Log Message:
net/bind916: update to 9.16.15

Security release.

	--- 9.16.15 released ---

5621.	[bug]		Due to a backporting mistake in change 5609, named
			binaries built against a Kerberos/GSSAPI library whose
			header files did not define the GSS_SPNEGO_MECHANISM
			preprocessor macro were not able to start if their
			configuration included the "tkey-gssapi-credential"
			option. This has been fixed. [GL #2634]

5620.	[bug]		If zone journal files written by BIND 9.16.11 or earlier
			were present when BIND was upgraded, the zone file for
			that zone could have been inadvertently rewritten with
			the current zone contents. This caused the original zone
			file structure (e.g. comments, $INCLUDE directives) to
			be lost, although the zone data itself was preserved.
			This has been fixed. [GL #2623]

	--- 9.16.14 released ---

5617.	[security]	A specially crafted GSS-TSIG query could cause a buffer
			overflow in the ISC implementation of SPNEGO.
			(CVE-2021-25216) [GL #2604]

5616.	[security]	named crashed when a DNAME record placed in the ANSWER
			section during DNAME chasing turned out to be the final
			answer to a client query. (CVE-2021-25215) [GL #2540]

5615.	[security]	Insufficient IXFR checks could result in named serving a
			zone without an SOA record at the apex, leading to a
			RUNTIME_CHECK assertion failure when the zone was
			subsequently refreshed. This has been fixed by adding an
			owner name check for all SOA records which are included
			in a zone transfer. (CVE-2021-25214) [GL #2467]

5614.	[bug]		Ensure all resources are properly cleaned up when a call
			to gss_accept_sec_context() fails. [GL #2620]

5613.	[bug]		It was possible to write an invalid transaction header
			in the journal file for a managed-keys database after
			upgrading. This has been fixed. Invalid headers in
			existing journal files are detected and named is able
			to recover from them. [GL #2600]

5611.	[func]		Set "stale-answer-client-timeout" to "off" by \ 
default.
			[GL #2608]

5610.	[bug]		Prevent a crash which could happen when a lookup
			triggered by "stale-answer-client-timeout" was attempted
			right after recursion for a client query finished.
			[GL #2594]

5609.	[func]		The ISC implementation of SPNEGO was removed from BIND 9
			source code. It was no longer necessary as all major
			contemporary Kerberos/GSSAPI libraries include support
			for SPNEGO. [GL #2607]

5608.	[bug]		When sending queries over TCP, dig now properly handles
			"+tries=1 +retry=0" by not retrying the connection when
			the remote server closes the connection prematurely.
			[GL #2490]

5607.	[bug]		As "rndc dnssec -checkds" and "rndc dnssec \ 
-rollover"
			commands may affect the next scheduled key event,
			reconfiguration of zone keys is now triggered after
			receiving either of these commands to prevent
			unnecessary key rollover delays. [GL #2488]

5606.	[bug]		CDS/CDNSKEY DELETE records are now removed when a zone
			transitions from a secure to an insecure state.
			named-checkzone also no longer reports an error when
			such records are found in an unsigned zone. [GL #2517]

5605.	[bug]		"dig -u" now uses the CLOCK_REALTIME clock source for
			more accurate time reporting. [GL #2592]

5603.	[bug]		Fix a memory leak that occurred when named failed to
			bind a UDP socket to a network interface. [GL #2575]

5602.	[bug]		Fix TCPDNS and TLSDNS timers in Network Manager. This
			makes the "tcp-initial-timeout" and "tcp-idle-timeout"
			options work correctly again. [GL #2583]

5601.	[bug]		Zones using KASP could not be thawed after they were
			frozen using "rndc freeze". This has been fixed.
			[GL #2523]