author | dougb <dougb@FreeBSD.org> | 2011-05-28 07:47:56 +0800 |
---|---|---|
committer | dougb <dougb@FreeBSD.org> | 2011-05-28 07:47:56 +0800 |
commit | b47c5a374e145807a6f843191229f1cca523bb7f (patch) | |
tree | ff1334219a28715047ac632ab853d2a61c9db556 /dns | |
parent | ee99f5213f07bb4de14b19d10559a59c74d3d6ea (diff) | |
Upgrade to 9.8.0-P2, which addresses the following issues:
1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.
This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.
2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.
Add a patch provided by ru@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.
Add a patch from ISC that will be in 9.8.1 to handle intermittent
failure of recursive queries involving CNAMEs and previously cached
responses.
Diffstat (limited to 'dns')
-rw-r--r-- | dns/bind98/Makefile | 4 | ||||
-rw-r--r-- | dns/bind98/distinfo | 8 | ||||
-rw-r--r-- | dns/bind98/files/patch-bin__named__query.c | 18 | ||||
-rw-r--r-- | dns/bind98/files/patch-bin__nsupdate__nsupdate.c | 14 |
4 files changed, 38 insertions, 6 deletions
diff --git a/dns/bind98/Makefile b/dns/bind98/Makefile
index 68ffa643be3c..3bab874a41a7 100644
--- a/dns/bind98/Makefile
+++ b/dns/bind98/Makefile
@@ -12,7 +12,7 @@
 # release you can generally build it cleanly from the source - Doug
 PORTNAME= bind98
-PORTVERSION= 9.8.0.1
+PORTVERSION= 9.8.0.2
 CATEGORIES= dns net ipv6
 MASTER_SITES= ${MASTER_SITE_ISC} \
 http://dougbarton.us/Downloads/%SUBDIR%/
@@ -25,7 +25,7 @@ MAINTAINER= dougb@FreeBSD.org
 COMMENT= The BIND DNS suite with updated DNSSEC and DNS64
 # ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION= 9.8.0-P1
+ISCVERSION= 9.8.0-P2
 MAKE_JOBS_UNSAFE= yes
diff --git a/dns/bind98/distinfo b/dns/bind98/distinfo
index b02bb018d097..9a107949467f 100644
--- a/dns/bind98/distinfo
+++ b/dns/bind98/distinfo
@@ -1,4 +1,4 @@
-SHA256 (bind-9.8.0-P1.tar.gz) = f0f659079894402d38db4f22aac99ead45401123c2aa2398e13f19dae73bb11e
-SIZE (bind-9.8.0-P1.tar.gz) = 7701530
-SHA256 (bind-9.8.0-P1.tar.gz.asc) = abae8380cbf7312574f4d0b1c2865c60e3d152154e7a2a9e99710f085c2aeee9
-SIZE (bind-9.8.0-P1.tar.gz.asc) = 480
+SHA256 (bind-9.8.0-P2.tar.gz) = da4d3d2e2c3b3b1f5c6cd870ff262af5a2e82082b7a7e9c77ccab637fa11f2bd
+SIZE (bind-9.8.0-P2.tar.gz) = 7702702
+SHA256 (bind-9.8.0-P2.tar.gz.asc) = 091ac4a4d0aa08fa008eb222070e4bfe82afd601a304842b5cc79eb14b0f7c62
+SIZE (bind-9.8.0-P2.tar.gz.asc) = 481
diff --git a/dns/bind98/files/patch-bin__named__query.c b/dns/bind98/files/patch-bin__named__query.c
new file mode 100644
index 000000000000..1216d2bdfe5f
--- /dev/null
+++ b/dns/bind98/files/patch-bin__named__query.c
@@ -0,0 +1,18 @@
+--- bin/named/query.c.orig 2011-04-27 10:06:27.000000000 -0700
++++ bin/named/query.c 2011-05-27 15:00:15.000000000 -0700
+@@ -637,6 +637,7 @@
+ dns_db_attach(db, &dbversion->db);
+ dns_db_currentversion(db, &dbversion->version);
+ dbversion->acl_checked = ISC_FALSE;
++ dbversion->queryok = ISC_FALSE;
+ ISC_LIST_APPEND(client->query.activeversions,
+ dbversion, link);
+ }
+@@ -768,6 +769,7 @@
+ dbversion->queryok = ISC_FALSE;
+ return (DNS_R_REFUSED);
+ }
++ dbversion->queryok = ISC_TRUE;
+
+ approved:
+ /* Transfer ownership, if necessary. */
diff --git a/dns/bind98/files/patch-bin__nsupdate__nsupdate.c b/dns/bind98/files/patch-bin__nsupdate__nsupdate.c
new file mode 100644
index 000000000000..ad7c274ea16b
--- /dev/null
+++ b/dns/bind98/files/patch-bin__nsupdate__nsupdate.c
@@ -0,0 +1,14 @@
+--- bin/nsupdate/nsupdate.c.orig 2011-01-09 21:32:03.000000000 -0800
++++ bin/nsupdate/nsupdate.c 2011-05-27 14:51:32.000000000 -0700
+@@ -695,8 +695,10 @@
+ keyfile, isc_result_totext(result));
+ return;
+ }
+- } else
++ } else {
+ dst_key_attach(dstkey, &sig0key);
++ dst_key_free(&dstkey);
++ }
+ }
+
+ static void
|
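Review bot: patch-bin__named__query.c carries no header saying where the fix came from or when it can be removed, so a later update of the port has no in-tree cue to drop it. The commit message mentions an ISC patch that will be in 9.8.1, presumably this one; a leading line in the patch file such as `ISC fix, included upstream in 9.8.1; remove on update` would record that. On the code, `queryok` appears to hold the cached verdict of the query ACL check alongside `acl_checked`, so a short comment next to the new `dbversion->queryok = ISC_FALSE;` stating that a fresh entry starts out denied would make the fail-closed default explicit. Both inner hunks sit in functions that start and end outside the visible lines.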
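Review bot: In patch-bin__nsupdate__nsupdate.c the added `dst_key_free(&dstkey);` directly after `dst_key_attach(dstkey, &sig0key);` reads like a premature free unless the reader already knows the key is reference counted. A one-line comment above it, for example `/* sig0key now holds its own reference; release the local one */`, would make the ownership explicit. The other branch of this if/else begins above the hunk, so whether it releases `dstkey` on its success path cannot be checked from the visible lines and is worth confirming.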