aboutsummaryrefslogtreecommitdiffstats
path: root/dns/bind99
Commit message (Collapse)AuthorAgeFilesLines
* Update to 9.9.3-P1erwin2013-06-052-7/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Security Fixes Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690] Now supports NAPTR regular expression validation on all platforms, and avoids memory exhaustion compiling pathological regular expressions. (CVE-2013-2266) [RT #32688] Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (CVE-2012-5688) [RT #30792 / #30996] Prevents an assertion failure in named when RPZ and DNS64 are used together. (CVE-2012-5689) [RT #32141] See release notes for further features and bug fixes: https://kb.isc.org/article/AA-00970/0/BIND-9.9.3-P1-Extended-Support-Version-Release-Notes.html Security: CVE-2013-3919 CVE-2013-2266 CVE-2012-5688 CVE-2012-5689
* Update to 9.9.3erwin2013-05-313-7/+8
|
* Update RPZ and RRL patch set:erwin2013-05-312-3/+3
| | | | | | | | | | | | | | - address the issue raised by Bob Harold. RRL on recursive servers applies rate limits after waiting for recursion except on sub-domains of domains for which the server is authoritative. - fix the bug reported by Roy Arends in which "slipped" NXDOMAIN responses had rcode values of 0 (NoError) instead of 3 (NXDOMAIN). - move reports of RRL drop and slip actions from the "queries" log category to the "query-errors" category. Because they are not in the "queres" category, enabling or disabling query logging no longer affects them.
* Fix typo in RPZRRL_PATCHerwin2013-05-061-1/+1
| | | | Submitted by: Alexander Yerenkow <yerenkow@gmail.com>
* Readd dns/bind-tools.zeising2013-04-241-9/+22
| | | | | | | | | This is done in a similar manner as the old bind-tools, but uses bind99 instead of bind97 as master port. Change bind99 to facilitate the bind-tools slave, in a simlar way as was done for bind97. Approved by: erwin (maintainer)
* Make pkg-message and pkg-install a local file to the bind98 and bind99erwin2013-04-233-2/+31
| | | | | ports and not include the one from the deprecated bind97 port, which is to be removed.
* Update RPZ+RRL patchset to the latest version.erwin2013-04-172-3/+3
| | | | | | | | | | | | | The change makes "slip 1;" send only truncated (TC=1) responses. Without the change, "slip 1;" is the same as the default of "slip 2;". That default, which alternates truncated with dropped responses when the rate limit is exceeded, is better for authoritative DNS servers, because it further reduces the amplification of an attack from about 1X to about 0.5X. DNS RRL is not recommended for recursive servers. Feature safe: yes
* Update to 9.9.2-P2erwin2013-03-272-4/+4
| | | | | | | | | Removed the check for regex.h in configure in order to disable regex syntax checking, as it exposes BIND to a critical flaw in libregex on some platforms. [RT #32688] Security: CVE-2013-2266
* Update the RPZ+RRL patch files which removeerwin2013-03-152-3/+3
| | | | | | | | working files that should not have been in the patches[1] Also move to a versioned filename for the patches[2] Submitted by: Robert Sargent <robtsgt@gmail.com> [1], Vernon Schryver <vjs@rhyolite.com> [2]
* Update RPZ+RRL patch to 028.23erwin2013-02-051-2/+2
| | | | | | | | | | | | | | | A serious Multiple Zone Response Policy Zone (RPZ2) Speed Improvement bug has been fixed. `./configure --enable-rpz-nsip --enable-rpz-nsdname` is now the default. Responses affected by the all-per-second parameter are always dropped. The slip value has no effect on them. There are improved log messages for responses that are dropped or "slipped," because they would require an excessive identical referral.
* Reduce lenght of the option description for RPZRRL_PATCH toerwin2013-01-101-1/+1
| | | | | | avoid problems with the older dialog(1) on FreeBSD 8.x Noticed by: Terry Kennedy <terry@tmk.com>
* Update the response rate limiting patch to the latesterwin2013-01-092-7/+7
| | | | | | | | | | | released version of January 5, 2013. This also includes performance patches to the BIND9 Response Policy Zones (DNS RPZ), Single Zone Response Policy Zone (RPZ) Speed Improvement, in the same patch. More information: http://ss.vix.su/~vjs/rrlrpz.html
* Add LICENSE.erwin2013-01-041-0/+2
|
* Add experimental option for Response Rate Limiting patch.erwin2013-01-042-1/+9
|
* - Use new OPTIONS_GROUP for DLZ options.[1]erwin2012-12-141-3/+3
| | | | | | | | - This also allows more than one DLZ option to be set.[2] Submitted by: bapt [1] (as RADIO) Suggested by: az [2] (thus GROUP instead)
* Update to the latest patch level from ISC:erwin2012-12-052-6/+4
| | | | | | | | | | | | | BIND 9 nameservers using the DNS64 IPv6 transition mechanism are vulnerable to a software defect that allows a crafted query to crash the server with a REQUIRE assertion failure. Remote exploitation of this defect can be achieved without extensive effort, resulting in a denial-of-service (DoS) vector against affected servers. Security: 2892a8e2-3d68-11e2-8e01-0800273fe665 CVE-2012-5688 Feature safe: yes
* Improve the SSL option descriptionerwin2012-12-031-1/+1
| | | | | Submitted by: Kazunori Fujiwara <fujiwara@jprs.co.jp> Feature safe: yes
* Remove gpg signature checking that in itself does noterwin2012-12-031-5/+0
| | | | | | provide any additional security. Feature safe: yes
* - Update CONFLICTSerwin2012-11-271-4/+19
| | | | | | | | | | - Fix a typo in the OPTIONSNG conversion - Add FIXED_RRSET option - Add RPZ options (9.8 and 9.8 only) PR: 172586 Submitted by: Craig Leres <leres@ee.lbl.gov> Feature safe: yes
* Reduce lenght of the option description for DLZ_MYSQL toerwin2012-10-261-1/+1
| | | | | | | avoid problems with the older dialog(1) on FreeBSD 8.x Noticed by: Terry Kennedy <terry@tmk.com> Feature safe: yes
* - Convert to OPTIONSNGerwin2012-10-251-37/+39
| | | | | | - Turn on IPv6 support by default Feature safe: yes
* Force python off to disable build time detection of python.erwin2012-10-191-1/+2
| | | | | Submitted by: zeising Feature safe: yes
* Update to 9.9.2erwin2012-10-193-6/+8
| | | | Feature safe: yes
* Upgrade to the latest BIND patch level:erwin2012-10-102-6/+6
| | | | | | | A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. Security: http://www.vuxml.org/freebsd/57a700f9-12c0-11e2-9f86-001d923933b6.html
* Take maintainership of the BIND ports while I'm working on the latesterwin2012-10-101-1/+1
| | | | security releases.
* Throw my ports back in the pool, and make my intentions clear for thedougb2012-10-081-7/+1
| | | | | | | | various ports that I've created. I bid fond fare well A chapter closes for me What opens for you?
* Upgrade to the latest BIND patch level:dougb2012-09-192-11/+9
| | | | | | | | | | | | | | | | | | | Prevents a crash when queried for a record whose RDATA exceeds 65535 bytes. Prevents a crash when validating caused by using "Bad cache" data before it has been initialized. ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. For more information: https://kb.isc.org/article/AA-00788
* Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failuredougb2012-07-252-8/+7
| | | | | | | | | | | in BIND9 High numbers of queries with DNSSEC validation enabled can cause an assertion failure in named, caused by using a "bad cache" data structure before it has been initialized. CVE: CVE-2012-3817 Posting date: 24 July, 2012
* Upgrade to 9.6-ESV-R7-P1, 9.7.6-P1, 9.8.3-P1, and 9.9.1-P1, the latestdougb2012-06-052-6/+6
| | | | | | | | | | | | | | | | from ISC. These patched versions contain a critical bugfix: Processing of DNS resource records where the rdata field is zero length may cause various issues for the servers handling them. Processing of these records may lead to unexpected outcomes. Recursive servers may crash or disclose some portion of memory to the client. Secondary servers may crash on restart after transferring a zone containing these records. Master servers may corrupt zone data if the zone option "auto-dnssec" is set to "maintain". Other unexpected problems that are not listed here may also be encountered. All BIND users are strongly encouraged to upgrade.
* Upgrade to BIND versions 9.9.1, 9.8.3, 9.7.6, and 9.6-ESV-R7,dougb2012-05-233-7/+7
| | | | | | | | | | | | | | | | | | | | the latest from ISC. These versions all contain the following: Feature Change * BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989] Bug Fix * The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi- threaded environment. Each version also contains other critical bug fixes. All BIND users are encouraged to upgrade to these latest versions.
* Remove patch that is incorporated into version 9.9.1dougb2012-05-231-11/+0
|
* Switch to using the PORTDOCS macrodougb2012-04-052-51/+1
| | | | Feature safe: yes
* Add a patch from ISC slated for 9.9.1 which fixes an assertion failuredougb2012-03-172-0/+12
| | | | Feature safe: yes
* Release version of 9.9.0. Code is identical to rc4.dougb2012-03-012-7/+6
|
* Upgrade to rc4, rndc and dlz fixes, including DNSSEC key maintenance timerdougb2012-02-242-6/+6
|
* Upgrade to 9.9.0rc3, various small bug fixesdougb2012-02-192-6/+6
|
* Update to 9.9.0rc2, which addresses mostly in-line signing bugsdougb2012-02-012-6/+6
|
* By popular demand add a port for the newest BIND branch, 9.9.x. This willdougb2012-01-284-0/+545
stay as a -devel until it's formally released, which should be soon'ish. BIND 9.9 includes a number of changes from BIND 9.8 and earlier releases, including: NXDOMAIN redirection Improved startup and reconfiguration time, especially with large numbers of authoritative zones New "inline-signing" option, allows named to sign zones completely transparently, including static zones Many other new features, especially for DNSSEC See the CHANGES file for more information on features. https://kb.isc.org/article/AA-00592