Subject: CVS commit: pkgsrc/net/bind916
From: Takahiro Kambe
Date: 2021-06-02 17:37:06
Message id: 20210602153706.E7DDAFA95@cvs.NetBSD.org

Log Message:
net/bind916: update to 9.11.32

Notes for BIND 9.16.16

Feature Changes

* DNSSEC responses containing NSEC3 records with iteration counts greater
  than 150 are now treated as insecure.  [GL #2445]

* The maximum supported number of NSEC3 iterations that can be configured
  for a zone has been reduced to 150.  [GL #2642]

* The default value of the max-ixfr-ratio option was changed to unlimited,
  for better backwards compatibility in the stable release series.  [GL
  #2671]

* Zones that want to transition from secure to insecure mode without
  becoming bogus in the process must now have their dnssec-policy changed
  first to insecure, rather than none.  After the DNSSEC records have been
  removed from the zone, the dnssec-policy can be set to none or removed
  from the configuration.  Setting the dnssec-policy to insecure causes CDS
  and CDNSKEY DELETE records to be published.  [GL #2645]

* The implementation of the ZONEMD RR type has been updated to match RFC
  8976.  [GL #2658]

* The draft-vandijk-dnsop-nsec-ttl IETF draft was implemented: NSEC(3) TTL
  values are now set to the minimum of the SOA MINIMUM value or the SOA TTL.
  [GL #2347]

Bug Fixes

* It was possible for corrupt journal files generated by an earlier version
  of named to cause problems after an upgrade.  This has been fixed.  [GL
  #2670]

* TTL values in cache dumps were reported incorrectly when
  stale-cache-enable was set to yes.  This has been fixed.  [GL #389] [GL
  #2289]

* A deadlock could occur when multiple rndc addzone, rndc delzone, and/or
  rndc modzone commands were invoked simultaneously for different zones.
  This has been fixed.  [GL #2626]

* named and named-checkconf did not report an error when multiple zones with
  the dnssec-policy option set were using the same zone file.  This has been
  fixed.  [GL #2603]

* If dnssec-policy was active and a private key file was temporarily offline
  during a rekey event, named could incorrectly introduce replacement keys
  and break a signed zone.  This has been fixed.  [GL #2596]

* When generating zone signing keys, KASP now also checks for key ID
  conflicts among newly created keys, rather than just between new and
  existing ones.  [GL #2628]

Files:
Revision  Action  file
1.15      modify  pkgsrc/net/bind916/Makefile
1.13      modify  pkgsrc/net/bind916/distinfo
1.2       modify  pkgsrc/net/bind916/patches/patch-lib_isc_task.c
1.5       modify  pkgsrc/net/bind916/patches/patch-lib_isc_unix_socket.c
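
Added example, not part of the commit message and not code from BIND or pkgsrc: a Python check that reads records in zone-file/dig presentation format and reports NSEC3 and NSEC3PARAM records whose iteration count exceeds the 150 limit given in the Feature Changes notes above. The function names and the sample records are constructed for illustration.

```python
# Added example: flag NSEC3/NSEC3PARAM iteration counts above the limit
# stated in the BIND 9.16.16 notes (150). Names here are hypothetical.
MAX_NSEC3_ITERATIONS = 150
CLASSES = {"IN", "CH", "HS"}
NSEC3_TYPES = {"NSEC3", "NSEC3PARAM"}


def nsec3_iterations(line):
    """Return (owner, rrtype, iterations) for an NSEC3(PARAM) line, else None."""
    fields = line.split(";", 1)[0].split()   # drop trailing comment
    if len(fields) < 2:
        return None
    owner, rest = fields[0], fields[1:]
    # Skip the optional TTL and class that precede the record type.
    while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
        rest = rest[1:]
    if not rest or rest[0].upper() not in NSEC3_TYPES:
        return None
    rdata = rest[1:]
    # RDATA order for both types: hash-alg, flags, iterations, salt, ...
    if len(rdata) < 4 or not rdata[2].isdigit():
        return None
    return owner, rest[0].upper(), int(rdata[2])


def over_limit(zone_text, limit=MAX_NSEC3_ITERATIONS):
    """List the records whose iteration count is greater than the limit."""
    findings = []
    for line in zone_text.splitlines():
        parsed = nsec3_iterations(line)
        if parsed is not None and parsed[2] > limit:
            findings.append(parsed)
    return findings


# Constructed sample records (not taken from any real zone).
SAMPLE = """\
; constructed sample in dig-style presentation format
ok.example.    0    IN NSEC3PARAM 1 0 10 AABBCCDD
edge.example.  0    IN NSEC3PARAM 1 0 150 -
slow.example.  0    IN NSEC3PARAM 1 0 500 -
b4um86eghhds6nea196smvmlo4ors995.slow.example. 3600 IN NSEC3 1 1 500 - gjeqe526plbf1g8mklp59enfd789njgi A RRSIG
slow.example.  3600 IN SOA ns.slow.example. admin.slow.example. 1 3600 600 86400 3600
"""

if __name__ == "__main__":
    for owner, rrtype, count in over_limit(SAMPLE):
        print(f"{owner} {rrtype}: {count} iterations exceeds {MAX_NSEC3_ITERATIONS}")
```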