Upgrade to 9.4-ESV-R4-P1, which addresses the following issues:

1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.

This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.

dns/bind94/Makefile

@@ -12,7 +12,7 @@
 # release you can generally build it cleanly from the source - Doug
 
 PORTNAME=	bind94
-PORTVERSION=	9.4.4.ESV.4
+PORTVERSION=	9.4.4.ESV.4.1
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	${MASTER_SITE_ISC} \
 		http://dougbarton.us/Downloads/%SUBDIR%/
@@ -25,7 +25,7 @@ MAINTAINER=	dougb@FreeBSD.org
 COMMENT=	The BIND DNS suite with updated DNSSEC and threads
 
 # ISC releases things like 9.4.0b3, which our versioning doesn't like
-ISCVERSION=	9.4-ESV-R4
+ISCVERSION=	9.4-ESV-R4-P1
 
 DEPRECATED=		Reaches EOL May 2011
 EXPIRATION_DATE=	2011-05-31

dns/bind94/distinfo

@@ -1,6 +1,6 @@
-SHA256 (bind-9.4-ESV-R4.tar.gz) = 2b25d013b34dfed5b70dff5d75825a4338eaa724f68a554afdad4adcd5be10d5
-SIZE (bind-9.4-ESV-R4.tar.gz) = 6753355
-SHA256 (bind-9.4-ESV-R4.tar.gz.asc) = 80b6bc6c204393ce0d2cc763a54cd396667ce1355013f97f2b5f92cc3120fc8f
-SIZE (bind-9.4-ESV-R4.tar.gz.asc) = 481
+SHA256 (bind-9.4-ESV-R4-P1.tar.gz) = 23eb8537a0dfa2f692c083c8d6898c61c349e9e7153bdcf7307b8cd3d8f5b725
+SIZE (bind-9.4-ESV-R4-P1.tar.gz) = 6712151
+SHA256 (bind-9.4-ESV-R4-P1.tar.gz.asc) = 8f7a01dd6be2b7f6a105755200bfa193cd0b3bdd0cc373ee1c5554603a537ad1
+SIZE (bind-9.4-ESV-R4-P1.tar.gz.asc) = 481
 SHA256 (bind-9.4.1-geodns-patch.tar.gz) = 352413037e4779519c0a5b70aef801c8f84bcf15d1d485b16096d75f83644a65
 SIZE (bind-9.4.1-geodns-patch.tar.gz) = 2057