src/contrib/bind9/lib/lwres/man/lwres_inetntop.html, branch main FreeBSD source tree Remove BIND. 2013-09-30T17:23:45+00:00 Dag-Erling Smørgrav des@FreeBSD.org 2013-09-30T17:23:45+00:00 56b72efe825d4190e0e2fdbc07ebb295cac299df Approved by: re (gjb) 
Approved by:	re (gjb)
Update Bind to 9.9.3-P2 2013-08-22T08:15:03+00:00 Erwin Lansing erwin@FreeBSD.org 2013-08-22T08:15:03+00:00 08e6ea976b86b6591f317d290bfc9743d11c21ac Notable new features: * Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918] * Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673] * BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989] * The new "inline-signing" option, in combination with the "auto-dnssec" option that was introduced in BIND 9.7, allows named to sign zones completely transparently. Approved by: delphij (mentor) MFC after: 3 days Sponsored by: DK Hostmaster A/S 
Notable new features:

*  Elliptic Curve Digital Signature Algorithm keys and signatures in
   DNSSEC are now supported per RFC 6605. [RT #21918]

*  Introduces a new tool "dnssec-verify" that validates a signed zone,
   checking for the correctness of signatures and NSEC/NSEC3 chains.
   [RT #23673]

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

*  The new "inline-signing" option, in combination with the
   "auto-dnssec" option that was introduced in BIND 9.7, allows
   named to sign zones completely transparently.

Approved by:	delphij (mentor)
MFC after:	3 days
Sponsored by:	DK Hostmaster A/S
Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes. 2012-04-05T04:29:35+00:00 Doug Barton dougb@FreeBSD.org 2012-04-05T04:29:35+00:00 d0f6280db790de2ad69bd01a1275e350cbd2840d 






Upgrade to BIND version 9.8.1. Release notes at:
2011-09-03T07:13:45+00:00

Doug Barton
dougb@FreeBSD.org

2011-09-03T07:13:45+00:00

6fae67da247296c5844ea54a5fc238184ed50046

https://deepthought.isc.org/article/AA-00446/81/
or
/usr/src/contrib/bind9/

Approved by:	re (kib)





https://deepthought.isc.org/article/AA-00446/81/
or
/usr/src/contrib/bind9/

Approved by:	re (kib)







Upgrade to version 9.8.0-P4
2011-07-16T11:12:09+00:00

Doug Barton
dougb@FreeBSD.org

2011-07-16T11:12:09+00:00

7afecc12f4d7b56f03438d5f41b837b9696f0a94

This version has many new features, see /usr/share/doc/bind9/README
for details.





This version has many new features, see /usr/share/doc/bind9/README
for details.







Update to BIND 9.6.3, the latest from ISC on the 9.6 branch.
2011-02-06T22:46:07+00:00

Doug Barton
dougb@FreeBSD.org

2011-02-06T22:46:07+00:00

5143adb5490e2ce9f3b7d74307c8f70197df2afe

All 9.6 users with DNSSEC validation enabled should upgrade to this
version, or the latest version in the 9.7 branch, prior to 2011-03-31
in order to avoid validation failures for names in .COM as described
here:

https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record

In addition the fixes for this and other bugs, there are also the
following:

  * Various fixes to kerberos support, including GSS-TSIG
  * Various fixes to avoid leaking memory, and to problems that could
    prevent a clean shutdown of named





All 9.6 users with DNSSEC validation enabled should upgrade to this
version, or the latest version in the 9.7 branch, prior to 2011-03-31
in order to avoid validation failures for names in .COM as described
here:

https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record

In addition the fixes for this and other bugs, there are also the
following:

  * Various fixes to kerberos support, including GSS-TSIG
  * Various fixes to avoid leaking memory, and to problems that could
    prevent a clean shutdown of named







Update to 9.6-ESV-R2, the latest from ISC.
2010-10-31T04:45:53+00:00

Doug Barton
dougb@FreeBSD.org

2010-10-31T04:45:53+00:00

34ceb982dc5764b63f6478db13396f87a0413247

This version contains bug fixes that are relevant to any
caching/resolving name server; as well as DNSSEC-related
fixes.





This version contains bug fixes that are relevant to any
caching/resolving name server; as well as DNSSEC-related
fixes.







Update to 9.6.2-P1, the latest patchfix release which deals with
2010-03-18T19:00:35+00:00

Doug Barton
dougb@FreeBSD.org

2010-03-18T19:00:35+00:00

b8743b3ba53f8c1f9f6a78f82683a4cbb4a47ca3

the problems related to the handling of broken DNSSEC trust chains.

This fix is only relevant for those who have DNSSEC validation
enabled and configure trust anchors from third parties, either
manually, or through a system like DLV.





the problems related to the handling of broken DNSSEC trust chains.

This fix is only relevant for those who have DNSSEC validation
enabled and configure trust anchors from third parties, either
manually, or through a system like DLV.







Upgrade to version 9.6.2. This version includes all previously released
2010-03-03T05:45:24+00:00

Doug Barton
dougb@FreeBSD.org

2010-03-03T05:45:24+00:00

eda14e83f216771932ca56c65bc62d994af63706

security patches to the 9.6.1 version, as well as many other bug fixes.

This version also incorporates a different fix for the problem we had
patched in contrib/bind9/bin/dig/dighost.c, so that file is now back
to being the same as the vendor version.

Due to the fact that the DNSSEC algorithm that will be used to sign the
root zone is only included in this version and in 9.7.x those who wish
to do validation MUST upgrade to one of these prior to July 2010.





security patches to the 9.6.1 version, as well as many other bug fixes.

This version also incorporates a different fix for the problem we had
patched in contrib/bind9/bin/dig/dighost.c, so that file is now back
to being the same as the vendor version.

Due to the fact that the DNSSEC algorithm that will be used to sign the
root zone is only included in this version and in 9.7.x those who wish
to do validation MUST upgrade to one of these prior to July 2010.







Upgrade to BIND 9.6.1-P3.
2010-01-25T06:18:31+00:00

Doug Barton
dougb@FreeBSD.org

2010-01-25T06:18:31+00:00

e049346bd486f9343f386ac4a295ef9936bc5691

This version address the following vulnerabilities:

BIND 9 Cache Update from Additional Section
https://www.isc.org/advisories/CVE-2009-4022v6
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
A nameserver with DNSSEC validation enabled may incorrectly add
unauthenticated records to its cache that are received during the
resolution of a recursive client query

BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses
https://www.isc.org/advisories/CVE-2010-0097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
There was an error in the DNSSEC NSEC/NSEC3 validation code that could
cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records
proven by NSEC or NSEC3 to exist) to be cached as if they had validated
correctly

These issues only affect systems with DNSSEC validation enabled.





This version address the following vulnerabilities:

BIND 9 Cache Update from Additional Section
https://www.isc.org/advisories/CVE-2009-4022v6
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
A nameserver with DNSSEC validation enabled may incorrectly add
unauthenticated records to its cache that are received during the
resolution of a recursive client query

BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses
https://www.isc.org/advisories/CVE-2010-0097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
There was an error in the DNSSEC NSEC/NSEC3 validation code that could
cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records
proven by NSEC or NSEC3 to exist) to be cached as if they had validated
correctly

These issues only affect systems with DNSSEC validation enabled.