Log message:
bind9{9,10}: Fix path to rndc-confgen in SMF.

Log message:
Update bind99 to 9.9.11.

Here is release note except security (already fixed by bind-9.9.10pl3, BIND
9.9.10-P3).

Release Notes for BIND Version 9.9.11

Introduction

   This document summarizes significant changes since the last production
   release of BIND on the corresponding major release branch. Please see
   the CHANGES file for a further list of bug fixes and other changes.

Download

   The latest versions of BIND 9 software can always be found at
   http://www.isc.org/downloads/. There you will find additional
   information about each release, source code, and pre-compiled versions
   for Microsoft Windows operating systems.

New DNSSEC Root Key

   ICANN is in the process of introducing a new Key Signing Key (KSK) for
   the global root zone. BIND has multiple methods for managing DNSSEC
   trust anchors, with somewhat different behaviors. If the root key is
   configured using the managed-keys statement, or if the pre-configured
   root key is enabled by using dnssec-validation auto, then BIND can keep
   keys up to date automatically. Servers configured in this way should
   have begun the process of rolling to the new key when it was published
   in the root zone in July 2017. However, keys configured using the
   trusted-keys statement are not automatically maintained. If your server
   is performing DNSSEC validation and is configured using trusted-keys,
   you are advised to change your configuration before the root zone
   begins signing with the new KSK. This is currently scheduled for
   October 11, 2017.

   This release includes an updated version of the bind.keys file
   containing the new root key. This file can also be downloaded from
   https://www.isc.org/bind-keys .

Windows XP No Longer Supported

   As of BIND 9.9.11, Windows XP is no longer a supported platform for
   BIND, and Windows XP binaries are no longer available for download from
   ISC.

Feature Changes

     * Threads in named are now set to human-readable names to assist
       debugging on operating systems that support that. Threads will have
       names such as "isc-timer", "isc-sockmgr", \ 
"isc-worker0001", and so
       on. This will affect the reporting of subsidiary thread names in ps
       and top, but not the main thread. [RT #43234]
     * DiG now warns about .local queries which are reserved for Multicast
       DNS. [RT #44783]

Bug Fixes

     * Fixed a bug that was introduced in an earlier development release
       which caused multi-packet AXFR and IXFR messages to fail validation
       if not all packets contained TSIG records; this caused
       interoperability problems with some other DNS implementations. [RT
       #45509]
     * Semicolons are no longer escaped when printing CAA and URI records.
       This may break applications that depend on the presence of the
       backslash before the semicolon. [RT #45216]
     * AD could be set on truncated answer with no records present in the
       answer and authority sections. [RT #45140]

End of Life

   BIND 9.9 (Extended Support Version) will be supported until at least
   June, 2018. https://www.isc.org/downloads/software-support-policy/

Log message:
Update bind99 to 9.9.10pl3 (BIND 9.9.10-P3).

--- 9.9.10-P3 released ---

4647.	[bug]		Change 4643 broke verification of TSIG signed TCP
			message sequences where not all the messages contain
			TSIG records.  These may be used in AXFR and IXFR
			responses. [RT #45509]

Log message:
Update bind99 to 9.9.10pl2 (BIND 9.9.10-P2).

--- 9.9.10-P2 released ---

4643.	[security]	An error in TSIG handling could permit unauthorized
			zone transfers or zone updates. (CVE-2017-3142)
			(CVE-2017-3143) [RT #45383]

4633.	[maint]		Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.

Log message:
Update bind99 to 9.9.10pl1 (BIND 9.9.10-P1).

	--- 9.9.10-P1 released ---

4632.	[security]	The BIND installer on Windows used an unquoted
			service path, which can enable privilege escalation.
			(CVE-2017-3141) [RT #45229]

4631.	[security]	Some RPZ configurations could go into an infinite
			query loop when encountering responses with TTL=0.
			(CVE-2017-3140) [RT #45181]

Log message:
Update bind99 to 9.9.10 (BIND 9.9.10).

This is maintenance release and please refer release announce in detail:
https://kb.isc.org/article/AA-01489.

Log message:
Update bind99 to 9.9.9pl8 (BIND 9.9.9-P8).

Quote from release announce:

   BIND 9.9.9-P8 addresses the security issues described in CVE-2017-3136,
   CVE-2017-3137, and CVE-2017-3138, and updates the built-in trusted keys
   for the root zone.

Quote from CHANGELOG:

	--- 9.9.9-P8 released ---

4582.	[security]	'rndc ""' could trigger a assertion failure in named.
			(CVE-2017-3138) [RT #44924]

4580.	[bug]		4578 introduced a regression when handling CNAME to
			referral below the current domain. [RT #44850]

	--- 9.9.9-P7 released ---

4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
			queries could trigger assertion failures.
			(CVE-2017-3137) [RT #44734]

4575.	[security]	DNS64 with "break-dnssec yes;" can result in an
			assertion failure. (CVE-2017-3136) [RT #44653]

4564.	[maint]		Update the built in managed keys to include the
			upcoming root KSK. [RT #44579]

Log message:
Fix bind.keys PLIST handling, thanks joerg@ for the notice.

Log message:
Change bind99 and bind910 package to use the standard PKG_SYSCONFDIR
for config files instead of the hardcoded /etc path. Sync SMF support
across the two packages. Bump PKGREVISION.

Log message:
Update bind99 to 9.9.9pl6 (BIND 9.9.9-P6).

Security Fixes

     * If a server is configured with a response policy zone (RPZ) that
       rewrites an answer with local data, and is also configured for
       DNS64 address mapping, a NULL pointer can be read triggering a
       server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
     * named could mishandle authority sections with missing RRSIGs,
       triggering an assertion failure. This flaw is disclosed in
       CVE-2016-9444. [RT #43632]
     * named mishandled some responses where covering RRSIG records were
       returned without the requested data, resulting in an assertion
       failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
     * named incorrectly tried to cache TKEY records which could trigger
       an assertion failure when there was a class mismatch. This flaw is
       disclosed in CVE-2016-9131. [RT #43522]
     * It was possible to trigger assertions when processing responses
       containing answers of type DNAME. This flaw is disclosed in
       CVE-2016-8864. [RT #43465]
     * It was possible to trigger an assertion when rendering a message
       using a specially crafted request. This flaw is disclosed in
       CVE-2016-2776. [RT #43139]
     * Calling getrrsetbyname() with a non- absolute name could trigger an
       infinite recursion bug in lwresd or named with lwres configured if,
       when combined with a search list entry from resolv.conf, the
       resulting name is too long. This flaw is disclosed in
       CVE-2016-2775. [RT #42694]

Feature Changes

     * None.

Porting Changes

     * None.

Bug Fixes

     * A synthesized CNAME record appearing in a response before the
       associated DNAME could be cached, when it should not have been.
       This was a regression introduced while addressing CVE-2016-8864.
       [RT #44318]
     * Windows installs were failing due to triggering UAC without the
       installation binary being signed.
     * A race condition in rbt/rbtdb was leading to INSISTs being
       triggered.