in the tooth BIND 8. As of today (27 August 2007) ISC has announced
that BIND 8 is officially End of Life (EOL) and therefore it's time
to say good-bye.
Please see http://www.isc.org/sw/bind/bind8-eol.php for details on the
reasoning behind the EOL status, the latest security issues, and a
migration guide to help you move toward BIND 9.4.x.
bind8 (BIND 8.3.7) is marked FORBIDDEN due to the predictable query ID
bug (see above) which will not be fixed for this version.
bind84 is marked DEPRECATED, and will be upgraded to 8.4.7-P1 when it
is available.
daemon.
multi_dnsbl is a DNS emulator daemon that increases the efficacy of DNSBL
look-ups in a mail system. multi_dnsbl may be used as a stand-alone DNSBL or as
a plug-in for a standard BIND 9 installation. multi_dnsbl shares a common
configuration file format with the Mail::SpamCannibal sc_BLcheck.pl script so
that DNSBLs can be maintained in a common configuration file for an entire
mail installation.
Because DNSBL usefulness is dependent on the nature and source of spam sent to
a specific site and because sometimes DNSBLs may provide intermittent service,
multi_dnsbl interrogates them sorted in the order of greatest successful hits.
DNSBLs that do not respond within the configured timeout period are not
interrogated at all after 6 consecutive failures, and thereafter will be
retried not more often than once every hour until they come back online. This
eliminates the need to place DNSBLs in a particular order in your MTA's config
file or periodically monitor the DNSBL statistics and/or update the MTA config
file.
WWW: http://search.cpan.org/~miker/Net-DNSBL-MultiDaemon-0.18/MultiDaemon.pm
PR: ports/115639
Submitted by: Andrew Greenwood <greenwood.andy at gmail.com>
- Add significantly better support in bsd.python.mk for working with
Python Eggs and the easy_install system
Tested by: pointyhat runs
Approved by: pav (portmgr)
Most work by: perky
Thanks to: pav
1. The default access control lists (acls) are not being
correctly set. If not set anyone can make recursive queries
and/or query the cache contents.
See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925
2. The DNS query id generation is vulnerable to cryptographic
analysis which provides a 1 in 8 chance of guessing the next
query id for 50% of the query ids. This can be used to perform
cache poisoning by an attacker.
This bug only affects outgoing queries, generated by BIND 9 to
answer questions as a resolver, or when it is looking up data
for internal uses, such as when sending NOTIFYs to slave name
servers.
All users are encouraged to upgrade.
See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
The DNS query id generation is vulnerable to cryptographic
analysis which provides a 1 in 8 chance of guessing the next
query id for 50% of the query ids. This can be used to perform
cache poisoning by an attacker.
This bug only affects outgoing queries, generated by BIND 9 to
answer questions as a resolver, or when it is looking up data
for internal uses, such as when sending NOTIFYs to slave name
servers.
All users are encouraged to upgrade.
See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
supports them. This is determined by running ``configure --help'' in
do-configure target and set the shell variable _LATE_CONFIGURE_ARGS
which is then passed to CONFIGURE_ARGS.
- Remove --mandir and --infodir in ports' Makefile where applicable
Few ports use REINPLACE_CMD to achieve the same effect, remove them too.
- Correct some manual pages location from PREFIX/man to MANPREFIX/man
- Define INFO_PATH where necessary
- Document that .info files are installed in a subdirectory relative to
PREFIX/INFO_PATH and slightly change add-plist-info to use INFO_PATH and
subdirectory detection.
PR: ports/111470
Approved by: portmgr
Discussed with: stas (Mk/*), gerald (info related stuffs)
Tested by: pointyhat exp run
- maradns.sh and zoneserver.sh now use PID file
- change default MaraDNS UID from 99 to bind(53)
- change default MaraDNS GID from 99 to bind(53)
- change default duende logger process UID from 66 to nobody(65534)
- create empty etc/logger directory
PR: ports/113235
Submitted by: Simun Mikecin <numisemis@yahoo.com>
Approved by: Alex Kapranoff <alex@kapranoff.ru> (maintainer)
Supports adding, removing, and modifying entries.
The attributes it can handle are TTL, A record, C name, AAAA
record, and MX record. Outside of TTL, multiple attributes
for each type record.
WWW: http://vvelox.net/projects/ldnsm/
PR: ports/112191
Submitted by: Zane C. Bowers
cap is a network capture utility designed specifically for DNS
traffic. It produces binary data in pcap(3) format, either on
standard output (by default) or in successive dump files (if the -d
command line option is given). This utility is similar to tcpdump(1),
but has finer grained packet recognition tailored to DNS transactions
and protocol options. dnscap is expected to be used for gathering
continuous research or audit traces.
SYNOPSIS
dnscap [-avf6] [-i if ...] [-l vlan ...] [-p port] [-m [quire]] [-h [ir]]
[-q host ...] [-r host ...] [-d base [-k cmd]] [-t lim] [-c lim]
WWW: http://public.oarci.net/tools/dnscap
2172. [bug]      query_addsoa() was being called with a non zone db.
                 [RT #16834]
If you are running BIND 9.4.0 (either pre-release or final),
you are advised to upgrade as soon as possible to BIND 9.4.1.
- Add patch from SVN to support DNSSEC records
- Update examples (config and table creation files)
- For the complete changelog see http://doc.powerdns.com/changelog.html
PR: ports/112055
Submitted by: maintainer (Ralf van der Enden)
Reviewed by: maintainer
contains a bugfix for recovering from permanently lost database connections
- Fix build on gcc 4.x
PR: ports/109273
Submitted by: Ralf van der Enden <tremere at cainites.net> (maintainer)
It uses POE::Component::Client::DNS to handle resolving when configured as
'forward_only' and Net::DNS::Resolver::Recurse wrapped by
POE::Component::Generic to perform recursion.
One may add handlers to massage and manipulate responses to particular queries
which is vaguely modelled after Net::DNS::Nameserver.
WWW: http://search.cpan.org/dist/POE-Component-Server-DNS/
PR: ports/109449
Submitted by: Jin-Shan Tseng <tjs at cdpa.nsysu.edu.tw>
Approved by: erwin (mentor, implicit)
descendant class that allows a virtual DNS to be emulated
instead of querying the real DNS. A set of static DNS
records may be supplied, or arbitrary code may be specified
as a means for retrieving DNS records, or even generating
them on the fly.
WWW: http://search.cpan.org/dist/Net-DNS-Resolver-Programmable/
- Koen Martens
gmc@sonologic.nl
PR: ports/108997
Submitted by: Koen Martens <gmc at sonologic.nl>
- Prepare Makefile for upcoming new stable release of OpenDBX library (which
bumps library number from .1 to .2).
- Add stupidity fix for config location to pdns.in (moved the config but
forgot to edit rc.d script).
- Also changed location of config directory in pdns.conf.
- Bump port-revision.
PR: ports/108685
Submitted by: Ralf van der Enden <tremere@cainites.net> (maintainer)
Obtained from: www.linuxnetworks.de [1]
was supposed to work is useless, because if we can't trust the distfile from
the remote machine, we can't trust the signature from the same machine either.
Our MD5 and SHA256 are good for checking both the sanity and the
trustiness of distfiles.
Approved by: portmgr (erwin), erwin (mentor)
following security issues. All users of BIND are encouraged to upgrade
to this version.
2126. [security] Serialise validation of type ANY responses. [RT #16555]
2124. [security] It was possible to dereference a freed fetch
                 context. [RT #16584]
2089. [security] Raise the minimum safe OpenSSL versions to
                 OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
                 prior to these have known security flaws which
                 are (potentially) exploitable in named. [RT #16391]
2088. [security] Change the default RSA exponent from 3 to 65537.
                 [RT #16391]
2066. [security] Handle SIG queries gracefully. [RT #16300]
1941. [bug]      ncache_adderesult() should set eresult even if no
                 rdataset is passed to it. [RT #15642]
single one-ip-address domain. It can handle SOA, NS, MX, A, and PTR
requests. The 1.1.0 version includes a nice X windows GUI for management.
WWW: http://www.fourcalorieservers.com/
PR: ports/107624
Submitted by: Ron Scheckelhoff <rscheckelhoff at fourcalorieservers.com>
much less CPU usage on busy name servers.
PR: ports/106352
Submitted by: Artis Caune <Artis dot Caune_AT_latnet dot lv>
Approved by: maintainer (Mark Foster)
Add the optional ares_config_info patch from Unreal IRCD, on by default;
this is a step closer to building Unreal IRCD with the port version of
c-ares.
for small gateway machines, like a Soekris box. Its main feature
is that it does not require any Perl or Python interpreter.
It supports HTTPS, can send a mail report, and can run as daemon.
It is also very easy to deploy.
WWW: http://www.bsdmon.com/wakka/OpenDD
PR: ports/105434
Submitted by: Alexander Logvinov <ports at logvinov.com>
announced by ISC dated 31 October (delivered via e-mail to the
bind-announce@isc.org list today):
Description:
Because of OpenSSL's recently announced vulnerabilities
(CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named,
we are announcing this workaround and releasing patches. A proof of
concept attack on OpenSSL has been demonstrated for CAN-2006-4339.
OpenSSL is required to use DNSSEC with BIND.
Fix for version 9.3.2-P1 and lower:
Upgrade to BIND 9.2.3-P2, then generate new RSASHA1 and
RSAMD5 keys for all old keys using the old default exponent
and perform a key rollover to these new keys.
These versions also change the default RSA exponent to be
65537 which is not vulnerable to the attacks described in
CAN-2006-4339.
Note that this is another patch that conflicts with the jumbo patch.
PR: 69191
Submitted by: "Michal F. Hanula" <f@7f000001.org>,
Nick Barkas <snb@threerings.net>
- renamed start script to modern format (without .sh)
- Added better example data (including pkg-message)
- utilize SUB_FILES
PR: 103153
Submitted by: paul+ports at it.ca
Chase dependent ports and specify the dependency using "package
dependency" syntax which is immune to such changes.
No portrevision bumps.
Reported by: krismail
Pointy hat to: tobez
- Fix rc script, use command_interpreter to make it stop properly
- Pass maintainership to submitter
PR: ports/101672
Submitted by: Stanislav Sedov <ssedov at mbsd.msk.ru>
for asynchronous DNS resolving. It was repo-copied from the dns/ares port.
WWW: http://daniel.haxx.se/projects/c-ares/
Author: Daniel Stenberg <daniel@haxx.se>
functionality for DLV/DNSSEC.
2. Add virtual category ipv6
3. Add OPTIONS for IPV6, enabled by default.
4. Fix the test for WITH_IPV6, and move it out of the test for
${PERL_LEVEL} < 500800. On my system, the IPv6 libraries are not
(any longer?) installed by default with Perl 5.8. The test is
harmless if the libraries are there in any case, so remove the
pointless micro-optimization.
updates, so I therefore feel the best thing to do is resign as maintainer and
hope that another FreeBSD user who uses dnsmasq actively will take over as
maintainer. [1]
OPTIONify [2]
PR: 98584 [1]
Submitted by: Steven Honson (former maintainer) [1]
itetcu (me) [2]
Approved by: lawrance (mentor, implicit)
- Use INSTALL_DATA (rather than CP) to install files
- Bump PORTREVISION (packing list has changed)
PR: 97698 (follow-up)
Submitted by: hq
Approved by: maintainer
- Use DISTVERSION to avoid complex substitutions in DISTNAME
- Use DATADIR=${JAVASHAREDIR}/${PORTNAME}
- Use SUB_FILES to configure launcher shell script
- Set JAVA_VERSION in launcher shell script
- Use 'exec' to launch JVM (as encouraged in the Porter's Handbook)
- Remove port name from COMMENT
- Do not mkdir ${JAVAJARDIR} (it is part of mtree now)
- Use %%DATADIR%% and %%JAVAJARDIR%% in pkg-plist
- Add $FreeBSD$ tags
- Bump PORTREVISION
PR: 97698
Submitted by: hq
Approved by: maintainer
Those spaces used to hinder searching for the corresponding files
with portsearch -f '/FILENAME$' for obvious reasons.
Although currently portsearch removes those spaces itself, remove
them anyway.
Inspired by: ports/94078
Approved by: portmgr (during freeze: krion, then kris advised to wait; at present: erwin)
the lib version back to 1, but since the dependencies still linked to
libadns.so.1 even when the installed file was libadns.so.12, a new
PORTREVISION bump is not needed.
- Let the user define BOOTFILE (default: /etc/namedb/named.boot)
- Let the user define CONFFILE (default: /etc/namedb/named.conf)
- Fully respect CFLAGS
- Remove two patches
- Add an additional master site
- Adopt this port