Update bind99 to 9.9.7.

Security Fixes

     * On servers configured to perform DNSSEC validation using managed
       trust anchors (i.e., keys configured explicitly via managed-keys,
       or implicitly via dnssec-validation auto; or dnssec-lookaside
       auto;), revoking a trust anchor and sending a new untrusted
       replacement could cause named to crash with an assertion failure.
       This could occur in the event of a botched key rollover, or
       potentially as a result of a deliberate attack if the attacker was
       in position to monitor the victim's DNS traffic.
       This flaw was discovered by Jan-Piet Mens, and is disclosed in
       CVE-2015-1349. [RT #38344]
     * A flaw in delegation handling could be exploited to put named into
       an infinite loop, in which each lookup of a name server triggered
       additional lookups of more name servers. This has been addressed by
       placing limits on the number of levels of recursion named will
       allow (default 7), and on the number of queries that it will send
       before terminating a recursive query (default 50).
       The recursion depth limit is configured via the max-recursion-depth
       option, and the query limit via the max-recursion-queries option.
       The flaw was discovered by Florian Maury of ANSSI, and is disclosed
       in CVE-2014-8500. [RT #37580]

New Features

     * None

Feature Changes

     * NXDOMAIN responses to queries of type DS are now cached separately
       from those for other types. This helps when using "grafted" zones
       of type forward, for which the parent zone does not contain a
       delegation, such as local top-level domains. Previously a query of
       type DS for such a zone could cause the zone apex to be cached as
       NXDOMAIN, blocking all subsequent queries. (Note: This change is
       only helpful when DNSSEC validation is not enabled. "Grafted" zones
       without a delegation in the parent are not a recommended
       configuration.)
     * NOTIFY messages that are sent because a zone has been updated are
       now given priority above NOTIFY messages that were scheduled when
       the server started up. This should mitigate delays in zone
       propagation when servers are restarted frequently.
     * Errors reported when running rndc addzone (e.g., when a zone file
       cannot be loaded) have been clarified to make it easier to diagnose
       problems.
     * Added support for OPENPGPKEY type.
     * When encountering an authoritative name server whose name is an
       alias pointing to another name, the resolver treats this as an
       error and skips to the next server. Previously this happened
       silently; now the error will be logged to the newly-created "cname"
       log category.
     * If named is not configured to validate the answer then allow
       fallback to plain DNS on timeout even when we know the server
       supports EDNS. This will allow the server to potentially resolve
       signed queries when TCP is being blocked.

Bug Fixes

     * dig, host and nslookup aborted when encountering a name which,
       after appending search list elements, exceeded 255 bytes. Such
       names are now skipped, but processing of other names will continue.
       [RT #36892]
     * The error message generated when named-checkzone or named-checkconf
       -z encounters a $TTL directive without a value has been clarified.
       [RT #37138]
     * Semicolon characters (;) included in TXT records were incorrectly
       escaped with a backslash when the record was displayed as text.
       This is actually only necessary when there are no quotation marks.
       [RT #37159]
     * When files opened for writing by named, such as zone journal files,
       were referenced more than once in named.conf, it could lead to file
       corruption as multiple threads wrote to the same file. This is now
       detected when loading named.conf and reported as an error. [RT
       #37172]
     * dnssec-keygen -S failed to generate successor keys for some
       algorithm types (including ECDSA and GOST) due to a difference in
       the content of private key files. This has been corrected. [RT
       #37183]
     * UPDATE messages that arrived too soon after an rndc thaw could be
       lost. [RT #37233]
     * Forwarding of UPDATE messages did not work when they were signed
       with SIG(0); they resulted in a BADSIG response code. [RT #37216]
     * When checking for updates to trust anchors listed in managed-keys,
       named now revalidates keys based on the current set of active trust
       anchors, without relying on any cached record of previous
       validation. [RT #37506]
     * When NXDOMAIN redirection is in use, queries for a name that is
       present in the redirection zone but a type that is not present will
       now return NOERROR instead of NXDOMAIN.
     * When a zone contained a delegation to an IPv6 name server but not
       an IPv4 name server, it was possible for a memory reference to be
       left un-freed. This caused an assertion failure on server shutdown,
       but was otherwise harmless. [RT #37796]
     * Due to an inadvertent removal of code in the previous release, when
       named encountered an authoritative name server which dropped all
       EDNS queries, it did not always try plain DNS. This has been
       corrected. [RT #37965]
     * A regression caused nsupdate to use the default recursive servers
       rather than the SOA MNAME server when sending the UPDATE.
     * Adjusted max-recursion-queries to better accommodate empty caches.
     * Built-in "empty" zones did not correctly inherit the
       "allow-transfer" ACL from the options or view. [RT #38310]
     * A mutex leak was fixed that could cause named processes to grow to
       very large sizes. [RT #38454]
     * Fixed some bugs in RFC 5011 trust anchor management, including a
       memory leak and a possible loss of state information.[RT #38458]
This commit is contained in:
taca 2015-02-26 10:14:10 +00:00
parent f85ef2d951
commit 4783d0a606
5 changed files with 37 additions and 32 deletions

View file

@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.42 2015/02/19 00:36:27 taca Exp $
# $NetBSD: Makefile,v 1.43 2015/02/26 10:14:10 taca Exp $
DISTNAME= bind-${BIND_VERSION}
PKGNAME= ${DISTNAME:S/-P/pl/}
@ -14,7 +14,7 @@ CONFLICTS+= host-[0-9]*
MAKE_JOBS_SAFE= no
BIND_VERSION= 9.9.6-P2
BIND_VERSION= 9.9.7
.include "../../mk/bsd.prefs.mk"

View file

@ -1,4 +1,4 @@
@comment $NetBSD: PLIST,v 1.9 2014/12/08 21:58:18 taca Exp $
@comment $NetBSD: PLIST,v 1.10 2015/02/26 10:14:10 taca Exp $
bin/bind9-config
bin/dig
bin/host
@ -386,6 +386,9 @@ share/doc/bind9/arm/Bv9ARM.ch07.html
share/doc/bind9/arm/Bv9ARM.ch08.html
share/doc/bind9/arm/Bv9ARM.ch09.html
share/doc/bind9/arm/Bv9ARM.ch10.html
share/doc/bind9/arm/Bv9ARM.ch11.html
share/doc/bind9/arm/Bv9ARM.ch12.html
share/doc/bind9/arm/Bv9ARM.ch13.html
share/doc/bind9/arm/Bv9ARM.html
share/doc/bind9/arm/man.arpaname.html
share/doc/bind9/arm/man.ddns-confgen.html
@ -411,3 +414,4 @@ share/doc/bind9/arm/man.nsupdate.html
share/doc/bind9/arm/man.rndc-confgen.html
share/doc/bind9/arm/man.rndc.conf.html
share/doc/bind9/arm/man.rndc.html
share/doc/bind9/arm/notes.html

View file

@ -1,12 +1,13 @@
$NetBSD: distinfo,v 1.27 2015/02/19 00:36:27 taca Exp $
$NetBSD: distinfo,v 1.28 2015/02/26 10:14:10 taca Exp $
SHA1 (bind-9.9.6-P2.tar.gz) = 19b53e60ed632f2063b2d630eabfb7234900bca6
RMD160 (bind-9.9.6-P2.tar.gz) = 5f1d21a0f4d31ebdcc514dae17b14d30c43422c7
Size (bind-9.9.6-P2.tar.gz) = 7816640 bytes
SHA1 (patch-bin_dig_dighost.c) = 72cb7676cdf9cd4b44bc62c72bcf29127d9fbffe
SHA1 (bind-9.9.7.tar.gz) = 8a02c5e67b4d6cb49fd896bb5c56e605cac8c992
RMD160 (bind-9.9.7.tar.gz) = c66e0b43695616adffee4602af324c0e4cbab7c6
Size (bind-9.9.7.tar.gz) = 7960032 bytes
SHA1 (patch-bin_dig_dighost.c) = a18a3d98c85ce8962024d53e01159fd95f99cae4
SHA1 (patch-bin_named_config.c) = da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA1 (patch-bin_tests_system_Makefile.in) = 483fca89658263f5c1f974ce1151721835355aa8
SHA1 (patch-config.threads.in) = 227b83efe9cb3e301aaac9b97cf42f1fb8ad06b2
SHA1 (patch-configure) = b55ed3e56b61df65f526079d6a14b65fdd3a5a43
SHA1 (patch-configure) = d3d9b8e531fbaad3ab42a86735cc01d5d4fbcdf0
SHA1 (patch-contrib_dlz_config.dlz.in) = f18bec63fbfce7cb2cd72929058ce3770fce458f
SHA1 (patch-lib_dns_rbt.c) = df4b029369d9fa3b250d8505b5f7590e2cd86654
SHA1 (patch-lib_lwres_getaddrinfo.c) = cda91b6d1afa02de2c59d51490090ef4ab7f1a41

View file

@ -1,10 +1,10 @@
$NetBSD: patch-bin_dig_dighost.c,v 1.3 2014/02/02 07:58:20 taca Exp $
$NetBSD: patch-bin_dig_dighost.c,v 1.4 2015/02/26 10:14:10 taca Exp $
* Avoid to use true as variable name.
--- bin/dig/dighost.c.orig 2014-01-27 18:58:24.000000000 +0000
--- bin/dig/dighost.c.orig 2015-02-18 01:56:06.000000000 +0000
+++ bin/dig/dighost.c
@@ -4397,7 +4397,7 @@ prepare_lookup(dns_name_t *name)
@@ -4436,7 +4436,7 @@ prepare_lookup(dns_name_t *name)
isc_result_t result;
isc_region_t r;
dns_rdataset_t *rdataset = NULL;
@ -13,7 +13,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.3 2014/02/02 07:58:20 taca Exp $
#endif
memset(namestr, 0, DNS_NAME_FORMATSIZE);
@@ -4411,7 +4411,7 @@ prepare_lookup(dns_name_t *name)
@@ -4450,7 +4450,7 @@ prepare_lookup(dns_name_t *name)
result = advanced_rrsearch(&rdataset, &ns.name,
dns_rdatatype_aaaa,
@ -22,7 +22,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.3 2014/02/02 07:58:20 taca Exp $
if (result == ISC_R_SUCCESS) {
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
@@ -4440,7 +4440,7 @@ prepare_lookup(dns_name_t *name)
@@ -4479,7 +4479,7 @@ prepare_lookup(dns_name_t *name)
rdataset = NULL;
result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a,
@ -31,7 +31,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.3 2014/02/02 07:58:20 taca Exp $
if (result == ISC_R_SUCCESS) {
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
@@ -4559,11 +4559,11 @@ isc_result_t
@@ -4598,11 +4598,11 @@ isc_result_t
initialization(dns_name_t *name)
{
isc_result_t result;
@ -45,16 +45,16 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.3 2014/02/02 07:58:20 taca Exp $
if (result != ISC_R_SUCCESS) {
printf("\n;; NS RRset is missing to continue validation:"
" FAILED\n\n");
@@ -4911,7 +4911,7 @@ sigchase_td(dns_message_t *msg)
@@ -4960,7 +4960,7 @@ sigchase_td(dns_message_t *msg)
isc_result_t result;
dns_name_t *name = NULL;
isc_boolean_t have_answer = ISC_FALSE;
- isc_boolean_t true = ISC_TRUE;
+ isc_boolean_t isc_true = ISC_TRUE;
if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
== ISC_R_SUCCESS) {
@@ -4920,7 +4920,7 @@ sigchase_td(dns_message_t *msg)
if (msg->rcode != dns_rcode_noerror &&
msg->rcode != dns_rcode_nxdomain) {
@@ -4983,7 +4983,7 @@ sigchase_td(dns_message_t *msg)
initialization(name);
return;
}
@ -63,7 +63,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.3 2014/02/02 07:58:20 taca Exp $
} else {
if (!current_lookup->trace_root_sigchase) {
result = dns_message_firstname(msg,
@@ -5038,7 +5038,7 @@ sigchase_td(dns_message_t *msg)
@@ -5104,7 +5104,7 @@ sigchase_td(dns_message_t *msg)
dns_rdatatype_rrsig,
current_lookup
->rdtype_sigchase,
@ -72,7 +72,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.3 2014/02/02 07:58:20 taca Exp $
if (result == ISC_R_FAILURE) {
printf("\n;; RRset is missing to continue"
" validation SHOULD NOT APPEND:"
@@ -5051,7 +5051,7 @@ sigchase_td(dns_message_t *msg)
@@ -5117,7 +5117,7 @@ sigchase_td(dns_message_t *msg)
&chase_authority_name,
dns_rdatatype_rrsig,
dns_rdatatype_any,
@ -81,7 +81,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.3 2014/02/02 07:58:20 taca Exp $
if (result == ISC_R_FAILURE) {
printf("\n;; RRSIG is missing to continue"
" validation SHOULD NOT APPEND:"
@@ -5127,7 +5127,7 @@ sigchase_td(dns_message_t *msg)
@@ -5193,7 +5193,7 @@ sigchase_td(dns_message_t *msg)
&chase_authority_name,
dns_rdatatype_rrsig,
dns_rdatatype_ds,
@ -90,7 +90,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.3 2014/02/02 07:58:20 taca Exp $
if (result != ISC_R_SUCCESS) {
printf("\n;; DSset is missing to continue validation:"
" FAILED\n\n");
@@ -5215,7 +5215,7 @@ sigchase_td(dns_message_t *msg)
@@ -5281,7 +5281,7 @@ sigchase_td(dns_message_t *msg)
result = advanced_rrsearch(&chase_rdataset, &chase_name,
current_lookup->rdtype_sigchase,
dns_rdatatype_any ,
@ -99,7 +99,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.3 2014/02/02 07:58:20 taca Exp $
if (result == ISC_R_FAILURE) {
printf("\n;; RRsig of RRset is missing to continue validation"
" SHOULD NOT APPEND: FAILED\n\n");
@@ -5258,7 +5258,7 @@ getneededrr(dns_message_t *msg)
@@ -5324,7 +5324,7 @@ getneededrr(dns_message_t *msg)
dns_name_t *name = NULL;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdata_sig_t siginfo;
@ -108,7 +108,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.3 2014/02/02 07:58:20 taca Exp $
if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
!= ISC_R_SUCCESS) {
@@ -5274,7 +5274,7 @@ getneededrr(dns_message_t *msg)
@@ -5340,7 +5340,7 @@ getneededrr(dns_message_t *msg)
if (chase_rdataset == NULL) {
result = advanced_rrsearch(&chase_rdataset, name,
dns_rdatatype_any,
@ -117,7 +117,7 @@ $NetBSD: patch-bin_dig_dighost.c,v 1.3 2014/02/02 07:58:20 taca Exp $
if (result != ISC_R_SUCCESS) {
printf("\n;; No Answers: Validation FAILED\n\n");
return (ISC_R_NOTFOUND);
@@ -5394,7 +5394,7 @@ getneededrr(dns_message_t *msg)
@@ -5459,7 +5459,7 @@ getneededrr(dns_message_t *msg)
result = advanced_rrsearch(&chase_sigdsrdataset,
&chase_signame,
dns_rdatatype_rrsig,

View file

@ -1,12 +1,12 @@
$NetBSD: patch-configure,v 1.9 2014/10/14 16:21:02 taca Exp $
$NetBSD: patch-configure,v 1.10 2015/02/26 10:14:10 taca Exp $
* Add DragonFly support.
* Link proper postgresql library.
* Avoid using "==" for argument of test(1).
--- configure.orig 2014-09-16 19:27:20.000000000 +0000
--- configure.orig 2015-02-18 01:56:06.000000000 +0000
+++ configure
@@ -11677,7 +11677,7 @@ fi
@@ -11691,7 +11691,7 @@ fi
test -n "$PYTHON" && break
done
@ -15,7 +15,7 @@ $NetBSD: patch-configure,v 1.9 2014/10/14 16:21:02 taca Exp $
continue;
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking python module 'argparse'" >&5
@@ -11692,7 +11692,7 @@ $as_echo "not found" >&6; }
@@ -11706,7 +11706,7 @@ $as_echo "not found" >&6; }
unset ac_cv_path_PYTHON
unset PYTHON
done
@ -24,7 +24,7 @@ $NetBSD: patch-configure,v 1.9 2014/10/14 16:21:02 taca Exp $
then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for python support" >&5
$as_echo_n "checking for python support... " >&6; }
@@ -14494,6 +14494,8 @@ case $host in
@@ -14560,6 +14560,8 @@ case $host in
use_threads=false ;;
*-freebsd*)
use_threads=true ;;
@ -33,7 +33,7 @@ $NetBSD: patch-configure,v 1.9 2014/10/14 16:21:02 taca Exp $
*-bsdi[234]*)
# Thread signals do not work reliably on some versions of BSD/OS.
use_threads=false ;;
@@ -19754,7 +19756,7 @@ $as_echo "no" >&6; }
@@ -19923,7 +19925,7 @@ $as_echo "no" >&6; }
fi
if test -n "-L$use_dlz_postgres_lib -lpq"
then