2018-07-14 05:53:42 by Takahiro Kambe | Files touched by this commit (3) | |
Log message:
net/bind910: update to 9.10.8
This release contains security fix for CVE-2018-5738 and several bug fixes.
For more detail, please refer CHANGES file.
|
2018-03-24 16:02:33 by Takahiro Kambe | Files touched by this commit (4) | |
Log message:
net/bind910: update to 9.10.7
New maintenance releases in the 9.9, 9.10, 9.11, and 9.12 branches of
BIND are now available.
Release notes can be found with the releases or in the ISC Knowledge Base:
9.9.12: https://kb.isc.org/article/AA-01596/0/9.9.12-Notes.html
9.10.7: https://kb.isc.org/article/AA-01595/0/9.10.7-Notes.html
9.11.3: https://kb.isc.org/article/AA-01597/0/9.11.3-Notes.html
9.12.1: https://kb.isc.org/article/AA-01598/0/9.12.1-Notes.html
Users who are migrating an existing BIND configuration to these new
versions should take special note of two changes in the behavior
of the "update-policy" statement which slightly change the behavior
of two update-policy options.
The first such change is discussed in greater length in the BIND
Operational Notification issued today:
https://kb.isc.org/article/AA-01599/update-policy-local-was-named-misleadingly
The second change to update-policy behavior concerns this change:
"update-policy rules that otherwise ignore the name field now
require that it be set to "." to ensure that any type list present
is properly interpreted. Previously, if the name field was omitted
from the rule declaration but a type list was present, it wouldn't
be interpreted as expected."
which is a correction to an ambiguous case that was previously allowed,
but which was capable of causing unexpected results when accidentally
applied. The new requirement eliminates is intended to eliminate the
confusion, which previously caused some operators to misapply security
policies. However, due to the new requirement, named configuration
files that relied on the previous behavior will no longer be accepted.
These changes should not affect most operators, even those using
"update-policy" to define Dynamic DNS permissions, but we would like
to draw your attention to them so that operators are informed about
the new behaviors.
|
2018-02-08 15:43:07 by Filip Hajny | Files touched by this commit (2) |
Log message:
net/bind910: Fix problem in configure where contents of $LIBS would
be lost when json-c support was enabled.
|
2018-01-17 01:31:38 by Takahiro Kambe | Files touched by this commit (2) | |
Log message:
net/bind910: update to 9.10.6pl1 (BIND 9.10.6-P1).
Release Notes for BIND Version 9.10.6-P1
Introduction
This document summarizes changes since BIND 9.10.6.
BIND 9.10.6-P1 addresses the security issue described in CVE-2017-3145.
Download
The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
New DNSSEC Root Key
ICANN is in the process of introducing a new Key Signing Key (KSK) for
the global root zone. BIND has multiple methods for managing DNSSEC
trust anchors, with somewhat different behaviors. If the root key is
configured using the managed-keys statement, or if the pre-configured
root key is enabled by using dnssec-validation auto, then BIND can keep
keys up to date automatically. Servers configured in this way should
have begun the process of rolling to the new key when it was published
in the root zone in July 2017. However, keys configured using the
trusted-keys statement are not automatically maintained. If your server
is performing DNSSEC validation and is configured using trusted-keys,
you are advised to change your configuration before the root zone
begins signing with the new KSK. This is currently scheduled for
October 11, 2017.
This release includes an updated version of the bind.keys file
containing the new root key. This file can also be downloaded from
https://www.isc.org/bind-keys .
Windows XP No Longer Supported
As of BIND 9.10.6, Windows XP is no longer a supported platform for
BIND, and Windows XP binaries are no longer available for download from
ISC.
Security Fixes
* Addresses could be referenced after being freed during resolver
processing, causing an assertion failure. The chances of this
happening were remote, but the introduction of a delay in
resolution increased them. (The delay will be addressed in an
upcoming maintenance release.) This bug is disclosed in
CVE-2017-3145. [RT #46839]
* An error in TSIG handling could permit unauthorized zone transfers
or zone updates. These flaws are disclosed in CVE-2017-3142 and
CVE-2017-3143. [RT #45383]
* The BIND installer on Windows used an unquoted service path, which
can enable privilege escalation. This flaw is disclosed in
CVE-2017-3141. [RT #45229]
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140. [RT #45181]
Feature Changes
* dig +ednsopt now accepts the names for EDNS options in addition to
numeric values. For example, an EDNS Client-Subnet option could be
sent using dig +ednsopt=ecs:.... Thanks to John Worley of Secure64
for the contribution. [RT #44461]
* Threads in named are now set to human-readable names to assist
debugging on operating systems that support that. Threads will have
names such as "isc-timer", "isc-sockmgr", \
"isc-worker0001", and so
on. This will affect the reporting of subsidiary thread names in ps
and top, but not the main thread. [RT #43234]
* DiG now warns about .local queries which are reserved for Multicast
DNS. [RT #44783]
Bug Fixes
* Fixed a bug that was introduced in an earlier development release
which caused multi-packet AXFR and IXFR messages to fail validation
if not all packets contained TSIG records; this caused
interoperability problems with some other DNS implementations. [RT
#45509]
* Semicolons are no longer escaped when printing CAA and URI records.
This may break applications that depend on the presence of the
backslash before the semicolon. [RT #45216]
* AD could be set on truncated answer with no records present in the
answer and authority sections. [RT #45140]
End of Life
The end of life for BIND 9.10 is yet to be determined but will not be
before BIND 9.12.0 has been released for 6 months.
https://www.isc.org/downloads/software-support-policy/
|
2018-01-01 23:30:04 by Roland Illig | Files touched by this commit (537) |
Log message:
Sort PLIST files.
Unsorted entries in PLIST files have generated a pkglint warning for at
least 12 years. Somewhat more recently, pkglint has learned to sort
PLIST files automatically. Since pkglint 5.4.23, the sorting is only
done in obvious, simple cases. These have been applied by running:
pkglint -Cnone,PLIST -Wnone,plist-sort -r -F
|
2017-12-13 13:05:15 by Jonathan Perkin | Files touched by this commit (2) |
Log message:
bind9{9,10}: Fix path to rndc-confgen in SMF.
|
2017-11-07 03:16:45 by Kamil Rytarowski | Files touched by this commit (3) |
Log message:
bind910: Correct bind-json-statistics-server option build
Switch detection of json-c from homegrown detection of libraries in
hardcoded dirs to pkg-config detection.
Add new USE_TOOLS option pkg-config.
Bump PKGREVISION to 1 for new dependency.
|
2017-07-31 15:37:53 by Takahiro Kambe | Files touched by this commit (3) | |
Log message:
Update bind910 to 9.10.6.
Here is release note except security (already fixed by bind-9.10.5pl3, BIND
9.10.5-P3).
Release Notes for BIND Version 9.10.6
Introduction
This document summarizes changes since the last production release on
the BIND 9.10 branch. Please see the CHANGES file for a further list of
bug fixes and other changes.
Download
The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
New DNSSEC Root Key
ICANN is in the process of introducing a new Key Signing Key (KSK) for
the global root zone. BIND has multiple methods for managing DNSSEC
trust anchors, with somewhat different behaviors. If the root key is
configured using the managed-keys statement, or if the pre-configured
root key is enabled by using dnssec-validation auto, then BIND can keep
keys up to date automatically. Servers configured in this way should
have begun the process of rolling to the new key when it was published
in the root zone in July 2017. However, keys configured using the
trusted-keys statement are not automatically maintained. If your server
is performing DNSSEC validation and is configured using trusted-keys,
you are advised to change your configuration before the root zone
begins signing with the new KSK. This is currently scheduled for
October 11, 2017.
This release includes an updated version of the bind.keys file
containing the new root key. This file can also be downloaded from
https://www.isc.org/bind-keys .
Windows XP No Longer Supported
As of BIND 9.10.6, Windows XP is no longer a supported platform for
BIND, and Windows XP binaries are no longer available for download from
ISC.
Feature Changes
* dig +ednsopt now accepts the names for EDNS options in addition to
numeric values. For example, an EDNS Client-Subnet option could be
sent using dig +ednsopt=ecs:.... Thanks to John Worley of Secure64
for the contribution. [RT #44461]
* Threads in named are now set to human-readable names to assist
debugging on operating systems that support that. Threads will have
names such as "isc-timer", "isc-sockmgr", \
"isc-worker0001", and so
on. This will affect the reporting of subsidiary thread names in ps
and top, but not the main thread. [RT #43234]
* DiG now warns about .local queries which are reserved for Multicast
DNS. [RT #44783]
Bug Fixes
* Fixed a bug that was introduced in an earlier development release
which caused multi-packet AXFR and IXFR messages to fail validation
if not all packets contained TSIG records; this caused
interoperability problems with some other DNS implementations. [RT
#45509]
* Semicolons are no longer escaped when printing CAA and URI records.
This may break applications that depend on the presence of the
backslash before the semicolon. [RT #45216]
* AD could be set on truncated answer with no records present in the
answer and authority sections. [RT #45140]
End of Life
The end of life for BIND 9.10 is yet to be determined but will not be
before BIND 9.12.0 has been released for 6 months.
https://www.isc.org/downloads/software-support-policy/
|
2017-07-08 06:29:00 by Takahiro Kambe | Files touched by this commit (2) |
Log message:
Update bind910 to 9.10.5pl3 (BIND 9.10.5-P3).
--- 9.10.5-P3 released ---
4647. [bug] Change 4643 broke verification of TSIG signed TCP
message sequences where not all the messages contain
TSIG records. These may be used in AXFR and IXFR
responses. [RT #45509]
|
2017-07-01 19:39:44 by Takahiro Kambe | Files touched by this commit (2) | |
Log message:
Update bind910 to 9.10.5pl2 (9.10.5-P2).
--- 9.10.5-P2 released ---
4643. [security] An error in TSIG handling could permit unauthorized
zone transfers or zone updates. (CVE-2017-3142)
(CVE-2017-3143) [RT #45383]
4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
|