Advance notice - H-root address change on December 1, 2015
This is advance notice that there is a scheduled change to the IP addresses for one of the authorities listed for the DNS root zone and the .ARPA TLD. The change is to H.ROOT-SERVERS.NET, which is administered by the U.S. Army Research Laboratory. The new IPv4 address for this authority is 198.97.190.53. The new IPv6 address for the authority is 2001:500:1::53. This change is anticipated to be implemented in the root zone on 1 December 2015, however the new addresses are operational now. They will replace the previous IP addresses of 128.63.2.53 and 2001:500:1::803f:235 (also previously known as AOS.BRL.MIL and AOS.ARL.ARMY.MIL). We encourage operators of DNS infrastructure to update any references to the old IP addresses and replace them with the new addresses. In particular, many DNS resolvers have a DNS root "hints" file. This should be updated with the new IP addresses. New hints files will be available at the following URLs once the change has been formally executed on December 1: http://www.internic.net/domain/named.root http://www.internic.net/domain/named.cache The old IPv4 address will continue to work for six months after the transition (until 1 June 2016), at which point it will be retired from service. The address will remain under the control of the Army Research Laboratory, never to be used again for DNS service. The old IPv6 address will continue to work indefinitely, but may ultimately be retired from service. Simultaneous to the retirement of the old address on June 1, 2016, the ASN for H-root will change from 13 to 1508. You can monitor the transition of queries to the new addresses at the following URL: http://h.root-servers.org/old_vs_new.html -- Howard Kash U.S. Army Research Laboratory
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Kash, Howard M CIV USARMY RDECOM ARL (US) Sent: Monday, August 31, 2015 12:39 PM To: nanog@nanog.org Subject: Advance notice - H-root address change on December 1, 2015
This is advance notice that there is a scheduled change to the IP addresses for one of the authorities listed for the DNS root zone and the .ARPA TLD. The change is to H.ROOT-SERVERS.NET, which is administered by the U.S. Army Research Laboratory.
The new IPv4 address for this authority is 198.97.190.53.
The new IPv6 address for the authority is 2001:500:1::53.
This change is anticipated to be implemented in the root zone on 1 December 2015, however the new addresses are operational now. They will replace the previous IP addresses of 128.63.2.53 and 2001:500:1::803f:235 (also previously known as AOS.BRL.MIL and AOS.ARL.ARMY.MIL).
We encourage operators of DNS infrastructure to update any references to
Friendly reminder... the
old IP addresses and replace them with the new addresses. In particular, many DNS resolvers have a DNS root "hints" file. This should be updated with the new IP addresses.
New hints files will be available at the following URLs once the change has been formally executed on December 1:
http://www.internic.net/domain/named.root http://www.internic.net/domain/named.cache
The old IPv4 address will continue to work for six months after the transition (until 1 June 2016), at which point it will be retired from service. The address will remain under the control of the Army Research Laboratory, never to be used again for DNS service. The old IPv6 address will continue to work indefinitely, but may ultimately be retired from service.
Simultaneous to the retirement of the old address on June 1, 2016, the ASN for H-root will change from 13 to 1508.
You can monitor the transition of queries to the new addresses at the following URL:
http://h.root-servers.org/old_vs_new.html
-- Howard Kash U.S. Army Research Laboratory
Just a heads up, even the latest CentOS 7 package has the wrong IPv4 and v6 address. Version : 9.9.4 Release : 18.el7_1.1 Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Mon, Nov 16, 2015 at 7:30 AM, Kash, Howard M CIV USARMY RDECOM ARL (US) < howard.m.kash.civ@mail.mil> wrote:
Friendly reminder...
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Kash, Howard M CIV USARMY RDECOM ARL (US) Sent: Monday, August 31, 2015 12:39 PM To: nanog@nanog.org Subject: Advance notice - H-root address change on December 1, 2015
This is advance notice that there is a scheduled change to the IP addresses for one of the authorities listed for the DNS root zone and the .ARPA TLD. The change is to H.ROOT-SERVERS.NET, which is administered by the U.S. Army Research Laboratory.
The new IPv4 address for this authority is 198.97.190.53.
The new IPv6 address for the authority is 2001:500:1::53.
This change is anticipated to be implemented in the root zone on 1 December 2015, however the new addresses are operational now. They will replace the previous IP addresses of 128.63.2.53 and 2001:500:1::803f:235 (also previously known as AOS.BRL.MIL and AOS.ARL.ARMY.MIL).
We encourage operators of DNS infrastructure to update any references to the old IP addresses and replace them with the new addresses. In particular, many DNS resolvers have a DNS root "hints" file. This should be updated with the new IP addresses.
New hints files will be available at the following URLs once the change has been formally executed on December 1:
http://www.internic.net/domain/named.root http://www.internic.net/domain/named.cache
The old IPv4 address will continue to work for six months after the transition (until 1 June 2016), at which point it will be retired from service. The address will remain under the control of the Army Research Laboratory, never to be used again for DNS service. The old IPv6 address will continue to work indefinitely, but may ultimately be retired from service.
Simultaneous to the retirement of the old address on June 1, 2016, the ASN for H-root will change from 13 to 1508.
You can monitor the transition of queries to the new addresses at the following URL:
http://h.root-servers.org/old_vs_new.html
-- Howard Kash U.S. Army Research Laboratory
Hi,
Just a heads up, even the latest CentOS 7 package has the wrong IPv4 and v6 address.
whilst the new H-ROOT is alive now, the official switch-over date is 1st December 2015 and the old address will be available for 6 months after that....so if any BIND package comes out AFTER 1st December with old addresses in it, THEN complain/warn ;-) alan
In message <20151116161939.GA3129@lboro.ac.uk>, A.L.M.Buxey@lboro.ac.uk writes:
Hi,
Just a heads up, even the latest CentOS 7 package has the wrong IPv4 and v6 address.
whilst the new H-ROOT is alive now, the official switch-over date is 1st December 2015 and the old address will be available for 6 months after that....so if any BIND package comes out AFTER 1st December with old addresses in it, THEN complain/warn ;-)
alan
And given that built in values can be overridden there isn't even a need to do that. Josh, If you want to complain about something useful. Complain that CentOS is still at BIND 9.9.4 rather than BIND 9.9.8. You are missing bug fixes. We ship maintainence releases for a reason. This is like saying. We know there are 360 fixes between 9.9.4 and 9.9.8 and we don't think you are going to need any of them despite other people discovering these bugs. [rock:~/git/bind9] marka% git diff v9_9_4 v9_9_8 CHANGES | grep '^+[34]' | wc 360 3385 22807 [rock:~/git/bind9] marka% Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
No. CentOS follows RedHat. They backport fixes to older versions rather than put the new version out. It appears that have aversion to new feature and just want to put the fixes onto the older versions. So that 9.9.4 probably has 60% of the changes that the diff of 9.9.4 has to 9.9.8 . This action confuses most. alan
In message <A94D98ED-538E-4B0E-B91D-AD63D485DB0F@lboro.ac.uk>, Alan Buxey writes:
No. CentOS follows RedHat. They backport fixes to older versions rather than put the new version out. It appears that have aversion to new feature and just want to put the fixes onto the older versions. So that 9.9.4 probably has 60% of the changes that the diff of 9.9.4 has to 9.9.8 . This action confuses most.
alan
The point of putting out maintainence releases is to fix bugs in the existing code not to introduce features. We leave features to the .0 releases. The [func] below are bug fixes / security fixes. Even with 60% of the changes one is missing a huge number of bug fixes. Mark diff --git a/CHANGES b/CHANGES index e3c5595..5929d64 100644 --- a/CHANGES +++ b/CHANGES @@ -1,8 +1,1220 @@ + --- 9.9.8 released --- + + --- 9.9.8rc1 released --- + +4193. [bug] Handle broken servers that return BADVERS incorrectly. + [RT #40427] + +4192. [bug] The default rrset-order of random was not always being + applied. [RT #40456] + +4191. [protocol] Accept DNS-SD non LDH PTR records in reverse zones + as per RFC 6763. [RT #37889] + +4190. [protocol] Accept Active Diretory gc._msdcs.<forest> name as + valid with check-names. <forest> still needs to be + LDH. [RT #40399] + +4189. [cleanup] Don't exit on overly long tokens in named.conf. + [RT #40418] + +4188. [bug] Support HTTP/1.0 client properly on the statistics + channel. [RT #40261] + +4187. [func] When any RR type implementation doesn't + implement totext() for the RDATA's wire + representation and returns ISC_R_NOTIMPLEMENTED, + such RDATA is now printed in unknown + presentation format (RFC 3597). RR types affected + include LOC(29) and APL(42). [RT #40317]. + +4183. [cleanup] Use timing-safe memory comparisons in cryptographic + code. Also, the timing-safe comparison functions have + been renamed to avoid possible confusion with + memcmp(). Thanks to Loganaden Velvindron of + AFRINIC. [RT #40148] + +4182. [cleanup] Use mnemonics for RR class and type comparisons. + [RT #40297] + +4181. [bug] Queued notify messages could be dequeued from the + wrong rate limiter queue. [RT #40350] + +4179. [bug] Fix double frees in getaddrinfo() in libirs. + [RT #40209] + +4178. [bug] Fix assertion failure in parsing UNSPEC(103) RR from + text. [RT #40274] + +4177. [bug] Fix assertion failure in parsing NSAP records from + text. [RT #40285] + +4176. [bug] Address race issues with lwresd. [RT #40284] + +4175. [bug] TKEY with GSS-API keys needed bigger buffers. + [RT #40333] + +4174. [bug] "dnssec-coverage -r" didn't handle time unit + suffixes correctly. [RT #38444] + +4173. [bug] dig +sigchase was not properly matching the trusted + key. [RT #40188] + +4172. [bug] Named / named-checkconf didn't handle a view of CLASS0. + [RT #40265] + +4171. [bug] Fixed incorrect class checks in TSIG RR + implementation. [RT #40287] + +4170. [security] An incorrect boundary check in the OPENPGPKEY + rdatatype could trigger an assertion failure. + (CVE-2015-5986) [RT #40286] + +4169. [test] Added a 'wire_test -d' option to read input as + raw binary data, for use as a fuzzing harness. + [RT #40312] + +4168. [security] A buffer accounting error could trigger an + assertion failure when parsing certain malformed + DNSSEC keys. (CVE-2015-5722) [RT #40212] + + --- 9.9.8b1 released --- + +4165. [security] A failure to reset a value to NULL in tkey.c could + result in an assertion failure. (CVE-2015-5477) + [RT #40046] + +4164. [bug] Don't rename slave files and journals on out of memory. + [RT #40033] + +4163. [bug] Address compiler warnings. [RT #40024] + +4162. [bug] httpdmgr->flags was not being initialized. [RT #40017] + +4159. [cleanup] Alphabetize dig's help output. [RT #39966] + +4158. [protocol] Support the printing of EDNS COOKIE and EXPIRE options. + [RT #39928] + +4154. [bug] A OPT record should be included with the FORMERR + response when there is a malformed EDNS option. + [RT #39647] + +4153. [bug] Check that non significant ECS bits are zero on + receipt. [RT #39647] + +4151. [bug] 'rndc flush' could cause a deadlock. [RT #39835] + +4150. [bug] win32: listen-on-v6 { any; }; was not working. Apply + minimal fix. [RT #39667] + +4149. [bug] Fixed a race condition in the getaddrinfo() + implementation in libirs. [RT #39899] + +4148. [bug] Fix a bug when printing zone names with '/' character + in XML and JSON statistics output. [RT #39873] + +4147. [bug] Filter-aaaa / filter-aaaa-on-v4 / filter-aaaa-on-v6 + was returning referrals rather than nodata responses + when the AAAA records were filtered. [RT #39843] + +4146. [bug] Address reference leak that could prevent a clean + shutdown. [RT #37125] + +4145. [bug] Not all unassociated adb entries where being printed. + [RT #37125] + +4143. [bug] serial-query-rate was not effective for notify. + [RT #39858] + +4142. [bug] rndc addzone with view specified saved NZF config + that could not be read back by named. This has now + been fixed. [RT #39845] + +4138. [security] An uninitialized value in validator.c could result + in an assertion failure. (CVE-2015-4620) [RT #39795] + +4137. [bug] Make rndc reconfig report configuration errors the + same way rndc reload does. [RT #39635] + +4132. [cleanup] dig: added +rd as a synonym for +recurse, + added +class as an unabbreviated alternative + to +cl. [RT #39686] + +4130. [bug] The compatibility shim for *printf() misprinted some + large numbers. [RT #39586] + +4129. [port] Address API changes in OpenSSL 1.1.0. [RT #39532] + +4128. [bug] Address issues raised by Coverity 7.6. [RT #39537] + +4127. [protocol] CDS and CDNSKEY need to be signed by the key signing + key as per RFC 7344, Section 4.1. [RT #37215] + +4123. [port] Added %z (size_t) format options to the portable + internal printf/sprintf implementation. [RT #39586] + +4118. [bug] Teach isc-config.sh about irs. [RT #39213] + +4117. [protocol] Add EMPTY.AS112.ARPA as per RFC 7534. + +4113. [test] Check for Net::DNS is some system test + prerequisites. [RT #39369] + +4112. [bug] Named failed to load when "root-delegation-only" + was used without a list of domains to exclude. + [RT #39380] + +4111. [doc] Alphabetize rndc man page. [RT #39360] + +4110. [bug] Address memory leaks / null pointer dereferences + on out of memory. [RT #39310] + +4109. [port] linux: support reading the local port range from + net.ipv4.ip_local_port_range. [RT # 39379] + +4107. [bug] Address potential deadlock when updating zone content. + [RT #39269] + +4106. [port] Improve readline support. [RT #38938] + +4105. [port] Misc fixes for Microsoft Visual Studio + 2015 CTP6 in 64 bit mode. [RT #39308] + +4104. [bug] Address uninitialized elements. [RT #39252] + +4102. [bug] Fix a use after free bug introduced in change + #4094. [RT #39281] + +4101. [bug] dig: the +split option didn't work with +short. + [RT #39291] + +4100. [bug] Inherited owernames on the line immediately following + a $INCLUDE were not working. [RT #39268] + +4099. [port] clang: make unknown commandline options hard errors + when determining what options are supported. + [RT #39273] + +4098. [bug] Address use-after-free issue when using a + predecessor key with dnssec-settime. [RT #39272] + +4097. [func] Add additional logging about xfrin transfer status. + [RT #39170] + +4096. [bug] Fix a use after free of query->sendevent. + [RT #39132] + +4094. [bug] A race during shutdown or reconfiguration could + cause an assertion in mem.c. [RT #38979] + +4091. [cleanup] Some cleanups in isc mem code. [RT #38896] + +4090. [bug] Fix a crash while parsing malformed CAA RRs in + presentation format, i.e., from text such as + from master files. Thanks to John Van de + Meulebrouck Brendgard for discovering and + reporting this problem. [RT #39003] + +4089. [bug] Send notifies immediately for slave zones during + startup. [RT #38843] + +4088. [port] Fixed errors when building with libressl. [RT #38899] + +4087. [bug] Fix a crash due to use-after-free due to sequencing + of tasks actions. [RT #38495] + +4085. [bug] ISC_PLATFORM_HAVEXADDQ could be inconsistently set. + [RT #38828] + +4084. [bug] Fix a possible race in updating stats counters. + [RT #38826] + +4082. [bug] Incrementally sign large inline zone deltas. + [RT #37927] + +4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759] + +4077. [test] Add static-stub regression test for DS NXDOMAIN + return making the static stub disappear. [RT #38564] + +4076. [bug] Named could crash on shutdown with outstanding + reload / reconfig events. [RT #38622] + +4075. [bug] Increase nsupdate's input buffer to accomodate + very large RRs. [RT #38689] + +4074. [cleanup] Cleaned up more warnings from gcc -Wshadow. [RT #38708] + +4073. [cleanup] Add libjson-c version number reporting to + "named -V"; normalize version number formatting. + [RT #38056] + +4072. [func] Add a --enable-querytrace configure switch for + very verbose query trace logging. (This option + has a negative performance impact and should be + used only for debugging.) [RT #37520] + +4070. [bug] Fix a segfault in nslookup in a query such as + "nslookup isc.org AMS.SNS-PB.ISC.ORG -all". + [RT #38548] + +4069. [doc] Reorganize options in the nsupdate man page. + [RT #38515] + +4067. [cleanup] Reduce noise from RRL when query logging is + disabled. [RT #38648] + +4066. [doc] Reorganize options in the dig man page. [RT #38516] + +4064. [contrib] dnssec-keyset.sh: Generates a specified number + of DNSSEC keys with timing set to implement a + pre-publication key rollover strategy. Thanks + to Jeffry A. Spain. [RT #38459] + +4063. [bug] Asynchronous zone loads were not handled + correctly when the zone load was already in + progress; this could trigger a crash in zt.c. + [RT #37573] + +4062. [bug] Fix an out-of-bounds read in RPZ code. If the + read succeeded, it doesn't result in a bug + during operation. If the read failed, named + could segfault. [RT #38559] + +3938. [func] Added quotas to be used in recursive resolvers + that are under high query load for names in zones + whose authoritative servers are nonresponsive or + are experiencing a denial of service attack. + + - "fetches-per-server" limits the number of + simultaneous queries that can be sent to any + single authoritative server. The configured + value is a starting point; it is automatically + adjusted downward if the server is partially or + completely non-responsive. The algorithm used to + adjust the quota can be configured via the + "fetch-quota-params" option. + - "fetches-per-zone" limits the number of + simultaneous queries that can be sent for names + within a single domain. (Note: Unlike + "fetches-per-server", this value is not + self-tuning.) + - New stats counters have been added to count + queries spilled due to these quotas. + + These options are not available by default; + use "configure --enable-fetchlimit" (or + --enable-developer) to include them in the build. + + See the ARM for details of these options. [RT #37125] + +3937. [func] Added some debug logging to better indicate the + conditions causing SERVFAILs when resolving. + [RT #35538] + + --- 9.9.7 released --- + + --- 9.9.7rc2 released --- + +4061. [bug] Handle timeout in legacy system test. [RT #38573] + +4060. [bug] dns_rdata_freestruct could be called on a + uninitialized structure when handling a error. + [RT #38568] + +4059. [bug] Addressed valgrind warnings. [RT #38549] + +4058. [bug] UDP dispatches could use the wrong pseudorandom + number generator context. [RT #38578] + +4056. [bug] Fixed several small bugs in automatic trust anchor + management, including a memory leak and a possible + loss of key state information. [RT #38458] + +4057. [bug] 'dnssec-dsfromkey -T 0' failed to add ttl field. + [RT #38565] + +4053. [security] Revoking a managed trust anchor and supplying + an untrusted replacement could cause named + to crash with an assertion failure. + (CVE-2015-1349) [RT #38344] + +4052. [bug] Fix a leak of query fetchlock. [RT #38454] + +4050. [bug] RPZ could send spurious SERVFAILs in response + to duplicate queries. [RT #38510] + +4049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491] + +4048. [bug] adb hash table was not being grown. [RT #38470] + + --- 9.9.7rc1 released --- + +4047. [cleanup] "named -V" now reports the current running versions + of OpenSSL and the libxml2 libraries, in addition to + the versions that were in use at build time. + +4046. [bug] Accounting of "total use" in memory context + statistics was not correct. [RT #38370] + +4045. [bug] Skip to next master on dns_request_createvia4 failure. + [RT #25185] + +4044. [bug] Change 3955 was not complete, resulting in an assertion + failure if the timing was just right. [RT #38352] + +4039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381] + +4038. [bug] Add 'rpz' flag to node and use it to determine whether + to call dns_rpz_delete. This should prevent unbalanced + add / delete calls. [RT #36888] + +4037. [bug] also-notify was ignoring the tsig key when checking + for duplicates resulting in some expected notify + messages not being sent. [RT #38369] + +4035. [bug] Close temporary and NZF FILE pointers before moving + the former into the latter's place, as required on + Windows. [RT #38332] + +4032. [bug] Built-in "empty" zones did not correctly inherit the + "allow-transfer" ACL from the options or view. + [RT #38310] + +4031. [bug] named-checkconf -z failed to report a missing file + with a hint zone. [RT #38294] + +4028. [bug] $GENERATE with a zero step was not being caught as a + error. A $GENERATE with a / but no step was not being + caught as a error. [RT #38262] + +3973. [test] Added hooks for Google Performance Tools CPU profiler, + including real-time/wall-clock profiling. Use + "configure --with-gperftools-profiler" to enable. + [RT #37339] + + --- 9.9.7b1 released --- + +4027. [port] Net::DNS 0.81 compatibility. [RT #38165] + +4026. [bug] Fix RFC 3658 reference in dig +sigchase. [RT #38173] + +4025. [port] bsdi: failed to build. [RT #38047] + +4024. [bug] dns_rdata_opt_first, dns_rdata_opt_next, + dns_rdata_opt_current, dns_rdata_txt_first, + dns_rdata_txt_next and dns_rdata_txt_current were + documented but not implemented. These have now been + implemented. + + dns_rdata_spf_first, dns_rdata_spf_next and + dns_rdata_spf_current were documented but not + implemented. The prototypes for these + functions have been removed. [RT #38068] + +4023. [bug] win32: socket handling with explicit ports and + invoking named with -4 was broken for some + configurations. [RT #38068] + +4021. [bug] Adjust max-recursion-queries to accommodate + the need for more queries when the cache is + empty. [RT #38104] + +4020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery + resulting in updates being sent to the wrong server. + [RT #37925] + +4019. [func] If named is not configured to validate the answer + then allow fallback to plain DNS on timeout even + when we know the server supports EDNS. [RT #37978] + +4018. [bug] Fall back to plain DNS when EDNS queries are being + dropped was failing. [RT #37965] + +4017. [test] Add system test to check lookups to legacy servers + with broken DNS behavior. [RT #37965] + +4016. [bug] Fix a dig segfault due to bad linked list usage. + [RT #37591] + +4015. [bug] Nameservers that are skipped due to them being + CNAMEs were not being logged. They are now logged + to category 'cname' as per BIND 8. [RT #37935] + +4014. [bug] When including a master file origin_changed was + not being properly set leading to a potentially + spurious 'inherited owner' warning. [RT #37919] + +4012. [bug] Check returned status of OpenSSL digest and HMAC + functions when they return one. Note this applies + only to FIPS capable OpenSSL libraries put in + FIPS mode and MD5. [RT #37944] + +4011. [bug] master's list port inheritance was not properly + implemented. [RT #37792] + +4007. [doc] Remove acl forward reference restriction. [RT #37772] + +4006. [security] A flaw in delegation handling could be exploited + to put named into an infinite loop. This has + been addressed by placing limits on the number + of levels of recursion named will allow (default 7), + and the number of iterative queries that it will + send (default 50) before terminating a recursive + query (CVE-2014-8500). + + The recursion depth limit is configured via the + "max-recursion-depth" option, and the query limit + via the "max-recursion-queries" option. [RT #37580] + +4004. [bug] When delegations had AAAA glue but not A, a + reference could be leaked causing an assertion + failure on shutdown. [RT #37796] + +4000. [bug] NXDOMAIN redirection incorrectly handled NXRRSET + from the redirect zone. [RT #37722] + +3998. [bug] isc_radix_search was returning matches that were + too precise. [RT #37680] + +3997. [protocol] Add OPENGPGKEY record. [RT# 37671] + +3996. [bug] Address use after free on out of memory error in + keyring_add. [RT #37639] + +3995. [bug] receive_secure_serial holds the zone lock for too + long. [RT #37626] + +3990. [testing] Add tests for unknown DNSSEC algorithm handling. + [RT #37541] + +3989. [cleanup] Remove redundant dns_db_resigned calls. [RT #35748] + +3987. [func] Handle future Visual Studio 14 incompatible changes. + [RT #37380] + +3986. [doc] Add the BIND version number to page footers + in the ARM. [RT #37398] + +3985. [doc] Describe how +ndots and +search interact in dig. + [RT #37529] + +3982. [doc] Include release notes in product documentation. + [RT #37272] + +3981. [bug] Cache DS/NXDOMAIN independently of other query types. + [RT #37467] + +3978. [test] Added a unit test for Diffie-Hellman key + computation, completing change #3974. [RT #37477] + +3976. [bug] When refreshing managed-key trust anchors, clear + any cached trust so that they will always be + revalidated with the current set of secure + roots. [RT #37506] + +3974. [bug] Handle DH_compute_key() failure correctly in + openssldh_link.c. [RT #37477] + +3972. [bug] Fix host's usage statement. [RT #37397] + +3971. [bug] Reduce the cascading failures due to a bad $TTL line + in named-checkconf / named-checkzone. [RT #37138] + +3970. [contrib] Fixed a use after free bug in the SDB LDAP driver. + [RT #37237] + +3968. [bug] Silence spurious log messages when using 'named -[46]'. + [RT #37308] + +3967. [test] Add test for inlined signed zone in multiple views + with different DNSKEY sets. [RT #35759] + +3966. [bug] Missing dns_db_closeversion call in receive_secure_db. + [RT #35746] + +3962. [bug] 'dig +topdown +trace +sigchase' address unhandled error + conditions. [RT #34663] + +3961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with + BADSIG. [RT #37216] + +3960. [bug] 'dig +sigchase' could loop forever. [RT #37220] + +3959. [bug] Updates could be lost if they arrived immediately + after a rndc thaw. [RT #37233] + +3958. [bug] Detect when writeable files have multiple references + in named.conf. [RT #37172] + +3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256 + and ECDSAP384SHA384. [RT #37183] + +3955. [bug] Notify messages due to changes are no longer queued + behind startup notify messages. [RT #24454] + +3954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112] + +3953. [bug] Don't escape semi-colon in TXT fields. [RT #37159] + +3952. [bug] dns_name_fullcompare failed to set *nlabelsp when the + two name pointers were the same. [RT #37176] + + --- 9.9.6 released --- + +3950. [port] Changed the bin/python Makefile to work around a + bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] + + --- 9.9.6rc2 released --- + +3947. [cleanup] Set the executable bit on libraries when using + libtool. [RT #36786] + +3946. [cleanup] Improved "configure" search for a python interpreter. + [RT #36992] + +3945. [bug] Invalid wildcard expansions could be incorrectly + accepted by the validator. [RT #37093] + +3944. [test] Added a regression test for "server-id". [RT #37057] + +3942. [bug] Wildcard responses from a optout range should be + marked as insecure. [RT #37072] + +3941. [doc] Include the BIND version number in the ARM. [RT #37067] + + --- 9.9.6rc1 released --- + +3933. [bug] Corrected the implementation of dns_rdata_casecompare() + for the HIP rdata type. [RT #36911] + +3932. [test] Improved named-checkconf tests. [RT #36911] + +3931. [cleanup] Cleanup how dlz grammar is defined. [RT #36879] + +3929. [bug] 'host -a' needed to clear idnoptions. [RT #36963] + +3928. [test] Improve rndc system test. [RT #36898] + +3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917] + +3924. [bug] Improve 'rndc addzone' error reporting. [RT #35187] + +3923. [bug] Sanity check the xml2-config output. [RT #22246] + +3922. [bug] When resigning, dnssec-signzone was removing + all signatures from delegation nodes. It now + retains DS and (if applicable) NSEC signatures. + [RT #36946] + +3921. [bug] AD was inappropriately set on RPZ responses. [RT #36833] + +3919. [bug] dig: continue to next line if a address lookup fails + in batch mode. [RT #36755] + +3918. [doc] Update check-spf documentation. [RT #36910] + +3917. [bug] dig, nslookup and host now continue on names that are + too long after applying a search list elements. + [RT #36892] + +3916. [contrib] zone2sqlite checked wrong result code. Address + compiler warnings. [RT #36931] + + --- 9.9.6b2 released --- + +3914. [bug] Allow the URI target and CAA value fields to + be zero length. [RT #36737] + +3913. [bug] Address race issue in dispatch. [RT #36731] + +3910. [bug] Fix races to free event during shutdown. [RT #36720] + +3909. [bug] When computing the number of elements required for a + acl count_acl_elements could have a short count leading + to a assertion failure. Also zero out new acl elements + in dns_acl_merge. [RT #36675] + +3908. [bug] rndc now differentiates between a zone in multiple + views and a zone that doesn't exist at all. [RT #36691] + +3907. [cleanup] Alphabetize rndc help. [RT #36683] + +3906. [protocol] Update URI record format to comply with + draft-faltstrom-uri-08. [RT #36642] + +3905. [bug] Address deadlock between view.c and adb.c. [RT #36341] + +3904. [func] Add the RPZ SOA to the additional section. [RT36507] + +3903. [bug] Improve the accuracy of DiG's reported round trip + time. [RT 36611] + +3902. [bug] liblwres wasn't handling link-local addresses in + nameserver clauses in resolv.conf. [RT #36039] + +3901. [protocol] Added support for CAA record type (RFC 6844). + [RT #36625] + +3900. [bug] Fix a crash in PostgreSQL DLZ driver. [RT #36637] + +3899. [bug] "request-ixfr" is only applicable to slave and redirect + zones. [RT #36608] + +3898. [bug] Too small a buffer in tohexstr() calls in test code. + [RT #36598] + +3894. [bug] Buffers in isc_print_vsnprintf were not properly + initialized leading to potential overflows when + printing out quad values. [RT #36505] + +3892. [bug] Setting '-t aaaa' in .digrc had unintended side + effects. [RT #36452] + +3891. [bug] Use ${INSTALL_SCRIPT} rather than ${INSTALL_PROGRAM} + to install python programs. + +3890. [bug] RRSIG sets that were not loaded in a single transaction + at start up where not being correctly added to + re-signing heaps. [RT #36302] + +3889. [port] hurd: configure fixes as per: + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746540 + +3887. [cleanup] Make all static symbols in rbtdb64 end in "64" so + they are easier to use in a debugger. [RT #36373] + + --- 9.9.6b1 released --- + +3885. [port] Use 'open()' rather than 'file()' to open files in + python. + +3884. [protocol] Add CDS and CDNSKEY record types. [RT #36333] + +3881. [bug] Address memory leak with UPDATE error handling. + [RT #36303] + +3880. [test] Update ans.pl to work with new TSIG support in + Net::DNS; add additional Net::DNS version prerequisite + checks. [RT #36327] + +3879. [func] Add version printing option to various BIND utilities. + [RT #10686] + +3878. [bug] Using the incorrect filename for a DLZ module + caused a segmentation fault on startup. [RT #36286] + +3874. [test] Check that only "check-names master" is needed for + updates to be accepted. + +3873. [protocol] Only warn for SPF without TXT spf record. [RT #36210] + +3872. [bug] Address issues found by static analysis. [RT #36209] + +3871. [bug] Don't publish an activated key automatically before + its publish time. [RT #35063] + +3868. [bug] isc_mem_setwater incorrectly cleared hi_called + potentially leaving over memory cleaner running. + [RT #35270] + +3866. [bug] Named could die on disk full in generate_session_key. + [RT #36119] + +3864. [bug] RPZ didn't work well when being used as forwarder. + [RT #36060] + +3862. [cleanup] Return immediately if we are not going to log the + message in ns_client_dumpmessage. + +3861. [bug] Benign missing isc_buffer_availablelength check in + dns_message_pseudosectiontotext. [RT #36078] + +3860. [bug] ioctl(DP_POLL) array size needs to be determined + at run time as it is limited to {OPEN_MAX}. + [RT #35878] + +3858. [bug] Disable GCC 4.9 "delete null pointer check". + [RT #35968] + +3857. [bug] Make it harder for a incorrect NOEDNS classification + to be made. [RT #36020] + +3855. [bug] Limit smoothed round trip time aging to no more than + once a second. [RT #32909] + +3854. [cleanup] Report unrecognized options, if any, in the final + configure summary. [RT #36014] + +3853. [cleanup] Refactor dns_rdataslab_fromrdataset to separate out + the handling of a rdataset with no records. [RT #35968] + +3849. [doc] Alphabetized dig's +options. [RT #35992] + +3847. [bug] 'configure --with-dlz-postgres' failed to fail when + there is not support available. + +3846. [bug] "dig +notcp ixfr=<serial>" should result in a UDP + ixfr query. [RT #35980] + +3844. [bug] Use the x64 version of the Microsoft Visual C++ + Redistributable when built for 64 bit Windows. + [RT #35973] + +3843. [protocol] Check EDNS EXPIRE option in dns_rdata_fromwire. + [RT #35969] + +3842. [bug] Adjust RRL log-only logging category. [RT #35945] + +3841. [cleanup] Refactor zone.c:add_opt to use dns_message_buildopt. + [RT #35924] + +3840. [port] Check for arc4random_addrandom() before using it; + it's been removed from OpenBSD 5.5. [RT #35907] + +3839. [test] Use only posix-compatible shell in system tests. + [RT #35625] + +3838. [protocol] EDNS EXPIRE as been assigned a code point of 9. + +3836. [bug] Address C++ keyword usage in header file. + +3834. [bug] The re-signing heaps were not being updated soon enough + leading to multiple re-generations of the same RRSIG + when a zone transfer was in progress. [RT #35273] + +3833. [bug] Cross compiling was broken due to calling genrandom at + build time. [RT #35869] + +3827. [contrib] The example DLZ driver (a version of which is + also used in the dlzexternal system test) could + use absolute names as relative. [RT #35802] + +3826. [bug] Corrected bad INSIST logic in isc_radix_remove(). + [RT #35870] + +3825. [bug] Address sign extension bug in isc_regex_validate. + [RT #35758] + +3824. [bug] A collision between two flag values could cause + problems with cache cleaning. [RT #35858] + +3822. [bug] Log the correct type of static-stub zones when + removing them. [RT #35842] + +3819. [bug] NSEC3 hashes need to be able to be entered and + displayed without padding. This is not a issue for + currently defined algorithms but may be for future + hash algorithms. [RT #27925] + +3818. [bug] Stop lying to the optimizer that 'void *arg' is a + constant in isc_event_allocate. + +3815. [doc] Clarify "nsupdate -y" usage in man page. [RT #35808] + +3809. [doc] Fix NSID documentation. + +3807. [bug] Fix sign extension bug in dns_name_fromtext when + lowercase is set. [RT #35743] + +3806. [test] Improved system test portability. [RT #35625] + +3805. [contrib] Added contrib/perftcpdns, a performance testing tool + for DNS over TCP. [RT #35710] + +3804. [bug] Corrected a race condition in dispatch.c in which + portentry could be reset leading to an assertion + failure in socket_search(). (Change #3708 + addressed the same issue but was incomplete.) + [RT #35128] + +3803. [bug] "named-checkconf -z" incorrectly rejected zones + using alternate data sources for not having a "file" + option. [RT #35685] + +3802. [bug] Various header files were not being installed. + +3801. [port] Fix probing for gssapi support on FreeBSD. [RT #35615] + +3799. [bug] Improve named's command line error reporting. + [RT #35603] + +3796. [bug] Register dns error codes. [RT #35629] + +3795. [bug] Make named-checkconf detect raw masterfiles for + hint zones and reject them. [RT #35268] + +3794. [maint] Added AAAA for C.ROOT-SERVERS.NET. + +3793. [bug] zone.c:save_nsec3param() could assert when out of + memory. [RT #35621] + +3792. [func] Provide links to the alternate statistics views when + displaying in a browser. [RT #35605] + +3791. [bug] solaris: remove extraneous return. [RT #35589] + +3787. [bug] The code that checks whether "auto-dnssec" is + allowed was ignoring "allow-update" ACLs set at + the options or view level. [RT #29536] + +3780. [bug] $GENERATE handled negative numbers incorrectly. + [RT #25528] + +3779. [cleanup] Clarify the error message when using an option + that was not enabled at compile time. [RT #35504] + +3778. [bug] Log a warning when the wrong address family is + used in "listen-on" or "listen-on-v6". [RT #17848] + +3775. [bug] dlz_dlopen driver could return the wrong error + code on API version mismatch, leading to a segfault. + [RT #35495] + +3773. [func] "host", "nslookup" and "nsupdate" now have + options to print the version number and exit. + [RT #26057] + +3770. [bug] "dig +trace" could fail with an assertion when it + needed to fall back to TCP due to a truncated + response. [RT #24660] + +3769. [doc] Improved documentation of "rndc signing -list". + [RT #30652] + +3768. [bug] "dnssec-checkds" was missing the SHA-384 digest + algorithm. [RT #34000] + +3767. [func] Log explicitly when using rndc.key to configure + command channel. [RT #35316] + +3765. [bug] Fixed a bug in "rndc secroots" that could crash + named when dumping an empty keynode. [RT #35469] + +3764. [bug] The dnssec-keygen/settime -S and -i options + (to set up a successor key and set the prepublication + interval) were missing from dnssec-keyfromlabel. + [RT #35394] + +3761. [bug] Address dangling reference bug in dns_keytable_add. + [RT #35471] + +3757. [port] Enable Python tools (dnssec-coverage, + dnssec-checkds) to run on Windows. [RT #34355] + +3756. [bug] GSSAPI Kerberos realm checking was broken in + check_config leading to spurious messages being + logged. [RT #35443] + +3754. [cleanup] win32: Installer now places files in the + Program Files area rather than system services. + [RT #35361] + +3753. [bug] allow-notify was ignoring keys. [RT #35425] + +3751. [tuning] The default setting for the -U option (setting + the number of UDP listeners per interface) has + been adjusted to improve performance. [RT #35417] + +3747. [bug] A race condition could lead to a core dump when + destroying a resolver fetch object. [RT #35385] + +3743. [bug] delegation-only flag wasn't working in forward zone + declarations despite being documented. This is + needed to support turning off forwarding and turning + on delegation only at the same name. [RT #35392] + +3742. [port] linux: libcap support: declare curval at start of + block. [RT #35387] + +3740. [contrib] Minor fixes to configure --with-dlz-bdb, + --with-dlz-postgres and --with-dlz-odbc. [RT #35340] + +3737. [bug] 'rndc retransfer' could trigger a assertion failure + with inline zones. [RT #35353] + +3736. [bug] nsupdate: When specifying a server by name, + fall back to alternate addresses if the first + address for that name is not reachable. [RT #25784] + +3734. [bug] Improve building with libtool. [RT #35314] + +3732. [contrib] Fixed a type mismatch causing the ODBC DLZ + driver to dump core on 64-bit systems. [RT #35324] + +3731. [func] Added a "no-case-compress" ACL, which causes + named to use case-insensitive compression + (disabling change #3645) for specified + clients. (This is useful when dealing + with broken client implementations that + use case-sensitive name comparisons, + rejecting responses that fail to match the + capitalization of the query that was sent.) + [RT #35300] + +3730. [cleanup] Added "never" as a synonym for "none" when + configuring key event dates in the dnssec tools. + [RT #35277] + +3729. [bug] dnssec-keygen could set the publication date + incorrectly when only the activation date was + specified on the command line. [RT #35278] + +3724. [bug] win32: Fixed a bug that prevented dig and + host from exiting properly after completing + a UDP query. [RT #35288] + +3720. [bug] Address compiler warnings. [RT #35261] + +3719. [bug] Address memory leak in in peer.c. [RT #35255] + +3718. [bug] A missing ISC_LINK_INIT in log.c. [RT #35260] + +3714. [test] System tests that need to test for cryptography + support before running can now use a common + "testcrypto.sh" script to do so. [RT #35213] + +3713. [bug] Save memory by not storing "also-notify" addresses + in zone objects that are configured not to send + notify requests. [RT #35195] + + --- 9.9.5 released --- + + --- 9.9.5rc2 released --- + +3710. [bug] Address double dns_zone_detach when switching to + using automatic empty zones from regular zones. + [RT #35177] + +3709. [port] Use built-in versions of strptime() and timegm() + on all platforms to avoid portability issues. + [RT #35183] + +3708. [bug] Address a portentry locking issue in dispatch.c. + [RT #35128] + +3707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND + on a missing resolv.conf file and initializes the + structure as if it had been configured with: + + nameserver ::1 + nameserver 127.0.0.1 + + Note: Callers will need to be updated to treat + ISC_R_FILENOTFOUND as a qualified success or else + they will leak memory. The following code fragment + will work with both old and new versions without + changing the behaviour of the existing code. + + resconf = NULL; + result = irs_resconf_load(mctx, "/etc/resolv.conf", + &resconf); + if (result != ISC_SUCCESS) { + if (resconf != NULL) + irs_resconf_destroy(&resconf); + .... + } + + [RT #35194] + +3706. [contrib] queryperf: Fixed a possible integer overflow when + printing results. [RT #35182] + +3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185] + + --- 9.9.5rc1 released --- + +3701. [func] named-checkconf can now obscure shared secrets + when printing by specifying '-x'. [RT #34465] + +3699. [bug] Improvements to statistics channel XSL stylesheet: + the stylesheet can now be cached by the browser; + section headers are omitted from the stats display + when there is no data in those sections to be + displayed; counters are now right-justified for + easier readability. (Only available with + configure --enable-newstats.) [RT #35117] + +3698. [cleanup] Replaced all uses of memcpy() with memmove(). + [RT #35120] + +3697. [bug] Handle "." as a search list element when IDN support + is enabled. [RT #35133] + +3696. [bug] dig failed to handle AXFR style IXFR responses which + span multiple messages. [RT #35137] + +3695. [bug] Address a possible race in dispatch.c. [RT #35107] + +3694. [bug] Warn when a key-directory is configured for a zone, + but does not exist or is not a directory. [RT #35108] + +3693. [security] memcpy was incorrectly called with overlapping + ranges resulting in malformed names being generated + on some platforms. This could cause INSIST failures + when serving NSEC3 signed zones (CVE-2014-0591). + [RT #35120] + +3692. [bug] Two calls to dns_db_getoriginnode were fatal if there + was no data at the node. [RT #35080] + +3690. [bug] Iterative responses could be missed when the source + port for an upstream query was the same as the + listener port (53). [RT #34925] + +3689. [bug] Fixed a bug causing an insecure delegation from one + static-stub zone to another to fail with a broken + trust chain. [RT #35081] + + --- 9.9.5b1 released --- + +3688. [bug] loadnode could return a freed node on out of memory. + [RT #35106] + +3687. [bug] Address null pointer dereference in zone_xfrdone. + [RT #35042] + +3686. [func] "dnssec-signzone -Q" drops signatures from keys + that are still published but no longer active. + [RT #34990] + +3685. [bug] "rndc refresh" didn't work correctly with slave + zones using inline-signing. [RT #35105] + +3683. [cleanup] Add a more detailed "not found" message to rndc + commands which specify a zone name. [RT #35059] + +3682. [bug] Correct the behavior of rndc retransfer to allow + inline-signing slave zones to retain NSEC3 parameters + instead of reverting to NSEC. [RT #34745] + +3681. [port] Update the Windows build system to support feature + selection and WIN64 builds. This is a work in + progress. [RT #34160] + +3679. [bug] dig could fail to clean up TCP sockets still + waiting on connect(). [RT #35074] + +3678. [port] Update config.guess and config.sub. [RT #35060] + +3677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple + times. [RT #35073] + +3676. [bug] "named-checkconf -z" now checks zones of type + hint and redirect as well as master. [RT #35046] + +3675. [misc] Provide a place for third parties to add version + information for their extensions in the version + file by setting the EXTENSIONS variable. + +3674. [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026] + +3672. [func] Local address can now be specified when using + dns_client API. [RT #34811] + +3671. [bug] Don't allow dnssec-importkey overwrite a existing + non-imported private key. + +3670. [bug] Address read after free in server side of + lwres_getrrsetbyname. [RT #29075] + +3669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001] + +3668. [bug] Fix cast in lex.c which could see 0xff treated as eof. + [RT #34993] + +3667. [test] dig: add support to keep the TCP socket open between + successive queries (+[no]keepopen). [RT #34918] + +3665. [bug] Failure to release lock on error in receive_secure_db. + [RT #34944] + +3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list + locking and other bugs. [RT #34855] + +3663. [bug] Address bugs in dns_rdata_fromstruct and + dns_rdata_tostruct for WKS and ISDN types. [RT #34910] + +3662. [bug] 'host' could die if a UDP query timed out. [RT #34870] + +3661. [bug] Address lock order reversal deadlock with inline zones. + [RT #34856] + +3660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config". + [RT #23825] + +3659. [port] solaris: don't add explicit dependencies/rules for + python programs as make won't use the implicit rules. + [RT #34835] + +3658. [port] linux: Address platform specific compilation issue + when libcap-devel is installed. [RT #34838] + +3657. [port] Some readline clones don't accept NULL pointers when + calling add_history. [RT #34842] + +3656. [security] Treat an all zero netmask as invalid when generating + the localnets acl. (The prior behavior could + allow unexpected matches when using some versions + of Winsock: CVE-2013-6320.) [RT #34687] + +3655. [cleanup] Simplify TCP message processing when requesting a + zone transfer. [RT #34825] + +3654. [bug] Address race condition with manual notify requests. + [RT #34806] + +3653. [func] Create delegations for all "children" of empty zones + except "forward first". [RT #34826] + +3651. [tuning] Adjust when a master server is deemed unreachable. + [RT #27075] + +3650. [tuning] Use separate rate limiting queues for refresh and + notify requests. [RT #30589] + +3649. [cleanup] Include a comment in .nzf files, giving the name of + the associated view. [RT #34765] + +3648. [test] Updated the ATF test framework to version 0.17. + [RT #25627] + +3647. [bug] Address a race condition when shutting down a zone. + [RT #34750] + +3646. [bug] Journal filename string could be set incorrectly, + causing garbage in log messages. [RT #34738] + +3645. [protocol] Use case sensitive compression when responding to + queries. [RT #34737] + +3644. [protocol] Check that EDNS subnet client options are well formed. + [RT #34718] + +3642. [func] Allow externally generated DNSKEY to be imported + into the DNSKEY management framework. A new tool + dnssec-importkey is used to do this. [RT #34698] + +3641. [bug] Handle changes to sig-validity-interval settings + better. [RT #34625] + +3640. [bug] ndots was not being checked when searching. Only + continue searching on NXDOMAIN responses. Add the + ability to specify ndots to nslookup. [RT #34711] + +3639. [bug] Treat type 65533 (KEYDATA) as opaque except when used + in a key zone. [RT #34238] + --- 9.9.4 released --- -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
This action by red hat is nice from a stability perspective but infuriates many standards derived folks like ISC/BIND and NTP amongst others as a version number means something to them. This dialogue is typically broken from both sides as expectations are different and bug reports get lost between the OS packaging and the supplier packaging. Sometimes this is good other times it can be quite bad. I would prefer to see fewer variants and better bug fixes across the board but the enterprise side often want a specific version number and expect fixes that the upstream maintainers don't want to keep the same version numbering for "that fix" or add a stealth feature and red hat may not want to pick it up... Not saying who is right or wrong but these views sometimes drive the intractable situation where 4.2.6 is shipped for NTP from red hat (as example) but it is EOL from the NTP.org folks. The good news is most people don't need all 13 hints, or more when you consider them dual stacked like all new DNS servers are :-) Either way it's confusing to everyone involved and why I generally track fedora myself. Jared Mauch
On Nov 16, 2015, at 7:16 PM, Mark Andrews <marka@isc.org> wrote:
In message <A94D98ED-538E-4B0E-B91D-AD63D485DB0F@lboro.ac.uk>, Alan Buxey writes:
No. CentOS follows RedHat. They backport fixes to older versions rather than put the new version out. It appears that have aversion to new feature and just want to put the fixes onto the older versions. So that 9.9.4 probably has 60% of the changes that the diff of 9.9.4 has to 9.9.8 . This action confuses most.
alan
The point of putting out maintainence releases is to fix bugs in the existing code not to introduce features. We leave features to the .0 releases. The [func] below are bug fixes / security fixes.
Even with 60% of the changes one is missing a huge number of bug fixes.
On 11/16/15 4:55 PM, Jared Mauch wrote:
This action by red hat is nice from a stability perspective but infuriates many standards derived folks like ISC/BIND and NTP amongst others as a version number means something to them.
This dialogue is typically broken from both sides as expectations are different and bug reports get lost between the OS packaging and the supplier packaging. Sometimes this is good other times it can be quite bad.
I would prefer to see fewer variants and better bug fixes across the board but the enterprise side often want a specific version number and expect fixes that the upstream maintainers don't want to keep the same version numbering for "that fix" or add a stealth feature and red hat may not want to pick it up...
Not saying who is right or wrong but these views sometimes drive the intractable situation where 4.2.6 is shipped for NTP from red hat (as example) but it is EOL from the NTP.org folks.
Red Hat has known for YEARS that we only have the resources to support one stable code branch, and that if they want support for older versions we can offer that at cost. Nobody has ever approached us about support for older releases of NTP. The folks who scream the loudest about our not supporting older releases are the folks who charge their customers money for support. These same companies do nothing to support us. Anybody can see the list of companies that support NTP at: http://nwtime.org/current-members-donors/ The free software companies listed there do not give us any money.
On Nov 16, 2015, at 7:16 PM, Mark Andrews <marka@isc.org> wrote:
The point of putting out maintainence releases is to fix bugs in the existing code not to introduce features. We leave features to the .0 releases. The [func] below are bug fixes / security fixes.
Even with 60% of the changes one is missing a huge number of bug fixes.
In NTP's case, we fixed over 1100 things between 4.2.6 and 4.2.8. Skippy (Harlan'e evil twin brother)
Mark Andrews <marka@isc.org> writes:
The [func] below are bug fixes / security fixes.
Umh, using a very relaxed definition maybe... I was very happy to see this feature added in 9.9.8, and I can certainly agree that it is security related. But I hardly think it is suitable for the strict "no new features" policy that many stable distros enforce:
+3938. [func] Added quotas to be used in recursive resolvers + that are under high query load for names in zones + whose authoritative servers are nonresponsive or + are experiencing a denial of service attack. + + - "fetches-per-server" limits the number of + simultaneous queries that can be sent to any + single authoritative server. The configured + value is a starting point; it is automatically + adjusted downward if the server is partially or + completely non-responsive. The algorithm used to + adjust the quota can be configured via the + "fetch-quota-params" option. + - "fetches-per-zone" limits the number of + simultaneous queries that can be sent for names + within a single domain. (Note: Unlike + "fetches-per-server", this value is not + self-tuning.) + - New stats counters have been added to count + queries spilled due to these quotas. + + These options are not available by default; + use "configure --enable-fetchlimit" (or + --enable-developer) to include them in the build. + + See the ARM for details of these options. [RT #37125]
Yes, I know they could still upgrade to 9.9.8 without this particular feature, by simply not enabling it in the build. But the restricted feature set policy tends to be applied on a source level. Playing the devil's advocate here... As I said, I was really happy to see this feature in 9.9.8 myself. Bjørn
participants (8)
-
A.L.M.Buxey@lboro.ac.uk
-
Alan Buxey
-
Bjørn Mork
-
Harlan Stenn
-
Jared Mauch
-
Josh Luthman
-
Kash, Howard M CIV USARMY RDECOM ARL (US)
-
Mark Andrews