kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc/net/bind910/PLIST

457 lines
11 KiB
Text
Raw Normal View History

Fix bind.keys PLIST handling, thanks joerg@ for the notice.
2017-02-24 16:46:14 +01:00
@comment $NetBSD: PLIST,v 1.8 2017/02/24 15:46:14 fhajny Exp $
Initial import of BIND 9.10.
2014-07-02 04:42:57 +02:00
bin/bind9-config
bin/delv
bin/dig
bin/host
bin/isc-config.sh
bin/nslookup
bin/nsupdate
${PLIST.inet6}include/isc/ipv6.h
include/bind9/check.h
include/bind9/getaddresses.h
include/bind9/version.h
include/dns/acache.h
include/dns/acl.h
include/dns/adb.h
include/dns/bit.h
include/dns/byaddr.h
include/dns/cache.h
include/dns/callbacks.h
include/dns/cert.h
include/dns/client.h
include/dns/clientinfo.h
include/dns/compress.h
include/dns/db.h
include/dns/dbiterator.h
include/dns/dbtable.h
include/dns/diff.h
include/dns/dispatch.h
include/dns/dlz.h
include/dns/dlz_dlopen.h
include/dns/dns64.h
include/dns/dnssec.h
include/dns/ds.h
include/dns/dsdigest.h
include/dns/ecdb.h
include/dns/enumclass.h
include/dns/enumtype.h
include/dns/events.h
include/dns/fixedname.h
include/dns/forward.h
include/dns/geoip.h
include/dns/iptable.h
include/dns/journal.h
include/dns/keydata.h
include/dns/keyflags.h
include/dns/keytable.h
include/dns/keyvalues.h
include/dns/lib.h
include/dns/log.h
include/dns/lookup.h
include/dns/master.h
include/dns/masterdump.h
include/dns/message.h
include/dns/name.h
include/dns/ncache.h
include/dns/nsec.h
include/dns/nsec3.h
include/dns/opcode.h
include/dns/order.h
include/dns/peer.h
include/dns/portlist.h
include/dns/private.h
include/dns/rbt.h
include/dns/rcode.h
include/dns/rdata.h
include/dns/rdataclass.h
include/dns/rdatalist.h
include/dns/rdataset.h
include/dns/rdatasetiter.h
include/dns/rdataslab.h
include/dns/rdatastruct.h
include/dns/rdatatype.h
include/dns/request.h
include/dns/resolver.h
include/dns/result.h
include/dns/rootns.h
include/dns/rpz.h
include/dns/rriterator.h
include/dns/rrl.h
include/dns/sdb.h
include/dns/sdlz.h
include/dns/secalg.h
include/dns/secproto.h
include/dns/soa.h
include/dns/ssu.h
include/dns/stats.h
include/dns/tcpmsg.h
include/dns/time.h
include/dns/timer.h
include/dns/tkey.h
include/dns/tsec.h
include/dns/tsig.h
include/dns/ttl.h
include/dns/types.h
include/dns/update.h
include/dns/validator.h
include/dns/version.h
include/dns/view.h
include/dns/xfrin.h
include/dns/zone.h
include/dns/zonekey.h
include/dns/zt.h
include/dst/dst.h
include/dst/gssapi.h
include/dst/lib.h
include/dst/result.h
include/irs/context.h
include/irs/dnsconf.h
include/irs/netdb.h
include/irs/platform.h
include/irs/resconf.h
include/irs/types.h
include/irs/version.h
include/isc/aes.h
include/isc/app.h
include/isc/assertions.h
include/isc/atomic.h
include/isc/backtrace.h
include/isc/base32.h
include/isc/base64.h
include/isc/bind9.h
include/isc/boolean.h
include/isc/buffer.h
include/isc/bufferlist.h
include/isc/commandline.h
include/isc/condition.h
Update bind910 to 9.10.1pl1 (BIND 9.10.1-P1). --- 9.10.1-P1 released --- 4006. [security] A flaw in delegation handling could be exploited to put named into an infinite loop. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and the number of iterative queries that it will send (default 50) before terminating a recursive query (CVE-2014-8500). The recursion depth limit is configured via the "max-recursion-depth" option, and the query limit via the "max-recursion-queries" option. [RT #37580] 4003. [security] When geoip-directory was reconfigured during named run-time, the previously loaded GeoIP data could remain, potentially causing wrong ACLs to be used or wrong results to be served based on geolocation (CVE-2014-8680). [RT #37720] 4002. [security] Lookups in GeoIP databases that were not loaded could cause an assertion failure (CVE-2014-8680). [RT #37679] 4001. [security] The caching of GeoIP lookups did not always handle address families correctly, potentially resulting in an assertion failure (CVE-2014-8680). [RT #37672]
2014-12-08 22:59:09 +01:00
include/isc/counter.h
Initial import of BIND 9.10.
2014-07-02 04:42:57 +02:00
include/isc/crc64.h
include/isc/dir.h
include/isc/entropy.h
include/isc/error.h
include/isc/event.h
include/isc/eventclass.h
include/isc/file.h
include/isc/formatcheck.h
include/isc/fsaccess.h
include/isc/hash.h
include/isc/heap.h
include/isc/hex.h
include/isc/hmacmd5.h
include/isc/hmacsha.h
include/isc/httpd.h
include/isc/int.h
include/isc/interfaceiter.h
include/isc/iterated_hash.h
include/isc/json.h
include/isc/keyboard.h
include/isc/lang.h
include/isc/lex.h
include/isc/lfsr.h
include/isc/lib.h
include/isc/list.h
include/isc/log.h
include/isc/magic.h
include/isc/md5.h
include/isc/mem.h
include/isc/msgcat.h
include/isc/msgs.h
include/isc/mutex.h
include/isc/mutexblock.h
include/isc/net.h
include/isc/netaddr.h
include/isc/netdb.h
include/isc/netscope.h
include/isc/offset.h
include/isc/once.h
include/isc/ondestroy.h
include/isc/os.h
include/isc/parseint.h
include/isc/platform.h
include/isc/pool.h
include/isc/portset.h
include/isc/print.h
include/isc/queue.h
include/isc/quota.h
include/isc/radix.h
include/isc/random.h
include/isc/ratelimiter.h
include/isc/refcount.h
include/isc/regex.h
include/isc/region.h
include/isc/resource.h
include/isc/result.h
include/isc/resultclass.h
include/isc/rwlock.h
include/isc/safe.h
include/isc/serial.h
include/isc/sha1.h
include/isc/sha2.h
include/isc/sockaddr.h
include/isc/socket.h
include/isc/stat.h
include/isc/stats.h
include/isc/stdio.h
include/isc/stdlib.h
include/isc/stdtime.h
include/isc/strerror.h
include/isc/string.h
include/isc/symtab.h
include/isc/syslog.h
include/isc/task.h
include/isc/taskpool.h
include/isc/thread.h
include/isc/time.h
include/isc/timer.h
include/isc/tm.h
include/isc/types.h
include/isc/util.h
include/isc/version.h
include/isc/xml.h
include/isccc/alist.h
include/isccc/base64.h
include/isccc/cc.h
include/isccc/ccmsg.h
include/isccc/events.h
include/isccc/lib.h
include/isccc/result.h
include/isccc/sexpr.h
include/isccc/symtab.h
include/isccc/symtype.h
include/isccc/types.h
include/isccc/util.h
include/isccc/version.h
include/isccfg/aclconf.h
include/isccfg/cfg.h
include/isccfg/dnsconf.h
include/isccfg/grammar.h
include/isccfg/log.h
include/isccfg/namedconf.h
include/isccfg/version.h
include/lwres/context.h
include/lwres/int.h
include/lwres/ipv6.h
include/lwres/lang.h
include/lwres/list.h
include/lwres/lwbuffer.h
include/lwres/lwpacket.h
include/lwres/lwres.h
include/lwres/net.h
include/lwres/netdb.h
include/lwres/platform.h
include/lwres/result.h
include/lwres/stdlib.h
Update bind910 to 9.10.1. Security Fixes A query specially crafted to exploit a defect in EDNS option processing could cause named to terminate with an assertion failure, due to a missing isc_buffer_availablelength() check when formatting packet contents for logging. For more information, see the security advisory at https://kb.isc.org/article/AA-01166/. [CVE-2014-3859] [RT #36078] A programming error in the prefetch feature could cause named to crash with a "REQUIRE" assertion failure in name.c. For more information, see the security advisory at https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899] New Features Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT#36625] [RT #36737] Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones) [RT #36608] Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333] Added version printing options to various BIND utilities. [RT #26057] [RT #10686] Optionally allows libseccomp-based (secure computing mode) system-call filtering on Linux. This sandboxing mechanism may be used to isolate "named" from various system resources. Use "configure --enable-seccomp" at build time to enable it. Thank you to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347] Feature Changes "geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., AS1234). [RT #36945] Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders [RT #36507] rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views [RT #36691] Improves the accuracy of dig's reported round trip times. [RT #36611] When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210] Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909] DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063] Bug Fixes The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**) Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072] An assertion failure could occur if a route event arrived while shutting down. [RT #36887] When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946] The AD flag was being set inappopriately on RPZ responses. [RT #36833] Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length [RT #36642] [RT #36737] On some platforms, overhead from DSCP tagging caused a performance regression between BIND 9.9 and BIND 9.10. [RT #36534] RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302] Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452] Fixed a bug where some updated policy zone contents could be ignored due to stale RPZ summary information [RT #35885] A race condition could cause a crash in isc_event_free during shutdown. [RT #36720] Addresses some problems with unrecoverable lookup failures. [RT #36330] Addresses a race condition issue in dispatch. [RT #36731] acl elements could be miscounted, causing a crash while loading a config [RT #36675] Corrects a deadlock between view.c and adb.c. [RT #36341] liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039] Disable the GCC 4.9 "delete null pointer check" optimizer option, and refactor dns_rdataslab_fromrdataset() to separate out the handling of an rdataset with no records. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968] Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273] Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979] Fixed a bug that caused GeoIP ACLs not to work when referenced indirectly via named or nested ACLs. [RT #35879] FIxed a bug that could cause problems with cache cleaning when SIT was enabled. [RT #35858] Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060] Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accomodate. [RT #35878] Fixed a bug that could cause an assertion failure when inserting and deleting parent and child nodes in a response-policy zone. [RT #36272]
2014-10-14 18:23:19 +02:00
include/lwres/string.h
Initial import of BIND 9.10.
2014-07-02 04:42:57 +02:00
include/lwres/version.h
include/pk11/constants.h
include/pk11/internal.h
include/pk11/pk11.h
include/pk11/result.h
include/pkcs11/cryptoki.h
include/pkcs11/pkcs11.h
include/pkcs11/pkcs11f.h
include/pkcs11/pkcs11t.h
lib/libbind9.la
lib/libdns.la
lib/libirs.la
lib/libisc.la
lib/libisccc.la
lib/libisccfg.la
lib/liblwres.la
man/man1/arpaname.1
man/man1/bind9-config.1
man/man1/delv.1
man/man1/dig.1
man/man1/host.1
man/man1/isc-config.sh.1
man/man1/named-rrchecker.1
man/man1/nslookup.1
man/man1/nsupdate.1
man/man3/lwres.3
man/man3/lwres_addr_parse.3
man/man3/lwres_buffer.3
man/man3/lwres_buffer_add.3
man/man3/lwres_buffer_back.3
man/man3/lwres_buffer_clear.3
man/man3/lwres_buffer_first.3
man/man3/lwres_buffer_forward.3
man/man3/lwres_buffer_getmem.3
man/man3/lwres_buffer_getuint16.3
man/man3/lwres_buffer_getuint32.3
man/man3/lwres_buffer_getuint8.3
man/man3/lwres_buffer_init.3
man/man3/lwres_buffer_invalidate.3
man/man3/lwres_buffer_putmem.3
man/man3/lwres_buffer_putuint16.3
man/man3/lwres_buffer_putuint32.3
man/man3/lwres_buffer_putuint8.3
man/man3/lwres_buffer_subtract.3
man/man3/lwres_conf_clear.3
man/man3/lwres_conf_get.3
man/man3/lwres_conf_init.3
man/man3/lwres_conf_parse.3
man/man3/lwres_conf_print.3
man/man3/lwres_config.3
man/man3/lwres_context.3
man/man3/lwres_context_allocmem.3
man/man3/lwres_context_create.3
man/man3/lwres_context_destroy.3
man/man3/lwres_context_freemem.3
man/man3/lwres_context_initserial.3
man/man3/lwres_context_nextserial.3
man/man3/lwres_context_sendrecv.3
man/man3/lwres_endhostent.3
man/man3/lwres_endhostent_r.3
man/man3/lwres_freeaddrinfo.3
man/man3/lwres_freehostent.3
man/man3/lwres_gabn.3
man/man3/lwres_gabnrequest_free.3
man/man3/lwres_gabnrequest_parse.3
man/man3/lwres_gabnrequest_render.3
man/man3/lwres_gabnresponse_free.3
man/man3/lwres_gabnresponse_parse.3
man/man3/lwres_gabnresponse_render.3
man/man3/lwres_gai_strerror.3
man/man3/lwres_getaddrinfo.3
man/man3/lwres_getaddrsbyname.3
man/man3/lwres_gethostbyaddr.3
man/man3/lwres_gethostbyaddr_r.3
man/man3/lwres_gethostbyname.3
man/man3/lwres_gethostbyname2.3
man/man3/lwres_gethostbyname_r.3
man/man3/lwres_gethostent.3
man/man3/lwres_gethostent_r.3
man/man3/lwres_getipnode.3
man/man3/lwres_getipnodebyaddr.3
man/man3/lwres_getipnodebyname.3
man/man3/lwres_getnamebyaddr.3
man/man3/lwres_getnameinfo.3
man/man3/lwres_getrrsetbyname.3
man/man3/lwres_gnba.3
man/man3/lwres_gnbarequest_free.3
man/man3/lwres_gnbarequest_parse.3
man/man3/lwres_gnbarequest_render.3
man/man3/lwres_gnbaresponse_free.3
man/man3/lwres_gnbaresponse_parse.3
man/man3/lwres_gnbaresponse_render.3
man/man3/lwres_herror.3
man/man3/lwres_hstrerror.3
man/man3/lwres_inetntop.3
man/man3/lwres_lwpacket_parseheader.3
man/man3/lwres_lwpacket_renderheader.3
man/man3/lwres_net_ntop.3
man/man3/lwres_noop.3
man/man3/lwres_nooprequest_free.3
man/man3/lwres_nooprequest_parse.3
man/man3/lwres_nooprequest_render.3
man/man3/lwres_noopresponse_free.3
man/man3/lwres_noopresponse_parse.3
man/man3/lwres_noopresponse_render.3
man/man3/lwres_packet.3
man/man3/lwres_resutil.3
man/man3/lwres_sethostent.3
man/man3/lwres_sethostent_r.3
man/man3/lwres_string_parse.3
man/man5/named.conf.5
man/man5/rndc.conf.5
man/man8/ddns-confgen.8
man/man8/dnssec-dsfromkey.8
man/man8/dnssec-importkey.8
man/man8/dnssec-keyfromlabel.8
man/man8/dnssec-keygen.8
man/man8/dnssec-revoke.8
man/man8/dnssec-settime.8
man/man8/dnssec-signzone.8
man/man8/dnssec-verify.8
man/man8/genrandom.8
man/man8/isc-hmac-fixup.8
man/man8/lwresd.8
man/man8/named-checkconf.8
man/man8/named-checkzone.8
man/man8/named-compilezone.8
man/man8/named-journalprint.8
man/man8/named.8
man/man8/nsec3hash.8
Update bind910 to 9.10.4 (BIND 9.10.4). PKG_OPTIONS change: * Remove rrl which is always enabled. * Add fetchlimit, geoip, pkcs11, sit and tuning. Security Fixes * Duplicate EDNS COOKIE options in a response could trigger an assertion failure. This flaw is disclosed in CVE-2016-2088. [RT #41809] * The resolver could abort with an assertion failure due to improper DNAME handling when parsing fetch reply messages. This flaw is disclosed in CVE-2016-1286. [RT #41753] * Malformed control messages can trigger assertions in named and rndc. This flaw is disclosed in CVE-2016-1285. [RT #41666] * Certain errors that could be encountered when printing out or logging an OPT record containing a CLIENT-SUBNET option could be mishandled, resulting in an assertion failure. This flaw is disclosed in CVE-2015-8705. [RT #41397] * Specific APL data could trigger an INSIST. This flaw is disclosed in CVE-2015-8704. [RT #41396] * Incorrect reference counting could result in an INSIST failure if a socket error occurred while performing a lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945] * Insufficient testing when parsing a message allowed records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. This flaw is disclosed in CVE-2015-8000. [RT #40987] New Features * The following resource record types have been implemented: AVC, CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK. * Added a warning for a common misconfiguration involving forwarded RFC 1918 and IPv6 ULA (Universal Local Address) zones. * Contributed software from Nominum is included in the source at contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring the performance of authoritative DNS servers, resperf for testing the resolution performance of a caching DNS server, resperf-report for generating a resperf report in HTML with gnuplot graphs, and queryparse to extract DNS queries from pcap capture files. This software is not installed by default with BIND. * When loading a signed zone, named will now check whether an RRSIG's inception time is in the future, and if so, it will regenerate the RRSIG immediately. This helps when a system's clock needs to be reset backwards. Feature Changes * Updated the compiled-in addresses for H.ROOT-SERVERS.NET and L.ROOT-SERVERS.NET. * The default preferred glue is now the address type of the transport the query was received over. * On machines with 2 or more processors (CPU), the default value for the number of UDP listeners has been changed to the number of detected processors minus one. * Zone transfers now use smaller message sizes to improve message compression. This results in reduced network usage. * named -V output now also includes operating system details. Porting Changes * The Microsoft Windows install tool BINDInstall.exe which requires a non-free version of Visual Studio to be built, now uses two files (lists of flags and files) created by the Configure perl script with all the needed information which were previously compiled in the binary. Read win32utils/build.txt for more details. [RT #38915] Bug Fixes * rndc flushtree now works even if there wasn't a cached node at the specified name. [RT #41846] * Don't emit records with zero TTL unless the records were received with a zero TTL. After being returned to waiting clients, the answer will be discarded from the cache. [RT #41687] * For Windows platforms, the SIT (Source Identity Token) support was restored. (It was mistakenly partially replaced in a previous beta with new 9.11 COOKIE support.) [RT #41905] * When deleting records from a zone database, interior nodes could be left empty but not deleted, damaging search performance afterward. [RT #40997] [RT #41941] * The server could crash due to a use-after-free if a zone transfer timed out. [RT #41297] * Authoritative servers that were marked as bogus (e.g. blackholed in configuration or with invalid addresses) were being queried anyway. [RT #41321] * Some of the options for GeoIP ACLs, including "areacode", "metrocode", and "timezone", were incorrectly documented as "area", "metro" and "tz". Both the long and abbreviated versions are now accepted. * Zones configured to use map format master files can't be used as policy zones because RPZ summary data isn't compiled when such zones are mapped into memory. This limitation may be fixed in a future release, but in the meantime it has been documented, and attempting to use such zones in response-policy statements is now a configuration error. [RT #38321]
2016-05-02 15:27:57 +02:00
${PLIST.pkcs11}man/man8/pkcs11-destroy.8
${PLIST.pkcs11}man/man8/pkcs11-keygen.8
${PLIST.pkcs11}man/man8/pkcs11-list.8
${PLIST.pkcs11}man/man8/pkcs11-tokens.8
Initial import of BIND 9.10.
2014-07-02 04:42:57 +02:00
man/man8/rndc-confgen.8
man/man8/rndc.8
man/man8/tsig-keygen.8
sbin/arpaname
sbin/ddns-confgen
sbin/dnssec-dsfromkey
sbin/dnssec-importkey
sbin/dnssec-keyfromlabel
sbin/dnssec-keygen
sbin/dnssec-revoke
sbin/dnssec-settime
sbin/dnssec-signzone
sbin/dnssec-verify
sbin/genrandom
sbin/isc-hmac-fixup
sbin/lwresd
sbin/named
sbin/named-checkconf
sbin/named-checkzone
sbin/named-compilezone
sbin/named-journalprint
sbin/named-rrchecker
sbin/nsec3hash
Update bind910 to 9.10.4 (BIND 9.10.4). PKG_OPTIONS change: * Remove rrl which is always enabled. * Add fetchlimit, geoip, pkcs11, sit and tuning. Security Fixes * Duplicate EDNS COOKIE options in a response could trigger an assertion failure. This flaw is disclosed in CVE-2016-2088. [RT #41809] * The resolver could abort with an assertion failure due to improper DNAME handling when parsing fetch reply messages. This flaw is disclosed in CVE-2016-1286. [RT #41753] * Malformed control messages can trigger assertions in named and rndc. This flaw is disclosed in CVE-2016-1285. [RT #41666] * Certain errors that could be encountered when printing out or logging an OPT record containing a CLIENT-SUBNET option could be mishandled, resulting in an assertion failure. This flaw is disclosed in CVE-2015-8705. [RT #41397] * Specific APL data could trigger an INSIST. This flaw is disclosed in CVE-2015-8704. [RT #41396] * Incorrect reference counting could result in an INSIST failure if a socket error occurred while performing a lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945] * Insufficient testing when parsing a message allowed records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. This flaw is disclosed in CVE-2015-8000. [RT #40987] New Features * The following resource record types have been implemented: AVC, CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK. * Added a warning for a common misconfiguration involving forwarded RFC 1918 and IPv6 ULA (Universal Local Address) zones. * Contributed software from Nominum is included in the source at contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring the performance of authoritative DNS servers, resperf for testing the resolution performance of a caching DNS server, resperf-report for generating a resperf report in HTML with gnuplot graphs, and queryparse to extract DNS queries from pcap capture files. This software is not installed by default with BIND. * When loading a signed zone, named will now check whether an RRSIG's inception time is in the future, and if so, it will regenerate the RRSIG immediately. This helps when a system's clock needs to be reset backwards. Feature Changes * Updated the compiled-in addresses for H.ROOT-SERVERS.NET and L.ROOT-SERVERS.NET. * The default preferred glue is now the address type of the transport the query was received over. * On machines with 2 or more processors (CPU), the default value for the number of UDP listeners has been changed to the number of detected processors minus one. * Zone transfers now use smaller message sizes to improve message compression. This results in reduced network usage. * named -V output now also includes operating system details. Porting Changes * The Microsoft Windows install tool BINDInstall.exe which requires a non-free version of Visual Studio to be built, now uses two files (lists of flags and files) created by the Configure perl script with all the needed information which were previously compiled in the binary. Read win32utils/build.txt for more details. [RT #38915] Bug Fixes * rndc flushtree now works even if there wasn't a cached node at the specified name. [RT #41846] * Don't emit records with zero TTL unless the records were received with a zero TTL. After being returned to waiting clients, the answer will be discarded from the cache. [RT #41687] * For Windows platforms, the SIT (Source Identity Token) support was restored. (It was mistakenly partially replaced in a previous beta with new 9.11 COOKIE support.) [RT #41905] * When deleting records from a zone database, interior nodes could be left empty but not deleted, damaging search performance afterward. [RT #40997] [RT #41941] * The server could crash due to a use-after-free if a zone transfer timed out. [RT #41297] * Authoritative servers that were marked as bogus (e.g. blackholed in configuration or with invalid addresses) were being queried anyway. [RT #41321] * Some of the options for GeoIP ACLs, including "areacode", "metrocode", and "timezone", were incorrectly documented as "area", "metro" and "tz". Both the long and abbreviated versions are now accepted. * Zones configured to use map format master files can't be used as policy zones because RPZ summary data isn't compiled when such zones are mapped into memory. This limitation may be fixed in a future release, but in the meantime it has been documented, and attempting to use such zones in response-policy statements is now a configuration error. [RT #38321]
2016-05-02 15:27:57 +02:00
${PLIST.pkcs11}sbin/pkcs11-destroy
${PLIST.pkcs11}sbin/pkcs11-keygen
${PLIST.pkcs11}sbin/pkcs11-list
${PLIST.pkcs11}sbin/pkcs11-tokens
Initial import of BIND 9.10.
2014-07-02 04:42:57 +02:00
sbin/rndc
sbin/rndc-confgen
sbin/tsig-keygen
share/doc/bind9/CHANGES
share/doc/bind9/FAQ
share/doc/bind9/README
share/doc/bind9/arm/Bv9ARM.ch01.html
share/doc/bind9/arm/Bv9ARM.ch02.html
share/doc/bind9/arm/Bv9ARM.ch03.html
share/doc/bind9/arm/Bv9ARM.ch04.html
share/doc/bind9/arm/Bv9ARM.ch05.html
share/doc/bind9/arm/Bv9ARM.ch06.html
share/doc/bind9/arm/Bv9ARM.ch07.html
share/doc/bind9/arm/Bv9ARM.ch08.html
share/doc/bind9/arm/Bv9ARM.ch09.html
share/doc/bind9/arm/Bv9ARM.ch10.html
Update bind910 package to 9.10.2. Security Fixes * On servers configured to perform DNSSEC validation using managed trust anchors (i.e., keys configured explicitly via managed-keys, or implicitly via dnssec-validation auto; or dnssec-lookaside auto;), revoking a trust anchor and sending a new untrusted replacement could cause named to crash with an assertion failure. This could occur in the event of a botched key rollover, or potentially as a result of a deliberate attack if the attacker was in position to monitor the victim's DNS traffic. This flaw was discovered by Jan-Piet Mens, and is disclosed in CVE-2015-1349. [RT #38344] * A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI, and is disclosed in CVE-2014-8500. [RT #37580] * Two separate problems were identified in BIND's GeoIP code that could lead to an assertion failure. One was triggered by use of both IPv4 and IPv6 address families, the other by referencing a GeoIP database in named.conf which was not installed. Both are covered by CVE-2014-8680. [RT #37672] [RT #37679] A less serious security flaw was also found in GeoIP: changes to the geoip-directory option in named.conf were ignored when running rndc reconfig. In theory, this could allow named to allow access to unintended clients. New Features * None Feature Changes * ACLs containing geoip asnum elements were not correctly matched unless the full organization name was specified in the ACL (as in geoip asnum "AS1234 Example, Inc.";). They can now match against the AS number alone (as in geoip asnum "AS1234";). * When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used. * NXDOMAIN responses to queries of type DS are now cached separately from those for other types. This helps when using "grafted" zones of type forward, for which the parent zone does not contain a delegation, such as local top-level domains. Previously a query of type DS for such a zone could cause the zone apex to be cached as NXDOMAIN, blocking all subsequent queries. (Note: This change is only helpful when DNSSEC validation is not enabled. "Grafted" zones without a delegation in the parent are not a recommended configuration.) * NOTIFY messages that are sent because a zone has been updated are now given priority above NOTIFY messages that were scheduled when the server started up. This should mitigate delays in zone propagation when servers are restarted frequently. * Errors reported when running rndc addzone (e.g., when a zone file cannot be loaded) have been clarified to make it easier to diagnose problems. * Added support for OPENPGPKEY type. * When encountering an authoritative name server whose name is an alias pointing to another name, the resolver treats this as an error and skips to the next server. Previously this happened silently; now the error will be logged to the newly-created "cname" log category. * If named is not configured to validate the answer then allow fallback to plain DNS on timeout even when we know the server supports EDNS. This will allow the server to potentially resolve signed queries when TCP is being blocked. Bug Fixes * dig, host and nslookup aborted when encountering a name which, after appending search list elements, exceeded 255 bytes. Such names are now skipped, but processing of other names will continue. [RT #36892] * The error message generated when named-checkzone or named-checkconf -z encounters a $TTL directive without a value has been clarified. [RT #37138] * Semicolon characters (;) included in TXT records were incorrectly escaped with a backslash when the record was displayed as text. This is actually only necessary when there are no quotation marks. [RT #37159] * When files opened for writing by named, such as zone journal files, were referenced more than once in named.conf, it could lead to file corruption as multiple threads wrote to the same file. This is now detected when loading named.conf and reported as an error. [RT #37172] * dnssec-keygen -S failed to generate successor keys for some algorithm types (including ECDSA and GOST) due to a difference in the content of private key files. This has been corrected. [RT #37183] * UPDATE messages that arrived too soon after an rndc thaw could be lost. [RT #37233] * Forwarding of UPDATE messages did not work when they were signed with SIG(0); they resulted in a BADSIG response code. [RT #37216] * When checking for updates to trust anchors listed in managed-keys, named now revalidates keys based on the current set of active trust anchors, without relying on any cached record of previous validation. [RT #37506] * Large-system tuning (configure --with-tuning=large) caused problems on some platforms by setting a socket receive buffer size that was too large. This is now detected and corrected at run time. [RT #37187] * When NXDOMAIN redirection is in use, queries for a name that is present in the redirection zone but a type that is not present will now return NOERROR instead of NXDOMAIN. * When a zone contained a delegation to an IPv6 name server but not an IPv4 name server, it was possible for a memory reference to be left un-freed. This caused an assertion failure on server shutdown, but was otherwise harmless. [RT #37796] * Due to an inadvertent removal of code in the previous release, when named encountered an authoritative name server which dropped all EDNS queries, it did not always try plain DNS. This has been corrected. [RT #37965] * A regression caused nsupdate to use the default recursive servers rather than the SOA MNAME server when sending the UPDATE. * Adjusted max-recursion-queries to accommodate the smaller initial packet sizes used in BIND 9.10 and higher when contacting authoritative servers for the first time. * Built-in "empty" zones did not correctly inherit the "allow-transfer" ACL from the options or view. [RT #38310] * Two leaks were fixed that could cause named processes to grow to very large sizes. [RT #38454] * Fixed some bugs in RFC 5011 trust anchor management, including a memory leak and a possible loss of state information.[RT #38458]
2015-02-26 11:15:02 +01:00
share/doc/bind9/arm/Bv9ARM.ch11.html
share/doc/bind9/arm/Bv9ARM.ch12.html
share/doc/bind9/arm/Bv9ARM.ch13.html
Initial import of BIND 9.10.
2014-07-02 04:42:57 +02:00
share/doc/bind9/arm/Bv9ARM.html
share/doc/bind9/arm/man.arpaname.html
share/doc/bind9/arm/man.ddns-confgen.html
share/doc/bind9/arm/man.delv.html
share/doc/bind9/arm/man.dig.html
share/doc/bind9/arm/man.dnssec-checkds.html
share/doc/bind9/arm/man.dnssec-coverage.html
share/doc/bind9/arm/man.dnssec-dsfromkey.html
share/doc/bind9/arm/man.dnssec-importkey.html
share/doc/bind9/arm/man.dnssec-keyfromlabel.html
share/doc/bind9/arm/man.dnssec-keygen.html
share/doc/bind9/arm/man.dnssec-revoke.html
share/doc/bind9/arm/man.dnssec-settime.html
share/doc/bind9/arm/man.dnssec-signzone.html
share/doc/bind9/arm/man.dnssec-verify.html
share/doc/bind9/arm/man.genrandom.html
share/doc/bind9/arm/man.host.html
share/doc/bind9/arm/man.isc-hmac-fixup.html
Update bind910 to 9.10.4pl2 (BIND 9.10.4-P2). Changes from 9.10.3-P4 to 9.10.4 are too many to write here, please refer CHANGES file. --- 9.10.4-P2 released --- 4406. [bug] getrrsetbyname with a non absolute name could trigger an infinite recursion bug in lwresd and named with lwres configured if when combined with a search list entry the resulting name is too long. (CVE-2016-2775) [RT #42694] 4405. [bug] Change 4342 introduced a regression where you could not remove a delegation in a NSEC3 signed zone using OPTOUT via nsupdate. [RT #42702] 4387. [bug] Change 4336 was not complete leading to SERVFAIL being return as NS records expired. [RT #42683] --- 9.10.4-P1 released --- 4368. [bug] Fix a crash when calling "rndc stats" on some Windows builds because some Visual Studio compilers generated crashing code for the "%z" printf() format specifier. [RT #42380] 4366. [bug] Address race condition when updating rbtnode bit fields. [RT #42379] 4363. [port] win32: Disable explicit triggering UAC when running BINDInstall. --- 9.10.4 released ---
2016-07-19 03:08:05 +02:00
share/doc/bind9/arm/man.lwresd.html
Initial import of BIND 9.10.
2014-07-02 04:42:57 +02:00
share/doc/bind9/arm/man.named-checkconf.html
share/doc/bind9/arm/man.named-checkzone.html
share/doc/bind9/arm/man.named-journalprint.html
share/doc/bind9/arm/man.named-rrchecker.html
Update bind910 to 9.10.4pl2 (BIND 9.10.4-P2). Changes from 9.10.3-P4 to 9.10.4 are too many to write here, please refer CHANGES file. --- 9.10.4-P2 released --- 4406. [bug] getrrsetbyname with a non absolute name could trigger an infinite recursion bug in lwresd and named with lwres configured if when combined with a search list entry the resulting name is too long. (CVE-2016-2775) [RT #42694] 4405. [bug] Change 4342 introduced a regression where you could not remove a delegation in a NSEC3 signed zone using OPTOUT via nsupdate. [RT #42702] 4387. [bug] Change 4336 was not complete leading to SERVFAIL being return as NS records expired. [RT #42683] --- 9.10.4-P1 released --- 4368. [bug] Fix a crash when calling "rndc stats" on some Windows builds because some Visual Studio compilers generated crashing code for the "%z" printf() format specifier. [RT #42380] 4366. [bug] Address race condition when updating rbtnode bit fields. [RT #42379] 4363. [port] win32: Disable explicit triggering UAC when running BINDInstall. --- 9.10.4 released ---
2016-07-19 03:08:05 +02:00
share/doc/bind9/arm/man.named.conf.html
Initial import of BIND 9.10.
2014-07-02 04:42:57 +02:00
share/doc/bind9/arm/man.named.html
share/doc/bind9/arm/man.nsec3hash.html
share/doc/bind9/arm/man.nsupdate.html
share/doc/bind9/arm/man.rndc-confgen.html
share/doc/bind9/arm/man.rndc.conf.html
share/doc/bind9/arm/man.rndc.html
Update bind910 package to 9.10.2. Security Fixes * On servers configured to perform DNSSEC validation using managed trust anchors (i.e., keys configured explicitly via managed-keys, or implicitly via dnssec-validation auto; or dnssec-lookaside auto;), revoking a trust anchor and sending a new untrusted replacement could cause named to crash with an assertion failure. This could occur in the event of a botched key rollover, or potentially as a result of a deliberate attack if the attacker was in position to monitor the victim's DNS traffic. This flaw was discovered by Jan-Piet Mens, and is disclosed in CVE-2015-1349. [RT #38344] * A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI, and is disclosed in CVE-2014-8500. [RT #37580] * Two separate problems were identified in BIND's GeoIP code that could lead to an assertion failure. One was triggered by use of both IPv4 and IPv6 address families, the other by referencing a GeoIP database in named.conf which was not installed. Both are covered by CVE-2014-8680. [RT #37672] [RT #37679] A less serious security flaw was also found in GeoIP: changes to the geoip-directory option in named.conf were ignored when running rndc reconfig. In theory, this could allow named to allow access to unintended clients. New Features * None Feature Changes * ACLs containing geoip asnum elements were not correctly matched unless the full organization name was specified in the ACL (as in geoip asnum "AS1234 Example, Inc.";). They can now match against the AS number alone (as in geoip asnum "AS1234";). * When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used. * NXDOMAIN responses to queries of type DS are now cached separately from those for other types. This helps when using "grafted" zones of type forward, for which the parent zone does not contain a delegation, such as local top-level domains. Previously a query of type DS for such a zone could cause the zone apex to be cached as NXDOMAIN, blocking all subsequent queries. (Note: This change is only helpful when DNSSEC validation is not enabled. "Grafted" zones without a delegation in the parent are not a recommended configuration.) * NOTIFY messages that are sent because a zone has been updated are now given priority above NOTIFY messages that were scheduled when the server started up. This should mitigate delays in zone propagation when servers are restarted frequently. * Errors reported when running rndc addzone (e.g., when a zone file cannot be loaded) have been clarified to make it easier to diagnose problems. * Added support for OPENPGPKEY type. * When encountering an authoritative name server whose name is an alias pointing to another name, the resolver treats this as an error and skips to the next server. Previously this happened silently; now the error will be logged to the newly-created "cname" log category. * If named is not configured to validate the answer then allow fallback to plain DNS on timeout even when we know the server supports EDNS. This will allow the server to potentially resolve signed queries when TCP is being blocked. Bug Fixes * dig, host and nslookup aborted when encountering a name which, after appending search list elements, exceeded 255 bytes. Such names are now skipped, but processing of other names will continue. [RT #36892] * The error message generated when named-checkzone or named-checkconf -z encounters a $TTL directive without a value has been clarified. [RT #37138] * Semicolon characters (;) included in TXT records were incorrectly escaped with a backslash when the record was displayed as text. This is actually only necessary when there are no quotation marks. [RT #37159] * When files opened for writing by named, such as zone journal files, were referenced more than once in named.conf, it could lead to file corruption as multiple threads wrote to the same file. This is now detected when loading named.conf and reported as an error. [RT #37172] * dnssec-keygen -S failed to generate successor keys for some algorithm types (including ECDSA and GOST) due to a difference in the content of private key files. This has been corrected. [RT #37183] * UPDATE messages that arrived too soon after an rndc thaw could be lost. [RT #37233] * Forwarding of UPDATE messages did not work when they were signed with SIG(0); they resulted in a BADSIG response code. [RT #37216] * When checking for updates to trust anchors listed in managed-keys, named now revalidates keys based on the current set of active trust anchors, without relying on any cached record of previous validation. [RT #37506] * Large-system tuning (configure --with-tuning=large) caused problems on some platforms by setting a socket receive buffer size that was too large. This is now detected and corrected at run time. [RT #37187] * When NXDOMAIN redirection is in use, queries for a name that is present in the redirection zone but a type that is not present will now return NOERROR instead of NXDOMAIN. * When a zone contained a delegation to an IPv6 name server but not an IPv4 name server, it was possible for a memory reference to be left un-freed. This caused an assertion failure on server shutdown, but was otherwise harmless. [RT #37796] * Due to an inadvertent removal of code in the previous release, when named encountered an authoritative name server which dropped all EDNS queries, it did not always try plain DNS. This has been corrected. [RT #37965] * A regression caused nsupdate to use the default recursive servers rather than the SOA MNAME server when sending the UPDATE. * Adjusted max-recursion-queries to accommodate the smaller initial packet sizes used in BIND 9.10 and higher when contacting authoritative servers for the first time. * Built-in "empty" zones did not correctly inherit the "allow-transfer" ACL from the options or view. [RT #38310] * Two leaks were fixed that could cause named processes to grow to very large sizes. [RT #38454] * Fixed some bugs in RFC 5011 trust anchor management, including a memory leak and a possible loss of state information.[RT #38458]
2015-02-26 11:15:02 +01:00
share/doc/bind9/arm/notes.html
Fix bind.keys PLIST handling, thanks joerg@ for the notice.
2017-02-24 16:46:14 +01:00
share/examples/bind9/bind.keys
Reference in a new issue Copy permalink