kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc/net/bind98/PLIST

380 lines
9.3 KiB
Text
Raw Normal View History

Update bind98 to 9.8.6 (BIND 9.8.6). (CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc.) Security Fixes Previously an error in bounds checking on the private type 'keydata' could be used to deny service through a deliberately triggerable REQUIRE failure (CVE-2013-4854). [RT #34238] Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690] Feature Changes rndc status now also shows the build-id. [RT #20422] Improved OPT pseudo-record processing to make it easier to support new EDNS options. [RT #34414] "configure" now finishes by printing a summary of optional BIND features and whether they are active or inactive. ("configure --enable-full-report" increases the verbosity of the summary.) [RT #31777] Addressed compatibility issues with newer versions of Microsoft Visual Studio. [RT #33916] Improved the 'rndc' man page. [RT #33506] 'named -g' now no longer works with an invalid logging configuration. [RT #33473] The default (and minimum) value for tcp-listen-queue is now 10 instead of 3. This is a subtle control setting (not applicable to all OS environments). When there is a high rate of inbound TCP connections, it controls how many connections can be queued before they are accepted by named. Once this limit is exceeded, new TCP connections will be rejected. Note however that a value of 10 does not imply a strict limit of 10 queued TCP connections - the impact of changing this configuration setting will be OS-dependent. Larger values for tcp-listen queue will permit more pending tcp connections, which may be needed where there is a high rate of TCP-based traffic (for example in a dynamic environment where there are frequent zone updates and transfers). For most production servers the new default value of 10 should be adequate. [RT #33029] Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e with PKCS#11. [RT #33463] Added logging messages on slave servers when they forward DDNS updates to a master. [RT #33240] Bug Fixes Fixed the "allow-query-on" option to correctly check the destination address. [RT #34590] Fix DNSSEC auto maintenance so signatures can be removed from a zone with only KSK keys for an algorithm. [RT #34439] Fix forwarding for forward only "zones" beneath automatic empty zones. [RT #34583] Fix DNSSEC auto maintenance so signatures from newly inactive keys are removed (when publishing a new key while deactivating another key at the same time). [RT #32178] Remove bogus warning log message about missing signatures when receiving a query for a SIG record. [RT #34600] Fix Response Policy Zones on slave servers so new RPZ changes take effect. [RT #34450] Improved resistance to a theoretical authentication attack based on differential timing. [RT #33939] named was failing to answer queries during "rndc reload" [RT #34098] Fixed a broken 'Invalid keyfile' error message in dnssec-keygen. [RT #34045] The build of BIND now installs isc/stat.h so that it's available to /isc/file.h when building other applications that reference these header files - for example dnsperf (see Debian bug ticket #692467). [RT #33056] Better handle failures building XML for stats channel responses. [RT #33706] Fixed a memory leak in GSS-API processing. [RT #33574] Fixed an acache-related race condition that could cause a crash. [RT #33602] rndc now properly fails when given an invalid '-c' argument. [RT #33571] Fixed an issue with the handling of zero TTL records that could cause improper SERVFAILs. [RT #33411] Fixed a crash-on-shutdown race condition with DNSSEC validation. [RT #33573] Corrected the way that "rndc addzone" and "rndc delzone" handle non-standard characters in zone names. [RT #33419]
2013-09-21 17:59:00 +02:00
@comment $NetBSD: PLIST,v 1.5 2013/09/21 15:59:00 taca Exp $
Importing BIND 9.8.0 as net/bind98. Full release note: http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html New Features 9.8.0 * The ADB hash table stores informations about which authoritative servers to query about particular domains. Previous versions of BIND had the hash table size as a fixed value. On a busy recursive server, this could lead to hash table collisions in the ADB cache, resulting in degraded response time to queries. Bind 9.8 now has a dynamically scalable ADB hash table, which helps a busy server to avoid hash table collisions and maintain a consistent query response time. [RT #21186] * BIND now supports a new zone type, static-stub. This allows the administrator of a recursive nameserver to force queries for a particular zone to go to IP addresses of the administrator's choosing, on a per zone basis, both globally or per view. I.e. if the administrator wishes to have their recursive server query 192.0.2.1 and 192.0.2.2 for zone example.com rather than the servers listed by the .com gTLDs, they would configure example.com as a static-stub zone in their recursive server. [RT #21474] * BIND now supports Response Policy Zones, a way of expressing "reputation" in real time via specially constructed DNS zones. See the draft specification here: http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726] * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized from corresponding IN-ADDR.ARPA. [RT #21991/22769] * Dynamically Loadable Zones (DLZ) now support dynamic updates. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than having to be linked with named at compile time. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * named now retains GSS-TSIG keys across restarts. This is for compatibility with Microsoft DHCP servers doing dynamic DNS updates for clients, which don't know to renegotiate the GSS-TSIG session key when named restarts. [RT #22639] * There is a new update-policy match type "external". This allows named to decide whether to allow a dynamic update by checking with an external daemon. Contributed by Andrew Tridgell of the Samba Project. [RT #22758] * There have been a number of bug fixes and ease of use enhancements for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include: + Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be allowed for any key matching a Kerberos principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] + It is no longer necessary to have a valid /etc/krb5.conf file. Using the syntax DNS/hostname@REALM in nsupdate is sufficient for to correctly set the default realm. [RT #22795] + Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795] + DLZ correctly deals with NULL zone in a query. [RT 22795] + TSIG correctly deals with a NULL tkey->creator. [RT 22795] * A new test has been added to check the apex NSEC3 records after DNSKEY records have been added via dynamic update. [RT #23229] * RTT banding (randomized server selection on queries) was introduced in BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead of always picking the authoritative server with the lowest RTT to the caching resolver, all the authoritative servers within an RTT range were randomly used by the recursive server. While this did add an extra bit of randomness that an attacker had to overcome to poison a recursive server's cache, it also impacts the resolver's speed in answering end customer queries, since it's no longer the fastest auth server that gets asked. This means that performance optimizations, such using topologically close authoritative servers, are rendered ineffective. ISC has evaluated the amount of security added versus the performance hit to end users and has decided that RTT banding is causing more harm than good. Therefore, with this release, BIND is going back to the server selection used prior to adding RTT banding. [RT #23310] Feature Changes 9.8.0 * There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929 * There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043] * Added option 'resolver-query-timeout' in named.conf (max query timeout in seconds) to set a different value than the default (30 seconds). A value of 0 means 'use the compiled in default'; anything longer than 30 will be silently set to 30. [RT #22852] * For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details.
2011-03-04 04:52:14 +01:00
bin/dig
bin/host
bin/isc-config.sh
bin/nslookup
bin/nsupdate
${PLIST.inet6}include/isc/ipv6.h
include/bind9/check.h
include/bind9/getaddresses.h
include/bind9/version.h
include/dns/acl.h
include/dns/adb.h
include/dns/byaddr.h
include/dns/cache.h
include/dns/callbacks.h
include/dns/cert.h
include/dns/compress.h
include/dns/db.h
include/dns/dbiterator.h
include/dns/dbtable.h
include/dns/diff.h
include/dns/dispatch.h
include/dns/dlz.h
include/dns/dnssec.h
include/dns/ds.h
include/dns/enumclass.h
include/dns/enumtype.h
include/dns/events.h
include/dns/fixedname.h
include/dns/iptable.h
include/dns/journal.h
include/dns/keyflags.h
include/dns/keytable.h
include/dns/keyvalues.h
include/dns/lib.h
include/dns/log.h
include/dns/master.h
include/dns/masterdump.h
include/dns/message.h
include/dns/name.h
include/dns/ncache.h
include/dns/nsec.h
include/dns/peer.h
include/dns/portlist.h
include/dns/private.h
include/dns/rbt.h
include/dns/rcode.h
include/dns/rdata.h
include/dns/rdataclass.h
include/dns/rdatalist.h
include/dns/rdataset.h
include/dns/rdatasetiter.h
include/dns/rdataslab.h
include/dns/rdatastruct.h
include/dns/rdatatype.h
include/dns/request.h
include/dns/resolver.h
include/dns/result.h
include/dns/rootns.h
Update bind98 package to 9.8.1. pkgsrc change: add a patch to fix build problem with some PKG_OPTIONS, such as "ldap". New Features 9.8.1 * Added a new include file with function typedefs for the DLZ "dlopen" driver. [RT #23629] * Added a tool able to generate malformed packets to allow testing of how named handles them. [RT #24096] * The root key is now provided in the file bind.keys allowing DNSSEC validation to be switched on at start up by adding "dnssec-validation auto;" to named.conf. If the root key provided has expired, named will log the expiration and validation will not work. More information and the most current copy of bind.keys can be found at http://www.isc.org/bind-keys. *Please note this feature was actually added in 9.8.0 but was not included in the 9.8.0 release notes. [RT #21727] Security Fixes 9.8.1 * If named is configured with a response policy zone (RPZ) and a query of type RRSIG is received for a name configured for RRset replacement in that RPZ, it will trigger an INSIST and crash the server. RRSIG. [RT #24280] * named, set up to be a caching resolver, is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache the response. Due to an off-by-one error, caching the response could cause named to crash. [RT #24650] [CVE-2011-1910] * Using Response Policy Zone (RPZ) to query a wildcard CNAME label with QUERY type SIG/RRSIG, it can cause named to crash. Fix is query type independant. [RT #24715] * Using Response Policy Zone (RPZ) with DNAME records and querying the subdomain of that label can cause named to crash. Now logs that DNAME is not supported. [RT #24766] * Change #2912 populated the message section in replies to UPDATE requests, which some Windows clients wanted. This exposed a latent bug that allowed the response message to crash named. With this fix, change 2912 has been reduced to copy only the zone section to the reply. A more complete fix for the latent bug will be released later. [RT #24777] Feature Changes 9.8.1 * Merged in the NetBSD ATF test framework (currently version 0.12) for development of future unit tests. Use configure --with-atf to build ATF internally or configure --with-atf=prefix to use an external copy. [RT #23209] * Added more verbose error reporting from DLZ LDAP. [RT #23402] * The DLZ "dlopen" driver is now built by default, no longer requiring a configure option. To disable it, use "configure --without-dlopen". (Note: driver not supported on win32.) [RT #23467] * Replaced compile time constant with STDTIME_ON_32BITS. [RT #23587] * Make --with-gssapi default for ./configure. [RT #23738] * Improved the startup time for an authoritative server with a large number of zones by making the zone task table of variable size rather than fixed size. This means that authoritative servers with lots of zones will be serving that zone data much sooner. [RT #24406] * Per RFC 6303, RFC 1918 reverse zones are now part of the built-in list of empty zones. [RT #24990]
2011-09-01 05:44:35 +02:00
include/dns/rpz.h
Importing BIND 9.8.0 as net/bind98. Full release note: http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html New Features 9.8.0 * The ADB hash table stores informations about which authoritative servers to query about particular domains. Previous versions of BIND had the hash table size as a fixed value. On a busy recursive server, this could lead to hash table collisions in the ADB cache, resulting in degraded response time to queries. Bind 9.8 now has a dynamically scalable ADB hash table, which helps a busy server to avoid hash table collisions and maintain a consistent query response time. [RT #21186] * BIND now supports a new zone type, static-stub. This allows the administrator of a recursive nameserver to force queries for a particular zone to go to IP addresses of the administrator's choosing, on a per zone basis, both globally or per view. I.e. if the administrator wishes to have their recursive server query 192.0.2.1 and 192.0.2.2 for zone example.com rather than the servers listed by the .com gTLDs, they would configure example.com as a static-stub zone in their recursive server. [RT #21474] * BIND now supports Response Policy Zones, a way of expressing "reputation" in real time via specially constructed DNS zones. See the draft specification here: http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726] * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized from corresponding IN-ADDR.ARPA. [RT #21991/22769] * Dynamically Loadable Zones (DLZ) now support dynamic updates. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than having to be linked with named at compile time. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * named now retains GSS-TSIG keys across restarts. This is for compatibility with Microsoft DHCP servers doing dynamic DNS updates for clients, which don't know to renegotiate the GSS-TSIG session key when named restarts. [RT #22639] * There is a new update-policy match type "external". This allows named to decide whether to allow a dynamic update by checking with an external daemon. Contributed by Andrew Tridgell of the Samba Project. [RT #22758] * There have been a number of bug fixes and ease of use enhancements for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include: + Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be allowed for any key matching a Kerberos principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] + It is no longer necessary to have a valid /etc/krb5.conf file. Using the syntax DNS/hostname@REALM in nsupdate is sufficient for to correctly set the default realm. [RT #22795] + Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795] + DLZ correctly deals with NULL zone in a query. [RT 22795] + TSIG correctly deals with a NULL tkey->creator. [RT 22795] * A new test has been added to check the apex NSEC3 records after DNSKEY records have been added via dynamic update. [RT #23229] * RTT banding (randomized server selection on queries) was introduced in BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead of always picking the authoritative server with the lowest RTT to the caching resolver, all the authoritative servers within an RTT range were randomly used by the recursive server. While this did add an extra bit of randomness that an attacker had to overcome to poison a recursive server's cache, it also impacts the resolver's speed in answering end customer queries, since it's no longer the fastest auth server that gets asked. This means that performance optimizations, such using topologically close authoritative servers, are rendered ineffective. ISC has evaluated the amount of security added versus the performance hit to end users and has decided that RTT banding is causing more harm than good. Therefore, with this release, BIND is going back to the server selection used prior to adding RTT banding. [RT #23310] Feature Changes 9.8.0 * There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929 * There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043] * Added option 'resolver-query-timeout' in named.conf (max query timeout in seconds) to set a different value than the default (30 seconds). A value of 0 means 'use the compiled in default'; anything longer than 30 will be silently set to 30. [RT #22852] * For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details.
2011-03-04 04:52:14 +01:00
include/dns/sdb.h
include/dns/sdlz.h
include/dns/secalg.h
include/dns/secproto.h
include/dns/soa.h
include/dns/ssu.h
include/dns/tcpmsg.h
include/dns/time.h
include/dns/tkey.h
include/dns/tsig.h
include/dns/ttl.h
include/dns/types.h
include/dns/validator.h
include/dns/version.h
include/dns/view.h
include/dns/xfrin.h
include/dns/zone.h
include/dns/zonekey.h
include/dns/zt.h
include/dst/dst.h
include/dst/gssapi.h
include/dst/lib.h
include/dst/result.h
include/isc/app.h
include/isc/assertions.h
include/isc/atomic.h
include/isc/base64.h
include/isc/bind9.h
include/isc/bitstring.h
include/isc/boolean.h
include/isc/buffer.h
include/isc/bufferlist.h
include/isc/commandline.h
include/isc/condition.h
include/isc/dir.h
include/isc/entropy.h
include/isc/error.h
include/isc/event.h
include/isc/eventclass.h
include/isc/file.h
include/isc/formatcheck.h
include/isc/fsaccess.h
include/isc/hash.h
include/isc/heap.h
include/isc/hex.h
include/isc/hmacmd5.h
Update bind98 pacakge to 9.8.2. Security Fixes + BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313] Feature Changes + RPZ implementation now conforms to version 3 of the specification. [RT #27316] + It is now possible to explicitly disable DLV in named.conf by specifying "dnssec-lookaside no;". This is the default, but the ability to configure it makes it clearly visible to administrators. [RT #24858] + --enable-developer, a new composite argument to the configure script, enables a set of build options normally disabled but frequently selected in test or development builds, specifically: enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip, enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and Darwin, also enable_exportlib) [RT #27103]
2012-04-05 02:39:34 +02:00
include/isc/hmacsha.h
Importing BIND 9.8.0 as net/bind98. Full release note: http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html New Features 9.8.0 * The ADB hash table stores informations about which authoritative servers to query about particular domains. Previous versions of BIND had the hash table size as a fixed value. On a busy recursive server, this could lead to hash table collisions in the ADB cache, resulting in degraded response time to queries. Bind 9.8 now has a dynamically scalable ADB hash table, which helps a busy server to avoid hash table collisions and maintain a consistent query response time. [RT #21186] * BIND now supports a new zone type, static-stub. This allows the administrator of a recursive nameserver to force queries for a particular zone to go to IP addresses of the administrator's choosing, on a per zone basis, both globally or per view. I.e. if the administrator wishes to have their recursive server query 192.0.2.1 and 192.0.2.2 for zone example.com rather than the servers listed by the .com gTLDs, they would configure example.com as a static-stub zone in their recursive server. [RT #21474] * BIND now supports Response Policy Zones, a way of expressing "reputation" in real time via specially constructed DNS zones. See the draft specification here: http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726] * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized from corresponding IN-ADDR.ARPA. [RT #21991/22769] * Dynamically Loadable Zones (DLZ) now support dynamic updates. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than having to be linked with named at compile time. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * named now retains GSS-TSIG keys across restarts. This is for compatibility with Microsoft DHCP servers doing dynamic DNS updates for clients, which don't know to renegotiate the GSS-TSIG session key when named restarts. [RT #22639] * There is a new update-policy match type "external". This allows named to decide whether to allow a dynamic update by checking with an external daemon. Contributed by Andrew Tridgell of the Samba Project. [RT #22758] * There have been a number of bug fixes and ease of use enhancements for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include: + Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be allowed for any key matching a Kerberos principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] + It is no longer necessary to have a valid /etc/krb5.conf file. Using the syntax DNS/hostname@REALM in nsupdate is sufficient for to correctly set the default realm. [RT #22795] + Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795] + DLZ correctly deals with NULL zone in a query. [RT 22795] + TSIG correctly deals with a NULL tkey->creator. [RT 22795] * A new test has been added to check the apex NSEC3 records after DNSKEY records have been added via dynamic update. [RT #23229] * RTT banding (randomized server selection on queries) was introduced in BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead of always picking the authoritative server with the lowest RTT to the caching resolver, all the authoritative servers within an RTT range were randomly used by the recursive server. While this did add an extra bit of randomness that an attacker had to overcome to poison a recursive server's cache, it also impacts the resolver's speed in answering end customer queries, since it's no longer the fastest auth server that gets asked. This means that performance optimizations, such using topologically close authoritative servers, are rendered ineffective. ISC has evaluated the amount of security added versus the performance hit to end users and has decided that RTT banding is causing more harm than good. Therefore, with this release, BIND is going back to the server selection used prior to adding RTT banding. [RT #23310] Feature Changes 9.8.0 * There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929 * There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043] * Added option 'resolver-query-timeout' in named.conf (max query timeout in seconds) to set a different value than the default (30 seconds). A value of 0 means 'use the compiled in default'; anything longer than 30 will be silently set to 30. [RT #22852] * For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details.
2011-03-04 04:52:14 +01:00
include/isc/httpd.h
include/isc/int.h
include/isc/interfaceiter.h
include/isc/iterated_hash.h
include/isc/lang.h
include/isc/lex.h
include/isc/lfsr.h
include/isc/lib.h
include/isc/list.h
include/isc/log.h
include/isc/magic.h
include/isc/md5.h
include/isc/mem.h
include/isc/msgcat.h
include/isc/msgs.h
include/isc/mutex.h
include/isc/mutexblock.h
include/isc/namespace.h
include/isc/net.h
include/isc/netaddr.h
include/isc/netdb.h
include/isc/offset.h
include/isc/once.h
include/isc/ondestroy.h
include/isc/os.h
include/isc/parseint.h
include/isc/platform.h
include/isc/print.h
include/isc/quota.h
include/isc/radix.h
include/isc/random.h
include/isc/ratelimiter.h
include/isc/refcount.h
Update bind98 to 9.8.5pl1 (BIND 9.8.5-P1). Please refer CHANGES file for complete changes and here is quote from release announce. Introduction BIND 9.8.5-P1 is the latest production release of BIND 9.8. Security Fixes Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690] A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. (CVE-2012-5166) [RT #31090] Now supports NAPTR regular expression validation on all platforms, and avoids memory exhaustion compiling pathological regular expressions. (CVE-2013-2266) [RT #32688] Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (CVE-2012-5688) [RT #30792 / #30996] Prevents an assertion failure in named when RPZ and DNS64 are used together. (CVE-2012-5689) [RT #32141] New Features Adds a new configuration option, "check-spf"; valid values are "warn" (default) and "ignore". When set to "warn", checks SPF and TXT records in spf format, warning if either resource record type occurs without a corresponding record of the other resource record type. [RT #33355] Adds support for Uniform Resource Identifier (URI) resource records. [RT #23386] Adds support for the EUI48 and EUI64 RR types. [RT #33082] Adds support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836]
2013-06-06 04:56:36 +02:00
include/isc/regex.h
Importing BIND 9.8.0 as net/bind98. Full release note: http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html New Features 9.8.0 * The ADB hash table stores informations about which authoritative servers to query about particular domains. Previous versions of BIND had the hash table size as a fixed value. On a busy recursive server, this could lead to hash table collisions in the ADB cache, resulting in degraded response time to queries. Bind 9.8 now has a dynamically scalable ADB hash table, which helps a busy server to avoid hash table collisions and maintain a consistent query response time. [RT #21186] * BIND now supports a new zone type, static-stub. This allows the administrator of a recursive nameserver to force queries for a particular zone to go to IP addresses of the administrator's choosing, on a per zone basis, both globally or per view. I.e. if the administrator wishes to have their recursive server query 192.0.2.1 and 192.0.2.2 for zone example.com rather than the servers listed by the .com gTLDs, they would configure example.com as a static-stub zone in their recursive server. [RT #21474] * BIND now supports Response Policy Zones, a way of expressing "reputation" in real time via specially constructed DNS zones. See the draft specification here: http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726] * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized from corresponding IN-ADDR.ARPA. [RT #21991/22769] * Dynamically Loadable Zones (DLZ) now support dynamic updates. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than having to be linked with named at compile time. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * named now retains GSS-TSIG keys across restarts. This is for compatibility with Microsoft DHCP servers doing dynamic DNS updates for clients, which don't know to renegotiate the GSS-TSIG session key when named restarts. [RT #22639] * There is a new update-policy match type "external". This allows named to decide whether to allow a dynamic update by checking with an external daemon. Contributed by Andrew Tridgell of the Samba Project. [RT #22758] * There have been a number of bug fixes and ease of use enhancements for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include: + Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be allowed for any key matching a Kerberos principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] + It is no longer necessary to have a valid /etc/krb5.conf file. Using the syntax DNS/hostname@REALM in nsupdate is sufficient for to correctly set the default realm. [RT #22795] + Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795] + DLZ correctly deals with NULL zone in a query. [RT 22795] + TSIG correctly deals with a NULL tkey->creator. [RT 22795] * A new test has been added to check the apex NSEC3 records after DNSKEY records have been added via dynamic update. [RT #23229] * RTT banding (randomized server selection on queries) was introduced in BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead of always picking the authoritative server with the lowest RTT to the caching resolver, all the authoritative servers within an RTT range were randomly used by the recursive server. While this did add an extra bit of randomness that an attacker had to overcome to poison a recursive server's cache, it also impacts the resolver's speed in answering end customer queries, since it's no longer the fastest auth server that gets asked. This means that performance optimizations, such using topologically close authoritative servers, are rendered ineffective. ISC has evaluated the amount of security added versus the performance hit to end users and has decided that RTT banding is causing more harm than good. Therefore, with this release, BIND is going back to the server selection used prior to adding RTT banding. [RT #23310] Feature Changes 9.8.0 * There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929 * There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043] * Added option 'resolver-query-timeout' in named.conf (max query timeout in seconds) to set a different value than the default (30 seconds). A value of 0 means 'use the compiled in default'; anything longer than 30 will be silently set to 30. [RT #22852] * For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details.
2011-03-04 04:52:14 +01:00
include/isc/region.h
include/isc/resource.h
include/isc/result.h
include/isc/resultclass.h
include/isc/rwlock.h
Update bind98 to 9.8.6 (BIND 9.8.6). (CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc.) Security Fixes Previously an error in bounds checking on the private type 'keydata' could be used to deny service through a deliberately triggerable REQUIRE failure (CVE-2013-4854). [RT #34238] Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690] Feature Changes rndc status now also shows the build-id. [RT #20422] Improved OPT pseudo-record processing to make it easier to support new EDNS options. [RT #34414] "configure" now finishes by printing a summary of optional BIND features and whether they are active or inactive. ("configure --enable-full-report" increases the verbosity of the summary.) [RT #31777] Addressed compatibility issues with newer versions of Microsoft Visual Studio. [RT #33916] Improved the 'rndc' man page. [RT #33506] 'named -g' now no longer works with an invalid logging configuration. [RT #33473] The default (and minimum) value for tcp-listen-queue is now 10 instead of 3. This is a subtle control setting (not applicable to all OS environments). When there is a high rate of inbound TCP connections, it controls how many connections can be queued before they are accepted by named. Once this limit is exceeded, new TCP connections will be rejected. Note however that a value of 10 does not imply a strict limit of 10 queued TCP connections - the impact of changing this configuration setting will be OS-dependent. Larger values for tcp-listen queue will permit more pending tcp connections, which may be needed where there is a high rate of TCP-based traffic (for example in a dynamic environment where there are frequent zone updates and transfers). For most production servers the new default value of 10 should be adequate. [RT #33029] Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e with PKCS#11. [RT #33463] Added logging messages on slave servers when they forward DDNS updates to a master. [RT #33240] Bug Fixes Fixed the "allow-query-on" option to correctly check the destination address. [RT #34590] Fix DNSSEC auto maintenance so signatures can be removed from a zone with only KSK keys for an algorithm. [RT #34439] Fix forwarding for forward only "zones" beneath automatic empty zones. [RT #34583] Fix DNSSEC auto maintenance so signatures from newly inactive keys are removed (when publishing a new key while deactivating another key at the same time). [RT #32178] Remove bogus warning log message about missing signatures when receiving a query for a SIG record. [RT #34600] Fix Response Policy Zones on slave servers so new RPZ changes take effect. [RT #34450] Improved resistance to a theoretical authentication attack based on differential timing. [RT #33939] named was failing to answer queries during "rndc reload" [RT #34098] Fixed a broken 'Invalid keyfile' error message in dnssec-keygen. [RT #34045] The build of BIND now installs isc/stat.h so that it's available to /isc/file.h when building other applications that reference these header files - for example dnsperf (see Debian bug ticket #692467). [RT #33056] Better handle failures building XML for stats channel responses. [RT #33706] Fixed a memory leak in GSS-API processing. [RT #33574] Fixed an acache-related race condition that could cause a crash. [RT #33602] rndc now properly fails when given an invalid '-c' argument. [RT #33571] Fixed an issue with the handling of zero TTL records that could cause improper SERVFAILs. [RT #33411] Fixed a crash-on-shutdown race condition with DNSSEC validation. [RT #33573] Corrected the way that "rndc addzone" and "rndc delzone" handle non-standard characters in zone names. [RT #33419]
2013-09-21 17:59:00 +02:00
include/isc/safe.h
Importing BIND 9.8.0 as net/bind98. Full release note: http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html New Features 9.8.0 * The ADB hash table stores informations about which authoritative servers to query about particular domains. Previous versions of BIND had the hash table size as a fixed value. On a busy recursive server, this could lead to hash table collisions in the ADB cache, resulting in degraded response time to queries. Bind 9.8 now has a dynamically scalable ADB hash table, which helps a busy server to avoid hash table collisions and maintain a consistent query response time. [RT #21186] * BIND now supports a new zone type, static-stub. This allows the administrator of a recursive nameserver to force queries for a particular zone to go to IP addresses of the administrator's choosing, on a per zone basis, both globally or per view. I.e. if the administrator wishes to have their recursive server query 192.0.2.1 and 192.0.2.2 for zone example.com rather than the servers listed by the .com gTLDs, they would configure example.com as a static-stub zone in their recursive server. [RT #21474] * BIND now supports Response Policy Zones, a way of expressing "reputation" in real time via specially constructed DNS zones. See the draft specification here: http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726] * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized from corresponding IN-ADDR.ARPA. [RT #21991/22769] * Dynamically Loadable Zones (DLZ) now support dynamic updates. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than having to be linked with named at compile time. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * named now retains GSS-TSIG keys across restarts. This is for compatibility with Microsoft DHCP servers doing dynamic DNS updates for clients, which don't know to renegotiate the GSS-TSIG session key when named restarts. [RT #22639] * There is a new update-policy match type "external". This allows named to decide whether to allow a dynamic update by checking with an external daemon. Contributed by Andrew Tridgell of the Samba Project. [RT #22758] * There have been a number of bug fixes and ease of use enhancements for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include: + Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be allowed for any key matching a Kerberos principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] + It is no longer necessary to have a valid /etc/krb5.conf file. Using the syntax DNS/hostname@REALM in nsupdate is sufficient for to correctly set the default realm. [RT #22795] + Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795] + DLZ correctly deals with NULL zone in a query. [RT 22795] + TSIG correctly deals with a NULL tkey->creator. [RT 22795] * A new test has been added to check the apex NSEC3 records after DNSKEY records have been added via dynamic update. [RT #23229] * RTT banding (randomized server selection on queries) was introduced in BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead of always picking the authoritative server with the lowest RTT to the caching resolver, all the authoritative servers within an RTT range were randomly used by the recursive server. While this did add an extra bit of randomness that an attacker had to overcome to poison a recursive server's cache, it also impacts the resolver's speed in answering end customer queries, since it's no longer the fastest auth server that gets asked. This means that performance optimizations, such using topologically close authoritative servers, are rendered ineffective. ISC has evaluated the amount of security added versus the performance hit to end users and has decided that RTT banding is causing more harm than good. Therefore, with this release, BIND is going back to the server selection used prior to adding RTT banding. [RT #23310] Feature Changes 9.8.0 * There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929 * There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043] * Added option 'resolver-query-timeout' in named.conf (max query timeout in seconds) to set a different value than the default (30 seconds). A value of 0 means 'use the compiled in default'; anything longer than 30 will be silently set to 30. [RT #22852] * For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details.
2011-03-04 04:52:14 +01:00
include/isc/serial.h
include/isc/sha1.h
include/isc/sha2.h
include/isc/sockaddr.h
include/isc/socket.h
Update bind98 to 9.8.6 (BIND 9.8.6). (CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc.) Security Fixes Previously an error in bounds checking on the private type 'keydata' could be used to deny service through a deliberately triggerable REQUIRE failure (CVE-2013-4854). [RT #34238] Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690] Feature Changes rndc status now also shows the build-id. [RT #20422] Improved OPT pseudo-record processing to make it easier to support new EDNS options. [RT #34414] "configure" now finishes by printing a summary of optional BIND features and whether they are active or inactive. ("configure --enable-full-report" increases the verbosity of the summary.) [RT #31777] Addressed compatibility issues with newer versions of Microsoft Visual Studio. [RT #33916] Improved the 'rndc' man page. [RT #33506] 'named -g' now no longer works with an invalid logging configuration. [RT #33473] The default (and minimum) value for tcp-listen-queue is now 10 instead of 3. This is a subtle control setting (not applicable to all OS environments). When there is a high rate of inbound TCP connections, it controls how many connections can be queued before they are accepted by named. Once this limit is exceeded, new TCP connections will be rejected. Note however that a value of 10 does not imply a strict limit of 10 queued TCP connections - the impact of changing this configuration setting will be OS-dependent. Larger values for tcp-listen queue will permit more pending tcp connections, which may be needed where there is a high rate of TCP-based traffic (for example in a dynamic environment where there are frequent zone updates and transfers). For most production servers the new default value of 10 should be adequate. [RT #33029] Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e with PKCS#11. [RT #33463] Added logging messages on slave servers when they forward DDNS updates to a master. [RT #33240] Bug Fixes Fixed the "allow-query-on" option to correctly check the destination address. [RT #34590] Fix DNSSEC auto maintenance so signatures can be removed from a zone with only KSK keys for an algorithm. [RT #34439] Fix forwarding for forward only "zones" beneath automatic empty zones. [RT #34583] Fix DNSSEC auto maintenance so signatures from newly inactive keys are removed (when publishing a new key while deactivating another key at the same time). [RT #32178] Remove bogus warning log message about missing signatures when receiving a query for a SIG record. [RT #34600] Fix Response Policy Zones on slave servers so new RPZ changes take effect. [RT #34450] Improved resistance to a theoretical authentication attack based on differential timing. [RT #33939] named was failing to answer queries during "rndc reload" [RT #34098] Fixed a broken 'Invalid keyfile' error message in dnssec-keygen. [RT #34045] The build of BIND now installs isc/stat.h so that it's available to /isc/file.h when building other applications that reference these header files - for example dnsperf (see Debian bug ticket #692467). [RT #33056] Better handle failures building XML for stats channel responses. [RT #33706] Fixed a memory leak in GSS-API processing. [RT #33574] Fixed an acache-related race condition that could cause a crash. [RT #33602] rndc now properly fails when given an invalid '-c' argument. [RT #33571] Fixed an issue with the handling of zero TTL records that could cause improper SERVFAILs. [RT #33411] Fixed a crash-on-shutdown race condition with DNSSEC validation. [RT #33573] Corrected the way that "rndc addzone" and "rndc delzone" handle non-standard characters in zone names. [RT #33419]
2013-09-21 17:59:00 +02:00
include/isc/stat.h
Importing BIND 9.8.0 as net/bind98. Full release note: http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html New Features 9.8.0 * The ADB hash table stores informations about which authoritative servers to query about particular domains. Previous versions of BIND had the hash table size as a fixed value. On a busy recursive server, this could lead to hash table collisions in the ADB cache, resulting in degraded response time to queries. Bind 9.8 now has a dynamically scalable ADB hash table, which helps a busy server to avoid hash table collisions and maintain a consistent query response time. [RT #21186] * BIND now supports a new zone type, static-stub. This allows the administrator of a recursive nameserver to force queries for a particular zone to go to IP addresses of the administrator's choosing, on a per zone basis, both globally or per view. I.e. if the administrator wishes to have their recursive server query 192.0.2.1 and 192.0.2.2 for zone example.com rather than the servers listed by the .com gTLDs, they would configure example.com as a static-stub zone in their recursive server. [RT #21474] * BIND now supports Response Policy Zones, a way of expressing "reputation" in real time via specially constructed DNS zones. See the draft specification here: http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726] * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized from corresponding IN-ADDR.ARPA. [RT #21991/22769] * Dynamically Loadable Zones (DLZ) now support dynamic updates. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than having to be linked with named at compile time. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * named now retains GSS-TSIG keys across restarts. This is for compatibility with Microsoft DHCP servers doing dynamic DNS updates for clients, which don't know to renegotiate the GSS-TSIG session key when named restarts. [RT #22639] * There is a new update-policy match type "external". This allows named to decide whether to allow a dynamic update by checking with an external daemon. Contributed by Andrew Tridgell of the Samba Project. [RT #22758] * There have been a number of bug fixes and ease of use enhancements for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include: + Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be allowed for any key matching a Kerberos principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] + It is no longer necessary to have a valid /etc/krb5.conf file. Using the syntax DNS/hostname@REALM in nsupdate is sufficient for to correctly set the default realm. [RT #22795] + Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795] + DLZ correctly deals with NULL zone in a query. [RT 22795] + TSIG correctly deals with a NULL tkey->creator. [RT 22795] * A new test has been added to check the apex NSEC3 records after DNSKEY records have been added via dynamic update. [RT #23229] * RTT banding (randomized server selection on queries) was introduced in BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead of always picking the authoritative server with the lowest RTT to the caching resolver, all the authoritative servers within an RTT range were randomly used by the recursive server. While this did add an extra bit of randomness that an attacker had to overcome to poison a recursive server's cache, it also impacts the resolver's speed in answering end customer queries, since it's no longer the fastest auth server that gets asked. This means that performance optimizations, such using topologically close authoritative servers, are rendered ineffective. ISC has evaluated the amount of security added versus the performance hit to end users and has decided that RTT banding is causing more harm than good. Therefore, with this release, BIND is going back to the server selection used prior to adding RTT banding. [RT #23310] Feature Changes 9.8.0 * There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929 * There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043] * Added option 'resolver-query-timeout' in named.conf (max query timeout in seconds) to set a different value than the default (30 seconds). A value of 0 means 'use the compiled in default'; anything longer than 30 will be silently set to 30. [RT #22852] * For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details.
2011-03-04 04:52:14 +01:00
include/isc/stdio.h
include/isc/stdlib.h
include/isc/stdtime.h
include/isc/string.h
include/isc/symtab.h
include/isc/syslog.h
include/isc/task.h
include/isc/taskpool.h
include/isc/thread.h
include/isc/time.h
include/isc/timer.h
include/isc/types.h
include/isc/util.h
include/isc/version.h
include/isc/xml.h
include/isccc/alist.h
include/isccc/base64.h
include/isccc/cc.h
include/isccc/ccmsg.h
include/isccc/events.h
include/isccc/lib.h
include/isccc/result.h
include/isccc/sexpr.h
include/isccc/symtab.h
include/isccc/symtype.h
include/isccc/types.h
include/isccc/util.h
include/isccc/version.h
include/isccfg/aclconf.h
include/isccfg/cfg.h
include/isccfg/grammar.h
include/isccfg/log.h
include/isccfg/namedconf.h
include/isccfg/version.h
include/lwres/context.h
include/lwres/int.h
include/lwres/ipv6.h
include/lwres/lang.h
include/lwres/list.h
include/lwres/lwbuffer.h
include/lwres/lwpacket.h
include/lwres/lwres.h
include/lwres/net.h
include/lwres/netdb.h
include/lwres/platform.h
include/lwres/result.h
include/lwres/version.h
lib/libbind9.la
lib/libdns.la
lib/libisc.la
lib/libisccc.la
lib/libisccfg.la
lib/liblwres.la
man/man1/arpaname.1
man/man1/dig.1
man/man1/host.1
man/man1/isc-config.sh.1
man/man1/nslookup.1
man/man1/nsupdate.1
man/man3/lwres.3
man/man3/lwres_addr_parse.3
man/man3/lwres_buffer.3
man/man3/lwres_buffer_add.3
man/man3/lwres_buffer_back.3
man/man3/lwres_buffer_clear.3
man/man3/lwres_buffer_first.3
man/man3/lwres_buffer_forward.3
man/man3/lwres_buffer_getmem.3
man/man3/lwres_buffer_getuint16.3
man/man3/lwres_buffer_getuint32.3
man/man3/lwres_buffer_getuint8.3
man/man3/lwres_buffer_init.3
man/man3/lwres_buffer_invalidate.3
man/man3/lwres_buffer_putmem.3
man/man3/lwres_buffer_putuint16.3
man/man3/lwres_buffer_putuint32.3
man/man3/lwres_buffer_putuint8.3
man/man3/lwres_buffer_subtract.3
man/man3/lwres_conf_clear.3
man/man3/lwres_conf_get.3
man/man3/lwres_conf_init.3
man/man3/lwres_conf_parse.3
man/man3/lwres_conf_print.3
man/man3/lwres_config.3
man/man3/lwres_context.3
man/man3/lwres_context_allocmem.3
man/man3/lwres_context_create.3
man/man3/lwres_context_destroy.3
man/man3/lwres_context_freemem.3
man/man3/lwres_context_initserial.3
man/man3/lwres_context_nextserial.3
man/man3/lwres_context_sendrecv.3
man/man3/lwres_endhostent.3
man/man3/lwres_endhostent_r.3
man/man3/lwres_freeaddrinfo.3
man/man3/lwres_freehostent.3
man/man3/lwres_gabn.3
man/man3/lwres_gabnrequest_free.3
man/man3/lwres_gabnrequest_parse.3
man/man3/lwres_gabnrequest_render.3
man/man3/lwres_gabnresponse_free.3
man/man3/lwres_gabnresponse_parse.3
man/man3/lwres_gabnresponse_render.3
man/man3/lwres_gai_strerror.3
man/man3/lwres_getaddrinfo.3
man/man3/lwres_getaddrsbyname.3
man/man3/lwres_gethostbyaddr.3
man/man3/lwres_gethostbyaddr_r.3
man/man3/lwres_gethostbyname.3
man/man3/lwres_gethostbyname2.3
man/man3/lwres_gethostbyname_r.3
man/man3/lwres_gethostent.3
man/man3/lwres_gethostent_r.3
man/man3/lwres_getipnode.3
man/man3/lwres_getipnodebyaddr.3
man/man3/lwres_getipnodebyname.3
man/man3/lwres_getnamebyaddr.3
man/man3/lwres_getnameinfo.3
man/man3/lwres_getrrsetbyname.3
man/man3/lwres_gnba.3
man/man3/lwres_gnbarequest_free.3
man/man3/lwres_gnbarequest_parse.3
man/man3/lwres_gnbarequest_render.3
man/man3/lwres_gnbaresponse_free.3
man/man3/lwres_gnbaresponse_parse.3
man/man3/lwres_gnbaresponse_render.3
man/man3/lwres_herror.3
man/man3/lwres_hstrerror.3
man/man3/lwres_inetntop.3
man/man3/lwres_lwpacket_parseheader.3
man/man3/lwres_lwpacket_renderheader.3
man/man3/lwres_net_ntop.3
man/man3/lwres_noop.3
man/man3/lwres_nooprequest_free.3
man/man3/lwres_nooprequest_parse.3
man/man3/lwres_nooprequest_render.3
man/man3/lwres_noopresponse_free.3
man/man3/lwres_noopresponse_parse.3
man/man3/lwres_noopresponse_render.3
man/man3/lwres_packet.3
man/man3/lwres_resutil.3
man/man3/lwres_sethostent.3
man/man3/lwres_sethostent_r.3
man/man3/lwres_string_parse.3
man/man5/named.conf.5
man/man5/rndc.conf.5
man/man8/ddns-confgen.8
man/man8/dnssec-dsfromkey.8
man/man8/dnssec-keyfromlabel.8
man/man8/dnssec-keygen.8
man/man8/dnssec-revoke.8
man/man8/dnssec-settime.8
man/man8/dnssec-signzone.8
man/man8/genrandom.8
man/man8/isc-hmac-fixup.8
man/man8/lwresd.8
man/man8/named-checkconf.8
man/man8/named-checkzone.8
man/man8/named-compilezone.8
man/man8/named-journalprint.8
man/man8/named.8
man/man8/nsec3hash.8
man/man8/rndc-confgen.8
man/man8/rndc.8
sbin/arpaname
sbin/ddns-confgen
sbin/dnssec-dsfromkey
sbin/dnssec-keyfromlabel
sbin/dnssec-keygen
sbin/dnssec-revoke
sbin/dnssec-settime
sbin/dnssec-signzone
sbin/genrandom
sbin/isc-hmac-fixup
sbin/lwresd
sbin/named
sbin/named-checkconf
sbin/named-checkzone
sbin/named-compilezone
sbin/named-journalprint
sbin/nsec3hash
sbin/rndc
sbin/rndc-confgen
share/doc/bind9/README
share/doc/bind9/arm/Bv9ARM.ch01.html
share/doc/bind9/arm/Bv9ARM.ch02.html
share/doc/bind9/arm/Bv9ARM.ch03.html
share/doc/bind9/arm/Bv9ARM.ch04.html
share/doc/bind9/arm/Bv9ARM.ch05.html
share/doc/bind9/arm/Bv9ARM.ch06.html
share/doc/bind9/arm/Bv9ARM.ch07.html
share/doc/bind9/arm/Bv9ARM.ch08.html
share/doc/bind9/arm/Bv9ARM.ch09.html
share/doc/bind9/arm/Bv9ARM.ch10.html
share/doc/bind9/arm/Bv9ARM.html
share/doc/bind9/arm/man.arpaname.html
share/doc/bind9/arm/man.ddns-confgen.html
share/doc/bind9/arm/man.dig.html
share/doc/bind9/arm/man.dnssec-dsfromkey.html
share/doc/bind9/arm/man.dnssec-keyfromlabel.html
share/doc/bind9/arm/man.dnssec-keygen.html
share/doc/bind9/arm/man.dnssec-revoke.html
share/doc/bind9/arm/man.dnssec-settime.html
share/doc/bind9/arm/man.dnssec-signzone.html
share/doc/bind9/arm/man.genrandom.html
share/doc/bind9/arm/man.host.html
share/doc/bind9/arm/man.isc-hmac-fixup.html
share/doc/bind9/arm/man.named-checkconf.html
share/doc/bind9/arm/man.named-checkzone.html
share/doc/bind9/arm/man.named-journalprint.html
share/doc/bind9/arm/man.named.html
share/doc/bind9/arm/man.nsec3hash.html
share/doc/bind9/arm/man.nsupdate.html
share/doc/bind9/arm/man.rndc-confgen.html
share/doc/bind9/arm/man.rndc.conf.html
share/doc/bind9/arm/man.rndc.html
Update bind98 pacakge to 9.8.2. Security Fixes + BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313] Feature Changes + RPZ implementation now conforms to version 3 of the specification. [RT #27316] + It is now possible to explicitly disable DLV in named.conf by specifying "dnssec-lookaside no;". This is the default, but the ability to configure it makes it clearly visible to administrators. [RT #24858] + --enable-developer, a new composite argument to the configure script, enables a set of build options normally disabled but frequently selected in test or development builds, specifically: enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip, enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and Darwin, also enable_exportlib) [RT #27103]
2012-04-05 02:39:34 +02:00
share/doc/bind9/misc/dnssec
share/doc/bind9/misc/ipv6
share/doc/bind9/misc/migration
share/doc/bind9/misc/migration-4to9
share/doc/bind9/misc/options
share/doc/bind9/misc/rfc-compliance
share/doc/bind9/misc/roadmap
share/doc/bind9/misc/sdb
Importing BIND 9.8.0 as net/bind98. Full release note: http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html New Features 9.8.0 * The ADB hash table stores informations about which authoritative servers to query about particular domains. Previous versions of BIND had the hash table size as a fixed value. On a busy recursive server, this could lead to hash table collisions in the ADB cache, resulting in degraded response time to queries. Bind 9.8 now has a dynamically scalable ADB hash table, which helps a busy server to avoid hash table collisions and maintain a consistent query response time. [RT #21186] * BIND now supports a new zone type, static-stub. This allows the administrator of a recursive nameserver to force queries for a particular zone to go to IP addresses of the administrator's choosing, on a per zone basis, both globally or per view. I.e. if the administrator wishes to have their recursive server query 192.0.2.1 and 192.0.2.2 for zone example.com rather than the servers listed by the .com gTLDs, they would configure example.com as a static-stub zone in their recursive server. [RT #21474] * BIND now supports Response Policy Zones, a way of expressing "reputation" in real time via specially constructed DNS zones. See the draft specification here: http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726] * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized from corresponding IN-ADDR.ARPA. [RT #21991/22769] * Dynamically Loadable Zones (DLZ) now support dynamic updates. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than having to be linked with named at compile time. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] * named now retains GSS-TSIG keys across restarts. This is for compatibility with Microsoft DHCP servers doing dynamic DNS updates for clients, which don't know to renegotiate the GSS-TSIG session key when named restarts. [RT #22639] * There is a new update-policy match type "external". This allows named to decide whether to allow a dynamic update by checking with an external daemon. Contributed by Andrew Tridgell of the Samba Project. [RT #22758] * There have been a number of bug fixes and ease of use enhancements for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include: + Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be allowed for any key matching a Kerberos principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629] + It is no longer necessary to have a valid /etc/krb5.conf file. Using the syntax DNS/hostname@REALM in nsupdate is sufficient for to correctly set the default realm. [RT #22795] + Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795] + DLZ correctly deals with NULL zone in a query. [RT 22795] + TSIG correctly deals with a NULL tkey->creator. [RT 22795] * A new test has been added to check the apex NSEC3 records after DNSKEY records have been added via dynamic update. [RT #23229] * RTT banding (randomized server selection on queries) was introduced in BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead of always picking the authoritative server with the lowest RTT to the caching resolver, all the authoritative servers within an RTT range were randomly used by the recursive server. While this did add an extra bit of randomness that an attacker had to overcome to poison a recursive server's cache, it also impacts the resolver's speed in answering end customer queries, since it's no longer the fastest auth server that gets asked. This means that performance optimizations, such using topologically close authoritative servers, are rendered ineffective. ISC has evaluated the amount of security added versus the performance hit to end users and has decided that RTT banding is causing more harm than good. Therefore, with this release, BIND is going back to the server selection used prior to adding RTT banding. [RT #23310] Feature Changes 9.8.0 * There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929 * There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043] * Added option 'resolver-query-timeout' in named.conf (max query timeout in seconds) to set a different value than the default (30 seconds). A value of 0 means 'use the compiled in default'; anything longer than 30 will be silently set to 30. [RT #22852] * For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details.
2011-03-04 04:52:14 +01:00
share/examples/rc.d/lwresd
share/examples/rc.d/named9
Reference in a new issue Copy permalink