new stats that were added for 9.10 (changes 3319-3326) were not
all updated when the new statistics schema was merged (change 3418).
3484. [bug] Some statistics were incorrectly rendered in XML.
[RT #32587]
- rndc zonestatus now checks the signing time on the
signed, not raw, db when looking at inline-signing zones
3476. [bug] "rndc zonestatus" could report a spurious "not
found" error on inline-signing zones. [RT #29226]
- check for NSEC3 in empty nodes when not due to optout delegations
- fixed typo in output ("Bad record NSEC record")
- incidentally fixed an error in signzone that caused an
incorrect warning about missing DNSKEYs when using -S
and -3 together
3473. [bug] dnssec-signzone/verify could incorrectly report
an error condition due to an empty node above an
opt-out delegation lacking an NSEC3. [RT #32072]
3472. [bug] The active-connections counter in the socket
statistics could underflow. [RT #31747]
(cherry picked from commit 4dfe072abe4e76f5078a38ea0b97800333290877)
- handle malformed answers from DLZ better:
- handle dlz_lookup errors better:
when the first lookup of a name returns an unexpected failure code,
we return it to the caller rather than continuing on to look up
the wildcard. we now only continue processing if the return from
the first lookup was either ISC_R_SUCCESS or ISC_R_NOTFOUND.
- improved backward-compatibility for dlz_version:
added a DLZ_DLOPEN_AGE value indicating how many versions
back from the current DLZ_DLOPEN_VERSION named will support
3468. [security] RPZ rules to generate A records (but not AAAA records)
could trigger an assertion failure when used in
conjunction with DNS64. [RT #32141]
