[master] add missing functional changes to README

CHANGES

@@ -1204,7 +1204,7 @@
 			zone to be updated via "rndc signing -serial".
 			[RT #37404]
 
-3987.	[func]		Handle future Visual Studio 14 incompatible changes.
+3987.	[port]		Handle future Visual Studio 14 incompatible changes.
 			[RT #37380]
 
 3986.	[doc]		Add the BIND version number to page footers

README

@@ -76,21 +76,42 @@ BIND 9.11.0
 	    Unlike "fetches-per-server", this value is not self-tuning.)
 	  + New stats counters have been added to count
 	    queries spilled due to these quotas.
+	- The experimental "SIT" feature in BIND 9.10 has been renamed
+	  "COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
+	  enabling clients to detect off-path spoofed responses, and
+	  servers to detect spoofed-source queries.  Clients that identify
+	  themselves using COOKIE options are not subject to response rate
+	  limiting (RRL) and can receive larger UDP responses.
+	- SERVFAIL responses can now be cached for a limited time
+	  (defaulting to 1 second, with an upper limit of 30).
+	  This can reduce the frequency of retries when a query is
+	  persistently failing.
+	- The "controls" block in named.conf can now grand read-only
+	  "rndc" access to specified clients or keys. Read-only clients
+	  could, for example, check "rndc status" but could not
+	  reconfigure or shut down the server.
+	- "rndc" commands can now return arbitrarily large amounts of
+	  text to the caller.
 	- The zone serial number of a dynamically updatable zone
 	  can now be set via "rndc signing -serial <number> <zonename>".
 	  This allows inline-signing zones to be set to a specific
 	  serial number.
-	- SERVFAIL responses can now be cached for a limited time
+	- The new "rndc nta" command can be used to set a Negative
-	  (defaulting to 10 seconds, with an upper limit of 30).
+	  Trust Anchor (NTA), disabling DNSSEC validation for a
-	  This can reduce the frequency of retries when a query is
+	  specific domain; this can be used when responses from a
-	  persistently failing.
+	  domain are known to be failing validation due to administrative
-	- The new "rndc nta" command can be used to set a "negative
+	  error rather than because of a spoofing attack.  Negative
-	  trust anchor", disabling DNSSEC validation for a specific
+	  trust anchors are strictly temporary; by default they expire
-	  domain; this can be used when responses from a domain are
+	  after one hour, but can be configured to last up to one week.
-	  known to be failing validation due to administrative error
+	- "rndc delzone" can now be used on zones that were not originally
-	  rather than because of a spoofing attack. Negative trust
+	  created by "rndc addzone".
-	  anchors are strictly temporary; by default they expire after
+	- "rndc modzone" reconfigures a single zone, without requiring
-	  one hour, but can be configured to last up to one week.
+	  the entire server to be reconfigured.
+	- "rndc showzone" displays the current configuration of a zone.
+	- "rndc managed-keys" can be used to check the status of RFC 5001
+	  managed trust anchors, or to force trust anchors to be refreshed.
+	- "max-cache-size" can now be set to a percentage of available
+	  memory. The default is 90%.
 	- Update forwarding performance has been improved by allowing
 	  a single TCP connection to be shared by multiple updates.
 	- The EDNS Client Subnet (ECS) option is now supported for
@@ -103,24 +124,55 @@ BIND 9.11.0
 	  side, allowing a slave server to set the expiration timer
 	  correctly when transferring zone data from another slave
 	  server.
+	- The key generation and manipulation tools (dnssec-keygen,
+	  dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
+	  take "-Psync" and "-Dsync" options to set the publication
+	  and deletion times of CDS and CDNSKEY parent-synchronization
+	  records.  Both named and dnssec-signzone can now publish and
+	  remove these records at the scheduled times.
 	- A new "masterfile-style" zone option controls the formatting
 	  of text zone files:  When set to "full", a zone file is dumped
 	  in single-line-per-record format.
-	- "dig +ttlunits" causes dig to print TTL values with time-unit
-	  suffixes: w, d, h, m, s for weeks, days, hours, minutes, and
-	  seconds.
 	- "serial-update-method" can now be set to "date". On update,
 	  the serial number will be set to the current date in YYYYMMDDNN
 	  format.
 	- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
 	- "named -L <filename>" causes named to send log messages to
 	   the specified file by default instead of to the system log.
-	- dig can now set arbitrary EDNS options on requests (+ednsopt).
+	- "dig +ttlunits" prints TTL values with time-unit suffixes:
-	- dig can now set yet-to-be-defined EDNS flags on requests (+ednsflags).
+	  w, d, h, m, s for weeks, days, hours, minutes, and seconds.
-	- serial-query-rate no longer covers NOTIFY messages.  These are
+	- "dig +unknownformat" prints dig output in RFC 3597 "unknown
-	  separately controlled by notify-rate and startup-notify-rate.
+	  record" presentation format.
-	- nsupdate now performs check-names processing by default on records
+	- "dig +ednsopt" allows dig to set arbitrary EDNS options on
-	  to be added.  This can be disabled with "check-names no".
+	  requests.
+	- "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
+	  flags on requests.
+	- "mdig" is an alternate version of dig which sends multiple
+	  pipelined TCP queries to a server.  Instead of waiting for a
+	  response after sending a query, it sends all queries
+	  immediately and displays responses in the order received.
+	- "serial-query-rate" no longer controls NOTIFY messages.
+	  These are separately controlled by "notify-rate" and
+	  "startup-notify-rate".
+	- "nsupdate" now performs "check-names" processing by default
+	  on records to be added.  This can be disabled with
+	  "check-names no".
+	- The statistics channel now supports DEFLATE compression,
+	  reducing the size of the data sent over the network when
+	  querying statistics.
+	- New counters have been added to the statistics channel
+	  to track the sizes of incoming queries and outgoing responses in
+	  histogram buckets, as specified in RSSAC002.
+	- An new NXDOMAIN redirect method (option "nxdomain-redirect")
+	  has been added, allowing redirection to a specified DNS
+	  namespace instead of a single redirect zone.
+	- When starting up, named now ensures that no other named
+	  process is already running.
+	- Files created by named to store information, including "mkeys"
+	  and "nzf" files, are now named after their corresponding views
+	  unless the view name contains characters incompatible with use
+	  as a filename. Old style filenames (based on the hash of the
+	  view name) will still work.
 
 	This release addresses the security flaws described in
 	CVE-2014-3214, CVE-2014-3859, CVE-2014-8500, CVE-2014-8680,