Next | Query returned 85 messages, browsing 21 to 30 | Previous

CVS Commit History:


   2023-04-19 10:12:01 by Adam Ciarcinski | Files touched by this commit (2359) | Package updated
Log message:
revbump after textproc/icu update

   2023-03-17 14:54:19 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
net/bind916: update to 9.16.39

--- 9.16.39 released ---

6119.	[bug]		Make sure to revert the reconfigured zones to the
			previous version of the view, when the new view
			reconfiguration fails during the configuration of
			one of the configured zones. [GL #3911]

6116.	[bug]		Fix error path cleanup issue in the dns_catz_new_zones()
			function. [GL #3900]

6115.	[bug]		Unregister db update notify callback before detaching
			from the previous db inside the catz update notify
			callback. [GL #3777]

6105.	[bug]		Detach 'rpzs' and 'catzs' from the previous view in
			configure_rpz() and configure_catz(), respectively,
			just after attaching it to the new view. [GL #3880]

6098.	[test]		Don't test HMAC-MD5 when not supported by libcrypto.
			[GL #3871]

6095.	[test]		Test various 'islands of trust' configurations when
			using managed keys. [GL #3662]

6094.	[bug]		Building against (or running with) libuv versions
			1.35.0 and 1.36.0 is now a fatal error.  The rules for
			mixing and matching compile-time and run-time libuv
			versions have been tightened for libuv versions between
			1.35.0 and 1.40.0. [GL #3840]

   2023-02-16 14:36:01 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
net/bind916: update to 9.16.38

	--- 9.16.38 released ---

6083.	[bug]		Fix DNSRPS-enabled builds as they were inadvertently
			broken by change 6042. [GL #3827]

6081.	[bug]		Handle primary server address lookup failures in
			nsupdate more gracefully. [GL #3830]

6080.	[bug]		'named -V' leaked memory. [GL #3829]

6079.	[bug]		Force set the DS state after a 'rndc dnssec -checkds'
			command. [GL #3822]

6075.	[bug]		Add missing node lock when setting node->wild in
			add_wildcard_magic. [GL #3799]

6072.	[bug]		Avoid the OpenSSL lock contention when initializing
			Message Digest Contexts by using explicit algorithm
			fetching, initializing static contexts for every
			supported algorithm, and initializing the new context
			by copying the static copy. [GL #3795]

6069.	[bug]		Detach from the view in zone_shutdown() to
			release the memory held by the dead view
			early. [GL #3801]

   2023-01-26 14:32:47 by Takahiro Kambe | Files touched by this commit (5) | Package updated
Log message:
net/bind916: update to 9.16.37

	--- 9.16.37 released ---

6067.	[security]	Fix serve-stale crash when recursive clients soft quota
			is reached. (CVE-2022-3924) [GL #3619]

6066.	[security]	Handle RRSIG lookups when serve-stale is active.
			(CVE-2022-3736) [GL #3622]

6064.	[security]	An UPDATE message flood could cause named to exhaust all
			available memory. This flaw was addressed by adding a
			new "update-quota" statement that controls the number of
			simultaneous UPDATE messages that can be processed or
			forwarded. The default is 100. A stats counter has been
			added to record events when the update quota is
			exceeded, and the XML and JSON statistics version
			numbers have been updated. (CVE-2022-3094) [GL #3523]

6062.	[func]		The DSCP implementation, which has only been
			partly operational since 9.16.0, is now marked as
			deprecated. Configuring DSCP values in named.conf
			will cause a warning to be logged. [GL #3773]

6060.	[bug]		Fix a use-after-free bug in dns_zonemgr_releasezone()
			by detaching from the zone manager outside of the write
			lock. [GL #3768]

6059.	[bug]		In some serve stale scenarios, like when following an
			expired CNAME record, named could return SERVFAIL if the
			previous request wasn't successful. Consider non-stale
			data when in serve-stale mode. [GL #3678]

6058.	[bug]		Prevent named from crashing when "rndc delzone"
			attempts to delete a zone added by a catalog zone.
			[GL #3745]

6050.	[bug]		Changes to the RPZ response-policy min-update-interval
			and add-soa options now take effect as expected when
			named is reconfigured. [GL #3740]

6048.	[bug]		Fix a log message error in dns_catz_update_from_db(),
			where serials with values of 2^31 or larger were logged
			incorrectly as negative numbers. [GL #3742]

6045.	[cleanup]	The list of supported DNSSEC algorithms changed log
			level from "warning" to "notice" to match named's other
			startup messages. [GL !7217]

6044.	[bug]		There was an "RSASHA236" typo in a log message.
			[GL !7206]

   2023-01-09 07:48:53 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
net/bind916: update to 9.16.36

9.16.36 (2022-12-21)

Feature Changes

* The auto-dnssec option has been deprecated and will be removed in a future
  BIND 9.19.x release. Please migrate to dnssec-policy.  [GL #3667]

Bug Fixes

* When a catalog zone was removed from the configuration, in some cases a
  dangling pointer could cause the named process to crash.  This has been
  fixed. [GL #3683]

* When a zone was deleted from a server, a key management object related to
  that zone was inadvertently kept in memory and only released upon
  shutdown.  This could lead to constantly increasing memory use on servers
  with a high rate of changes affecting the set of zones being served.  This
  has been fixed.  [GL #3727]

* In certain cases, named waited for the resolution of outstanding recursive
  queries to finish before shutting down.  This was unintended and has been
  fixed.  [GL #3183]

* The zone <name>/<class>: final reference detached log message was moved
  from the INFO log level to the DEBUG(1) log level to prevent the
  named-checkzone tool from superfluously logging this message in non-debug
  mode.  [GL #3707]

   2022-11-23 17:21:30 by Adam Ciarcinski | Files touched by this commit (1878) | Package updated
Log message:
massive revision bump after textproc/icu update

   2022-11-16 14:47:38 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
net/bind916: update to 9.16.35

9.6.35 (2022-11-16)

Bug Fixes

* A crash was fixed that happened when a dnssec-policy zone that used NSEC3
  was reconfigured to enable inline-signing.  [GL #3591]

* In certain resolution scenarios, quotas could be erroneously reached for
  servers, including any configured forwarders, resulting in SERVFAIL
  answers being sent to clients.  This has been fixed.  [GL #3598]

* rpz-ip rules in response-policy zones could be ineffective in some cases
  if a query had the CD (Checking Disabled) bit set to 1.  This has been
  fixed.  [GL #3247]

* Previously, if Internet connectivity issues were experienced during the
  initial startup of named, a BIND resolver with dnssec-validation set to
  auto could enter into a state where it would not recover without stopping
  named, manually deleting the managed-keys.bind and managed-keys.bind.jnl
  files, and starting named again.  This has been fixed.  [GL #2895]

* The statistics counter representing the current number of clients awaiting
  recursive resolution results (RecursClients) could overflow in certain
  resolution scenarios.  This has been fixed.  [GL #3584]

* Previously, BIND failed to start on Solaris-based systems with hundreds of
  CPUs.  This has been fixed.  [GL #3563]

* When a DNS resource record's TTL value was equal to the resolver's
  configured prefetch "eligibility" value, the record was erroneously not
  treated as eligible for prefetching.  This has been fixed.  [GL #3603]

   2022-10-19 13:04:49 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
net/bind916: update to 9.16.34

9.16.34

Known Issues

* Upgrading from BIND 9.16.32 or any older version may require a manual
  configuration change.  The following configurations are affected:

	- type primary zones configured with dnssec-policy but without
          either allow-update or update-policy,

	- type secondary zones configured with dnssec-policy.

* In these cases please add inline-signing yes; to the individual zone
  configuration(s).  Without applying this change, named will fail to start.
  For more details, see
  https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing

New Features

* Support for parsing and validating the dohpath service parameter in SVCB
  records was added.  [GL #3544]

* named now logs the supported cryptographic algorithms during startup and
  in the output of named -V.  [GL #3541]

Bug Fixes

* Changing just the TSIG key names for primaries in catalog zones' member
  zones was not effective.  This has been fixed.  [GL #3557]

   2022-09-21 14:58:47 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Upgrade net/bind916 to version 9.16.33.

OKed by wiz@

Pkgsrc changes:
 * Just checksum updates.

Upstream changes:
        --- 9.16.33 released ---

5962.   [security]      Fix memory leak in EdDSA verify processing.
                        (CVE-2022-38178) [GL #3487]

5961.   [security]      Fix memory leak in ECDSA verify processing.
                        (CVE-2022-38177) [GL #3487]

5960.   [security]      Fix serve-stale crash that could happen when
                        stale-answer-client-timeout was set to 0 and there was
                        a stale CNAME in the cache for an incoming query.
                        (CVE-2022-3080) [GL #3517]

5957.   [security]      Prevent excessive resource use while processing large
                        delegations. (CVE-2022-2795) [GL #3394]

5956.   [func]          Make RRL code treat all QNAMEs that are subject to
                        wildcard processing within a given zone as the same
                        name. [GL #3459]

5955.   [port]          The libxml2 library has deprecated the usage of
                        xmlInitThreads() and xmlCleanupThreads() functions. Use
                        xmlInitParser() and xmlCleanupParser() instead.
                        [GL #3518]

5954.   [func]          Fallback to IDNA2003 processing in dig when IDNA2008
                        conversion fails. [GL #3485]

5953.   [bug]           Fix a crash on shutdown in delete_trace_entry(). Add
                        mctx attach/detach pair to make sure that the memory
                        context used by a memory pool is not destroyed before
                        the memory pool itself. [GL #3515]

5952.   [bug]           Use quotes around address strings in YAML output.
                        [GL #3511]

5951.   [bug]           In some cases, the dnstap query_message field was
                        erroneously set when logging response messages.
                        [GL #3501]

5948.   [bug]           Fix nsec3.c:dns_nsec3_activex() function, add a missing
                        dns_db_detachnode() call. [GL #3500]

5945.   [bug]           If parsing /etc/bind.key failed, delv could assert
                        when trying to parse the built in trust anchors as
                        the parser hadn't been reset. [GL !6468]

5942.   [bug]           Fix tkey.c:buildquery() function's error handling by
                        adding the missing cleanup code. [GL #3492]

5941.   [func]          Zones with dnssec-policy now require dynamic DNS or
                        inline-signing to be configured explicitly. [GL #3381]

5936.   [bug]           Don't enable serve-stale for lookups that error because
                        it is a duplicate query or a query that would be
                        dropped. [GL #2982]

   2022-08-17 17:38:28 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
net/bind916: update to 9.16.32

9.16.32 (2022-08-17)

Notes for BIND 9.16.32

Feature Changes

* The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically
  disabled on systems where they are disallowed by the security policy
  (e.g. Red Hat Enterprise Linux 9).  Primary zones using those algorithms
  need to be migrated to new algorithms prior to running on these systems,
  as graceful migration to different DNSSEC algorithms is not possible when
  RSASHA1 is disallowed by the operating system.  [GL #3469]

* Log messages related to fetch limiting have been improved to provide more
  complete information.  Specifically, the final counts of allowed and
  spilled fetches are now logged before the counter object is destroyed.
  [GL #3461]

Bug Fixes

* Non-dynamic zones that inherit dnssec-policy from the view or options
  blocks were not marked as inline-signed and therefore never scheduled to
  be re-signed.  This has been fixed.  [GL #3438]

* The old max-zone-ttl zone option was meant to be superseded by the
  max-zone-ttl option in dnssec-policy; however, the latter option was not
  fully effective.  This has been corrected: zones no longer load if they
  contain TTLs greater than the limit configured in dnssec-policy.  For
  zones with both the old max-zone-ttl option and dnssec-policy configured,
  the old option is ignored, and a warning is generated.  [GL #2918]

* rndc dumpdb -expired was fixed to include expired RRsets, even if
  stale-cache-enable is set to no and the cache-cleaning time window has
  passed.  [GL #3462]
