aboutsummaryrefslogtreecommitdiff
path: root/dns/bind96
Commit message (Collapse)AuthorAgeFilesLines
* Upgrade to 9.6-ESV-R7-P1, 9.7.6-P1, 9.8.3-P1, and 9.9.1-P1, the latestDoug Barton2012-06-042-6/+6
| | | | | | | | | | | | | | | | | | | from ISC. These patched versions contain a critical bugfix: Processing of DNS resource records where the rdata field is zero length may cause various issues for the servers handling them. Processing of these records may lead to unexpected outcomes. Recursive servers may crash or disclose some portion of memory to the client. Secondary servers may crash on restart after transferring a zone containing these records. Master servers may corrupt zone data if the zone option "auto-dnssec" is set to "maintain". Other unexpected problems that are not listed here may also be encountered. All BIND users are strongly encouraged to upgrade. Notes: svn path=/head/; revision=298399
* Upgrade to BIND versions 9.9.1, 9.8.3, 9.7.6, and 9.6-ESV-R7,Doug Barton2012-05-232-6/+6
| | | | | | | | | | | | | | | | | | | | | | | the latest from ISC. These versions all contain the following: Feature Change * BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989] Bug Fix * The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi- threaded environment. Each version also contains other critical bug fixes. All BIND users are encouraged to upgrade to these latest versions. Notes: svn path=/head/; revision=297257
* Update to version 9.6-ESV-R6, the latest from ISC, which contains numerous ↵Doug Barton2012-04-044-78/+10
| | | | | | | | | | | | | bug fixes. For the port, switch to using the PORTDOCS macro. Also, switch to the (identical) pkg-message in ../bind97 which was apparently missed when the other ports were converted. Feature safe: yes Notes: svn path=/head/; revision=294220
* Upgrade to the latest security patch releases to address theDoug Barton2011-11-162-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | following DDOS bug: Recursive name servers are failing with an assertion: INSIST(! dns_rdataset_isassociated(sigrdataset)) At this time it is not thought that authoritative-only servers are affected, but information about this bug is evolving rapidly. Because it may be possible to trigger this bug even on networks that do not allow untrusted users to access the recursive name servers (perhaps via specially crafted e-mail messages, and/or malicious web sites) it is recommended that ALL operators of recursive name servers upgrade immediately. For more information see: https://www.isc.org/software/bind/advisories/cve-2011-tbd which will be updated as more information becomes available. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313 Feature safe: yes Notes: svn path=/head/; revision=285937
* Remove more tags from pkg-descr files fo the form:Doug Barton2011-10-241-3/+0
| | | | | | | | | | | - Name em@i.l or variations thereof. While I'm here also fix some whitespace and other formatting errors, including moving WWW: to the last line in the file. Notes: svn path=/head/; revision=284232
* Update to version 9.6-ESV-R5 which contains various bug fixesDoug Barton2011-08-023-7/+13
| | | | | | | | | and improvements: ftp://ftp.isc.org/isc/bind9/9.6-ESV-R5/RELEASE-NOTES-BIND-9.6-ESV.html Notes: svn path=/head/; revision=278762
* Remove patch incorporated into version 9.6-ESV-R5Doug Barton2011-08-021-14/+0
| | | | Notes: svn path=/head/; revision=278761
* Fix the location of the default pid file in named.8Doug Barton2011-07-171-0/+1
| | | | | | | | | | Problem pointed out in the PR PR: conf/155006 Submitted by: Helmut Schneider <jumper99@gmx.de> Notes: svn path=/head/; revision=277826
* Update to versions 9.7.3-P3, and 9.6-ESV-R4-P3.Doug Barton2011-07-052-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | ALL BIND USERS ARE ENCOURAGED TO UPGRADE IMMEDIATELY This update addresses the following vulnerability: CVE-2011-2464 ============= Severity: High Exploitable: Remotely Description: A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464 https://www.isc.org/software/bind/advisories/cve-2011-2464 Notes: svn path=/head/; revision=277140
* Upgrade to 9.6-ESV-R4-P1 and 9.7.3-P1, which address the following issues:Doug Barton2011-05-273-6/+20
| | | | | | | | | | | | | | | | | | | 1. Very large RRSIG RRsets included in a negative cache can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check. This bug affects all resolving name servers, whether DNSSEC validation is enabled or not, on all BIND versions prior to today. There is a possibility of malicious exploitation of this bug by remote users. 2. Named could fail to validate zones listed in a DLV that validated insecure without using DLV and had DS records in the parent zone. Add a patch provided by ru@ and confirmed by ISC to fix a crash at shutdown time when a SIG(0) key is being used. Notes: svn path=/head/; revision=274746
* Miscellaneous cleanups and fixes, some of the windowmaker stuffDoug Barton2011-05-161-1/+1
| | | | | | | gracefully provided by danfe. Notes: svn path=/head/; revision=274159
* Update to BIND 9.6.3, the latest from ISC on the 9.6 branch.Doug Barton2011-02-052-6/+6
| | | | | | | | | | | | | | | | | | | All 9.6 users with DNSSEC validation enabled should upgrade to this version, or the latest version in the 9.7 branch, prior to 2011-03-31 in order to avoid validation failures for names in .COM as described here: https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record In addition the fixes for this and other bugs, there are also the following: * Various fixes to kerberos support, including GSS-TSIG * Various fixes to avoid leaking memory, and to problems that could prevent a clean shutdown of named Feature safe: yes Notes: svn path=/head/; revision=268619
* CONFLICTS for bind98Doug Barton2010-12-181-1/+1
| | | | Notes: svn path=/head/; revision=266535
* Update to version 9.6-ESV-R3, the latest from ISC, which addressesDoug Barton2010-12-032-20/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the following security vulnerabilities. For more information regarding these issues please see: http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories 1. Cache incorrectly allows ncache and rrsig for the same type http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613 Affects resolver operators whose servers are open to potential attackers. Triggering the bug will cause the server to crash. This bug applies even if you do not have DNSSEC enabled. 2. Using "allow-query" in the "options" or "view" statements to restrict access to authoritative zones has no effect. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3615 Affects authoritative server operators who wish to generally restrict queries to their authoritative zones, and are running 9.6.2-P2 or any version of 9.7.x. The bug will allow unauthorized end users to receive answers to queries they should not. For the port: 1. Add CONFLICT for the ../bind-tools port 2. Remove CONFLICT for the removed ../bind9 port 3. Remove OPTION for threads on < RELENG_7 4. Switch to pkg-install to create the symlinks to /etc/namedb/ as requested in [1] PR: ports/151635 [1] Submitted by: Benjamin Lee <ben@b1c1l1.com> [1] Notes: svn path=/head/; revision=265651
* Update to 9.6-ESV-R2, the latest from ISC.Doug Barton2010-10-302-8/+6
| | | | | | | | | This version contains bug fixes that are relevant to any caching/resolving name server; as well as DNSSEC-related fixes. Notes: svn path=/head/; revision=263802
* Update to the latest patch set from ISC, which addresses the following:Doug Barton2010-05-202-8/+8
| | | | | | | | Named could return SERVFAIL for negative responses from unsigned zones. Notes: svn path=/head/; revision=254632
* Update to the latest patchfix releases to deal with the problemsDoug Barton2010-03-172-8/+8
| | | | | | | | | | | related to the handling of broken DNSSEC trust chains. This fix is only necessary for those who have DNSSEC validation enabled and configure trust anchors from third parties, either manually, or through a system like DLV. Notes: svn path=/head/; revision=251154
* Upgrade to version 9.6.2. This version includes all previously releasedDoug Barton2010-03-023-27/+8
| | | | | | | | | | | | | security patches to the 9.6.1 version, as well as many other bug fixes. Due to the fact that the DNSSEC algorithm that will be used to sign the root zone is only included in this version and in 9.7.x those who wish to do validation MUST upgrade to one of these prior to July 2010. Feature safe: yes Notes: svn path=/head/; revision=250486
* Upgrade to BIND 9.4.3-P5, 9.5.2-P2, and 9.6.1-P3. These versions addressDoug Barton2010-01-252-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | the following vulnerabilities: BIND 9 Cache Update from Additional Section https://www.isc.org/advisories/CVE-2009-4022v6 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022 A nameserver with DNSSEC validation enabled may incorrectly add unauthenticated records to its cache that are received during the resolution of a recursive client query BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses https://www.isc.org/advisories/CVE-2010-0097 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097 There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly These issues only affect systems with DNSSEC validation enabled. Notes: svn path=/head/; revision=248498
* Update CONFLICTS for bind97Doug Barton2009-12-141-1/+1
| | | | Notes: svn path=/head/; revision=245755
* Update to the latest patchlevels for BINDs 9.[456]. The vulnerabilityDoug Barton2009-11-302-9/+8
| | | | | | | | | | this is designed to fix is related to DNSSEC validation on a resolving name server that allows access to untrusted users. If your system does not fall into all 3 of these categories you do not need to update immediately. Notes: svn path=/head/; revision=245002
* Wrap some query socket handling in dig with a socket != NULL bowDoug Barton2009-11-072-0/+20
| | | | | | | | | | | | | This patch or something similar will likely be included in a future BIND release. PR: bin/138061 Submitted by: Michael Baker <michael.baker@diversit.com.au> Original patch submitted by: Volker <volker@vwsoft.com> Patch reviewed and tweaked by: ISC Notes: svn path=/head/; revision=243943
* The new LINKS OPTION is not only useless it's harmful when combinedDoug Barton2009-09-011-2/+2
| | | | | | | | | | with the REPLACE_BASE option so if the latter is defined don't try to make the LINKS. Problem pointed out by: Chris Wopat <me@falz.net> Notes: svn path=/head/; revision=240641
* For all:Doug Barton2009-08-292-2/+59
| | | | | | | | | | | | | | | | | Add an OPTION (on by default) to install the appropriate symlinks for named.conf and rndc.key in /usr/local/etc and /var/named/usr/local/etc. For bind9[456]: Add OPTIONs (off by default) for the DLZ configure options, and their corresponding ports knobs. [1] The basic infrastructure for this was provided in the PR, but this version is slightly different in a few details so responsibility for bugs is mine. PR: ports/122974 [1] Submitted by: Michael Schout <mschout@gkg.net> [1] Notes: svn path=/head/; revision=240544
* The dependency on idnkit should be a LIB_, not a BUILD_Doug Barton2009-07-301-1/+1
| | | | | | | | PR: ports/137240 Submitted by: danger Notes: svn path=/head/; revision=238687
* Update the hashes of the PGP signature files for the new releases.Doug Barton2009-07-291-2/+2
| | | | | | | | | | The previous signatures were derived from the wrong key. The new signatures all verify correctly. No changes to the hashes for the software itself. Notes: svn path=/head/; revision=238636
* Update to patched versions which address a remote DoS vulnerability:Doug Barton2009-07-282-8/+8
| | | | | | | | | | | | | | | Receipt of a specially-crafted dynamic update message may cause BIND 9 servers to exit. This vulnerability affects all servers -- it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround. More details can be found here: https://www.isc.org/node/474 All BIND users are encouraged to update to a patched version ASAP. Notes: svn path=/head/; revision=238566
* Update to version 9.6.1, the latest from ISC. This version containsDoug Barton2009-06-193-9/+10
| | | | | | | | | | numerous bug fixes and updates, especially in the DNSSEC code, including the new NSEC3 protocol. Full details are available at: http://oldwww.isc.org/sw/bind/view/?release=9.6.1&noframes=1 Notes: svn path=/head/; revision=236266
* - Flip from MAKE_JOBS_SAFE to MAKE_JOBS_UNSAFE, fails both on pointyhat and onPav Lucistnik2009-04-121-1/+1
| | | | | | | my local machine Notes: svn path=/head/; revision=232247
* Fix CONFLICTS (again). The previous example didn't work at all for portsDoug Barton2009-03-241-1/+1
| | | | | | | | other than plain bind9 since the real PORTNAMEs for the other ports are bind9[456]. This fix has the added advantage of covering REPLACE_BASE. Notes: svn path=/head/; revision=230905
* Where it matters, update regarding MAKE_JOBS_{UN}SAFE for my portsDoug Barton2009-03-241-0/+2
| | | | Notes: svn path=/head/; revision=230904
* Update to the -P1 versions of the current BIND ports which containDoug Barton2009-01-082-14/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | the fix for the following vulnerability: https://www.isc.org/node/373 Description: Return values from OpenSSL library functions EVP_VerifyFinal() and DSA_do_verify() were not checked properly. Impact: It is theoretically possible to spoof answers returned from zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6). In short, if you're not using DNSSEC to verify signatures you have nothing to worry about. While I'm here, address the issues raised in the PR by adding a knob to disable building with OpenSSL altogether (which eliminates DNSSEC capability), and fix the configure arguments to better deal with the situation where the user has ssl bits in both the base and LOCALBASE. PR: ports/126297 Submitted by: Ronald F.Guilmette <rfg@tristatelogic.com> Notes: svn path=/head/; revision=225434
* Update CONFLICTS to reflect the addition of the bind96 port,Doug Barton2009-01-041-1/+1
| | | | | | | the demise of bind9-dlz, and updates to the bind9-sdb-* ports. Notes: svn path=/head/; revision=225213
* Update after repo-copy for BIND 9.6.0Doug Barton2009-01-044-22/+31
| | | | Notes: svn path=/head/; revision=225212
* Upgrade to version 9.5.1 which includes numerous bug fixes and performanceDoug Barton2008-12-293-13/+19
| | | | | | | | | | | | improvements, including, "Additional support for query port randomization including performance improvement and port range specification." When building on amd64 ports' configure doesn't properly recognize our arch, so help it along a bit. [1] Submitted by: ivan jr sy <ivan_jr@yahoo.com> [1] Notes: svn path=/head/; revision=224956
* Adjust WWWs for new ISC websiteDoug Barton2008-12-191-1/+1
| | | | Notes: svn path=/head/; revision=224478
* All -P2 versions now have PGP signatures with ISC's standardDoug Barton2008-08-091-3/+3
| | | | | | | | | | signing key. PR: ports/126389 (for bind9) Submitted by: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp> Notes: svn path=/head/; revision=218258
* Update to patchlevel 2 for all versions:Doug Barton2008-08-022-8/+8
| | | | | | | | | | | | | - performance improvement over the P1 releases, namely + significantly remedying the port allocation issues + allowing TCP queries and zone transfers while issuing as many outstanding UDP queries as possible + additional security of port randomization at the same level as P1 - also includes fixes for several bugs in the 9.5.0 base code Notes: svn path=/head/; revision=217934
* Add an OPTION to turn on the ability of dns/host/nslookup to doDoug Barton2008-07-161-0/+5
| | | | | | | | | | | DNSSEC validation. This is off by default, so no PORTREVISION bump. Submitted by: Andrei V. Lavreniyuk <andy.lavr@reactor-xg.kiev.ua> Notes: svn path=/head/; revision=216933
* Strengthen the wording regarding the THREADS OPTION for <FreeBSD-7Doug Barton2008-07-111-1/+1
| | | | Notes: svn path=/head/; revision=216716
* Upgrade to the -P1 versions of each port, which add stronger randomizationDoug Barton2008-07-092-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | of the UDP query-source ports. The server will still use the same query port for the life of the process, so users for whom the issue of cache poisoning is highly significant may wish to periodically restart their server using /etc/rc.d/named restart, or other suitable method. In order to take advantage of this randomization users MUST have an appropriate firewall configuration to allow UDP queries to be sent and answers to be received on random ports; and users MUST NOT specify a port number using the query-source[-v6] option. The avoid-v[46]-udp-ports options exist for users who wish to eliminate certain port numbers from being chosen by named for this purpose. See the ARM Chatper 6 for more information. Also please note, this issue applies only to UDP query ports. A random ephemeral port is always chosen for TCP queries. This issue applies primarily to name servers whose main purpose is to resolve random queries (sometimes referred to as "caching" servers, or more properly as "resolving" servers), although even an "authoritative" name server will make some queries, primarily at startup time. This update addresses issues raised in: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 http://www.kb.cert.org/vuls/id/800113 http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience Notes: svn path=/head/; revision=216629
* Make CONFLICTS a little cleanerDoug Barton2008-07-042-2/+4
| | | | | | | Add README.idnkit to PORTDOCS Notes: svn path=/head/; revision=216303
* Update for 9.5.0Doug Barton2008-07-034-30/+57
| | | | | | | | | | | | | | | | | | | | | | | | Some of the important features of BIND 9 are: DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests) IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA) Experimental IPv6 Resolver Library DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0 Improved standards conformance Views: One server process can provide multiple "views" of the DNS namespace, e.g. an "inside" view to certain clients, and an "outside" view to others. Multiprocessor Support, including working threads in this version BIND 9.5 has a number of new features over previous versions, including: GSS-TSIG support (RFC 3645), DHCID support Experimental http server and statistics support for named via xml More detailed statistics counters, compatible with the ones supported in BIND 8 Faster ACL processing Efficient LRU cache cleaning mechanism. NSID support (RFC 5001). Notes: svn path=/head/; revision=216215
* Update the pkg-message to be even less version-specific, and tell the userDoug Barton2008-06-021-9/+8
| | | | | | | that /etc/rc.d/named will handle everything for them. Notes: svn path=/head/; revision=214165
* Fix pkg-plist by including a new file.Doug Barton2007-12-052-0/+2
| | | | | | | | Pointy hat number N:M (where M = many) goes to: dougb Approved by: portmgr (erwin) Notes: svn path=/head/; revision=202908
* ISC recently announced that BIND 8 has been End-of-Life'd:Doug Barton2007-12-031-1/+1
| | | | | | | | | | | | | | http://www.isc.org/index.pl?/sw/bind/bind8-eol.php Therefore, per the previous announcement, remove the ports for BIND 8. This includes the chinese/bind8 slave port, and mail/smc-milter which has a dependency on libbind_r.a from BIND 8.x. The latter has been unmaintained since 2005, and is 3 versions behind. Approved by: portmgr (linimon) Notes: svn path=/head/; revision=202883
* Update to BIND 9.4.2. Many bugs are fixed, please see the CHANGESDoug Barton2007-12-014-17/+14
| | | | | | | | | file for more details. Approved by: portmgr (erwin) Notes: svn path=/head/; revision=202873
* Update to 9.4.1-P1, which has fixes for the following:Doug Barton2007-07-242-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | 1. The default access control lists (acls) are not being correctly set. If not set anyone can make recursive queries and/or query the cache contents. See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925 2. The DNS query id generation is vulnerable to cryptographic analysis which provides a 1 in 8 chance of guessing the next query id for 50% of the query ids. This can be used to perform cache poisoning by an attacker. This bug only affects outgoing queries, generated by BIND 9 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFYs to slave name servers. All users are encouraged to upgrade. See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926 Notes: svn path=/head/; revision=196229
* - Set --mandir and --infodir in CONFIGURE_ARGS if the configure scriptRong-En Fan2007-07-231-2/+1
| | | | | | | | | | | | | | | | | | | | | supports them. This is determined by running ``configure --help'' in do-configure target and set the shell variable _LATE_CONFIGURE_ARGS which is then passed to CONFIGURE_ARGS. - Remove --mandir and --infodir in ports' Makefile where applicable Few ports use REINPLACE_CMD to achieve the same effect, remove them too. - Correct some manual pages location from PREFIX/man to MANPREFIX/man - Define INFO_PATH where necessary - Document that .info files are installed in a subdirectory relative to PREFIX/INFO_PATH and slightly change add-plist-info to use INFO_PATH and subdirectory detection. PR: ports/111470 Approved by: portmgr Discussed with: stas (Mk/*), gerald (info related stuffs) Tested by: pointyhat exp run Notes: svn path=/head/; revision=196111
* Update to version 9.4.1, a security update from ISC:Doug Barton2007-05-012-8/+8
| | | | | | | | | | | 2172. [bug] query_addsoa() was being called with a non zone db. [RT #16834] If you are running BIND 9.4.0 (either pre-release or final), you are advised to upgrade as soon as possible to BIND 9.4.1. Notes: svn path=/head/; revision=191246
generated by cgit v1.2.3 (git 2.25.1) at 2024-10-05 05:37:33 +0000