the following security vulnerability.
For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
Key algorithm rollover
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
Affects resolver operators who are validating with DNSSEC,
and querying zones which are in a key rollover period.
The bug will cause answers to incorrectly be marked as insecure.
For the port:
1. Add CONFLICT for the ../bind-tools port
2. Remove CONFLICT for the removed ../bind9 port
3. Remove OPTION for threads on < RELENG_7
4. Remove MD5 from distinfo
5. Switch to pkg-install to create the symlinks to /etc/namedb/ as
requested in [1]
PR: ports/151635 [1]
Submitted by: Benjamin Lee <ben@b1c1l1.com> [1]
the following security vulnerabilities.
For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
1. Cache incorrectly allows ncache and rrsig for the same type
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
Affects resolver operators whose servers are open to potential
attackers. Triggering the bug will cause the server to crash.
This bug applies even if you do not have DNSSEC enabled.
2. Using "allow-query" in the "options" or "view" statements to
restrict access to authoritative zones has no effect.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3615
Affects authoritative server operators who wish to generally
restrict queries to their authoritative zones, and are running
9.6.2-P2 or any version of 9.7.x. The bug will allow unauthorized
end users to receive answers to queries they should not.
For the port:
1. Add CONFLICT for the ../bind-tools port
2. Remove CONFLICT for the removed ../bind9 port
3. Remove OPTION for threads on < RELENG_7
4. Switch to pkg-install to create the symlinks to /etc/namedb/ as
requested in [1]
PR: ports/151635 [1]
Submitted by: Benjamin Lee <ben@b1c1l1.com> [1]
1. Add CONFLICT for the ../bind-tools port
2. Remove CONFLICT for the removed ../bind9 port
3. Remove OPTION for threads on < RELENG_7
4. Remove MD5 from distinfo
5. Switch to pkg-install to create the symlinks to /etc/namedb/ as
requested in [1]
PR: ports/151635 [1]
Submitted by: Benjamin Lee <ben@b1c1l1.com> [1]
the following security vulnerabilities.
For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
1. Cache incorrectly allows ncache and rrsig for the same type
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
Affects resolver operators whose servers are open to potential
attackers. Triggering the bug will cause the server to crash.
This bug applies even if you do not have DNSSEC enabled.
2. Using "allow-query" in the "options" or "view" statements to
restrict access to authoritative zones has no effect.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3615
Affects authoritative server operators who wish to generally
restrict queries to their authoritative zones, and are running
9.6.2-P2 or any version of 9.7.x. The bug will allow unauthorized
end users to receive answers to queries they should not.
3. Key algorithm rollover
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
Affects resolver operators who have 9.7.2-P2 installed,
are validating with DNSSEC, and querying zones which are
in a key rollover period. The bug will cause answers to
incorrectly be marked as insecure.
For the port:
1. Add CONFLICT for the ../bind-tools port
2. Switch to pkg-install to create the symlinks to /etc/namedb/ as
requested in [1]
PR: ports/151635 [1]
Submitted by: Benjamin Lee <ben@b1c1l1.com> [1]
- support reload command
- use nsdc cli as command and let it perform the actual start,stop,... of the daemon
- at start, check if the database exists; if not, build it (this prevents the daemon from failing at start)
- remove the now useless sleep in stop command
bump portrevision
PR: ports/152331
Submitted by: Philippe Pepiot <phil _at_ philpep.org>
Approved by: Jaap Akkerhuis <jaap _at_ NLnetLabs.nl> (maintainer)
using PHP5 objects, exceptions for error handling, better sockets support.
This release is (in most cases) 2x - 10x faster than Net_DNS, as well as
includes more RR's (including DNSSEC RR's), and improved sockets and streams
support.
WWW: http://pear.php.net/package/Net_DNS2/
hopefully also understand the workings of the Domain Name System. When a
domain (aka zone) is submitted to DNSCheck, it will investigate the
general health by performing various tests and sanity checks.
WWW: http://dnscheck.iis.se/
PR: ports/148370
Submitted by: dnscheckengine-port at academ.com (Stan Barber)
Approved by: tabthorpe (mentor)
- connect to license framework
- add special patch from glarkin to ensure daemon detach from tty,
change some printf to use the warning function instead.
PR: 148586
Submitted by: Chris Howey <howeyc _at_ gmail.com>
Approved by: maintainer, glarkin (mentor)
If a query is made explicitly for a record of type 'RRSIG' to a validating
recursive server running BIND 9.7.1 or 9.7.1-P1, and the server has one or
more trust anchors configured statically and/or via DLV, then if the answer
is not already in cache, the server enters a loop which repeatedly generates
queries for RRSIGs to the authoritative servers for the zone containing the
queried name.
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0213
CERT: http://www.kb.cert.org/vuls/id/211905
Versions affected: 9.7.1, 9.7.1-P1
Severity: High
Exploitable: remotely
http://www.isc.org/software/bind/advisories/cve-2010-0213
code where the 9.7.x series tightened its adherence to the DNS protocol
as written, vs. the 9.6.x series which was more liberal in what it accepted.
Specifically:
1. Restore processing of certain forms of negative responses that do
not contain all of the required elements to avoid aggressive
re-querying of authority servers.
2. Accept answers from authority servers without the AA bit set
if they meet the other requirements of an answer packet.
More detail can be found here:
https://www.isc.org/community/blog/201007/compatibility-issues-bind-970-and-971
(QNAME,QTYPE) by prespecified answers. This class is to be used in test suites
where you want to have servers to show predefined behavior.
The server will do a lookup based on QNAME,QTYPE and return the specified
data. If there is no QNAME, QTYPE match the server will return a SERVFAIL.
A log will be written to STDERR; it contains time, IP/PORT, QNAME, QTYPE, RCODE.
WWW: http://search.cpan.org/dist/Net-DNS-TestNS/
PR: ports/148161
Submitted by: Sunpoet Po-Chuan Hsieh <sunpoet@sunpoet.net>
Feature safe: yes
fix was too hasty. Employ a more robust fix that removes the _perl_ dep for
both this file and bind9.xsl.h. The pre-generated versions of these files
are identical to the newly generated ones, which is why this perl issue
never came up previously.
I still have reservations about baking the ISC DLV key into named, but given
that this was already done in 9.7.0+ at least this way we don't violate POLA.
which is a problem, however what it's doing is baking the ISC
DLV key into named which is not something I think is reasonable
to do by default.
So, instead of adding perl as a build dependency eliminate the
need for the file altogether.
This version has numerous minor bug fixes, please refer to the
CHANGES file for details. Many (but not all) of the fixes are
DNSSEC-related, and all users who are doing DNSSEC validation
are encouraged to upgrade to this version.
This release was inadvertently dubbed 2.54 in its logging by Simon Kelley,
so adjust our PORTVERSION to match that, but still build the 2.53 tarball.
Simon will treat 2.53 and 2.54 the same and release 2.55 next time.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2010q2/004105.html
Check work/dnsmasq-2.53/src/config.h for VERSION after "make extract" to see.
Approved by: garga (mentor)