Log message:
net/bind916: Update to 9.6.18

This is a bugfix release.

- Fixed a bug that caused the NSEC salt to be changed for KASP zones on every
  startup.

- Signed, insecure delegation responses prepared by named either lacked the
  necessary NSEC records or contained duplicate NSEC records when both wildcard
  expansion and CNAME chaining were required to prepare the response. This has
  been fixed.

- Queries where the wildcard match contained the letter W failed to return the
  correct response as the W was mapped to \000.

- Checking of key-directory and dnssec-policy was broken. The checks failed to
  account for key-directory inheritance.

Full release notes:
https://bind9.readthedocs.io/en/v9_16/notes.html#notes-for-bind-9-16-18

Log message:
net/bind916: Update to 9.16.17

Feature Changes:
- After the network manager was introduced to named to handle incoming traffic,
  it was discovered that recursive performance had degraded compared to
  previous BIND 9 versions. This has now been fixed by processing internal
  tasks inside network manager worker threads, preventing resource contention
  among two sets of threads.

- Zone dumping tasks are now run on separate asynchronous thread pools. This
  change prevents zone dumping from blocking network I/O.

- inline-signing was incorrectly described as being inherited from the
  options/view levels and was incorrectly accepted at those levels without
  effect. This has been fixed; named.conf files with inline-signing at those
  levels no longer load.

Full changelog:
https://bind9.readthedocs.io/en/v9_16/notes.html#notes-for-bind-9-16-17

Log message:
bind916: Fix build on SmartOS

Do not use priorities attribute as they are not supported
at least on SmartOS with gcc 7.5

Log message:
net/bind916: reset PKGREVISION

Log message:
net/bind916: update to 9.11.32

Notes for BIND 9.16.16

Feature Changes

* DNSSEC responses containing NSEC3 records with iteration counts greater
  than 150 are now treated as insecure.  [GL #2445]

* The maximum supported number of NSEC3 iterations that can be configured
  for a zone has been reduced to 150.  [GL #2642]

* The default value of the max-ixfr-ratio option was changed to unlimited,
  for better backwards compatibility in the stable release series.  [GL
  #2671]

* Zones that want to transition from secure to insecure mode without
  becoming bogus in the process must now have their dnssec-policy changed
  first to insecure, rather than none.  After the DNSSEC records have been
  removed from the zone, the dnssec-policy can be set to none or removed
  from the configuration.  Setting the dnssec-policy to insecure causes CDS
  and CDNSKEY DELETE records to be published.  [GL #2645]

* The implementation of the ZONEMD RR type has been updated to match RFC
  8976.  [GL #2658]

* The draft-vandijk-dnsop-nsec-ttl IETF draft was implemented: NSEC(3) TTL
  values are now set to the minimum of the SOA MINIMUM value or the SOA TTL.
  [GL #2347]

Bug Fixes

* It was possible for corrupt journal files generated by an earlier version
  of named to cause problems after an upgrade.  This has been fixed.  [GL
  #2670]

* TTL values in cache dumps were reported incorrectly when
  stale-cache-enable was set to yes.  This has been fixed.  [GL #389] [GL
  #2289]

* A deadlock could occur when multiple rndc addzone, rndc delzone, and/or
  rndc modzone commands were invoked simultaneously for different zones.
  This has been fixed.  [GL #2626]

* named and named-checkconf did not report an error when multiple zones with
  the dnssec-policy option set were using the same zone file.  This has been
  fixed.  [GL #2603]

* If dnssec-policy was active and a private key file was temporarily offline
  during a rekey event, named could incorrectly introduce replacement keys
  and break a signed zone.  This has been fixed.  [GL #2596]

* When generating zone signing keys, KASP now also checks for key ID
  conflicts among newly created keys, rather than just between new and
  existing ones.  [GL #2628]

Log message:
*: recursive bump for perl 5.34

Log message:
net/bind916: update to 9.16.15

Security release.

	--- 9.16.15 released ---

5621.	[bug]		Due to a backporting mistake in change 5609, named
			binaries built against a Kerberos/GSSAPI library whose
			header files did not define the GSS_SPNEGO_MECHANISM
			preprocessor macro were not able to start if their
			configuration included the "tkey-gssapi-credential"
			option. This has been fixed. [GL #2634]

5620.	[bug]		If zone journal files written by BIND 9.16.11 or earlier
			were present when BIND was upgraded, the zone file for
			that zone could have been inadvertently rewritten with
			the current zone contents. This caused the original zone
			file structure (e.g. comments, $INCLUDE directives) to
			be lost, although the zone data itself was preserved.
			This has been fixed. [GL #2623]

	--- 9.16.14 released ---

5617.	[security]	A specially crafted GSS-TSIG query could cause a buffer
			overflow in the ISC implementation of SPNEGO.
			(CVE-2021-25216) [GL #2604]

5616.	[security]	named crashed when a DNAME record placed in the ANSWER
			section during DNAME chasing turned out to be the final
			answer to a client query. (CVE-2021-25215) [GL #2540]

5615.	[security]	Insufficient IXFR checks could result in named serving a
			zone without an SOA record at the apex, leading to a
			RUNTIME_CHECK assertion failure when the zone was
			subsequently refreshed. This has been fixed by adding an
			owner name check for all SOA records which are included
			in a zone transfer. (CVE-2021-25214) [GL #2467]

5614.	[bug]		Ensure all resources are properly cleaned up when a call
			to gss_accept_sec_context() fails. [GL #2620]

5613.	[bug]		It was possible to write an invalid transaction header
			in the journal file for a managed-keys database after
			upgrading. This has been fixed. Invalid headers in
			existing journal files are detected and named is able
			to recover from them. [GL #2600]

5611.	[func]		Set "stale-answer-client-timeout" to "off" by \ 
default.
			[GL #2608]

5610.	[bug]		Prevent a crash which could happen when a lookup
			triggered by "stale-answer-client-timeout" was attempted
			right after recursion for a client query finished.
			[GL #2594]

5609.	[func]		The ISC implementation of SPNEGO was removed from BIND 9
			source code. It was no longer necessary as all major
			contemporary Kerberos/GSSAPI libraries include support
			for SPNEGO. [GL #2607]

5608.	[bug]		When sending queries over TCP, dig now properly handles
			"+tries=1 +retry=0" by not retrying the connection when
			the remote server closes the connection prematurely.
			[GL #2490]

5607.	[bug]		As "rndc dnssec -checkds" and "rndc dnssec \ 
-rollover"
			commands may affect the next scheduled key event,
			reconfiguration of zone keys is now triggered after
			receiving either of these commands to prevent
			unnecessary key rollover delays. [GL #2488]

5606.	[bug]		CDS/CDNSKEY DELETE records are now removed when a zone
			transitions from a secure to an insecure state.
			named-checkzone also no longer reports an error when
			such records are found in an unsigned zone. [GL #2517]

5605.	[bug]		"dig -u" now uses the CLOCK_REALTIME clock source for
			more accurate time reporting. [GL #2592]

5603.	[bug]		Fix a memory leak that occurred when named failed to
			bind a UDP socket to a network interface. [GL #2575]

5602.	[bug]		Fix TCPDNS and TLSDNS timers in Network Manager. This
			makes the "tcp-initial-timeout" and "tcp-idle-timeout"
			options work correctly again. [GL #2583]

5601.	[bug]		Zones using KASP could not be thawed after they were
			frozen using "rndc freeze". This has been fixed.
			[GL #2523]

Log message:
revbump for textproc/icu

Log message:
net/bind916: update to 9.16.13

9.16.13 (2022-03-17)

New Features

* A new purge-keys option has been added to dnssec-policy. It sets the
  period of time that key files are retained after becoming obsolete
  due to a key rollover; the default is 90 days. This feature can be
  disabled by setting purge-keys to 0. [GL #2408]

Feature Changes

* When serve-stale is enabled and stale data is available, named now
  returns stale answers upon encountering any unexpected error in the
  query resolution process. This may happen, for example, if the
  fetches-per-server or fetches-per-zone limits are reached. In this
  case, named attempts to answer DNS requests with stale data, but
  does not start the stale-refresh-time window. [GL #2434]

Bug Fixes

* Zone journal (.jnl) files created by versions of named prior to
  9.16.12 were no longer compatible; this could cause problems when
  upgrading if journal files were not synchronized first. This has
  been corrected: older journal files can now be read when starting
  up. When an old-style journal file is detected, it is updated to the
  new format immediately after loading.

  Note that journals created by the current version of named are not
  usable by versions prior to 9.16.12. Before downgrading to a prior
  release, users are advised to ensure that all dynamic zones have
  been synchronized using rndc sync -clean.

  A journal file's format can be changed manually by running
  named-journalprint -d (downgrade) or named-journalprint -u
  (upgrade). Note that this must not be done while named is
  running. [GL #2505]

* named crashed when it was allowed to serve stale answers and
  stale-answer-client-timeout was triggered without any (stale) data
  available in the cache to answer the query. [GL #2503]

* If an outgoing packet exceeded max-udp-size, named dropped it
  instead of sending back a proper response. To prevent this problem,
  the IP_DONTFRAG option is no longer set on UDP sockets, which has
  been happening since BIND 9.16.11. [GL #2466]

* NSEC3 records were not immediately created when signing a dynamic
  zone using dnssec-policy with nsec3param. This has been fixed. [GL
  #2498]

* A memory leak occurred when named was reconfigured after adding an
  inline-signed zone with auto-dnssec maintain enabled. This has been
  fixed. [GL #2041]

* An invalid direction field (not one of N, S, E, W) in a LOC record
  resulted in an INSIST failure when a zone file containing such a
  record was loaded. [GL #2499]

Log message:
bind: update to 9.16.12.

XXX: why does this have so many patches?

	--- 9.16.12 released ---

5578.	[protocol]	Make "check-names" accept A records below \ 
"_spf",
			"_spf_rate", and "_spf_verify" labels in order to cater
			for the "exists" SPF mechanism specified in RFC 7208
			section 5.7 and appendix D.1. [GL #2377]

5577.	[bug]		Fix the "three is a crowd" key rollover bug in KASP by
			correctly implementing Equation (2) of the "Flexible and
			Robust Key Rollover" paper. [GL #2375]

5575.	[bug]		When migrating to KASP, BIND 9 considered keys with the
			"Inactive" and/or "Delete" timing metadata to be
			possible active keys. This has been fixed. [GL #2406]

5572.	[bug]		Address potential double free in generatexml().
			[GL #2420]

5571.	[bug]		named failed to start when its configuration included a
			zone with a non-builtin "allow-update" ACL attached.
			[GL #2413]

5570.	[bug]		Improve performance of the DNSSEC verification code by
			reducing the number of repeated calls to
			dns_dnssec_keyfromrdata(). [GL #2073]

5569.	[bug]		Emit useful error message when "rndc retransfer" is
			applied to a zone of inappropriate type. [GL #2342]

5568.	[bug]		Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
			keys. [GL #2178]

5567.	[bug]		Dig now reports unknown dash options while pre-parsing
			the options. This prevents "-multi" instead of "+multi"
			from reporting memory usage before ending option parsing
			with "Invalid option: -lti". [GL #2403]

5566.	[func]		Add "stale-answer-client-timeout" option, which is the
			amount of time a recursive resolver waits before
			attempting to answer the query using stale data from
			cache. [GL #2247]

5565.	[func]		The SONAMEs for BIND 9 libraries now include the current
			BIND 9 version number, in an effort to tightly couple
			internal libraries with a specific release. [GL #2387]

5562.	[security]	Fix off-by-one bug in ISC SPNEGO implementation.
			(CVE-2020-8625) [GL #2354]

5561.	[bug]		KASP incorrectly set signature validity to the value of
			the DNSKEY signature validity. This is now fixed.
			[GL #2383]

5560.	[func]		The default value of "max-stale-ttl" has been changed
			from 12 hours to 1 day and the default value of
			"stale-answer-ttl" has been changed from 1 second to 30
			seconds, following RFC 8767 recommendations. [GL #2248]

5456.	[func]		Added "primaries" as a synonym for "masters" in
			named.conf, and "primary-only" as a synonym for
			"master-only" in the parameters to "notify", to bring
			terminology up-to-date with RFC 8499. [GL #1948]

5362.	[func]		Limit the size of IXFR responses so that AXFR will
			be used instead if it would be smaller. This is
			controlled by the "max-ixfr-ratio" option, which
			is a percentage representing the ratio of IXFR size
			to the size of the entire zone. This value cannot
			exceed 100%, which is the default. [GL #1515]