of the UDP query-source ports. The server will still use the same query
port for the life of the process, so users for whom the issue of cache
poisoning is highly significant may wish to periodically restart their
server using /etc/rc.d/named restart, or other suitable method.
In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] option.
The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chatper 6 for more information.
Also please note, this issue applies only to UDP query ports. A random
ephemeral port is always chosen for TCP queries.
This issue applies primarily to name servers whose main purpose is to
resolve random queries (sometimes referred to as "caching" servers, or
more properly as "resolving" servers), although even an "authoritative"
name server will make some queries, primarily at startup time.
This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447http://www.kb.cert.org/vuls/id/800113http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
Some of the important features of BIND 9 are:
DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library
DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
Improved standards conformance
Views: One server process can provide multiple "views" of the DNS namespace,
e.g. an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support, including working threads in this version
BIND 9.5 has a number of new features over previous versions, including:
GSS-TSIG support (RFC 3645), DHCID support
Experimental http server and statistics support for named via xml
More detailed statistics counters, compatible with the ones supported in BIND 8
Faster ACL processing
Efficient LRU cache cleaning mechanism.
NSID support (RFC 5001).
Rink Springer also asked me if he could maintain his own ports. Change
maitainership of games/sudsol, net/freedbd and net/kissd to Rink.
Approved by: philip (mentor), rink
<joe@joeholden.co.uk>
(reason: 553 5.3.5 system config error)
----- Transcript of session follows -----
553 5.3.5 127.0.0.1. config error: mail loops back to me (MX problem?)
554 5.3.5 Local configuration error
The affected ports are the ones with gettext as a run-dependency
according to ports/INDEX-7 (5007 of them) and the ones with USE_GETTEXT
in Makefile (29 of them).
PR: ports/124340
Submitted by: edwin@
Approved by: portmgr (pav)
According to http://cr.yp.to/distributors.html djbdns is
put into the public domain, therefore the port doesn't need
to be RESTRICTED.
PR: ports/122864
Submitted by: Björn Jonare <rksah@bredband.net>
Approved by: maintainer timeout
Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run as
a server, but are linked into an application) are easily possible.
Goals:
* A validating recursive DNS resolver.
* Code diversity in the DNS resolver monoculture.
* Drop-in replacement for BIND apart from config.
* DNSSEC support.
* Fully RFC compliant.
* High performance
o even with validation.
* Used as
o stub resolver.
o full caching name server.
o resolver library.
* Elegant design of validator, resolver, cache modules.
o provide the ability to pick and choose modules.
* Robust.
* In C, open source: The BSD license.
* Smallest as possible component that does the job.
* Stub-zones can be configured (local data or AS112 zones).
Non-goals:
* An authoritative name server.
* Too many Features.
WWW: http://unbound.net
- Remove USE_XLIB/USE_X_PREFIX/USE_XPM in favor of USE_XORG
- Remove X11BASE support in favor of LOCALBASE or PREFIX
- Use USE_LDCONFIG instead of INSTALLS_SHLIB
- Remove unneeded USE_GCC 3.4+
Thanks to all Helpers:
Dmitry Marakasov, Chess Griffin, beech@, dinoex, rafan, gahr,
ehaupt, nox, itetcu, flz, pav
PR: 116263
Tested on: pointyhat
Approved by: portmgr (pav)
Fix rt.cpan.org #30316 Security issue with Net::DNS Resolver.
Net/DNS/RR/A.pm in Net::DNS 0.60 build 654 allows remote attackers
to cause a denial of service (program "croak") via a crafted DNS
response (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6341). Packet
parsing routines are now enclosed in eval blocks to trap exception
and avoid premature termination of user program.
Used ideas from:
PR: ports/120702
Submitted by: Felippe de Meirelles Motta <lippemail@gmail.com>
where the portname does not match the projects hostname.
PR: ports/121453 (related)
Submitted by: Edwin Groothuis <edwin@mavetju.org>
Reviewed by: pav@
took the IPv6 address even if you used the -4 option.
- Fix false lame server issues with domains which have the
higher domain in it (command.com for example).
responses.
It is designed to be used in conjunction with an existing recursive DNS resolver
in order to protect networks against DNS rebinding attacks.
interrogation success for a list of IP addresses against a list of DNSBL's.
The module is used to implement the reproting script dnsblstat.
WWW: http://search.cpan.org/dist/Net-DNSBL-Statistics/
PR: ports/119424
Submitted by: Jin-Shan Tseng <tjs at cdpa.nsysu.edu.tw>
Actually, the maintainer submits the rc script which uses 'name=noip2'.
After some discussion with him, I changed it to use noip in order to
match its port name, but forget to properly set $command.
Pointy hat to: rafan
Reported by: Andrea Venturoli <ml at netfence.it>
Approved by: maintainer (implicit)
PLIST_SUB, so deleting them will not change the package. Therefore
no PORTREVISION bump.
PR: ports/119458
Submitted by: Philippe Audeoud <jadawin@tuxaco.net>
directly frobbing packets or calling Net::DNS::RR->new_from_data()
(which you should not be doing anyway) then you should read the changelog
carefully and review/test your code before committing to this version.
2. Remove support for old Perl.
* updated noip2.c: added SkipHeaders() instead of the magic 6 line pass
* Changed to ip1.dynupdate.no-ip.com for ip retrieval
* added fclose() for stdin, stdout & stderr to child
* made Force_Update work on 30 day intervals
* added version number into shared mem and -S display
PR: 118989
Submitted by: Kay Abendroth <kay.abendroth@raxion.net> (maintainer)
