diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES index cb2581a44b39..a44c804076ba 100644 --- a/contrib/bind9/CHANGES +++ b/contrib/bind9/CHANGES @@ -1,3 +1,55 @@ + + --- 9.6-ESV-R3 released --- + +2972. [bug] win32: address windows socket errors. [RT #21906] + +2971. [bug] Fixed a bug that caused journal files not to be + compacted on Windows systems as a result of + non-POSIX-compliant rename() semantics. [RT #22434] + +2970. [security] Adding a NO DATA negative cache entry failed to clear + any matching RRSIG records. A subsequent lookup of + of NO DATA cache entry could trigger a INSIST when the + unexpected RRSIG was also returned with the NO DATA + cache entry. + + CVE-2010-3613, VU#706148. [RT #22288] + +2969. [security] Fix acl type processing so that allow-query works + in options and view statements. Also add a new + set of tests to verify proper functioning. + + CVE-2010-3615, VU#510208. [RT #22418] + +2968. [security] Named could fail to prove a data set was insecure + before marking it as insecure. One set of conditions + that can trigger this occurs naturally when rolling + DNSKEY algorithms. + + CVE-2010-3614, VU#837744. [RT #22309] + +2967. [bug] 'host -D' now turns on debugging messages earlier. + [RT #22361] + +2966. [bug] isc_print_vsnprintf() failed to check if there was + space available in the buffer when adding a left + justified character with a non zero width, + (e.g. "%-1c"). [RT #22270] + +2964. [bug] view->queryacl was being overloaded. Seperate the + usage into view->queryacl, view->cacheacl and + view->queryonacl. [RT #22114] + +2962. [port] win32: add more dependencies to BINDBuild.dsw. + [RT #22062] + +2952. [port] win32: named-checkzone and named-checkconf failed + to initialise winsock. [RT #21932] + +2951. [bug] named failed to generate a correct signed response + in a optout, delegation only zone with no secure + delegations. [RT #22007] + --- 9.6-ESV-R2 released --- 2939. [func] Check that named successfully skips NSEC3 records diff --git a/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html b/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html new file mode 100644 index 000000000000..946330dfd57c --- /dev/null +++ b/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html @@ -0,0 +1,225 @@ + + + + + + +
+ +

Introduction

+ +

+ BIND 9.6-ESV-R3 is a maintenance release for BIND 9.6-ESV. +

+

+ This document summarizes changes from BIND 9.6-ESV-R1 to BIND 9.6-ESV-R3. + Please see the CHANGES file in the source code release for a + complete list of all changes. +

+
+ +

Download

+ +

+ The latest release of BIND 9 software can always be found + on our web site at + http://www.isc.org/software/bind. + There you will find additional information about each release, + source code, and some pre-compiled versions for certain operating + systems. +

+
+ +

Support

+ +

Product support information is available on + http://www.isc.org/services/support + for paid support options. Free support is provided by our user + community via a mailing list. Information on all public email + lists is available at + https://lists.isc.org/mailman/listinfo. +

+
+ +

New Features

+ +

9.6-ESV-R2

+ +

None.

+
+

9.6-ESV-R3

+ +

None.

+
+
+ +

Feature Changes

+ +

9.6-ESV-R2

+ +

None.

+
+

9.6-ESV-R3

+ +

None.

+
+
+ +

Security Fixes

+ +

9.6-ESV-R2

+ +

None.

+
+

9.6-ESV-R3

+ +
  • + Adding a NO DATA signed negative response to cache failed to clear + any matching RRSIG records already in cache. A subsequent lookup + of the cached NO DATA entry could crash named (INSIST) when the + unexpected RRSIG was also returned with the NO DATA cache entry. + [RT #22288] [CVE-2010-3613] [VU#706148] +
  • + BIND, acting as a DNSSEC validator, was determining if the NS RRset + is insecure based on a value that could mean either that the RRset + is actually insecure or that there wasn't a matching key for the RRSIG + in the DNSKEY RRset when resuming from validating the DNSKEY RRset. + This can happen when in the middle of a DNSKEY algorithm rollover, + when two different algorithms were used to sign a zone but only the + new set of keys are in the zone DNSKEY RRset. + [RT #22309] [CVE-2010-3614] [VU#837744] +
+
+
+ +

Bug Fixes

+ +

9.6-ESV-R2

+ +
  • + Check that named successfully skips NSEC3 records + that fail to match the NSEC3PARAM record currently + in use. + [RT #21868] +
  • + Worked around a race condition in the cache database memory + handling. Without this fix a DNS cache DB or ADB could + incorrectly stay in an over memory state, effectively refusing + further caching, which subsequently made a BIND 9 caching + server unworkable. + [RT #21818] +
  • + BIND did not properly handle non-cacheable negative responses + from insecure zones. This caused several non-protocol-compliant + zones to become unresolvable. BIND is now more accepting of + responses it receives from less strict servers. + [RT #21555] +
  • + The resolver could attempt to destroy a fetch context too + soon, resulting in a crash. + [RT #19878] +
  • + The placeholder negative caching element was not + properly constructed triggering a crash (INSIST) in + dns_ncache_towire(). + [RT #21346] +
  • + Handle the introduction of new trusted-keys and + DS, DLV RRsets better. + [RT #21097] +
  • + Fix arguments to dns_keytable_findnextkeynode() call. + [RT #20877] +
+
+

9.6-ESV-R3

+ +
  • + Microsoft changed the behavior of sockets between NT/XP based + stacks vs Vista/windows7 stacks. Server 2003/2008 have the older + behavior, 2008r2 has the new behavior. With the change, different + error results are possible, so ISC adapted BIND to handle the new + error results. + This resolves an issue where sockets would shut down on + Windows servers causing named to stop responding to queries. + [RT #21906] +
  • + Windows has non-POSIX compliant behavior in its rename() and unlink() + calls. This caused journal compaction to fail on Windows BIND servers + with the log error: "dns_journal_compact failed: failure". + [RT #22434] +
  • + 'host -D' now turns on debugging messages earlier. + [RT #22361] +
  • + isc_print_vsnprintf() failed to check if there was + space available in the buffer when adding a left + justified character with a non zero width, + (e.g. "%-1c"). + [RT #22270] +
  • + view->queryacl was being overloaded. Seperate the + usage into view->queryacl, view->cacheacl and + view->queryonacl. + [RT #22114] +
  • + win32: add more dependencies to BINDBuild.dsw. + [RT #22062] +
  • + win32: named-checkzone and named-checkconf failed + to initialise winsock. + [RT #21932] +
  • + named failed to generate a correct signed response + in a optout, delegation only zone with no secure + delegations. + [RT #22007] +
+
+
+ +

Known issues in this release

+ +
  • +

    + "make test" will fail on OSX and possibly other operating systems. + The failure occurs in a new test to check for allow-query ACLs. + The failure is caused because the source address is not specified on + the dig commands issued in the test. +

    +

    + If running "make test" is part of your usual acceptance process, + please edit the file bin/tests/system/allow_query/test.sh + and add +

    + -b 10.53.0.2 +

    + to the DIGOPTS line. +

    +
+
+ +

Thank You

+ +

+ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to make + quality open source software, please visit our donations page at + http://www.isc.org/supportisc. +

+
+
diff --git a/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.pdf b/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.pdf new file mode 100644 index 000000000000..60fa9fa0f166 Binary files /dev/null and b/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.pdf differ diff --git a/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt b/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt new file mode 100644 index 000000000000..028c16dcdbb7 --- /dev/null +++ b/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt @@ -0,0 +1,133 @@ + __________________________________________________________________ + +Introduction + + BIND 9.6-ESV-R3 is a maintenance release for BIND 9.6-ESV. + + This document summarizes changes from BIND 9.6-ESV-R1 to BIND + 9.6-ESV-R3. Please see the CHANGES file in the source code release for + a complete list of all changes. + +Download + + The latest release of BIND 9 software can always be found on our web + site at http://www.isc.org/software/bind. There you will find + additional information about each release, source code, and some + pre-compiled versions for certain operating systems. + +Support + + Product support information is available on + http://www.isc.org/services/support for paid support options. Free + support is provided by our user community via a mailing list. + Information on all public email lists is available at + https://lists.isc.org/mailman/listinfo. + +New Features + +9.6-ESV-R2 + + None. + +9.6-ESV-R3 + + None. + +Feature Changes + +9.6-ESV-R2 + + None. + +9.6-ESV-R3 + + None. + +Security Fixes + +9.6-ESV-R2 + + None. + +9.6-ESV-R3 + + * Adding a NO DATA signed negative response to cache failed to clear + any matching RRSIG records already in cache. A subsequent lookup of + the cached NO DATA entry could crash named (INSIST) when the + unexpected RRSIG was also returned with the NO DATA cache entry. + [RT #22288] [CVE-2010-3613] [VU#706148] + * BIND, acting as a DNSSEC validator, was determining if the NS RRset + is insecure based on a value that could mean either that the RRset + is actually insecure or that there wasn't a matching key for the + RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY + RRset. This can happen when in the middle of a DNSKEY algorithm + rollover, when two different algorithms were used to sign a zone + but only the new set of keys are in the zone DNSKEY RRset. [RT + #22309] [CVE-2010-3614] [VU#837744] + +Bug Fixes + +9.6-ESV-R2 + + * Check that named successfully skips NSEC3 records that fail to + match the NSEC3PARAM record currently in use. [RT #21868] + * Worked around a race condition in the cache database memory + handling. Without this fix a DNS cache DB or ADB could incorrectly + stay in an over memory state, effectively refusing further caching, + which subsequently made a BIND 9 caching server unworkable. [RT + #21818] + * BIND did not properly handle non-cacheable negative responses from + insecure zones. This caused several non-protocol-compliant zones to + become unresolvable. BIND is now more accepting of responses it + receives from less strict servers. [RT #21555] + * The resolver could attempt to destroy a fetch context too soon, + resulting in a crash. [RT #19878] + * The placeholder negative caching element was not properly + constructed triggering a crash (INSIST) in dns_ncache_towire(). [RT + #21346] + * Handle the introduction of new trusted-keys and DS, DLV RRsets + better. [RT #21097] + * Fix arguments to dns_keytable_findnextkeynode() call. [RT #20877] + +9.6-ESV-R3 + + * Microsoft changed the behavior of sockets between NT/XP based + stacks vs Vista/windows7 stacks. Server 2003/2008 have the older + behavior, 2008r2 has the new behavior. With the change, different + error results are possible, so ISC adapted BIND to handle the new + error results. This resolves an issue where sockets would shut down + on Windows servers causing named to stop responding to queries. [RT + #21906] + * Windows has non-POSIX compliant behavior in its rename() and + unlink() calls. This caused journal compaction to fail on Windows + BIND servers with the log error: "dns_journal_compact failed: + failure". [RT #22434] + * 'host -D' now turns on debugging messages earlier. [RT #22361] + * isc_print_vsnprintf() failed to check if there was space available + in the buffer when adding a left justified character with a non + zero width, (e.g. "%-1c"). [RT #22270] + * view->queryacl was being overloaded. Seperate the usage into + view->queryacl, view->cacheacl and view->queryonacl. [RT #22114] + * win32: add more dependencies to BINDBuild.dsw. [RT #22062] + * win32: named-checkzone and named-checkconf failed to initialise + winsock. [RT #21932] + * named failed to generate a correct signed response in a optout, + delegation only zone with no secure delegations. [RT #22007] + +Known issues in this release + + * "make test" will fail on OSX and possibly other operating systems. + The failure occurs in a new test to check for allow-query ACLs. The + failure is caused because the source address is not specified on + the dig commands issued in the test. + If running "make test" is part of your usual acceptance process, + please edit the file bin/tests/system/allow_query/test.sh and add + -b 10.53.0.2 + to the DIGOPTS line. + +Thank You + + Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/supportisc. diff --git a/contrib/bind9/bin/check/check-tool.c b/contrib/bind9/bin/check/check-tool.c index e0a7208f3788..396f10520cf4 100644 --- a/contrib/bind9/bin/check/check-tool.c +++ b/contrib/bind9/bin/check/check-tool.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.c,v 1.35.36.3 2009/01/20 02:03:18 marka Exp $ */ +/* $Id: check-tool.c,v 1.35.36.3.24.2 2010/09/07 23:46:25 tbox Exp $ */ /*! \file */ @@ -23,6 +23,10 @@ #include +#ifdef _WIN32 +#include +#endif + #include "check-tool.h" #include #include @@ -662,3 +666,26 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename, return (result); } + +#ifdef _WIN32 +void +InitSockets(void) { + WORD wVersionRequested; + WSADATA wsaData; + int err; + + wVersionRequested = MAKEWORD(2, 0); + + err = WSAStartup( wVersionRequested, &wsaData ); + if (err != 0) { + fprintf(stderr, "WSAStartup() failed: %d\n", err); + exit(1); + } +} + +void +DestroySockets(void) { + WSACleanup(); +} +#endif + diff --git a/contrib/bind9/bin/check/check-tool.h b/contrib/bind9/bin/check/check-tool.h index b0ba7e06ef44..01289266a7d2 100644 --- a/contrib/bind9/bin/check/check-tool.h +++ b/contrib/bind9/bin/check/check-tool.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.h,v 1.14 2007/06/18 23:47:17 tbox Exp $ */ +/* $Id: check-tool.h,v 1.14.628.2 2010/09/07 23:46:26 tbox Exp $ */ #ifndef CHECK_TOOL_H #define CHECK_TOOL_H @@ -43,6 +43,11 @@ isc_result_t dump_zone(const char *zonename, dns_zone_t *zone, const char *filename, dns_masterformat_t fileformat, const dns_master_style_t *style); +#ifdef _WIN32 +void InitSockets(void); +void DestroySockets(void); +#endif + extern int debug; extern isc_boolean_t nomerge; extern isc_boolean_t docheckmx; diff --git a/contrib/bind9/bin/check/named-checkconf.c b/contrib/bind9/bin/check/named-checkconf.c index eba0d93b641d..7ed1043438d2 100644 --- a/contrib/bind9/bin/check/named-checkconf.c +++ b/contrib/bind9/bin/check/named-checkconf.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkconf.c,v 1.46.222.2 2009/02/16 23:47:15 tbox Exp $ */ +/* $Id: named-checkconf.c,v 1.46.222.2.24.2 2010/09/07 23:46:26 tbox Exp $ */ /*! \file */ @@ -453,6 +453,10 @@ main(int argc, char **argv) { if (conffile == NULL || conffile[0] == '\0') conffile = NAMED_CONFFILE; +#ifdef _WIN32 + InitSockets(); +#endif + RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS); @@ -494,5 +498,9 @@ main(int argc, char **argv) { isc_mem_destroy(&mctx); +#ifdef _WIN32 + DestroySockets(); +#endif + return (exit_status); } diff --git a/contrib/bind9/bin/check/named-checkzone.c b/contrib/bind9/bin/check/named-checkzone.c index 0b49b51afc58..1fa015a88069 100644 --- a/contrib/bind9/bin/check/named-checkzone.c +++ b/contrib/bind9/bin/check/named-checkzone.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkzone.c,v 1.51.34.4 2009/11/10 20:01:41 each Exp $ */ +/* $Id: named-checkzone.c,v 1.51.34.4.10.2 2010/09/07 23:46:26 tbox Exp $ */ /*! \file */ @@ -419,6 +419,10 @@ main(int argc, char **argv) { if (isc_commandline_index + 2 != argc) usage(); +#ifdef _WIN32 + InitSockets(); +#endif + RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); if (!quiet) RUNTIME_CHECK(setup_logging(mctx, errout, &lctx) @@ -453,5 +457,8 @@ main(int argc, char **argv) { isc_hash_destroy(); isc_entropy_detach(&ectx); isc_mem_destroy(&mctx); +#ifdef _WIN32 + DestroySockets(); +#endif return ((result == ISC_R_SUCCESS) ? 0 : 1); } diff --git a/contrib/bind9/bin/dig/host.c b/contrib/bind9/bin/dig/host.c index 8cd5b3db29a8..1a7d174146bf 100644 --- a/contrib/bind9/bin/dig/host.c +++ b/contrib/bind9/bin/dig/host.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: host.c,v 1.116.216.3 2009/09/08 23:28:20 marka Exp $ */ +/* $Id: host.c,v 1.116.216.3.10.2 2010/10/19 23:46:25 tbox Exp $ */ /*! \file */ @@ -625,7 +625,9 @@ pre_parse_args(int argc, char **argv) { case 'v': break; case 'w': break; case 'C': break; - case 'D': break; + case 'D': + debugging = ISC_TRUE; + break; case 'N': break; case 'R': break; case 'T': break; @@ -792,7 +794,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) { ndots = atoi(isc_commandline_argument); break; case 'D': - debugging = ISC_TRUE; + /* Handled by pre_parse_args(). */ break; case '4': if (have_ipv4) { diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c index ae5386cb4893..a0e034ae2d27 100644 --- a/contrib/bind9/bin/named/client.c +++ b/contrib/bind9/bin/named/client.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.259.12.3 2009/01/29 22:40:33 jinmei Exp $ */ +/* $Id: client.c,v 1.259.12.3.24.2 2010/09/29 23:46:31 tbox Exp $ */ #include @@ -1859,13 +1859,13 @@ client_request(isc_task_t *task, isc_event_t *event) { client->view->recursionacl, ISC_TRUE) == ISC_R_SUCCESS && ns_client_checkaclsilent(client, NULL, - client->view->queryacl, + client->view->cacheacl, ISC_TRUE) == ISC_R_SUCCESS && ns_client_checkaclsilent(client, &client->interface->addr, client->view->recursiononacl, ISC_TRUE) == ISC_R_SUCCESS && ns_client_checkaclsilent(client, &client->interface->addr, - client->view->queryonacl, + client->view->cacheonacl, ISC_TRUE) == ISC_R_SUCCESS) ra = ISC_TRUE; diff --git a/contrib/bind9/bin/named/include/named/query.h b/contrib/bind9/bin/named/include/named/query.h index 500b57714e4f..3f019a3da691 100644 --- a/contrib/bind9/bin/named/include/named/query.h +++ b/contrib/bind9/bin/named/include/named/query.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.h,v 1.40 2007/06/19 23:46:59 tbox Exp $ */ +/* $Id: query.h,v 1.40.626.2 2010/09/29 23:46:31 tbox Exp $ */ #ifndef NAMED_QUERY_H #define NAMED_QUERY_H 1 @@ -71,6 +71,8 @@ struct ns_query { #define NS_QUERYATTR_SECURE 0x0200 #define NS_QUERYATTR_NOAUTHORITY 0x0400 #define NS_QUERYATTR_NOADDITIONAL 0x0800 +#define NS_QUERYATTR_CACHEACLOKVALID 0x1000 +#define NS_QUERYATTR_CACHEACLOK 0x2000 isc_result_t ns_query_init(ns_client_t *client); diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c index 73ed1a6b9095..0ba708bf7c06 100644 --- a/contrib/bind9/bin/named/query.c +++ b/contrib/bind9/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.313.20.16.10.2 2010/06/26 23:46:14 tbox Exp $ */ +/* $Id: query.c,v 1.313.20.16.10.3 2010/09/29 00:03:32 marka Exp $ */ /*! \file */ @@ -820,17 +820,15 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, return (DNS_R_REFUSED); dns_db_attach(client->view->cachedb, &db); - if ((client->query.attributes & - NS_QUERYATTR_QUERYOKVALID) != 0) { + if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) != 0) { /* - * We've evaluated the view's queryacl already. If - * NS_QUERYATTR_QUERYOK is set, then the client is + * We've evaluated the view's cacheacl already. If + * NS_QUERYATTR_CACHEACLOK is set, then the client is * allowed to make queries, otherwise the query should * be refused. */ check_acl = ISC_FALSE; - if ((client->query.attributes & - NS_QUERYATTR_QUERYOK) == 0) + if ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) == 0) goto refuse; } else { /* @@ -844,16 +842,15 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")]; result = ns_client_checkaclsilent(client, NULL, - client->view->queryacl, + client->view->cacheacl, ISC_TRUE); if (result == ISC_R_SUCCESS) { /* - * We were allowed by the default - * "allow-query" ACL. Remember this so we - * don't have to check again. + * We were allowed by the "allow-query-cache" ACL. + * Remember this so we don't have to check again. */ client->query.attributes |= - NS_QUERYATTR_QUERYOK; + NS_QUERYATTR_CACHEACLOK; if (log && isc_log_wouldlog(ns_g_lctx, ISC_LOG_DEBUG(3))) { @@ -876,9 +873,9 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, } /* * We've now evaluated the view's query ACL, and - * the NS_QUERYATTR_QUERYOK attribute is now valid. + * the NS_QUERYATTR_CACHEACLOKVALID attribute is now valid. */ - client->query.attributes |= NS_QUERYATTR_QUERYOKVALID; + client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID; if (result != ISC_R_SUCCESS) goto refuse; diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c index 8f6778666a07..5fbe043e644a 100644 --- a/contrib/bind9/bin/named/server.c +++ b/contrib/bind9/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.520.12.11.10.1 2010/03/03 22:06:36 marka Exp $ */ +/* $Id: server.c,v 1.520.12.11.10.4 2010/11/16 22:42:03 marka Exp $ */ /*! \file */ @@ -1132,6 +1132,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, dns_acache_setcachesize(view->acache, max_acache_size); } + CHECK(configure_view_acl(vconfig, config, "allow-query", actx, + ns_g_mctx, &view->queryacl)); + + if (view->queryacl == NULL) { + CHECK(configure_view_acl(NULL, ns_g_config, "allow-query", actx, + ns_g_mctx, &view->queryacl)); + } + /* * Configure the zones. */ @@ -1606,13 +1614,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, * configured in named.conf. */ CHECK(configure_view_acl(vconfig, config, "allow-query-cache", - actx, ns_g_mctx, &view->queryacl)); + actx, ns_g_mctx, &view->cacheacl)); CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", - actx, ns_g_mctx, &view->queryonacl)); - if (view->queryonacl == NULL) + actx, ns_g_mctx, &view->cacheonacl)); + if (view->cacheonacl == NULL) CHECK(configure_view_acl(NULL, ns_g_config, "allow-query-cache-on", actx, - ns_g_mctx, &view->queryonacl)); + ns_g_mctx, &view->cacheonacl)); if (strcmp(view->name, "_bind") != 0) { CHECK(configure_view_acl(vconfig, config, "allow-recursion", actx, ns_g_mctx, @@ -1628,14 +1636,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, * "allow-recursion" inherits from "allow-query-cache" if set, * otherwise from "allow-query" if set. */ - if (view->queryacl == NULL && view->recursionacl != NULL) - dns_acl_attach(view->recursionacl, &view->queryacl); - if (view->queryacl == NULL && view->recursion) + if (view->cacheacl == NULL && view->recursionacl != NULL) + dns_acl_attach(view->recursionacl, &view->cacheacl); + if (view->cacheacl == NULL && view->recursion) CHECK(configure_view_acl(vconfig, config, "allow-query", - actx, ns_g_mctx, &view->queryacl)); + actx, ns_g_mctx, &view->cacheacl)); if (view->recursion && - view->recursionacl == NULL && view->queryacl != NULL) - dns_acl_attach(view->queryacl, &view->recursionacl); + view->recursionacl == NULL && view->cacheacl != NULL) + dns_acl_attach(view->cacheacl, &view->recursionacl); /* * Set default "allow-recursion", "allow-recursion-on" and @@ -1651,16 +1659,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, "allow-recursion-on", actx, ns_g_mctx, &view->recursiononacl)); - if (view->queryacl == NULL) { + if (view->cacheacl == NULL) { if (view->recursion) CHECK(configure_view_acl(NULL, ns_g_config, "allow-query-cache", actx, - ns_g_mctx, &view->queryacl)); - else { - if (view->queryacl != NULL) - dns_acl_detach(&view->queryacl); - CHECK(dns_acl_none(ns_g_mctx, &view->queryacl)); - } + ns_g_mctx, &view->cacheacl)); + else + CHECK(dns_acl_none(ns_g_mctx, &view->cacheacl)); } /* diff --git a/contrib/bind9/lib/dns/api b/contrib/bind9/lib/dns/api index b1adf7845b24..82e6786c1d0a 100644 --- a/contrib/bind9/lib/dns/api +++ b/contrib/bind9/lib/dns/api @@ -1,3 +1,3 @@ -LIBINTERFACE = 57 +LIBINTERFACE = 58 LIBREVISION = 0 -LIBAGE = 2 +LIBAGE = 0 diff --git a/contrib/bind9/lib/dns/include/dns/view.h b/contrib/bind9/lib/dns/include/dns/view.h index 5b53c1644f72..0b4dedc9bf45 100644 --- a/contrib/bind9/lib/dns/include/dns/view.h +++ b/contrib/bind9/lib/dns/include/dns/view.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: view.h,v 1.111.88.4 2009/01/29 22:40:35 jinmei Exp $ */ +/* $Id: view.h,v 1.111.88.4.24.2 2010/09/29 23:46:31 tbox Exp $ */ #ifndef DNS_VIEW_H #define DNS_VIEW_H 1 @@ -118,6 +118,8 @@ struct dns_view { isc_boolean_t enablevalidation; isc_boolean_t acceptexpired; dns_transfer_format_t transfer_format; + dns_acl_t * cacheacl; + dns_acl_t * cacheonacl; dns_acl_t * queryacl; dns_acl_t * queryonacl; dns_acl_t * recursionacl; diff --git a/contrib/bind9/lib/dns/journal.c b/contrib/bind9/lib/dns/journal.c index 638e64755b54..933576f3f1f0 100644 --- a/contrib/bind9/lib/dns/journal.c +++ b/contrib/bind9/lib/dns/journal.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: journal.c,v 1.103.48.6 2009/11/04 23:47:25 tbox Exp $ */ +/* $Id: journal.c,v 1.103.48.6.10.2 2010/11/17 23:46:16 tbox Exp $ */ #include @@ -2173,6 +2173,12 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial, indexend = new->header.end.offset; } + + /* + * Close both journals before trying to rename files (this is + * necessary on WIN32). + */ + dns_journal_destroy(&j); dns_journal_destroy(&new); /* @@ -2180,12 +2186,14 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial, * Any IXFR outs will just continue and the old journal will be * removed on final close. * - * With MSDOS / NTFS we need to do a two stage rename triggered - * bu EEXISTS. Hopefully all IXFR's that were active at the last - * rename are now complete. + * With MSDOS / NTFS we need to do a two stage rename, triggered + * by EEXIST. (If any IXFR's are running in other threads, however, + * this will fail, and the journal will not be compacted. But + * if so, hopefully they'll be finished by the next time we + * compact.) */ if (rename(newname, filename) == -1) { - if (errno == EACCES && !is_backup) { + if (errno == EEXIST && !is_backup) { result = isc_file_remove(backup); if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) @@ -2202,7 +2210,6 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial, } } - dns_journal_destroy(&j); result = ISC_R_SUCCESS; failure: diff --git a/contrib/bind9/lib/dns/rbtdb.c b/contrib/bind9/lib/dns/rbtdb.c index 538c228df023..f61b83b8ba91 100644 --- a/contrib/bind9/lib/dns/rbtdb.c +++ b/contrib/bind9/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.270.12.16.10.3 2010/08/13 07:25:21 marka Exp $ */ +/* $Id: rbtdb.c,v 1.270.12.16.10.6 2010/11/16 07:46:23 marka Exp $ */ /*! \file */ @@ -5421,14 +5421,14 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, dns_rdataset_t *addedrdataset, isc_stdtime_t now) { rbtdb_changed_t *changed = NULL; - rdatasetheader_t *topheader, *topheader_prev, *header; + rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader; unsigned char *merged; isc_result_t result; isc_boolean_t header_nx; isc_boolean_t newheader_nx; isc_boolean_t merge; dns_rdatatype_t rdtype, covers; - rbtdb_rdatatype_t negtype; + rbtdb_rdatatype_t negtype, sigtype; dns_trust_t trust; int idx; @@ -5466,7 +5466,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE; topheader_prev = NULL; - + sigheader = NULL; negtype = 0; if (rbtversion == NULL && !newheader_nx) { rdtype = RBTDB_RDATATYPE_BASE(newheader->type); @@ -5475,26 +5475,34 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, * We're adding a negative cache entry. */ covers = RBTDB_RDATATYPE_EXT(newheader->type); - if (covers == dns_rdatatype_any) { + sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, + covers); + for (topheader = rbtnode->data; + topheader != NULL; + topheader = topheader->next) { /* - * We're adding an negative cache entry + * If we're adding an negative cache entry * which covers all types (NXDOMAIN, * NODATA(QTYPE=ANY)). * * We make all other data stale so that the * only rdataset that can be found at this * node is the negative cache entry. + * + * Otherwise look for any RRSIGs of the + * given type so they can be marked stale + * later. */ - for (topheader = rbtnode->data; - topheader != NULL; - topheader = topheader->next) { + if (covers == dns_rdatatype_any) { set_ttl(rbtdb, topheader, 0); topheader->attributes |= RDATASET_ATTR_STALE; - } - rbtnode->dirty = 1; - goto find_header; + rbtnode->dirty = 1; + } else if (topheader->type == sigtype) + sigheader = topheader; } + if (covers == dns_rdatatype_any) + goto find_header; negtype = RBTDB_RDATATYPE_VALUE(covers, 0); } else { /* @@ -5732,6 +5740,11 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, if (rbtversion == NULL) { set_ttl(rbtdb, header, 0); header->attributes |= RDATASET_ATTR_STALE; + if (sigheader != NULL) { + set_ttl(rbtdb, sigheader, 0); + sigheader->attributes |= + RDATASET_ATTR_STALE; + } } idx = newheader->node->locknum; if (IS_CACHE(rbtdb)) { @@ -7071,6 +7084,8 @@ dns_rbtdb_create * change. */ if (!IS_CACHE(rbtdb)) { + dns_rbtnode_t *nsec3node; + rbtdb->origin_node = NULL; result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin, &rbtdb->origin_node); @@ -7093,6 +7108,32 @@ dns_rbtdb_create rbtdb->origin_node->locknum = dns_name_hash(&name, ISC_TRUE) % rbtdb->node_lock_count; +#endif + /* + * Add an apex node to the NSEC3 tree so that NSEC3 searches + * return partial matches when there is only a single NSEC3 + * record in the tree. + */ + nsec3node = NULL; + result = dns_rbt_addnode(rbtdb->nsec3, &rbtdb->common.origin, + &nsec3node); + if (result != ISC_R_SUCCESS) { + INSIST(result != ISC_R_EXISTS); + free_rbtdb(rbtdb, ISC_FALSE, NULL); + return (result); + } + nsec3node->nsec3 = 1; + /* + * We need to give the nsec3 origin node the right locknum. + */ + dns_name_init(&name, NULL); + dns_rbt_namefromnode(nsec3node, &name); +#ifdef DNS_RBT_USEHASH + nsec3node->locknum = nsec3node->hashval % + rbtdb->node_lock_count; +#else + nsec3node->locknum = dns_name_hash(&name, ISC_TRUE) % + rbtdb->node_lock_count; #endif } diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c index 90c18bc95b3f..fc6f4544c3c8 100644 --- a/contrib/bind9/lib/dns/validator.c +++ b/contrib/bind9/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.164.12.11.10.6 2010/09/03 02:55:18 marka Exp $ */ +/* $Id: validator.c,v 1.164.12.11.10.7 2010/11/16 01:48:32 marka Exp $ */ #include @@ -393,6 +393,7 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) { isc_boolean_t want_destroy; isc_result_t result; isc_result_t eresult; + isc_result_t saved_result; UNUSED(task); INSIST(event->ev_type == DNS_EVENT_FETCHDONE); @@ -429,6 +430,17 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) { val->keyset = &val->frdataset; } result = validate(val, ISC_TRUE); + if (result == DNS_R_NOVALIDSIG && + (val->attributes & VALATTR_TRIEDVERIFY) == 0) + { + saved_result = result; + validator_log(val, ISC_LOG_DEBUG(3), + "falling back to insecurity proof"); + val->attributes |= VALATTR_INSECURITY; + result = proveunsecure(val, ISC_FALSE, ISC_FALSE); + if (result == DNS_R_NOTINSECURE) + result = saved_result; + } if (result != DNS_R_WAIT) validator_done(val, result); } else { @@ -619,6 +631,7 @@ keyvalidated(isc_task_t *task, isc_event_t *event) { isc_boolean_t want_destroy; isc_result_t result; isc_result_t eresult; + isc_result_t saved_result; UNUSED(task); INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE); @@ -645,6 +658,17 @@ keyvalidated(isc_task_t *task, isc_event_t *event) { if (val->frdataset.trust >= dns_trust_secure) (void) get_dst_key(val, val->siginfo, &val->frdataset); result = validate(val, ISC_TRUE); + if (result == DNS_R_NOVALIDSIG && + (val->attributes & VALATTR_TRIEDVERIFY) == 0) + { + saved_result = result; + validator_log(val, ISC_LOG_DEBUG(3), + "falling back to insecurity proof"); + val->attributes |= VALATTR_INSECURITY; + result = proveunsecure(val, ISC_FALSE, ISC_FALSE); + if (result == DNS_R_NOTINSECURE) + result = saved_result; + } if (result != DNS_R_WAIT) validator_done(val, result); } else { @@ -1875,9 +1899,11 @@ validate(dns_validator_t *val, isc_boolean_t resume) { * was known and "sufficiently good". */ if (!dns_resolver_algorithm_supported(val->view->resolver, - event->name, - val->siginfo->algorithm)) + event->name, + val->siginfo->algorithm)) { + resume = ISC_FALSE; continue; + } if (!resume) { result = get_key(val, val->siginfo); @@ -1888,16 +1914,12 @@ validate(dns_validator_t *val, isc_boolean_t resume) { } /* - * The key is insecure, so mark the data as insecure also. + * There isn't a secure DNSKEY for this signature so move + * onto the next RRSIG. */ if (val->key == NULL) { - if (val->mustbesecure) { - validator_log(val, ISC_LOG_WARNING, - "must be secure failure"); - return (DNS_R_MUSTBESECURE); - } - markanswer(val, "validate"); - return (ISC_R_SUCCESS); + resume = ISC_FALSE; + continue; } do { @@ -3703,6 +3725,20 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume) */ result = DNS_R_NOVALIDNSEC; goto out; + } else if (DNS_TRUST_PENDING(val->frdataset.trust) || + DNS_TRUST_ANSWER(val->frdataset.trust)) { + /* + * If we have "trust == answer" then this namespace + * has switched from insecure to should be secure. + */ + result = create_validator(val, tname, + dns_rdatatype_ds, + &val->frdataset, + NULL, dsvalidated, + "proveunsecure"); + if (result != ISC_R_SUCCESS) + goto out; + return (DNS_R_WAIT); } else if (val->frdataset.trust < dns_trust_secure) { /* * This shouldn't happen, since the negative diff --git a/contrib/bind9/lib/dns/view.c b/contrib/bind9/lib/dns/view.c index 3726eefa5fb6..54f0d264162a 100644 --- a/contrib/bind9/lib/dns/view.c +++ b/contrib/bind9/lib/dns/view.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: view.c,v 1.150.84.3.10.1 2010/03/03 22:06:39 marka Exp $ */ +/* $Id: view.c,v 1.150.84.3.10.2 2010/09/29 00:03:32 marka Exp $ */ /*! \file */ @@ -168,6 +168,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, view->acceptexpired = ISC_FALSE; view->minimalresponses = ISC_FALSE; view->transfer_format = dns_one_answer; + view->cacheacl = NULL; + view->cacheonacl = NULL; view->queryacl = NULL; view->queryonacl = NULL; view->recursionacl = NULL; @@ -294,6 +296,10 @@ destroy(dns_view_t *view) { dns_acl_detach(&view->matchclients); if (view->matchdestinations != NULL) dns_acl_detach(&view->matchdestinations); + if (view->cacheacl != NULL) + dns_acl_detach(&view->cacheacl); + if (view->cacheonacl != NULL) + dns_acl_detach(&view->cacheonacl); if (view->queryacl != NULL) dns_acl_detach(&view->queryacl); if (view->queryonacl != NULL) diff --git a/contrib/bind9/lib/isc/api b/contrib/bind9/lib/isc/api index 823f692fe3c4..b765f45fee6b 100644 --- a/contrib/bind9/lib/isc/api +++ b/contrib/bind9/lib/isc/api @@ -1,3 +1,3 @@ LIBINTERFACE = 53 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 3 diff --git a/contrib/bind9/lib/isc/print.c b/contrib/bind9/lib/isc/print.c index b892e3a2ed09..6b9819505584 100644 --- a/contrib/bind9/lib/isc/print.c +++ b/contrib/bind9/lib/isc/print.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: print.c,v 1.35 2008/02/18 23:46:59 tbox Exp $ */ +/* $Id: print.c,v 1.35.418.2 2010/10/18 23:46:34 tbox Exp $ */ /*! \file */ @@ -468,7 +468,7 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) { if (width > 0) { count += width; width--; - if (left) { + if (left && size > 1) { *str++ = c; size--; } diff --git a/contrib/bind9/release-notes.css b/contrib/bind9/release-notes.css new file mode 100644 index 000000000000..411eb8bfb83b --- /dev/null +++ b/contrib/bind9/release-notes.css @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: release-notes.css,v 1.1.4.3 2010/11/29 01:16:39 tbox Exp $ */ + +body { + background-color: #ffffff; + color: #333333; + font-family: "Helvetica Neue", "ArialMT", "Verdana", "Arial", "Helvetica", sans-serif; + font-size: 14px; + line-height: 18px; + margin: 2em auto; + width: 700px; +} + +.command { + font-family: "Courier New", "Courier", monospace; + font-weight: normal; +} + +.note { + background-color: #ddeedd; + border: 1px solid #aaccaa; + margin: 1em 0 1em 0; + padding: 0.5em 1em 0.5em 1em; + -moz-border-radius: 10px; + -webkit-border-radius: 10px; +} + +.screen { + background-color: #ffffee; + border: 1px solid #ddddaa; + padding: 0.25em 1em 0.25em 1em; + margin: 1em 0 1em 0; + -moz-border-radius: 10px; + -webkit-border-radius: 10px; +} + +.section.title { + font-size: 150%; + font-weight: bold; +} + +.section.section.title { + font-size: 130%; + font-weight: bold; +} diff --git a/contrib/bind9/version b/contrib/bind9/version index a16a96f2e012..d736ecf00acc 100644 --- a/contrib/bind9/version +++ b/contrib/bind9/version @@ -1,4 +1,4 @@ -# $Id: version,v 1.43.12.8.4.3 2010/09/03 02:57:11 marka Exp $ +# $Id: version,v 1.43.12.8.4.4 2010/11/18 23:37:13 marka Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -7,4 +7,4 @@ MAJORVER=9 MINORVER=6 PATCHVER= RELEASETYPE=-ESV -RELEASEVER=-R2 +RELEASEVER=-R3