[v9_11] prep 9.11.3rc1

add note for update-policy rules changes (cherry picked from commit ff8f2a584d6a809158b1aaf59bde12061c096cc1)

update copyright notice / whitespace

[v9_11] typo

[v9_11] block validator deadlock and prevent use-after-free 4859. [bug] A loop was possible when attempting to validate unsigned CNAME responses from secure zones; this caused a delay in returning SERVFAIL and also increased the chances of encountering CVE-2017-3145. [RT #46839] 4858. [security] Addresses could be referenced after being freed in resolver.c, causing an assertion failure. (CVE-2017-3145) [RT #46839]

add [RT #46774] (cherry picked from commit 77f96234391bb393050ad445a9088644cc90235a)

[v9_11] revised release note

add note for [RT #46743] and [RT #46754] (cherry picked from commit 9ff34db455b1d0d2addcdac7092f273acdec4c65)

[v9_11] fix "allow-transfer" inheritance and clean up ACL configuration 4836. [bug] Zones created using "rndc addzone" could temporarily fail to inherit an "allow-transfer" ACL that had been configured in the options statement. [RT #46603] (cherry picked from commit e197a2bd150783f53044342cf0d02510dfb744df)

Add system tests and remove redundent logging from: 4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside . trust-anchor dlv.isc.org;' now elicit warnings rather than being fatal configuration errors. [RT #46410] (cherry picked from commit f5e1b555c59074e9b8626921c4a068ee6fc1c1e3)

use correct tag

s/made/may/

note removal of <isc/util.h> from other header files (cherry picked from commit 9e5439a6d897f90fd12e09dd1cd81b37c1de96bc)

[v9_11] require writable managed keys directory 4769. [bug] Enforce the requirement that the managed keys directory (specified by "managed-keys-directory", and defaulting to the working directory if not specified) must be writable. [RT #46077]

[v9_11] README and relnote fixes (cherry picked from commit 30419509dd31502bbddcb69a41201eb73f8aeccc)

[v9_11] further restrict update-policy local 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492]

4754. [bug] dns_zone_setview needs a two stage commit to properly handle errors. [RT #45841]

[v9_11] fix tag

[v9_11] de-DLV 4749. [func] The ISC DLV service has been shut down, and all DLV records have been removed from dlv.isc.org. - Removed references to ISC DLV in documentation - Removed DLV key from bind.keys - No longer use ISC DLV by default in delv [RT #46155]

4688. [protocol] Check and display EDNS KEY TAG options (RFC 8145) in messages. [RT #44804] (cherry picked from commit 07741d43c8da09821b6eedbbe066fad86af72cc8)

[v9_11] revise CHANGES note and add release note

[v9_11] update relnotes to mention termination of windows XP support

[v9_11] add a release note for TSIG regression

note change in AD setting on some truncated answers (cherry picked from commit 56d8312a48942422855beb86bb9af955d6e8ef90)

add note about .local (cherry picked from commit 99879922328da2d328f8ab62d59a5ed28de66a56)

[v9_11] address TSIG bypass/forgery vulnerabilities 4643. [security] An error in TSIG handling could permit unauthorized zone transfers or zone updates. (CVE-2017-3142) (CVE-2017-3143) [RT #45383] (cherry picked from commit 581c1526ab0f74a177980da9ff0514f795ed8669)

[v9_11] prevent reload failure due to LMDB database perms 4638. [bug] Reloading or reconfiguring named could fail on some platforms when LMDB was in use. [RT #45203] (cherry picked from commit bf05e66bb38c44378a7873ff3701e6e596e70bf7)

[v9_11] quote service registry paths 4532. [security] The BIND installer on Windows used an unquoted service path, which can enable privilege escalation. (CVE-2017-3141) [RT #45229] (cherry picked from commit 967a3b9419a3c12b8c0870c86d1ee3840bcbbad7)

[v9_11] fix rpz formerr loop 4531. [security] Some RPZ configurations could go into an infinite query loop when encountering responses with TTL=0. (CVE-2017-3140) [RT #45181]

update copyright notice / whitespace

[v9_11] symbolic option names for dig +ednsopt 4555. [func] dig +ednsopt: EDNS options can now be specified by name in addition to numeric value. [RT #44461] (cherry picked from commit 25a9b90369f2de5c9921fae84a27c94c83f156be)

add warning about semicolon no longer being escaped (cherry picked from commit d4d73bca797a70976d627c355907026ca1aee880)

[v9_11] fix lmdb delzone 4616. [bug] When using LMDB, zones deleted using "rndc delzone" were not correctly removed from the new-zone database. [RT #45185] (cherry picked from commit 3a554a444caf444b6239a7ae80d6448cad3a363e)

[v9_11] give threads unique names to assist debugging 4602. [func] Threads are now set to human-readable names to assist debugging, when supported by the OS. [RT #43234] (cherry picked from commit d26ae7fc0802f67a50f6f01152f356182d47305e)

[v9_11] clear out relnotes

[v9_11] formatting (cherry picked from commit 52e398c0afdb220ee2cc5119d10f8c23f924d883)

add CVE-2017-3138 (cherry picked from commit fe1ad70e510d2327f9decf5096915becbc2c95c0)

[v9_11] remove unnecessary INSIST and prep 9.11.1rc2 4578. [security] Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) [RT #44734] (cherry picked from commit a1365a0042db8c1cd0ee4dbd0c91ce65ae09e098)

add CVE-2017-3136 note (cherry picked from commit d77eadc26113486f32fea25320ae4c6f1f2e7fb2)

[v9_11] doc style

[v9_11] removed extra note about bind.keys update

[v9_11] release note about new root key

[v9_11] store local and remote addresses in dnstap 4569. [func] Store both local and remote addresses in dnstap logging, and modify dnstap-read output format to print them. [RT #43595] (cherry picked from commit 650b5e7592be43d6994ba425bc1fa654d538cd7e)

new root KSK

[v9_11] change 4558 was incomplete (cherry picked from commit cd668ea57fc236e1f7509c3827e4a39a62078a2d)

[v9_11] expand relnote (cherry picked from commit afa0ff0cbb75f4ce20d082eb3cb30ea6b2840920)

4556. [security] Combining dns64 and rpz can result in dereferencing a NULL pointer (read). (CVE-2017-3135) [RT#44434] (cherry picked from commit 5abe80ef138340e3d4f551059a3c340b78940933)

update copyright notice / whitespace

4553. [bug] Named could deadlock there were multiple changes to NSEC/NSEC3 parameters for a zone being processed at the same time. [RT #42770] (cherry picked from commit d2e1b47d4fc7f2e12ea91cc59dc5f951a9df5fbc)

4552. [bug] Named could trigger a assertion when sending notify messages. [RT #44019] (cherry picked from commit 42924b40af972acc2f2ca82d6e7211e10b4f4a29)

[v9_11] release notes

4508. [security] Named incorrectly tried to cache TKEY records which could trigger a assertion failure when there was a class mismatch. (CVE-2016-9131) [RT #43522] (cherry picked from commit 2c1c4b99a127a0f34e10fe27324d552ccbc54e04)

[v9_11] expand intro

[v9_11] release notes

[v9_11] release note

[v9_11] clarify auth ECS is not meant for production use

4527. [doc] Support DocBook XSL Stylesheets v1.79.1. [RT #43831] (cherry picked from commit 1b8ce3b3302f0afe682d04df8a1f20b4ac346fb2)

4504. [security] Allow the maximum number of records in a zone to be specified. This provides a control for issues raised in CVE-2016-6170. [RT #42143] (cherry picked from commit 5f8412a4cb5ee14a0e8cddd4107854b40ee3291e)

[v9_11] render querylog format consistent, and add a release note 4471. [cleanup] Render client/query logging format consistent for ease of log file parsing. (Note that this affects "querylog" format: there is now an additional field indicating the client object address.) [RT #43238] (cherry picked from commit c4b7db49326be650fa95a7ede6e066bbe1268561)

reorder (cherry picked from commit 9ffbc3f9b35e377aea919cc4285f6456f489e7f2)

add CVE-2016-2776 (cherry picked from commit d4c8a622c0806b332880d7a9db69cf48a5260901)

[v9_11] fix dnssec-policy.conf in notes (cherry picked from commit bfb479d5e32c42c6ebf85d13bbb2f9cfa46173be)

[v9_11] add missing release notes and fix other doc nits (cherry picked from commit 864dc79dce81123d31a30bc7b47ea564dd7a20a3)

4437. [func] Minimal-responses now has two additional modes no-auth and no-auth-recursive which suppress adding the NS records to the authority section as well as the associated address records for the nameservers. [RT #42005] (cherry picked from commit 78e31dd18798f22828059b0f5cbc1c984c7e142c)

4424. [experimental] Named now sends _ta-XXXX.<trust-anchor>/NULL queries to provide feedback to the trust-anchor administrators about how key rollovers are progressing as per draft-ietf-dnsop-edns-key-tag-02. This can be disabled using 'trust-anchor-telemetry no;'. [RT #40583] (cherry picked from commit f20179857a8512441c3be7ad33f1c84e367de041)

update copyright notice / whitespace

[v9_11] add release note

[v9_11] store "addzone" zone config in a NZD database 4421. [func] When built with LMDB (Lightning Memory-mapped Database), named will now use a database to store the configuration for zones added by "rndc addzone" instead of using a flat NZF file. This improves performance of "rndc delzone" and "rndc modzone" significantly. Existing NZF files will automatically by converted to NZD databases. To view the contents of an NZD or to roll back to NZF format, use "named-nzd2nzf". To disable this feature, use "configure --without-lmdb". [RT #39837]

grammar (cherry picked from commit 8f7881684be27d6d698f78f771d3d16dc57101c9)

[v9_11] rndc dnstap -roll 4411. [func] "rndc dnstap -roll" automatically rolls the dnstap output file; the previous version is saved with ".0" suffix, and earlier versions with ".1" and so on. An optional numeric argument indicates how many prior files to save. [RT #42830]

add [RT #42694]

issue -> flaw (cherry picked from commit 268f9e6832841a8e9f22562cc1294b4046d39ec3)

add CVE-2016-2775 (cherry picked from commit 909d442cc0bed4337760419fa135c98224a79c73)

add note for rt42694 (cherry picked from commit 429701008e672edc50d33c83d983ba096fee5f13)

license section is no longer a list

spelling

[v9_11] notes formatting, fix a CHANGES tag

Fix a typo and missing link in notes.xml

cleanup of notes.xml added better text to describe the license change added information about the following changes to notes.xml +4396. [func] dnssec-keymgr now takes a '-r randomfile' option. + [RT #42455] +4392. [func] Collect statistics for RSSAC02v3 traffic-volume, + traffic-sizes and rcode-volume reporting. [RT #41475] +4388. [func] Support for master entries with TSIG keys in catalog + zones. [RT #42577] +4385. [func] Add support for allow-query and allow-transfer ACLs + to catalog zones. [RT #42578]

4401. [misc] Change LICENSE to MPL 2.0.

4394. [func] Add rndc command "dnstap-reopen" to close and reopen dnstap output filed. [RT #41803]

4376. [experimental] Added support for Catalog Zones, a new method for provisioning secondary servers in which a list of zones to be served is stored in a DNS zone and can be propagated to slaves via AXFR/IXFR. [RT #41581] 4375. [func] Add support for automatic reallocation of isc_buffer to isc_buffer_put* functions. [RT #42394]

[master] spelling

[master] extend release notes

[master] fix tag mismatch

[master] minimal-any 4371. [func] New "minimal-any" option reduces the size of UDP responses for qtype ANY by returning a single arbitrarily selected RRset instead of all RRsets. Thanks to Tony Finch. [RT #41615]

note RNDC module

update for 9.11.0a2

4362. [func] Changed rndc reconfig behaviour so that newly added zones are loaded asynchronously and the loading does not block the server. [RT #41934]

[master] add nsip-wait-recurse release note

[master] log message when using ISC DLV 4352. [cleanup] The ISC DNSSEC Lookaside Validation (DLV) service is scheduled to be disabled in 2017. A warning is now logged when named is configured to use it, either explicitly or via "dnssec-lookaside auto;" [RT #42207]

fix tag mis-match

[master] dnssec-keymgr 4349. [contrib] kasp2policy: A python script to create a DNSSEC policy file from an OpenDNSSEC KASP XML file. 4348. [func] dnssec-keymgr: A new python-based DNSSEC key management utility, which reads a policy definition file and can create or update DNSSEC keys as needed to ensure that a zone's keys match policy, roll over correctly on schedule, etc. Thanks to Sebastian Castro for assistance in development. [RT #39211]

[master] better relnote for read-only controls option

[master] fixes for release notes

[master] remove pre-9.11.0a1 security fixes from 9.11 release notes

regen master

[master] fix broken tag

[master] prep 9.11.0a1

note rrsig regeneration

add AVC

[master] recursively clean empty interior nodes when deleting database records 4324. [bug] When deleting records from a zone database, interior nodes could be left empty but not deleted, damaging search performance afterward. [RT #40997]

4322. [security] Duplicate EDNS COOKIE options in a response could trigger an assertion failure. (CVE-2016-2088) [RT #41809]

Fix resolver assertion failure due to improper DNAME handling (CVE-2016-1286) (#41753)

4318. [security] Malformed control messages can trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666]

[master] remove reporter's name per his request

[master] NOSETFC incorrectly applied 4300. [bug] A flag could be set in the wrong field when setting up nonrecursive queries; this could cause the SERVFAIL cache to cache responses it shouldn't. New querytrace logging has been added which identified this error. [RT #41155]

[master] millisecond granularity for statschannel timers 4290. [func] The timers returned by the statistics channel (indicating current time, server boot time, and most recent reconfiguration time) are now reported with millisecond accuracy. [RT #40082]

[master] fix ticket number

[master] fix use after free on xfr timeout 4289. [bug] The server could crash due to memory being used after it was freed if a zone transfer timed out. [RT #41297]

[master] fixed bogus server regression 4288. [bug] Fixed a regression in resolver.c:possibly_mark() which caused known-bogus servers to be queried anyway. [RT #41321]

update copyright notice / whitespace

[master] clean up notes

4286. [security] render_ecs errors were mishandled when printing out a OPT record resulting in a assertion failure. (CVE-2015-8705) [RT #41397] (cherry picked from commit 3e0c1603a835c678b07f1147909bf196988ee0d3)

remove period

4285. [security] Specific APL data could trigger a INSIST. (CVE-2015-8704) [RT #41396]

[master] fix geoip options 4284. [bug] Some GeoIP options were incorrectly documented using abbreviated forms which were not accepted by named. The code has been updated to allow both long and abbreviated forms. [RT #41381]

add dig +mapped

Update notes.xml for #40996

[master] disallow map zones in response-policy 4269. [bug] Zones using "map" format master files currently don't work as policy zones. This limitation has now been documented; attempting to use such zones in "response-policy" statements is now a configuration error. [RT #38321]

update description

Add CVE-2015-8461

spelling

note the address changes for H.ROOT-SERVERS.NET

[master] typo

4260. [security] Insufficient testing when parsing a message allowed records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. (CVE-2015-8000) [RT #4098]

Update notes.xml for #40498

4255. [func] Add 'message-compression' option to disable DNS compression in responses. [RT #40726]

[master] NTAs did not survive reoad/reconfig 4251. [bug] NTAs were deleted when the server was reconfigured or reloaded. [RT #41058]

cleanup trailing white space in SGML like files

[master] shorten default servfail-ttl 4239. [func] Changed default servfail-ttl value to 1 second from 10. Also, the maximum value is now 30 instead of 300. [RT #37556]

update copyright notice / whitespace

[master] upgrade doc toolchain 4237. [doc] Upgraded documentation toolchain to use DocBook 5 and dblatex. [RT #40766]

Fix notes and CHANGES for #40761

Update CHANGES and notes.xml for #40761

Update the default value for number of UDP listeners (#40761)

[master] dnstap 4235. [func] Added support in named for "dnstap", a fast method of capturing and logging DNS traffic, and a new command "dnstap-read" to read a dnstap log file. Use "configure --enable-dnstap" to enable this feature (note that this requires libprotobuf-c and libfstrm). See the ARM for configuration details. Thanks to Robert Edmonds of Farsight Security. [RT #40211]

[master] merge dyndb 4224. [func] Added support for "dyndb", a new interface for loading zone data from an external database, developed by Red Hat for the FreeIPA project. DynDB drivers fully implement the BIND database API, and are capable of significantly better performance and functionality than DLZ drivers, while taking advantage of advanced database features not available in BIND such as multi-master replication. Thanks to Adam Tkac and Petr Spacek of Red Hat. [RT #35271]

4217. [protocol] Add support for CSYNC. [RT #40532]

4214. [protocol] Add support for TALINK. [RT #40544]

4199. [protocol] Add support for NINFO, RKEY, SINK, TA. [RT #40545] [RT #40547] [RT #40561] [RT #40563]

4201. [func] The default preferred-glue is now the address record type of the transport the query was received over. [RT #40468]

4200. [cleanup] win32: update BINDinstall to be BIND release independent. [RT #38915]

4199. [protocol] Add support for NINFO, RKEY, TA. [RT #40545] [RT #40547] [RT #40563]

4199. [protocol] Add support for NINFO, RKEY. [RT #40547] [RT #40563]

4199. [protocol] Add support for RKEY. [RT #40563]

[master] fix incorrect bug ID

[master] fix the o umlaut for HTML and TXT too

[master] add CVE number

support umlaut 'o'

[master] xml doesn't define &ouml;

Updated CHANGES note to include require-server-cookie: 4152. [func] Implement DNS COOKIE option. This replaces the experimental SIT option of BIND 9.10. The following named.conf directives are available: send-cookie, cookie-secret, cookie-algorithm, nocookie-udp-size and require-server-cookie. The following dig options are available: +[no]cookie[=value] and +[no]badcookie. [RT #39928]

[master] fix length check in OPENPGPKEY 4170. [security] An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. [RT #40286]

[master] address buffer accounting error 4168. [security] A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. (CVE-2015-5722) [RT #40212]

[master] revert incorrect 'correction'

[master] corrected relnotes -- assertion in name.c not message.c

add CVE-2015-5477

[master] DDoS mitigation features 3938. [func] Added quotas to be used in recursive resolvers that are under high query load for names in zones whose authoritative servers are nonresponsive or are experiencing a denial of service attack. - "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically adjusted downward if the server is partially or completely non-responsive. The algorithm used to adjust the quota can be configured via the "fetch-quota-params" option. - "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - New stats counters have been added to count queries spilled due to these quotas. See the ARM for details of these options. [RT #37125]

[master] traffic size stats 4156. [func] Added statistics counters to track the sizes of incoming queries and outgoing responses in histogram buckets, as specified in RSSAC002. [RT #39049]

Allow RPZ rewrite logging to be configured on a per-zone basis (#39754)

4152. [func] Implement DNS COOKIE option. This replaces the experimental SIT option of BIND 9.10. The following named.conf directives are avaliable: send-cookie, cookie-secret, cookie-algorithm and nocookie-udp-size. The following dig options are available: +[no]cookie[=value] and +[no]badcookie. [RT #39928]

Add comma

add release notes for CVE-2015-4620

[master] further RPZ fixes 4131. [bug] Addressed further problems with reloading RPZ zones. [RT #39649]

[master] fix tags

Update notes.xml and CHANGES for #39567

Fix RPZ radix tree search() for CLIENT-IP triggers (#39481)

[master] ensure rpz summary consistence during AXFR updates 4121. [bug] When updating a response-policy zone via AXFR, summary data about other policy zones could fall out of sync. Ultimately this could trigger an assertion failure in rpz.c. [RT #39567]

[master] address a possible policy update race 4120. [bug] A bug in RPZ could cause the server to crash if policy zones were updated while recursion was pending for RPZ processing of an active query. [RT #39415]

Fix a bug in RPZ that could cause unwanted recursion (#39229) Conflicts: doc/arm/notes.xml

4109. [port] linux: support reading the local port range from net.ipv4.ip_local_port_range. [RT # 39379]

[master] more verbose CHANGES note, added release note 4108. [func] An additional NXDOMAIN redirect method (option "nxdomain-redirect") has been added, allowing redirection to a specified DNS namespace instead of a single redirect zone. [RT #37989]

4108. [func] A additional nxdomain redirect (nxdomain-redirect) method is now supported. [RT #37989]

[master] fix +split and +rrcomments with dig +short 4101. [bug] dig: the +split and +rrcomments options didn't work with +short. [RT #39291]

docbook <command> tags around named server references

fix mismatched docbook tag

[master] hold a reference on fetch context during query 4094. [bug] A race during shutdown or reconfiguration could cause an assertion in mem.c. [RT #38979]

[master] dig can now learn the SIT value when retrying 4093. [func] Dig now learns the SIT value from truncated responses when it retries over TCP. [RT #39047]

4082. [bug] Incrementally sign large inline zone deltas. [RT #37927]

[master] release note for change #4013

[master] add "lock-file" and fix up singleton code 4080. [func] Completed change #4022, adding a "lock-file" option to named.conf to override the default lock file, in addition to the "named -X <filename>" command line option. Setting the lock file to "none" using either method disables the check completely. [RT #37908]

Update win32 configure for --enable-querytrace (#37520) Also enable querytrace when --enable-developer is specified.

[master] fix LOADPENDING issues 4063. [bug] Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]

[master] 5011 tests and fixes 4056. [bug] Expanded automatic testing of trust anchor management and fixed several small bugs including a memory leak and a possible loss of key state information. [RT #38458] 4055. [func] "rndc managed-keys" can be used to check status of trust anchors or to force keys to be refreshed, Also, the managed keys data file has easier-to-read comments. [RT #38458]

added mdig tool

[master] avoid crash due to managed-key rollover 4053. [security] Revoking a managed trust anchor and supplying an untrusted replacement could cause named to crash with an assertion failure. (CVE-2015-1349) [RT #38344]

Update notes.xml for #38454

missing '-' in keep-response-order

[master] "rndc modzone" 4043. [func] "rndc modzone" can be used to modify the configuration of an existing zone, using similar syntax to "rndc addzone". [RT #37895]

[master] correct CHANGES note

[master] add TCP pipelining support 4040. [func] Added server-side support for pipelined TCP queries. TCP connections are no longer closed after the first query received from a client. (The new "keep-response-order" option allows clients to be specified for which the old behavior will still be used.) [RT #37821]

Add NTA persistence (#37087) 4034. [func] When added, negative trust anchors (NTA) are now saved to files (viewname.nta), in order to persist across restarts of the named server. [RT #37087]

4032. [bug] Built-in "empty" zones did not correctly inherit the "allow-transfer" ACL from the options or view. [RT #38310]

update copyright notice / whitespace

[master] rndc showzone / rndc delzone of non-added zones 4030. [func] "rndc delzone" is now applicable to zones that were configured in named.conf, as well as zones that were added via "rndc addzone". (Note, however, that if named.conf is not also modified, the deleted zone will return when named is reloaded.) [RT #37887] 4029. [func] "rndc showzone" displays the current configuration of a specified zone. [RT #37887]

Make named a singleton process [RT#37908] Conflicts: bin/tests/system/conf.sh.in lib/dns/win32/libdns.def.in lib/isc/win32/file.c The merge also needed to update files in legacy and tcp system tests (newly introduced in master after branch was created) to introduce use of lockfile.

[master] adjust max-recursion-queries 4021. [bug] Adjust max-recursion-queries to accommodate the need for more queries when the cache is empty. [RT #38104]

4020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery resulting in updates being sent to the wrong server. [RT #37925]

4019. [func] If named is not configured to validate the answer then allow fallback to plain DNS on timeout even when we know the server supports EDNS. [RT #37978]

4017. [testing] Add system test to check lookups to legacy servers with broken DNS behaviour. [RT #37965]

4015. [bug] Nameservers that are skipped due to them being CNAMEs were not being logged. They are now logged to category 'cname' as per BIND 8. [RT #37935]

[master] delv +tcp 4009. [func] delv: added a +tcp option. [RT #37855]

[master] add notes

[master] allow arbitrary-size rndc output 4005. [func] The buffer used for returning text from rndc commands is now dynamically resizable, allowing arbitrarily large amounts of text to be sent back to the client. (Prior to this change, it was possible for the output of "rndc tsig-list" to be truncated.) [RT #37731]

[master] fix nxrrset in nxdomain redirection 4000. [bug] NXDOMAIN redirection incorrectly handled NXRRSET from the redirect zone. [RT #37722]

[master] new mkeys and nzf naming format 3999. [func] "mkeys" and "nzf" files are now named after their corresponding views, unless the view name contains characters that would be incompatible with use in a filename (i.e., slash, backslash, or capital letters). If a view name does contain these characters, the files will still be named using a cryptographic hash of the view name. Regardless of this, if a file using the old name format is found to exist, it will continue to be used. [RT #37704]

3997. [protocol] Add OPENGPGKEY record. [RT# 37671]

add end of life statement

3994. [func] Dig now supports setting the last unassigned DNS header flag bit (dig +zflag). [RT #37421]

3993. [func] Dig now supports EDNS negotiation by default. (dig +[no]ednsnegotiation). [RT #37604]

3992. [func] DiG can now send queries without questions (dig +header-only). [RT #37599]

3991. [func] Add the ability to buffer logging output by specifying "buffered yes;" when defining a channel. [RT #26561]

[master] missed a ticket number

[master] [rt35857] relnote

[master] [rt36945] relnote

[master] [rt36892] relnote

[master] [rt37138] relnote

[master] [rt37159] relnote

[master] [rt37172] relnote

[master] [rt37197] relnote

[master] [rt37410] relnote

[master] [rt37506] relnote

[master] more relnotes backfill

[master] backfill release notes

3987. [func] Allow the zone serial of a dynamically updatable zone to be updated via rndc. [RT #37404]

[master] include relnotes in doc 3982. [doc] Include release notes in product documentation. [RT #37272]