#
267654 |
|
19-Jun-2014 |
gjb |
Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
254897 |
|
26-Aug-2013 |
erwin |
MFC r254651:
Update Bind to 9.9.3-P2
Notable new features:
* Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673]
* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989]
* The new "inline-signing" option, in combination with the "auto-dnssec" option that was introduced in BIND 9.7, allows named to sign zones completely transparently.
Approved by: delphij (mentor) Sponsored by: DK Hostmaster A/S
|
#
234010 |
|
07-Apr-2012 |
dougb |
MFC r233909:
Add Bv9ARM.pdf to the list of docs to install.
MFV/MFC r233914:
Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes.
|
#
225736 |
|
22-Sep-2011 |
kensmith |
Copy head to stable/9 as part of 9.0-RELEASE release cycle.
Approved by: re (implicit)
|
#
224092 |
|
16-Jul-2011 |
dougb |
Upgrade to version 9.8.0-P4
This version has many new features, see /usr/share/doc/bind9/README for details.
|
#
222395 |
|
27-May-2011 |
dougb |
Upgrade to 9.6-ESV-R4-P1, which address the following issues:
1. Very large RRSIG RRsets included in a negative cache can trigger an assertion failure that will crash named (BIND 9 DNS) due to an off-by-one error in a buffer size check.
This bug affects all resolving name servers, whether DNSSEC validation is enabled or not, on all BIND versions prior to today. There is a possibility of malicious exploitation of this bug by remote users.
2. Named could fail to validate zones listed in a DLV that validated insecure without using DLV and had DS records in the parent zone.
Add a patch provided by ru@ and confirmed by ISC to fix a crash at shutdown time when a SIG(0) key is being used.
|
#
193149 |
|
31-May-2009 |
dougb |
Update BIND to version 9.6.1rc1. This version has better performance and lots of new features compared to 9.4.x, including:
Full NSEC3 support Automatic zone re-signing New update-policy methods tcp-self and 6to4-self DHCID support. More detailed statistics counters including those supported in BIND 8. Faster ACL processing. Efficient LRU cache-cleaning mechanism. NSID support.
|
#
186462 |
|
23-Dec-2008 |
dougb |
Merge from vendor/bind9/dist as of the 9.4.3 import
|
#
182645 |
|
01-Sep-2008 |
dougb |
Merge from vendor/bind9/dist as of the 9.4.2-P2 import
|
#
180477 |
|
12-Jul-2008 |
dougb |
Merge from vendor/bind9/dist as of the 9.4.2-P1 import, including the patch from ISC for lib/bind9/check.c and deletion of unused files in lib/bind.
This version will by default randomize the UDP query source port (and sequence number of course) for every query.
In order to take advantage of this randomization users MUST have an appropriate firewall configuration to allow UDP queries to be sent and answers to be received on random ports; and users MUST NOT specify a port number using the query-source[-v6] options.
The avoid-v[46]-udp-ports options exist for users who wish to eliminate certain port numbers from being chosen by named for this purpose. See the ARM Chatper 6 for more information.
Also please note, this issue applies only to UDP query ports. A random ephemeral port is always chosen for TCP queries.
This issue applies primarily to name servers whose main purpose is to resolve random queries (sometimes referred to as "caching" servers, or more properly as "resolving" servers), although even an "authoritative" name server will make some queries, primarily at startup time.
All users of BIND are strongly encouraged to upgrade to the latest version, and to utilize the source port randomization feature.
This update addresses issues raised in: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 http://www.kb.cert.org/vuls/id/800113 http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
|
#
174188 |
|
02-Dec-2007 |
dougb |
This commit was generated by cvs2svn to compensate for changes in r174187, which included commits to RCS files with non-trunk default branches.
|
#
174187 |
|
02-Dec-2007 |
dougb |
Vendor import of BIND 9.4.2
|
#
171577 |
|
25-Jul-2007 |
dougb |
Vendor import of 9.4.1-P1, which has fixes for the following:
1. The default access control lists (acls) are not being correctly set. If not set anyone can make recursive queries and/or query the cache contents.
See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925
2. The DNS query id generation is vulnerable to cryptographic analysis which provides a 1 in 8 chance of guessing the next query id for 50% of the query ids. This can be used to perform cache poisoning by an attacker.
This bug only affects outgoing queries, generated by BIND 9 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFYs to slave name servers.
All users are encouraged to upgrade.
See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
Approved by: re (kensmith, implicit)
|
#
170222 |
|
02-Jun-2007 |
dougb |
Vendor import of BIND 9.4.1
|
#
135446 |
|
18-Sep-2004 |
trhodes |
Vender import of BIND 9.3.0rc4.
|