From e83d3091807de4060c0f7654609c0ba97c607698 Mon Sep 17 00:00:00 2001 
From: Erwin Lansing Date: Mon, 24 Feb 2014 13:57:07 +0000 Subject: Vendor import of BIND 9.8.7 Approved by: delphij (mentor, implicit) Sponsored by: DK Hostmaster A/S --- CHANGES | 282 +- COPYRIGHT | 36 +- Makefile.in | 9 +- README | 94 +- bin/check/named-checkconf.8 | 14 +- bin/check/named-checkconf.c | 68 +- bin/check/named-checkconf.docbook | 19 +- bin/check/named-checkconf.html | 24 +- bin/confgen/ddns-confgen.c | 4 +- bin/confgen/rndc-confgen.c | 4 +- bin/dig/dig.1 | 12 +- bin/dig/dig.c | 12 +- bin/dig/dig.docbook | 14 +- bin/dig/dig.html | 18 +- bin/dig/dighost.c | 303 +- bin/dig/host.c | 4 +- bin/dig/include/dig/dig.h | 6 +- bin/dig/nslookup.1 | 9 +- bin/dig/nslookup.c | 19 +- bin/dig/nslookup.docbook | 21 +- bin/dig/nslookup.html | 20 +- bin/dnssec/dnssec-keygen.c | 4 +- bin/dnssec/dnssec-signzone.8 | 6 +- bin/dnssec/dnssec-signzone.c | 24 +- bin/dnssec/dnssec-signzone.docbook | 5 +- bin/dnssec/dnssec-signzone.html | 14 +- bin/dnssec/dnssectool.c | 43 +- bin/named/Makefile.in | 5 +- bin/named/builtin.c | 17 +- bin/named/client.c | 227 +- bin/named/config.c | 16 +- bin/named/control.c | 9 +- bin/named/controlconf.c | 12 +- bin/named/include/named/globals.h | 1 + bin/named/include/named/main.h | 6 +- bin/named/include/named/server.h | 7 +- bin/named/interfacemgr.c | 15 +- bin/named/logconf.c | 61 +- bin/named/lwaddr.c | 10 +- bin/named/lwdgnba.c | 6 +- bin/named/lwdgrbn.c | 21 +- bin/named/main.c | 26 +- bin/named/named.conf.5 | 8 +- bin/named/named.conf.docbook | 7 +- bin/named/named.conf.html | 36 +- bin/named/query.c | 30 +- bin/named/server.c | 552 +- bin/named/statschannel.c | 4 +- bin/named/unix/os.c | 5 +- bin/named/update.c | 18 +- bin/named/zoneconf.c | 8 +- bin/nsupdate/Makefile.in | 6 +- bin/nsupdate/nsupdate.c | 37 +- bin/rndc/rndc.8 | 243 +- bin/rndc/rndc.c | 9 +- bin/rndc/rndc.docbook | 398 +- bin/rndc/rndc.html | 272 +- config.guess | 1077 +-- config.h.in | 3 + config.sub | 472 +- configure.in | 132 +- doc/arm/Bv9ARM-book.xml | 441 +- 
doc/arm/Bv9ARM.ch03.html | 300 +- doc/arm/Bv9ARM.ch04.html | 171 +- doc/arm/Bv9ARM.ch05.html | 4 +- doc/arm/Bv9ARM.ch06.html | 164 +- doc/arm/Bv9ARM.ch07.html | 12 +- doc/arm/Bv9ARM.ch08.html | 16 +- doc/arm/Bv9ARM.ch09.html | 218 +- doc/arm/Bv9ARM.html | 160 +- doc/arm/Bv9ARM.pdf | 14572 ++++++++++++++++---------------- doc/arm/man.arpaname.html | 6 +- doc/arm/man.ddns-confgen.html | 8 +- doc/arm/man.dig.html | 26 +- doc/arm/man.dnssec-dsfromkey.html | 14 +- doc/arm/man.dnssec-keyfromlabel.html | 12 +- doc/arm/man.dnssec-keygen.html | 14 +- doc/arm/man.dnssec-revoke.html | 8 +- doc/arm/man.dnssec-settime.html | 12 +- doc/arm/man.dnssec-signzone.html | 12 +- doc/arm/man.genrandom.html | 8 +- doc/arm/man.host.html | 8 +- doc/arm/man.isc-hmac-fixup.html | 8 +- doc/arm/man.named-checkconf.html | 22 +- doc/arm/man.named-checkzone.html | 10 +- doc/arm/man.named-journalprint.html | 6 +- doc/arm/man.named.html | 14 +- doc/arm/man.nsec3hash.html | 8 +- doc/arm/man.nsupdate.html | 12 +- doc/arm/man.rndc-confgen.html | 10 +- doc/arm/man.rndc.conf.html | 10 +- doc/arm/man.rndc.html | 270 +- doc/arm/pkcs11.xml | 9 +- lib/bind9/api | 2 +- lib/bind9/check.c | 34 +- lib/dns/acache.c | 3 +- lib/dns/acl.c | 6 +- lib/dns/adb.c | 6 +- lib/dns/api | 6 +- lib/dns/client.c | 27 +- lib/dns/diff.c | 15 +- lib/dns/dispatch.c | 23 +- lib/dns/dns64.c | 16 +- lib/dns/dnssec.c | 15 +- lib/dns/dst_api.c | 17 + lib/dns/dst_internal.h | 4 +- lib/dns/gen.c | 13 +- lib/dns/gssapi_link.c | 14 +- lib/dns/gssapictx.c | 40 +- lib/dns/hmac_link.c | 45 +- lib/dns/include/dns/Makefile.in | 7 +- lib/dns/include/dns/masterdump.h | 7 +- lib/dns/include/dns/message.h | 1 + lib/dns/include/dns/nsec3.h | 4 +- lib/dns/include/dns/rdata.h | 5 +- lib/dns/include/dns/zone.h | 6 + lib/dns/include/dst/dst.h | 19 +- lib/dns/include/dst/gssapi.h | 4 +- lib/dns/journal.c | 47 +- lib/dns/keydata.c | 6 +- lib/dns/master.c | 6 +- lib/dns/masterdump.c | 43 +- lib/dns/message.c | 10 +- lib/dns/name.c | 49 +- lib/dns/nsec.c | 
8 +- lib/dns/nsec3.c | 44 +- lib/dns/openssldh_link.c | 6 +- lib/dns/opensslecdsa_link.c | 6 +- lib/dns/opensslgost_link.c | 8 +- lib/dns/opensslrsa_link.c | 4 +- lib/dns/portlist.c | 14 +- lib/dns/rbt.c | 8 +- lib/dns/rbtdb.c | 141 +- lib/dns/rcode.c | 8 +- lib/dns/rdata.c | 40 +- lib/dns/rdata/ch_3/a_1.c | 6 +- lib/dns/rdata/generic/afsdb_18.c | 6 +- lib/dns/rdata/generic/dnskey_48.c | 22 +- lib/dns/rdata/generic/eui48_108.c | 4 +- lib/dns/rdata/generic/eui64_109.c | 4 +- lib/dns/rdata/generic/hip_55.c | 8 +- lib/dns/rdata/generic/ipseckey_45.c | 8 +- lib/dns/rdata/generic/isdn_20.c | 20 +- lib/dns/rdata/generic/key_25.c | 22 +- lib/dns/rdata/generic/keydata_65533.c | 26 +- lib/dns/rdata/generic/l32_105.c | 4 +- lib/dns/rdata/generic/l64_106.c | 4 +- lib/dns/rdata/generic/nid_104.c | 4 +- lib/dns/rdata/generic/opt_41.c | 46 +- lib/dns/rdata/generic/rrsig_46.c | 32 +- lib/dns/rdata/generic/rt_21.c | 6 +- lib/dns/rdata/generic/soa_6.c | 6 +- lib/dns/rdata/generic/spf_99.c | 4 +- lib/dns/rdata/generic/txt_16.c | 4 +- lib/dns/rdata/hs_4/a_1.c | 8 +- lib/dns/rdata/in_1/a6_38.c | 6 +- lib/dns/rdata/in_1/a_1.c | 8 +- lib/dns/rdata/in_1/aaaa_28.c | 10 +- lib/dns/rdata/in_1/apl_42.c | 6 +- lib/dns/rdata/in_1/wks_11.c | 12 +- lib/dns/rdataslab.c | 19 +- lib/dns/resolver.c | 33 +- lib/dns/rootns.c | 2 +- lib/dns/rpz.c | 4 +- lib/dns/spnego.c | 26 +- lib/dns/spnego_asn1.c | 20 +- lib/dns/ssu.c | 4 +- lib/dns/ssu_external.c | 4 +- lib/dns/time.c | 4 +- lib/dns/tkey.c | 12 +- lib/dns/tsig.c | 18 +- lib/dns/ttl.c | 6 +- lib/dns/validator.c | 6 +- lib/dns/view.c | 33 +- lib/dns/xfrin.c | 97 +- lib/dns/zone.c | 267 +- lib/export/isc/Makefile.in | 7 +- lib/export/samples/nsprobe.c | 4 +- lib/export/samples/sample-request.c | 4 +- lib/export/samples/sample-update.c | 6 +- lib/export/samples/sample.c | 4 +- lib/irs/Makefile.in | 4 +- lib/irs/api | 4 +- lib/irs/getaddrinfo.c | 18 +- lib/irs/include/irs/Makefile.in | 4 +- lib/irs/include/irs/resconf.h | 14 +- lib/irs/resconf.c | 93 +- 
lib/isc/Makefile.in | 13 +- lib/isc/api | 6 +- lib/isc/app_api.c | 12 +- lib/isc/backtrace.c | 15 +- lib/isc/base32.c | 8 +- lib/isc/base64.c | 8 +- lib/isc/buffer.c | 6 +- lib/isc/commandline.c | 8 +- lib/isc/hash.c | 17 +- lib/isc/heap.c | 8 +- lib/isc/hex.c | 8 +- lib/isc/hmacmd5.c | 7 +- lib/isc/hmacsha.c | 43 +- lib/isc/include/isc/Makefile.in | 2 +- lib/isc/include/isc/app.h | 11 +- lib/isc/include/isc/buffer.h | 6 +- lib/isc/include/isc/file.h | 12 +- lib/isc/include/isc/hash.h | 4 +- lib/isc/include/isc/namespace.h | 3 +- lib/isc/include/isc/platform.h.in | 8 +- lib/isc/include/isc/radix.h | 6 +- lib/isc/include/isc/safe.h | 36 + lib/isc/include/isc/socket.h | 7 +- lib/isc/include/isc/stdio.h | 10 +- lib/isc/inet_aton.c | 11 +- lib/isc/inet_pton.c | 13 +- lib/isc/lex.c | 25 +- lib/isc/log.c | 8 +- lib/isc/md5.c | 12 +- lib/isc/mem.c | 22 +- lib/isc/netaddr.c | 8 +- lib/isc/radix.c | 6 +- lib/isc/random.c | 4 +- lib/isc/safe.c | 42 + lib/isc/sha1.c | 8 +- lib/isc/sha2.c | 40 +- lib/isc/sockaddr.c | 6 +- lib/isc/stats.c | 6 +- lib/isc/string.c | 33 +- lib/isc/strtoul.c | 8 +- lib/isc/unix/app.c | 31 +- lib/isc/unix/file.c | 37 +- lib/isc/unix/ifiter_getifaddrs.c | 4 +- lib/isc/unix/ifiter_ioctl.c | 20 +- lib/isc/unix/ifiter_sysctl.c | 10 +- lib/isc/unix/include/isc/Makefile.in | 4 +- lib/isc/unix/interfaceiter.c | 18 +- lib/isc/unix/socket.c | 58 +- lib/isc/unix/stdio.c | 21 +- lib/isccc/api | 2 +- lib/isccc/base64.c | 10 +- lib/isccc/cc.c | 16 +- lib/isccc/include/isccc/util.h | 38 +- lib/isccc/sexpr.c | 6 +- lib/isccfg/api | 6 +- lib/isccfg/include/isccfg/cfg.h | 12 +- lib/isccfg/include/isccfg/grammar.h | 7 +- lib/isccfg/namedconf.c | 6 +- lib/isccfg/parser.c | 54 +- lib/lwres/api | 2 +- lib/lwres/context.c | 32 +- lib/lwres/getaddrinfo.c | 18 +- lib/lwres/gethost.c | 158 +- lib/lwres/getipnode.c | 70 +- lib/lwres/getrrset.c | 10 +- lib/lwres/herror.c | 8 +- lib/lwres/lwbuffer.c | 38 +- lib/lwres/lwconfig.c | 8 +- lib/lwres/lwinetaton.c | 11 +- 
lib/lwres/lwinetpton.c | 11 +- lib/lwres/lwres_gabn.c | 38 +- lib/lwres/lwres_gnba.c | 42 +- lib/lwres/lwres_grbn.c | 10 +- lib/lwres/lwres_noop.c | 38 +- lib/lwres/lwresutil.c | 46 +- lib/lwres/strtoul.c | 8 +- make/mkdep.in | 6 +- version | 7 +- 265 files changed, 13570 insertions(+), 11066 deletions(-) create mode 100644 lib/isc/include/isc/safe.h create mode 100644 lib/isc/safe.c diff --git a/CHANGES b/CHANGES index e8383c62baf47..6054ae831d32f 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,13 +1,289 @@ - --- 9.8.5-P2 released --- + --- 9.8.7 released --- + + --- 9.8.7rc2 released --- + +3710. [bug] Address double dns_zone_detach when switching to + using automatic empty zones from regular zones. + [RT #35177] + +3707. [bug] irs_resconf_load now returns ISC_R_FILENOTFOUND + on a missing resolv.conf file and initializes the + structure as if it had been configured with: + + nameserver ::1 + nameserver 127.0.0.1 + + Note: Callers will need to be updated to treat + ISC_R_FILENOTFOUND as a qualified success or else + they will leak memory. The following code fragment + will work with both old and new versions without + changing the behaviour of the existing code. + + resconf = NULL; + result = irs_resconf_load(mctx, "/etc/resolv.conf", + &resconf); + if (result != ISC_SUCCESS) { + if (resconf != NULL) + irs_resconf_destroy(&resconf); + .... + } + + [RT #35194] + +3706. [contrib] queryperf: Fixed a possible integer overflow when + printing results. [RT #35182] + +3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185] + + --- 9.8.7rc1 released --- + +3701. [func] named-checkconf can now suppress the printing of + shared secrets by specifying '-x'. [RT #34465] + +3698. [cleanup] Replaced all uses of memcpy() with memmove(). + [RT #35120] + +3697. [bug] Handle "." as a search list element when IDN support + is enabled. [RT #35133] + +3696. [bug] dig failed to handle AXFR style IXFR responses which + span multiple messages. [RT #35137] + +3695. [bug] Address a possible race in dispatch.c. [RT #35107] + +3694. [bug] Warn when a key-directory is configured for a zone, + but does not exist or is not a directory. [RT #35108] + +3693. [security] memcpy was incorrectly called with overlapping + ranges resulting in malformed names being generated + on some platforms. This could cause INSIST failures + when serving NSEC3 signed zones (CVE-2014-0591). + [RT #35120] + +3692. 
[bug] Two calls to dns_db_getoriginnode were fatal if there + was no data at the node. [RT #35080] + +3689. [bug] Fixed a bug causing an insecure delegation from one + static-stub zone to another to fail with a broken + trust chain. [RT #35081] + + --- 9.8.7b1 released --- + +3688. [bug] loadnode could return a freed node on out of memory. + [RT #35106] + +3683. [cleanup] Add a more detailed "not found" message to rndc + commands which specify a zone name. [RT #35059] + +3681. [port] Update the Windows build system to support feature + selection and WIN64 builds. This is a work in + progress. [RT #34160] + +3679. [bug] dig could fail to clean up TCP sockets still + waiting on connect(). [RT #35074] + +3678. [port] Update config.guess and config.sub. [RT #35060] + +3677. [bug] 'nsupdate' leaked memory if 'realm' was used multiple + times. [RT #35073] + +3676. [bug] "named-checkconf -z" now checks zones of type + hint as well as master. [RT #35046] + +3675. [misc] Provide a place for third parties to add version + information for their extensions in the version + file by setting the EXTENSIONS variable. + +3670. [bug] Address read after free in server side of + lwres_getrrsetbyname. [RT #29075] + +3669. [port] freebsd: --with-gssapi needs -lhx509. [RT #35001] + +3668. [bug] Fix cast in lex.c which could see 0xff treated as eof. + [RT #34993] +3667. [test] dig: add support to keep the TCP socket open between + successive queries (+[no]keepopen). [RT #34918] + +3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list + locking and other bugs. [RT #34855] + +3663. [bug] Address bugs in dns_rdata_fromstruct and + dns_rdata_tostruct for WKS and ISDN types. [RT #34910] + +3662. [bug] 'host' could die if a UDP query timed out. [RT #34870] + +3660. [cleanup] Changed the name of "isc-config.sh" to "bind9-config". + [RT #23825] + +3658. [port] linux: Address platform specific compilation issue + when libcap-devel is installed. [RT #34838] + +3656. 
[security] Treat an all zero netmask as invalid when generating + the localnets acl. (The prior behavior could + allow unexpected matches when using some versions + of Winsock: CVE-2013-6320.) [RT #34687] + +3655. [cleanup] Simplify TCP message processing when requesting a + zone transfer. [RT #34825] + +3654. [bug] Address race condition with manual notify requests. + [RT #34806] + +3653. [func] Create delegations for all "children" of empty zones + except "forward first". [RT #34826] + +3651. [tuning] Adjust when a master server is deemed unreachable. + [RT #27075] + +3650. [tuning] Use separate rate limiting queues for refresh and + notify requests. [RT #30589] + +3649. [cleanup] Include a comment in .nzf files, giving the name of + the associated view. [RT #34765] + +3648. [test] Updated the ATF test framework to version 0.17. + [RT #25627] + +3646. [bug] Journal filename string could be set incorrectly, + causing garbage in log messages. [RT #34738] + +3645. [protocol] Use case sensitive compression when responding to + queries. [RT #34737] + +3644. [protocol] Check that EDNS subnet client options are well formed. + [RT #34718] + +3641. [bug] Handle changes to sig-validity-interval settings + better. [RT #34625] + +3640. [bug] ndots was not being checked when searching. Only + continue searching on NXDOMAIN responses. Add the + ability to specify ndots to nslookup. [RT #34711] + +3639. [bug] Treat type 65533 (KEYDATA) as opaque except when used + in a key zone. [RT #34238] + + --- 9.8.6 released --- + +3638. [cleanup] Add the ability to handle ENOPROTOOPT in case it is + encountered. [RT #34668] + + --- 9.8.6rc2 released --- + +3637. [bug] 'allow-query-on' was checking the source address + rather than the destination address. [RT #34590] + +3636. [bug] Automatic empty zones now behave better with + forward only "zones" beneath them. [RT #34583] + +3635. [bug] Signatures were not being removed from a zone with + only KSK keys for a algorithm. 
[RT #34439] + +3634. [func] Report build-id in rndc status. Report build-id + when building from a git repository. [RT #20422] + +3633. [cleanup] Refactor OPT processing in named to make it easier + to support new EDNS options. [RT #34414] + +3632. [bug] Signature from newly inactive keys were not being + removed. [RT #32178] + +3631. [bug] Remove spurious warning about missing signatures when + qtype is SIG. [RT #34600] + +3630. [bug] Ensure correct ID computation for MD5 keys. [RT #33033] + +3627. [bug] RPZ changes were not effective on slaves. [RT #34450] + +3625. [bug] Don't send notify messages to machines outside of the + test setup. + + --- 9.8.6rc1 released --- 3621. [security] Incorrect bounds checking on private type 'keydata' can lead to a remotely triggerable REQUIRE failure (CVE-2013-4854). [RT #34238] - --- 9.8.5-P1 released --- +3615. [cleanup] "configure" now finishes by printing a summary + of optional BIND features and whether they are + active or inactive. ("configure --enable-full-report" + increases the verbosity of the summary.) [RT #31777] + +3614. [port] Check for . [RT #34162] + +3611. [bug] Improved resistance to a theoretical authentication + attack based on differential timing. [RT #33939] + +3610. [cleanup] win32: Some executables had been omitted from the + installer. [RT #34116] + +3608. [port] win32: added todos.pl script to ensure all text files + the win32 build depends on are converted to DOS + newline format. [RT #22067] + +3607. [bug] dnssec-keygen had broken 'Invalid keyfile' error + message. [RT #34045] + + --- 9.8.6b1 released --- + +3605. [port] win32: Addressed several compatibility issues + with newer versions of Visual Studio. [RT #33916] + +3603. [bug] Install . [RT #33956] + +3601. [bug] Added to PKCS#11 openssl patches a value len + attribute in DH derive key. [RT #33928] + +3600. [cleanup] dig: Fixed a typo in the warning output when receiving + an oversized response. [RT #33910] + +3599. 
[tuning] Check for pointer equivalence in name comparisons. + [RT #18125] + +3594. [maint] Update config.guess and config.sub. [RT #33816] + +3592. [doc] Moved documentation of rndc command options to the + rndc man page. [RT #33506] + +3588. [bug] dig: addressed a memory leak in the sigchase code + that could cause a shutdown crash. [RT #33733] + +3587. [func] 'named -g' now checks the logging configuration but + does not use it. [RT #33473] + +3586. [bug] Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706] 3584. [security] Caching data from an incompletely signed zone could - trigger an assertion failure in resolver.c [RT #33690] + trigger an assertion failure in resolver.c + (CVE-2013-3919). [RT #33690] + +3583. [bug] Address memory leak in GSS-API processing [RT #33574] + +3581. [bug] Changed the tcp-listen-queue default to 10. [RT #33029] + +3580. [bug] Addressed a possible race in acache.c [RT #33602] + +3579. [maint] Updates to PKCS#11 openssl patches, supporting + versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463] + +3578. [bug] 'rndc -c file' now fails if 'file' does not exist. + [RT #33571] + +3577. [bug] Handle zero TTL values better. [RT #33411] + +3576. [bug] Address a shutdown race when validating. [RT #33573] + +3574. [doc] The 'hostname' keyword was missing from server-id + description in the named.conf man page. [RT #33476] + +3573. [bug] "rndc addzone" and "rndc delzone" incorrectly handled + zone names containing punctuation marks and other + nonstandard characters. [RT #33419] + +3571. [bug] Address race condition in dns_client_startresolve(). + [RT #33234] + +3566. [func] Log when forwarding updates to master. [RT #33240] --- 9.8.5 released --- diff --git a/COPYRIGHT b/COPYRIGHT index cc19db471b693..514dbe7e2f5c8 100644 --- a/COPYRIGHT +++ b/COPYRIGHT 
@@ -1,4 +1,4 @@ -Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 1996-2003 Internet Software Consortium. Permission to use, copy, modify, and/or distribute this software for any @@ -13,8 +13,6 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -$Id: COPYRIGHT,v 1.17.14.2 2012/01/04 23:46:18 tbox Exp $ - Portions of this code release fall under one or more of the following Copyright notices. Please see individual source files for details. @@ -99,11 +97,7 @@ are met: 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. -3. All advertising materials mentioning features or use of this software - must display the following acknowledgement: - This product includes software developed by the University of - California, Berkeley and its contributors. -4. Neither the name of the University nor the names of its contributors +3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 
@@ -516,3 +510,29 @@ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +----------------------------------------------------------------------------- + +Copyright (c) 1995, 1997, 1998 The NetBSD Foundation, Inc. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + diff --git a/Makefile.in b/Makefile.in index 4e41fe5097436..f2088157c8094 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -1,4 +1,4 @@ -# Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any @@ -54,7 +54,11 @@ installdirs: install:: isc-config.sh installdirs ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir} + rm -f ${DESTDIR}${bindir}/bind9-config + @LN@ ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1 + rm -f ${DESTDIR}${mandir}/man1/bind9-config.1 + @LN@ ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1 ${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir} tags: @@ -86,5 +90,8 @@ FAQ: FAQ.xml LC_ALL=C ${W3M} -T text/html -dump -cols 72 >$@.tmp mv $@.tmp $@ +unit:: + sh ${top_srcdir}/unit/unittest.sh + clean:: rm -f FAQ.tmp diff --git a/README b/README index 9d839b49fce80..c5f899598ce61 100644 --- a/README +++ b/README 
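Review bot: The new `@LN@ ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config` line in the `install::` rule passes a link target that embeds ${DESTDIR}; if @LN@ expands to a symbolic link, a staged install (DESTDIR set for packaging) produces a bind9-config that points at the staging path and dangles once the package is installed, and the same applies to the man-page link two lines below. Consider creating the link relative to its own directory, e.g. `cd ${DESTDIR}${bindir} && @LN@ isc-config.sh bind9-config`, or making it a hard link. Whether @LN@ is `ln -s` or `ln` is decided by configure and is not visible in this hunk.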
@@ -48,18 +48,36 @@ BIND 9 For a detailed list of user-visible changes from previous releases, see the CHANGES file. - For up-to-date release notes and errata, see - http://www.isc.org/software/bind9/releasenotes + For up-to-date release notes and errata, see + http://www.isc.org/software/bind9/releasenotes + +BIND 9.8.7 + + BIND 9.8.7 includes several bug fixes and patches the security + flaws described in CVE-2013-6320 and CVE-2014-0591. It also + includes the following functional enhancements: + + - "named" now preserves the capitalization of names when + responding to queries. + - "named-checkconf -px" will print the contents of configuration + files with the shared secrets obscured, making it easier to + share configuration (e.g. when submitting a bug report) + without revealing private information. + +BIND 9.8.6 + + BIND 9.8.6 includes several bug fixes and patches the security + flaws described in CVE-2013-3919 and CVE-2013-4854. BIND 9.8.5 - BIND 9.8.5 includes several bug fixes and patches security - flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266. + BIND 9.8.5 includes several bug fixes and patches security + flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266. BIND 9.8.4 - BIND 9.8.4 includes several bug fixes and patches security - flaws described in CVE-2012-1667, CVE-2012-3817 and CVE-2012-4244. + BIND 9.8.4 includes several bug fixes and patches security + flaws described in CVE-2012-1667, CVE-2012-3817 and CVE-2012-4244. BIND 9.8.3 
@@ -72,32 +90,32 @@ BIND 9.8.2 BIND 9.8.1 - BIND 9.8.1 includes a number of bug fixes and enhancements from + BIND 9.8.1 includes a number of bug fixes and enhancements from BIND 9.8 and earlier releases. New features include: - The DLZ "dlopen" driver is now built by default. - Added a new include file with function typedefs - for the DLZ "dlopen" driver. + for the DLZ "dlopen" driver. - Made "--with-gssapi" default. - More verbose error reporting from DLZ LDAP. BIND 9.8.0 - BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier - releases. New features include: - - - Built-in trust anchor for the root zone, which can be - switched on via "dnssec-validation auto;" - - Support for DNS64. - - Support for response policy zones (RPZ). - - Support for writable DLZ zones. - - Improved ease of configuration of GSS/TSIG for - interoperability with Active Directory - - Support for GOST signing algorithm for DNSSEC. - - Removed RTT Banding from server selection algorithm. - - New "static-stub" zone type. - - Allow configuration of resolver timeouts via - "resolver-query-timeout" option. + BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier + releases. New features include: + + - Built-in trust anchor for the root zone, which can be + switched on via "dnssec-validation auto;" + - Support for DNS64. + - Support for response policy zones (RPZ). + - Support for writable DLZ zones. + - Improved ease of configuration of GSS/TSIG for + interoperability with Active Directory + - Support for GOST signing algorithm for DNSSEC. + - Removed RTT Banding from server selection algorithm. + - New "static-stub" zone type. + - Allow configuration of resolver timeouts via + "resolver-query-timeout" option. BIND 9.7.0 
@@ -183,9 +201,9 @@ Building Ubuntu 7.04, 7.10 Windows XP/2003/2008 - NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of - Windows, including Windows NT and Windows 2000, are no longer - supported. + NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of + Windows, including Windows NT and Windows 2000, are no longer + supported. We have recent reports from the user community that a supported version of BIND will build and run on the following systems: @@ -238,7 +256,7 @@ Building -DDIG_SIGCHASE_BU=1) Disable dropping queries from particular well known ports. -DNS_CLIENT_DROPPORT=0 - Sibling glue checking in named-checkzone is enabled by default. + Sibling glue checking in named-checkzone is enabled by default. To disable the default check set. -DCHECK_SIBLING=0 named-checkzone checks out-of-zone addresses by default. To disable this default set. -DCHECK_LOCAL=0 @@ -285,10 +303,10 @@ Building on the configure command line. The default is operating system dependent. - Support for the "fixed" rrset-order option can be enabled - or disabled by specifying "--enable-fixed-rrset" or - "--disable-fixed-rrset" on the configure command line. - The default is "disabled", to reduce memory footprint. + Support for the "fixed" rrset-order option can be enabled + or disabled by specifying "--enable-fixed-rrset" or + "--disable-fixed-rrset" on the configure command line. + The default is "disabled", to reduce memory footprint. If your operating system has integrated support for IPv6, it will be used automatically. If you have installed KAME IPv6 @@ -355,8 +373,8 @@ Documentation Frequently asked questions and their answers can be found in FAQ. - Additional information on various subjects can be found - in the other README files. + Additional information on various subjects can be found + in the other README files. Change Log 
@@ -373,7 +391,7 @@ Change Log [security] Fix for a significant security flaw [experimental] Used for new features when the syntax - or other aspects of the design are still + or other aspects of the design are still in flux and may change [port] Portability enhancement @@ -382,15 +400,15 @@ Change Log server addresses and keys [tuning] Changes to built-in configuration defaults - and constants to improve performanceo + and constants to improve performanceo [protocol] Updates to the DNS protocol such as new RR types - [test] Changes to the automatic tests, not - affecting server functionality + [test] Changes to the automatic tests, not + affecting server functionality - [cleanup] Minor corrections and refactoring + [cleanup] Minor corrections and refactoring [doc] Documentation diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8 index 67a8f4a3da6a5..909184ef2f1dd 100644 --- a/bin/check/named-checkconf.8 +++ b/bin/check/named-checkconf.8 @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007, 2009, 2014 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2002 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and/or distribute this software for any @@ -33,7 +33,7 @@ named\-checkconf \- named configuration file syntax checking tool .SH "SYNOPSIS" .HP 16 -\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] (unknown) [\fB\-p\fR] [\fB\-z\fR] +\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] (unknown) [\fB\-p\fR] [\fB\-x\fR] [\fB\-z\fR] .SH "DESCRIPTION" .PP \fBnamed\-checkconf\fR 
@@ -84,6 +84,14 @@ Print out the and included files in canonical form if no errors were detected. .RE .PP +\-x +.RS 4 +When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks ('?'). This allows the contents of +\fInamed.conf\fR +and related files to be shared \(em for example, when submitting bug reports \(em without compromising private data. This option cannot be used without +\fB\-p\fR. +.RE +.PP \-z .RS 4 Perform a test load of all master zones found in @@ -113,7 +121,7 @@ BIND 9 Administrator Reference Manual. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007, 2009, 2014 Internet Systems Consortium, Inc. ("ISC") .br Copyright \(co 2000\-2002 Internet Software Consortium. .br diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c index ef754ff29af98..30a549c6e1d7f 100644 --- a/bin/check/named-checkconf.c +++ b/bin/check/named-checkconf.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009-2013 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009-2014 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -39,10 +39,13 @@ #include +#include #include #include #include +#include #include +#include #include #include "check-tool.h" 
@@ -151,6 +154,30 @@ config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) { } } +static isc_result_t +configure_hint(const char *zfile, const char *zclass, isc_mem_t *mctx) { + isc_result_t result; + dns_db_t *db = NULL; + dns_rdataclass_t rdclass; + isc_textregion_t r; + + if (zfile == NULL) + return (ISC_R_FAILURE); + + DE_CONST(zclass, r.base); + r.length = strlen(zclass); + result = dns_rdataclass_fromtext(&rdclass, &r); + if (result != ISC_R_SUCCESS) + return (result); + + result = dns_rootns_create(mctx, rdclass, zfile, &db); + if (result != ISC_R_SUCCESS) + return (result); + + dns_db_detach(&db); + return (ISC_R_SUCCESS); +} + /*% configure the zone */ static isc_result_t configure_zone(const char *vclass, const char *view, @@ -161,7 +188,7 @@ configure_zone(const char *vclass, const char *view, isc_result_t result; const char *zclass; const char *zname; - const char *zfile; + const char *zfile = NULL; const cfg_obj_t *maps[4]; const cfg_obj_t *zoptions = NULL; const cfg_obj_t *classobj = NULL; @@ -195,15 +222,26 @@ configure_zone(const char *vclass, const char *view, cfg_map_get(zoptions, "type", &typeobj); if (typeobj == NULL) return (ISC_R_FAILURE); - if (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0) + + cfg_map_get(zoptions, "file", &fileobj); + if (fileobj != NULL) + zfile = cfg_obj_asstring(fileobj); + + /* + * Check hints files for hint zones. + * Skip loading checks for any type other than master. + */ + if (strcasecmp(cfg_obj_asstring(typeobj), "hint") == 0) + return (configure_hint(zfile, zclass, mctx)); + else if ((strcasecmp(cfg_obj_asstring(typeobj), "master") != 0)) return (ISC_R_SUCCESS); + + if (zfile == NULL) + return (ISC_R_FAILURE); + cfg_map_get(zoptions, "database", &dbobj); if (dbobj != NULL) return (ISC_R_SUCCESS); - cfg_map_get(zoptions, "file", &fileobj); - if (fileobj == NULL) - return (ISC_R_FAILURE); - zfile = cfg_obj_asstring(fileobj); obj = NULL; if (get_maps(maps, "check-dup-records", &obj)) { 
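Review bot: A hint zone that cannot be checked is reported only as a bare status: configure_hint returns ISC_R_FAILURE when `zfile == NULL` without printing anything, and the `return (configure_hint(zfile, zclass, mctx));` added to configure_zone bypasses the `fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass, dns_result_totext(result));` that the master path reaches at the end of the function. Unless dns_rootns_create logs on its own (not visible here) or the caller reports the status, the user sees a non-zero exit with no indication of which zone failed. Routing the hint result through the same diagnostic keeps the two paths consistent; configure_zone's body continues outside this hunk. A one-line header comment on configure_hint would also help, e.g. `/*% load the hints file of a hint zone to verify it parses; returns ISC_R_FAILURE if the zone has no file */`.

```c
	/*
	 * Check hints files for hint zones.
	 * Skip loading checks for any type other than master.
	 */
	if (strcasecmp(cfg_obj_asstring(typeobj), "hint") == 0) {
		result = configure_hint(zfile, zclass, mctx);
		if (result != ISC_R_SUCCESS)
			fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
				dns_result_totext(result));
		return (result);
	} else if (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0)
		return (ISC_R_SUCCESS);
	/* … unchanged: zfile/database checks and option handling … */
```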
@@ -341,7 +379,7 @@ configure_zone(const char *vclass, const char *view,
if (result != ISC_R_SUCCESS)
fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass, dns_result_totext(result));
- return(result);
+ return (result);
}
/*% configure a view */
@@ -442,10 +480,11 @@ main(int argc, char **argv) {
isc_entropy_t *ectx = NULL;
isc_boolean_t load_zones = ISC_FALSE;
isc_boolean_t print = ISC_FALSE;
+ unsigned int flags = 0;
isc_commandline_errprint = ISC_FALSE;
- while ((c = isc_commandline_parse(argc, argv, "dhjt:pvz")) != EOF) {
+ while ((c = isc_commandline_parse(argc, argv, "dhjt:pvxz")) != EOF) {
switch (c) {
case 'd':
debug++;
@@ -472,6 +511,10 @@ main(int argc, char **argv) {
printf(VERSION "\n");
exit(0);
+ case 'x':
+ flags |= CFG_PRINTER_XKEY;
+ break;
+
case 'z':
load_zones = ISC_TRUE;
docheckmx = ISC_FALSE;
@@ -494,6 +537,11 @@ main(int argc, char **argv) {
}
}
+ if (((flags & CFG_PRINTER_XKEY) != 0) && !print) {
+ fprintf(stderr, "%s: -x cannot be used without -p\n", program);
+ exit(1);
+ }
+
if (isc_commandline_index + 1 < argc)
usage();
if (argv[isc_commandline_index] != NULL)
@@ -534,7 +582,7 @@ main(int argc, char **argv) {
}
if (print && exit_status == 0)
- cfg_print(config, output, NULL);
+ cfg_printx(config, flags, output, NULL);
cfg_obj_destroy(parser, &config);
cfg_parser_destroy(&parser);
diff --git a/bin/check/named-checkconf.docbook b/bin/check/named-checkconf.docbook
index 9535e28430cfd..485dc42a93d19 100644
--- a/bin/check/named-checkconf.docbook
+++ b/bin/check/named-checkconf.docbook
@@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
- June 30, 2000
+ June 7, 2013
@@ -40,6 +40,7 @@ 2004 2005 2007
+ 2013
Internet Systems Consortium, Inc. ("ISC")
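Review bot: The `-x` guard in the -494 hunk reports its error with a private fprintf/exit(1) instead of going through usage(), so the option summary that usage() prints (outside these hunks) has to be updated separately to list `-x` and its dependency on `-p`; whether that was done cannot be confirmed from here. The `case 'x':` branch in the -472 hunk would read better with a comment tying the bit to its effect, e.g. `/* -x: obscure shared secrets in the -p output (see CFG_PRINTER_XKEY) */`, since the masking itself happens inside cfg_printx() and nothing in main shows what the flag does. As a point of style, `if (((flags & CFG_PRINTER_XKEY) != 0) && !print)` carries a redundant pair of parentheses; `if ((flags & CFG_PRINTER_XKEY) != 0 && !print)` is the usual form. main() begins and ends outside these hunks.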
@@ -194,22 +195,399 @@ + + + COMMANDS + + A list of commands supported by rndc can + be seen by running rndc without arguments. + - For the complete set of commands supported by rndc, - see the BIND 9 Administrator Reference Manual or run - rndc without arguments to see its help - message. + Currently supported commands are: + + + reload + + + Reload configuration file and zones. + + + + + + reload zone class view + + + Reload the given zone. + + + + + + refresh zone class view + + + Schedule zone maintenance for the given zone. + + + + + + retransfer zone class view + + + Retransfer the given zone from the master. + + + + + + sign zone class view + + + Fetch all DNSSEC keys for the given zone + from the key directory (see the + key-directory option in + the BIND 9 Administrator Reference Manual). If they are within + their publication period, merge them into the + zone's DNSKEY RRset. If the DNSKEY RRset + is changed, then the zone is automatically + re-signed with the new key set. + + + This command requires that the + auto-dnssec zone option be set + to allow or + maintain, + and also requires the zone to be configured to + allow dynamic DNS. + (See "Dynamic Update Policies" in the Administrator + Reference Manual for more details.) + + + + + + loadkeys zone class view + + + Fetch all DNSSEC keys for the given zone + from the key directory. If they are within + their publication period, merge them into the + zone's DNSKEY RRset. Unlike rndc + sign, however, the zone is not + immediately re-signed by the new keys, but is + allowed to incrementally re-sign over time. + + + This command requires that the + auto-dnssec zone option + be set to maintain, + and also requires the zone to be configured to + allow dynamic DNS. + (See "Dynamic Update Policies" in the Administrator + Reference Manual for more details.) + + + + + + freeze zone class view + + + Suspend updates to a dynamic zone. If no zone is + specified, then all zones are suspended. 
This allows + manual edits to be made to a zone normally updated by + dynamic update. It also causes changes in the + journal file to be synced into the master file, + and the journal file to be removed. + All dynamic update attempts will be refused while + the zone is frozen. + + + + + + thaw zone class view + + + Enable updates to a frozen dynamic zone. If no + zone is specified, then all frozen zones are + enabled. This causes the server to reload the zone + from disk, and re-enables dynamic updates after the + load has completed. After a zone is thawed, + dynamic updates will no longer be refused. + + + + + + notify zone class view + + + Resend NOTIFY messages for the zone. + + + + + + reconfig + + + Reload the configuration file and load new zones, + but do not reload existing zone files even if they + have changed. + This is faster than a full reload when there + is a large number of zones because it avoids the need + to examine the + modification times of the zones files. + + + + + + stats + + + Write server statistics to the statistics file. + + + + + + querylog on|off + + + Toggle query logging. Query logging can also be enabled + by explicitly directing the queries + category to a + channel in the + logging section of + named.conf or by specifying + querylog yes; in the + options section of + named.conf. + + + + + + dumpdb -all|-cache|-zone view ... + + + Dump the server's caches (default) and/or zones to + the + dump file for the specified views. If no view is + specified, all + views are dumped. + + + + + + secroots view ... + + + Dump the server's security roots to the secroots + file for the specified views. If no view is + specified, security roots for all + views are dumped. + + + + + + stop -p + + + Stop the server, making sure any recent changes + made through dynamic update or IXFR are first saved to + the master files of the updated zones. + If is specified named's process id is returned. 
+ This allows an external process to determine when named + had completed stopping. + + + + + + halt -p + + + Stop the server immediately. Recent changes + made through dynamic update or IXFR are not saved to + the master files, but will be rolled forward from the + journal files when the server is restarted. + If is specified named's process id is returned. + This allows an external process to determine when named + had completed halting. + + + + + + trace + + + Increment the servers debugging level by one. + + + + + + trace level + + + Sets the server's debugging level to an explicit + value. + + + + + + notrace + + + Sets the server's debugging level to 0. + + + + + + flush + + + Flushes the server's cache. + + + + + + flushname name view + + + Flushes the given name from the server's cache. + + + + + + status + + + Display status of the server. + Note that the number of zones includes the internal bind/CH zone + and the default ./IN + hint zone if there is not an + explicit root zone configured. + + + + + + recursing + + + Dump the list of queries named is currently recursing + on. + + + + + + validation ( on | off | check ) view ... + + + Enable, disable, or check the current status of + DNSSEC validation. + Note dnssec-enable also needs to be + set to yes or + auto to be effective. + It defaults to enabled. + + + + + + tsig-list + + + List the names of all TSIG keys currently configured + for use by named in each view. The + list both statically configured keys and dynamic + TKEY-negotiated keys. + + + + + + tsig-delete keyname view + + + Delete a given TKEY-negotiated key from the server. + (This does not apply to statically configured TSIG + keys.) + + + + + + addzone zone class view configuration + + + Add a zone while the server is running. This + command requires the + allow-new-zones option to be set + to yes. The + configuration string + specified on the command line is the zone + configuration text that would ordinarily be + placed in named.conf. 
+ + + The configuration is saved in a file called + hash.nzf, + where hash is a + cryptographic hash generated from the name of + the view. When named is + restarted, the file will be loaded into the view + configuration, so that zones that were added + can persist after a restart. + + + This sample addzone command + would add the zone example.com + to the default view: + + +$ rndc addzone example.com '{ type master; file "example.com.db"; };' + + + (Note the brackets and semi-colon around the zone + configuration text.) + + + + + + delzone zone class view + + + Delete a zone while the server is running. + Only zones that were originally added via + rndc addzone can be deleted + in this manner. + + + + LIMITATIONS - rndc - does not yet support all the commands of - the BIND 8 ndc utility. - There is currently no way to provide the shared secret for a without using the configuration file. diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html index 4195c4e07e9fe..c0050c5faef96 100644 --- a/bin/rndc/rndc.html +++ b/bin/rndc/rndc.html @@ -1,5 +1,5 @@