
 2890.	[bug]		Handle the introduction of new trusted-keys and
 			DS, DLV RRsets better. [RT #21097]
 
-2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
-			[RT #20877]
+2889.	[bug]		Elements of the grammar where not properly reported.
+			[RT #21046]
+
+2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]
+
+2885.	[bug]		Improve -fno-strict-aliasing support probing in
+			configure. [RT #21080]
+
+2884.	[bug]		Insufficient validation in dns_name_getlabelsequence().
+			[RT #21283]
+
+2883.	[bug]		'dig +short' failed to handle really large datasets.
+			[RT #21113]
+
+2882.	[bug]		Remove memory context from list of active contexts
+			before clearing 'magic'. [RT #21274]
+
+2881.	[bug]		Reduce the amount of time the rbtdb write lock
+			is held when closing a version. [RT #21198]
 
-	--- 9.6-ESV-R1 released ---
+2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
+			[RT #21106]
+
+2877.	[bug]		The validator failed to skip obviously mismatching
+			RRSIGs. [RT #21138]
 
 2876.	[bug]		Named could return SERVFAIL for negative responses
 			from unsigned zones. [RT #21131]
 
-	--- 9.6-ESV released ---
+2875.	[bug]		dns_time64_fromtext() could accept non digits.
+			[RT #21033]
+
+2874.	[bug]		Cache lack of EDNS support only after the server
+			successfully responds to the query using plain DNS.
+			[RT #20930]
+
+2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.
+
+2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
+			[RT #20877]
+
+2868.	[cleanup]	Run "make clean" at the end of configure to ensure
+			any changes made by configure are integrated.
+			Use --with-make-clean=no to disable.  [RT #20994]
+
+2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
+			don't like it.  [RT #20986]
+
+2866.	[bug]		Windows does not like the TSIG name being compressed.
+			[RT #20986]
+
+2865.	[bug]		memset to zero event.data.  [RT #20986]
+
+2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
+			[RT #21050]
+
+2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
+			[RT #21056]
+
+2862.	[bug]		nsupdate didn't default to the parent zone when
+			updating DS records. [RT #20896]
+
+2859.	[bug]		When cancelling validation it was possible to leak
+			memory. [RT #20800]
+
+2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
+			[RT #20772]
+
+2857.	[bug]		named-checkconf did not fail on a bad trusted key.
+			[RT #20705]
+
+2856.	[bug]		The size of a memory allocation was not always properly
+			recorded. [RT #20927]
+
+2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]
 
 2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]
 
+2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
+			source as it produced bad nroff.  [RT #21007]
+
 	--- 9.6.2 released ---
 
 2850.	[bug]		If isc_heap_insert() failed due to memory shortage
@@ -138,10 +367,10 @@
 
 2823.	[bug]		rbtdb.c:getsigningtime() was missing locks. [RT #20781]
 
-2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define
+2819.	[cleanup]	Removed unnecessary DNS_POINTER_MAXHOPS define.
 			[RT #20771]
 
-2818.	[cleanup]	rndc could return an incorrect error code 
+2818.	[cleanup]	rndc could return an incorrect error code
 			when a zone was not found. [RT #20767]
 
 2815.	[bug]		Exclusively lock the task when freezing a zone.
@@ -357,7 +586,7 @@
 
 2621.	[doc]		Made copyright boilterplate consistent.  [RT #19833]
 
-2920.	[bug]		Delay thawing the zone until the reload of it has
+2620.	[bug]		Delay thawing the zone until the reload of it has
 			completed successfully.  [RT #19750]
 
 2618.	[bug]		The sdb and sdlz db_interator_seek() methods could