authorMathieu Arnold <mat@FreeBSD.org>2018-06-18 08:17:49 +0000
committerMathieu Arnold <mat@FreeBSD.org>2018-06-18 08:17:49 +0000
commitecb8e37d49a3f943c515746562c311dea99b0825 (patch)
tree45c093da472ef58c4f2a50b08ccb2ca98e3f103b /dns/bind9-devel
parent30f9a8fa914d42a1df064e3c2a81b79930846a91 (diff)
downloadports-ecb8e37d49a3f943c515746562c311dea99b0825.tar.gz
ports-ecb8e37d49a3f943c515746562c311dea99b0825.zip
Notes
Diffstat (limited to 'dns/bind9-devel')
-rw-r--r--dns/bind9-devel/Makefile6
-rw-r--r--dns/bind9-devel/distinfo6
-rw-r--r--dns/bind9-devel/files/extrapatch-bind-min-override-ttl20
-rw-r--r--dns/bind9-devel/files/patch-CVE-2018-5738115
-rw-r--r--dns/bind9-devel/files/patch-configure8
-rw-r--r--dns/bind9-devel/pkg-plist1
6 files changed, 21 insertions, 135 deletions
diff --git a/dns/bind9-devel/Makefile b/dns/bind9-devel/Makefile
index 942dbeaa5a7f..6a6924b926ad 100644
--- a/dns/bind9-devel/Makefile
+++ b/dns/bind9-devel/Makefile
@@ -9,7 +9,7 @@ PORTREVISION= 0
.else
# XXX: correct version
# dns/bind9xx here
-PORTREVISION= 1
+PORTREVISION= 0
.endif
CATEGORIES= dns net ipv6
# XXX: put the ISC master_site
@@ -40,13 +40,13 @@ LIB_DEPENDS= libxml2.so:textproc/libxml2
# XXX: remove tar:bz2
USES= cpe libedit ssl tar:bz2
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION= 9.13.0a0.2018.06.08
+ISCVERSION= 9.13.0a0.2018.06.15
# XXX: Remove gitlab
USE_GITLAB= yes
GL_SITE= https://gitlab.isc.org
GL_ACCOUNT= isc-projects
GL_PROJECT= bind9
-GL_COMMIT= b8fbe4aab40f5a41b9b0f00586c972d5afdba05f
+GL_COMMIT= e495999c621a481db1ae2a5d189c416238a82980
CPE_VENDOR= isc
CPE_VERSION= ${ISCVERSION:C/-.*//}
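Review bot: The new `GL_COMMIT` pin is the only thing carrying the CVE-2018-5738 fix once this commit deletes `files/patch-CVE-2018-5738`, and nothing in the Makefile records that. The removed patch applied upstream commit 03ecba2cdc8d9a6cb6bdf863ffa1e230cb4ff223 (CHANGES entry 4960, GL #309), which stops `allow-recursion` and `allow-query-cache` from being set to match the default `allow-query`. Presumably the 2018.06.15 snapshot already contains that commit, but the page does not show it. After confirming it is an ancestor of e495999c621a481db1ae2a5d189c416238a82980, I would note it next to the pin, e.g. `# snapshot includes upstream 03ecba2c (CVE-2018-5738); local patch dropped`. Resetting `PORTREVISION` to 0 in the first Makefile hunk is consistent with the `ISCVERSION` change.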
diff --git a/dns/bind9-devel/distinfo b/dns/bind9-devel/distinfo
index b88949d08c28..a0996453db5d 100644
--- a/dns/bind9-devel/distinfo
+++ b/dns/bind9-devel/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1528712121
-SHA256 (isc-projects-bind9-b8fbe4aab40f5a41b9b0f00586c972d5afdba05f_GL0.tar.gz) = a1b32af9f19a77b73661ef6690603bb9b011591f700f6e64819fa04e6399cd59
-SIZE (isc-projects-bind9-b8fbe4aab40f5a41b9b0f00586c972d5afdba05f_GL0.tar.gz) = 8925777
+TIMESTAMP = 1529305510
+SHA256 (isc-projects-bind9-e495999c621a481db1ae2a5d189c416238a82980_GL0.tar.gz) = d9b3559bc9a4d35bbe61d5e2316d3c1f97eac9b21e0f36502fc3839d8c7646c0
+SIZE (isc-projects-bind9-e495999c621a481db1ae2a5d189c416238a82980_GL0.tar.gz) = 8534156
diff --git a/dns/bind9-devel/files/extrapatch-bind-min-override-ttl b/dns/bind9-devel/files/extrapatch-bind-min-override-ttl
index 9f140ce98996..a8f36f6f8857 100644
--- a/dns/bind9-devel/files/extrapatch-bind-min-override-ttl
+++ b/dns/bind9-devel/files/extrapatch-bind-min-override-ttl
@@ -1,4 +1,4 @@
---- bin/named/config.c.orig 2018-06-08 18:48:01 UTC
+--- bin/named/config.c.orig 2018-06-15 08:58:30 UTC
+++ bin/named/config.c
@@ -176,12 +176,14 @@ options {\n\
max-recursion-queries 75;\n\
@@ -13,11 +13,11 @@
nsec3-test-zone no;\n\
+ override-cache-ttl 0; /* do not override */\n\
provide-ixfr true;\n\
+ qname-minimization relaxed;\n\
query-source address *;\n\
- query-source-v6 address *;\n\
---- bin/named/server.c.orig 2018-06-08 18:48:01 UTC
+--- bin/named/server.c.orig 2018-06-15 08:58:30 UTC
+++ bin/named/server.c
-@@ -4074,6 +4074,16 @@ configure_view(dns_view_t *view, dns_vie
+@@ -4071,6 +4071,16 @@ configure_view(dns_view_t *view, dns_vie
}
obj = NULL;
@@ -34,9 +34,9 @@
result = named_config_get(maps, "max-cache-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
view->maxcachettl = cfg_obj_asuint32(obj);
---- lib/dns/include/dns/view.h.orig 2018-06-08 18:48:01 UTC
+--- lib/dns/include/dns/view.h.orig 2018-06-15 08:58:30 UTC
+++ lib/dns/include/dns/view.h
-@@ -149,6 +149,8 @@ struct dns_view {
+@@ -151,6 +151,8 @@ struct dns_view {
isc_boolean_t requestnsid;
isc_boolean_t sendcookie;
dns_ttl_t maxcachettl;
@@ -45,9 +45,9 @@
dns_ttl_t maxncachettl;
isc_uint32_t nta_lifetime;
isc_uint32_t nta_recheck;
---- lib/dns/resolver.c.orig 2018-06-08 18:48:01 UTC
+--- lib/dns/resolver.c.orig 2018-06-15 08:58:30 UTC
+++ lib/dns/resolver.c
-@@ -5748,6 +5748,18 @@ cache_name(fetchctx_t *fctx, dns_name_t
+@@ -5799,6 +5799,18 @@ cache_name(fetchctx_t *fctx, dns_name_t
}
/*
@@ -66,9 +66,9 @@
* Enforce the configure maximum cache TTL.
*/
if (rdataset->ttl > res->view->maxcachettl) {
---- lib/isccfg/namedconf.c.orig 2018-06-08 18:48:01 UTC
+--- lib/isccfg/namedconf.c.orig 2018-06-15 08:58:30 UTC
+++ lib/isccfg/namedconf.c
-@@ -1916,6 +1916,8 @@ view_clauses[] = {
+@@ -1917,6 +1917,8 @@ view_clauses[] = {
{ "max-acache-size", &cfg_type_sizenodefault,
CFG_CLAUSEFLAG_OBSOLETE },
{ "max-cache-size", &cfg_type_sizeorpercent, 0 },
diff --git a/dns/bind9-devel/files/patch-CVE-2018-5738 b/dns/bind9-devel/files/patch-CVE-2018-5738
deleted file mode 100644
index 102f6a1ae18d..000000000000
--- a/dns/bind9-devel/files/patch-CVE-2018-5738
+++ /dev/null
@@ -1,115 +0,0 @@
-commit 03ecba2cdc8d9a6cb6bdf863ffa1e230cb4ff223
-Author: Evan Hunt <each@isc.org>
-Date: 2018-06-04 15:57:58 -0700
-
- allow-recursion could incorrectly inherit from the default allow-query
-
---- CHANGES.orig 2018-06-08 18:48:01 UTC
-+++ CHANGES
-@@ -22,7 +22,12 @@
- 4961. [protocol] Remove support for ECC-GOST (GOST R 34.11-94).
- [GL #295]
-
--4960. [placeholder]
-+4960. [security] When recursion is enabled, but the "allow-recursion"
-+ and "allow-query-cache" ACLs are not specified,
-+ they should be limited to local networks,
-+ but were inadvertently set to match the default
-+ "allow-query", thus allowing remote queries.
-+ (CVE-2018-5738) [GL #309]
-
- 4959. [func] NSID logging (enabled by the "request-nsid" option)
- now has its own "nsid" category, instead of using the
---- bin/named/server.c.orig 2018-06-08 18:48:01 UTC
-+++ bin/named/server.c
-@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_vie
- CHECKM(named_config_getport(config, &port), "port");
- dns_view_setdstport(view, port);
-
-- CHECK(configure_view_acl(vconfig, config, named_g_config,
-- "allow-query", NULL, actx,
-- named_g_mctx, &view->queryacl));
--
- /*
- * Make the list of response policy zone names for a view that
- * is used for real lookups and so cares about hints.
-@@ -4697,21 +4693,35 @@ configure_view(dns_view_t *view, dns_vie
- "allow-query-cache-on", NULL, actx,
- named_g_mctx, &view->cacheonacl));
- /*
-- * Set "allow-query-cache", "allow-recursion", and
-- * "allow-recursion-on" acls if configured in named.conf.
-- * (Ignore the global defaults for now, because these ACLs
-- * can inherit from each other when only some of them set at
-- * the options/view level.)
-+ * Set the "allow-query", "allow-query-cache", "allow-recursion",
-+ * and "allow-recursion-on" ACLs if configured in named.conf, but
-+ * NOT from the global defaults. This is done by leaving the third
-+ * argument to configure_view_acl() NULL.
-+ *
-+ * We ignore the global defaults here because these ACLs
-+ * can inherit from each other. If any are still unset after
-+ * applying the inheritance rules, we'll look up the defaults at
-+ * that time.
- */
-- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
-- NULL, actx, named_g_mctx, &view->cacheacl));
-+
-+ /* named.conf only */
-+ CHECK(configure_view_acl(vconfig, config, NULL,
-+ "allow-query", NULL, actx,
-+ named_g_mctx, &view->queryacl));
-+
-+ /* named.conf only */
-+ CHECK(configure_view_acl(vconfig, config, NULL,
-+ "allow-query-cache", NULL, actx,
-+ named_g_mctx, &view->cacheacl));
-
- if (strcmp(view->name, "_bind") != 0 &&
- view->rdclass != dns_rdataclass_chaos)
- {
-+ /* named.conf only */
- CHECK(configure_view_acl(vconfig, config, NULL,
- "allow-recursion", NULL, actx,
- named_g_mctx, &view->recursionacl));
-+ /* named.conf only */
- CHECK(configure_view_acl(vconfig, config, NULL,
- "allow-recursion-on", NULL, actx,
- named_g_mctx, &view->recursiononacl));
-@@ -4749,18 +4759,21 @@ configure_view(dns_view_t *view, dns_vie
- * the global config.
- */
- if (view->recursionacl == NULL) {
-+ /* global default only */
- CHECK(configure_view_acl(NULL, NULL, named_g_config,
- "allow-recursion", NULL,
- actx, named_g_mctx,
- &view->recursionacl));
- }
- if (view->recursiononacl == NULL) {
-+ /* global default only */
- CHECK(configure_view_acl(NULL, NULL, named_g_config,
- "allow-recursion-on", NULL,
- actx, named_g_mctx,
- &view->recursiononacl));
- }
- if (view->cacheacl == NULL) {
-+ /* global default only */
- CHECK(configure_view_acl(NULL, NULL, named_g_config,
- "allow-query-cache", NULL,
- actx, named_g_mctx,
-@@ -4774,6 +4787,14 @@ configure_view(dns_view_t *view, dns_vie
- CHECK(dns_acl_none(mctx, &view->cacheacl));
- }
-
-+ if (view->queryacl == NULL) {
-+ /* global default only */
-+ CHECK(configure_view_acl(NULL, NULL, named_g_config,
-+ "allow-query", NULL,
-+ actx, named_g_mctx,
-+ &view->queryacl));
-+ }
-+
- /*
- * Ignore case when compressing responses to the specified
- * clients. This causes case not always to be preserved,
diff --git a/dns/bind9-devel/files/patch-configure b/dns/bind9-devel/files/patch-configure
index fe2793a821b7..76ed226dfddf 100644
--- a/dns/bind9-devel/files/patch-configure
+++ b/dns/bind9-devel/files/patch-configure
@@ -1,6 +1,6 @@
---- configure.orig 2018-06-08 18:48:01 UTC
+--- configure.orig 2018-06-15 08:58:30 UTC
+++ configure
-@@ -14848,27 +14848,9 @@ done
+@@ -14856,27 +14856,9 @@ done
# problems start to show up.
saved_libs="$LIBS"
for TRY_LIBS in \
@@ -30,7 +30,7 @@
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-@@ -14911,47 +14893,7 @@ $as_echo "no" >&6; } ;;
+@@ -14919,47 +14901,7 @@ $as_echo "no" >&6; } ;;
no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
esac
@@ -79,7 +79,7 @@
DNS_GSSAPI_LIBS="$LIBS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
-@@ -23303,7 +23245,7 @@ $as_echo "" >&6; }
+@@ -23311,7 +23253,7 @@ $as_echo "" >&6; }
# Check other locations for includes.
# Order is important (sigh).
diff --git a/dns/bind9-devel/pkg-plist b/dns/bind9-devel/pkg-plist
index e00f01a43e0d..b32a43c032c9 100644
--- a/dns/bind9-devel/pkg-plist
+++ b/dns/bind9-devel/pkg-plist
@@ -120,6 +120,7 @@ include/dns/view.h
include/dns/xfrin.h
include/dns/zone.h
include/dns/zonekey.h
+include/dns/zoneverify.h
include/dns/zt.h
include/dst/dst.h
include/dst/gssapi.h