./net/bind99, Berkeley Internet Name Daemon implementation of DNS, version 9.9

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 9.9.5nb1, Package name: bind-9.9.5nb1, Maintainer: pkgsrc-users

BIND, the Berkeley Internet Name Daemon, version 9 is a major rewrite
of nearly all aspects of the underlying BIND architecture. Some
of the important features of BIND-9 are:

- DNS Security
- IP version 6
- DNS Protocol Enhancements
- Views
- Multiprocessor Support
- Improved Portability Architecture
- Full NSEC3 support
- Automatic zone re-signing
- New update-policy methods tcp-self and 6to4-self

This package contains the BIND 9.9 release.



Package options: inet6, readline, threads

Master sites: (Expand)

SHA1: f3fe8000628ec57f332aec1ad9587b767208a38f
RMD160: cc2351d9af779ed1a1dd5909a10cce28ddb41747
Filesize: 7548.53 KB

Version history: (Expand)


CVS history: (Expand)


   2014-03-11 15:34:41 by Jonathan Perkin | Files touched by this commit (99)
Log message:
Import initial SMF support for individual packages.
   2014-03-11 15:05:19 by Jonathan Perkin | Files touched by this commit (350)
Log message:
Remove example rc.d scripts from PLISTs.

These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.
   2014-02-13 00:18:57 by Matthias Scheler | Files touched by this commit (1568)
Log message:
Recursive PKGREVISION bump for OpenSSL API version bump.
   2014-02-02 08:58:20 by Takahiro Kambe | Files touched by this commit (6) | Package updated
Log message:
Update bind99 to 9.9.5 (BIND 9.9.5).

Security fixes were already covered by 9.9.4pl2.

Some bug fixes and clean up, please refer CHANGES file in detail.
   2014-01-13 18:31:00 by Takahiro Kambe | Files touched by this commit (4) | Package updated
Log message:
Update bind99 to 9.9.4pl2 (BIND 9.9.4-P2), securify fix for CVE-2014-0591.

pkgsrc change: remove patches/patch-configure.in.

	--- 9.9.4-P2 released ---

3693.	[security]	memcpy was incorrectly called with overlapping
			ranges resulting in malformed names being generated
			on some platforms.  This could cause INSIST failures
			when serving NSEC3 signed zones.  [RT #35120]

3658.	[port]		linux: Address platform specific compilation issue
			when libcap-devel is installed. [RT #34838]
   2013-11-07 05:23:58 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
Update bind99 to 9.9.4pl1 (BIND 9.9.4-P1).

Security Fixes

   Treat an all zero netmask as invalid when generating the localnets
   acl. A Winsock library call on some Windows systems can return
   an incorrect value for an interface's netmask, potentially
   causing unexpected matches to BIND's built-in "localnets" Access
   Control List. (CVE-2013-6230) [RT #34687]
   2013-09-21 18:00:34 by Takahiro Kambe | Files touched by this commit (12) | Package updated
Log message:
Update bind99 to 9.9.4 (BIND 9.9.4).
(CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc).

Security Fixes

   Previously an error in bounds checking on the private type
   'keydata' could be used to deny service through a deliberately
   triggerable REQUIRE failure (CVE-2013-4854).  [RT #34238]

   Prevents exploitation of a runtime_check which can crash named
   when satisfying a recursive query for particular malformed zones.
   (CVE-2013-3919) [RT #33690]

New Features

   Added Response Rate Limiting (RRL) functionality to reduce the
   effectiveness of DNS as an amplifier for reflected denial-of-service
   attacks by rate-limiting substantially-identical responses. [RT
   #28130]

Feature Changes

   rndc status now also shows the build-id. [RT #20422]

   Improved OPT pseudo-record processing to make it easier to support
   new EDNS options. [RT #34414]

   "configure" now finishes by printing a summary of optional BIND
   features and whether they are active or inactive. ("configure
   --enable-full-report" increases the verbosity of the summary.)
   [RT #31777]

   Addressed compatibility issues with newer versions of Microsoft
   Visual Studio. [RT #33916]

   Improved the 'rndc' man page. [RT #33506]

   'named -g' now no longer works with an invalid logging configuration.
   [RT #33473]

   The default (and minimum) value for tcp-listen-queue is now 10
   instead of 3.  This is a subtle control setting (not applicable
   to all OS   environments).  When there is a high rate of inbound
   TCP connections, it   controls how many connections can be queued
   before they are accepted by named.  Once this limit is exceeded,
   new TCP connections will be rejected.  Note however that a value
   of 10 does not imply a strict limit of 10 queued TCP connections
   - the impact of changing this configuration setting will be
   OS-dependent.  Larger values for tcp-listen queue will permit
   more pending tcp connections, which may be needed where there
   is a high rate of TCP-based traffic (for example in a dynamic
   environment where there are frequent zone updates and transfers).
   For most production servers the new default value of 10 should
   be adequate.  [RT #33029]

   Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e
   with PKCS#11. [RT #33463]

   Added logging messages on slave servers when they forward DDNS
   updates to a master. [RT #33240]

   Changed the logging category for RRL events from 'queries' to
   'query-errors'. [RT #33540]

Bug Fixes

   Fixed the "allow-query-on" option to correctly check the destination
   address. [RT #34590]

   Fix forwarding for  forward only "zones" beneath automatic empty
   zones. [RT #34583]

   Fix DNSSEC auto maintenance so signatures can be removed from a
   zone with only KSK keys for an algorithm. [RT #34439]

   Fix DNSSEC auto maintenance so signatures from newly inactive
   keys are removed (when publishing a new key while deactivating
   another key at the same time). [RT #32178]

   Remove bogus warning log message about missing signatures when
   receiving a query for a SIG record. [RT #34600]

   Fix Response Policy Zones on slave servers so new RPZ changes
   take effect. [RT #34450]

   Fix the "zone-statistics" option to work with the default
   traditional statistics (not new "--enable-newstats" feature).
   [RT #34466]

   named could crash when deleting inline-signing zones with "rndc
   delzone". [RT #34066]

   Improved resistance to a theoretical authentication attack based
   on differential timing.  [RT #33939]

   named was failing to answer queries during "rndc reload" [RT
   #34098]

   win32: Some executables had been omitted from the installer. [RT
   #34116]

   fixed a broken 'Invalid keyfile' error message in dnssec-keygen.
   [RT #34045]

   The build of BIND now installs isc/stat.h so that it's available
   to /isc/file.h when building other applications that reference
   these header files - for example dnsperf (see Debian bug ticket
   #692467).  [RT #33056]

   Better handle failures building XML for stats channel responses.
   [RT #33706]

   Fixed a memory leak in GSS-API processing. [RT #33574]

   Fixed an acache-related race condition that could cause a crash.
   [RT #33602]

   rndc now properly fails when given an invalid '-c' argument. [RT
   #33571]

   Fixed an issue with the handling of zero TTL records that could
   cause improper SERVFAILs. [RT #33411]

   Fixed a crash-on-shutdown race condition with DNSSEC validation.
   [RT #33573]

   Corrected the way that "rndc addzone" and "rndc delzone" \ 
handle
   non-standard characters in zone names. [RT #33419]

   Adjusted RRL behavior for recursive queries to defer rate-limiting
   until after recursion is complete.  Also uses correct rcode for
   slipped NXDOMAIN responses. [RT #33604]

   Previously, BIND could erroneously report a missing file
   specification when using inline slave zones.  [RT #33662]
   2013-08-07 20:34:35 by John Klos | Files touched by this commit (1) | Package updated
Log message:
rl-9.9.3-P2.patch has been updated. From http://ss.vix.su/~vjs/rrlrpz.html