aboutsummaryrefslogtreecommitdiff
path: root/dns/bind96
Commit message (Collapse)AuthorAgeFilesLines
* Add a gentle reminder that Bind 9.6 will be EOL shortlyErwin Lansing2013-03-121-0/+2
| | | | | | | | | | and recommend planning to move to newer versions before June 2013. http://www.isc.org/software/bind/versions Notes: svn path=/head/; revision=313955
* Add LICENSE.Erwin Lansing2013-01-041-0/+2
| | | | Notes: svn path=/head/; revision=309925
* - Use new OPTIONS_GROUP for DLZ options.[1]Erwin Lansing2012-12-141-3/+3
| | | | | | | | | | | - This also allows more than one DLZ option to be set.[2] Submitted by: bapt [1] (as RADIO) Suggested by: az [2] (thus GROUP instead) Notes: svn path=/head/; revision=308897
* Improve the SSL option descriptionErwin Lansing2012-12-031-1/+1
| | | | | | | | Submitted by: Kazunori Fujiwara <fujiwara@jprs.co.jp> Feature safe: yes Notes: svn path=/head/; revision=308136
* Remove gpg signature checking that in itself does notErwin Lansing2012-12-031-5/+0
| | | | | | | | | provide any additional security. Feature safe: yes Notes: svn path=/head/; revision=308135
* - Update CONFLICTSErwin Lansing2012-11-271-5/+9
| | | | | | | | | | | | | - Fix a typo in the OPTIONSNG conversion - Add FIXED_RRSET option - Add RPZ options (9.8 and 9.8 only) PR: 172586 Submitted by: Craig Leres <leres@ee.lbl.gov> Feature safe: yes Notes: svn path=/head/; revision=307830
* Reduce lenght of the option description for DLZ_MYSQL toErwin Lansing2012-10-261-1/+1
| | | | | | | | | | avoid problems with the older dialog(1) on FreeBSD 8.x Noticed by: Terry Kennedy <terry@tmk.com> Feature safe: yes Notes: svn path=/head/; revision=306427
* - Convert to OPTIONSNGErwin Lansing2012-10-251-37/+39
| | | | | | | | | - Turn on IPv6 support by default Feature safe: yes Notes: svn path=/head/; revision=306379
* Update to 9.6-ESV-R8Erwin Lansing2012-10-192-6/+6
| | | | | | | Feature safe: yes Notes: svn path=/head/; revision=306110
* Upgrade to the latest BIND patch level:Erwin Lansing2012-10-102-6/+6
| | | | | | | | | | A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. Security: http://www.vuxml.org/freebsd/57a700f9-12c0-11e2-9f86-001d923933b6.html Notes: svn path=/head/; revision=305645
* Take maintainership of the BIND ports while I'm working on the latestErwin Lansing2012-10-101-1/+1
| | | | | | | security releases. Notes: svn path=/head/; revision=305639
* Throw my ports back in the pool, and make my intentions clear for theDoug Barton2012-10-081-7/+1
| | | | | | | | | | | various ports that I've created. I bid fond fare well A chapter closes for me What opens for you? Notes: svn path=/head/; revision=305526
* Upgrade to the latest BIND patch level:Doug Barton2012-09-192-12/+9
| | | | | | | | | | | | | | | | | | | | | | Prevents a crash when queried for a record whose RDATA exceeds 65535 bytes. Prevents a crash when validating caused by using "Bad cache" data before it has been initialized. ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. For more information: https://kb.isc.org/article/AA-00788 Notes: svn path=/head/; revision=304476
* Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion FailureDoug Barton2012-07-242-8/+7
| | | | | | | | | | | | | | in BIND9 High numbers of queries with DNSSEC validation enabled can cause an assertion failure in named, caused by using a "bad cache" data structure before it has been initialized. CVE: CVE-2012-3817 Posting date: 24 July, 2012 Notes: svn path=/head/; revision=301487
* Upgrade to 9.6-ESV-R7-P1, 9.7.6-P1, 9.8.3-P1, and 9.9.1-P1, the latestDoug Barton2012-06-042-6/+6
| | | | | | | | | | | | | | | | | | | from ISC. These patched versions contain a critical bugfix: Processing of DNS resource records where the rdata field is zero length may cause various issues for the servers handling them. Processing of these records may lead to unexpected outcomes. Recursive servers may crash or disclose some portion of memory to the client. Secondary servers may crash on restart after transferring a zone containing these records. Master servers may corrupt zone data if the zone option "auto-dnssec" is set to "maintain". Other unexpected problems that are not listed here may also be encountered. All BIND users are strongly encouraged to upgrade. Notes: svn path=/head/; revision=298399
* Upgrade to BIND versions 9.9.1, 9.8.3, 9.7.6, and 9.6-ESV-R7,Doug Barton2012-05-232-6/+6
| | | | | | | | | | | | | | | | | | | | | | | the latest from ISC. These versions all contain the following: Feature Change * BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989] Bug Fix * The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi- threaded environment. Each version also contains other critical bug fixes. All BIND users are encouraged to upgrade to these latest versions. Notes: svn path=/head/; revision=297257
* Update to version 9.6-ESV-R6, the latest from ISC, which contains numerous ↵Doug Barton2012-04-044-78/+10
| | | | | | | | | | | | | bug fixes. For the port, switch to using the PORTDOCS macro. Also, switch to the (identical) pkg-message in ../bind97 which was apparently missed when the other ports were converted. Feature safe: yes Notes: svn path=/head/; revision=294220
* Upgrade to the latest security patch releases to address theDoug Barton2011-11-162-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | following DDOS bug: Recursive name servers are failing with an assertion: INSIST(! dns_rdataset_isassociated(sigrdataset)) At this time it is not thought that authoritative-only servers are affected, but information about this bug is evolving rapidly. Because it may be possible to trigger this bug even on networks that do not allow untrusted users to access the recursive name servers (perhaps via specially crafted e-mail messages, and/or malicious web sites) it is recommended that ALL operators of recursive name servers upgrade immediately. For more information see: https://www.isc.org/software/bind/advisories/cve-2011-tbd which will be updated as more information becomes available. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313 Feature safe: yes Notes: svn path=/head/; revision=285937
* Remove more tags from pkg-descr files fo the form:Doug Barton2011-10-241-3/+0
| | | | | | | | | | | - Name em@i.l or variations thereof. While I'm here also fix some whitespace and other formatting errors, including moving WWW: to the last line in the file. Notes: svn path=/head/; revision=284232
* Update to version 9.6-ESV-R5 which contains various bug fixesDoug Barton2011-08-023-7/+13
| | | | | | | | | and improvements: ftp://ftp.isc.org/isc/bind9/9.6-ESV-R5/RELEASE-NOTES-BIND-9.6-ESV.html Notes: svn path=/head/; revision=278762
* Remove patch incorporated into version 9.6-ESV-R5Doug Barton2011-08-021-14/+0
| | | | Notes: svn path=/head/; revision=278761
* Fix the location of the default pid file in named.8Doug Barton2011-07-171-0/+1
| | | | | | | | | | Problem pointed out in the PR PR: conf/155006 Submitted by: Helmut Schneider <jumper99@gmx.de> Notes: svn path=/head/; revision=277826
* Update to versions 9.7.3-P3, and 9.6-ESV-R4-P3.Doug Barton2011-07-052-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | ALL BIND USERS ARE ENCOURAGED TO UPGRADE IMMEDIATELY This update addresses the following vulnerability: CVE-2011-2464 ============= Severity: High Exploitable: Remotely Description: A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464 https://www.isc.org/software/bind/advisories/cve-2011-2464 Notes: svn path=/head/; revision=277140
* Upgrade to 9.6-ESV-R4-P1 and 9.7.3-P1, which address the following issues:Doug Barton2011-05-273-6/+20
| | | | | | | | | | | | | | | | | | | 1. Very large RRSIG RRsets included in a negative cache can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check. This bug affects all resolving name servers, whether DNSSEC validation is enabled or not, on all BIND versions prior to today. There is a possibility of malicious exploitation of this bug by remote users. 2. Named could fail to validate zones listed in a DLV that validated insecure without using DLV and had DS records in the parent zone. Add a patch provided by ru@ and confirmed by ISC to fix a crash at shutdown time when a SIG(0) key is being used. Notes: svn path=/head/; revision=274746
* Miscellaneous cleanups and fixes, some of the windowmaker stuffDoug Barton2011-05-161-1/+1
| | | | | | | gracefully provided by danfe. Notes: svn path=/head/; revision=274159
* Update to BIND 9.6.3, the latest from ISC on the 9.6 branch.Doug Barton2011-02-052-6/+6
| | | | | | | | | | | | | | | | | | | All 9.6 users with DNSSEC validation enabled should upgrade to this version, or the latest version in the 9.7 branch, prior to 2011-03-31 in order to avoid validation failures for names in .COM as described here: https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record In addition the fixes for this and other bugs, there are also the following: * Various fixes to kerberos support, including GSS-TSIG * Various fixes to avoid leaking memory, and to problems that could prevent a clean shutdown of named Feature safe: yes Notes: svn path=/head/; revision=268619
* CONFLICTS for bind98Doug Barton2010-12-181-1/+1
| | | | Notes: svn path=/head/; revision=266535
* Update to version 9.6-ESV-R3, the latest from ISC, which addressesDoug Barton2010-12-032-20/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the following security vulnerabilities. For more information regarding these issues please see: http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories 1. Cache incorrectly allows ncache and rrsig for the same type http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613 Affects resolver operators whose servers are open to potential attackers. Triggering the bug will cause the server to crash. This bug applies even if you do not have DNSSEC enabled. 2. Using "allow-query" in the "options" or "view" statements to restrict access to authoritative zones has no effect. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3615 Affects authoritative server operators who wish to generally restrict queries to their authoritative zones, and are running 9.6.2-P2 or any version of 9.7.x. The bug will allow unauthorized end users to receive answers to queries they should not. For the port: 1. Add CONFLICT for the ../bind-tools port 2. Remove CONFLICT for the removed ../bind9 port 3. Remove OPTION for threads on < RELENG_7 4. Switch to pkg-install to create the symlinks to /etc/namedb/ as requested in [1] PR: ports/151635 [1] Submitted by: Benjamin Lee <ben@b1c1l1.com> [1] Notes: svn path=/head/; revision=265651
* Update to 9.6-ESV-R2, the latest from ISC.Doug Barton2010-10-302-8/+6
| | | | | | | | | This version contains bug fixes that are relevant to any caching/resolving name server; as well as DNSSEC-related fixes. Notes: svn path=/head/; revision=263802
* Update to the latest patch set from ISC, which addresses the following:Doug Barton2010-05-202-8/+8
| | | | | | | | Named could return SERVFAIL for negative responses from unsigned zones. Notes: svn path=/head/; revision=254632
* Update to the latest patchfix releases to deal with the problemsDoug Barton2010-03-172-8/+8
| | | | | | | | | | | related to the handling of broken DNSSEC trust chains. This fix is only necessary for those who have DNSSEC validation enabled and configure trust anchors from third parties, either manually, or through a system like DLV. Notes: svn path=/head/; revision=251154
* Upgrade to version 9.6.2. This version includes all previously releasedDoug Barton2010-03-023-27/+8
| | | | | | | | | | | | | security patches to the 9.6.1 version, as well as many other bug fixes. Due to the fact that the DNSSEC algorithm that will be used to sign the root zone is only included in this version and in 9.7.x those who wish to do validation MUST upgrade to one of these prior to July 2010. Feature safe: yes Notes: svn path=/head/; revision=250486
* Upgrade to BIND 9.4.3-P5, 9.5.2-P2, and 9.6.1-P3. These versions addressDoug Barton2010-01-252-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | the following vulnerabilities: BIND 9 Cache Update from Additional Section https://www.isc.org/advisories/CVE-2009-4022v6 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022 A nameserver with DNSSEC validation enabled may incorrectly add unauthenticated records to its cache that are received during the resolution of a recursive client query BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses https://www.isc.org/advisories/CVE-2010-0097 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097 There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly These issues only affect systems with DNSSEC validation enabled. Notes: svn path=/head/; revision=248498
* Update CONFLICTS for bind97Doug Barton2009-12-141-1/+1
| | | | Notes: svn path=/head/; revision=245755
* Update to the latest patchlevels for BINDs 9.[456]. The vulnerabilityDoug Barton2009-11-302-9/+8
| | | | | | | | | | this is designed to fix is related to DNSSEC validation on a resolving name server that allows access to untrusted users. If your system does not fall into all 3 of these categories you do not need to update immediately. Notes: svn path=/head/; revision=245002
* Wrap some query socket handling in dig with a socket != NULL bowDoug Barton2009-11-072-0/+20
| | | | | | | | | | | | | This patch or something similar will likely be included in a future BIND release. PR: bin/138061 Submitted by: Michael Baker <michael.baker@diversit.com.au> Original patch submitted by: Volker <volker@vwsoft.com> Patch reviewed and tweaked by: ISC Notes: svn path=/head/; revision=243943
* The new LINKS OPTION is not only useless it's harmful when combinedDoug Barton2009-09-011-2/+2
| | | | | | | | | | with the REPLACE_BASE option so if the latter is defined don't try to make the LINKS. Problem pointed out by: Chris Wopat <me@falz.net> Notes: svn path=/head/; revision=240641
* For all:Doug Barton2009-08-292-2/+59
| | | | | | | | | | | | | | | | | Add an OPTION (on by default) to install the appropriate symlinks for named.conf and rndc.key in /usr/local/etc and /var/named/usr/local/etc. For bind9[456]: Add OPTIONs (off by default) for the DLZ configure options, and their corresponding ports knobs. [1] The basic infrastructure for this was provided in the PR, but this version is slightly different in a few details so responsibility for bugs is mine. PR: ports/122974 [1] Submitted by: Michael Schout <mschout@gkg.net> [1] Notes: svn path=/head/; revision=240544
* The dependency on idnkit should be a LIB_, not a BUILD_Doug Barton2009-07-301-1/+1
| | | | | | | | PR: ports/137240 Submitted by: danger Notes: svn path=/head/; revision=238687
* Update the hashes of the PGP signature files for the new releases.Doug Barton2009-07-291-2/+2
| | | | | | | | | | The previous signatures were derived from the wrong key. The new signatures all verify correctly. No changes to the hashes for the software itself. Notes: svn path=/head/; revision=238636
* Update to patched versions which address a remote DoS vulnerability:Doug Barton2009-07-282-8/+8
| | | | | | | | | | | | | | | Receipt of a specially-crafted dynamic update message may cause BIND 9 servers to exit. This vulnerability affects all servers -- it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround. More details can be found here: https://www.isc.org/node/474 All BIND users are encouraged to update to a patched version ASAP. Notes: svn path=/head/; revision=238566
* Update to version 9.6.1, the latest from ISC. This version containsDoug Barton2009-06-193-9/+10
| | | | | | | | | | numerous bug fixes and updates, especially in the DNSSEC code, including the new NSEC3 protocol. Full details are available at: http://oldwww.isc.org/sw/bind/view/?release=9.6.1&noframes=1 Notes: svn path=/head/; revision=236266
* - Flip from MAKE_JOBS_SAFE to MAKE_JOBS_UNSAFE, fails both on pointyhat and onPav Lucistnik2009-04-121-1/+1
| | | | | | | my local machine Notes: svn path=/head/; revision=232247
* Fix CONFLICTS (again). The previous example didn't work at all for portsDoug Barton2009-03-241-1/+1
| | | | | | | | other than plain bind9 since the real PORTNAMEs for the other ports are bind9[456]. This fix has the added advantage of covering REPLACE_BASE. Notes: svn path=/head/; revision=230905
* Where it matters, update regarding MAKE_JOBS_{UN}SAFE for my portsDoug Barton2009-03-241-0/+2
| | | | Notes: svn path=/head/; revision=230904
* Update to the -P1 versions of the current BIND ports which containDoug Barton2009-01-082-14/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | the fix for the following vulnerability: https://www.isc.org/node/373 Description: Return values from OpenSSL library functions EVP_VerifyFinal() and DSA_do_verify() were not checked properly. Impact: It is theoretically possible to spoof answers returned from zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6). In short, if you're not using DNSSEC to verify signatures you have nothing to worry about. While I'm here, address the issues raised in the PR by adding a knob to disable building with OpenSSL altogether (which eliminates DNSSEC capability), and fix the configure arguments to better deal with the situation where the user has ssl bits in both the base and LOCALBASE. PR: ports/126297 Submitted by: Ronald F.Guilmette <rfg@tristatelogic.com> Notes: svn path=/head/; revision=225434
* Update CONFLICTS to reflect the addition of the bind96 port,Doug Barton2009-01-041-1/+1
| | | | | | | the demise of bind9-dlz, and updates to the bind9-sdb-* ports. Notes: svn path=/head/; revision=225213
* Update after repo-copy for BIND 9.6.0Doug Barton2009-01-044-22/+31
| | | | Notes: svn path=/head/; revision=225212
* Upgrade to version 9.5.1 which includes numerous bug fixes and performanceDoug Barton2008-12-293-13/+19
| | | | | | | | | | | | improvements, including, "Additional support for query port randomization including performance improvement and port range specification." When building on amd64 ports' configure doesn't properly recognize our arch, so help it along a bit. [1] Submitted by: ivan jr sy <ivan_jr@yahoo.com> [1] Notes: svn path=/head/; revision=224956
* Adjust WWWs for new ISC websiteDoug Barton2008-12-191-1/+1
| | | | Notes: svn path=/head/; revision=224478
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-18 15:05:30 +0000