./net/bind910, Berkeley Internet Name Daemon implementation of DNS, version 9.10

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 9.10.5pl1, Package name: bind-9.10.5pl1, Maintainer: pkgsrc-users

BIND, the Berkeley Internet Name Daemon, version 9 is a major rewrite
of nearly all aspects of the underlying BIND architecture. Some
of the important features of BIND-9 are:

- DNS Security
- IP version 6
- DNS Protocol Enhancements
- Views
- Multiprocessor Support
- Improved Portability Architecture
- Full NSEC3 support
- Automatic zone re-signing
- New update-policy methods tcp-self and 6to4-self

This package contains the BIND 9.10 release.


Required to build:
[pkgtools/cwrappers]

Package options: inet6, readline, threads

Master sites:

SHA1: 934eee6466769cf67c09475c1428dd062ee2d755
RMD160: d3a5b423137c0290872bec5f1a2718573f40ac8b
Filesize: 9186.413 KB

Version history: (Expand)


CVS history: (Expand)


   2017-06-15 03:58:41 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
Update bind910 package to 9.10.5pl1 (BIND 9.10.5-P1).

	--- 9.10.5-P1 released ---

4632.	[security]	The BIND installer on Windows used an unquoted
			service path, which can enable privilege escalation.
			(CVE-2017-3141) [RT #45229]

4631.	[security]	Some RPZ configurations could go into an infinite
			query loop when encountering responses with TTL=0.
			(CVE-2017-3140) [RT #45181]
   2017-04-22 18:05:43 by Takahiro Kambe | Files touched by this commit (4) | Package updated
Log message:
Update bind910 to 9.10.5 (BIND 9.10.5).

This is maintenance release and please refer release announce in detail:
https://kb.isc.org/article/AA-01490.
   2017-04-13 03:52:42 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
Update bind910 to 9.10.4pl8 (BIND 9.10.4-P8).

Quote from release announce:

   BIND 9.10.4-P8 addresses the security issues described in
   CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138, and updates the
   built-in trusted keys for the root zone.

From CHANGELOG:

	--- 9.10.4-P8 released ---

4582.	[security]	'rndc ""' could trigger a assertion failure in named.
			(CVE-2017-3138) [RT #44924]

4580.	[bug]		4578 introduced a regression when handling CNAME to
			referral below the current domain. [RT #44850]

	--- 9.10.4-P7 released ---

4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
			queries could trigger assertion failures.
			(CVE-2017-3137) [RT #44734]

4575.	[security]	DNS64 with "break-dnssec yes;" can result in an
			assertion failure. (CVE-2017-3136) [RT #44653]

4564.	[maint]		Update the built in managed keys to include the
			upcoming root KSK. [RT #44579]
   2017-02-24 16:46:14 by Filip Hajny | Files touched by this commit (4)
Log message:
Fix bind.keys PLIST handling, thanks joerg@ for the notice.
   2017-02-20 16:19:54 by Filip Hajny | Files touched by this commit (6) | Package updated
Log message:
Change bind99 and bind910 package to use the standard PKG_SYSCONFDIR
for config files instead of the hardcoded /etc path. Sync SMF support
across the two packages. Bump PKGREVISION.
   2017-02-09 01:48:59 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
Update bind910 to 9.10.4pl6 (BIND 9.10.4-P6).

Security Fixes

     * If a server is configured with a response policy zone (RPZ) that
       rewrites an answer with local data, and is also configured for
       DNS64 address mapping, a NULL pointer can be read triggering a
       server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
     * named could mishandle authority sections with missing RRSIGs,
       triggering an assertion failure. This flaw is disclosed in
       CVE-2016-9444. [RT #43632]
     * named mishandled some responses where covering RRSIG records were
       returned without the requested data, resulting in an assertion
       failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
     * named incorrectly tried to cache TKEY records which could trigger
       an assertion failure when there was a class mismatch. This flaw is
       disclosed in CVE-2016-9131. [RT #43522]
     * It was possible to trigger assertions when processing responses
       containing answers of type DNAME. This flaw is disclosed in
       CVE-2016-8864. [RT #43465]
     * Added the ability to specify the maximum number of records
       permitted in a zone (max-records #;). This provides a mechanism to
       block overly large zone transfers, which is a potential risk with
       slave zones from other parties, as described in CVE-2016-6170. [RT
       #42143]
     * It was possible to trigger an assertion when rendering a message
       using a specially crafted request. This flaw is disclosed in
       CVE-2016-2776. [RT #43139]
     * Calling getrrsetbyname() with a non absolute name could trigger an
       infinite recursion bug in lwresd or named with lwres configured if,
       when combined with a search list entry from resolv.conf, the
       resulting name is too long. This flaw is disclosed in
       CVE-2016-2775. [RT #42694]

New Features

     * named now provides feedback to the owners of zones which have trust
       anchors configured (trusted-keys, managed-keys, dnssec-validation
       auto; and dnssec-lookaside auto;) by sending a daily query which
       encodes the keyids of the configured trust anchors for the zone.
       This is controlled by trust-anchor-telemetry and defaults to yes.
     * A new tcp-only option has been added to server clauses, to indicate
       that UDP should not be used when sending queries to a specified IP
       address or prefix.

Feature Changes

     * The built in mangaged keys for the global root zone have been
       updated to include the upcoming key signing key (keyid 20326).
     * The ISC DNSSEC Lookaside Validation (DLV) service is scheduled to
       be disabled in 2017. A warning is now logged when named is
       configured to use this service, either explicitly or via
       dnssec-lookaside auto;. [RT #42207]
     * If an ACL is specified with an address prefix in which the prefix
       length is longer than the address portion (for example,
       192.0.2.1/8), named will now log a warning. In future releases this
       will be a fatal configuration error. [RT #43367]

Bug Fixes

     * A synthesized CNAME record appearing in a response before the
       associated DNAME could be cached, when it should not have been.
       This was a regression introduced while addressing CVE-2016-8864.
       [RT #44318]
     * Named could deadlock there were multiple changes to NSEC/NSEC3
       parameters for a zone being processed at the same time. [RT #42770]
     * Named could trigger a assertion when sending notify messages. [RT
       #44019]
     * Fixed a crash when calling rndc stats on some Windows builds: some
       Visual Studio compilers generate code that crashes when the "%z"
       printf() format specifier is used. [RT #42380]
     * Windows installs were failing due to triggering UAC without the
       installation binary being signed.
     * A change in the internal binary representation of the RBT database
       node structure enabled a race condition to occur (especially when
       BIND was built with certain compilers or optimizer settings),
       leading to inconsistent database state which caused random
       assertion failures. [RT #42380]
     * Referencing a nonexistent zone in a response-policy statement could
       cause an assertion failure during configuration. [RT #43787]
     * rndc addzone could cause a crash when attempting to add a zone with
       a type other than master or slave. Such zones are now rejected. [RT
       #43665]
     * named could hang when encountering log file names with large
       apparent gaps in version number (for example, when files exist
       called "logfile.0", "logfile.1", and \ 
"logfile.1482954169"). This is
       now handled correctly. [RT #38688]
     * If a zone was updated while named was processing a query for
       nonexistent data, it could return out-of-sync NSEC3 records causing
       potential DNSSEC validation failure. [RT #43247]
     * named could crash when loading a zone which had RRISG records whose
       expiry fields were far enough apart to cause an integer overflow
       when comparing them. [RT #40571]
     * The arpaname and named-rrchecker commands were not installed into
       the correct prefix/bin directory. [RT #42910]
     * When receiving a response from an authoritative server with a TTL
       value of zero, named> will now only use that response once, to
       answer the currently active clients that were waiting for it.
       Previously, such response could be cached and reused for up to one
       second. [RT #42142]
     * named-checkconf now checks the rate-limit clause for correctness.
       [RT #42970]
     * Corrected a bug in the rndc control channel that could allow a read
       past the end of a buffer, crashing named. Thanks to Lian Yihan for
       reporting this error.

Maintenance

     * The built-in root hints have been updated to include IPv6 addresses
       for B.ROOT-SERVERS.NET (2001:500:84::b), E.ROOT-SERVERS.NET
       (2001:500:a8::e) and G.ROOT-SERVERS.NET (2001:500:12::d0d).
   2017-01-12 01:04:43 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
Update bind910 to 9.10.4pl5 (BIND 9.10.4-P5), including security fixes.

	--- 9.10.4-P5 released ---

4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
			in responses resulting in SERVFAIL being returned.
			[RT #43779]

4528.	[bug]		Only set the flag bits for the i/o we are waiting
			for on EPOLLERR or EPOLLHUP. [RT #43617]

4519.	[port]		win32: handle ERROR_MORE_DATA. [RT #43534]

4517.	[security]	Named could mishandle authority sections that were
			missing RRSIGs triggering an assertion failure.
			(CVE-2016-9444) [RT # 43632]

4510.	[security]	Named mishandled some responses where covering RRSIG
			records are returned without the requested data
			resulting in a assertion failure. (CVE-2016-9147)
			[RT #43548]

4508.	[security]	Named incorrectly tried to cache TKEY records which
			could trigger a assertion failure when there was
			a class mismatch. (CVE-2016-9131) [RT #43522]
   2016-12-16 16:41:03 by Hans Rosenfeld | Files touched by this commit (1) | Package updated
Log message:
Bump PKGREVISION for SMF update.