Log message:
net/bind916: update to 9.16.13

9.16.13 (2022-03-17)

New Features

* A new purge-keys option has been added to dnssec-policy. It sets the
  period of time that key files are retained after becoming obsolete
  due to a key rollover; the default is 90 days. This feature can be
  disabled by setting purge-keys to 0. [GL #2408]

Feature Changes

* When serve-stale is enabled and stale data is available, named now
  returns stale answers upon encountering any unexpected error in the
  query resolution process. This may happen, for example, if the
  fetches-per-server or fetches-per-zone limits are reached. In this
  case, named attempts to answer DNS requests with stale data, but
  does not start the stale-refresh-time window. [GL #2434]

Bug Fixes

* Zone journal (.jnl) files created by versions of named prior to
  9.16.12 were no longer compatible; this could cause problems when
  upgrading if journal files were not synchronized first. This has
  been corrected: older journal files can now be read when starting
  up. When an old-style journal file is detected, it is updated to the
  new format immediately after loading.

  Note that journals created by the current version of named are not
  usable by versions prior to 9.16.12. Before downgrading to a prior
  release, users are advised to ensure that all dynamic zones have
  been synchronized using rndc sync -clean.

  A journal file's format can be changed manually by running
  named-journalprint -d (downgrade) or named-journalprint -u
  (upgrade). Note that this must not be done while named is
  running. [GL #2505]

* named crashed when it was allowed to serve stale answers and
  stale-answer-client-timeout was triggered without any (stale) data
  available in the cache to answer the query. [GL #2503]

* If an outgoing packet exceeded max-udp-size, named dropped it
  instead of sending back a proper response. To prevent this problem,
  the IP_DONTFRAG option is no longer set on UDP sockets, which has
  been happening since BIND 9.16.11. [GL #2466]

* NSEC3 records were not immediately created when signing a dynamic
  zone using dnssec-policy with nsec3param. This has been fixed. [GL
  #2498]

* A memory leak occurred when named was reconfigured after adding an
  inline-signed zone with auto-dnssec maintain enabled. This has been
  fixed. [GL #2041]

* An invalid direction field (not one of N, S, E, W) in a LOC record
  resulted in an INSIST failure when a zone file containing such a
  record was loaded. [GL #2499]

Log message:
bind: update to 9.16.12.

XXX: why does this have so many patches?

	--- 9.16.12 released ---

5578.	[protocol]	Make "check-names" accept A records below \ 
"_spf",
			"_spf_rate", and "_spf_verify" labels in order to cater
			for the "exists" SPF mechanism specified in RFC 7208
			section 5.7 and appendix D.1. [GL #2377]

5577.	[bug]		Fix the "three is a crowd" key rollover bug in KASP by
			correctly implementing Equation (2) of the "Flexible and
			Robust Key Rollover" paper. [GL #2375]

5575.	[bug]		When migrating to KASP, BIND 9 considered keys with the
			"Inactive" and/or "Delete" timing metadata to be
			possible active keys. This has been fixed. [GL #2406]

5572.	[bug]		Address potential double free in generatexml().
			[GL #2420]

5571.	[bug]		named failed to start when its configuration included a
			zone with a non-builtin "allow-update" ACL attached.
			[GL #2413]

5570.	[bug]		Improve performance of the DNSSEC verification code by
			reducing the number of repeated calls to
			dns_dnssec_keyfromrdata(). [GL #2073]

5569.	[bug]		Emit useful error message when "rndc retransfer" is
			applied to a zone of inappropriate type. [GL #2342]

5568.	[bug]		Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
			keys. [GL #2178]

5567.	[bug]		Dig now reports unknown dash options while pre-parsing
			the options. This prevents "-multi" instead of "+multi"
			from reporting memory usage before ending option parsing
			with "Invalid option: -lti". [GL #2403]

5566.	[func]		Add "stale-answer-client-timeout" option, which is the
			amount of time a recursive resolver waits before
			attempting to answer the query using stale data from
			cache. [GL #2247]

5565.	[func]		The SONAMEs for BIND 9 libraries now include the current
			BIND 9 version number, in an effort to tightly couple
			internal libraries with a specific release. [GL #2387]

5562.	[security]	Fix off-by-one bug in ISC SPNEGO implementation.
			(CVE-2020-8625) [GL #2354]

5561.	[bug]		KASP incorrectly set signature validity to the value of
			the DNSKEY signature validity. This is now fixed.
			[GL #2383]

5560.	[func]		The default value of "max-stale-ttl" has been changed
			from 12 hours to 1 day and the default value of
			"stale-answer-ttl" has been changed from 1 second to 30
			seconds, following RFC 8767 recommendations. [GL #2248]

5456.	[func]		Added "primaries" as a synonym for "masters" in
			named.conf, and "primary-only" as a synonym for
			"master-only" in the parameters to "notify", to bring
			terminology up-to-date with RFC 8499. [GL #1948]

5362.	[func]		Limit the size of IXFR responses so that AXFR will
			be used instead if it would be smaller. This is
			controlled by the "max-ixfr-ratio" option, which
			is a percentage representing the ratio of IXFR size
			to the size of the entire zone. This value cannot
			exceed 100%, which is the default. [GL #1515]

Log message:
net/bind916: Update to 9.16.11

- Fix build (at least) on SmartOS

- Changelog:
  * Feature Changes:
    - The new networking code introduced in BIND 9.16 (netmgr) was overhauled
      in order to make it more stable, testable, and maintainable. [GL #2321]

    - Earlier releases of BIND versions 9.16 and newer required the operating
      system to support load-balanced sockets in order for named to be able to
      achieve high performance (by distributing incoming queries among multiple
      threads). However, the only operating systems currently known to support
      load-balanced sockets are Linux and FreeBSD 12, which means both UDP and
      TCP performance were limited to a single thread on other systems. As of
      BIND 9.17.8, named attempts to distribute incoming queries among multiple
      threads on systems which lack support for load-balanced sockets (except
      Windows). [GL #2137]

    - It is now possible to transition a zone from secure to insecure mode
      without making it bogus in the process; changing to dnssec-policy none;
      also causes CDS and CDNSKEY DELETE records to be published, to signal
      that the entire DS RRset at the parent must be removed, as described in
      RFC 8078. [GL #1750]

    - When using the unixtime or date method to update the SOA serial number,
      named and dnssec-signzone silently fell back to the increment method to
      prevent the new serial number from being smaller than the old serial
      number (using serial number arithmetics). dnssec-signzone now prints a
      warning message, and named logs a warning, when such a fallback happens.
      [GL #2058]

  * Bug Fixes:
    - Multiple threads could attempt to destroy a single RBTDB instance at the
      same time, resulting in an unpredictable but low-probability assertion
      failure in free_rbtdb(). This has been fixed. [GL #2317]

    - named no longer attempts to assign threads to CPUs outside the CPU
      affinity set. Thanks to Ole Bjørn Hessen. [GL #2245]

    - When reconfiguring named, removing auto-dnssec did not turn off DNSSEC
      maintenance. This has been fixed. [GL #2341]

    - The report of intermittent BIND assertion failures triggered in
      lib/dns/resolver.c:dns_name_issubdomain() has now been closed without
      further action. Our initial response to this was to add diagnostic
      logging instead of terminating named, anticipating that we would receive
      further useful troubleshooting input. This workaround first appeared in
      BIND releases 9.17.5 and 9.16.7. However, since those releases were
      published, there have been no new reports of assertion failures matching
      this issue, but also no further diagnostic input, so we have closed the
      issue. [GL #2091]

- Full Changelog at:
  https://downloads.isc.org/isc/bind9/9.1 … notes.html

Log message:
bind: Disable atomic operations on i386 too.

Log message:
net/bind916: update to 9.16.10

Update bind916 to 9.16.10 (BIND 9.16.10).

pkgsrc changes:

* Make blocklist/blacklist support really compiled in.
* Fix build problem with pkcs11 PKG_OPTIONS and allow to use it.

	--- 9.16.10 released ---

5544.	[func]		Restore the default value of "nocookie-udp-size" to 4096
			bytes. [GL #2250]

5541.	[func]		Adjust the "max-recursion-queries" default from 75 to
			100. [GL #2305]

5540.	[port]		Fix building with native PKCS#11 support for AEP Keyper.
			[GL #2315]

5539.	[bug]		Tighten handling of missing DNS COOKIE responses over
			UDP by falling back to TCP. [GL #2275]

5538.	[func]		Add NSEC3 support to KASP. A new option for
			"dnssec-policy", "nsec3param", can be used to set the
			desired NSEC3 parameters. NSEC3 salt collisions are
			automatically prevented during resalting. Salt
			generation is now logged with zone context. [GL #1620]

5534.	[bug]		The CNAME synthesized from a DNAME was incorrectly
			followed when the QTYPE was CNAME or ANY. [GL #2280]

Log message:
net/bind916: update to 9.16.9

	--- 9.16.9 released ---

5533.	[func]		Add the "stale-refresh-time" option, a time window that
			starts after a failed lookup, during which a stale RRset
			is served directly from cache before a new attempt to
			refresh it is made. [GL #2066]

5530.	[bug]		dnstap did not capture responses to forwarded UPDATE
			requests. [GL #2252]

5527.	[bug]		A NULL pointer dereference occurred when creating an NTA
			recheck query failed. [GL #2244]

5525.	[bug]		Change 5503 inadvertently broke cross-compilation by
			replacing a call to AC_LINK_IFELSE() with a call to
			AC_RUN_IFELSE() in configure.ac.  This has been fixed,
			making cross-compilation possible again. [GL #2237]

5523.	[bug]		The initial lookup in a zone transitioning to/from a
			signed state could fail if the DNSKEY RRset was not
			found. [GL #2236]

5522.	[bug]		Fixed a race/NULL dereference in TCPDNS send. [GL #2227]

5520.	[bug]		Fixed a number of shutdown races, reference counting
			errors, and spurious log messages that could occur
			in the network manager. [GL #2221]

5518.	[bug]		Stub zones now work correctly with primary servers using
			"minimal-responses yes". [GL #1736]

5517.	[bug]		Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr.
			[GL #2208]

	--- 9.16.8 released ---

5516.	[func]		The default EDNS buffer size has been changed from 4096
			to 1232 bytes. [GL #2183]

5515.	[func]		Add 'rndc dnssec -rollover' command to trigger a manual
			rollover for a specific key. [GL #1749]

5514.	[bug]		Fix KASP expected key size for Ed25519 and Ed448.
			[GL #2171]

5513.	[doc]		The ARM section describing the "rrset-order" statement
			was rewritten to make it unambiguous and up-to-date with
			the source code. [GL #2139]

5512.	[bug]		"rrset-order" rules using "order none" were causing
			named to crash despite named-checkconf treating them as
			valid. [GL #2139]

5511.	[bug]		'dig -u +yaml' failed to display timestamps to the
			microsecond. [GL #2190]

5510.	[bug]		Implement the attach/detach semantics for dns_message_t
			to fix a data race in accessing an already-destroyed
			fctx->rmessage. [GL #2124]

5509.	[bug]		filter-aaaa: named crashed upon shutdown if it was in
			the process of recursing for A RRsets. [GL #1040]

5508.	[func]		Added new parameter "-expired" for "rndc \ 
dumpdb" that
			also prints expired RRsets (awaiting cleanup) to the
			dump file. [GL #1870]

5507.	[bug]		Named could compute incorrect SIG(0) responses.
			[GL #2109]

5506.	[bug]		Properly handle failed sysconf() calls, so we don't
			report invalid memory size. [GL #2166]

5505.	[bug]		Updating contents of a mixed-case RPZ could cause some
			rules to be ignored. [GL #2169]

5503.	[bug]		Cleaned up reference counting of network manager
			handles, now using isc_nmhandle_attach() and _detach()
			instead of _ref() and _unref(). [GL #2122]

Log message:
net/bind916: Correct typo in previous commit

Log message:
net/bind916: fix build problem

Fix build problem on platform which supports epoll(2).