Fix BIND remote Denial of Service vulnerability. [SA-16:34]

Fix OpenSSL remote DoS vulnerability. [SA-16:35]

Security: FreeBSD-SA-16:34.bind
Security: FreeBSD-SA-16:35.openssl
Approved by: so

Fix BIND remote Denial of Service vulnerability. [SA-16:28]

Fix bspatch heap overflow vulnerability. [SA-16:29]

Fix multiple portsnap vulnerabilities. [SA-16:30]

Approved by: so

Fix multiple vulnerabilities of BIND. [SA-16:13]

Fix a regression with OpenSSL patch. [SA-16:12]

Approved by: so

Fix BIND remote denial of service vulnerability. [SA-16:08]

Fix multiple vulnerabilities of ntp. [SA-16:09]

Fix Linux compatibility layer issetugid(2) system call
vulnerability. [SA-16:10]

Security: FreeBSD-SA-16:08.bind
Security: FreeBSD-SA-16:09.ntp
Security: FreeBSD-SA-16:10.linux
Approved by: so

Fix BIND remote denial of service vulnerability. [SA-15:27]

Security: FreeBSD-SA-15:27.bind
Security: CVE-2015-8000
Approved by: so

Fix remote denial of service vulnerability when parsing malformed
key.

Security: CVE-2015-5722
Security: FreeBSD-SA-15:23.bind
Approved by: so

Fix resource exhaustion in TCP reassembly. [SA-15:15]

Fix OpenSSH multiple vulnerabilities. [SA-15:16]

Fix BIND remote denial of service vulnerability. [SA-15:17]

Approved by: so

Fix BIND resolver remote denial of service when validating.

Security: CVE-2015-4620
Security: FreeBSD-SA-15:11.bind
Approved by: so

Fix integer overflow in IGMP protocol. [SA-15:04]

Fix BIND remote denial of service vulnerability. [SA-15:05]

Fix vt(4) crash with improper ioctl parameters. [EN-15:01]

Updated base system OpenSSL to 0.9.8zd. [EN-15:02]

Fix freebsd-update libraries update ordering issue. [EN-15:03]

Approved by: so

Fix multiple vulnerabilities in file(1) and libmagic(3).

Security: FreeBSD-SA-14:28.file
Security: CVE-2014-3710, CVE-2014-8116, CVE-2014-8117

Fix BIND remote denial of service vulnerability.

Security: FreeBSD-SA-14:29.bind
Security: CVE-2014-8500

Approved by: so

Remove svn:mergeinfo carried over from stable/9.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFV 262445:
Update BIND to 9.9.5

Release note:
https://lists.isc.org/pipermail/bind-announce/2013-September/000871.html
https://lists.isc.org/pipermail/bind-announce/2014-January/000896.html

Note this is a commit straight to stable as BIND no longer exists in head.

Sponsored by: DK Hostmaster A/S

Fix BIND remote denial of service vulnerability.

Security: FreeBSD-SA-14:04.bind
Security: CVE-2014-0591

MFC r254651:

Update Bind to 9.9.3-P2

Notable new features:

* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]

* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]

* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)
[RT #28989]

* The new "inline-signing" option, in combination with the
"auto-dnssec" option that was introduced in BIND 9.7, allows
named to sign zones completely transparently.

Approved by: delphij (mentor)
Sponsored by: DK Hostmaster A/S

MFC 253983, 253984:

Update Bind to 9.8.5-P2

New Features

Adds a new configuration option, "check-spf"; valid values are
"warn" (default) and "ignore". When set to "warn", checks SPF
and TXT records in spf format, warning if either resource record
type occurs without a corresponding record of the other resource
record type. [RT #33355]

Adds support for Uniform Resource Identifier (URI) resource
records. [RT #23386]

Adds support for the EUI48 and EUI64 RR types. [RT #33082]

Adds support for the RFC 6742 ILNP record types (NID, LP, L32,
and L64). [RT #31836]

Feature Changes

Changes timing of when slave zones send NOTIFY messages after
loading a new copy of the zone. They now send the NOTIFY before
writing the zone data to disk. This will result in quicker
propagation of updates in multi-level server structures. [RT #27242]
"named -V" can now report a source ID string. (This is will be
of most interest to developers and troubleshooters). The source

ID for ISC's production versions of BIND is defined in the "srcid"
file in the build tree and is normally set to the most recent
git hash. [RT #31494]

Response Policy Zone performance enhancements. New "response-policy"
option "min-ns-dots". "nsip" and "nsdname" now enabled by default
with RPZ. [RT #32251]

Approved by: delphij (mentor)
Sponsored by: DK Hostmaster A/S

Fix Denial of Service vulnerability in named(8). [13:07]

Security: CVE-2013-4854
Security: FreeBSD-SA-13:07.bind
Approved by: re (rodrigc)

MFC r248788 (erwin):

Update BIND to 9.8.4-P2

Removed the check for regex.h in configure in order
to disable regex syntax checking, as it exposes
BIND to a critical flaw in libregex on some
platforms. [RT #32688]

MFC r243981,243987:

Update to 9.8.4-P1.

New Features

* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

* Improves OpenSSL error logging [RT #29932]

* nslookup now returns a nonzero exit code when it is unable to get
an answer. [RT #29492]

Other critical bug fixes are included.

Approved by: delphij (mentor)
Sponsored by: DK Hostmaster A/S

MFC r241414:

Upgrade to 9.8.3-P4:

Prevents a lockup when queried a deliberately constructed combination
of records. [CVE-2012-5166]

For more information: https://kb.isc.org/article/AA-00801

MFC 240729 (dougb):

Upgrade to 9.8.3-P3:

Prevents a crash when queried for a record whose RDATA exceeds
65535 bytes.

Prevents a crash when validating caused by using "Bad cache" data
before it has been initialized.

ISC_QUEUE handling for recursive clients was updated to address
a race condition that could cause a memory leak. This rarely
occurred with UDP clients, but could be a significant problem
for a server handling a steady rate of TCP queries.

A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process.

For more information: https://kb.isc.org/article/AA-00788

MFV r238744:

Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure
in BIND9

High numbers of queries with DNSSEC validation enabled can cause an
assertion failure in named, caused by using a "bad cache" data structure
before it has been initialized.

CVE: CVE-2012-3817
Posting date: 24 July, 2012

Approved by: re (kib)

Upgrade to 9.8.3-P1, the latest from ISC. This version contains
a critical bugfix:

Processing of DNS resource records where the rdata field is zero length
may cause various issues for the servers handling them.

Processing of these records may lead to unexpected outcomes. Recursive
servers may crash or disclose some portion of memory to the client.
Secondary servers may crash on restart after transferring a zone
containing these records. Master servers may corrupt zone data if the
zone option "auto-dnssec" is set to "maintain". Other unexpected
problems that are not listed here may also be encountered.

All BIND users are strongly encouraged to upgrade.

MFV r236171, MFC r236196:

Upgrade to BIND version 9.8.3, the latest from ISC.

Feature Change

* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)

Bug Fix

* The locking strategy around the handling of iterative queries
has been tuned to reduce unnecessary contention in a multi-
threaded environment.

Other critical bug fixes are included.

All BIND users are encouraged to upgrade.

MFV r234164/MFC r234165:

The BIND 9.8.2 tarball was re-rolled to remove 9.8.1 release notes.
This change was noticed by ISC at:

https://lists.isc.org/pipermail/bind-users/2012-April/087345.html

and verified by me both by comparing the contents of the old and new
distfiles and by verifying the PGP signature on the new distfile.

MFC r233909:

Add Bv9ARM.pdf to the list of docs to install.

MFV/MFC r233914:

Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes.

Upgrade to BIND 9.8.1-P1 to address the following DDOS bug:

Recursive name servers are failing with an assertion:
INSIST(! dns_rdataset_isassociated(sigrdataset))

At this time it is not thought that authoritative-only servers
are affected, but information about this bug is evolving rapidly.

Because it may be possible to trigger this bug even on networks
that do not allow untrusted users to access the recursive name
servers (perhaps via specially crafted e-mail messages, and/or
malicious web sites) it is recommended that ALL operators of
recursive name servers upgrade immediately.

For more information see:
https://www.isc.org/software/bind/advisories/cve-2011-4313
which will be updated as more information becomes available.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313

Approved by: re (kib)

MFC: r227006, r227281, r227282

Add a PCI front-end to esp(4) allowing it to support AMD Am53C974 and
replace amd(4) with the former in the amd64, i386 and pc98 GENERIC kernel
configuration files. Besides duplicating functionality, amd(4), which
previously also supported the AMD Am53C974, unlike esp(4) is no longer
maintained and has accumulated enough bit rot over time to always cause
a panic during boot as long as at least one target is attached to it
(see PR 124667).

PR: 124667
Approved by: re (kib)
Obtained from: NetBSD (based on)

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)

Upgrade to BIND version 9.8.1. Release notes at:

https://deepthought.isc.org/article/AA-00446/81/
or
/usr/src/contrib/bind9/

Approved by: re (kib)

Upgrade to version 9.8.0-P4

This version has many new features, see /usr/share/doc/bind9/README
for details.

Update to version 9.6-ESV-R4-P3

ALL BIND USERS ARE ENCOURAGED TO UPGRADE IMMEDIATELY

This update addresses the following vulnerability:

CVE-2011-2464
=============
Severity: High
Exploitable: Remotely

Description:

A defect in the affected BIND 9 versions allows an attacker to remotely
cause the "named" process to exit using a specially crafted packet. This
defect affects both recursive and authoritative servers. The code location
of the defect makes it impossible to protect BIND using ACLs configured
within named.conf or by disabling any features at compile-time or run-time.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464
https://www.isc.org/software/bind/advisories/cve-2011-2464

Apply bug fixes

Submitted by: marius

With retirement of cpumask_t and usage of cpuset_t for representing a
mask of CPUs, pc_other_cpus and pc_cpumask become highly inefficient.

Remove them and replace their usage with custom pc_cpuid magic (as,
atm, pc_cpumask can be easilly represented by (1 << pc_cpuid) and
pc_other_cpus by (all_cpus & ~(1 << pc_cpuid))).

This change is not targeted for MFC because of struct pcpu members
removal and dependency by cpumask_t retirement.

MD review by: marcel, marius, alc
Tested by: pluknet
MD testing by: marcel, marius, gonzo, andreast

etire the cpumask_t type and replace it with cpuset_t usage.

This is intended to fix the bug where cpu mask objects are
capped to 32. MAXCPU, then, can now arbitrarely bumped to whatever
value. Anyway, as long as several structures in the kernel are
statically allocated and sized as MAXCPU, it is suggested to keep it
as low as possible for the time being.

Technical notes on this commit itself:
- More functions to handle with cpuset_t objects are introduced.
The most notable are cpusetobj_ffs() (which calculates a ffs(3)
for a cpuset_t object), cpusetobj_strprint() (which prepares a string
representing a cpuset_t object) and cpusetobj_strscan() (which
creates a valid cpuset_t starting from a string representation).
- pc_cpumask and pc_other_cpus are target to be removed soon.
With the moving from cpumask_t to cpuset_t they are now inefficient
and not really useful. Anyway, for the time being, please note that
access to pcpu datas is protected by sched_pin() in order to avoid
migrating the CPU while reading more than one (possible) word
- Please note that size of cpuset_t objects may differ between kernel
and userland. While this is not directly related to the patch itself,
it is good to understand that concept and possibly use the patch
as a reference on how to deal with cpuset_t objects in userland, when
accessing kernland members.
- KTR_CPUMASK is changed and now is represented through a string, to be
set as the example reported in NOTES.

Please additively note that no MAXCPU is bumped in this patch, but
private testing has been done until to MAXCPU=128 on a real 8x8x2(htt)
machine (amd64).

Please note that the FreeBSD version is not yet bumped because of
the upcoming pcpu changes. However, note that this patch is not
targeted for MFC.

People to thank for the time spent on this patch:
- sbruno, pluknet and Nicholas Esborn (nick AT desert DOT net) tested
several revision of the patches and really helped in improving
stability of this work.
- marius fixed several bugs in the sparc64 implementation and reviewed
patches related to ktr.
- jeff and jhb discussed the basic approach followed.
- kib and marcel made targeted review on some specific part of the
patch.
- marius, art, nwhitehorn and andreast reviewed MD specific part of
the patch.
- marius, andreast, gonzo, nwhitehorn and jceel tested MD specific
implementations of the patch.
- Other people have made contributions on other patches that have been
already committed and have been listed separately.

Companies that should be mentioned for having participated at several
degrees:
- Yahoo! for having offered the machines used for testing on big
count of CPUs.
- The FreeBSD Foundation for having sponsored my devsummit attendance,
which has been instrumental.
- Sandvine for having offered offices and infrastructure during
development.

(I really hope I didn't forget anyone, if it happened I apologize in
advance).

Upgrade to 9.6-ESV-R4-P1, which address the following issues:

1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.

This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.

Add a patch provided by ru@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.

Update to BIND 9.6.3, the latest from ISC on the 9.6 branch.

All 9.6 users with DNSSEC validation enabled should upgrade to this
version, or the latest version in the 9.7 branch, prior to 2011-03-31
in order to avoid validation failures for names in .COM as described
here:

https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record

In addition the fixes for this and other bugs, there are also the
following:

* Various fixes to kerberos support, including GSS-TSIG
* Various fixes to avoid leaking memory, and to problems that could
prevent a clean shutdown of named

Update to version 9.6-ESV-R3, the latest from ISC, which addresses
the following security vulnerabilities.

For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories

1. Cache incorrectly allows ncache and rrsig for the same type

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613

Affects resolver operators whose servers are open to potential
attackers. Triggering the bug will cause the server to crash.

This bug applies even if you do not have DNSSEC enabled.

2. Key algorithm rollover

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614

Affects resolver operators who are validating with DNSSEC, and
querying zones which are in a key rollover period. The bug will
cause answers to incorrectly be marked as insecure.

Update to 9.6-ESV-R2, the latest from ISC.

This version contains bug fixes that are relevant to any
caching/resolving name server; as well as DNSSEC-related
fixes.

Upgrade to 9.6.2-P2, which addresses the following;

Named could return SERVFAIL for negative responses
from unsigned zones.

Merger of the quota64 project into head.

This joint work of Dag-Erling Smørgrav and myself updates the
FFS quota system to support both traditional 32-bit and new 64-bit
quotas (for those of you who want to put 2+Tb quotas on your users).

By default quotas are not compiled into the kernel. To include them
in your kernel configuration you need to specify:

options QUOTA # Enable FFS quotas

If you are already running with the current 32-bit quotas, they
should continue to work just as they have in the past. If you
wish to convert to using 64-bit quotas, use `quotacheck -c 64';
if you wish to revert from 64-bit quotas back to 32-bit quotas,
use `quotacheck -c 32'.

There is a new library of functions to simplify the use of the
quota system, do `man quotafile' for details. If your application
is currently using the quotactl(2), it is highly recommended that
you convert your application to use the quotafile interface.
Note that existing binaries will continue to work.

Special thanks to John Kozubik of rsync.net for getting me
interested in pursuing 64-bit quota support and for funding
part of my development time on this project.

Update to 9.6.2-P1, the latest patchfix release which deals with
the problems related to the handling of broken DNSSEC trust chains.

This fix is only relevant for those who have DNSSEC validation
enabled and configure trust anchors from third parties, either
manually, or through a system like DLV.

Upgrade to version 9.6.2. This version includes all previously released
security patches to the 9.6.1 version, as well as many other bug fixes.

This version also incorporates a different fix for the problem we had
patched in contrib/bind9/bin/dig/dighost.c, so that file is now back
to being the same as the vendor version.

Due to the fact that the DNSSEC algorithm that will be used to sign the
root zone is only included in this version and in 9.7.x those who wish
to do validation MUST upgrade to one of these prior to July 2010.

Upgrade to BIND 9.6.1-P3.

This version address the following vulnerabilities:

BIND 9 Cache Update from Additional Section
https://www.isc.org/advisories/CVE-2009-4022v6
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
A nameserver with DNSSEC validation enabled may incorrectly add
unauthenticated records to its cache that are received during the
resolution of a recursive client query

BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses
https://www.isc.org/advisories/CVE-2010-0097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
There was an error in the DNSSEC NSEC/NSEC3 validation code that could
cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records
proven by NSEC or NSEC3 to exist) to be cached as if they had validated
correctly

These issues only affect systems with DNSSEC validation enabled.

Fix Read-After-Write (RAW) dependency violation for ar.ccv in
isc_atomic_xadd() and isc_atomic_cmpxchg().

Approved by: dougb@
MFC after: 1 week

Update to BIND 9.6.1-P2. The vulnerability this is designed to fix is
related to DNSSEC validation on a resolving name server that allows
access to untrusted users. If your system does not fall into all 3 of
these categories you do not need to update immediately.

Wrap some socket handling code in a !NULL bow

This patch or something similar will likely be included in a future
BIND release.

PR: bin/138061
Submitted by: Michael Baker <michael.baker@diversit.com.au>
Original patch submitted by: Volker <volker@vwsoft.com>
Patch reviewed and tweaked by: ISC

Update to version 9.6.1-P1 which addresses a remote DoS vulnerability:

Receipt of a specially-crafted dynamic update message may
cause BIND 9 servers to exit. This vulnerability affects all
servers -- it is not limited to those that are configured to
allow dynamic updates. Access controls will not provide an
effective workaround.

More details can be found here: https://www.isc.org/node/474

All BIND users are encouraged to update to a patched version ASAP.

Approved by: re (re -> SO -> dougb)

This is the solution that ISC committed after 9.6.1-release for
the gcc warning issue. It should be included in the next upstream
release.

Update to the final release version of BIND 9.6.1. It has the following
changes from the 9.6.1rc1 version. The first 2 only affect DNSSEC.

named could incorrectly delete NSEC3 records for
empty nodes when processing a update request.

Accept DS responses from delegation only zones.

"delegation-only" was not being accepted in
delegation-only type zones.

Local hack to get the build going again while ISC works on a more
permanent solution for 9.6.1-release.

"My suggestion is to remove the whole attribute construct.
It only suppresses a warning when a function is unused. In this case
the function is defined as inline, so it's not causing a warning when
not used."

Submitted by: marcel

Update BIND to version 9.6.1rc1. This version has better performance and
lots of new features compared to 9.4.x, including:

Full NSEC3 support
Automatic zone re-signing
New update-policy methods tcp-self and 6to4-self
DHCID support.
More detailed statistics counters including those supported in BIND 8.
Faster ACL processing.
Efficient LRU cache-cleaning mechanism.
NSID support.

Update BIND to version 9.6.1rc1. This version has better performance and
lots of new features compared to 9.4.x, including:

Full NSEC3 support
Automatic zone re-signing
New update-policy methods tcp-self and 6to4-self
DHCID support.
More detailed statistics counters including those supported in BIND 8.
Faster ACL processing.
Efficient LRU cache-cleaning mechanism.
NSID support.

Remove empty directories from the HEAD.

Discussed with: developers, imp

Merge from vendor/bind9/dist as of the 9.4.3-P2 import

Merge from vendor/bind9/dist as of the 9.4.3-P1 import

Merge from vendor/bind9/dist as of the 9.4.3 import

Merge from vendor/bind9/dist as of the 9.4.2-P2 import

Merge from vendor/bind9/dist as of the 9.4.2-P1 import, including
the patch from ISC for lib/bind9/check.c and deletion of unused
files in lib/bind.

This version will by default randomize the UDP query source port
(and sequence number of course) for every query.

In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] options.

The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chatper 6 for more information.

Also please note, this issue applies only to UDP query ports. A random
ephemeral port is always chosen for TCP queries.

This issue applies primarily to name servers whose main purpose is to
resolve random queries (sometimes referred to as "caching" servers, or
more properly as "resolving" servers), although even an "authoritative"
name server will make some queries, primarily at startup time.

All users of BIND are strongly encouraged to upgrade to the latest
version, and to utilize the source port randomization feature.

This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience

The vendor area is the proper home for these files now.

Record baseline merge state.

svn merge --record-only svn+ssh://svn.freebsd.org/base/vendor/bind9/dist .

Add proper mime-types for files that they are relevant for.
This is useful for things like *.pdf files that svn needs
to know about, and will probably be useful down the road
for other things.

This commit was generated by cvs2svn to compensate for changes in r174206,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r174190,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r174187,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r171577,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r170349,
which included commits to RCS files with non-trunk default branches.

Update the upgrade notes for BIND 9.4.1

This commit was generated by cvs2svn to compensate for changes in r170225,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r170222,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r166332,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r165078,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r165071,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r163976,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r162079,
which included commits to RCS files with non-trunk default branches.

Reimplementation of world/kernel build options. For details, see:

http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)

Add a reminder to remove obsolete files from the vendor branch.

This commit was generated by cvs2svn to compensate for changes in r154032,
which included commits to RCS files with non-trunk default branches.

Minor updates relative to the 9.2.3 import

Remove files no longer in the BIND 9 distribution

This commit was generated by cvs2svn to compensate for changes in r153816,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r149245,
which included commits to RCS files with non-trunk default branches.

Update (correct autotools usage, copy generated headers, --disable-threads)

Expand and refine a few sections for future reference

Delete all aix ports

This commit was generated by cvs2svn to compensate for changes in r143734,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r143731,
which included commits to RCS files with non-trunk default branches.

NOINET6 -> NO_INET6

Document the upgrade procedure.

This commit was generated by cvs2svn to compensate for changes in r135601,
which included commits to RCS files with non-trunk default branches.

Switch from BIND 8 to BIND 9.

Submitted by: (in part) dougb@, trhodes@
Reviewed by: dougb@, trhodes@, re@
MFC after: 5 days

Add lib/tests.

Add a config.h file.

Add a FREEBSD-Xlist file.

This commit was generated by cvs2svn to compensate for changes in r135471,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r135446,
which included commits to RCS files with non-trunk default branches.