Add an OPTION (on by default) to install the appropriate symlinks for
named.conf and rndc.key in /usr/local/etc and /var/named/usr/local/etc.
For bind9[456]:
Add OPTIONs (off by default) for the DLZ configure options, and their
corresponding ports knobs. [1] The basic infrastructure for this was
provided in the PR, but this version is slightly different in a few
details so responsibility for bugs is mine.
PR: ports/122974 [1]
Submitted by: Michael Schout <mschout@gkg.net> [1]
complete DNS client implementation, including full DNSSEC
support.
WWW: http://rubyforge.org/projects/dnsruby/
PR: ports/138203
Submitted by: Wen Heping <wenheping at gmail.com>
The most popular use of this patch is to send web site visitors to their
nearest web server. Suppose you have a site called www.example555.com with
two web servers: one in the US and one in England. You can use this patch
in order for visitors from Europe to connect to the server in England and
all other visitors to the server in the US. This is just one example of
its usage. There are probably many others.
WWW: http://www.caraytech.com/geodns/
I created a slave port rather than making this an option but other than
that I was able to use the excellent work in the PR.
PR: ports/119997
Submitted by: Jui-Nan Lin <jnlin@csie.nctu.edu.tw>
- load configuration earlier so that we don't run without config file,
analyzed, reported and patch suggested by Fumiyuki Shimizu
- mention /etc/rc.conf.local (as suggested in the Porter's handbook)
- mention dnsmasq_flags for additional command line arguments
- pass pidfile and dnsmasq_conf as arguments to dnsmasq (previously,
overriding dnsmasq_conf had no effect).
* Fix COMMENT to mention TFTP server; shorten it so it fully fits on the
pkg_info list.
PR: 137506
Submitted by: Matthias Andree <matthias.andree@gmx.de> (maintainer)
BIND 9.6.0. Originally from older versions of BIND, they have been
continually maintained and improved but not installed by default with
BIND 9. This standard resolver library contains the same historical
functions and headers included with many Unix operating systems.
In fact, most implementations are based on the same original code.
ISC's libbind provides the standard resolver library, along with header
files and documentation, for communicating with domain name servers,
retrieving network host entries from /etc/hosts or via DNS, converting
CIDR network addresses, performing Hesiod information lookups, retrieving
network entries from /etc/networks, implementing TSIG transaction/request
security of DNS messages, performing name-to-address and address-to-name
translations, and utilizing /etc/resolv.conf for resolver configuration.
WWW: https://www.isc.org/software/libbind
- Doug Barton
DougB@FreeBSD.org
-Update libtool and libltdl to 2.2.6a.
-Remove devel/libtool15 and devel/libltdl15.
-Fix ports build with libtool22/libltdl22.
-Bump ports that depend on libltdl22 due to shared library version change.
-Explain what to do update in the UPDATING.
It has been tested with GNOME2, XFCE4, KDE3, KDE4 and many other wm/desktops
and applications at runtime.
With help: marcus and kwm
Pointyhat-exp: a few times by pav
Tested by: pgollucci, "Romain Tartière" <romain@blogreen.org>, and
a few MarcusCom CVS users. Also, I might have missed a few.
Repocopy by: marcus
Approved by: portmgr
DoS vulnerability:
Receipt of a specially-crafted dynamic update message may
cause BIND 9 servers to exit. This vulnerability affects all
servers -- it is not limited to those that are configured to
allow dynamic updates. Access controls will not provide an
effective workaround.
More details can be found here: https://www.isc.org/node/474
All BIND users are encouraged to update to a patched version ASAP.
- Split boost port to separate components, with boost-all metaport
PR: ports/137054
Submitted by: Alexander Churanov <churanov.port.maintainer@gmail.com> (maintainer)
propagated by copy and paste.
1. Primarily the "empty variable" default assignment, which is mostly
${name}_flags="", but fix a few others as well.
2. Where they are not already documented, add the existence of the _flags
(or other deleted empties) option to the comments, and in some cases add
comments from scratch.
3. Replace things that look like:
prefix=%%PREFIX%%
command=${prefix}/sbin/foo
to just use %%PREFIX%%. In many cases the $prefix variable is only used
once, and in some cases it is not used at all.
4. In a few cases remove ${name}_flags from command_args
5. Remove a long-stale comment about putting the port's rc.d script in
/etc/rc.d (which is no longer necessary).
No PORTREVISION bumps because all of these changes are noops.
and answers with records pointing back to localhost. Combined with
packet filter pf(4) this works as a bandwidth efficient spamtrap.
WWW: http://www.wolfermann.org/dnsreflector.html
PR: ports/135077
Submitted by: ismail.yenigul at endersys.com.tr
hostname to the nearest mirrors (as defined by geography; on the
country / continent level).
It is used for search.cpan.org/cpansearch.perl.org and for
ftp.perl.org/ftp.cpan.org; to provide nearby-ish
servers for the NTP Pool; and to balance svn.apache.org to
svn.us.apache.org and svn.eu.apache.org.
WWW: http://geo.bitnames.com/
in DNSSEC lookaside validation (DLV): unrecognized signature algorithms,
which should have been treated as the equivalent of an unsigned zone,
were instead treated as a validation failure.
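An added C example (not BIND's own code) of the rule this fix restores: a DS or DLV record whose algorithm the validator does not implement must be skipped, and a delegation with no usable record at all is treated as insecure (unsigned), not bogus. The `ds_rec` structure, its `chain_valid` field (a constructed stand-in for the real DNSKEY/RRSIG check), the supported-algorithm list and the scenario records are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Validation outcome for a delegation, in the RFC 4033 sense. */
enum secstatus { SEC_SECURE, SEC_INSECURE, SEC_BOGUS };

/* One DS (or DLV) record as the validator sees it: the DNSKEY algorithm
 * it names, and whether a DNSKEY/RRSIG chain matching it verifies.
 * chain_valid is a constructed stand-in for the actual signature check. */
struct ds_rec {
    uint8_t alg;
    bool    chain_valid;
};

/* Algorithms this hypothetical validator implements (RSASHA1 = 5,
 * RSASHA1-NSEC3-SHA1 = 7). Anything else is "unrecognized". */
static bool alg_supported(uint8_t alg)
{
    return alg == 5 || alg == 7;
}

/* Buggy behaviour: a record we cannot use is lumped in with a record that
 * failed, so a zone signed only with an unknown algorithm comes out BOGUS
 * and its names stop resolving. */
enum secstatus classify_buggy(const struct ds_rec *ds, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (alg_supported(ds[i].alg) && ds[i].chain_valid)
            return SEC_SECURE;
    return SEC_BOGUS;
}

/* Fixed behaviour (RFC 4035 section 5.2): records with unsupported
 * algorithms are ignored; if nothing usable remains the delegation is
 * INSECURE (as if unsigned), and only a usable record that fails to
 * verify makes it BOGUS. */
enum secstatus classify_fixed(const struct ds_rec *ds, size_t n)
{
    bool any_usable = false;
    for (size_t i = 0; i < n; i++) {
        if (!alg_supported(ds[i].alg))
            continue;               /* unrecognized: cannot prove anything */
        any_usable = true;
        if (ds[i].chain_valid)
            return SEC_SECURE;
    }
    return any_usable ? SEC_BOGUS : SEC_INSECURE;
}

/* Constructed scenarios: algorithm 200 is deliberately unassigned. */
static const struct ds_rec only_unknown[] = { { 200, false } };
static const struct ds_rec known_good[]   = { { 200, false }, { 5, true } };
static const struct ds_rec known_bad[]    = { { 200, false }, { 7, false } };

enum secstatus buggy_only_unknown(void) { return classify_buggy(only_unknown, 1); }
enum secstatus fixed_only_unknown(void) { return classify_fixed(only_unknown, 1); }
enum secstatus fixed_known_good(void)   { return classify_fixed(known_good, 2); }
enum secstatus fixed_known_bad(void)    { return classify_fixed(known_bad, 2); }

static const char *name(enum secstatus s)
{
    return s == SEC_SECURE ? "secure" : s == SEC_INSECURE ? "insecure" : "bogus";
}

int main(void)
{
    printf("unknown algorithm only, buggy: %s\n", name(buggy_only_unknown()));
    printf("unknown algorithm only, fixed: %s\n", name(fixed_only_unknown()));
    printf("unknown + verifying RSASHA1:   %s\n", name(fixed_known_good()));
    printf("unknown + failing RSASHA1:     %s\n", name(fixed_known_bad()));
    return 0;
}
```

The third scenario shows the boundary: once a record with a supported algorithm is present, a verification failure is still bogus, so skipping unknown algorithms does not give an attacker a downgrade path by appending junk records.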
Matthew Dempsky. Also, fix the quoting of the BROKEN messages.
PR: 132366, 132349
Submitted by: Renato Botelho <garga@FreeBSD.org>,
Howard Goldstein <hg@queue.to>
- Add selection for mysql or pgsql backend
- Pass maintainership to submitter
PR: ports/131035
Submitted by: Edmondas Girkantas <eg@fbsd.lt>
Approved by: maintainer timeout (no activity since 2005)
- turn devel/py-twisted into a meta port.
- Update USE_TWISTED{,_BUILD,_RUN} in bsd.python.mk:
* Remove flow, pair, xish, which are deprecated
(but still update them to latest release in the tree)
* Remove USE_TWISTED=13 (no port uses this)
* Fix typos in twisted components _DEPENDS
PR: ports/130001
Submitted by: lwhsu
Approved by: maintainer timeout
the fix for the following vulnerability: https://www.isc.org/node/373
Description:
Return values from OpenSSL library functions EVP_VerifyFinal()
and DSA_do_verify() were not checked properly.
Impact:
It is theoretically possible to spoof answers returned from
zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).
In short, if you're not using DNSSEC to verify signatures you have
nothing to worry about.
While I'm here, address the issues raised in the PR by adding a knob
to disable building with OpenSSL altogether (which eliminates DNSSEC
capability), and fix the configure arguments to better deal with the
situation where the user has ssl bits in both the base and LOCALBASE.
PR: ports/126297
Submitted by: Ronald F.Guilmette <rfg@tristatelogic.com>
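An added C example (not BIND's or OpenSSL's own code) of the check the advisory above describes. `stub_verify_final()` is a hypothetical stand-in that keeps the EVP_VerifyFinal()/DSA_do_verify() return contract (1 verified, 0 not verified, -1 error); the signature bytes are constructed. The point is the comparison: a caller that treats every non-zero return as success accepts a malformed signature, which the library reports with -1, while a caller that requires exactly 1 rejects it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for EVP_VerifyFinal()/DSA_do_verify(): it is not
 * OpenSSL, but it follows the same three-valued contract:
 *    1  signature verified
 *    0  signature did not verify
 *   -1  error (here: the signature could not even be decoded)
 * A DNSSEC DSA signature is T || R || S, 41 octets (RFC 2536); any other
 * length is treated as a decode error, as a real decoder would.
 */
#define DSA_SIG_LEN 41

static int stub_verify_final(const uint8_t *sig, size_t siglen,
                             const uint8_t *good, size_t goodlen)
{
    if (siglen != DSA_SIG_LEN)
        return -1;                         /* malformed: error, not "bad" */
    if (goodlen == siglen && memcmp(sig, good, siglen) == 0)
        return 1;                          /* verified */
    return 0;                              /* well-formed but wrong */
}

/* Buggy pattern: anything other than 0 is taken as success, so -1 passes. */
bool rrsig_verify_buggy(const uint8_t *sig, size_t siglen,
                        const uint8_t *good, size_t goodlen)
{
    return stub_verify_final(sig, siglen, good, goodlen) != 0;
}

/* Fixed pattern: only the documented success value, 1, counts. */
bool rrsig_verify_fixed(const uint8_t *sig, size_t siglen,
                        const uint8_t *good, size_t goodlen)
{
    return stub_verify_final(sig, siglen, good, goodlen) == 1;
}

/* Constructed inputs: the genuine signature, a forgery of the right
 * length, and a truncated blob an attacker can send to provoke -1. */
static const uint8_t good_sig[DSA_SIG_LEN]   = { 0x01, 0xAA, 0xBB };
static const uint8_t forged_sig[DSA_SIG_LEN] = { 0x01, 0xCC, 0xDD };
static const uint8_t short_sig[3]            = { 0x01, 0xAA, 0xBB };

bool buggy_accepts_truncated(void)
{ return rrsig_verify_buggy(short_sig, sizeof short_sig, good_sig, sizeof good_sig); }
bool fixed_accepts_truncated(void)
{ return rrsig_verify_fixed(short_sig, sizeof short_sig, good_sig, sizeof good_sig); }
bool fixed_accepts_forged(void)
{ return rrsig_verify_fixed(forged_sig, sizeof forged_sig, good_sig, sizeof good_sig); }
bool fixed_accepts_genuine(void)
{ return rrsig_verify_fixed(good_sig, sizeof good_sig, good_sig, sizeof good_sig); }

int main(void)
{
    printf("buggy check, truncated signature: %s\n",
           buggy_accepts_truncated() ? "ACCEPTED (spoofable)" : "rejected");
    printf("fixed check, truncated signature: %s\n",
           fixed_accepts_truncated() ? "accepted" : "rejected");
    printf("fixed check, genuine signature:   %s\n",
           fixed_accepts_genuine() ? "accepted" : "rejected");
    return 0;
}
```

The same `== 1` discipline applies to every OpenSSL verify routine that can return a negative error code; `if (rc)` and `if (rc < 0)` are the two forms that silently turn "could not check" into "checked OK".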
improvements, including, "Additional support for query port randomization
including performance improvement and port range specification."
When building on amd64 ports' configure doesn't properly recognize our
arch, so help it along a bit. [1]
Submitted by: ivan jr sy <ivan_jr@yahoo.com> [1]
- Remove EXTRACT_SUFX as it uses USE_ZIP which automatically sets EXTRACT_SUFX
- Bump PORTREVISION
PR: ports/129812
Submitted by: Joseph S. Atkinson <jsatkinson at embarqmail.com>
Approved by: Alex Samorukov <samm at os2.kiev.ua> (maintainer)
Add a note to pkg-message indicating that ISC declared this version EOL
as of 1 December, but that we will support the port through the RELENG_6
lifetime.
lookups for the .local domain and self-assigned IP addresses, rejecting
others. This can be used to speed up the resolution of non-mdns-registered
host names.
PR: ports/128107
Submitted by: Andrew <andrew@ugh.net.au>
Approved by: Ashish Shukla <wahjava@gmail.com> (maintainer)
traffic. It normally produces binary data in pcap(3) format, either
on standard output or in successive dump files (based on the -w
command line option.) This utility is similar to tcpdump(1), but
has finer grained packet recognition tailored to DNS transactions
and protocol options. dnscap is expected to be used for gathering
continuous research or audit traces.
WWW: https://www.dns-oarc.net/tools/dnscap
PR: ports/127433
Submitted by: Edwin Groothuis <edwin@mavetju.org>
Updates dns/nss_mdns port to v0.10 and changes MAINTAINER
field (as per bms's suggestion). This PR fixes the issue
reported in PR ports/123169, so that PR can be closed.
PR: ports/126952
Submitted by: Ashish Shukla <wahjava@gmail.com>
Approved by: bms@
Specifically, newer autoconf (> 2.13) has different semantics for the
configure target. In short, one should use --build=CONFIGURE_TARGET
instead of CONFIGURE_TARGET directly. Otherwise, you will get a warning
and the old semantics may be removed in later autoconf releases.
To work around this issue, many ports hack the CONFIGURE_TARGET variable
so that it contains the ``--build='' prefix.
To solve this issue, given that some ports still have configure scripts
generated by the old autoconf, we use runtime detection in the
do-configure target so that the proper argument can be used.
Changes to Mk/*:
- Add runtime detection magic in bsd.port.mk
- Remove CONFIGURE_TARGET hack in various bsd.*.mk
- USE_GNOME=gnometarget is now a no-op
Changes to individual ports, other than removing the CONFIGURE_TARGET hack:
= pkg-plist changed (due to the ugly CONFIGURE_TARGET prefix in * executables)
- comms/gnuradio
- science/abinit
- science/elmer-fem
- science/elmer-matc
- science/elmer-meshgen2d
- science/elmerfront
- science/elmerpost
= use x86_64 as ARCH
- devel/g-wrap
= other changes
- print/magicfilter
GNU_CONFIGURE -> HAS_CONFIGURE since it's not generated by autoconf
Total # of ports modified: 1,027
Total # of ports affected: ~7,000 (set GNU_CONFIGURE to yes)
PR: 126524 (obsoletes 52917)
Submitted by: rafan
Tested on: two pointyhat 7-amd64 exp runs (by pav)
Approved by: portmgr (pav)
ZKT is a tool to manage keys and signatures for DNSSEC-zones.
The Zone Key Tool consists of two commands:
- dnssec-zkt to create and list dnssec zone keys and
- dnssec-signer to sign a zone and manage the lifetime of
the zone signing keys
See: http://www.hznet.de/dns/zkt/
PR: ports/126296
Submitted by: Frank Behrens <frank+ports@ilse.behrens.de>
DNS Server Cache. By sending many queries to a DNS server along with fake
replies, an attacker can successfully write a fake new entry into the DNS
cache.
WWW: http://www.securebits.org/dnsmre.html
PR: ports/126189
Submitted by: Tomoyuki Sakurai <cherry at trombik.org>
- Pet portlint
- Remove support for FreeBSD < 5
- Remove file leftover from repocopy
- Bump portepoch
NOTE: Version numbering changed back to 2.9.x instead of 3.x
PR: ports/126270
Submitted by: Ralf van der Enden <tremere@cainites.net> (maintainer)
- performance improvement over the P1 releases, namely
+ significantly remedying the port allocation issues
+ allowing TCP queries and zone transfers while issuing as many
outstanding UDP queries as possible
+ additional security of port randomization at the same level as P1
- also includes fixes for several bugs in the 9.5.0 base code
- Change default OpenLDAP version to 2.4
- Remove OpenLDAP 2.2 support, the port has been gone for some time now
- Add -DDEPRECATED to CFLAGS for all OpenLDAP using ports
PR: ports/123602, ports/124115, ports/125605
Submitted by: delphij, Jens Rehsack <rehsack@web.de>,
Yuri Pankov <yuri.pankov@gmail.com>
- Remove USE_GTK, it's no longer used
PR: ports/123528
Submitted by: mezz
- Use PATCH_WRKSRC instead of WRKSRC in do-patch target
PR: ports/124169
Submitted by: Max Brazhnikov <makc@issp.ac.ru>
- Remove USE_XPM, it's been replaced by USE_XORG+=xpm
PR: ports/124506
Submitted by: Alex Kozlov <spam@rm-rf.kiev.ua>
- Minor fixups for bsd.port.mk
PR: ports/122675
Submitted by: linimon
- Remove stale comment about USE_GETOPT_LONG
PR: ports/124521
Submitted by: Alex Kozlov <spam@rm-rf.kiev.ua>
- Correct comment about default fetch arguments
PR: ports/125334
Submitted by: Gary Palmer <freebsd-gnats@in-addr.com>
of the UDP query-source ports. The server will still use the same query
port for the life of the process, so users for whom the issue of cache
poisoning is highly significant may wish to periodically restart their
server using /etc/rc.d/named restart, or other suitable method.
In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] option.
The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chapter 6 for more information.
Also please note, this issue applies only to UDP query ports. A random
ephemeral port is always chosen for TCP queries.
This issue applies primarily to name servers whose main purpose is to
resolve random queries (sometimes referred to as "caching" servers, or
more properly as "resolving" servers), although even an "authoritative"
name server will make some queries, primarily at startup time.
This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
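The query-source requirement above, as an added named.conf example (not from the port, ISC or the commit): the `options` block that defeats the randomization beside the corrected form. The avoided port numbers are placeholders chosen for the example, not a recommendation.

```conf
// Weak: a fixed port in query-source pins every outgoing UDP query to
// port 53, so the randomization this update provides is never used.
options {
    query-source    address * port 53;
    query-source-v6 address * port 53;
};

// Corrected: no port clause (port * is equivalent), so named chooses the
// source port itself. The firewall in front of this host must then pass
// outbound UDP from, and replies to, the whole unprivileged range.
// avoid-v4-udp-ports / avoid-v6-udp-ports exclude ports the firewall or
// another daemon on the host has claimed (514 and 4000 are assumed here).
options {
    query-source    address *;
    query-source-v6 address *;
    avoid-v4-udp-ports { 514; 4000; };
    avoid-v6-udp-ports { 514; 4000; };
};
```

After changing the file, `rndc reload` is not enough to re-randomize an already running process; as noted above, `/etc/rc.d/named restart` starts a fresh one, and `named-checkconf` should be run first so a syntax slip does not leave the server down.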
Some of the important features of BIND 9 are:
DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library
DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
Improved standards conformance
Views: One server process can provide multiple "views" of the DNS namespace,
e.g. an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support, including working threads in this version
BIND 9.5 has a number of new features over previous versions, including:
GSS-TSIG support (RFC 3645), DHCID support
Experimental http server and statistics support for named via xml
More detailed statistics counters, compatible with the ones supported in BIND 8
Faster ACL processing
Efficient LRU cache cleaning mechanism.
NSID support (RFC 5001).