Commit Graph

62 Commits

Author SHA1 Message Date
Erwin Lansing
08e6ea976b Update Bind to 9.9.3-P2
Notable new features:

*  Elliptic Curve Digital Signature Algorithm keys and signatures in
   DNSSEC are now supported per RFC 6605. [RT #21918]

*  Introduces a new tool "dnssec-verify" that validates a signed zone,
   checking for the correctness of signatures and NSEC/NSEC3 chains.
   [RT #23673]

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

*  The new "inline-signing" option, in combination with the
   "auto-dnssec" option that was introduced in BIND 9.7, allows
   named to sign zones completely transparently.

Approved by:	delphij (mentor)
MFC after:	3 days
Sponsored by:	DK Hostmaster A/S
2013-08-22 08:15:03 +00:00
Erwin Lansing
a273027f92 Update Bind to 9.8.5-P2
New Features

   Adds a new configuration option, "check-spf"; valid values are
   "warn" (default) and "ignore".  When set to "warn", checks SPF
   and TXT records in spf format, warning if either resource record
   type occurs without a corresponding record of the other resource
   record type.  [RT #33355]

   Adds support for Uniform Resource Identifier (URI) resource
   records. [RT #23386]

   Adds support for the EUI48 and EUI64 RR types. [RT #33082]

   Adds support for the RFC 6742 ILNP record types (NID, LP, L32,
   and L64). [RT #31836]

Feature Changes

   Changes timing of when slave zones send NOTIFY messages after
   loading a new copy of the zone.  They now send the NOTIFY before
   writing the zone data to disk.  This will result in quicker
   propagation of updates in multi-level server structures. [RT #27242]
   "named -V" can now report a source ID string.  (This is will be
   of most interest to developers and troubleshooters).  The source

   ID for ISC's production versions of BIND is defined in the "srcid"
   file in the build tree and is normally set to the most recent
   git hash. [RT #31494]

   Response Policy Zone performance enhancements.  New "response-policy"
   option "min-ns-dots".  "nsip" and "nsdname" now enabled by default
   with RPZ. [RT #32251]

Approved by:	delphij (mentor)
Sponsored by:	DK Hostmaster A/S
2013-08-06 06:22:54 +00:00
Erwin Lansing
378a72e36a Update to 9.8.4-P2
Removed the check for regex.h in configure in order
to disable regex syntax checking, as it exposes
BIND to a critical flaw in libregex on some
platforms. [RT #32688]

Security:	CVE-2013-2266
Approved by:	delphij (mentor)
Sponsored by:	DK Hostmaster A/S
2013-03-27 10:11:43 +00:00
Erwin Lansing
ebd98a8393 Re-disable GSSAPI, which does not build on several archs.
Approved by:	delphij (mentor)
2012-12-07 16:05:04 +00:00
Erwin Lansing
cfd4d2c42e Update to 9.8.4-P1.
Security Fixes

   Prevents named from aborting with a require assertion failure
   on servers with DNS64 enabled.  These crashes might occur as a
   result of  specific queries that are received.

New Features

*  Elliptic Curve Digital Signature Algorithm keys and signatures in
   DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

*  Improves OpenSSL error logging [RT #29932]

*  nslookup now returns a nonzero exit code when it is unable to get
   an answer.  [RT #29492]

Other critical bug fixes are included.

Approved by:	delphij (mentor)
MFC after:	3 days
Security:	CVE-2012-5688
Sponsored by:	DK Hostmaster A/S
2012-12-07 12:39:58 +00:00
Doug Barton
687aeb3821 Upgrade to BIND version 9.8.3, the latest from ISC.
Feature Change

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)

Bug Fix

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-
   threaded environment.

Other critical bug fixes are included.

All BIND users are encouraged to upgrade.
2012-05-28 19:47:56 +00:00
Doug Barton
d0f6280db7 Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes. 2012-04-05 04:29:35 +00:00
Doug Barton
6fae67da24 Upgrade to BIND version 9.8.1. Release notes at:
https://deepthought.isc.org/article/AA-00446/81/
or
/usr/src/contrib/bind9/

Approved by:	re (kib)
2011-09-03 07:13:45 +00:00
Doug Barton
023343ae9a Fixes to make the WITH_BIND_LIBS option functional with BIND 9.8.x 2011-07-17 12:07:22 +00:00
Doug Barton
25630ba729 bmake and other updates necessary for the BIND 9.8.x upgrade.
This includes a structural change regarding atomic ops. Previously they
were enabled on all platforms unless we had knowledge that they did not
work. However both work performed by marius@ on sparc64 and the fact that
the 9.8.x branch is fussier in this area has demonstrated that this is
not a safe approach. So I've modified a patch provided by marius to
enable them for i386, amd64, and ia64 only.
2011-07-16 11:20:54 +00:00
Doug Barton
8e75ad45e6 Handle the MK_BIND_XML option more intelligently 2011-07-16 07:12:02 +00:00
Doug Barton
5143adb549 Update to BIND 9.6.3, the latest from ISC on the 9.6 branch.
All 9.6 users with DNSSEC validation enabled should upgrade to this
version, or the latest version in the 9.7 branch, prior to 2011-03-31
in order to avoid validation failures for names in .COM as described
here:

https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record

In addition the fixes for this and other bugs, there are also the
following:

  * Various fixes to kerberos support, including GSS-TSIG
  * Various fixes to avoid leaking memory, and to problems that could
    prevent a clean shutdown of named
2011-02-06 22:46:07 +00:00
Doug Barton
54570c503f Revert part of r217071 so that us mere mortals can clearly see
what this bit of code is intended to do. :)

Approved by:	imp
2011-01-09 23:47:11 +00:00
Warner Losh
75f7527121 Make this work on big endian MIPS, while not breaking it for small
endian mips.  This will also make it work automatically on all future
big endian platforms.
2011-01-06 21:07:51 +00:00
Doug Barton
031f70f09f Prep for the 9.6-ESV-R2 update 2010-10-31 04:45:25 +00:00
Nathan Whitehorn
daf94b1b7a Since powerpc and powerpc64 share an instruction set, bind can and should
use the 32-bit atomic operations unmodified. Accomplish this by switching
some MACHINE_ARCH values to MACHINE_CPUARCH.
2010-07-10 17:46:53 +00:00
Doug Barton
b8743b3ba5 Update to 9.6.2-P1, the latest patchfix release which deals with
the problems related to the handling of broken DNSSEC trust chains.

This fix is only relevant for those who have DNSSEC validation
enabled and configure trust anchors from third parties, either
manually, or through a system like DLV.
2010-03-18 19:00:35 +00:00
Doug Barton
eda14e83f2 Upgrade to version 9.6.2. This version includes all previously released
security patches to the 9.6.1 version, as well as many other bug fixes.

This version also incorporates a different fix for the problem we had
patched in contrib/bind9/bin/dig/dighost.c, so that file is now back
to being the same as the vendor version.

Due to the fact that the DNSSEC algorithm that will be used to sign the
root zone is only included in this version and in 9.7.x those who wish
to do validation MUST upgrade to one of these prior to July 2010.
2010-03-03 05:45:24 +00:00
Doug Barton
b25d11ad65 Commit copyright-only changes to generated files as part of the
9.6.1-P3 update
2010-01-25 04:42:54 +00:00
Doug Barton
9748b72412 Update to BIND 9.6.1-P2. The vulnerability this is designed to fix is
related to DNSSEC validation on a resolving name server that allows
access to untrusted users. If your system does not fall into all 3 of
these categories you do not need to update immediately.
2009-11-30 03:38:34 +00:00
Doug Barton
536613bc35 Add support for the build options that are currently in the port:
WITH_BIND_IDN
	WITH_BIND_LARGE_FILE
	WITH_BIND_SIGCHASE
	WITH_BIND_XML
2009-06-01 21:58:59 +00:00
Doug Barton
6318052d9e Update BIND to version 9.6.1rc1. This version has better performance and
lots of new features compared to 9.4.x, including:

	Full NSEC3 support
	Automatic zone re-signing
	New update-policy methods tcp-self and 6to4-self
	DHCID support.
	More detailed statistics counters including those supported in BIND 8.
	Faster ACL processing.
	Efficient LRU cache-cleaning mechanism.
	NSID support.
2009-05-31 05:42:58 +00:00
Doug Barton
9097ac2a7f In preparation for the BIND 9.6.1rc1 import, remove this directory.
The libbind library is no longer distributed as part of the main
BIND package, and we never built it in any case.
2009-05-30 23:50:12 +00:00
Doug Barton
d851678b62 Updates for version 9.4.3 2008-12-23 22:50:39 +00:00
Doug Barton
a5ab4ac13e Vendor import of BIND 9.4.3 2008-12-23 19:18:41 +00:00
Doug Barton
387c038fad Update copyrights and comments as of 9.4.3 (no functional changes) 2008-12-23 19:15:04 +00:00
Doug Barton
2fabdf5789 Vendor import of BIND 9.4.3 2008-12-23 18:35:21 +00:00
Konstantin Belousov
20e76cb365 Add strndup(3) prototype to string.h.
This change was erronously ommitted from the r185690, and attempt
to simply add the prototype to string.h has revealed that several
contributed programs defined local prototypes for strndup(), controlled
by autoconfed config.h. So, manually change #undef HAVE_STRNDUP to
#define HAVE_STRNDUP 1. Next import of the corresponding program would
regenerate config.h, overriding the changes in this commit.

No objections from: kan
2008-12-08 21:04:24 +00:00
Doug Barton
35a876a0ed Update for version 9.4.2-P2 2008-09-01 22:55:23 +00:00
Doug Barton
ca732c8b83 Vendor import of BIND 9.4.2-P2 2008-09-01 20:53:25 +00:00
Doug Barton
e9dc1cc616 These files are unused, and due to a more thorough FREEBSD-Xlist
are no longer updated.
2008-07-12 07:32:48 +00:00
Peter Wemm
a988131922 Flatten bind9 vendor work area 2008-07-12 05:00:28 +00:00
Doug Barton
02b0457cc2 One more glue update for BIND 9.4.2 2007-12-02 22:21:30 +00:00
Doug Barton
476368dbeb Update glue for BIND 9.4.2 2007-12-02 19:13:58 +00:00
Doug Barton
34a1405271 Remove the special atomic.h case for arm, and allow it to use
the platform specific file that imp provided.
2007-06-05 22:17:16 +00:00
Doug Barton
6c49136e5e Fix the amd64 and pc98 versions of ISC_ATOMIC_ARCH with some help
from ru@.

Take a guess at what might work on arm to try and fix the build.
2007-06-03 16:49:57 +00:00
Doug Barton
47f2e4235c Update generated files for BIND 9.4.1 2007-06-02 23:24:14 +00:00
Doug Barton
d6ceb6db22 Update bmake glue for the BIND 9.4.1 import.
This includes a return to building with threads, since one of the
major focuses of the 9.4.x branch is to improve thread performance.
2007-06-02 23:19:58 +00:00
Doug Barton
7f4199b213 Update generated files for BIND 9.3.4 2007-01-29 18:33:18 +00:00
Doug Barton
b02f06c3da Changes to generated files related to the 9.3.3 import. 2006-12-10 07:11:04 +00:00
Ruslan Ermilov
e1fe3dba5c Reimplementation of world/kernel build options. For details, see:
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by:	imp, jhb, kris, phk, ru (all bugs are mine)
2006-03-17 18:54:44 +00:00
Doug Barton
a52821c94c Updated versions of header files generated per the instructions
in src/contrib/bind9/FREEBSD-Upgrade for the 9.2.3 import
2005-12-29 04:29:03 +00:00
Ruslan Ermilov
1e4146ce4b Finish the removal of threads support in ../config.mk,v 1.15. 2005-11-07 15:22:35 +00:00
Dag-Erling Smørgrav
c9275efacc Disable thread support in BIND. It appears to reduce performance rather
than increase it, and seems to be the cause of the memory leaks which some
users have reported.

Requested by:	dougb
MFC after:	5 days
2005-07-25 14:44:11 +00:00
Doug Barton
abc776e5fc Regenerate for 9.3.1 2005-03-17 08:39:12 +00:00
Doug Barton
098df091f3 bmake changes to handle the move of dns/sec and related files 2005-03-17 08:35:21 +00:00
Ruslan Ermilov
731db6a428 NOINET6 -> NO_INET6 2004-12-21 10:49:29 +00:00
Ruslan Ermilov
a216173556 NOCRYPT -> NO_CRYPT 2004-12-21 10:16:04 +00:00
Ruslan Ermilov
f1f6253f4f NOLIBC_R -> NO_LIBC_R
NOLIBPTHREAD -> NO_LIBPTHREAD
NOLIBTHR -> NO_LIBTHR
2004-12-21 09:00:26 +00:00
Ruslan Ermilov
6ef8c2e5c6 For variables that are only checked with defined(), don't provide
any fake value.
2004-10-24 15:46:50 +00:00