Log message:
PR/29576 -- Use @RCD_SCRIPTS_SHELL@ in rc.d scripts, not /bin/sh

Log message:
Update bind97 package to 9.7.4.

For full changes, please refer:
ftp://ftp.isc.org/isc/bind9/9.7.4/RELEASE-NOTES-BIND-9.7.4.html

New Features

9.7.4

     * A new test has been added to check the apex NSEC3 records after
       DNSKEY records have been added via dynamic update. [RT #23229]
     * Added a tool able to generate malformed packets to allow testing of
       how named handles them. [RT #24096]

Security Fixes

9.7.4

     * named, set up to be a caching resolver, is vulnerable to a user
       querying a domain with very large resource record sets (RRSets)
       when trying to negatively cache the response. Due to an off-by-one
       error, caching the response could cause named to crash. [RT #24650]
       [CVE-2011-1910]
     * Change #2912 (see CHANGES) exposed a latent bug in the DNS message
       processing code that could allow certain UPDATE requests to crash
       named. [RT #24777] [CVE-2011-2464]

Feature Changes

9.7.4

     * Merged in the NetBSD ATF test framework (currently version 0.12)
       for development of future unit tests. Use configure --with-atf to
       build ATF internally or configure --with-atf=prefix to use an
       external copy. [RT #23209]
     * Added more verbose error reporting from DLZ LDAP. [RT #23402]
     * Replaced compile time constant with STDTIME_ON_32BITS. [RT #23587]

Log message:
Update bind97 package to bind-9.7.3pl3 (9.7.3-P3), security release.

	--- 9.7.3-P3 released ---

3124.	[bug]		Use an rdataset attribute flag to indicate
			negative-cache records rather than using rrtype 0;
			this will prevent problems when that rrtype is
			used in actual DNS packets.  [RT #24777]

	--- 9.7.3-P2 released (withdrawn) ---

3123.	[security]	Change #2912 exposed a latent flaw in
			dns_rdataset_totext() that could cause named to
			crash with an assertion failure. [RT #24777]

Log message:
Update bind97 package to 9.7.3pl1 (9.7.3-P1).

	--- 9.7.3-P1 released ---

3121.   [security]      An authoritative name server sending a negative
                        response containing a very large RRset could
                        trigger an off-by-one error in the ncache code
                        and crash named. [RT #24650]

3120.	[bug]		Named could fail to validate zones listed in a DLV
			that validated insecure without using DLV and had
			DS records in the parent zone. [RT #24631]

Log message:
Update bind97 package to 9.7.3.

* also sync rc scrpt with base system.

Bug Fixes

9.7.3

     * BIND now builds with threads disabled in versions of NetBSD earlier
       than 5.0 and with pthreads enabled by default in NetBSD versions
       5.0 and higher. Also removes support for unproven-pthreads,
       mit-pthreads and ptl2. [RT #19203]
     * Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
       to properly update the zone when adding a DNSKEY for publication
       only). [RT #21324]
     * "nsupdate -l" now gives error message if \ 
"session.key" file is not
       found. [RT #21670]
     * HPUX now correctly defaults to using /dev/poll, which should
       increase performance. [RT #21919]
     * If named is running as a threaded application, after an "rndc stop"
       command has been issued, other inbound TCP requests can cause named
       to hang and never complete shutdown. [RT #22108]
     * After an "rndc reconfig", the refresh timer for managed-keys is
       ignored, resulting in managed-keys not being refreshed until named
       is restarted. [RT #22296]
     * An NSEC3PARAM record placed inside a zone which is not properly
       signed with NSEC3 could cause named to crash, if changed via
       dynamic update. [RT #22363]
     * "rndc -h" now includes "loadkeys" option. [RT #22493]
     * When performing a GSS-TSIG signed dynamic zone update, memory could
       be leaked. This causes an unclean shutdown and may affect
       long-running servers. [RT #22573]
     * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
       allows for a TCP DoS attack. Until there is a kernel fix, ISC is
       disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
     * When signing records, named didn't filter out any TTL changes to
       DNSKEY records. This resulted in an incomplete key set. TTL changes
       are now dealt with before signing. [RT #22590]
     * Corrected a defect where a combination of dynamic updates and zone
       transfers incorrectly locked the in-memory zone database, causing
       named to freeze. [RT #22614]
     * Don't run MX checks (check-mx) when the MX record points to ".".
       [RT #22645]
     * DST key reference counts can now be incremented via dst_key_attach.
       [RT #22672]
     * The IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL macros in win32
       were updated/corrected per current Windows OS. [RT #22724]
     * "dnssec-settime -S" no longer tests prepublication interval
       validity when the interval is set to 0. [RT #22761]
     * isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy
       attr. [RT #22766]
     * The Kerberos realm was being truncated when being pulled from the
       the host prinicipal, make krb5-self updates fail. [RT #22770]
     * named failed to preserve the case of domain names in RDATA which is
       not compressible when writing master files. [RT #22863]
     * The man page for dnssec-keyfromlabel incorrectly had "-U" rather
       than the correct option "-I". [RT #22887]
     * The "rndc" command usage statement was missing the \ 
"-b" option. [RT
       #22937]
     * There was a bug in how the clients-per-query code worked with some
       query patterns. This could result, in rare circumstances, in having
       all the client query slots filled with queries for the same DNS
       label, essentially ignoring the max-clients-per-query setting. [RT
       #22972]
     * The secure zone update feature in named is based on the zone being
       signed and configured for dynamic updates. A bug in the ACL
       processing for "allow-update { none; };" resulted in a zone that is
       supposed to be static being treated as a dynamic zone. Thus, name
       would try to sign/re-sign that zone erroneously. [RT #23120]

Log message:
Update bind97 package to bind-9.7.2pl3 (9.7.2-P3).

http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories

CVE: CVE-2010-3613
CERT: VU#706148
BIND: cache incorrectly allows a ncache entry and a rrsig for the same type

CVE: CVE-2010-3614
CERT: VU#837744
BIND: Key algorithm rollover bug in bind9

CVE: CVE-2010-3615
CERT: VU#510208
BIND: allow-query processed incorrectly

Log message:
Update bind97 package to 9.7.2pl2. (leaf package)

New Features

     * Zones may be dynamically added and removed with the "rndc addzone"
       and "rndc delzone" commands. These dynamically added zones are
       written to a per-view configuration file. Do not rely on the
       configuration file name nor contents as this will change in a
       future release. This is an experimental feature at this time.
     * Added new "filter-aaaa-on-v4" access control list to select which
       IPv4 clients have AAAA record filtering applied.
     * A new command "rndc secroots" was added to dump a combined summary
       of the currently managed keys combined with statically configured
       trust anchors.
     * Added support to load new keys into managed zones without signing
       immediately with "rndc loadkeys". Added support to link keys with
       "dnssec-keygen -S" and "dnssec-settime -S".

Changes

     * Documentation improvements
     * ORCHID prefixes were removed from the automatic empty zone list.
     * Improved handling of GSSAPI security contexts. Specifically, better
       memory management of cached contexts, limited lifetime of a context
       to 1 hour, and added a "realm" command to nsupdate to allow
       selection of a non-default realm name.
     * The contributed tool "ztk" was updated to version 1.0.

Security Fixes

     * If BIND, acting as a DNSSEC validating server, has two or more
       trust anchors configured in named.conf for the same zone (such as
       example.com) and the response for a record in that zone from the
       authoritative server includes a bad signature, the validating
       server will crash while trying to validate that query.
     * A flaw where the wrong ACL was applied was fixed. This flaw allowed
       access to a cache via recursion even though the ACL disallowed it.

Bug Fixes

     * Removed a warning message when running BIND 9 under Windows for
       when a TCP connection was aborted. This is a common occurrence and
       the warning was extraneous.
     * Worked around a race condition in the cache database memory
       handling. Without this fix a DNS cache DB or ADB could incorrectly
       stay in an over memory state, effectively refusing further caching,
       which subsequently made a BIND 9 caching server unworkable.
     * Partially disabled change 2864 because it would cause infinite
       attempts of RRSIG queries.
     * BIND did not properly handle non-cacheable negative responses from
       insecure zones. This caused several non-protocol-compliant zones to
       become unresolvable. BIND is now more accepting of responses it
       receives from less strict servers.
     * A bug, introduced in BIND 9.7.2, caused named to fail to start if a
       master zone file was unreadable or missing. This has been corrected
       in 9.7.2-P1.
     * BIND previously accepted answers from authoritative servers that
       did not provide a "proper" response, such as not setting AA bit.
       BIND was changed to be more strict in what it accepted but this
       caused operational issues. This new strictness has been backed out
       in 9.7.2-P1.

Log message:
Update bind97 package to 9.7.1pl2 (BIND 9.7.1-P2).

	--- 9.7.1-P2 released ---

2931.	[security]	Temporarily and partially disable change 2864
			because it would cause inifinite attempts of RRSIG
			queries.  This is an urgent care fix; we'll
			revisit the issue and complete the fix later.
			[RT #21710]

	--- 9.7.1-P1 released ---

2926.	[rollback]	Temporarially rollback change 2748. [RT #21594]

2925.	[bug]		Named failed to accept uncachable negative responses
			from insecure zones. [RT# 21555]

Log message:
Update bindi97 package to 9.7.1.

	--- 9.7.1 released ---

	--- 9.7.1rc1 released ---

2909.	[bug]		named-checkconf -p could die if "update-policy local;"
			was specified in named.conf. [RT #21416]

2908.	[bug]		It was possible for re-signing to stop after removing
			a DNSKEY. [RT #21384]

2907.	[bug]		The export version of libdns had undefined references.
			[RT #21444]

2906.	[bug]		Address RFC 5011 implementation issues. [RT #20903]

2905.	[port]		aix: set use_atomic=yes with native compiler.
			[RT #21402]

2904.   [bug]           When using DLV, sub-zones of the zones in the DLV,
			could be incorrectly marked as insecure instead of
			secure leading to negative proofs failing.  This was
			a unintended outcome from change 2890. [RT# 21392]

2903.	[bug]		managed-keys-directory missing from namedconf.c.
			[RT #21370]

	--- 9.7.1b1 released ---

2902.	[func]		Add regression test for change 2897. [RT #21040]

2901.	[port]		Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]

2900.	[bug]		The placeholder negative caching element was not
			properly constructed triggering a INSIST in
			dns_ncache_towire(). [RT #21346]

2899.	[port]		win32: Support linking against OpenSSL 1.0.0.

2898.	[bug]		nslookup leaked memory when -domain=value was
			specified. [RT #21301]

2897.	[bug]		NSEC3 chains could be left behind when transitioning
			to insecure. [RT #21040]

2896.	[bug]		"rndc sign" failed to properly update the zone
			when adding a DNSKEY for publication only. [RT #21045]

2895.	[func]		genrandom: add support for the generation of multiple
			files.  [RT #20917]

2894.	[contrib]	DLZ LDAP support now use '$' not '%'. [RT #21294]

2893.	[bug]		Improve managed keys support.  New named.conf option
			managed-keys-directory. [RT #20924]

2892.	[bug]		Handle REVOKED keys better. [RT #20961]

2891.	[maint]		Update empty-zones list to match
			draft-ietf-dnsop-default-local-zones-13. [RT# 21099]

2890.	[bug]		Handle the introduction of new trusted-keys and
			DS, DLV RRsets better. [RT #21097]

2889.	[bug]		Elements of the grammar where not properly reported.
			[RT #21046]

2888.	[bug]		Only the first EDNS option was displayed. [RT #21273]

2887.	[bug]		Report the keytag times in UTC in the .key file,
			local time is presented as a comment within the
			comment.  [RT #21223]

2886.	[bug]		ctime() is not thread safe. [RT #21223]

2885.	[bug]		Improve -fno-strict-aliasing support probing in
			configure. [RT #21080]

2884.	[bug]		Insufficient valadation in dns_name_getlabelsequence().
			[RT #21283]

2883.	[bug]		'dig +short' failed to handle really large datasets.
			[RT #21113]

2882.	[bug]		Remove memory context from list of active contexts
			before clearing 'magic'. [RT #21274]

2881.	[bug]		Reduce the amount of time the rbtdb write lock
			is held when closing a version. [RT #21198]

2880.	[cleanup]	Make the output of dnssec-keygen and dnssec-revoke
			consistent. [RT #21078]

2879.	[contrib]	DLZ bdbhpt driver fails to close correct cursor.
			[RT #21106]

2878.	[func]		Incrementally write the master file after performing
			a AXFR.  [RT #21010]

2877.	[bug]		The validator failed to skip obviously mismatching
			RRSIGs. [RT #21138]

2876.	[bug]		Named could return SERVFAIL for negative responses
			from unsigned zones. [RT #21131]

2875.	[bug]		dns_time64_fromtext() could accept non digits.
			[RT #21033]

2874.	[bug]		Cache lack of EDNS support only after the server
			successfully responds to the query using plain DNS.
			[RT #20930]

2873.	[bug]		Canceling a dynamic update via the dns/client module
			could trigger an assertion failure. [RT #21133]

2872.	[bug]		Modify dns/client.c:dns_client_createx() to only
			require one of IPv4 or IPv6 rather than both.
			[RT #21122]

2871.	[bug]		Type mismatch in mem_api.c between the definition and
			the header file, causing build failure with
			--enable-exportlib. [RT #21138]

2870.	[maint]		Add AAAA address for L.ROOT-SERVERS.NET.

2869.	[bug]		Fix arguments to dns_keytable_findnextkeynode() call.
			[RT #20877]

2868.	[cleanup]	Run "make clean" at the end of configure to ensure
			any changes made by configure are integrated.
			Use --with-make-clean=no to disable.  [RT #20994]

2867.	[bug]		Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
			don't like it.  [RT #20986]

2866.	[bug]		Windows does not like the TSIG name being compressed.
			[RT #20986]

2865.	[bug]		memset to zero event.data.  [RT #20986]

2864.	[bug]		Direct SIG/RRSIG queries were not handled correctly.
			[RT #21050]

2863.	[port]		linux: disable IPv6 PMTUD and use network minimum MTU.
			[RT #21056]

2862.	[bug]		nsupdate didn't default to the parent zone when
			updating DS records. [RT #20896]

2861.	[doc]		dnssec-settime man pages didn't correctly document the
			inactivation time. [RT #21039]

2860.	[bug]		named-checkconf's usage was out of date. [RT #21039]

2859.	[bug]		When cancelling validation it was possible to leak
			memory. [RT #20800]

2858.	[bug]		RTT estimates were not being adjusted on ICMP errors.
			[RT #20772]

2857.	[bug]		named-checkconf did not fail on a bad trusted key.
			[RT #20705]

2856.	[bug]		The size of a memory allocation was not always properly
			recorded. [RT #20927]

2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]

2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]

2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
			source as it produced bad nroff.  [RT #21007]

2850.	[bug]		If isc_heap_insert() failed due to memory shortage
			the heap would have corrupted entries. [RT #20951]

Log message:
Importing net/bind97 package 9.7.0pl2 package.
(This is simply based on net/bind96).