CHANGES

[2025] Changes in RELEASE_1_9 from RELEASE_1_8

None, yet, see updates after February 16, 2024.

[2024] Changes in RELEASE_1_8 from RELEASE_1_7

- make the forwarding process honor requested EDNS0 lengths in long replies.
- TXT RR's are the first RR that is recursive in parsing, due to the nature
  of DNSSEC and TXT RR's this is unavoidable.  Before this change a TXT RR
  look like so:  hostname.tld,txt,3600,"some text", after the change a TXT
  RR can also look like this:  hostname.tld,txt,3600,"some ","text" so the
  comma values will never stop.  This is important for replicant operation
  with other nameservers.
- increase the txt size limit from 1024 bytes to 4096 bytes
- losing the "inet" pledge in a lot of network facing processes.  We made
helper processes that passed the descriptor to the helper allowing us to
keep a minimal pledge of "stdio recvfd ..."
- lose the "inet" pledge in AXFR, TCP, TLS.
- add a version output in dddctl, also add a tsig output for creating 32 byte
  random tsig keys.
- AXFR transfers are fixed to require TSIG records when configured to use them
  This fixes a MITM/security problem.
- implemented algorithm 14 (ECDSAP384SHA384) and algorithm 15 (Ed25519)
- implemented NSEC support and signing with dddctl
- implemented CERT RR (RFC 4398) support
- in the UDP engine reply truncate (TC) on ratelimit violation instead of
  dropping the packet
- redid the ratelimiting algorithm
- reworked the pledge and unveil'ing to something more proper.


[2022] Changes in RELEASE_1_7 from RELEASE_1_6

- a selectable forwarding strategy between "single" and "spray" pertaining
 to the entered forwarders.  (experimental).
- added a non-documented "dddctl dumpcache" for debugging the expiring of
  names.
- added RFC 7043 (EUI48 and EUI64) support
- fixed NAPTR and SRV (in regular and ANY replies) to NOT compress names in
  their rdata (as per RFC)
- shared memory in delphinusdnsd now has a guard page between each slot, if
  this region of memory gets used delphinusdnsd will segment violate and a
  possible attack is foiled.  The detriment is a higher memory footprint,
  but we can't do without this now that it's in.
- axfrport has been moved to options syntax is ie. "axfrport 10053;"
- strictaxfr only allows authenticated AXFR's and is an option ie. "strictaxfr;"
- config file changes dropping the "label" after options, tsig, passlist, etc.. 
- by default dddctl query now uses cookies (it does not cross check these) and
  if they aren't wanted they can be turned off with -N flag.
- added HTTPS and SVCB support (RFC 9460)
- added KX RR support (RFC 2230)
- added IPSECKEY RR support (RFC 4025)
- fixed delegation points according to RFC 4035 section 2.2 regarding NS RR's
  This was a long standing bug but noone noticed since we don't delegate much
  with delphinusdnsd.
- a hardcoded TCP TIMEOUT of 420 seconds when EDNS option 11 was requested
  this is experimental still...

[2021] Changes in RELEASE_1_6 from RELEASE_1_5

- rdomain support in OpenBSD
- fudgesize in forwarding mode for setting higher FUDGE value
- ntphack in main daemon for allowing *.ntp.org through
- setproctitle setting of an identifier for identifying a delphinusdnsd in
  systems that have multiple delphinusdnsd running
- change every instance of "master" to "primary"
- add a 10-query query cache (memoization) which speeds up subsequent answers
- ZONEMD RR's can now be added to a zone in both DNSSEC and non-DNSSEC zones.
  They can also be integrity checked with dddctl zonemd.
- RFC 9018/7873 Server DNS Cookies support, at first for OpenBSD only
- BIND & nsd by default dropped the question in the header on subsequent AXFR's
  (with the first envelope having it, after that no), adjust to this and add
  primary-axfr-old-behaviour and replicant-axfr-old-behaviour options to the
  global options in order to keep functionality of the old way, however this
  will not be documented in the manpages.  Also see -O switch in dddctl query
  in the source.
- reworked the CNAME code (we now reply to more RR's)
- added wildcarding for *.domain.tld domainnames (with DNSSEC support).
- fixed an endless loop in raxfr process when cortex process died
- added CDS/CDNSKEY support (RFC 8078 standard) this is rather an experimental
  addition since I can't use it with my tld's which are not listed here:
  https://github.com/oskar456/cds-updates/ and 
	https://www.internetsociety.org/deploy360/dnssec/maps/
  ... perhaps this standard will see more adoption in the future, and I can
  use it.
- added LOC support (RFC 1876)
- adjusted ratelimiting to take an optional (/24, /16, /8 in IPv4 and /64 and
	/32 in IPv6) CIDR address range as reflection attacks have progressed
- a delphinusdns.zone(5) manpage which outline the format of supported resource
  records

[2020] Changes in RELEASE_1_5 from RELEASE_1_4

- implement a double-signature rollover method
- allow ZSK and KSK keys to be created without signing
- switch default algorithm to alg 13 (elliptic curve) instead of alg 8 (RSA)
- not specifying a tsigkey in rzone should now imply NOKEY
- multiple RRSIG's are now working without bugs
- fixed the random time restart algorithm to restart at only 1 desired time
  which increases the odds that replicants won't do it at the same time.
- ANY replies have the option now to be forced to TCP only with the
  tcp-on-any-only option.
- conform to RFC 2181 section 5.2, but keep exception for RRSIG per RFC 4034
- added a "cortex" process for IPC between the processes
- added a forwarding mode (with cache)
- changed the config file version from 9 back to 1
- changed how a question gets parsed (build_question()), hopeing to get
  more security out of this
- in dddctl query allow a class to be specified (-c)
- added RP, HINFO and CAA RR support in all areas except dddctl query
- add a SOA constraint on rzone's to constrain SOA refresh/retry/expire values
  by default these are 60/60/60
- terminology changes blacklist->blocklist, whitelist->passlist, 
  anything_slave() to anything_ddd(), to keep with the times
- made the 3G database truly RW (before there was some memcpy'ing going on 
that corrupted pointers making the databse RO).
- added extra security measure to prevent DNS poisoning by AXFR
- added a bytelimit to how much one can AXFR from a remote site.  Unfortunately
  this won't prevent a disk to fill up in most circumstances, but may give
  an operator more time to notice what's going on.  It surely will prevent
  memory exhaustion if used carefully.
- improve on the speed of AXFR's for very large databases (tested on 1.4 million AAAA records, 2 seconds vs. 120 seconds).
- do not reply AA on BADVERS
- add a setable max-udp-payload option for the options section.

[2019] Changes in RELEASE_1_4 from RELEASE_1_3

- dddctl can now count records in configtest
- dddctl can axfr zones, and query other dns data
- the database has been replaced with the 3G DB (3rd generation internal db)
- fixed logic leading up to DNSSEC NODATA ENT replies
- FreeLogic from Russia, offered an unalignment fix affecting rrlimit
- TSIG AXFR's and other TSIG support is now workin
- increased TXT's size from 255 to 1024 (for DKIM)
- TCP now doesn't block upon connect, it will close connections at 64 limit
- refactored the axfr with finer grained control with the mzone keyword
- added algorithm 13 in dddctl, for signing elliptic curves and conforming to
  RFC 8624
- change the default configfile to /etc/delphinusdns/delphinusdns.conf and
  update documentation for this
- add -X and -x argument for setting the serial automatically overriding what
  is in the zonefile
- refused answers now tag on the question, and add on a possible EDNS0 tag,
  which it did not do before.
- fixed referrer NS code with plain subzones incorporating some DNSSEC elements
- remote logging (which was added in BETA_7) has been removed
- last minute change:  teach delphinusdnsd and dddctl to answer multiple TXT's
  per domain name.


[2018] Changes in RELEASE_1_3 from RELEASE_1_2
- created a "zinclude" config, which will only allow zone files to be 
	included and nothing else inside that. 
- created a manpage for dddctl
- fixed a timeout issue with notify hosts, refactored code (axfr.c)
- replaced dd-convert with dddctl which is a utility that can do a bit more,
  including dnssec key roll-over with ZSK key.
- added a DNS conversion tool to convert delphinusdnsd zonefiles to BIND style.
- fixed ENT's with DNSSEC (missing NSEC3 in ENT's, RFC 7129).
- added regressions for the developing platform (OpenBSD)

[2017] Changes in RELEASE_1_2 from RELEASE_1_1

- remove SPF support (deprecated RFC 7208 section 3.1)
- add TLSA anyreply support (affects AXFR)
- change BerkeleyDB to tree(3) RB_* macros (faster?)
- fix EDNS compliancy:  https://ednscomp.isc.org/ednscomp/5a70566c18
- fix truncation code and give empty answers with TC bit set when appropriate
- fix CNAME's with DNSSEC
- fix PTR's with DNSSEC
- move to imsg functions with privsep for IPC messaging
- OpenBSD delphinusdnsd is pledged

[2016] Changes in RELEASE_1_1 from RELEASE_1_0

- dd-convert.c written to replace dd-convert.rb.  It now supports TLSA RR's as
an added bonus.  This utility does not rely on any external (BIND) tools except
for the linkage against openssl/libressl.
- manpage for dd-convert
- Mac OS X port has been dropped
- RFC 8020 compliance with empty non-terminal names starting this release
- Linux now depends on libbsd

[2015] Changes in RELEASE_1_0 from BETA_9

- name change from wildcarddnsd to delphinusdnsd
- fixed the long standing bug that assumed one time to live for all RRSETs in a domain name (ttl fix)
- internal database has been changed in it's ABI
- wildcarding is off for good (due to DNSSEC)
- split-horizon for A records is gone, (may be added back one day)
- EDNS fixup (RFC 2671)
- DNSSEC (RFC 4033, 4034, 4035)
- DNSSEC NSEC3 (RFC 5155)
- TLSA RR (described in RFC 6698)
- dd-convert.rb ruby zone sign tool
- Linux now relies on libressl 2.2.4 library, details in the configure
- some bug fixes

[2014] Changes in BETA_9 from BETA_8

- we have replaced parse.c with parse.y
- Linux now relies on the libressl 2.1.1 library, details in the configure
- commandline options have been moved to configuration file options to coexist
- options keyword in the configfile
- SPF (RR 99) RFC 4408 support
- fix a bug related to truncation
- SSHFP (RR 44) RFC 4255 (+ RFC 6594) support
- defineable ratelimit between 1 and 127 pps , see example8.conf for sample
- EDNS0 (RFC 6891) get detected and replied upon
- NAPTR (RFC 2915) support
- Notify (RFC 1996) master-only support
- underlying BerkeleyDB databases are now stored in /var/db/wdns/[pid]/* 
  instead of /var/db/wdns, cleanup code for this was written as well.
- filter and whitelist ip ranges
- a wildcarddns.conf(5) manpage based on BNF similar to pf.conf(5) with 
  reference from parse.y
- we now log received bytes and sent bytes per query, log at the end of a
  log message.


[2013] Changes in BETA_8 from BETA_7

- we have a non-forking debug mode now with verbosity flag
- make W compile and run on the Raspberry Pi (great projects with this)

[2013] Changes in BETA_7 from BETA_6

- remote (sys)-logging feature with HMAC message verification
- change to Berkeley DB 4.6+ on BSD hosts (Linux had it already)
- allow numerous copies of wildcardnsd to pre-fork (-n flag)
- AXFR master code (this allows a BIND9 to work with wildcarddnsd)
- fix an integer overrun in parse.c which prevented big endian hosts to
  make use of ANY replies and AXFR
- SRV RR support
- left sourceforge.net around August 14, 2012
- Mac OS X compiles now, but has not been tested with queries

[2011] Changes in BETA_6 from BETA_5

- Addition of the utterly broken recursive lookup code
- conf file is at version 4 now
- inclusion of a "root hints" entry in some example.conf's
- "ANY" RR type replies
- pidfiles written to /var/run
- master process which can be HUP'ed for reloading the nameserver
- compress_label fix from possible overflow
- DNS TTL logging fix for OpenBSD
- TCP filedescriptor fix (so -> tnp->so)