Log Message:
Upgrade net/bind916 to version 9.16.19.

Upstream changes:

        --- 9.16.19 released ---

5671.   [bug]           A race condition could occur where two threads were
                        competing for the same set of key file locks, leading to
                        a deadlock. This has been fixed. [GL #2786]

5670.   [bug]           create_keydata() created an invalid placeholder keydata
                        record upon a refresh failure, which prevented the
                        database of managed keys from subsequently being read
                        back. This has been fixed. [GL #2686]

5669.   [func]          KASP support was extended with the "check DS" \ 
feature.
                        Zones with "dnssec-policy" and \ 
"parental-agents"
                        configured now check for DS presence and can perform
                        automatic KSK rollovers. [GL #1126]

5668.   [bug]           Rescheduling a setnsec3param() task when a zone failed
                        to load on startup caused a hang on shutdown. This has
                        been fixed. [GL #2791]

5667.   [bug]           The configuration-checking code failed to account for
                        the inheritance rules of the "dnssec-policy" \ 
option.
                        This has been fixed. [GL #2780]

5666.   [doc]           The safe "edns-udp-size" value was tweaked to \ 
match the
                        probing value from BIND 9.16 for better compatibility.
                        [GL #2183]

5665.   [bug]           If nsupdate sends an SOA request and receives a REFUSED
                        response, it now fails over to the next available
                        server. [GL #2758]

5664.   [func]          For UDP messages larger than the path MTU, named now
                        sends an empty response with the TC (TrunCated) bit set.
                        In addition, setting the DF (Don't Fragment) flag on
                        outgoing UDP sockets was re-enabled. [GL #2790]

5662.   [bug]           Views with recursion disabled are now configured with a
                        default cache size of 2 MB unless \ 
"max-cache-size" is
                        explicitly set. This prevents cache RBT hash tables from
                        being needlessly preallocated for such views. [GL #2777]

5661.   [bug]           Change 5644 inadvertently introduced a deadlock: when
                        locking the key file mutex for each zone structure in a
                        different view, the "in-view" logic was not \ 
considered.
                        This has been fixed. [GL #2783]

5658.   [bug]           Increasing "max-cache-size" for a running \ 
named instance
                        (using "rndc reconfig") did not cause the hash \ 
tables
                        used by cache databases to be grown accordingly. This
                        has been fixed. [GL #2770]

5655.   [bug]           Signed, insecure delegation responses prepared by named
                        either lacked the necessary NSEC records or contained
                        duplicate NSEC records when both wildcard expansion and
                        CNAME chaining were required to prepare the response.
                        This has been fixed. [GL #2759]

5653.   [bug]           A bug that caused the NSEC3 salt to be changed on every
                        restart for zones using KASP has been fixed. [GL #2725]