• Support custom hosts file size (@flaming-archer, #349)
• Fix origin handling in zone loaded from file or stream (#346)
• Prevent TCP port leak when closing IO (#351)
• Fix confusing parameter name in CNAMERecord (@chkal, #354)
• Optionally disable ShutdownHook in NioClient (@SvenssonWeb, #359)
• TSIG algorithm names from RFC 8945
• Message.toWire can exceed MAXLENGTH (#355)
• TCP query might fail if the shared buffer is full (#357)
• Dynamic updates silently truncates records (#356)
• Fix DoH initial request using recommended nanoTime calculation (@LinZong, #345)

• Add new IANA Trust Anchor (@technoLord, #337)
• Fix Zone handling with signed SOA (@frankarinnet, #335)

• Properly fix LookupSession doesn't cache CNAMEs (#316)
• Move JEP-418 SPI to Java 18 to support EOL workflows (#329)

• Fix CVE-2024-25638 (GHSA-cfxw-4h78-h7fw)
  Lookup and LookupSession do not sanitize input properly, allowing to smuggle additional responses, even with DNSSEC. I would like to thank Thomas Bellebaum from Fraunhofer AISEC (@bellebaum) and Martin Schanzenbach (@schanzen) for reporting and assisting me with this issue.
• Fix CVE-2023-50387 (GHSA-crjg-w57m-rqqf)
  Denial-of-Service Algorithmic Complexity Attacks (KeyTrap)
• Fix CVE-2023-50868 (GHSA-mmwx-rj87-vfgr)
  NSEC3 closest encloser proof can exhaust CPU resources (KeyTrap)
• Fix running all DNSSEC on the specified executor
• Add new DNSSEC algorithm constants for SM2SM3 and ECC-GOST12
• Add A/AAAA record constructor with IP address byte array
• Validate DS record digest lengths (#250)
• Fix NPE in SimpleResolver on invalid responses (#277)
• Add support for JEP 418: Internet-Address Resolution SPI (#290)
• Full JPMS support (#246)
• Pluggable I/O for SimpleResolver
  (@chrisruffalo, #253)
• UDP port leak in SimpleResolver (#318)
• Fix clean shutdown in app containers when never used (#319)
• Fix concurrency issue in I/O clients (#315, #323)
• LookupSession doesn't cache CNAMEs (#316)
• SimpleResolver can fail with UPDATE response (#322)
• Replace synchronization in Zone with locks
  (#305, based on work from @srijeet0406 in #306)

• Fix CNAME in LookupSession (#279)
• Fix Name constructor failing with max length, relative name and root origin (#289, @MMauro94)
• Add config option for Resolver I/O timeout (#273, @vmarian2)
• Extend I/O logging
• Prevent exception during TCP I/O with missing or truncated length prefix
• Use internal base64 codec for Android compatibility (#271)
• Fix multi-message TSIG stream verification for pre-RFC8945 servers (#295, @frankarinnet and @nguichon)
• Add StreamGenerator for generating RFC8945 compliant multi-message streams (related to #295)

• Correctly render empty TXT records (#254)
• More validation on TLSA data input (#257)

• Fix validation of TSIG signed responses (#249)
• DS rdata digest validation hexadecimal digits (#252)

• Add full built-in support for DNSSEC based on dnssecjava (#209)
• Make Record classes serializable again (#242)
• Allow SVCB ServiceMode records without params (#244, @adam-stoler)
• Fix TCPClient receive timeouts (#218 @nguydavi, #219)

Note that the license changed! Previous versions were BSD-2-Clause licensed, while from this release on it is BSD-3-Clause.

• Fix handling of buffers in DNSInput (#224, #225 @nresare)
• Clear existing nameservers on config refresh (#226)
• Fix exception when calling ResolverConfig.refresh (#234)

• Document behavior of ExtendedResolver.setTimeout (#206)
• Add overloads to use an Executor when sending queries in resolvers (#211)
• Remove synchronous locks in DoH Resolver (related to #211)
• Fix broken CNAME handling in LookupSession (#212)
• "WireParseException: bad label type" when parsing Message from ByteBuffer (#213)
• Remove unnecessary synchronization in org.xbill.DNS.Header::getID (#215, @maltalex)
• Add examples for the LookupSession and direct Resolver usage