Remove svn:mergeinfo carried over from stable/9.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFV 262445:
Update BIND to 9.9.5

Release note:
https://lists.isc.org/pipermail/bind-announce/2013-September/000871.html
https://lists.isc.org/pipermail/bind-announce/2014-January/000896.html

Note this is a commit straight to stable as BIND no longer exists in head.

Sponsored by: DK Hostmaster A/S

MFC r254651:

Update Bind to 9.9.3-P2

Notable new features:

* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]

* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]

* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)
[RT #28989]

* The new "inline-signing" option, in combination with the
"auto-dnssec" option that was introduced in BIND 9.7, allows
named to sign zones completely transparently.

Approved by: delphij (mentor)
Sponsored by: DK Hostmaster A/S

MFC 253983, 253984:

Update Bind to 9.8.5-P2

New Features

Adds a new configuration option, "check-spf"; valid values are
"warn" (default) and "ignore". When set to "warn", checks SPF
and TXT records in spf format, warning if either resource record
type occurs without a corresponding record of the other resource
record type. [RT #33355]

Adds support for Uniform Resource Identifier (URI) resource
records. [RT #23386]

Adds support for the EUI48 and EUI64 RR types. [RT #33082]

Adds support for the RFC 6742 ILNP record types (NID, LP, L32,
and L64). [RT #31836]

Feature Changes

Changes timing of when slave zones send NOTIFY messages after
loading a new copy of the zone. They now send the NOTIFY before
writing the zone data to disk. This will result in quicker
propagation of updates in multi-level server structures. [RT #27242]
"named -V" can now report a source ID string. (This is will be
of most interest to developers and troubleshooters). The source

ID for ISC's production versions of BIND is defined in the "srcid"
file in the build tree and is normally set to the most recent
git hash. [RT #31494]

Response Policy Zone performance enhancements. New "response-policy"
option "min-ns-dots". "nsip" and "nsdname" now enabled by default
with RPZ. [RT #32251]

Approved by: delphij (mentor)
Sponsored by: DK Hostmaster A/S

MFC r248788 (erwin):

Update BIND to 9.8.4-P2

Removed the check for regex.h in configure in order
to disable regex syntax checking, as it exposes
BIND to a critical flaw in libregex on some
platforms. [RT #32688]

MFC r243981,243987:

Update to 9.8.4-P1.

New Features

* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

* Improves OpenSSL error logging [RT #29932]

* nslookup now returns a nonzero exit code when it is unable to get
an answer. [RT #29492]

Other critical bug fixes are included.

Approved by: delphij (mentor)
Sponsored by: DK Hostmaster A/S

MFV r236171, MFC r236196:

Upgrade to BIND version 9.8.3, the latest from ISC.

Feature Change

* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)

Bug Fix

* The locking strategy around the handling of iterative queries
has been tuned to reduce unnecessary contention in a multi-
threaded environment.

Other critical bug fixes are included.

All BIND users are encouraged to upgrade.

MFC r233909:

Add Bv9ARM.pdf to the list of docs to install.

MFV/MFC r233914:

Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes.

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)

Upgrade to BIND version 9.8.1. Release notes at:

https://deepthought.isc.org/article/AA-00446/81/
or
/usr/src/contrib/bind9/

Approved by: re (kib)

Fixes to make the WITH_BIND_LIBS option functional with BIND 9.8.x

bmake and other updates necessary for the BIND 9.8.x upgrade.

This includes a structural change regarding atomic ops. Previously they
were enabled on all platforms unless we had knowledge that they did not
work. However both work performed by marius@ on sparc64 and the fact that
the 9.8.x branch is fussier in this area has demonstrated that this is
not a safe approach. So I've modified a patch provided by marius to
enable them for i386, amd64, and ia64 only.

Handle the MK_BIND_XML option more intelligently

Update to BIND 9.6.3, the latest from ISC on the 9.6 branch.

All 9.6 users with DNSSEC validation enabled should upgrade to this
version, or the latest version in the 9.7 branch, prior to 2011-03-31
in order to avoid validation failures for names in .COM as described
here:

https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record

In addition the fixes for this and other bugs, there are also the
following:

* Various fixes to kerberos support, including GSS-TSIG
* Various fixes to avoid leaking memory, and to problems that could
prevent a clean shutdown of named

Revert part of r217071 so that us mere mortals can clearly see
what this bit of code is intended to do. :)

Approved by: imp

Make this work on big endian MIPS, while not breaking it for small
endian mips. This will also make it work automatically on all future
big endian platforms.

Prep for the 9.6-ESV-R2 update

Since powerpc and powerpc64 share an instruction set, bind can and should
use the 32-bit atomic operations unmodified. Accomplish this by switching
some MACHINE_ARCH values to MACHINE_CPUARCH.

Update to 9.6.2-P1, the latest patchfix release which deals with
the problems related to the handling of broken DNSSEC trust chains.

This fix is only relevant for those who have DNSSEC validation
enabled and configure trust anchors from third parties, either
manually, or through a system like DLV.

Upgrade to version 9.6.2. This version includes all previously released
security patches to the 9.6.1 version, as well as many other bug fixes.

This version also incorporates a different fix for the problem we had
patched in contrib/bind9/bin/dig/dighost.c, so that file is now back
to being the same as the vendor version.

Due to the fact that the DNSSEC algorithm that will be used to sign the
root zone is only included in this version and in 9.7.x those who wish
to do validation MUST upgrade to one of these prior to July 2010.

Commit copyright-only changes to generated files as part of the
9.6.1-P3 update

Update to BIND 9.6.1-P2. The vulnerability this is designed to fix is
related to DNSSEC validation on a resolving name server that allows
access to untrusted users. If your system does not fall into all 3 of
these categories you do not need to update immediately.

Add support for the build options that are currently in the port:
WITH_BIND_IDN
WITH_BIND_LARGE_FILE
WITH_BIND_SIGCHASE
WITH_BIND_XML

Update BIND to version 9.6.1rc1. This version has better performance and
lots of new features compared to 9.4.x, including:

Full NSEC3 support
Automatic zone re-signing
New update-policy methods tcp-self and 6to4-self
DHCID support.
More detailed statistics counters including those supported in BIND 8.
Faster ACL processing.
Efficient LRU cache-cleaning mechanism.
NSID support.

Updates for version 9.4.3

Update copyrights and comments as of 9.4.3 (no functional changes)

Add strndup(3) prototype to string.h.

This change was erronously ommitted from the r185690, and attempt
to simply add the prototype to string.h has revealed that several
contributed programs defined local prototypes for strndup(), controlled
by autoconfed config.h. So, manually change #undef HAVE_STRNDUP to
#define HAVE_STRNDUP 1. Next import of the corresponding program would
regenerate config.h, overriding the changes in this commit.

No objections from: kan

Update for version 9.4.2-P2

One more glue update for BIND 9.4.2

Update glue for BIND 9.4.2

Remove the special atomic.h case for arm, and allow it to use
the platform specific file that imp provided.

Fix the amd64 and pc98 versions of ISC_ATOMIC_ARCH with some help
from ru@.

Take a guess at what might work on arm to try and fix the build.

Update generated files for BIND 9.4.1

Update bmake glue for the BIND 9.4.1 import.

This includes a return to building with threads, since one of the
major focuses of the 9.4.x branch is to improve thread performance.

Update generated files for BIND 9.3.4

Changes to generated files related to the 9.3.3 import.

Reimplementation of world/kernel build options. For details, see:

http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)

Updated versions of header files generated per the instructions
in src/contrib/bind9/FREEBSD-Upgrade for the 9.2.3 import

Finish the removal of threads support in ../config.mk,v 1.15.

Disable thread support in BIND. It appears to reduce performance rather
than increase it, and seems to be the cause of the memory leaks which some
users have reported.

Requested by: dougb
MFC after: 5 days

Regenerate for 9.3.1

bmake changes to handle the move of dns/sec and related files

NOINET6 -> NO_INET6

NOCRYPT -> NO_CRYPT

NOLIBC_R -> NO_LIBC_R
NOLIBPTHREAD -> NO_LIBPTHREAD
NOLIBTHR -> NO_LIBTHR

For variables that are only checked with defined(), don't provide
any fake value.

For variables that are only checked with defined(), don't provide
any fake value.

Fix up the man file installation for the new BIND 9 sources:

1. Install man files and links for the lwres library.

2. Fix the path in various files to say /etc/namedb/ instead of just /etc.

3. Correctly install the conf file man pages for named and rndc.

Ruslan has educated me both on the wisdom of why this approach is
better than mine, and why to wait for review.

Submitted by: ru

Fix the WANT_BIND_LIBS knob by correctly spelling it as WITH_BIND_LIBS
to match how similar syntax is used in the ports system. Thanks to kris
for pointing out my mistake here.

Install the lwres library unless the user defines NO_BIND, or the new
knob, NO_BIND_LIBS_LWRES. There is at least one potential customer
for this library in the wings. Thanks to nectar for the reminder.

Don't expose BIND libraries and their headers to the public by default,
but have a knob (WANT_BIND_LIBS) to build and install them in /usr/lib
and /usr/include. Rumors are that this may be useful at a later point,
let's see.

What this really means is that all BIND libraries are now internal to
buildworld (by default, unless WANT_BIND_LIBS is defined), and linked
statically into various BIND executables.

While here, removed redundant -I's from CFLAGS in lib/bind makefiles.

Sponsored by: des
OK'ed by: dougb

Instead of hardcoding the BIND version, deduce it from ${BIND_DIR}/version.

libpthread is always libpthread, even when it's libc_r.

Reminded by: ru@

Bump version number after vendor import of 9.3.0.

LOCALSTATEDIR should be /var, since the BIND 9 source appends
things like "run/named.pid" to it.

Always link with -lpthread, not -lc_r, because platforms that don't have
full KSE support still have -lpthread as an alias for -lc_r. The only
thing that's different is the name of the knob that turns it off.

Pointed out by: ru@

Clean up and comment config.mk. Centralize more stuff. Bitch if
POSIX threads libraries are not available. Add crypto support if
the crypto libraries are available. Build dnssec-{keygen,signzone}
if crypto is available.

Submitted by: (in part) dougb@

Switch from BIND 8 to BIND 9.

Submitted by: (in part) dougb@, trhodes@
Reviewed by: dougb@, trhodes@, re@
MFC after: 5 days