2023-03-17 14:54:19 by Takahiro Kambe | Files touched by this commit (3)
Log message: net/bind916: update to 9.16.39

--- 9.16.39 released ---

6119. [bug] Make sure to revert the reconfigured zones to the previous version of the view, when the new view reconfiguration fails during the configuration of one of the configured zones. [GL #3911]
6116. [bug] Fix error path cleanup issue in the dns_catz_new_zones() function. [GL #3900]
6115. [bug] Unregister db update notify callback before detaching from the previous db inside the catz update notify callback. [GL #3777]
6105. [bug] Detach 'rpzs' and 'catzs' from the previous view in configure_rpz() and configure_catz(), respectively, just after attaching it to the new view. [GL #3880]
6098. [test] Don't test HMAC-MD5 when not supported by libcrypto. [GL #3871]
6095. [test] Test various 'islands of trust' configurations when using managed keys. [GL #3662]
6094. [bug] Building against (or running with) libuv versions 1.35.0 and 1.36.0 is now a fatal error. The rules for mixing and matching compile-time and run-time libuv versions have been tightened for libuv versions between 1.35.0 and 1.40.0. [GL #3840]
2023-02-16 14:36:01 by Takahiro Kambe | Files touched by this commit (2)
Log message: net/bind916: update to 9.16.38

--- 9.16.38 released ---

6083. [bug] Fix DNSRPS-enabled builds as they were inadvertently broken by change 6042. [GL #3827]
6081. [bug] Handle primary server address lookup failures in nsupdate more gracefully. [GL #3830]
6080. [bug] 'named -V' leaked memory. [GL #3829]
6079. [bug] Force set the DS state after a 'rndc dnssec -checkds' command. [GL #3822]
6075. [bug] Add missing node lock when setting node->wild in add_wildcard_magic. [GL #3799]
6072. [bug] Avoid the OpenSSL lock contention when initializing Message Digest Contexts by using explicit algorithm fetching, initializing static contexts for every supported algorithm, and initializing the new context by copying the static copy. [GL #3795]
6069. [bug] Detach from the view in zone_shutdown() to release the memory held by the dead view early. [GL #3801]
2023-01-26 14:32:47 by Takahiro Kambe | Files touched by this commit (5)
Log message: net/bind916: update to 9.16.37

--- 9.16.37 released ---

6067. [security] Fix serve-stale crash when recursive clients soft quota is reached. (CVE-2022-3924) [GL #3619]
6066. [security] Handle RRSIG lookups when serve-stale is active. (CVE-2022-3736) [GL #3622]
6064. [security] An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new "update-quota" statement that controls the number of simultaneous UPDATE messages that can be processed or forwarded. The default is 100. A stats counter has been added to record events when the update quota is exceeded, and the XML and JSON statistics version numbers have been updated. (CVE-2022-3094) [GL #3523]
6062. [func] The DSCP implementation, which has only been partly operational since 9.16.0, is now marked as deprecated. Configuring DSCP values in named.conf will cause a warning to be logged. [GL #3773]
6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone() by detaching from the zone manager outside of the write lock. [GL #3768]
6059. [bug] In some serve-stale scenarios, like when following an expired CNAME record, named could return SERVFAIL if the previous request wasn't successful. Consider non-stale data when in serve-stale mode. [GL #3678]
6058. [bug] Prevent named from crashing when "rndc delzone" attempts to delete a zone added by a catalog zone. [GL #3745]
6050. [bug] Changes to the RPZ response-policy min-update-interval and add-soa options now take effect as expected when named is reconfigured. [GL #3740]
6048. [bug] Fix a log message error in dns_catz_update_from_db(), where serials with values of 2^31 or larger were logged incorrectly as negative numbers. [GL #3742]
6045. [cleanup] The list of supported DNSSEC algorithms changed log level from "warning" to "notice" to match named's other startup messages. [GL !7217]
6044. [bug] There was an "RSASHA236" typo in a log message. [GL !7206]
2023-01-09 07:48:53 by Takahiro Kambe | Files touched by this commit (2)
Log message: net/bind916: update to 9.16.36

9.16.36 (2022-12-21)

Feature Changes

* The auto-dnssec option has been deprecated and will be removed in a future BIND 9.19.x release. Please migrate to dnssec-policy. [GL #3667]

Bug Fixes

* When a catalog zone was removed from the configuration, in some cases a dangling pointer could cause the named process to crash. This has been fixed. [GL #3683]
* When a zone was deleted from a server, a key management object related to that zone was inadvertently kept in memory and only released upon shutdown. This could lead to constantly increasing memory use on servers with a high rate of changes affecting the set of zones being served. This has been fixed. [GL #3727]
* In certain cases, named waited for the resolution of outstanding recursive queries to finish before shutting down. This was unintended and has been fixed. [GL #3183]
* The "zone <name>/<class>: final reference detached" log message was moved from the INFO log level to the DEBUG(1) log level to prevent the named-checkzone tool from superfluously logging this message in non-debug mode. [GL #3707]
2022-11-23 17:21:30 by Adam Ciarcinski | Files touched by this commit (1878)
Log message: massive revision bump after textproc/icu update
2022-11-16 14:47:38 by Takahiro Kambe | Files touched by this commit (2)
Log message: net/bind916: update to 9.16.35

9.6.35 (2022-11-16)

Bug Fixes

* A crash was fixed that happened when a dnssec-policy zone that used NSEC3 was reconfigured to enable inline-signing. [GL #3591]
* In certain resolution scenarios, quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed. [GL #3598]
* rpz-ip rules in response-policy zones could be ineffective in some cases if a query had the CD (Checking Disabled) bit set to 1. This has been fixed. [GL #3247]
* Previously, if Internet connectivity issues were experienced during the initial startup of named, a BIND resolver with dnssec-validation set to auto could enter into a state where it would not recover without stopping named, manually deleting the managed-keys.bind and managed-keys.bind.jnl files, and starting named again. This has been fixed. [GL #2895]
* The statistics counter representing the current number of clients awaiting recursive resolution results (RecursClients) could overflow in certain resolution scenarios. This has been fixed. [GL #3584]
* Previously, BIND failed to start on Solaris-based systems with hundreds of CPUs. This has been fixed. [GL #3563]
* When a DNS resource record's TTL value was equal to the resolver's configured prefetch "eligibility" value, the record was erroneously not treated as eligible for prefetching. This has been fixed. [GL #3603]
2022-10-19 13:04:49 by Takahiro Kambe | Files touched by this commit (2)
Log message: net/bind916: update to 9.16.34

9.16.34

Known Issues

* Upgrading from BIND 9.16.32 or any older version may require a manual configuration change. The following configurations are affected:
  - type primary zones configured with dnssec-policy but without either allow-update or update-policy,
  - type secondary zones configured with dnssec-policy.
* In these cases please add inline-signing yes; to the individual zone configuration(s). Without applying this change, named will fail to start. For more details, see https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing

New Features

* Support for parsing and validating the dohpath service parameter in SVCB records was added. [GL #3544]
* named now logs the supported cryptographic algorithms during startup and in the output of named -V. [GL #3541]

Bug Fixes

* Changing just the TSIG key names for primaries in catalog zones' member zones was not effective. This has been fixed. [GL #3557]
2022-09-21 14:58:47 by Havard Eidnes | Files touched by this commit (2)
Log message: Upgrade net/bind916 to version 9.16.33. OKed by wiz@

Pkgsrc changes:
* Just checksum updates.

Upstream changes:

--- 9.16.33 released ---

5962. [security] Fix memory leak in EdDSA verify processing. (CVE-2022-38178) [GL #3487]
5961. [security] Fix memory leak in ECDSA verify processing. (CVE-2022-38177) [GL #3487]
5960. [security] Fix serve-stale crash that could happen when stale-answer-client-timeout was set to 0 and there was a stale CNAME in the cache for an incoming query. (CVE-2022-3080) [GL #3517]
5957. [security] Prevent excessive resource use while processing large delegations. (CVE-2022-2795) [GL #3394]
5956. [func] Make RRL code treat all QNAMEs that are subject to wildcard processing within a given zone as the same name. [GL #3459]
5955. [port] The libxml2 library has deprecated the usage of xmlInitThreads() and xmlCleanupThreads() functions. Use xmlInitParser() and xmlCleanupParser() instead. [GL #3518]
5954. [func] Fall back to IDNA2003 processing in dig when IDNA2008 conversion fails. [GL #3485]
5953. [bug] Fix a crash on shutdown in delete_trace_entry(). Add mctx attach/detach pair to make sure that the memory context used by a memory pool is not destroyed before the memory pool itself. [GL #3515]
5952. [bug] Use quotes around address strings in YAML output. [GL #3511]
5951. [bug] In some cases, the dnstap query_message field was erroneously set when logging response messages. [GL #3501]
5948. [bug] Fix nsec3.c:dns_nsec3_activex() function, add a missing dns_db_detachnode() call. [GL #3500]
5945. [bug] If parsing /etc/bind.key failed, delv could assert when trying to parse the built-in trust anchors as the parser hadn't been reset. [GL !6468]
5942. [bug] Fix tkey.c:buildquery() function's error handling by adding the missing cleanup code. [GL #3492]
5941. [func] Zones with dnssec-policy now require dynamic DNS or inline-signing to be configured explicitly. [GL #3381]
5936. [bug] Don't enable serve-stale for lookups that error because it is a duplicate query or a query that would be dropped. [GL #2982]
2022-08-17 17:38:28 by Takahiro Kambe | Files touched by this commit (2)
Log message: net/bind916: update to 9.16.32

9.16.32 (2022-08-17)

Notes for BIND 9.16.32

Feature Changes

* The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically disabled on systems where they are disallowed by the security policy (e.g. Red Hat Enterprise Linux 9). Primary zones using those algorithms need to be migrated to new algorithms prior to running on these systems, as graceful migration to different DNSSEC algorithms is not possible when RSASHA1 is disallowed by the operating system. [GL #3469]
* Log messages related to fetch limiting have been improved to provide more complete information. Specifically, the final counts of allowed and spilled fetches are now logged before the counter object is destroyed. [GL #3461]

Bug Fixes

* Non-dynamic zones that inherit dnssec-policy from the view or options blocks were not marked as inline-signed and therefore never scheduled to be re-signed. This has been fixed. [GL #3438]
* The old max-zone-ttl zone option was meant to be superseded by the max-zone-ttl option in dnssec-policy; however, the latter option was not fully effective. This has been corrected: zones no longer load if they contain TTLs greater than the limit configured in dnssec-policy. For zones with both the old max-zone-ttl option and dnssec-policy configured, the old option is ignored, and a warning is generated. [GL #2918]
* rndc dumpdb -expired was fixed to include expired RRsets, even if stale-cache-enable is set to no and the cache-cleaning time window has passed. [GL #3462]
2022-07-20 17:14:14 by Takahiro Kambe | Files touched by this commit (3)
Log message: net/bind916: update to 9.16.31

9.6.31 (2022-07-20)

5917. [bug] Update ifconfig.sh script as it miscomputed interface identifiers when destroying interfaces. [GL #3061]
5915. [bug] Detect missing closing brace (}) and computational overflows in $GENERATE directives. [GL #3429]
5913. [bug] Fix a race between resolver query timeout and validation in resolver.c:validated(). Remove resolver.c:maybe_destroy() as it is no longer needed. [GL #3398]
5909. [bug] The server-side destination port was missing from dnstap captures of client traffic. [GL #3309]
5905. [bug] When the TCP connection would be closed/reset between the connect/accept and the read, the uv_read_start() return value would be unexpected and cause an assertion failure. [GL #3400]
5903. [bug] When named checks that the OPCODE in a response matches that of the request, if there is a mismatch named logs an error. Some of those error messages incorrectly used RCODE instead of OPCODE to look up the mnemonic. This has been corrected. [GL !6420]