Module Name: src Committed By: snj Date: Fri Apr 21 05:16:42 UTC 2017
Modified Files: src/doc [netbsd-7-0]: 3RDPARTY src/external/bsd/bind/dist [netbsd-7-0]: CHANGES COPYRIGHT README bind.keys bind.keys.h configure srcid version src/external/bsd/bind/dist/bin/named [netbsd-7-0]: query.c src/external/bsd/bind/dist/bin/tests/system/dname [netbsd-7-0]: tests.sh src/external/bsd/bind/dist/bin/tests/system/dname/ans3 [netbsd-7-0]: ans.pl src/external/bsd/bind/dist/bin/tests/system/dname/ns1 [netbsd-7-0]: root.db src/external/bsd/bind/dist/bin/tests/system/dname/ns2 [netbsd-7-0]: example.db src/external/bsd/bind/dist/bin/tests/system/rndc [netbsd-7-0]: tests.sh src/external/bsd/bind/dist/bin/tests/system/rpz [netbsd-7-0]: tests.sh src/external/bsd/bind/dist/doc/arm [netbsd-7-0]: Bv9ARM.ch01.html Bv9ARM.ch02.html Bv9ARM.ch03.html Bv9ARM.ch04.html Bv9ARM.ch05.html Bv9ARM.ch06.html Bv9ARM.ch07.html Bv9ARM.ch08.html Bv9ARM.ch09.html Bv9ARM.ch10.html Bv9ARM.ch11.html Bv9ARM.ch12.html Bv9ARM.ch13.html Bv9ARM.html Bv9ARM.pdf man.arpaname.html man.ddns-confgen.html man.delv.html man.dig.html man.dnssec-checkds.html man.dnssec-coverage.html man.dnssec-dsfromkey.html man.dnssec-importkey.html man.dnssec-keyfromlabel.html man.dnssec-keygen.html man.dnssec-revoke.html man.dnssec-settime.html man.dnssec-signzone.html man.dnssec-verify.html man.genrandom.html man.host.html man.isc-hmac-fixup.html man.lwresd.html man.named-checkconf.html man.named-checkzone.html man.named-journalprint.html man.named-rrchecker.html man.named.conf.html man.named.html man.nsec3hash.html man.nsupdate.html man.rndc-confgen.html man.rndc.conf.html man.rndc.html notes.html notes.pdf notes.xml src/external/bsd/bind/dist/lib/dns [netbsd-7-0]: api rdataset.c resolver.c src/external/bsd/bind/dist/lib/isc [netbsd-7-0]: lex.c src/external/bsd/bind/dist/lib/isc/include/isc [netbsd-7-0]: lex.h Log Message: Pull up following revision(s) (requested by spz in ticket #1404): doc/3RDPARTY: 1.1430 via patch external/bsd/bind/dist/CHANGES: up to 1.26 external/bsd/bind/dist/COPYRIGHT: up to 
1.1.1.11 external/bsd/bind/dist/README: up to 1.14 external/bsd/bind/dist/bin/named/query.c: up to 1.24 external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.13 external/bsd/bind/dist/bind.keys: up to 1.1.1.6 external/bsd/bind/dist/bind.keys.h: up to 1.1.1.4 external/bsd/bind/dist/configure: up to 1.7 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.26 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.27 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.19 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.14 
external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.14 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.12 external/bsd/bind/dist/lib/dns/api: up to 1.14 external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.10 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.30 external/bsd/bind/dist/lib/isc/include/isc/lex.h: up to 1.5 external/bsd/bind/dist/lib/isc/lex.c: up to 1.8 external/bsd/bind/dist/srcid: up to 1.20 
external/bsd/bind/dist/version: up to 1.24 Update BIND to 9.10.4-P8. To generate a diff of this commit: cvs rdiff -u -r1.1145.2.18.2.18 -r1.1145.2.18.2.19 src/doc/3RDPARTY cvs rdiff -u -r1.12.2.5.2.5 -r1.12.2.5.2.6 src/external/bsd/bind/dist/CHANGES cvs rdiff -u -r1.1.1.8.4.1.2.1 -r1.1.1.8.4.1.2.2 \ src/external/bsd/bind/dist/COPYRIGHT cvs rdiff -u -r1.1.1.14.2.5.2.5 -r1.1.1.14.2.5.2.6 \ src/external/bsd/bind/dist/README cvs rdiff -u -r1.1.1.5 -r1.1.1.5.14.1 src/external/bsd/bind/dist/bind.keys cvs rdiff -u -r1.1.1.1 -r1.1.1.1.10.1 src/external/bsd/bind/dist/bind.keys.h cvs rdiff -u -r1.2.2.2.2.2 -r1.2.2.2.2.3 src/external/bsd/bind/dist/configure cvs rdiff -u -r1.6.2.5.2.5 -r1.6.2.5.2.6 src/external/bsd/bind/dist/srcid cvs rdiff -u -r1.10.2.5.2.5 -r1.10.2.5.2.6 src/external/bsd/bind/dist/version cvs rdiff -u -r1.16.2.3.2.3 -r1.16.2.3.2.4 \ src/external/bsd/bind/dist/bin/named/query.c cvs rdiff -u -r1.1.1.3.12.2 -r1.1.1.3.12.3 \ src/external/bsd/bind/dist/bin/tests/system/dname/tests.sh cvs rdiff -u -r1.1.1.1.4.2 -r1.1.1.1.4.3 \ src/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl cvs rdiff -u -r1.1.1.2.14.1 -r1.1.1.2.14.2 \ src/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db cvs rdiff -u -r1.1.1.2.14.1 -r1.1.1.2.14.2 \ src/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db cvs rdiff -u -r1.1.1.5.4.1.2.2 -r1.1.1.5.4.1.2.3 \ src/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh cvs rdiff -u -r1.1.1.9.4.2.2.1 -r1.1.1.9.4.2.2.2 \ src/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh cvs rdiff -u -r1.1.1.11.2.4.2.5 -r1.1.1.11.2.4.2.6 \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html cvs rdiff -u -r1.1.1.8.2.4.2.5 -r1.1.1.8.2.4.2.6 \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html cvs rdiff -u -r1.1.1.13.2.4.2.5 -r1.1.1.13.2.4.2.6 \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html cvs rdiff -u -r1.1.1.15.2.5.2.5 -r1.1.1.15.2.5.2.6 \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html \ 
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.html \ src/external/bsd/bind/dist/doc/arm/man.dig.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html \ src/external/bsd/bind/dist/doc/arm/man.host.html \ src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html \ src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html \ src/external/bsd/bind/dist/doc/arm/man.named.html \ src/external/bsd/bind/dist/doc/arm/man.nsupdate.html \ src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html \ src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html \ src/external/bsd/bind/dist/doc/arm/man.rndc.html cvs rdiff -u -r1.1.1.14.2.4.2.5 -r1.1.1.14.2.4.2.6 \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html cvs rdiff -u -r1.1.1.10.2.4.2.5 -r1.1.1.10.2.4.2.6 \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html cvs rdiff -u -r1.1.1.1.2.4.2.5 -r1.1.1.1.2.4.2.6 \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html \ src/external/bsd/bind/dist/doc/arm/notes.html \ src/external/bsd/bind/dist/doc/arm/notes.pdf \ src/external/bsd/bind/dist/doc/arm/notes.xml cvs rdiff -u -r1.7.2.4.2.4 -r1.7.2.4.2.5 \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.pdf cvs rdiff -u -r1.1.1.12.2.5.2.5 -r1.1.1.12.2.5.2.6 \ src/external/bsd/bind/dist/doc/arm/man.arpaname.html \ src/external/bsd/bind/dist/doc/arm/man.genrandom.html \ src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html \ src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html cvs rdiff -u -r1.1.1.13.2.5.2.5 -r1.1.1.13.2.5.2.6 \ 
src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html cvs rdiff -u -r1.1.1.1.4.5.2.5 -r1.1.1.1.4.5.2.6 \ src/external/bsd/bind/dist/doc/arm/man.delv.html cvs rdiff -u -r1.1.1.3.2.5.2.5 -r1.1.1.3.2.5.2.6 \ src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html cvs rdiff -u -r1.1.1.2.2.5.2.5 -r1.1.1.2.2.5.2.6 \ src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html \ src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html cvs rdiff -u -r1.1.1.5.2.5.2.5 -r1.1.1.5.2.5.2.6 \ src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html cvs rdiff -u -r1.1.1.11.2.5.2.5 -r1.1.1.11.2.5.2.6 \ src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html cvs rdiff -u -r1.1.1.2.2.5 -r1.1.1.2.2.6 \ src/external/bsd/bind/dist/doc/arm/man.lwresd.html \ src/external/bsd/bind/dist/doc/arm/man.named.conf.html cvs rdiff -u -r1.1.1.16.2.5.2.5 -r1.1.1.16.2.5.2.6 \ src/external/bsd/bind/dist/lib/dns/api cvs rdiff -u -r1.6.10.1.2.1 -r1.6.10.1.2.2 \ src/external/bsd/bind/dist/lib/dns/rdataset.c cvs rdiff -u -r1.19.2.3.2.5 -r1.19.2.3.2.6 \ src/external/bsd/bind/dist/lib/dns/resolver.c cvs rdiff -u -r1.5.6.1 -r1.5.6.2 src/external/bsd/bind/dist/lib/isc/lex.c cvs rdiff -u -r1.3 -r1.3.14.1 \ src/external/bsd/bind/dist/lib/isc/include/isc/lex.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/doc/3RDPARTY diff -u src/doc/3RDPARTY:1.1145.2.18.2.18 src/doc/3RDPARTY:1.1145.2.18.2.19 --- src/doc/3RDPARTY:1.1145.2.18.2.18 Thu Apr 20 06:42:09 2017 +++ src/doc/3RDPARTY Fri Apr 21 05:16:38 2017 @@ -1,4 +1,4 @@ -# $NetBSD: 3RDPARTY,v 1.1145.2.18.2.18 2017/04/20 06:42:09 snj Exp $ +# $NetBSD: 3RDPARTY,v 1.1145.2.18.2.19 2017/04/21 05:16:38 snj Exp $ # # This file contains a list of the software that has been integrated into # NetBSD where we are not the primary maintainer. @@ -113,8 +113,8 @@ Notes: bc includes dc, both of which are in the NetBSD tree. Package: bind [named and utils] -Version: 9.10.4-P6 -Current Vers: 9.10.4-P6 +Version: 9.10.4-P8 +Current Vers: 9.10.4-P8 Maintainer: Paul Vixie <vi...@vix.com> Archive Site: ftp://ftp.isc.org/isc/bind9/ Home Page: http://www.isc.org/software/bind/ Index: src/external/bsd/bind/dist/CHANGES diff -u src/external/bsd/bind/dist/CHANGES:1.12.2.5.2.5 src/external/bsd/bind/dist/CHANGES:1.12.2.5.2.6 --- src/external/bsd/bind/dist/CHANGES:1.12.2.5.2.5 Mon Feb 20 16:27:13 2017 +++ src/external/bsd/bind/dist/CHANGES Fri Apr 21 05:16:39 2017 
@@ -1,7 +1,27 @@ + --- 9.10.4-P8 released --- + +4582. [security] 'rndc ""' could trigger a assertion failure in named. + (CVE-2017-3138) [RT #44924] + +4580. [bug] 4578 introduced a regression when handling CNAME to + referral below the current domain. [RT #44850] + + --- 9.10.4-P7 released --- + +4578. [security] Some chaining (CNAME or DNAME) responses to upstream + queries could trigger assertion failures. + (CVE-2017-3137) [RT #44734] + +4575. [security] DNS64 with "break-dnssec yes;" can result in an + assertion failure. (CVE-2017-3136) [RT #44653] + +4564. [maint] Update the built in managed keys to include the + upcoming root KSK. [RT #44579] + --- 9.10.4-P6 released --- 4558. [bug] Synthesised CNAME before matching DNAME was still - being cached when it should have been. [RT #44318] + being cached when it should not have been. [RT #44318] 4557. [security] Combining dns64 and rpz can result in dereferencing a NULL pointer (read). (CVE-2017-3135) [RT#44434] Index: src/external/bsd/bind/dist/COPYRIGHT diff -u src/external/bsd/bind/dist/COPYRIGHT:1.1.1.8.4.1.2.1 src/external/bsd/bind/dist/COPYRIGHT:1.1.1.8.4.1.2.2 --- src/external/bsd/bind/dist/COPYRIGHT:1.1.1.8.4.1.2.1 Sun Mar 13 08:00:24 2016 +++ src/external/bsd/bind/dist/COPYRIGHT Fri Apr 21 05:16:39 2017 @@ -1,4 +1,4 @@ -Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 1996-2003 Internet Software Consortium. Permission to use, copy, modify, and/or distribute this software for any Index: src/external/bsd/bind/dist/README diff -u src/external/bsd/bind/dist/README:1.1.1.14.2.5.2.5 src/external/bsd/bind/dist/README:1.1.1.14.2.5.2.6 --- src/external/bsd/bind/dist/README:1.1.1.14.2.5.2.5 Mon Feb 20 16:27:13 2017 +++ src/external/bsd/bind/dist/README Fri Apr 21 05:16:39 2017 
@@ -51,6 +51,11 @@ BIND 9 For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes +BIND 9.10.4-P7 + + This version contains fixes for CVE-2017-3136 and CVE-2017-3137, + and updates the built in trusted keys for the root zone. + BIND 9.10.4-P6 This version contains a fix for CVE-2017-3135, and a bug fix Index: src/external/bsd/bind/dist/bind.keys diff -u src/external/bsd/bind/dist/bind.keys:1.1.1.5 src/external/bsd/bind/dist/bind.keys:1.1.1.5.14.1 --- src/external/bsd/bind/dist/bind.keys:1.1.1.5 Mon Jun 4 17:53:12 2012 +++ src/external/bsd/bind/dist/bind.keys Fri Apr 21 05:16:39 2017 
@@ -15,32 +15,55 @@ # # This file is NOT expected to be user-configured. # -# These keys are current as of January 2011. If any key fails to +# These keys are current as of Feburary 2017. If any key fails to # initialize correctly, it may have expired. In that event you should # replace this file with a current version. The latest version of # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. managed-keys { - # ISC DLV: See https://www.isc.org/solutions/dlv for details. - # NOTE: This key is activated by setting "dnssec-lookaside auto;" - # in named.conf. - dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 - brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ - 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 - ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk - Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM - QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt - TDN0YUuWrBNh"; + # ISC DLV: See https://www.isc.org/solutions/dlv for details. + # + # NOTE: The ISC DLV zone is being phased out as of February 2017; + # the key will remain in place but the zone will be otherwise empty. + # Configuring "dnssec-lookaside auto;" to activate this key is + # harmless, but is no longer useful and is not recommended. + dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 + brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ + 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 + ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk + Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM + QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt + TDN0YUuWrBNh"; - # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml - # for current trust anchor information. 
- # NOTE: This key is activated by setting "dnssec-validation auto;" + # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml + # for current trust anchor information. + # + # These keys are activated by setting "dnssec-validation auto;" # in named.conf. - . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF - FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX - bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD - X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz - W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS - Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq - QxA+Uk1ihz0="; + # + # This key (19036) is to be phased out starting in 2017. It will + # remain in the root zone for some time after its successor key + # has been added. It will remain this file until it is removed from + # the root zone. + . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq + QxA+Uk1ihz0="; + + # This key (20326) is to be published in the root zone in 2017. + # Servers which were already using the old key should roll to the + # new # one seamlessly. Servers being set up for the first time + # can use either of the keys in this file to verify the root keys + # for the first time; thereafter the keys in the zone will be + # trusted and maintained automatically. + . 
initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN + R1AkUTV74bU="; }; Index: src/external/bsd/bind/dist/bind.keys.h diff -u src/external/bsd/bind/dist/bind.keys.h:1.1.1.1 src/external/bsd/bind/dist/bind.keys.h:1.1.1.1.10.1 --- src/external/bsd/bind/dist/bind.keys.h:1.1.1.1 Fri Feb 28 17:40:04 2014 +++ src/external/bsd/bind/dist/bind.keys.h Fri Apr 21 05:16:39 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: bind.keys.h,v 1.1.1.1 2014/02/28 17:40:04 christos Exp $ */ +/* $NetBSD: bind.keys.h,v 1.1.1.1.10.1 2017/04/21 05:16:39 snj Exp $ */ /* * Generated by bindkeys.pl 1.7 2011/01/04 23:47:13 tbox Exp 
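Review bot: The comment text added to bind.keys in this hunk carries three wording slips that will ship in the installed file: `Feburary 2017` should read `February 2017`, `It will remain this file` is missing `in`, and `new # one seamlessly` has a stray `#` left over from re-wrapping. bind.keys.h is marked as generated by bindkeys.pl and repeats the same text in both of its string hunks, so the fix belongs here followed by a regeneration, not a hand edit there. Separately, the added `.` initial-key (labelled 20326 in the comment) is a new root trust anchor. Its key tag and digest should be checked against the root-anchors.xml URL the comment already cites, independently of the upstream tarball.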
@@ -21,34 +21,57 @@ #\n\ # This file is NOT expected to be user-configured.\n\ #\n\ -# These keys are current as of January 2011. If any key fails to\n\ +# These keys are current as of Feburary 2017. If any key fails to\n\ # initialize correctly, it may have expired. In that event you should\n\ # replace this file with a current version. The latest version of\n\ # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\ \n\ trusted-keys {\n\ - # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\ - # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\ - # in named.conf.\n\ - dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\ - brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\ - 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\ - ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\ - Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\ - QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\ - TDN0YUuWrBNh\";\n\ -\n\ - # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\ - # for current trust anchor information.\n\ - # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\ + # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\ + #\n\ + # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\ + # the key will remain in place but the zone will be otherwise empty.\n\ + # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\ + # harmless, but is no longer useful and is not recommended.\n\ + dlv.isc.org. 
257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\ + brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\ + 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\ + ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\ + Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\ + QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\ + TDN0YUuWrBNh\";\n\ +\n\ + # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\ + # for current trust anchor information.\n\ + #\n\ + # These keys are activated by setting \"dnssec-validation auto;\"\n\ # in named.conf.\n\ - . 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\ - FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\ - bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\ - X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\ - W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\ - Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\ - QxA+Uk1ihz0=\";\n\ + #\n\ + # This key (19036) is to be phased out starting in 2017. It will\n\ + # remain in the root zone for some time after its successor key\n\ + # has been added. It will remain this file until it is removed from\n\ + # the root zone.\n\ + . 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\ + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\ + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\ + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\ + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\ + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\ + QxA+Uk1ihz0=\";\n\ +\n\ + # This key (20326) is to be published in the root zone in 2017.\n\ + # Servers which were already using the old key should roll to the\n\ + # new # one seamlessly. 
Servers being set up for the first time\n\ + # can use either of the keys in this file to verify the root keys\n\ + # for the first time; thereafter the keys in the zone will be\n\ + # trusted and maintained automatically.\n\ + . 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\ + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\ + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\ + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\ + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\ + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\ + R1AkUTV74bU=\";\n\ };\n\ " 
@@ -69,33 +92,56 @@ trusted-keys {\n\ #\n\ # This file is NOT expected to be user-configured.\n\ #\n\ -# These keys are current as of January 2011. If any key fails to\n\ +# These keys are current as of Feburary 2017. If any key fails to\n\ # initialize correctly, it may have expired. In that event you should\n\ # replace this file with a current version. The latest version of\n\ # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\ \n\ managed-keys {\n\ - # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\ - # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\ - # in named.conf.\n\ - dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\ - brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\ - 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\ - ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\ - Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\ - QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\ - TDN0YUuWrBNh\";\n\ -\n\ - # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\ - # for current trust anchor information.\n\ - # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\ + # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\ + #\n\ + # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\ + # the key will remain in place but the zone will be otherwise empty.\n\ + # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\ + # harmless, but is no longer useful and is not recommended.\n\ + dlv.isc.org. 
initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\ + brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\ + 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\ + ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\ + Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\ + QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\ + TDN0YUuWrBNh\";\n\ +\n\ + # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\ + # for current trust anchor information.\n\ + #\n\ + # These keys are activated by setting \"dnssec-validation auto;\"\n\ # in named.conf.\n\ - . initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\ - FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\ - bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\ - X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\ - W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\ - Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\ - QxA+Uk1ihz0=\";\n\ + #\n\ + # This key (19036) is to be phased out starting in 2017. It will\n\ + # remain in the root zone for some time after its successor key\n\ + # has been added. It will remain this file until it is removed from\n\ + # the root zone.\n\ + . initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\ + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\ + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\ + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\ + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\ + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\ + QxA+Uk1ihz0=\";\n\ +\n\ + # This key (20326) is to be published in the root zone in 2017.\n\ + # Servers which were already using the old key should roll to the\n\ + # new # one seamlessly. 
Servers being set up for the first time\n\ + # can use either of the keys in this file to verify the root keys\n\ + # for the first time; thereafter the keys in the zone will be\n\ + # trusted and maintained automatically.\n\ + . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\ + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\ + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\ + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\ + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\ + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\ + R1AkUTV74bU=\";\n\ };\n\ " Index: src/external/bsd/bind/dist/configure diff -u src/external/bsd/bind/dist/configure:1.2.2.2.2.2 src/external/bsd/bind/dist/configure:1.2.2.2.2.3 --- src/external/bsd/bind/dist/configure:1.2.2.2.2.2 Fri Oct 14 11:42:26 2016 +++ src/external/bsd/bind/dist/configure Fri Apr 21 05:16:39 2017 @@ -1,5 +1,5 @@ #! /bin/sh -# Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1996-2003 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any Index: src/external/bsd/bind/dist/srcid diff -u src/external/bsd/bind/dist/srcid:1.6.2.5.2.5 src/external/bsd/bind/dist/srcid:1.6.2.5.2.6 --- src/external/bsd/bind/dist/srcid:1.6.2.5.2.5 Mon Feb 20 16:27:13 2017 +++ src/external/bsd/bind/dist/srcid Fri Apr 21 05:16:39 2017 @@ -1 +1 @@ -SRCID=a6837d0 +SRCID=9f5232e Index: src/external/bsd/bind/dist/version diff -u src/external/bsd/bind/dist/version:1.10.2.5.2.5 src/external/bsd/bind/dist/version:1.10.2.5.2.6 --- src/external/bsd/bind/dist/version:1.10.2.5.2.5 Mon Feb 20 16:27:13 2017 +++ src/external/bsd/bind/dist/version Fri Apr 21 05:16:39 2017 
@@ -7,5 +7,5 @@ MAJORVER=9 MINORVER=10 PATCHVER=4 RELEASETYPE=-P -RELEASEVER=6 +RELEASEVER=8 EXTENSIONS= Index: src/external/bsd/bind/dist/bin/named/query.c diff -u src/external/bsd/bind/dist/bin/named/query.c:1.16.2.3.2.3 src/external/bsd/bind/dist/bin/named/query.c:1.16.2.3.2.4 --- src/external/bsd/bind/dist/bin/named/query.c:1.16.2.3.2.3 Mon Feb 20 16:27:13 2017 +++ src/external/bsd/bind/dist/bin/named/query.c Fri Apr 21 05:16:39 2017 @@ -1,7 +1,7 @@ -/* $NetBSD: query.c,v 1.16.2.3.2.3 2017/02/20 16:27:13 sborrill Exp $ */ +/* $NetBSD: query.c,v 1.16.2.3.2.4 2017/04/21 05:16:39 snj Exp $ */ /* - * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -8221,6 +8221,7 @@ query_find(ns_client_t *client, dns_fetc result = query_dns64(client, &fname, rdataset, sigrdataset, dbuf, DNS_SECTION_ANSWER); + noqname = NULL; dns_rdataset_disassociate(rdataset); dns_message_puttemprdataset(client->message, &rdataset); if (result == ISC_R_NOMORE) { Index: src/external/bsd/bind/dist/bin/tests/system/dname/tests.sh diff -u src/external/bsd/bind/dist/bin/tests/system/dname/tests.sh:1.1.1.3.12.2 src/external/bsd/bind/dist/bin/tests/system/dname/tests.sh:1.1.1.3.12.3 --- src/external/bsd/bind/dist/bin/tests/system/dname/tests.sh:1.1.1.3.12.2 Mon Feb 20 16:27:14 2017 +++ src/external/bsd/bind/dist/bin/tests/system/dname/tests.sh Fri Apr 21 05:16:39 2017 @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2011, 2012, 2017 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above 
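Review bot: The added `noqname = NULL;` after the `query_dns64()` call in query_find has no comment saying why the pointer must be cleared at this point, and the visible lines do not show where `noqname` is set or later consumed. Going by CHANGES entry 4575 in this same commit, this looks like the fix for the DNS64 "break-dnssec yes;" assertion failure (CVE-2017-3136), presumably because `noqname` would otherwise still refer to the rdataset that is disassociated on the next line; that reading is inferred and should be confirmed. I would add a comment such as `/* rdataset is released just below; clear noqname so later code does not use it (CVE-2017-3136) */`. The Modified Files list names dname, rndc and rpz system tests but no dns64 test, so no regression test for this path is visible here. query_find starts and ends outside the hunk.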
@@ -57,10 +57,19 @@ grep "status: YXDOMAIN" dig.out.ns2.tool if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` -echo "I:checking (too) long dname from recursive" +echo "I:checking (too) long dname from recursive with cached DNAME" +ret=0 +$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cachedtoolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1 +grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking (too) long dname from recursive without cached DNAME" ret=0 -$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.toolong || ret=1 -grep "status: YXDOMAIN" dig.out.ns4.toolong > /dev/null || ret=1 +$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.uncachedtoolong || ret=1 +grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1 +grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` Index: src/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl diff -u src/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl:1.1.1.1.4.2 
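Review bot: The new "with cached DNAME" check only tests the cached path if `long-dname.example` is already in the cache of 10.53.0.4, and nothing in the hunk puts it there. It presumably relies on an earlier query in this script, which lies outside the hunk. I would state that above the check, e.g. `# relies on long-dname.example having been cached by an earlier check in this script`, so that reordering or removing the earlier check does not silently turn this into a second uncached test. The two checks also repeat the same very long query name inline; holding the common labels in a shell variable would make the one intended difference (`long-dname` versus `toolong-dname`) easier to see.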
src/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl:1.1.1.1.4.3 --- src/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl:1.1.1.1.4.2 Mon Feb 20 16:27:14 2017 +++ src/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl Fri Apr 21 05:16:39 2017 @@ -1,10 +1,18 @@ #!/usr/bin/env perl # -# Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") # -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. use strict; use warnings; Index: src/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db diff -u src/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db:1.1.1.2.14.1 src/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db:1.1.1.2.14.2 --- src/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db:1.1.1.2.14.1 Mon Feb 20 16:27:14 2017 +++ src/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db Fri Apr 21 05:16:39 2017 
@@ -1,4 +1,4 @@ -; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2011, 2017 Internet Systems Consortium, Inc. ("ISC") ; ; Permission to use, copy, modify, and/or distribute this software for any ; purpose with or without fee is hereby granted, provided that the above Index: src/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db diff -u src/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db:1.1.1.2.14.1 src/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db:1.1.1.2.14.2 --- src/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db:1.1.1.2.14.1 Mon Jan 16 11:56:43 2017 +++ src/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db Fri Apr 21 05:16:39 2017 @@ -1,4 +1,4 @@ -; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +; Copyright (C) 2011, 2017 Internet Systems Consortium, Inc. ("ISC") ; ; Permission to use, copy, modify, and/or distribute this software for any ; purpose with or without fee is hereby granted, provided that the above @@ -29,6 +29,7 @@ a.short A 10.0.0.1 short-dname DNAME short a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2 long-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong +toolong-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong cname CNAME a.cnamedname cnamedname DNAME target a.target A 10.0.0.3 Index: src/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh diff -u src/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh:1.1.1.5.4.1.2.2 src/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh:1.1.1.5.4.1.2.3 --- src/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh:1.1.1.5.4.1.2.2 Fri Oct 14 11:42:37 2016 +++ src/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh Fri Apr 21 05:16:39 2017 
@@ -393,5 +393,13 @@ sleep 1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:check 'rndc \"\"' is handled ($n)" +ret=0 +$RNDCCMD "" > rndc.out.test$n 2>&1 && ret=1 +grep "rndc: '' failed: failure" rndc.out.test$n > /dev/null +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status Index: src/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh diff -u src/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh:1.1.1.9.4.2.2.1 src/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh:1.1.1.9.4.2.2.2 --- src/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh:1.1.1.9.4.2.2.1 Fri Oct 14 11:42:38 2016 +++ src/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh Fri Apr 21 05:16:39 2017 @@ -1,4 +1,4 @@ -# Copyright (C) 2011-2016 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2011-2017 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above @@ -383,7 +383,7 @@ nxdomain a0-1s-cname.tld2s +dnssec @$ns drop a3-8.tld2 any @$ns6 # 20 drop end_group -ckstatsrange $ns3 test1 ns3 22 25 +ckstatsrange $ns3 test1 ns3 22 28 ckstats $ns5 test1 ns5 0 ckstats $ns6 test1 ns6 0 Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html:1.1.1.11.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html:1.1.1.11.2.4.2.6 --- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html:1.1.1.11.2.4.2.5 Mon Feb 20 16:27:14 2017 +++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html Fri Apr 21 05:16:40 2017 
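Review bot: The result of the added `grep "rndc: '' failed: failure" rndc.out.test$n > /dev/null` is discarded, so the check passes whenever `$RNDCCMD ""` exits non-zero, whatever it printed. That includes the case the test is meant to catch: if named aborted on the empty command, rndc would presumably still fail, only with a different message. The line should set the flag on a miss, `grep "rndc: '' failed: failure" rndc.out.test$n > /dev/null || ret=1`. This is the last check before `exit $status`, so nothing after it would notice a dead server either.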
@@ -555,6 +555,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html:1.1.1.8.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html:1.1.1.8.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html:1.1.1.8.2.4.2.5 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html Fri Apr 21 05:16:40 2017
@@ -153,6 +153,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html:1.1.1.13.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html:1.1.1.13.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html:1.1.1.13.2.4.2.5 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html Fri Apr 21 05:16:40 2017
@@ -669,6 +669,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html Fri Apr 21 05:16:40 2017
@@ -2326,6 +2326,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html Fri Apr 21 05:16:40 2017
@@ -12845,6 +12845,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html Fri Apr 21 05:16:40 2017
@@ -248,6 +248,6 @@ zone "example.com" {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html Fri Apr 21 05:16:40 2017
@@ -134,6 +134,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html:1.1.1.15.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:15 2017 +++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html Fri Apr 21 05:16:40 2017 @@ -44,10 +44,11 @@ <div class="toc"> <p><b>Table of Contents</b></p> <dl class="toc"> -<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P6</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P8</a></span></dt> <dd><dl> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt> @@ -60,7 +61,7 @@ </div> <div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P6</h2></div></div></div> +<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P8</h2></div></div></div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_intro"></a>Introduction</h3></div></div></div> 
@@ -68,6 +69,11 @@ This document summarizes changes since BIND 9.10.4: </p> <p> + BIND 9.10.4-P7 addresses the security issue described in + CVE-2017-3136, and updates the built in trusted keys for + the root zone. + </p> +<p> BIND 9.10.4-P6 addresses the security issue described in CVE-2017-3135, and fixes a regression introduced in a prior security release. 
@@ -109,9 +115,52 @@ </div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> +<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div> +<p> + ICANN is in the process of introducing a new Key Signing Key (KSK) for + the global root zone. BIND has multiple methods for managing DNSSEC + trust anchors, with somewhat different behaviors. If the root + key is configured using the <span class="command"><strong>managed-keys</strong></span> + statement, or if the pre-configured root key is enabled by using + <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep + keys up to date automatically. Servers configured in this way + will roll seamlessly to the new key when it is published in + the root zone. However, keys configured using the + <span class="command"><strong>trusted-keys</strong></span> statement are not automatically + maintained. If your server is performing DNSSEC validation + and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are + advised to change your configuration before the root zone begins + signing with the new KSK. This is currently scheduled for + October 11, 2017. + </p> +<p> + This release includes an updated version of the + <code class="filename">bind.keys</code> file containing the new root + key. This file can also be downloaded from + <a class="link" href="https://www.isc.org/bind-keys" target="_top"> + https://www.isc.org/bind-keys + </a>. + </p> +</div> +<div class="section"> +<div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_security"></a>Security Fixes</h3></div></div></div> <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> <li class="listitem"><p> + 'rndc ""' could trigger a assertion failure in named. This flaw + is disclosed in (CVE-2017-3138). 
[RT #44924] + </p></li> +<li class="listitem"><p> + Some chaining (i.e., type CNAME or DNAME) responses to upstream + queries could trigger assertion failures. This flaw is disclosed + in CVE-2017-3137. [RT #44734] + </p></li> +<li class="listitem"><p> + <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span> + can result in an assertion failure. This flaw is disclosed in + CVE-2017-3136. [RT #44653] + </p></li> +<li class="listitem"><p> If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read @@ -245,6 +294,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.html diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.html:1.1.1.15.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/Bv9ARM.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:15 2017 +++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.html Fri Apr 21 05:16:40 2017 @@ -40,7 +40,7 @@ <div> <div><h1 class="title"> <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div> -<div><p class="releaseinfo">BIND Version 9.10.4-P6</p></div> +<div><p class="releaseinfo">BIND Version 9.10.4-P8</p></div> <div><p class="copyright">Copyright © 2004-2015 Internet Systems Consortium, Inc. ("ISC")</p></div> <div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div> </div> 
@@ -239,10 +239,11 @@ </dl></dd> <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt> <dd><dl> -<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P6</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P8</a></span></dt> <dd><dl> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt> @@ -385,6 +386,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dig.html diff -u src/external/bsd/bind/dist/doc/arm/man.dig.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dig.html:1.1.1.15.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.dig.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dig.html Fri Apr 21 05:16:42 2017 
@@ -809,6 +809,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html Fri Apr 21 05:16:42 2017
@@ -213,6 +213,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html Fri Apr 21 05:16:42 2017
@@ -381,6 +381,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html Fri Apr 21 05:16:42 2017
@@ -455,6 +455,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html Fri Apr 21 05:16:42 2017
@@ -564,6 +564,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.host.html
diff -u src/external/bsd/bind/dist/doc/arm/man.host.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.host.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.host.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.host.html Fri Apr 21 05:16:42 2017
@@ -247,6 +247,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html Fri Apr 21 05:16:42 2017
@@ -151,6 +151,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html Fri Apr 21 05:16:42 2017
@@ -338,6 +338,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.named.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.named.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.named.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named.html Fri Apr 21 05:16:42 2017
@@ -369,6 +369,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.nsupdate.html
diff -u src/external/bsd/bind/dist/doc/arm/man.nsupdate.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.nsupdate.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.nsupdate.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.nsupdate.html Fri Apr 21 05:16:42 2017
@@ -663,6 +663,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html
diff -u src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:17 2017
+++ src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html Fri Apr 21 05:16:42 2017
@@ -223,6 +223,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html
diff -u src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:17 2017
+++ src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html Fri Apr 21 05:16:42 2017
@@ -246,6 +246,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.rndc.html
diff -u src/external/bsd/bind/dist/doc/arm/man.rndc.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.rndc.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.rndc.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:17 2017
+++ src/external/bsd/bind/dist/doc/arm/man.rndc.html Fri Apr 21 05:16:42 2017
@@ -621,6 +621,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html:1.1.1.14.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html:1.1.1.14.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html:1.1.1.14.2.4.2.5 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html Fri Apr 21 05:16:40 2017
@@ -138,6 +138,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html:1.1.1.10.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html:1.1.1.10.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html:1.1.1.10.2.4.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html Fri Apr 21 05:16:40 2017
@@ -155,6 +155,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html:1.1.1.1.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html:1.1.1.1.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html:1.1.1.1.2.4.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html Fri Apr 21 05:16:40 2017
@@ -497,6 +497,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html:1.1.1.1.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html:1.1.1.1.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html:1.1.1.1.2.4.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html Fri Apr 21 05:16:40 2017
@@ -543,6 +543,6 @@ $ <strong class="userinput"><code>sample
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html:1.1.1.1.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html:1.1.1.1.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html:1.1.1.1.2.4.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html Fri Apr 21 05:16:40 2017
@@ -154,6 +154,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/notes.html diff -u src/external/bsd/bind/dist/doc/arm/notes.html:1.1.1.1.2.4.2.5 src/external/bsd/bind/dist/doc/arm/notes.html:1.1.1.1.2.4.2.6 --- src/external/bsd/bind/dist/doc/arm/notes.html:1.1.1.1.2.4.2.5 Mon Feb 20 16:27:17 2017 +++ src/external/bsd/bind/dist/doc/arm/notes.html Fri Apr 21 05:16:42 2017 @@ -21,7 +21,7 @@ </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id-1.2"></a>Release Notes for BIND Version 9.10.4-P6</h2></div></div></div> +<a name="id-1.2"></a>Release Notes for BIND Version 9.10.4-P8</h2></div></div></div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_intro"></a>Introduction</h3></div></div></div> @@ -29,6 +29,11 @@ This document summarizes changes since BIND 9.10.4: </p> <p> + BIND 9.10.4-P7 addresses the security issue described in + CVE-2017-3136, and updates the built in trusted keys for + the root zone. + </p> +<p> BIND 9.10.4-P6 addresses the security issue described in CVE-2017-3135, and fixes a regression introduced in a prior security release. 
@@ -70,9 +75,52 @@ </div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> +<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div> +<p> + ICANN is in the process of introducing a new Key Signing Key (KSK) for + the global root zone. BIND has multiple methods for managing DNSSEC + trust anchors, with somewhat different behaviors. If the root + key is configured using the <span class="command"><strong>managed-keys</strong></span> + statement, or if the pre-configured root key is enabled by using + <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep + keys up to date automatically. Servers configured in this way + will roll seamlessly to the new key when it is published in + the root zone. However, keys configured using the + <span class="command"><strong>trusted-keys</strong></span> statement are not automatically + maintained. If your server is performing DNSSEC validation + and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are + advised to change your configuration before the root zone begins + signing with the new KSK. This is currently scheduled for + October 11, 2017. + </p> +<p> + This release includes an updated version of the + <code class="filename">bind.keys</code> file containing the new root + key. This file can also be downloaded from + <a class="link" href="https://www.isc.org/bind-keys" target="_top"> + https://www.isc.org/bind-keys + </a>. + </p> +</div> +<div class="section"> +<div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_security"></a>Security Fixes</h3></div></div></div> <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> <li class="listitem"><p> + 'rndc ""' could trigger a assertion failure in named. This flaw + is disclosed in (CVE-2017-3138). 
[RT #44924] + </p></li> +<li class="listitem"><p> + Some chaining (i.e., type CNAME or DNAME) responses to upstream + queries could trigger assertion failures. This flaw is disclosed + in CVE-2017-3137. [RT #44734] + </p></li> +<li class="listitem"><p> + <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span> + can result in an assertion failure. This flaw is disclosed in + CVE-2017-3136. [RT #44653] + </p></li> +<li class="listitem"><p> If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read Index: src/external/bsd/bind/dist/doc/arm/notes.pdf Binary files are different Index: src/external/bsd/bind/dist/doc/arm/notes.xml diff -u src/external/bsd/bind/dist/doc/arm/notes.xml:1.1.1.1.2.4.2.5 src/external/bsd/bind/dist/doc/arm/notes.xml:1.1.1.1.2.4.2.6 --- src/external/bsd/bind/dist/doc/arm/notes.xml:1.1.1.1.2.4.2.5 Mon Feb 20 16:27:17 2017 +++ src/external/bsd/bind/dist/doc/arm/notes.xml Fri Apr 21 05:16:42 2017 @@ -2,7 +2,7 @@ <!ENTITY mdash "—"> <!ENTITY ouml "ö">]> <!-- - - Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2014-2017 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -24,6 +24,11 @@ This document summarizes changes since BIND 9.10.4: </para> <para> + BIND 9.10.4-P7 addresses the security issue described in + CVE-2017-3136, and updates the built in trusted keys for + the root zone. + </para> + <para> BIND 9.10.4-P6 addresses the security issue described in CVE-2017-3135, and fixes a regression introduced in a prior security release. 
@@ -64,10 +69,59 @@ </para> </section> + <section xml:id="root_key"><info><title>New DNSSEC Root Key</title></info> + <para> + ICANN is in the process of introducing a new Key Signing Key (KSK) for + the global root zone. BIND has multiple methods for managing DNSSEC + trust anchors, with somewhat different behaviors. If the root + key is configured using the <command>managed-keys</command> + statement, or if the pre-configured root key is enabled by using + <command>dnssec-validation auto</command>, then BIND can keep + keys up to date automatically. Servers configured in this way + will roll seamlessly to the new key when it is published in + the root zone. However, keys configured using the + <command>trusted-keys</command> statement are not automatically + maintained. If your server is performing DNSSEC validation + and is configured using <command>trusted-keys</command>, you are + advised to change your configuration before the root zone begins + signing with the new KSK. This is currently scheduled for + October 11, 2017. + </para> + <para> + This release includes an updated version of the + <filename>bind.keys</filename> file containing the new root + key. This file can also be downloaded from + <link xmlns:xlink="http://www.w3.org/1999/xlink" + xlink:href="https://www.isc.org/bind-keys"> + https://www.isc.org/bind-keys + </link>. + </para> + </section> + <section xml:id="relnotes_security"><info><title>Security Fixes</title></info> <itemizedlist> <listitem> <para> + 'rndc ""' could trigger a assertion failure in named. This flaw + is disclosed in (CVE-2017-3138). [RT #44924] + </para> + </listitem> + <listitem> + <para> + Some chaining (i.e., type CNAME or DNAME) responses to upstream + queries could trigger assertion failures. This flaw is disclosed + in CVE-2017-3137. [RT #44734] + </para> + </listitem> + <listitem> + <para> + <command>dns64</command> with <command>break-dnssec yes;</command> + can result in an assertion failure. 
This flaw is disclosed in + CVE-2017-3136. [RT #44653] + </para> + </listitem> + <listitem> + <para> If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.pdf Binary files are different Index: src/external/bsd/bind/dist/doc/arm/man.arpaname.html diff -u src/external/bsd/bind/dist/doc/arm/man.arpaname.html:1.1.1.12.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.arpaname.html:1.1.1.12.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.arpaname.html:1.1.1.12.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.arpaname.html Fri Apr 21 05:16:42 2017 @@ -81,6 +81,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.genrandom.html diff -u src/external/bsd/bind/dist/doc/arm/man.genrandom.html:1.1.1.12.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.genrandom.html:1.1.1.12.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.genrandom.html:1.1.1.12.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.genrandom.html Fri Apr 21 05:16:42 2017 
@@ -102,6 +102,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html diff -u src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html:1.1.1.12.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html:1.1.1.12.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html:1.1.1.12.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html Fri Apr 21 05:16:42 2017 @@ -102,6 +102,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html diff -u src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html:1.1.1.12.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html:1.1.1.12.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html:1.1.1.12.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html Fri Apr 21 05:16:42 2017 @@ -103,6 +103,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html diff -u src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html:1.1.1.13.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html:1.1.1.13.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html:1.1.1.13.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html Fri Apr 21 05:16:42 2017 
@@ -185,6 +185,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html:1.1.1.13.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html:1.1.1.13.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html:1.1.1.13.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html Fri Apr 21 05:16:42 2017 @@ -134,6 +134,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html:1.1.1.13.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html:1.1.1.13.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html:1.1.1.13.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html Fri Apr 21 05:16:42 2017 @@ -264,6 +264,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.delv.html diff -u src/external/bsd/bind/dist/doc/arm/man.delv.html:1.1.1.1.4.5.2.5 src/external/bsd/bind/dist/doc/arm/man.delv.html:1.1.1.1.4.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.delv.html:1.1.1.1.4.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.delv.html Fri Apr 21 05:16:42 2017 
@@ -498,6 +498,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html:1.1.1.3.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html:1.1.1.3.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html:1.1.1.3.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html Fri Apr 21 05:16:42 2017 @@ -112,6 +112,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html:1.1.1.3.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html:1.1.1.3.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html:1.1.1.3.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html Fri Apr 21 05:16:42 2017 @@ -219,6 +219,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html:1.1.1.2.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html:1.1.1.2.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html:1.1.1.2.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html Fri Apr 21 05:16:42 2017 
@@ -177,6 +177,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html diff -u src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html:1.1.1.2.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html:1.1.1.2.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html:1.1.1.2.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html Fri Apr 21 05:16:42 2017 @@ -104,6 +104,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html:1.1.1.5.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html:1.1.1.5.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html:1.1.1.5.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html Fri Apr 21 05:16:42 2017 @@ -164,6 +164,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html diff -u src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html:1.1.1.11.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html:1.1.1.11.2.5.2.6 --- src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html:1.1.1.11.2.5.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html Fri Apr 21 05:16:42 2017 
@@ -112,6 +112,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.lwresd.html diff -u src/external/bsd/bind/dist/doc/arm/man.lwresd.html:1.1.1.2.2.5 src/external/bsd/bind/dist/doc/arm/man.lwresd.html:1.1.1.2.2.6 --- src/external/bsd/bind/dist/doc/arm/man.lwresd.html:1.1.1.2.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.lwresd.html Fri Apr 21 05:16:42 2017 @@ -253,6 +253,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.named.conf.html diff -u src/external/bsd/bind/dist/doc/arm/man.named.conf.html:1.1.1.2.2.5 src/external/bsd/bind/dist/doc/arm/man.named.conf.html:1.1.1.2.2.6 --- src/external/bsd/bind/dist/doc/arm/man.named.conf.html:1.1.1.2.2.5 Mon Feb 20 16:27:16 2017 +++ src/external/bsd/bind/dist/doc/arm/man.named.conf.html Fri Apr 21 05:16:42 2017 @@ -676,6 +676,6 @@ zone <em class="replaceable"><code>strin </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/lib/dns/api diff -u src/external/bsd/bind/dist/lib/dns/api:1.1.1.16.2.5.2.5 src/external/bsd/bind/dist/lib/dns/api:1.1.1.16.2.5.2.6 --- src/external/bsd/bind/dist/lib/dns/api:1.1.1.16.2.5.2.5 Mon Feb 20 16:27:17 2017 +++ src/external/bsd/bind/dist/lib/dns/api Fri Apr 21 05:16:42 2017 
@@ -6,5 +6,5 @@ # 9.9-sub: 130-139, 150-159 # 9.10: 140-149, 160-169 LIBINTERFACE = 165 -LIBREVISION = 5 +LIBREVISION = 7 LIBAGE = 0 Index: src/external/bsd/bind/dist/lib/dns/rdataset.c diff -u src/external/bsd/bind/dist/lib/dns/rdataset.c:1.6.10.1.2.1 src/external/bsd/bind/dist/lib/dns/rdataset.c:1.6.10.1.2.2 --- src/external/bsd/bind/dist/lib/dns/rdataset.c:1.6.10.1.2.1 Mon Feb 20 16:27:17 2017 +++ src/external/bsd/bind/dist/lib/dns/rdataset.c Fri Apr 21 05:16:42 2017 @@ -1,7 +1,7 @@ -/* $NetBSD: rdataset.c,v 1.6.10.1.2.1 2017/02/20 16:27:17 sborrill Exp $ */ +/* $NetBSD: rdataset.c,v 1.6.10.1.2.2 2017/04/21 05:16:42 snj Exp $ */ /* - * Copyright (C) 2004-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2012, 2014, 2015, 2017 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any Index: src/external/bsd/bind/dist/lib/dns/resolver.c diff -u src/external/bsd/bind/dist/lib/dns/resolver.c:1.19.2.3.2.5 src/external/bsd/bind/dist/lib/dns/resolver.c:1.19.2.3.2.6 --- src/external/bsd/bind/dist/lib/dns/resolver.c:1.19.2.3.2.5 Mon Feb 20 16:27:17 2017 +++ src/external/bsd/bind/dist/lib/dns/resolver.c Fri Apr 21 05:16:42 2017 @@ -1,7 +1,7 @@ -/* $NetBSD: resolver.c,v 1.19.2.3.2.5 2017/02/20 16:27:17 sborrill Exp $ */ +/* $NetBSD: resolver.c,v 1.19.2.3.2.6 2017/04/21 05:16:42 snj Exp $ */ /* - * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -4469,6 +4469,7 @@ is_lame(fetchctx_t *fctx) { isc_result_t result; if (message->rcode != dns_rcode_noerror && + message->rcode != dns_rcode_yxdomain && message->rcode != dns_rcode_nxdomain) return (ISC_FALSE); 
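Review bot: The added `message->rcode != dns_rcode_yxdomain &&` test in `is_lame()` carries no comment explaining why YXDOMAIN now joins NOERROR and NXDOMAIN as an rcode whose response is still examined rather than rejected up front. Presumably this is for DNAME responses whose substituted name is too long, which servers answer with YXDOMAIN. I would say so above the condition, e.g. `/* YXDOMAIN accompanies a DNAME whose substitution overflows; examine it like NOERROR/NXDOMAIN. */`. The rest of `is_lame()` lies outside this hunk, so how the response is handled after this test cannot be checked from here.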
@@ -6081,79 +6082,6 @@ chase_additional(fetchctx_t *fctx) { goto again; } -static inline isc_result_t -cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_cname_t cname; - - result = dns_rdataset_first(rdataset); - if (result != ISC_R_SUCCESS) - return (result); - dns_rdataset_current(rdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &cname, NULL); - if (result != ISC_R_SUCCESS) - return (result); - dns_name_init(tname, NULL); - dns_name_clone(&cname.cname, tname); - dns_rdata_freestruct(&cname); - - return (ISC_R_SUCCESS); -} - -/*% - * Construct the synthesised CNAME from the existing QNAME and - * the DNAME RR and store it in 'target'. - */ -static inline isc_result_t -dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, - unsigned int nlabels, dns_name_t *target) -{ - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_dname_t dname; - dns_fixedname_t prefix; - - /* - * Get the target name of the DNAME. - */ - result = dns_rdataset_first(rdataset); - if (result != ISC_R_SUCCESS) - return (result); - dns_rdataset_current(rdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &dname, NULL); - if (result != ISC_R_SUCCESS) - return (result); - - dns_fixedname_init(&prefix); - dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); - result = dns_name_concatenate(dns_fixedname_name(&prefix), - &dname.dname, target, NULL); - dns_rdata_freestruct(&dname); - return (result); -} - -/*% - * Check if it was possible to construct 'qname' from 'lastcname' - * and 'rdataset'. 
- */ -static inline isc_result_t -fromdname(dns_rdataset_t *rdataset, dns_name_t *lastcname, - unsigned int nlabels, const dns_name_t *qname) -{ - dns_fixedname_t fixed; - isc_result_t result; - dns_name_t *target; - - dns_fixedname_init(&fixed); - target = dns_fixedname_name(&fixed); - result = dname_target(rdataset, lastcname, nlabels, target); - if (result != ISC_R_SUCCESS || !dns_name_equal(qname, target)) - return (ISC_R_NOTFOUND); - - return (ISC_R_SUCCESS); -} - static isc_boolean_t is_answeraddress_allowed(dns_view_t *view, dns_name_t *name, dns_rdataset_t *rdataset) @@ -6229,9 +6157,8 @@ is_answeraddress_allowed(dns_view_t *vie } static isc_boolean_t -is_answertarget_allowed(dns_view_t *view, dns_name_t *name, - dns_rdatatype_t type, dns_name_t *tname, - dns_name_t *domain) +is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, + dns_rdataset_t *rdataset, isc_boolean_t *chainingp) { isc_result_t result; dns_rbtnode_t *node = NULL; 
@@ -6239,8 +6166,57 @@ is_answertarget_allowed(dns_view_t *view char tnamebuf[DNS_NAME_FORMATSIZE]; char classbuf[64]; char typebuf[64]; + dns_name_t *tname = NULL; + dns_rdata_cname_t cname; + dns_rdata_dname_t dname; + dns_view_t *view = fctx->res->view; + dns_rdata_t rdata = DNS_RDATA_INIT; + unsigned int nlabels; + dns_fixedname_t fixed; + dns_name_t prefix; + + REQUIRE(rdataset != NULL); + REQUIRE(rdataset->type == dns_rdatatype_cname || + rdataset->type == dns_rdatatype_dname); + + /* + * By default, we allow any target name. + * If newqname != NULL we also need to extract the newqname. + */ + if (chainingp == NULL && view->denyanswernames == NULL) + return (ISC_TRUE); + + result = dns_rdataset_first(rdataset); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdataset_current(rdataset, &rdata); + switch (rdataset->type) { + case dns_rdatatype_cname: + result = dns_rdata_tostruct(&rdata, &cname, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + tname = &cname.cname; + break; + case dns_rdatatype_dname: + result = dns_rdata_tostruct(&rdata, &dname, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_name_init(&prefix, NULL); + dns_fixedname_init(&fixed); + tname = dns_fixedname_name(&fixed); + nlabels = dns_name_countlabels(qname) - + dns_name_countlabels(rname); + dns_name_split(qname, nlabels, &prefix, NULL); + result = dns_name_concatenate(&prefix, &dname.dname, tname, + NULL); + if (result == DNS_R_NAMETOOLONG) + return (ISC_TRUE); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + break; + default: + INSIST(0); + } + + if (chainingp != NULL) + *chainingp = ISC_TRUE; - /* By default, we allow any target name. */ if (view->denyanswernames == NULL) return (ISC_TRUE); 
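Review bot: In the `dns_rdatatype_dname` case, `nlabels` is the prefix length, `dns_name_countlabels(qname) - dns_name_countlabels(rname)`, yet it is passed to `dns_name_split()` in the position that counts suffix labels. The removed `dname_target()` passed the common-label count from `dns_name_fullcompare()` in that position. Unless the two counts happen to be equal, the prefix keeps part of the DNAME owner, so the `tname` checked against `denyanswernames` is not the name the resolver would chase. The subtraction is also unsigned and wraps if `rname` ever has more labels than `qname`. I would use `nlabels = dns_name_countlabels(rname);`, and reword the comment above the early return, which still mentions `newqname` although the parameter is `chainingp`; the function starts and ends outside this hunk.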
@@ -6249,8 +6225,8 @@ is_answertarget_allowed(dns_view_t *view * or partially, allow it. */ if (view->answernames_exclude != NULL) { - result = dns_rbt_findnode(view->answernames_exclude, name, NULL, - &node, NULL, 0, NULL, NULL); + result = dns_rbt_findnode(view->answernames_exclude, qname, + NULL, &node, NULL, 0, NULL, NULL); if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) return (ISC_TRUE); } @@ -6258,7 +6234,7 @@ is_answertarget_allowed(dns_view_t *view /* * If the target name is a subdomain of the search domain, allow it. */ - if (dns_name_issubdomain(tname, domain)) + if (dns_name_issubdomain(tname, &fctx->domain)) return (ISC_TRUE); /* @@ -6267,9 +6243,9 @@ is_answertarget_allowed(dns_view_t *view result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node, NULL, 0, NULL, NULL); if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { - dns_name_format(name, qnamebuf, sizeof(qnamebuf)); + dns_name_format(qname, qnamebuf, sizeof(qnamebuf)); dns_name_format(tname, tnamebuf, sizeof(tnamebuf)); - dns_rdatatype_format(type, typebuf, sizeof(typebuf)); + dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf)); dns_rdataclass_format(view->rdclass, classbuf, sizeof(classbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, 
@@ -6765,473 +6741,301 @@ noanswer_response(fetchctx_t *fctx, dns_ return (ISC_R_SUCCESS); } +static isc_boolean_t +validinanswer(dns_rdataset_t *rdataset, fetchctx_t *fctx) { + if (rdataset->type == dns_rdatatype_nsec3) { + /* + * NSEC3 records are not allowed to + * appear in the answer section. + */ + log_formerr(fctx, "NSEC3 in answer"); + return (ISC_FALSE); + } + if (rdataset->type == dns_rdatatype_tkey) { + /* + * TKEY is not a valid record in a + * response to any query we can make. + */ + log_formerr(fctx, "TKEY in answer"); + return (ISC_FALSE); + } + if (rdataset->rdclass != fctx->res->rdclass) { + log_formerr(fctx, "Mismatched class in answer"); + return (ISC_FALSE); + } + return (ISC_TRUE); +} + static isc_result_t answer_response(fetchctx_t *fctx) { isc_result_t result; - dns_message_t *message; - dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; - dns_name_t *cname = NULL, *lastcname = NULL; - dns_rdataset_t *rdataset, *ns_rdataset; - isc_boolean_t done, external, aa, found, want_chaining; - isc_boolean_t have_answer, found_cname, found_dname, found_type; - isc_boolean_t wanted_chaining; - unsigned int aflag, chaining; + dns_message_t *message = NULL; + dns_name_t *name = NULL, *qname = NULL, *ns_name = NULL; + dns_name_t *aname = NULL, *cname = NULL, *dname = NULL; + dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; + dns_rdataset_t *ardataset = NULL, *crdataset = NULL; + dns_rdataset_t *drdataset = NULL, *ns_rdataset = NULL; + isc_boolean_t done = ISC_FALSE, aa; + unsigned int dname_labels, domain_labels; + isc_boolean_t chaining = ISC_FALSE; dns_rdatatype_t type; - dns_fixedname_t fdname, fqname; - dns_view_t *view; + dns_view_t *view = NULL; + dns_trust_t trust; + + REQUIRE(VALID_FCTX(fctx)); FCTXTRACE("answer_response"); message = fctx->rmessage; + qname = &fctx->name; + view = fctx->res->view; + type = fctx->type; /* - * Examine the answer section, marking those rdatasets which are - * part of the answer and should be cached. 
+ * There can be multiple RRSIG and SIG records at a name so + * we treat these types as a subset of ANY. */ + if (type == dns_rdatatype_rrsig || type == dns_rdatatype_sig) { + type = dns_rdatatype_any; + } - done = ISC_FALSE; - found_cname = ISC_FALSE; - found_dname = ISC_FALSE; - found_type = ISC_FALSE; - have_answer = ISC_FALSE; - want_chaining = ISC_FALSE; - chaining = 0; - POST(want_chaining); - if ((message->flags & DNS_MESSAGEFLAG_AA) != 0) - aa = ISC_TRUE; - else - aa = ISC_FALSE; - qname = &fctx->name; - type = fctx->type; - view = fctx->res->view; - result = dns_message_firstname(message, DNS_SECTION_ANSWER); - while (!done && result == ISC_R_SUCCESS) { - dns_namereln_t namereln, lastreln; - int order, lastorder; - unsigned int nlabels, lastnlabels; + /* + * Bigger than any valid DNAME label count. + */ + dname_labels = dns_name_countlabels(qname); + domain_labels = dns_name_countlabels(&fctx->domain); + + /* + * Perform a single pass looking for the answer, cname or covering + * dname. + */ + for (result = dns_message_firstname(message, DNS_SECTION_ANSWER); + result == ISC_R_SUCCESS; + result = dns_message_nextname(message, DNS_SECTION_ANSWER)) + { + int order; + unsigned int nlabels; + dns_namereln_t namereln; name = NULL; dns_message_currentname(message, DNS_SECTION_ANSWER, &name); - external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); namereln = dns_name_fullcompare(qname, name, &order, &nlabels); - - if (namereln == dns_namereln_equal) { - wanted_chaining = ISC_FALSE; + switch (namereln) { + case dns_namereln_equal: for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; - rdataset = ISC_LIST_NEXT(rdataset, link)) { - found = ISC_FALSE; - want_chaining = ISC_FALSE; - aflag = 0; - if (rdataset->type == dns_rdatatype_nsec3) { - /* - * NSEC3 records are not allowed to - * appear in the answer section. 
- */ - log_formerr(fctx, "NSEC3 in answer"); - return (DNS_R_FORMERR); - } - if (rdataset->type == dns_rdatatype_tkey) { - /* - * TKEY is not a valid record in a - * response to any query we can make. - */ - log_formerr(fctx, "TKEY in answer"); - return (DNS_R_FORMERR); - } - if (rdataset->rdclass != fctx->res->rdclass) { - log_formerr(fctx, "Mismatched class " - "in answer"); - return (DNS_R_FORMERR); - } - - /* - * Apply filters, if given, on answers to reject - * a malicious attempt of rebinding. - */ - if ((rdataset->type == dns_rdatatype_a || - rdataset->type == dns_rdatatype_aaaa) && - !is_answeraddress_allowed(view, name, - rdataset)) { - return (DNS_R_SERVFAIL); - } - - if (rdataset->type == type && !found_cname) { - /* - * We've found an ordinary answer. - */ - found = ISC_TRUE; - found_type = ISC_TRUE; - done = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWER; - } else if (type == dns_rdatatype_any) { - /* - * We've found an answer matching - * an ANY query. There may be - * more. - */ - found = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWER; - } else if (rdataset->type == dns_rdatatype_rrsig - && rdataset->covers == type - && !found_cname) { - /* - * We've found a signature that - * covers the type we're looking for. - */ - found = ISC_TRUE; - found_type = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWERSIG; - } else if (rdataset->type == - dns_rdatatype_cname - && !found_type) { - /* - * We're looking for something else, - * but we found a CNAME. - * - * Getting a CNAME response for some - * query types is an error, see - * RFC 4035, Section 2.5. 
- */ - if (type == dns_rdatatype_rrsig || - type == dns_rdatatype_key || - type == dns_rdatatype_nsec) { - char buf[DNS_RDATATYPE_FORMATSIZE]; - dns_rdatatype_format(fctx->type, - buf, sizeof(buf)); - log_formerr(fctx, - "CNAME response " - "for %s RR", buf); - return (DNS_R_FORMERR); - } - found = ISC_TRUE; - found_cname = ISC_TRUE; - want_chaining = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWER; - result = cname_target(rdataset, - &tname); - if (result != ISC_R_SUCCESS) - return (result); - /* Apply filters on the target name. */ - if (!is_answertarget_allowed(view, - name, - rdataset->type, - &tname, - &fctx->domain)) { - return (DNS_R_SERVFAIL); + rdataset = ISC_LIST_NEXT(rdataset, link)) + { + if (rdataset->type == type || + type == dns_rdatatype_any) + { + aname = name; + if (type != dns_rdatatype_any) { + ardataset = rdataset; } - lastcname = name; - } else if (rdataset->type == dns_rdatatype_rrsig - && rdataset->covers == - dns_rdatatype_cname - && !found_type) { - /* - * We're looking for something else, - * but we found a SIG CNAME. - */ - found = ISC_TRUE; - found_cname = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWERSIG; + break; } - - if (found) { - /* - * We've found an answer to our - * question. - */ - name->attributes |= - DNS_NAMEATTR_CACHE; - rdataset->attributes |= - DNS_RDATASETATTR_CACHE; - rdataset->trust = dns_trust_answer; - if (chaining == 0) { - /* - * This data is "the" answer - * to our question only if - * we're not chaining (i.e. - * if we haven't followed - * a CNAME or DNAME). - */ - INSIST(!external); - /* - * Don't use found_cname here - * as we have just set it - * above. 
- */ - if (cname == NULL && - !found_dname && - aflag == - DNS_RDATASETATTR_ANSWER) - { - have_answer = ISC_TRUE; - if (found_cname && - cname == NULL) - cname = name; - name->attributes |= - DNS_NAMEATTR_ANSWER; - } - rdataset->attributes |= aflag; - if (aa) - rdataset->trust = - dns_trust_authanswer; - } else if (external) { - /* - * This data is outside of - * our query domain, and - * may not be cached. - */ - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; - } - - /* - * Mark any additional data related - * to this rdataset. - */ - (void)dns_rdataset_additionaldata( - rdataset, - check_related, - fctx); - - /* - * CNAME chaining. - */ - if (want_chaining) { - wanted_chaining = ISC_TRUE; - name->attributes |= - DNS_NAMEATTR_CHAINING; - rdataset->attributes |= - DNS_RDATASETATTR_CHAINING; - qname = &tname; - } + if (rdataset->type == dns_rdatatype_cname) { + cname = name; + crdataset = rdataset; + break; } - /* - * We could add an "else" clause here and - * log that we're ignoring this rdataset. - */ } + break; + + case dns_namereln_subdomain: /* - * If wanted_chaining is true, we've done - * some chaining as the result of processing - * this node, and thus we need to set - * chaining to true. - * - * We don't set chaining inside of the - * rdataset loop because doing that would - * cause us to ignore the signatures of - * CNAMEs. + * In-scope DNAME records must have at least + * as many labels as the domain being queried. + * They also must be less that qname's labels + * and any previously found dname. 
*/ - if (wanted_chaining && chaining < 2U) - chaining++; - } else { - dns_rdataset_t *dnameset = NULL; - isc_boolean_t synthcname = ISC_FALSE; - - if (lastcname != NULL) { - lastreln = dns_name_fullcompare(lastcname, - name, - &lastorder, - &lastnlabels); - if (lastreln == dns_namereln_subdomain && - lastnlabels == dns_name_countlabels(name)) - synthcname = ISC_TRUE; + if (nlabels >= dname_labels || nlabels < domain_labels) + { + continue; } /* - * Look for a DNAME (or its SIG). Anything else is - * ignored. + * We are looking for the shortest DNAME if there + * are multiple ones (which there shouldn't be). */ - wanted_chaining = ISC_FALSE; for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { - if (rdataset->rdclass != fctx->res->rdclass) { - log_formerr(fctx, "Mismatched class " - "in answer"); - return (DNS_R_FORMERR); - } - - /* - * Only pass DNAME or RRSIG(DNAME). - */ - if (rdataset->type != dns_rdatatype_dname && - (rdataset->type != dns_rdatatype_rrsig || - rdataset->covers != dns_rdatatype_dname)) + if (rdataset->type != dns_rdatatype_dname) { continue; - - /* - * If we're not chaining, then the DNAME and - * its signature should not be external. - */ - if (chaining == 0 && external) { - char qbuf[DNS_NAME_FORMATSIZE]; - char obuf[DNS_NAME_FORMATSIZE]; - - dns_name_format(name, qbuf, - sizeof(qbuf)); - dns_name_format(&fctx->domain, obuf, - sizeof(obuf)); - log_formerr(fctx, "external DNAME or " - "RRSIG covering DNAME " - "in answer: %s is " - "not in %s", qbuf, obuf); - return (DNS_R_FORMERR); - } - - /* - * If DNAME + synthetic CNAME then the - * namereln is dns_namereln_subdomain. 
- */ - if (namereln != dns_namereln_subdomain && - !synthcname) - { - char qbuf[DNS_NAME_FORMATSIZE]; - char obuf[DNS_NAME_FORMATSIZE]; - - dns_name_format(qname, qbuf, - sizeof(qbuf)); - dns_name_format(name, obuf, - sizeof(obuf)); - log_formerr(fctx, "unrelated DNAME " - "in answer: %s is " - "not in %s", qbuf, obuf); - return (DNS_R_FORMERR); } + dname = name; + drdataset = rdataset; + dname_labels = nlabels; + break; + } + break; + default: + break; + } + } - aflag = 0; - if (rdataset->type == dns_rdatatype_dname) { - want_chaining = ISC_TRUE; - POST(want_chaining); - aflag = DNS_RDATASETATTR_ANSWER; - dns_fixedname_init(&fdname); - dname = dns_fixedname_name(&fdname); - if (synthcname) { - result = fromdname(rdataset, - lastcname, - lastnlabels, - qname); - } else { - result = dname_target(rdataset, - qname, - nlabels, - dname); - } - if (result == ISC_R_NOSPACE) { - /* - * We can't construct the - * DNAME target. Do not - * try to continue. - */ - want_chaining = ISC_FALSE; - POST(want_chaining); - } else if (result != ISC_R_SUCCESS) - return (result); - else - dnameset = rdataset; + if (dname != NULL) { + aname = NULL; + ardataset = NULL; + cname = NULL; + crdataset = NULL; + } else if (aname != NULL) { + cname = NULL; + crdataset = NULL; + } - if (!synthcname && - !is_answertarget_allowed(view, - qname, rdataset->type, - dname, &fctx->domain)) - { - return (DNS_R_SERVFAIL); - } - } else { - /* - * We've found a signature that - * covers the DNAME. - */ - aflag = DNS_RDATASETATTR_ANSWERSIG; - } + aa = ISC_TF((message->flags & DNS_MESSAGEFLAG_AA) != 0); + trust = aa ? dns_trust_authanswer : dns_trust_answer; - /* - * We've found an answer to our - * question. - */ - name->attributes |= DNS_NAMEATTR_CACHE; - rdataset->attributes |= DNS_RDATASETATTR_CACHE; - rdataset->trust = dns_trust_answer; - /* - * If we are not chaining or the first CNAME - * is a synthesised CNAME before the DNAME. 
- */ - if ((chaining == 0) || - (chaining == 1U && synthcname)) - { - /* - * This data is "the" answer to - * our question only if we're - * not chaining. - */ - INSIST(!external); - if (aflag == DNS_RDATASETATTR_ANSWER) { - have_answer = ISC_TRUE; - found_dname = ISC_TRUE; - if (cname != NULL && - synthcname) - { - cname->attributes &= - ~DNS_NAMEATTR_ANSWER; - } - name->attributes |= - DNS_NAMEATTR_ANSWER; - } - rdataset->attributes |= aflag; - if (aa) - rdataset->trust = - dns_trust_authanswer; - } else if (external) { - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; - } + if (aname != NULL && type == dns_rdatatype_any) { + for (rdataset = ISC_LIST_HEAD(aname->list); + rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) + { + if (!validinanswer(rdataset, fctx)) { + return (DNS_R_FORMERR); } - - /* - * DNAME chaining. - */ - if (dnameset != NULL) { - if (!synthcname) { - /* - * Copy the dname into the qname fixed - * name. - * - * Although we check for failure of the - * copy operation, in practice it - * should never fail since we already - * know that the result fits in a - * fixedname. - */ - dns_fixedname_init(&fqname); - qname = dns_fixedname_name(&fqname); - result = dns_name_copy(dname, qname, - NULL); - if (result != ISC_R_SUCCESS) - return (result); - } - wanted_chaining = ISC_TRUE; - name->attributes |= DNS_NAMEATTR_CHAINING; - dnameset->attributes |= - DNS_RDATASETATTR_CHAINING; + if ((fctx->type == dns_rdatatype_sig || + fctx->type == dns_rdatatype_rrsig) && + rdataset->type != fctx->type) + { + continue; } - /* - * Ensure that we can't ever get chaining == 1 - * above if we have processed a DNAME. 
- */ - if (wanted_chaining && chaining < 2U) - chaining += 2; + if ((rdataset->type == dns_rdatatype_a || + rdataset->type == dns_rdatatype_aaaa) && + !is_answeraddress_allowed(view, aname, rdataset)) + { + return (DNS_R_SERVFAIL); + } + if ((rdataset->type == dns_rdatatype_cname || + rdataset->type == dns_rdatatype_dname) && + !is_answertarget_allowed(fctx, qname, aname, + rdataset, NULL)) + { + return (DNS_R_SERVFAIL); + } + aname->attributes |= DNS_NAMEATTR_CACHE; + aname->attributes |= DNS_NAMEATTR_ANSWER; + rdataset->attributes |= DNS_RDATASETATTR_ANSWER; + rdataset->attributes |= DNS_RDATASETATTR_CACHE; + rdataset->trust = trust; + (void)dns_rdataset_additionaldata(rdataset, + check_related, + fctx); } - result = dns_message_nextname(message, DNS_SECTION_ANSWER); - } - if (result == ISC_R_NOMORE) - result = ISC_R_SUCCESS; - if (result != ISC_R_SUCCESS) - return (result); - - /* - * We should have found an answer. - */ - if (!have_answer) { + } else if (aname != NULL) { + if (!validinanswer(ardataset, fctx)) + return (DNS_R_FORMERR); + if ((ardataset->type == dns_rdatatype_a || + ardataset->type == dns_rdatatype_aaaa) && + !is_answeraddress_allowed(view, aname, ardataset)) { + return (DNS_R_SERVFAIL); + } + if ((ardataset->type == dns_rdatatype_cname || + ardataset->type == dns_rdatatype_dname) && + !is_answertarget_allowed(fctx, qname, aname, ardataset, + NULL)) + { + return (DNS_R_SERVFAIL); + } + aname->attributes |= DNS_NAMEATTR_CACHE; + aname->attributes |= DNS_NAMEATTR_ANSWER; + ardataset->attributes |= DNS_RDATASETATTR_ANSWER; + ardataset->attributes |= DNS_RDATASETATTR_CACHE; + ardataset->trust = trust; + (void)dns_rdataset_additionaldata(ardataset, check_related, + fctx); + for (sigrdataset = ISC_LIST_HEAD(aname->list); + sigrdataset != NULL; + sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) { + if (!validinanswer(sigrdataset, fctx)) + return (DNS_R_FORMERR); + if (sigrdataset->type != dns_rdatatype_rrsig || + sigrdataset->covers != type) + continue; 
+ sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG; + sigrdataset->attributes |= DNS_RDATASETATTR_CACHE; + sigrdataset->trust = trust; + break; + } + } else if (cname != NULL) { + if (!validinanswer(crdataset, fctx)) { + return (DNS_R_FORMERR); + } + if (type == dns_rdatatype_rrsig || type == dns_rdatatype_key || + type == dns_rdatatype_nsec) + { + char buf[DNS_RDATATYPE_FORMATSIZE]; + dns_rdatatype_format(type, buf, sizeof(buf)); + log_formerr(fctx, "CNAME response for %s RR", buf); + return (DNS_R_FORMERR); + } + if (!is_answertarget_allowed(fctx, qname, cname, crdataset, + NULL)) + { + return (DNS_R_SERVFAIL); + } + cname->attributes |= DNS_NAMEATTR_CACHE; + cname->attributes |= DNS_NAMEATTR_ANSWER; + cname->attributes |= DNS_NAMEATTR_CHAINING; + crdataset->attributes |= DNS_RDATASETATTR_ANSWER; + crdataset->attributes |= DNS_RDATASETATTR_CACHE; + crdataset->attributes |= DNS_RDATASETATTR_CHAINING; + crdataset->trust = trust; + for (sigrdataset = ISC_LIST_HEAD(cname->list); + sigrdataset != NULL; + sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) + { + if (!validinanswer(sigrdataset, fctx)) { + return (DNS_R_FORMERR); + } + if (sigrdataset->type != dns_rdatatype_rrsig || + sigrdataset->covers != dns_rdatatype_cname) + { + continue; + } + sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG; + sigrdataset->attributes |= DNS_RDATASETATTR_CACHE; + sigrdataset->trust = trust; + break; + } + chaining = ISC_TRUE; + } else if (dname != NULL) { + if (!validinanswer(drdataset, fctx)) { + return (DNS_R_FORMERR); + } + if (!is_answertarget_allowed(fctx, qname, dname, drdataset, + &chaining)) { + return (DNS_R_SERVFAIL); + } + dname->attributes |= DNS_NAMEATTR_CACHE; + dname->attributes |= DNS_NAMEATTR_ANSWER; + dname->attributes |= DNS_NAMEATTR_CHAINING; + drdataset->attributes |= DNS_RDATASETATTR_ANSWER; + drdataset->attributes |= DNS_RDATASETATTR_CACHE; + drdataset->attributes |= DNS_RDATASETATTR_CHAINING; + drdataset->trust = trust; + for (sigrdataset = 
ISC_LIST_HEAD(dname->list); + sigrdataset != NULL; + sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) + { + if (!validinanswer(sigrdataset, fctx)) { + return (DNS_R_FORMERR); + } + if (sigrdataset->type != dns_rdatatype_rrsig || + sigrdataset->covers != dns_rdatatype_dname) + { + continue; + } + sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG; + sigrdataset->attributes |= DNS_RDATASETATTR_CACHE; + sigrdataset->trust = trust; + break; + } + } else { log_formerr(fctx, "reply has no answer"); return (DNS_R_FORMERR); } @@ -7244,14 +7048,8 @@ answer_response(fetchctx_t *fctx) { /* * Did chaining end before we got the final answer? */ - if (chaining != 0) { - /* - * Yes. This may be a negative reply, so hand off - * authority section processing to the noanswer code. - * If it isn't a noanswer response, no harm will be - * done. - */ - return (noanswer_response(fctx, qname, 0)); + if (chaining) { + return (ISC_R_SUCCESS); } /* @@ -7270,11 +7068,9 @@ answer_response(fetchctx_t *fctx) { * We expect there to be only one owner name for all the rdatasets * in this section, and we expect that it is not external. */ - done = ISC_FALSE; - ns_name = NULL; - ns_rdataset = NULL; result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); while (!done && result == ISC_R_SUCCESS) { + isc_boolean_t external; name = NULL; dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); @@ -7293,12 +7089,13 @@ answer_response(fetchctx_t *fctx) { DNS_NAMEATTR_CACHE; rdataset->attributes |= DNS_RDATASETATTR_CACHE; - if (aa && chaining == 0) + if (aa && !chaining) { rdataset->trust = dns_trust_authauthority; - else + } else { rdataset->trust = dns_trust_additional; + } if (rdataset->type == dns_rdatatype_ns) { 
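Review bot: The new `if (chaining) { return (ISC_R_SUCCESS); }` branch in answer_response carries no comment, whereas the branch it replaces explained why authority processing was handed to noanswer_response(). Returning here means this function no longer examines the authority section of a reply that ends in a CNAME or DNAME. That looks intentional but is not stated. I would add a comment above the return such as `/* Only the selected CNAME/DNAME is accepted; the rest of the message is deliberately ignored. */`, adjusted if the follow-up is done by the caller. The function body starts and ends outside this hunk.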
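Review bot: In the authority-section loop, the `!chaining` half of `if (aa && !chaining) {` looks redundant, because the hunk at -7244 returns from answer_response as soon as `chaining` is set. Unless `chaining` is assigned in the lines between the two hunks, which are not shown, the test could be `if (aa) {`. If it is kept as a guard, a short comment should say so. The surrounding loop starts and ends outside this hunk.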
@@ -8099,6 +7896,7 @@ resquery_response(isc_task_t *task, isc_ * Is the remote server broken, or does it dislike us? */ if (message->rcode != dns_rcode_noerror && + message->rcode != dns_rcode_yxdomain && message->rcode != dns_rcode_nxdomain) { isc_buffer_t b; char code[64]; @@ -8163,13 +7961,6 @@ resquery_response(isc_task_t *task, isc_ log_formerr(fctx, "server sent FORMERR"); result = DNS_R_FORMERR; } - } else if (message->rcode == dns_rcode_yxdomain) { - /* - * DNAME mapping failed because the new name - * was too long. There's no chance of success - * for this fetch. - */ - result = DNS_R_YXDOMAIN; } else if (message->rcode == dns_rcode_badvers) { unsigned int flags, mask; unsigned int version; @@ -8328,6 +8119,7 @@ resquery_response(isc_task_t *task, isc_ */ if (message->counts[DNS_SECTION_ANSWER] > 0 && (message->rcode == dns_rcode_noerror || + message->rcode == dns_rcode_yxdomain || message->rcode == dns_rcode_nxdomain)) { /* * [normal case] Index: src/external/bsd/bind/dist/lib/isc/lex.c diff -u src/external/bsd/bind/dist/lib/isc/lex.c:1.5.6.1 src/external/bsd/bind/dist/lib/isc/lex.c:1.5.6.2 --- src/external/bsd/bind/dist/lib/isc/lex.c:1.5.6.1 Sun Mar 13 08:00:37 2016 +++ src/external/bsd/bind/dist/lib/isc/lex.c Fri Apr 21 05:16:42 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: lex.c,v 1.5.6.1 2016/03/13 08:00:37 martin Exp $ */ +/* $NetBSD: lex.c,v 1.5.6.2 2017/04/21 05:16:42 snj Exp $ */ /* * Copyright (C) 2004, 2005, 2007, 2013-2015 Internet Systems Consortium, Inc. ("ISC") 
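Review bot: The rcode test under "Is the remote server broken, or does it dislike us?" now lets `dns_rcode_yxdomain` through without saying why. The same rcode is added to the answer-section condition in the hunk at -8328, and the hunk at -8163 deletes the branch that mapped it to DNS_R_YXDOMAIN. A YXDOMAIN reply with an empty answer section therefore no longer has a dedicated result here. The branch that now receives it is outside these hunks, so it is worth confirming that such a reply still ends the fetch with an error rather than being treated as an ordinary negative answer. A short comment at the first test would record the intent, e.g. `/* YXDOMAIN may accompany a DNAME answer, so it is handled with the answer section below. */`.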
@@ -96,9 +96,10 @@ isc_lex_create(isc_mem_t *mctx, size_t m /* * Create a lexer. */ - REQUIRE(lexp != NULL && *lexp == NULL); - REQUIRE(max_token > 0U); + + if (max_token == 0U) + max_token = 1; lex = isc_mem_get(mctx, sizeof(*lex)); if (lex == NULL) Index: src/external/bsd/bind/dist/lib/isc/include/isc/lex.h diff -u src/external/bsd/bind/dist/lib/isc/include/isc/lex.h:1.3 src/external/bsd/bind/dist/lib/isc/include/isc/lex.h:1.3.14.1 --- src/external/bsd/bind/dist/lib/isc/include/isc/lex.h:1.3 Tue Jun 5 00:42:36 2012 +++ src/external/bsd/bind/dist/lib/isc/include/isc/lex.h Fri Apr 21 05:16:42 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: lex.h,v 1.3 2012/06/05 00:42:36 christos Exp $ */ +/* $NetBSD: lex.h,v 1.3.14.1 2017/04/21 05:16:42 snj Exp $ */ /* * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") @@ -154,8 +154,6 @@ isc_lex_create(isc_mem_t *mctx, size_t m * Requires: *\li '*lexp' is a valid lexer. * - *\li max_token > 0. - * * Ensures: *\li On success, *lexp is attached to the newly created lexer. *
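Review bot: The replacement for `REQUIRE(max_token > 0U)` in isc_lex_create silently turns a `max_token` of 0 into 1, and neither the code nor the header says so. The lex.h hunk at -154 only deletes the `max_token > 0` requirement. A caller that passes 0 now gets a lexer with a limit of 1 instead of an assertion failure. That is presumably the intent, so that a zero-length input can no longer abort the process, but the new contract should be written down. I would add `/* A max_token of 0 is accepted and treated as 1. */` above the `if`, and a matching `\li` line in the lex.h description of isc_lex_create.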