5ec84352c2
(CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc).

Security Fixes

Previously an error in bounds checking on the private type 'keydata' could be used to deny service through a deliberately triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690]

New Features

Added Response Rate Limiting (RRL) functionality to reduce the effectiveness of DNS as an amplifier for reflected denial-of-service attacks by rate-limiting substantially-identical responses. [RT #28130]

Feature Changes

rndc status now also shows the build-id. [RT #20422]
Improved OPT pseudo-record processing to make it easier to support new EDNS options. [RT #34414]
"configure" now finishes by printing a summary of optional BIND features and whether they are active or inactive. ("configure --enable-full-report" increases the verbosity of the summary.) [RT #31777]
Addressed compatibility issues with newer versions of Microsoft Visual Studio. [RT #33916]
Improved the 'rndc' man page. [RT #33506]
'named -g' now no longer works with an invalid logging configuration. [RT #33473]
The default (and minimum) value for tcp-listen-queue is now 10 instead of 3. This is a subtle control setting (not applicable to all OS environments). When there is a high rate of inbound TCP connections, it controls how many connections can be queued before they are accepted by named. Once this limit is exceeded, new TCP connections will be rejected. Note however that a value of 10 does not imply a strict limit of 10 queued TCP connections - the impact of changing this configuration setting will be OS-dependent. Larger values for tcp-listen-queue will permit more pending tcp connections, which may be needed where there is a high rate of TCP-based traffic (for example in a dynamic environment where there are frequent zone updates and transfers). For most production servers the new default value of 10 should be adequate. [RT #33029]
Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e with PKCS#11. [RT #33463]
Added logging messages on slave servers when they forward DDNS updates to a master. [RT #33240]
Changed the logging category for RRL events from 'queries' to 'query-errors'. [RT #33540]

Bug Fixes

Fixed the "allow-query-on" option to correctly check the destination address. [RT #34590]
Fix forwarding for forward only "zones" beneath automatic empty zones. [RT #34583]
Fix DNSSEC auto maintenance so signatures can be removed from a zone with only KSK keys for an algorithm. [RT #34439]
Fix DNSSEC auto maintenance so signatures from newly inactive keys are removed (when publishing a new key while deactivating another key at the same time). [RT #32178]
Remove bogus warning log message about missing signatures when receiving a query for a SIG record. [RT #34600]
Fix Response Policy Zones on slave servers so new RPZ changes take effect. [RT #34450]
Fix the "zone-statistics" option to work with the default traditional statistics (not new "--enable-newstats" feature). [RT #34466]
named could crash when deleting inline-signing zones with "rndc delzone". [RT #34066]
Improved resistance to a theoretical authentication attack based on differential timing. [RT #33939]
named was failing to answer queries during "rndc reload" [RT #34098]
win32: Some executables had been omitted from the installer. [RT #34116]
fixed a broken 'Invalid keyfile' error message in dnssec-keygen. [RT #34045]
The build of BIND now installs isc/stat.h so that it's available to /isc/file.h when building other applications that reference these header files - for example dnsperf (see Debian bug ticket #692467). [RT #33056]
Better handle failures building XML for stats channel responses. [RT #33706]
Fixed a memory leak in GSS-API processing. [RT #33574]
Fixed an acache-related race condition that could cause a crash. [RT #33602]
rndc now properly fails when given an invalid '-c' argument. [RT #33571]
Fixed an issue with the handling of zero TTL records that could cause improper SERVFAILs. [RT #33411]
Fixed a crash-on-shutdown race condition with DNSSEC validation. [RT #33573]
Corrected the way that "rndc addzone" and "rndc delzone" handle non-standard characters in zone names. [RT #33419]
Adjusted RRL behavior for recursive queries to defer rate-limiting until after recursion is complete. Also uses correct rcode for slipped NXDOMAIN responses. [RT #33604]
Previously, BIND could erroneously report a missing file specification when using inline slave zones. [RT #33662]
107 lines
2.8 KiB
Makefile
# $NetBSD: options.mk,v 1.10 2013/09/21 16:00:34 taca Exp $

PKG_OPTIONS_VAR= PKG_OPTIONS.bind99
PKG_SUPPORTED_OPTIONS= bind-dig-sigchase bind-xml-statistics-server
PKG_SUPPORTED_OPTIONS+= inet6 threads readline mysql pgsql ldap dlz-filesystem
PKG_SUPPORTED_OPTIONS+= rrl
PKG_SUGGESTED_OPTIONS+= readline

PTHREAD_OPTS+= native
.include "../../mk/pthread.buildlink3.mk"

.if defined(PTHREAD_TYPE) && (${PTHREAD_TYPE} == "none") || \
    !empty(MACHINE_PLATFORM:MNetBSD-*-vax) || \
    !empty(MACHINE_PLATFORM:MNetBSD-*-sparc) || \
    !empty(MACHINE_PLATFORM:MNetBSD-*-sparc64) || \
    !empty(MACHINE_PLATFORM:MNetBSD-*-m68k)
# don't touch PKG_SUGGESTED_OPTIONS
.else
PKG_SUGGESTED_OPTIONS+= threads
.endif

.if empty(MISSING_FEATURES:Minet6)
PKG_SUGGESTED_OPTIONS+= inet6
.endif

.include "../../mk/bsd.options.mk"

###
### The mysql pgsql ldap dlz-filesystem options are all for BIND
### DLZ (Dynamically Loadable Zones) functionality
###
### NOTE: bdb is excluded on purpose as pkgsrc does not contain
### a bdb v4.1 or 4.2 package which is what BIND needs.
### The majority of these are compile tested only
###

.if !empty(PKG_OPTIONS:Mmysql)
.include "../../mk/mysql.buildlink3.mk"
CONFIGURE_ARGS+= --with-dlz-mysql=${BUILDLINK_PREFIX.mysql-client}
.endif

.if !empty(PKG_OPTIONS:Mpgsql)
.include "../../mk/pgsql.buildlink3.mk"
CONFIGURE_ARGS+= --with-dlz-postgres=${BUILDLINK_PREFIX.${PGSQL_TYPE}}
CONFIGURE_ENV+= ac_cv_path_PG_CONFIG=${PREFIX}/bin/pg_config
.endif

.if !empty(PKG_OPTIONS:Mldap)
.include "../../databases/openldap-client/buildlink3.mk"
CONFIGURE_ARGS+= --with-dlz-ldap=${BUILDLINK_PREFIX.openldap-client}
.endif

.if !empty(PKG_OPTIONS:Mdlz-filesystem)
CONFIGURE_ARGS+= --with-dlz-filesystem
.endif

.if !empty(PKG_OPTIONS:Mrrl)
CONFIGURE_ARGS+= --enable-rrl
.endif

###
### The statistics server in bind99 and later needs libxml2
###
.if !empty(PKG_OPTIONS:Mbind-xml-statistics-server)
.include "../../textproc/libxml2/buildlink3.mk"
CONFIGURE_ARGS+= --with-libxml2
.else
CONFIGURE_ARGS+= --without-libxml2
.endif

###
### IPv6 support
###
.if !empty(PKG_OPTIONS:Minet6)
CONFIGURE_ARGS+= --enable-ipv6
.else
CONFIGURE_ARGS+= --disable-ipv6
.endif

###
### pthreads support (also see magic above)
###
.if !empty(PKG_OPTIONS:Mthreads)
PTHREAD_AUTO_VARS= yes
CONFIGURE_ARGS+= --enable-threads
.else
CONFIGURE_ARGS+= --disable-threads
.endif

###
### readline support in dig(1) and nsupdate(1).
###
.if !empty(PKG_OPTIONS:Mreadline)
.include "../../mk/readline.buildlink3.mk"
CONFIGURE_ARGS+= --with-readline
.else
CONFIGURE_ARGS+= --without-readline
.endif

###
### dig(1) option +sigchase for DNSSEC signature chasing
###
.if !empty(PKG_OPTIONS:Mbind-dig-sigchase)
# If anything else needs to add entries to STD_CDEFINES, this will need
# to be changed so that the two can cooperate.
CONFIGURE_ENV+= STD_CDEFINES=-DDIG_SIGCHASE=1
.endif