head	1.6;
access;
symbols
	pkgsrc-2026Q2:1.6.0.8
	pkgsrc-2026Q2-base:1.6
	pkgsrc-2026Q1:1.6.0.6
	pkgsrc-2026Q1-base:1.6
	pkgsrc-2025Q4:1.6.0.4
	pkgsrc-2025Q4-base:1.6
	pkgsrc-2025Q3:1.6.0.2
	pkgsrc-2025Q3-base:1.6
	pkgsrc-2025Q2:1.5.0.6
	pkgsrc-2025Q2-base:1.5
	pkgsrc-2025Q1:1.5.0.4
	pkgsrc-2025Q1-base:1.5
	pkgsrc-2024Q4:1.5.0.2
	pkgsrc-2024Q4-base:1.5
	pkgsrc-2024Q3:1.4.0.12
	pkgsrc-2024Q3-base:1.4
	pkgsrc-2024Q2:1.4.0.10
	pkgsrc-2024Q2-base:1.4
	pkgsrc-2024Q1:1.4.0.8
	pkgsrc-2024Q1-base:1.4
	pkgsrc-2023Q4:1.4.0.6
	pkgsrc-2023Q4-base:1.4
	pkgsrc-2023Q3:1.4.0.4
	pkgsrc-2023Q3-base:1.4
	pkgsrc-2023Q2:1.4.0.2
	pkgsrc-2023Q2-base:1.4
	pkgsrc-2023Q1:1.3.0.2
	pkgsrc-2023Q1-base:1.3
	pkgsrc-2022Q4:1.1.0.2
	pkgsrc-2022Q4-base:1.1;
locks; strict;
comment	@# @;


1.6
date	2025.08.24.08.56.59;	author taca;	state Exp;
branches;
next	1.5;
commitid	7QblYzfIKxavGX7G;

1.5
date	2024.12.13.17.29.56;	author taca;	state Exp;
branches;
next	1.4;
commitid	H8NrEydbiahEGmBF;

1.4
date	2023.04.24.13.48.06;	author taca;	state Exp;
branches;
next	1.3;
commitid	EaAvJVZLqkneImmE;

1.3
date	2023.03.17.13.58.59;	author taca;	state Exp;
branches
	1.3.2.1;
next	1.2;
commitid	ZYvThFIaXDgKZthE;

1.2
date	2023.02.08.00.13.44;	author taca;	state Exp;
branches;
next	1.1;
commitid	q98NuaQ2UfUcCEcE;

1.1
date	2022.12.11.01.57.55;	author sekiya;	state Exp;
branches
	1.1.2.1;
next	;
commitid	h7zPtdhDkR9G555E;

1.3.2.1
date	2023.06.26.09.34.44;	author bsiegert;	state Exp;
branches;
next	;
commitid	bkBuSWXOCfBRhruE;

1.1.2.1
date	2023.02.12.19.52.24;	author spz;	state Exp;
branches;
next	;
commitid	wEIDgliX3e3O0hdE;


desc
@@


1.6
log
@net/bind918: update to 9.18.39

BIND 9.18.39 (2025-08-20)

New Features

* Support for parsing the DSYNC record has been added.  [GL #5440]

Feature Changes

* Add deprecation warnings for RSASHA1, RSASHA1-NSEC3-SHA1, and DS digest
  type 1.

  RSASHA1 and RSASHA1-NSEC3-SHA1 DNSKEY algorithms have been deprecated by
  the IETF and should no longer be used for DNSSEC.  DS digest type 1 (SHA1)
  has also been deprecated in BIND 9.  Validators are now expected to treat
  these algorithms and digest as unknown, resulting in some zones being
  treated as insecure when they were previously treated as secure.  Warnings
  have been added to named and tools when these algorithms and this digest
  are being used for signing.

  Zones signed with RSASHA1 or RSASHA1-NSEC3-SHA1 should be migrated to a
  different DNSKEY algorithm.

  Zones with DS or CDS records with digest type 1 (SHA1) should be updated
  to use a different digest type (e.g. SHA256) and the digest type 1 records
  should be removed.  [GL #5358]

Bug Fixes

* Clean enough memory when adding new ADB names/entries under memory
  pressure.

  The ADB memory cleaning is opportunistic even when BIND is under memory
  pressure (in the overmem condition).  The opportunistic LRU cleaning and
  overmem cleaning have been split, and the overmem cleaning always cleans
  up double of the newly allocated adbname/adbentry to ensure we never
  allocate more memory than the assigned limit.  [GL !10637]

* Rescan the interfaces again when reconfiguring the server.

  Previously on FreeBSD, the server did not listen on the configured
  localhost interfaces immediately, but only after the interface-interval
  period had passed.  After an earlier fix, the server would listen on the
  localhost after 60 minutes.

  Now, the interfaces are rescanned immediately after configuring the
  interface-interval value and begin listening on the localhost interface
  immediately.  [GL !10758]
@
text
@@@comment $NetBSD: PLIST,v 1.5 2024/12/13 17:29:56 taca Exp $
bin/arpaname
bin/delv
bin/dig
bin/dnssec-cds
bin/dnssec-dsfromkey
bin/dnssec-importkey
bin/dnssec-keyfromlabel
bin/dnssec-keygen
bin/dnssec-revoke
bin/dnssec-settime
bin/dnssec-signzone
bin/dnssec-verify
${PLIST.dnstap}bin/dnstap-read
bin/host
bin/mdig
bin/named-checkconf
bin/named-checkzone
bin/named-compilezone
bin/named-journalprint
${PLIST.lmdb}bin/named-nzd2nzf
bin/named-rrchecker
bin/nsec3hash
bin/nslookup
bin/nsupdate
include/bind9/check.h
include/bind9/getaddresses.h
include/dns/acl.h
include/dns/adb.h
include/dns/badcache.h
include/dns/bit.h
include/dns/byaddr.h
include/dns/cache.h
include/dns/callbacks.h
include/dns/catz.h
include/dns/cert.h
include/dns/client.h
include/dns/clientinfo.h
include/dns/compress.h
include/dns/db.h
include/dns/dbiterator.h
include/dns/diff.h
include/dns/dispatch.h
include/dns/dlz.h
include/dns/dlz_dlopen.h
include/dns/dns64.h
include/dns/dnsrps.h
include/dns/dnssec.h
include/dns/dnstap.h
include/dns/ds.h
include/dns/dsdigest.h
include/dns/dsync.h
include/dns/dyndb.h
include/dns/ecs.h
include/dns/edns.h
include/dns/enumclass.h
include/dns/enumtype.h
include/dns/events.h
include/dns/fixedname.h
include/dns/forward.h
include/dns/geoip.h
include/dns/ipkeylist.h
include/dns/iptable.h
include/dns/journal.h
include/dns/kasp.h
include/dns/keydata.h
include/dns/keyflags.h
include/dns/keymgr.h
include/dns/keytable.h
include/dns/keyvalues.h
include/dns/librpz.h
include/dns/log.h
include/dns/lookup.h
include/dns/master.h
include/dns/masterdump.h
include/dns/message.h
include/dns/name.h
include/dns/ncache.h
include/dns/nsec.h
include/dns/nsec3.h
include/dns/nta.h
include/dns/opcode.h
include/dns/order.h
include/dns/peer.h
include/dns/private.h
include/dns/rbt.h
include/dns/rcode.h
include/dns/rdata.h
include/dns/rdataclass.h
include/dns/rdatalist.h
include/dns/rdataset.h
include/dns/rdatasetiter.h
include/dns/rdataslab.h
include/dns/rdatastruct.h
include/dns/rdatatype.h
include/dns/request.h
include/dns/resolver.h
include/dns/result.h
include/dns/rootns.h
include/dns/rpz.h
include/dns/rriterator.h
include/dns/rrl.h
include/dns/sdb.h
include/dns/sdlz.h
include/dns/secalg.h
include/dns/secproto.h
include/dns/soa.h
include/dns/ssu.h
include/dns/stats.h
include/dns/time.h
include/dns/tkey.h
include/dns/transport.h
include/dns/tsec.h
include/dns/tsig.h
include/dns/ttl.h
include/dns/types.h
include/dns/update.h
include/dns/validator.h
include/dns/view.h
include/dns/xfrin.h
include/dns/zone.h
include/dns/zonekey.h
include/dns/zoneverify.h
include/dns/zt.h
include/dst/dst.h
include/dst/gssapi.h
include/irs/resconf.h
include/isc/aes.h
include/isc/align.h
include/isc/app.h
include/isc/assertions.h
include/isc/astack.h
include/isc/atomic.h
include/isc/attributes.h
include/isc/backtrace.h
include/isc/barrier.h
include/isc/base32.h
include/isc/base64.h
include/isc/buffer.h
include/isc/cmocka.h
include/isc/commandline.h
include/isc/condition.h
include/isc/counter.h
include/isc/crc64.h
include/isc/deprecated.h
include/isc/dir.h
include/isc/endian.h
include/isc/errno.h
include/isc/error.h
include/isc/event.h
include/isc/eventclass.h
include/isc/file.h
include/isc/formatcheck.h
include/isc/fuzz.h
include/isc/glob.h
include/isc/hash.h
include/isc/heap.h
include/isc/hex.h
include/isc/hmac.h
include/isc/ht.h
include/isc/httpd.h
include/isc/interfaceiter.h
include/isc/iterated_hash.h
include/isc/lang.h
include/isc/lex.h
include/isc/list.h
include/isc/log.h
include/isc/magic.h
include/isc/managers.h
include/isc/md.h
include/isc/mem.h
include/isc/meminfo.h
include/isc/mutex.h
include/isc/mutexblock.h
include/isc/net.h
include/isc/netaddr.h
include/isc/netdb.h
include/isc/netmgr.h
include/isc/netscope.h
include/isc/nonce.h
include/isc/offset.h
include/isc/once.h
include/isc/os.h
include/isc/parseint.h
include/isc/pool.h
include/isc/portset.h
include/isc/print.h
include/isc/quota.h
include/isc/radix.h
include/isc/random.h
include/isc/ratelimiter.h
include/isc/refcount.h
include/isc/regex.h
include/isc/region.h
include/isc/resource.h
include/isc/result.h
include/isc/rwlock.h
include/isc/safe.h
include/isc/serial.h
include/isc/siphash.h
include/isc/sockaddr.h
include/isc/stat.h
include/isc/stats.h
include/isc/stdatomic.h
include/isc/stdio.h
include/isc/stdtime.h
include/isc/strerr.h
include/isc/string.h
include/isc/symtab.h
include/isc/syslog.h
include/isc/task.h
include/isc/taskpool.h
include/isc/thread.h
include/isc/time.h
include/isc/timer.h
include/isc/tls.h
include/isc/tm.h
include/isc/types.h
include/isc/url.h
include/isc/utf8.h
include/isc/util.h
include/isccc/alist.h
include/isccc/base64.h
include/isccc/cc.h
include/isccc/ccmsg.h
include/isccc/events.h
include/isccc/sexpr.h
include/isccc/symtab.h
include/isccc/symtype.h
include/isccc/types.h
include/isccc/util.h
include/isccfg/aclconf.h
include/isccfg/cfg.h
include/isccfg/duration.h
include/isccfg/grammar.h
include/isccfg/kaspconf.h
include/isccfg/log.h
include/isccfg/namedconf.h
include/ns/client.h
include/ns/events.h
include/ns/hooks.h
include/ns/interfacemgr.h
include/ns/listenlist.h
include/ns/log.h
include/ns/notify.h
include/ns/query.h
include/ns/server.h
include/ns/sortlist.h
include/ns/stats.h
include/ns/types.h
include/ns/update.h
include/ns/xfrout.h
lib/bind/filter-a.la
lib/bind/filter-aaaa.la
lib/libbind9.la
lib/libdns.la
lib/libirs.la
lib/libisc.la
lib/libisccc.la
lib/libisccfg.la
lib/libns.la
man/man1/arpaname.1
man/man1/delv.1
man/man1/dig.1
man/man1/dnssec-cds.1
man/man1/dnssec-dsfromkey.1
man/man1/dnssec-importkey.1
man/man1/dnssec-keyfromlabel.1
man/man1/dnssec-keygen.1
man/man1/dnssec-revoke.1
man/man1/dnssec-settime.1
man/man1/dnssec-signzone.1
man/man1/dnssec-verify.1
${PLIST.dnstap}man/man1/dnstap-read.1
man/man1/host.1
man/man1/mdig.1
man/man1/named-checkconf.1
man/man1/named-checkzone.1
man/man1/named-compilezone.1
man/man1/named-journalprint.1
${PLIST.lmdb}man/man1/named-nzd2nzf.1
man/man1/named-rrchecker.1
man/man1/nsec3hash.1
man/man1/nslookup.1
man/man1/nsupdate.1
man/man5/named.conf.5
man/man5/rndc.conf.5
man/man8/ddns-confgen.8
man/man8/filter-a.8
man/man8/filter-aaaa.8
man/man8/named.8
man/man8/rndc-confgen.8
man/man8/rndc.8
man/man8/tsig-keygen.8
sbin/ddns-confgen
sbin/named
sbin/rndc
sbin/rndc-confgen
sbin/tsig-keygen
share/doc/bind9/OPTIONS.md
share/doc/bind9/README.md
share/examples/bind9/bind.keys
share/examples/rc.d/named9
@


1.5
log
@net/bind918: update to 9.18.32

9.18.32 (2024-12-11)

New Features

* Update built-in bind.keys file with the new 2025 IANA root key.

* Add an initial-ds entry to bind.keys for the new root key, ID 38696, which
  is scheduled for publication in January 2025.  [GL #4896]

Removed Features

* Move contributed DLZ modules into a separate repository.  DLZ modules
  should not be used except in testing.

* The DLZ modules were not maintained, the DLZ interface itself is going to
  be scheduled for removal, and the DLZ interface is blocking.  Any module
  that blocks the query to the database blocks the whole server.

* The DLZ modules now live in
  https://gitlab.isc.org/isc-projects/dlz-modules repository.  [GL #4865]


Feature Changes

* Emit more helpful log messages for exceeding max-records-per-type.

* The new log message is emitted when adding or updating an RRset fails due
  to exceeding the max-records-per-type limit.  The log includes the owner
  name and type, corresponding zone name, and the limit value.  It will be
  emitted on loading a zone file, inbound zone transfer (both AXFR and
  IXFR), handling a DDNS update, or updating a cache DB.  It's especially
  helpful in the case of zone transfer, since the secondary side doesn't
  have direct access to the offending zone data.

* It could also be used for max-types-per-name, but this change doesn't
  implement it yet as it's much less likely to happen in practice.

* Harden key management when key files have become unavailable.

* Prior to doing key management, BIND 9 will check if the key files on disk
  match the expected keys.  If key files for previously observed keys have
  become unavailable, this will prevent the internal key manager from
  running.

Bug Fixes

* {&dns} is as valid as {?dns} in a SVCB's dohpath.

* dig failed to parse a valid SVCB record with a dohpath URI template
  containing a {&dns}, like "dohpath=/some/path?key=value{&dns}".  [GL
  #4922]

* Fix NSEC3 closest encloser lookup for names with empty non-terminals.

* A previous performance optimization for finding the NSEC3 closest encloser
  when generating authoritative responses could cause servers to return
  incorrect NSEC3 records in some cases.  This faulty optimization has been
  removed.  [GL #4950]

* dig options of the form [+-]option=<value> failed to display the value on
  the printed command line.  This has been fixed.  [GL #4993]

* Provide more visibility into TLS configuration errors by logging
  SSL_CTX_use_certificate_chain_file() and SSL_CTX_use_PrivateKey_file()
  errors individually.  [GL #5008]
@
text
@d1 1
a1 1
@@comment $NetBSD: PLIST,v 1.4 2023/04/24 13:48:06 taca Exp $
d52 1
@


1.4
log
@net/bind918: update to 9.18.14

pkgsrc change: reduce some pkglint warnings.


--- 9.18.14 released ---

6145.	[bug]		Fix a possible use-after-free bug in the
			dns__catz_done_cb() function. [GL #3997]

6143.	[bug]		A reference counting problem on the error path in
			the xfrin_connect_done() might cause an assertion
			failure on shutdown.  [GL #3989]

6142.	[bug]		Reduce the number of dns_dnssec_verify calls made
			determining if revoked keys need to be removed from
			the trust anchors. [GL #3981]

6141.	[bug]		Fix several issues in nsupdate timeout handling and
			update the -t option's documentation. [GL #3674]

6138.	[doc]		Fix the DF-flag documentation on the outgoing
			UDP packets. [GL #3710]

6136.	[cleanup]	Remove the isc_fsaccess API in favor of creating
			temporary file first and atomically replace the key
			with non-truncated content. [GL #3982]

6132.	[doc]		Remove a dead link in the DNSSEC guide. [GL #3967]

6129.	[cleanup]	Value stored to 'source' during its initialization is
			never read. [GL #3965]

6128.	[bug]		Fix an omission in an earlier commit to avoid a race
			between the 'dns__catz_update_cb()' and
			'dns_catz_dbupdate_callback()' functions. [GL #3968]

6126.	[cleanup]	Deprecate zone type "delegation-only" and the
			"delegation-only" and "root-delegation-only"
			options. [GL #3953]

6125.	[bug]		Hold a catz reference while the update process is
			running, so that the catalog zone is not destroyed
			during shutdown until the update process is finished or
			properly canceled by the activated 'shuttingdown' flag.
			[GL #3955]

6124.	[bug]		When changing from a NSEC3 capable DNSSEC algorithm to
			an NSEC3 incapable DNSSEC algorithm using KASP the zone
			could sometimes be incompletely signed. [GL #3937]

6121.	[bug]		Fix BIND and dig zone transfer hanging when
			downloading large zones over TLS from a primary server,
			especially over unstable connections. [GL #3867]
@
text
@d1 1
a1 1
@@comment $NetBSD: PLIST,v 1.3 2023/03/17 13:58:59 taca Exp $
a298 1
share/doc/bind9/CHANGES
@


1.3
log
@net/bind918: update to 9.18.13

--- 9.18.13 released ---

6120.	[bug]		Use two pairs of dns_db_t and dns_dbversion_t in a
			catalog zone structure to avoid a race between the
			dns__catz_update_cb() and dns_catz_dbupdate_callback()
			functions. [GL #3907]

6119.	[bug]		Make sure to revert the reconfigured zones to the
			previous version of the view, when the new view
			reconfiguration fails during the configuration of
			one of the configured zones. [GL #3911]

6116.	[bug]		Fix error path cleanup issues in dns_catz_new_zones()
			and dns_catz_new_zone() functions. [GL #3900]

6115.	[bug]		Unregister db update notify callback before detaching
			from the previous db inside the catz update notify
			callback. [GL #3777]

6114.	[func]		Run the catalog zone update process on the offload
			threads. [GL #3881]

6113.	[func]		Add shutdown signaling for catalog zones. [GL !7571]

6112.	[func]		Add reference count tracing for dns_catz_zone_t and
			dns_catz_zones_t. [GL !7570]

6105.	[bug]		Detach 'rpzs' and 'catzs' from the previous view in
			configure_rpz() and configure_catz(), respectively,
			just after attaching it to the new view. [GL #3880]

6098.	[test]		Don't test HMAC-MD5 when not supported by libcrypto.
			[GL #3871]

6096.	[bug]		Fix RPZ reference counting error on shutdown in
			dns__rpz_timer_cb(). [GL #3866]

6095.	[test]		Test various 'islands of trust' configurations when
			using managed keys. [GL #3662]

6094.	[bug]		Building against (or running with) libuv versions
			1.35.0 and 1.36.0 is now a fatal error.  The rules for
			mixing and matching compile-time and run-time libuv
			versions have been tightened for libuv versions between
			1.35.0 and 1.40.0. [GL #3840]

6092.	[bug]		dnssec-cds failed to clean up properly. [GL #3831]

6089.	[bug]		Source ports configured for query-source,
			transfer-source, etc, were being ignored. (This
			feature is deprecated, but it is not yet removed,
			so the bug still needed fixing.) [GL #3790]
@
text
@d1 1
a1 1
@@comment $NetBSD: PLIST,v 1.2 2023/02/08 00:13:44 taca Exp $
a152 1
include/isc/fsaccess.h
@


1.3.2.1
log
@Pullup ticket #6764 - requested by taca
net/bind918: security fix

Revisions pulled up:
- net/bind918/Makefile                                          1.10-1.12
- net/bind918/PLIST                                             1.4
- net/bind918/distinfo                                          1.7-1.9
- net/bind918/options.mk                                        1.2

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Mon Apr 24 13:48:06 UTC 2023

   Modified Files:
   	pkgsrc/net/bind918: Makefile PLIST distinfo options.mk

   Log Message:
   net/bind918: update to 9.18.14

   pkgsrc change: reduce some pkglint warnings.

   --- 9.18.14 released ---

   6145.	[bug]		Fix a possible use-after-free bug in the
   			dns__catz_done_cb() function. [GL #3997]

   6143.	[bug]		A reference counting problem on the error path in
   			the xfrin_connect_done() might cause an assertion
   			failure on shutdown.  [GL #3989]

   6142.	[bug]		Reduce the number of dns_dnssec_verify calls made
   			determining if revoked keys needs to be removed from
   			the trust anchors. [GL #3981]

   6141.	[bug]		Fix several issues in nsupdate timeout handling and
   			update the -t option's documentation. [GL #3674]

   6138.	[doc]		Fix the DF-flag documentation on the outgoing
   			UDP packets. [GL #3710]

   6136.	[cleanup]	Remove the isc_fsaccess API in favor of creating
   			temporary file first and atomically replace the key
   			with non-truncated content. [GL #3982]

   6132.	[doc]		Remove a dead link in the DNSSEC guide. [GL #3967]

   6129.	[cleanup]	Value stored to 'source' during its initialization is
   			never read. [GL #3965]

   6128.	[bug]		Fix an omission in an earlier commit to avoid a race
   			between the 'dns__catz_update_cb()' and
   			'dns_catz_dbupdate_callback()' functions. [GL #3968]

   6126.	[cleanup]	Deprecate zone type "delegation-only" and the
   			"delegation-only" and "root-delegation-only"
   			options. [GL #3953]

   6125.	[bug]		Hold a catz reference while the update process is
   			running, so that the catalog zone is not destroyed
   			during shutdown until the update process is finished or
   			properly canceled by the activated 'shuttingdown' flag.
   			[GL #3955]

   6124.	[bug]		When changing from a NSEC3 capable DNSSEC algorithm to
   			an NSEC3 incapable DNSSEC algorithm using KASP the zone
   			could sometimes be incompletely signed. [GL #3937]

   6121.	[bug]		Fix BIND and dig zone transfer hanging when
   			downloading large zones over TLS from a primary server,
   			especially over unstable connections. [GL #3867]

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Wed May 17 13:43:52 UTC 2023

   Modified Files:
   	pkgsrc/net/bind918: Makefile distinfo

   Log Message:
   net/bind918: update to 9.18.15

   	--- 9.18.15 released ---

   6164.	[bug]		Set the rndc idle read timeout back to 60 seconds,
   			from the netmgr default of 30 seconds, in order to
   			match the behavior of 9.16 and earlier. [GL #4046]

   6161.	[bug]		Fix log file rotation when using absolute path as
   			file. [GL #3991]

   6157.	[bug]		When removing delegations in an OPTOUT range
   			empty-non-terminal NSEC3 records generated by
   			those delegations were not removed. [GL #4027]

   6156.	[bug]		Reimplement the maximum and idle timeouts for incoming
   			zone transfers. [GL #4004]

   6155.	[bug]		Treat ISC_R_INVALIDPROTO as a networking error
   			in the dispatch code to avoid retrying with the
   			same server. [GL #4005]

   6152.	[bug]		In dispatch, honour the configured source-port
   			selection when UDP connection fails with address
   			in use error.

   			Also treat ISC_R_NOPERM same as ISC_R_ADDRINUSE.
   			[GL #3986]

   6149.	[test]		As a workaround, include an OpenSSL header file before
   			including cmocka.h in the unit tests, because OpenSSL
   			3.1.0 uses __attribute__(malloc), conflicting with a
   			redefined malloc in cmocka.h. [GL #4000]

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Wed Jun 21 14:42:23 UTC 2023

   Modified Files:
   	pkgsrc/net/bind918: Makefile distinfo

   Log Message:
   net/bind918: update to 9.18.16

   9.18.16 (2023-06-21)

   Security release:

   - CVE-2023-2828
   - CVE-2023-2911

   6192.	[security]	A query that prioritizes stale data over lookup
   			triggers a fetch to refresh the stale data in cache.
   			If the fetch is aborted for exceeding the recursion
   			quota, it was possible for 'named' to enter an infinite
   			callback loop and crash due to stack overflow. This has
   			been fixed. (CVE-2023-2911) [GL #4089]

   6190.	[security]	Improve the overmem cleaning process to prevent the
   			cache going over the configured limit. (CVE-2023-2828)
   			[GL #4055]

   6188.	[performance]	Reduce memory consumption by allocating properly
   			sized send buffers for stream-based transports.
   			[GL #4038]

   6186.	[bug]		Fix a 'clients-per-query' miscalculation bug. When the
   			'stale-answer-enable' options was enabled and the
   			'stale-answer-client-timeout' option was enabled and
   			larger than 0, named was taking two places from the
   			'clients-per-query' limit for each client and was
   			failing to gradually auto-tune its value, as configured.
   			[GL #4074]

   6185.	[func]		Add "ClientQuota" statistics channel counter, which
   			indicates the number of the resolver's spilled queries
   			due to reaching the clients per query quota. [GL !7978]

   6183.	[bug]		Fix a serve-stale bug where a delegation from cache
   			could be returned to the client. [GL #3950]

   6182.	[cleanup]	Remove configure checks for epoll, kqueue and
   			/dev/poll. [GL #4098]

   6181.	[func]		The "tkey-dhkey" option has been deprecated; a
   			warning will be logged when it is used. In a future
   			release, Diffie-Hellman TKEY mode will be removed.
   			[GL #3905]

   6180.	[bug]		The session key object could be incorrectly added
   			to multiple different views' keyrings. [GL #4079]

   6179.	[bug]		Fix an interfacemgr use-after-free error in
   			zoneconf.c:isself(). [GL #3765]

   6176.	[test]		Add support for using pytest & pytest-xdist to
   			execute the system test suite. [GL #3978]

   6174.	[bug]		BIND could get stuck on reconfiguration when a
   			'listen' statement for HTTP is removed from the
   			configuration. That has been fixed. [GL #4071]

   6173.	[bug]		Properly process extra "nameserver" lines in
   			resolv.conf otherwise the next line is not properly
   			processed. [GL #4066]

   6169.	[bug]		named could crash when deleting inline-signing zones
   			with "rndc delzone". [GL #4054]

   6165.	[bug]		Fix a logic error in dighost.c which could call the
   			dighost_shutdown() callback twice and cause problems
   			if the callback function was not idempotent. [GL #4039]
@
text
@d1 1
a1 1
@@comment $NetBSD$
d153 1
@


1.2
log
@net/bind918: update to 9.18.11

Approved by MAINTAINER (sekiya@@).

	--- 9.18.11 released ---

6067.	[security]	Fix serve-stale crash when recursive clients soft quota
			is reached. (CVE-2022-3924) [GL #3619]

6066.	[security]	Handle RRSIG lookups when serve-stale is active.
			(CVE-2022-3736) [GL #3622]

6064.	[security]	An UPDATE message flood could cause named to exhaust all
			available memory. This flaw was addressed by adding a
			new "update-quota" statement that controls the number of
			simultaneous UPDATE messages that can be processed or
			forwarded. The default is 100. A stats counter has been
			added to record events when the update quota is
			exceeded, and the XML and JSON statistics version
			numbers have been updated. (CVE-2022-3094) [GL #3523]

6062.	[func]		The DSCP implementation, which has been
			nonfunctional for some time, is now marked as
			obsolete and the implementation has been removed.
			Configuring DSCP values in named.conf has no
			effect, and a warning will be logged that
			the feature should no longer be used. [GL #3773]

6061.	[bug]		Fix unexpected "Prohibited" extended DNS error
			on allow-recursion. [GL #3743]

6060.	[bug]		Fix a use-after-free bug in dns_zonemgr_releasezone()
			by detaching from the zone manager outside of the write
			lock. [GL #3768]

6059.	[bug]		In some serve stale scenarios, like when following an
			expired CNAME record, named could return SERVFAIL if the
			previous request wasn't successful. Consider non-stale
			data when in serve-stale mode. [GL #3678]

6058.	[bug]		Prevent named from crashing when "rndc delzone"
			attempts to delete a zone added by a catalog zone.
			[GL #3745]

6053.	[bug]		Fix an ADB quota management bug in resolver. [GL #3752]

6051.	[bug]		Improve thread safety in the dns_dispatch unit.
			[GL #3178] [GL #3636]

6050.	[bug]		Changes to the RPZ response-policy min-update-interval
			and add-soa options now take effect as expected when
			named is reconfigured. [GL #3740]

6049.	[bug]		Exclude ADB hashtables from the ADB memory
			overmem checks and don't clean ADB names
			and ADB entries used in the last 10 seconds
			(ADB_CACHE_MINIMUM). [GL #3739]

6048.	[bug]		Fix a log message error in dns_catz_update_from_db(),
			where serials with values of 2^31 or larger were logged
			incorrectly as negative numbers. [GL #3742]

6047.	[bug]		Try the next server instead of trying the same
			server again on an outgoing query timeout.
			[GL #3637]

6046.	[bug]		TLS session resumption might lead to handshake
			failures when client certificates are used for
			authentication (Mutual TLS).  This has been fixed.
			[GL #3725]

6045.	[cleanup]	The list of supported DNSSEC algorithms changed log
			level from "warning" to "notice" to match named's other
			startup messages. [GL !7217]

6044.	[bug]		There was an "RSASHA236" typo in a log message.
			[GL !7206]

5830.	[func]		Implement incremental resizing of isc_ht hash tables to
			perform the rehashing gradually. The catalog zone
			implementation has been optimized to work with hundreds
			of thousands of member zones. [GL #3212] [GL #3744]
@
text
@d1 1
a1 1
@@comment $NetBSD: PLIST,v 1.1 2022/12/11 01:57:55 sekiya Exp $
a137 1
include/isc/bind9.h
@


1.1
log
@Add net/bind918
@
text
@d1 1
a1 1
@@comment $NetBSD$
a255 1
lib/libbind9-9.18.9.so
a256 1
lib/libdns-9.18.9.so
a257 1
lib/libirs-9.18.9.so
a258 1
lib/libisc-9.18.9.so
a259 1
lib/libisccc-9.18.9.so
a260 1
lib/libisccfg-9.18.9.so
a261 1
lib/libns-9.18.9.so
@


1.1.2.1
log
@Pullup ticket #6736 - requested by taca
net/bind918: security update

Revisions pulled up:
- net/bind918/Makefile                                          1.6
- net/bind918/PLIST                                             1.2
- net/bind918/distinfo                                          1.4
- net/bind918/patches/patch-bin_tests_system_keyfromlabel_tests.sh deleted
- net/bind918/patches/patch-lib_isc_siphash.c                   1.2
- net/bind918/patches/patch-lib_isc_time.c                      1.2
- net/bind918/patches/patch-lib_ns_update.c                     1.2

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Wed Feb  8 00:13:44 UTC 2023

   Modified Files:
   	pkgsrc/net/bind918: Makefile PLIST distinfo
   	pkgsrc/net/bind918/patches: patch-lib_isc_siphash.c
   	    patch-lib_isc_time.c patch-lib_ns_update.c
   Removed Files:
   	pkgsrc/net/bind918/patches:
   	    patch-bin_tests_system_keyfromlabel_tests.sh

   Log Message:
   net/bind918: update to 9.18.11

   Approved by MAINTAINER (sekiya@@).

   	--- 9.18.11 released ---

   6067.	[security]	Fix serve-stale crash when recursive clients soft quota
   			is reached. (CVE-2022-3924) [GL #3619]

   6066.	[security]	Handle RRSIG lookups when serve-stale is active.
   			(CVE-2022-3736) [GL #3622]

   6064.	[security]	An UPDATE message flood could cause named to exhaust all
   			available memory. This flaw was addressed by adding a
   			new "update-quota" statement that controls the number of
   			simultaneous UPDATE messages that can be processed or
   			forwarded. The default is 100. A stats counter has been
   			added to record events when the update quota is
   			exceeded, and the XML and JSON statistics version
   			numbers have been updated. (CVE-2022-3094) [GL #3523]

   6062.	[func]		The DSCP implementation, which has been
   			nonfunctional for some time, is now marked as
   			obsolete and the implementation has been removed.
   			Configuring DSCP values in named.conf has no
   			effect, and a warning will be logged that
   			the feature should no longer be used. [GL #3773]

   6061.	[bug]		Fix unexpected "Prohibited" extended DNS error
   			on allow-recursion. [GL #3743]

   6060.	[bug]		Fix a use-after-free bug in dns_zonemgr_releasezone()
   			by detaching from the zone manager outside of the write
   			lock. [GL #3768]

   6059.	[bug]		In some serve stale scenarios, like when following an
   			expired CNAME record, named could return SERVFAIL if the
   			previous request wasn't successful. Consider non-stale
   			data when in serve-stale mode. [GL #3678]

   6058.	[bug]		Prevent named from crashing when "rndc delzone"
   			attempts to delete a zone added by a catalog zone.
   			[GL #3745]

   6053.	[bug]		Fix an ADB quota management bug in resolver. [GL #3752]

   6051.	[bug]		Improve thread safety in the dns_dispatch unit.
   			[GL #3178] [GL #3636]

   6050.	[bug]		Changes to the RPZ response-policy min-update-interval
   			and add-soa options now take effect as expected when
   			named is reconfigured. [GL #3740]

   6049.	[bug]		Exclude ADB hashtables from the ADB memory
   			overmem checks and don't clean ADB names
   			and ADB entries used in the last 10 seconds
   			(ADB_CACHE_MINIMUM). [GL #3739]

   6048.	[bug]		Fix a log message error in dns_catz_update_from_db(),
   			where serials with values of 2^31 or larger were logged
   			incorrectly as negative numbers. [GL #3742]

   6047.	[bug]		Try the next server instead of trying the same
   			server again on an outgoing query timeout.
   			[GL #3637]

   6046.	[bug]		TLS session resumption might lead to handshake
   			failures when client certificates are used for
   			authentication (Mutual TLS).  This has been fixed.
   			[GL #3725]

   6045.	[cleanup]	The list of supported DNSSEC algorithms changed log
   			level from "warning" to "notice" to match named's other
   			startup messages. [GL !7217]

   6044.	[bug]		There was an "RSASHA236" typo in a log message.
   			[GL !7206]

   5830.	[func]		Implement incremental resizing of isc_ht hash tables to
   			perform the rehashing gradually. The catalog zone
   			implementation has been optimized to work with hundreds
   			of thousands of member zones. [GL #3212] [GL #3744]


   To generate a diff of this commit:
   cvs rdiff -u -r1.5 -r1.6 pkgsrc/net/bind918/Makefile
   cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind918/PLIST
   cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/bind918/distinfo
   cvs rdiff -u -r1.1 -r0 \
       pkgsrc/net/bind918/patches/patch-bin_tests_system_keyfromlabel_tests.sh
   cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/bind918/patches/patch-lib_isc_siphash.c \
       pkgsrc/net/bind918/patches/patch-lib_isc_time.c \
       pkgsrc/net/bind918/patches/patch-lib_ns_update.c
@
text
@d256 1
d258 1
d260 1
d262 1
d264 1
d266 1
d268 1
@


