/bind99, Berkeley Internet Name Daemon implementation of DNS, version 9.9
9.9.7pl3, Package name:
bind-9.9.7pl3, Maintainer: pkgsrc-users
BIND, the Berkeley Internet Name Daemon, version 9 is a major rewrite
of nearly all aspects of the underlying BIND architecture. Some
of the important features of BIND-9 are:
- DNS Security
- IP version 6
- DNS Protocol Enhancements
- Multiprocessor Support
- Improved Portability Architecture
- Full NSEC3 support
- Automatic zone re-signing
- New update-policy methods tcp-self and 6to4-self
This package contains the BIND 9.9 release.
: inet6, readline, threads
Master sites: (Expand) SHA1:
Version history: (Expand)
- (2015-09-03) Updated to version: bind-9.9.7pl3
- (2015-09-03) Updated to version: bind-9.9.7pl2nb1
- (2015-07-29) Updated to version: bind-9.9.7pl2
- (2015-07-08) Updated to version: bind-9.9.7pl1
- (2015-06-13) Updated to version: bind-9.9.7nb1
- (2015-02-26) Updated to version: bind-9.9.7
CVS history: (Expand)
| 2015-11-04 01:35:47 by Alistair G. Crooks | Files touched by this commit (748) |
Add SHA512 digests for distfiles for net category
Problems found with existing digests:
Package haproxy distfile haproxy-1.5.14.tar.gz
Problems found locating distfiles:
Package bsddip: missing distfile bsddip-1.02.tar.Z
Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz
Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2
Package djbdns: missing distfile djbdns-cachestats.patch
Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch
Package gated: missing distfile gated-3-5-11.tar.gz
Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz
Package poink: missing distfile poink-1.6.tar.gz
Package ra-rtsp-proxy: missing distfile rtspd-src-18.104.22.168.tar.gz
Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch
Package waste: missing distfile waste-source.tar.gz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
| 2015-09-03 02:35:03 by Takahiro Kambe | Files touched by this commit (11) | |
Update bind99 to 9.9.7pl3 (BIND 9.9.7-P3).
(These security fixes are already done by bind-9.9.7pl2nb1.)
--- 9.9.7-P3 released ---
4170. [security] An incorrect boundary check in the OPENPGPKEY
rdatatype could trigger an assertion failure.
(CVE-2015-5986) [RT #40286]
4168. [security] A buffer accounting error could trigger an
assertion failure when parsing certain malformed
DNSSEC keys. (CVE-2015-5722) [RT #40212]
| 2015-09-02 21:44:28 by Sevan Janiyan | Files touched by this commit (11) |
Patch CVE-2015-5722 & CVE-2015-5986
CVE-2015-5722 - Parsing malformed keys may cause BIND to exit due to a failed
assertion in buffer.c
CVE-2015-5986 - An incorrect boundary check can trigger a REQUIRE assertion
failure in openpgpkey_61.c
Reviewed by wiz@
| 2015-07-29 00:35:36 by Takahiro Kambe | Files touched by this commit (2) | |
Update bind99 to 9.9.7pl2 (BIND 9.9.7-P2).
--- 9.9.7-P2 released ---
4165. [security] A failure to reset a value to NULL in tkey.c could
result in an assertion failure. (CVE-2015-5477)
| 2015-07-08 00:25:35 by Takahiro Kambe | Files touched by this commit (2) | |
Update bind99 to 9.9.7pl1 (BIND 9.9.7-P1).
--- 9.9.7-P1 released ---
4138. [bug] An uninitialized value in validator.c could result
in an assertion failure. (CVE-2015-4620) [RT #39795]
| 2015-06-12 12:52:19 by Thomas Klausner | Files touched by this commit (3152) |
Recursive PKGREVISION bump for all packages mentioning 'perl',
having a PKGNAME of p5-*, or depending such a package,
| 2015-02-26 11:14:10 by Takahiro Kambe | Files touched by this commit (5) | |
Update bind99 to 9.9.7.
* On servers configured to perform DNSSEC validation using managed
trust anchors (i.e., keys configured explicitly via managed-keys,
or implicitly via dnssec-validation auto; or dnssec-lookaside
auto;), revoking a trust anchor and sending a new untrusted
replacement could cause named to crash with an assertion failure.
This could occur in the event of a botched key rollover, or
potentially as a result of a deliberate attack if the attacker was
in position to monitor the victim's DNS traffic.
This flaw was discovered by Jan-Piet Mens, and is disclosed in
CVE-2015-1349. [RT #38344]
* A flaw in delegation handling could be exploited to put named into
an infinite loop, in which each lookup of a name server triggered
additional lookups of more name servers. This has been addressed by
placing limits on the number of levels of recursion named will
allow (default 7), and on the number of queries that it will send
before terminating a recursive query (default 50).
The recursion depth limit is configured via the max-recursion-depth
option, and the query limit via the max-recursion-queries option.
The flaw was discovered by Florian Maury of ANSSI, and is disclosed
in CVE-2014-8500. [RT #37580]
* NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query of
type DS for such a zone could cause the zone apex to be cached as
NXDOMAIN, blocking all subsequent queries. (Note: This change is
only helpful when DNSSEC validation is not enabled. "Grafted" zones
without a delegation in the parent are not a recommended
* NOTIFY messages that are sent because a zone has been updated are
now given priority above NOTIFY messages that were scheduled when
the server started up. This should mitigate delays in zone
propagation when servers are restarted frequently.
* Errors reported when running rndc addzone (e.g., when a zone file
cannot be loaded) have been clarified to make it easier to diagnose
* Added support for OPENPGPKEY type.
* When encountering an authoritative name server whose name is an
alias pointing to another name, the resolver treats this as an
error and skips to the next server. Previously this happened
silently; now the error will be logged to the newly-created "cname"
* If named is not configured to validate the answer then allow
fallback to plain DNS on timeout even when we know the server
supports EDNS. This will allow the server to potentially resolve
signed queries when TCP is being blocked.
* dig, host and nslookup aborted when encountering a name which,
after appending search list elements, exceeded 255 bytes. Such
names are now skipped, but processing of other names will continue.
* The error message generated when named-checkzone or named-checkconf
-z encounters a $TTL directive without a value has been clarified.
* Semicolon characters (;) included in TXT records were incorrectly
escaped with a backslash when the record was displayed as text.
This is actually only necessary when there are no quotation marks.
* When files opened for writing by named, such as zone journal files,
were referenced more than once in named.conf, it could lead to file
corruption as multiple threads wrote to the same file. This is now
detected when loading named.conf and reported as an error. [RT
* dnssec-keygen -S failed to generate successor keys for some
algorithm types (including ECDSA and GOST) due to a difference in
the content of private key files. This has been corrected. [RT
* UPDATE messages that arrived too soon after an rndc thaw could be
lost. [RT #37233]
* Forwarding of UPDATE messages did not work when they were signed
with SIG(0); they resulted in a BADSIG response code. [RT #37216]
* When checking for updates to trust anchors listed in managed-keys,
named now revalidates keys based on the current set of active trust
anchors, without relying on any cached record of previous
validation. [RT #37506]
* When NXDOMAIN redirection is in use, queries for a name that is
present in the redirection zone but a type that is not present will
now return NOERROR instead of NXDOMAIN.
* When a zone contained a delegation to an IPv6 name server but not
an IPv4 name server, it was possible for a memory reference to be
left un-freed. This caused an assertion failure on server shutdown,
but was otherwise harmless. [RT #37796]
* Due to an inadvertent removal of code in the previous release, when
named encountered an authoritative name server which dropped all
EDNS queries, it did not always try plain DNS. This has been
corrected. [RT #37965]
* A regression caused nsupdate to use the default recursive servers
rather than the SOA MNAME server when sending the UPDATE.
* Adjusted max-recursion-queries to better accommodate empty caches.
* Built-in "empty" zones did not correctly inherit the
"allow-transfer" ACL from the options or view. [RT #38310]
* A mutex leak was fixed that could cause named processes to grow to
very large sizes. [RT #38454]
* Fixed some bugs in RFC 5011 trust anchor management, including a
memory leak and a possible loss of state information.[RT #38458]
| 2015-02-19 01:36:27 by Takahiro Kambe | Files touched by this commit (2) | |
Update bind99 to 9.9.6pl2 (BIND 9.9.6-P2).
--- 9.9.6-P2 released ---
4053. [security] Revoking a managed trust anchor and supplying
an untrusted replacement could cause named
to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
4027. [port] Net::DNS 0.81 compatibility. [RT #38165]