the following new features:
* BIND now supports a new zone type, static-stub. This allows the
administrator of a recursive nameserver to force queries for a
particular zone to go to IP addresses of the administrator's choosing,
on a per zone basis, both globally or per view.
* BIND now supports Response Policy Zones, a way of expressing
"reputation" in real time via specially constructed DNS zones. See the
draft specification here:
http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
* Dynamically Loadable Zones (DLZ) now support dynamic updates.
Contributed by Andrew Tridgell of the Samba Project.
* Added a "dlopen" DLZ driver, allowing the creation of external DLZ
drivers that can be loaded as shared objects at runtime rather than
having to be linked with named at compile time. Currently this is
switched on via a compile-time option, "configure --with-dlz-dlopen".
Note: the syntax for configuring DLZ zones is likely to be refined in
future releases. Contributed by Andrew Tridgell of the Samba Project.
* numerous GSS-TSIG improvements
* There is a new update-policy match type "external". This allows
named to decide whether to allow a dynamic update by checking with an
external daemon. Contributed by Andrew Tridgell of the Samba Project.
* many other improvements
Feature safe: yes
2010-12-30 databases/p5-sqlrelay: broken and upstream disappeared
2010-12-30 devel/php-dbg2: No upstream support
2010-12-30 dns/fourcdns: upstream has disappeared
2010-12-31 emulators/win4bsd: Development has ceased and distfile is no longer available
2010-12-31 french/mozilla-flp: www/seamonkey port is deprecated. Consider using www/firefox-i18n.
2010-12-31 french/xtel: Minitel services will be discontinued at the end of 2010.
2010-12-30 ftp/ftpq: upstream has disappeared
2010-12-30 graphics/paintlib: does not compile with new tiff and no longer maintained upstream
2010-12-30 graphics/g3dviewer: does not build with gcc 4.2, upstream disappeared
2010-12-30 lang/scriba: Does not compile with gcc 4.2+, looks like abandonware
2010-12-30 math/rascal: Broken on every arch since 2008, looks like abandonware
2010-12-31 net-mgmt/nrg: Project has vanished. Use cacti instead.
2010-12-31 security/hostsentry: Project is dead.
2010-12-31 sysutils/kcube: Project has vanished
2010-12-31 www/cybercalendar: has been unmaintained since 2001 and is unusable with dates after 2010 (see ports/150974)
2010-12-31 www/flock: Flock 3 moves from Firefox to Chromium
2010-12-31 www/linux-flock: Flock 3 moves from Firefox to Chromium
2010-12-30 x11-clocks/xtu: Looks like abandonware
Leave java/tya in for now, as it has outstanding PRs.
with DNS64. Once 9.8.0 is released officially the -devel tag will be
removed.
BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND
architecture. Some of the important features of BIND 9 are:
DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library
DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
Improved standards conformance
Views: One server process can provide multiple "views" of the DNS namespace,
e.g. an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support
BIND 9.8 includes a number of changes from BIND 9.7 and earlier releases,
including:
Preliminary DNS64 support (AAAA synthesis only initially)
See the CHANGES file for more information on features.
WWW: https://www.isc.org/software/bind
the following security vulnerability.
For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
Key algorithm rollover
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
Affects resolver operators who are validating with DNSSEC,
and querying zones which are in a key rollover period.
The bug will cause answers to incorrectly be marked as insecure.
For the port:
1. Add CONFLICT for the ../bind-tools port
2. Remove CONFLICT for the removed ../bind9 port
3. Remove OPTION for threads on < RELENG_7
4. Remove MD5 from distinfo
5. Switch to pkg-install to create the symlinks to /etc/namedb/ as
requested in [1]
PR: ports/151635 [1]
Submitted by: Benjamin Lee <ben@b1c1l1.com> [1]
the following security vulnerabilities.
For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
1. Cache incorrectly allows ncache and rrsig for the same type
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
Affects resolver operators whose servers are open to potential
attackers. Triggering the bug will cause the server to crash.
This bug applies even if you do not have DNSSEC enabled.
2. Using "allow-query" in the "options" or "view" statements to
restrict access to authoritative zones has no effect.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3615
Affects authoritative server operators who wish to generally
restrict queries to their authoritative zones, and are running
9.6.2-P2 or any version of 9.7.x. The bug will allow unauthorized
end users to receive answers to queries they should not.
For the port:
1. Add CONFLICT for the ../bind-tools port
2. Remove CONFLICT for the removed ../bind9 port
3. Remove OPTION for threads on < RELENG_7
4. Switch to pkg-install to create the symlinks to /etc/namedb/ as
requested in [1]
PR: ports/151635 [1]
Submitted by: Benjamin Lee <ben@b1c1l1.com> [1]
1. Add CONFLICT for the ../bind-tools port
2. Remove CONFLICT for the removed ../bind9 port
3. Remove OPTION for threads on < RELENG_7
4. Remove MD5 from distinfo
5. Switch to pkg-install to create the symlinks to /etc/namedb/ as
requested in [1]
PR: ports/151635 [1]
Submitted by: Benjamin Lee <ben@b1c1l1.com> [1]
the following security vulnerabilities.
For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
1. Cache incorrectly allows ncache and rrsig for the same type
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
Affects resolver operators whose servers are open to potential
attackers. Triggering the bug will cause the server to crash.
This bug applies even if you do not have DNSSEC enabled.
2. Using "allow-query" in the "options" or "view" statements to
restrict access to authoritative zones has no effect.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3615
Affects authoritative server operators who wish to generally
restrict queries to their authoritative zones, and are running
9.6.2-P2 or any version of 9.7.x. The bug will allow unauthorized
end users to receive answers to queries they should not.
3. Key algorithm rollover
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
Affects resolver operators who have 9.7.2-P2 installed,
are validating with DNSSEC, and querying zones which are
in a key rollover period. The bug will cause answers to
incorrectly be marked as insecure.
For the port:
1. Add CONFLICT for the ../bind-tools port
2. Switch to pkg-install to create the symlinks to /etc/namedb/ as
requested in [1]
PR: ports/151635 [1]
Submitted by: Benjamin Lee <ben@b1c1l1.com> [1]
- support reload command
- use the nsdc cli as command and let it perform the actual start, stop, ... of the daemon
- at start, check if the database exists and, if not, build it (this prevents the daemon from failing at startup)
- remove the now useless sleep in stop command
bump portrevision
PR: ports/152331
Submitted by: Philippe Pepiot <phil _at_ philpep.org>
Approved by: Jaap Akkerhuis <jaap _at_ NLnetLabs.nl> (maintainer)
using PHP5 objects, exceptions for error handling, better sockets support.
This release is (in most cases) 2x - 10x faster than Net_DNS, includes more
RRs (including DNSSEC RRs), and has improved sockets and streams support.
WWW: http://pear.php.net/package/Net_DNS2/
hopefully also understand the workings of the Domain Name System. When a
domain (aka zone) is submitted to DNSCheck, it will investigate the domain's
general health by performing various tests and sanity checks.
WWW: http://dnscheck.iis.se/
PR: ports/148370
Submitted by: dnscheckengine-port at academ.com (Stan Barber)
Approved by: tabthorpe (mentor)
- connect to license framework
- add special patch from glarkin to ensure daemon detach from tty,
change some printf to use the warning function instead.
PR: 148586
Submitted by: Chris Howey <howeyc _at_ gmail.com>
Approved by: maintainer, glarkin (mentor)
If a query is made explicitly for a record of type 'RRSIG' to a validating
recursive server running BIND 9.7.1 or 9.7.1-P1, and the server has one or
more trust anchors configured statically and/or via DLV, then if the answer
is not already in cache, the server enters a loop which repeatedly generates
queries for RRSIGs to the authoritative servers for the zone containing the
queried name.
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0213
CERT: http://www.kb.cert.org/vuls/id/211905
Versions affected: 9.7.1, 9.7.1-P1
Severity: High
Exploitable: remotely
http://www.isc.org/software/bind/advisories/cve-2010-0213
code where the 9.7.x series tightened its adherence to the DNS protocol
as written, vs. the 9.6.x series which was more liberal in what it accepted.
Specifically:
1. Restore processing of certain forms of negative responses that do
not contain all of the required elements to avoid aggressive
re-querying of authority servers.
2. Accept answers from authority servers without the AA bit set
if they meet the other requirements of an answer packet.
More detail can be found here:
https://www.isc.org/community/blog/201007/compatibility-issues-bind-970-and-971
(QNAME,QTYPE) by prespecified answers. This class is to be used in test suites
where you want to have servers to show predefined behavior.
The server will do a lookup based on QNAME,QTYPE and return the specified
data. If there is no QNAME,QTYPE match the server will return a SERVFAIL.
A log will be written to STDERR; it contains time, IP/PORT, QNAME, QTYPE and RCODE.
WWW: http://search.cpan.org/dist/Net-DNS-TestNS/
PR: ports/148161
Submitted by: Sunpoet Po-Chuan Hsieh <sunpoet@sunpoet.net>
Feature safe: yes
fix was too hasty. Employ a more robust fix that removes the _perl_ dep for
both this file and bind9.xsl.h. The pre-generated versions of these files
are identical to the newly generated ones, which is why this perl issue
never came up previously.
I still have reservations about baking the ISC DLV key into named, but given
that this was already done in 9.7.0+ at least this way we don't violate POLA.
which is a problem, however what it's doing is baking the ISC
DLV key into named which is not something I think is reasonable
to do by default.
So, instead of adding perl as a build dependency eliminate the
need for the file altogether.
This version has numerous minor bug fixes, please refer to the
CHANGES file for details. Many (but not all) of the fixes are
DNSSEC-related, and all users who are doing DNSSEC validation
are encouraged to upgrade to this version.
This release was inadvertently dubbed 2.54 in its logging by Simon Kelley,
so adjust our PORTVERSION to match that, but still build the 2.53 tarball.
Simon will treat 2.53 and 2.54 the same and release 2.55 next time.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2010q2/004105.html
Check work/dnsmasq-2.53/src/config.h for VERSION after "make extract" to see.
Approved by: garga (mentor)
- actually pass the options-enabled arguments to the configure script!
- add the "hide symbols" configurable knob, though I've no idea why
anybody would want to turn that off... except maybe for debugging
- install the "acountry", "adig", and "ahost" programs, since they do
come in useful every now and then
- refresh the patches and add descriptions at the top
related to the handling of broken DNSSEC trust chains.
This fix is only necessary for those who have DNSSEC validation
enabled and configure trust anchors from third parties, either
manually, or through a system like DLV.
security patches to the 9.6.1 version, as well as many other bug fixes.
Due to the fact that the DNSSEC algorithm that will be used to sign the
root zone is only included in this version and in 9.7.x those who wish
to do validation MUST upgrade to one of these prior to July 2010.
Feature safe: yes
asynchronously. It is an asynchronous wrapper around getaddrinfo(3),
getnameinfo(3), res_query(3) and res_search(3) from libc and libresolv.
In contrast to GNU's asynchronous name resolving API getaddrinfo_a(),
libasyncns does not make use of UNIX signals for reporting completion of name
queries. Instead, the API exports a standard UNIX file descriptor which may be
integrated cleanly into custom main loops.
In contrast to asynchronous DNS resolving libraries like libdenise, skadns,
adns, libasyncns is just an asynchronous wrapper around the libc's synchronous
getaddrinfo() API, which has the advantage of allowing name resolution using
techniques like Multicast DNS, LDAP or NIS using standard libc NSS (Name
Service Switch) modules. libasyncns is compatible with IPv6 if the underlying
libc is.
libasyncns is very tiny, consisting of just one header and one source file. It
has no dependencies besides libc.
WWW: http://0pointer.de/lennart/projects/libasyncns/
from ISC. It has numerous bug fixes compared to 9.4.3*, however
in the case of this version "extended" only applies till 2010/12/31
so serious BIND users are still encouraged to upgrade to 9.6.x.
child processes must not shutdown() their sockets
* Fixes and reports a problem occurring with jumping system time,
as reported when running inside some virtual machine. Time jumps
are reported to the log with loglevel NOTICE.
* Delegation now has precedence over wildcard matching
Thanks to Fab for the fix
Fixes bugs #0000038, #0000042
PR: 143223
Submitted by: Hung-Yi Chen <gaod@hychen.org> (maintainer)
Update to new upstream release 2.52. Changelog excerpt below the approval.
Approved by: miwi (mentor)
Upstream changelog excerpt (omitting Linux, Solaris and MacOS X specifics):
[...] Re-read the set of network interfaces when re-loading /etc/resolv.conf
if --bind-interfaces is not set. This handles the case that loopback
interfaces do not exist when dnsmasq is first started.
Tweak the PXE code to support port 4011. This should reduce broadcasts and
make things more reliable when other servers are around. It also improves
inter-operability with certain clients.
Make a pxe-service configuration with no filename or boot service type legal:
this does a local boot. e.g. pxe-service=x86PC, "Local boot"
Be more conservative in detecting "A for A" queries. Dnsmasq checks if the
name in a type=A query looks like a dotted-quad IP address and answers the
query itself if so, rather than forwarding it. Previously dnsmasq relied on
the library function inet_addr() to convert addresses, and that will accept
some things which are confusing in this context, like 1.2.3 or even just
1234. Now we only do A for A processing for four decimal numbers delimited by
dots.
[...]
Increased the default limit on number of leases to 1000 (from 150). This is
mainly a defence against DoS attacks, and for the average "one for two class
C networks" installation, IP address exhaustion does that just as well.
Making the limit greater than the number of IP addresses available in such an
installation removes a surprise which otherwise can catch people out.
Removed extraneous trailing space in the value of the DNSMASQ_TIME_REMAINING
DNSMASQ_LEASE_LENGTH and DNSMASQ_LEASE_EXPIRES environment variables. Thanks
to Gildas Le Nadan for spotting this.
Provide the network-id tags for a DHCP transaction to the lease-change script
in the environment variable DNSMASQ_TAGS. A good suggestion from Gildas Le
Nadan.
Add support for RFC3925 "Vendor-Identifying Vendor Options". The syntax looks
like this:
--dhcp-option=vi-encap:<enterprise number>, .........
Add support to --dhcp-match to allow matching against RFC3925
"Vendor-Identifying Vendor Classes". The syntax looks like this:
--dhcp-match=tag,vi-encap<enterprise number>, <value>
Add some application specific code to assist in implementing the Broadband
forum TR069 CPE-WAN specification. The details are in contrib/CPE-WAN/README
Increase the default DNS packet size limit to 4096, as recommended by RFC5625
section 4.4.3. This can be reconfigured using --edns-packet-max if needed.
Thanks to Francis Dupont for pointing this out.
Rewrite query-ids even for DNSSEC signed packets, since this is allowed by
RFC5625 section 4.5.
[...]
Fix link error when including Dbus but excluding DHCP.
Thanks to Oschtan for the bug report.
Updated French translation. Thanks to Gildas Le Nadan.
Updated Polish translation. Thanks to Jan Psota.
Updated Spanish translation. Thanks to Chris Chatham.
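The "A for A" change in the dnsmasq changelog above is worth seeing side by side: the permissive libc parser (inet_addr()/inet_aton()) accepts partial, single-number, hex and octal forms, so a query name that merely looks numeric could be answered locally instead of being forwarded. The following is an added example, not dnsmasq code or anything from the port; it contrasts the libc behaviour (via Python's socket.inet_aton, which wraps the same libc routine) with a strict dotted-quad check. The 0..255 range check and the rejection of leading zeros are assumptions that go slightly beyond the changelog's "four decimal numbers delimited by dots"; the sample query names are constructed.

```python
import socket

# Constructed sample query names (not taken from any real traffic).
SAMPLE_QNAMES = ["1.2.3.4", "1.2.3", "1234", "0x7f.0.0.1", "256.1.1.1",
                 "01.2.3.4", "www.example.com", "1.2.3.4.5", ""]


def liberal_is_address(name):
    """Permissive check in the style of inet_addr()/inet_aton(): the libc
    parser also accepts partial ('1.2.3'), single-number ('1234'), hex and
    octal forms, so a name that merely looks numeric passes as an address."""
    try:
        socket.inet_aton(name)
        return True
    except OSError:
        return False


def strict_is_dotted_quad(name):
    """Strict check: exactly four decimal fields separated by single dots.
    Assumptions beyond the changelog wording: each field is 0..255 and has
    no leading zero, so octal-looking forms such as '01.2.3.4' are rejected
    rather than silently reinterpreted."""
    fields = name.split(".")
    if len(fields) != 4:
        return False
    for f in fields:
        if not f or len(f) > 3 or any(c not in "0123456789" for c in f):
            return False
        if len(f) > 1 and f[0] == "0":
            return False
        if int(f) > 255:
            return False
    return True


def answer_a_for_a_locally(qname, qtype):
    """Decide whether a type=A query is answered locally instead of being
    forwarded upstream: only when the name is a genuine dotted quad."""
    return qtype == "A" and strict_is_dotted_quad(qname)


def divergent_names(names):
    """Names the permissive parser accepts but the strict one rejects: these
    are exactly the queries that would previously have been answered locally
    and are now forwarded like any other hostname."""
    return [n for n in names
            if liberal_is_address(n) and not strict_is_dotted_quad(n)]


if __name__ == "__main__":
    for n in SAMPLE_QNAMES:
        print(f"{n!r:20} liberal={liberal_is_address(n)!s:5} "
              f"strict={strict_is_dotted_quad(n)}")
    print("divergent:", divergent_names(SAMPLE_QNAMES))
```

Run it as a script to see which of the sample names the two checks disagree on; "1.2.3" and "1234" are the cases the changelog calls out.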
DNSSEC. It secures zone data just before it is published in an
authoritative name server.
WWW: http://www.opendnssec.org
PR: ports/142103
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl>
to thoroughly test this version before updating production systems.
For the port, introduce a new dependency, security/p5-Digest-SHA
Changes in this version, in addition to numerous minor bug fixes:
Feature: Truncation for Nameserver
TAKE CARE:
this feature may cause unexpected behavior for your nameservers
Net::DNS::Packet::truncate is a new method that is called from
within Net::DNS::Nameserver that truncates a packet according to
the rules of RFC2181 section 9.
Feature: Added Net::DNS::Domain
Net::DNS::Domain is an attempt to consistently approach the various
ways we interface with what RFC 1035 calls <domain-name>.
Feature: KX RR
Added support for the KX RR, RFC2230
Feature: HIP RR
Added support for the HIP RR, RFC5205
Feature: DHCID RR
Added rudimentary support for the DHCID RR.
Fix improved fuzzy matching of CLASS and TYPE in the Question
constructor method.
Fix AAAA dynamic update
PR: ports/136065 ports/127469
Submitted by: N.J. Mann <njm@njm.me.uk> and Aldis Berjoza <killasmurf86@gmail.com>
- Early identify port CONFLICTS
PR: 137855
Submitted by: Piotr Smyrak <smyru@heron.pl>
- Add --no-same-permissions to the EXTRACT_AFTER_ARGS command.
Tijl Coosemans has reported an issue that when root is extracting from the
tarball, and the tarball contains world writable files
(sysutils/policykit as an example), there is a chance that the files
get changed by malicious third parties right after the extraction,
which makes it possible to inject code into the package and thus compromise
the system.
Submitted by: Tijl Coosemans <tijl@coosemans.org> Xin LI (delphij@)
- Fix some whitespaces
Tested with: exp-run
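The --no-same-permissions change above addresses archives whose members carry world-writable modes: extracted as root without a umask applied, such files are writable by any local user for the window between extraction and build. As an added example, not code from the ports framework or from bsdtar, the following builds a small constructed tarball in memory, lists the members that would be extracted world-writable, and shows the modes that result once the extracting umask is applied (which is what --no-same-permissions does). The entry names, modes and the 022 umask are constructed assumptions.

```python
import io
import stat
import tarfile

# umask assumed to be in effect while the framework extracts as root.
DEFAULT_UMASK = 0o022


def build_sample_tarball():
    """Build a constructed tarball in memory (not a real distfile) with one
    correctly-permissioned file, one world-writable script and one
    world-writable sticky directory."""
    entries = [
        ("pkg/README", 0o644, tarfile.REGTYPE),
        ("pkg/configure", 0o777, tarfile.REGTYPE),
        ("pkg/tmp", 0o1777, tarfile.DIRTYPE),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, ftype in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.type = ftype
            if ftype == tarfile.REGTYPE:
                payload = b"constructed file content\n"
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:
                tar.addfile(info)
    return buf.getvalue()


def world_writable_entries(tar_bytes):
    """Members whose recorded mode has the other-write bit set; these are the
    files that would be left writable by any local user when extracted as
    root with the archive's permissions preserved."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name.rstrip("/") for m in tar.getmembers()
                if m.mode & stat.S_IWOTH]


def modes_with_umask(tar_bytes, umask=DEFAULT_UMASK):
    """Modes that result when the extracting umask is applied to each
    member, i.e. the effect of --no-same-permissions: group and other write
    bits are cleared, other bits (including the sticky bit) are kept."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return {m.name.rstrip("/"): m.mode & ~umask for m in tar.getmembers()}


if __name__ == "__main__":
    tb = build_sample_tarball()
    print("world-writable members:", world_writable_entries(tb))
    for name, mode in modes_with_umask(tb).items():
        print(f"{name:15} -> {mode:05o}")
```

Pointing world_writable_entries() at the bytes of a real distfile gives a quick pre-extraction audit; a non-empty result is the situation the commit message describes.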