Commit graph

12 commits

Author SHA1 Message Date
jperkin
19304ee7b8 bind*: Fix a couple of issues in the SMF method.
Fix a typo in the configuration_file arguments, joyent/pkgsrc#189.
Ensure the /var/run/named directory has the correct permissions.
2019-06-19 10:58:48 +00:00
taca
70fa58b77e net/bind911: update to 9.11.7
Update bind911 to 9.11.7; this is a maintenance release.

--- 9.11.7 released ---

5233.	[bug]		Negative trust anchors did not work with "forward only;"
			to validating resolvers. [GL #997]
5232.	[bug]		Fix a high-load race/crash in isc_socket_cancel().
			[GL #834]
5231.	[protocol]	Add support for displaying CLIENT-TAG and SERVER-TAG.
			[GL #960]
5229.	[protocol]	Enforce known SSHFP fingerprint lengths. [GL #852]
5228.	[cleanup]	If trusted-keys and managed-keys are configured
			simultaneously for the same name, the key cannot
			be rolled automatically. This configuration now
			logs a warning. [GL #868]
5224.	[bug]		Only test provide-ixfr on TCP streams. [GL #991]
5222.	[bug]		'delv -t ANY' could leak memory. [GL #983]
5221.	[test]		Enable parallel execution of system tests on
			Windows. [GL !4101]
5218.	[bug]		Conditionally include <dlfcn.h>. [GL #995]
5214.	[bug]		win32: named now removes its lock file upon shutdown.
			[GL #979]
5213.	[bug]		win32: Eliminated a race which allowed named.exe running
			as a service to be killed prematurely during shutdown.
			[GL #978]
5210.	[bug]		When dnstap is enabled and recursion is not
			available, incoming queries are now logged
			as "auth". Previously, this depended on whether
			recursion was requested by the client, not on
			whether recursion was available. [GL #963]
5209.	[bug]		When update-check-ksk is true, add_sigs was not
			considering offline keys, leaving record sets signed
			with the incorrect type key. [GL #763]
5208.	[test]		Run valid rdata wire encodings through totext+fromtext
			and tofmttext+fromtext methods to check these methods.
			[GL #899]
5207.	[test]		Check delv and dig TTL values. [GL #965]
5205.	[bug]		Enforce that a DS hash exists. [GL #899]
5204.	[test]		Check that dns_rdata_fromtext() produces a record that
			will be accepted by dns_rdata_fromwire(). [GL #852]
5203.	[bug]		Enforce whether key rdata exists or not in KEY,
			DNSKEY, CDNSKEY and RKEY. [GL #899]
5197.	[bug]		dig could die in best effort mode on multiple SIG(0)
			records. Similarly on multiple OPT and multiple TSIG
			records. [GL #920]
5194.	[bug]		Enforce non-empty ZONEMD hash. [GL #899]
5193.	[bug]		EID and NIMLOC failed to do multi-line output
			correctly. [GL #899]
5192.	[bug]		configure --fips-mode failed. [GL #946]
5191.	[port]		Darwin: dlzexternal/driver.so was not building.
			[GL #948]
5189.	[cleanup]	Remove revoked root DNSKEY from bind.keys. [GL #945]
5187.	[test]		Set time zone before running any tests in dnstap_test.
			[GL #940]
5185.	[bug]		PKCS11 build could fail if ECDSA is not supported.
			[GL #935]
5184.	[bug]		Missing unlocks in sdlz.c. [GL #936]
5182.	[bug]		Fix a high-load race/crash in handling of
			isc_socket_close() in resolver. [GL #834]
5180.	[bug]		delv now honors the operating system's preferred
			ephemeral port range. [GL #925]
5179.	[cleanup]	Replace some vague type declarations with the more
			specific dns_secalg_t and dns_dsdigest_t.
			Thanks to Tony Finch. [GL !1498]
5178.	[bug]		Handle EDQUOT (disk quota) and ENOSPC (disk full)
			errors when writing files. [GL #902]
5176.	[tests]		Remove a dependency on libxml in statschannel system
			test. [GL #926]
5175.	[bug]		Fixed a problem with file input in dnssec-keymgr,
			dnssec-coverage and dnssec-checkds when using
			python3. [GL #882]
5174.	[doc]		Tidy dnssec-keygen manual. [GL !1557]
5172.	[bug]		nsupdate now honors the operating system's preferred
			ephemeral port range. [GL #905]
5170.	[test]		Added --with-dlz-filesystem to feature-test. [GL !1587]
5168.	[test]		Do not crash on shutdown when RPZ fails to load.  Also,
			keep previous version of the database if RPZ fails to
			load. [GL #813]
5167.	[bug]		nxdomain-redirect could sometimes lookup the wrong
			redirect name. [GL #892]
2019-05-20 16:03:55 +00:00
taca
3f12dc03ae net/bind911: update to 9.11.6pl1
Update bind911 to 9.11.5pl4 (BIND 9.11.5-P4).

Fix security problem CVE-2018-5743 and overhaul pkgsrc.  There is now no
need to change namedb's permission under NetBSD.

* Update note about required directories.
* Drop pkg-config from USE_TOOLS.
* Drop non-existent configure arguments and PKG_OPTIONS:
	- fetchlimit
	- sit

	--- 9.11.6-P1 released ---

5200.	[security]	tcp-clients settings could be exceeded in some cases,
			which could lead to exhaustion of file descriptors.
			(CVE-2018-5743) [GL #615]
2019-04-30 02:51:38 +00:00
jperkin
4a64ebb8cb bind*: Ensure named directory is created on SunOS. 2019-03-01 21:46:50 +00:00
taca
4c15df2cde net/bind911: update to 9.11.5pl4
Update bind911 to 9.11.5pl4 (BIND 9.11.5-P4).

	--- 9.11.5-P4 released ---

	--- 9.11.5-P3 released (withdrawn) ---

5141.	[security]	Zone transfer controls for writable DLZ zones were
			not effective as the allowzonexfr method was not being
			called for such zones. (CVE-2019-6465) [GL #790]

	--- 9.11.5-P2 released (withdrawn) ---

5118.	[security]	Named could crash if it is managing a key with
			`managed-keys` and the authoritative zone is rolling
			the key to an unsupported algorithm. (CVE-2018-5745)
			[GL #780]

5110.	[security]	Named leaked memory if there were multiple Key Tag
			EDNS options present. (CVE-2018-5744) [GL #772]
2019-02-22 01:22:38 +00:00
taca
4825d2b404 net/bind911: update to 9.11.5pl1
Update bind911 to 9.11.5pl1 (BIND 9.11.5-P1).

	--- 9.11.5-P1 released ---

5108.	[bug]		Named could fail to determine bottom of zone when
			removing out of date keys leading to invalid NSEC
			and NSEC3 records being added to the zone. [GL #771]
2018-12-15 16:39:07 +00:00
jperkin
be17b5228f bind911: Fix build on SunOS. 2018-10-24 11:27:28 +00:00
taca
7c48796a65 net/bind911: update to 9.11.5
--- 9.11.5 released ---

	--- 9.11.5rc1 released ---

5038.	[bug]		Chaosnet addresses were compared incorrectly.
			[GL #562]

5034.	[bug]		A race between threads could prevent zone maintenance
			scheduled immediately after zone load from being
			performed. [GL #542]

5033.	[bug]		When adding NTAs to multiple views using "rndc nta",
			the text returned via rndc was incorrectly terminated
			after the first line, making it look as if only one
			NTA had been added. Also, it was not possible to
			differentiate between views with the same name but
			different classes; this has been corrected with the
			addition of a "-class" option. [GL #105]

5032.	[func]		Add krb5-selfsub and ms-selfsub update policy rules.
			[GL #511]

5030.	[bug]		Align CMSG buffers to a 64-bit boundary, fixes crash
			on architectures with strict alignment. [GL #521]

5028.	[bug]		Spread the initial RRSIG expiration times over the
			entire working sig-validity-interval when signing a
			zone in named to even out re-signing and transfer
			loads. [GL #418]

5026.	[bug]		rndc reconfig should not touch already loaded zones.
			[GL #276]

5022.	[doc]		Update ms-self, ms-subdomain, krb5-self, and
			krb5-subdomain documentation. [GL !708]

5021.	[bug]		dig returned a non-zero exit code when it received a
			reply over TCP after a retry. [GL #487]

5019.	[cleanup]	A message is now logged when ixfr-from-differences is
			set at zone level for an inline-signed zone. [GL #470]

5018.	[bug]		Fix incorrect sizeof arguments in lib/isc/pk11.c.
			[GL !588]

5017.	[bug]		lib/isc/pk11.c failed to unlink the session before
			releasing the lock which is unsafe. [GL !589]

5016.	[bug]		Named could assert with overlapping filter-aaaa and
			dns64 acls. [GL #445]

5015.	[bug]		Reloading all zones caused zone maintenance to cease
			for inline-signed zones. [GL #435]

5014.	[bug]		Signatures loaded from the journal for the signed
			version of an inline-signed zone were not scheduled for
			refresh. [GL #482]

5012.	[bug]		Fix lock order reversal in pk11_initialize. [GL !590]

5009.	[bug]		Upon an OpenSSL failure, the first error in the OpenSSL
			error queue was not logged. [GL #476]

5008.	[bug]		"rndc signing -nsec3param ..." requests were silently
			ignored for zones which were not yet loaded or
			transferred. [GL #468]

5007.	[cleanup]	Replace custom ISC boolean and integer data types
			with C99 stdint.h and stdbool.h types. [GL #9]

5005.	[bug]		dnssec-verify, and dnssec-signzone at the verification
			step, failed on some validly signed zones. [GL #442]

5004.	[bug]		'rndc reconfig' could cause inline zones to stop
			re-signing. [GL #439]

5003.	[bug]		dns_acl_isinsecure did not handle geoip elements.
			[GL #406]

5002.	[bug]		mdig: Handle malformed +ednsopt option, support 100
			+ednsopt options per query rather than 100 total and
			address memory leaks if +ednsopt was specified.
			[GL #410]

5001.	[bug]		Fix refcount errors on error paths. [GL !563]

4996.	[bug]		dig: Handle malformed +ednsopt option. [GL #403]

4995.	[test]		Add tests for "tcp-self" update policy. [GL !282]

4994.	[bug]		Trust anchor telemetry queries were not being sent
			upstream for locally served zones. [GL #392]

4992.	[bug]		The wrong address was being logged for trust anchor
			telemetry queries. [GL #379]

4990.	[bug]		Prevent a possible NULL reference in pkcs11-keygen.
			[GL #401]
2018-10-21 15:51:14 +00:00
wiz
3ce3ed950b bind91?: fix whitespace 2018-09-27 04:24:18 +00:00
taca
35b6578d3a net/bind911: update to 9.11.4pl2
Update bind911 to 9.11.4pl2 (BIND 9.11.4-P2).

	--- 9.11.4-P2 released ---

5022.	[doc]		Update ms-self, ms-subdomain, krb5-self, and
			krb5-subdomain documentation. [GL !708]

5015.	[bug]		Reloading all zones caused zone maintenance to cease
			for inline-signed zones. [GL #435]

5014.	[bug]		Signatures loaded from the journal for the signed
			version of an inline-signed zone were not scheduled for
			refresh. [GL #482]
2018-09-20 10:01:36 +00:00
jklos
49b3a63fbe Disable atomic operations on VAX and m68k in addition to mipsel so BIND
compiles on these architectures.
2018-09-13 02:57:43 +00:00
taca
c84f75c1b5 net/bind911 Add BIND 9.11 package
Add bind9.11.4pl1 (BIND 9.11.4-P1) package.

Note: named(8) requires write permission to the current directory at
startup, or to the directory specified by "directory" in the options statement.


BIND, the Berkeley Internet Name Daemon, version 9 is a major rewrite
of nearly all aspects of the underlying BIND architecture.  Some
of the important features of BIND-9 are:

	- DNS Security
	- IP version 6
	- DNS Protocol Enhancements
	- Views
	- Multiprocessor Support
	- Improved Portability Architecture
	- Full NSEC3 support
	- Automatic zone re-signing
	- New update-policy methods tcp-self and 6to4-self

This package contains the BIND 9.11 release.

	- Catalog Zones, a new method for provisioning servers
	- "dnstap", a fast and flexible method of capturing and logging
	  DNS traffic.
	- "dyndb", a new API for loading zone data from an external database
	- dnssec-keymgr, a new key maintenance utility
	- mdig, an alternate version of dig utility
	- And more...
2018-09-09 13:11:38 +00:00