Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFV 262445:
Update BIND to 9.9.5

Release note:
https://lists.isc.org/pipermail/bind-announce/2013-September/000871.html
https://lists.isc.org/pipermail/bind-announce/2014-January/000896.html

Note this is a commit straight to stable as BIND no longer exists in head.

Sponsored by: DK Hostmaster A/S

MFC r254651:

Update Bind to 9.9.3-P2

Notable new features:

* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]

* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]

* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)
[RT #28989]

* The new "inline-signing" option, in combination with the
"auto-dnssec" option that was introduced in BIND 9.7, allows
named to sign zones completely transparently.

Approved by: delphij (mentor)
Sponsored by: DK Hostmaster A/S

MFC 253983, 253984:

Update Bind to 9.8.5-P2

New Features

Adds a new configuration option, "check-spf"; valid values are
"warn" (default) and "ignore". When set to "warn", checks SPF
and TXT records in spf format, warning if either resource record
type occurs without a corresponding record of the other resource
record type. [RT #33355]

Adds support for Uniform Resource Identifier (URI) resource
records. [RT #23386]

Adds support for the EUI48 and EUI64 RR types. [RT #33082]

Adds support for the RFC 6742 ILNP record types (NID, LP, L32,
and L64). [RT #31836]

Feature Changes

Changes timing of when slave zones send NOTIFY messages after
loading a new copy of the zone. They now send the NOTIFY before
writing the zone data to disk. This will result in quicker
propagation of updates in multi-level server structures. [RT #27242]
"named -V" can now report a source ID string. (This is will be
of most interest to developers and troubleshooters). The source

ID for ISC's production versions of BIND is defined in the "srcid"
file in the build tree and is normally set to the most recent
git hash. [RT #31494]

Response Policy Zone performance enhancements. New "response-policy"
option "min-ns-dots". "nsip" and "nsdname" now enabled by default
with RPZ. [RT #32251]

Approved by: delphij (mentor)
Sponsored by: DK Hostmaster A/S

MFC r233909:

Add Bv9ARM.pdf to the list of docs to install.

MFV/MFC r233914:

Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes.

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)

Upgrade to BIND version 9.8.1. Release notes at:

https://deepthought.isc.org/article/AA-00446/81/
or
/usr/src/contrib/bind9/

Approved by: re (kib)

Upgrade to version 9.8.0-P4

This version has many new features, see /usr/share/doc/bind9/README
for details.

Update to BIND 9.6.3, the latest from ISC on the 9.6 branch.

All 9.6 users with DNSSEC validation enabled should upgrade to this
version, or the latest version in the 9.7 branch, prior to 2011-03-31
in order to avoid validation failures for names in .COM as described
here:

https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record

In addition the fixes for this and other bugs, there are also the
following:

* Various fixes to kerberos support, including GSS-TSIG
* Various fixes to avoid leaking memory, and to problems that could
prevent a clean shutdown of named

Update to version 9.6-ESV-R3, the latest from ISC, which addresses
the following security vulnerabilities.

For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories

1. Cache incorrectly allows ncache and rrsig for the same type

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613

Affects resolver operators whose servers are open to potential
attackers. Triggering the bug will cause the server to crash.

This bug applies even if you do not have DNSSEC enabled.

2. Key algorithm rollover

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614

Affects resolver operators who are validating with DNSSEC, and
querying zones which are in a key rollover period. The bug will
cause answers to incorrectly be marked as insecure.

Update BIND to version 9.6.1rc1. This version has better performance and
lots of new features compared to 9.4.x, including:

Full NSEC3 support
Automatic zone re-signing
New update-policy methods tcp-self and 6to4-self
DHCID support.
More detailed statistics counters including those supported in BIND 8.
Faster ACL processing.
Efficient LRU cache-cleaning mechanism.
NSID support.

Merge from vendor/bind9/dist as of the 9.4.3 import

Merge from vendor/bind9/dist as of the 9.4.2-P2 import

Merge from vendor/bind9/dist as of the 9.4.2-P1 import, including
the patch from ISC for lib/bind9/check.c and deletion of unused
files in lib/bind.

This version will by default randomize the UDP query source port
(and sequence number of course) for every query.

In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] options.

The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chatper 6 for more information.

Also please note, this issue applies only to UDP query ports. A random
ephemeral port is always chosen for TCP queries.

This issue applies primarily to name servers whose main purpose is to
resolve random queries (sometimes referred to as "caching" servers, or
more properly as "resolving" servers), although even an "authoritative"
name server will make some queries, primarily at startup time.

All users of BIND are strongly encouraged to upgrade to the latest
version, and to utilize the source port randomization feature.

This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience

This commit was generated by cvs2svn to compensate for changes in r174187,
which included commits to RCS files with non-trunk default branches.

Vendor import of BIND 9.4.2

Vendor import of 9.4.1-P1, which has fixes for the following:

1. The default access control lists (acls) are not being
correctly set. If not set anyone can make recursive queries
and/or query the cache contents.

See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925

2. The DNS query id generation is vulnerable to cryptographic
analysis which provides a 1 in 8 chance of guessing the next
query id for 50% of the query ids. This can be used to perform
cache poisoning by an attacker.

This bug only affects outgoing queries, generated by BIND 9 to
answer questions as a resolver, or when it is looking up data
for internal uses, such as when sending NOTIFYs to slave name
servers.

All users are encouraged to upgrade.

See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926

Approved by: re (kensmith, implicit)

Vendor import of BIND 9.4.1

Vendor import of BIND 9.3.3

Vendor import of BIND 9.3.2

Vendor import of BIND 9.3.1

Vender import of BIND 9.3.0rc4.