FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=main 2013-09-30T17:23:45Z 2013-09-30T17:23:45Z Dag-Erling Smørgrav des@FreeBSD.org 2013-09-30T17:23:45Z urn:sha1:56b72efe825d4190e0e2fdbc07ebb295cac299df Approved by: re (gjb) 2013-08-22T08:15:03Z Erwin Lansing erwin@FreeBSD.org 2013-08-22T08:15:03Z urn:sha1:08e6ea976b86b6591f317d290bfc9743d11c21ac Notable new features: * Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918] * Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673] * BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989] * The new "inline-signing" option, in combination with the "auto-dnssec" option that was introduced in BIND 9.7, allows named to sign zones completely transparently. Approved by: delphij (mentor) MFC after: 3 days Sponsored by: DK Hostmaster A/S 2013-08-06T06:22:54Z Erwin Lansing erwin@FreeBSD.org 2013-08-06T06:22:54Z urn:sha1:a273027f9224fda6fd8740a05fb25286641770b2 New Features Adds a new configuration option, "check-spf"; valid values are "warn" (default) and "ignore". When set to "warn", checks SPF and TXT records in spf format, warning if either resource record type occurs without a corresponding record of the other resource record type. [RT #33355] Adds support for Uniform Resource Identifier (URI) resource records. [RT #23386] Adds support for the EUI48 and EUI64 RR types. [RT #33082] Adds support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836] Feature Changes Changes timing of when slave zones send NOTIFY messages after loading a new copy of the zone. They now send the NOTIFY before writing the zone data to disk. This will result in quicker propagation of updates in multi-level server structures. [RT #27242] "named -V" can now report a source ID string. (This is will be of most interest to developers and troubleshooters). The source ID for ISC's production versions of BIND is defined in the "srcid" file in the build tree and is normally set to the most recent git hash. [RT #31494] Response Policy Zone performance enhancements. New "response-policy" option "min-ns-dots". "nsip" and "nsdname" now enabled by default with RPZ. [RT #32251] Approved by: delphij (mentor) Sponsored by: DK Hostmaster A/S 2012-12-07T12:39:58Z Erwin Lansing erwin@FreeBSD.org 2012-12-07T12:39:58Z urn:sha1:cfd4d2c42e1c88d28ef6b9bca1ffbab32de3e7ff Security Fixes Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. New Features * Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918] Feature Changes * Improves OpenSSL error logging [RT #29932] * nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492] Other critical bug fixes are included. Approved by: delphij (mentor) MFC after: 3 days Security: CVE-2012-5688 Sponsored by: DK Hostmaster A/S 2012-05-28T19:47:56Z Doug Barton dougb@FreeBSD.org 2012-05-28T19:47:56Z urn:sha1:687aeb3821cb3144a06fb18268c456be2af6e4a7 Feature Change * BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) Bug Fix * The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi- threaded environment. Other critical bug fixes are included. All BIND users are encouraged to upgrade. 2012-04-05T04:29:35Z Doug Barton dougb@FreeBSD.org 2012-04-05T04:29:35Z urn:sha1:d0f6280db790de2ad69bd01a1275e350cbd2840d 2011-09-03T07:13:45Z Doug Barton dougb@FreeBSD.org 2011-09-03T07:13:45Z urn:sha1:6fae67da247296c5844ea54a5fc238184ed50046 https://deepthought.isc.org/article/AA-00446/81/ or /usr/src/contrib/bind9/ Approved by: re (kib) 2011-07-16T11:12:09Z Doug Barton dougb@FreeBSD.org 2011-07-16T11:12:09Z urn:sha1:7afecc12f4d7b56f03438d5f41b837b9696f0a94 This version has many new features, see /usr/share/doc/bind9/README for details. 2011-07-06T00:48:31Z Doug Barton dougb@FreeBSD.org 2011-07-06T00:48:31Z urn:sha1:7c9d9e417a7229e86c5f13a3976d970479885c65 ALL BIND USERS ARE ENCOURAGED TO UPGRADE IMMEDIATELY This update addresses the following vulnerability: CVE-2011-2464 ============= Severity: High Exploitable: Remotely Description: A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464 https://www.isc.org/software/bind/advisories/cve-2011-2464 2011-05-28T00:21:28Z Doug Barton dougb@FreeBSD.org 2011-05-28T00:21:28Z urn:sha1:37bb75f74000255f3ea6c7c2d2e9ddae3075c19f 1. Very large RRSIG RRsets included in a negative cache can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check. This bug affects all resolving name servers, whether DNSSEC validation is enabled or not, on all BIND versions prior to today. There is a possibility of malicious exploitation of this bug by remote users. 2. Named could fail to validate zones listed in a DLV that validated insecure without using DLV and had DS records in the parent zone. Add a patch provided by ru@ and confirmed by ISC to fix a crash at shutdown time when a SIG(0) key is being used.