Security Fixes

* Duplicate EDNS COOKIE options in a response could trigger an
  assertion failure. This flaw is disclosed in CVE-2016-2088. 
  [RT #41809]
* The resolver could abort with an assertion failure due to improper
  DNAME handling when parsing fetch reply messages. This flaw is
  disclosed in CVE-2016-1286. [RT #41753]
* Malformed control messages can trigger assertions in named and
  rndc. This flaw is disclosed in CVE-2016-1285. [RT #41666]
* Certain errors that could be encountered when printing out or
  logging an OPT record containing a CLIENT-SUBNET option could be
  mishandled, resulting in an assertion failure. This flaw is
  disclosed in CVE-2015-8705. [RT #41397]
* Specific APL data could trigger an INSIST. This flaw is disclosed
  in CVE-2015-8704. [RT #41396]
* Named is potentially vulnerable to the OpenSSL vulnerability
  described in CVE-2015-3193.
* Incorrect reference counting could result in an INSIST failure if a
  socket error occurred while performing a lookup. This flaw is
  disclosed in CVE-2015-8461. [RT#40945]
* Insufficient testing when parsing a message allowed records with an
  incorrect class to be be accepted, triggering a REQUIRE failure
  when those records were subsequently cached. This flaw is disclosed
  in CVE-2015-8000. [RT #40987]

New Features

* None.

Feature Changes

* Updated the compiled in addresses for H.ROOT-SERVERS.NET.

Bug Fixes

* Authoritative servers that were marked as bogus (e.g. blackholed in
  configuration or with invalid addresses) were being queried anyway.
  [RT #41321]