Module Name: src
Committed By: snj
Date: Fri Apr 21 05:16:42 UTC 2017
Modified Files:
src/doc [netbsd-7-0]: 3RDPARTY
src/external/bsd/bind/dist [netbsd-7-0]: CHANGES COPYRIGHT README
bind.keys bind.keys.h configure srcid version
src/external/bsd/bind/dist/bin/named [netbsd-7-0]: query.c
src/external/bsd/bind/dist/bin/tests/system/dname [netbsd-7-0]:
tests.sh
src/external/bsd/bind/dist/bin/tests/system/dname/ans3 [netbsd-7-0]:
ans.pl
src/external/bsd/bind/dist/bin/tests/system/dname/ns1 [netbsd-7-0]:
root.db
src/external/bsd/bind/dist/bin/tests/system/dname/ns2 [netbsd-7-0]:
example.db
src/external/bsd/bind/dist/bin/tests/system/rndc [netbsd-7-0]: tests.sh
src/external/bsd/bind/dist/bin/tests/system/rpz [netbsd-7-0]: tests.sh
src/external/bsd/bind/dist/doc/arm [netbsd-7-0]: Bv9ARM.ch01.html
Bv9ARM.ch02.html Bv9ARM.ch03.html Bv9ARM.ch04.html Bv9ARM.ch05.html
Bv9ARM.ch06.html Bv9ARM.ch07.html Bv9ARM.ch08.html Bv9ARM.ch09.html
Bv9ARM.ch10.html Bv9ARM.ch11.html Bv9ARM.ch12.html Bv9ARM.ch13.html
Bv9ARM.html Bv9ARM.pdf man.arpaname.html man.ddns-confgen.html
man.delv.html man.dig.html man.dnssec-checkds.html
man.dnssec-coverage.html man.dnssec-dsfromkey.html
man.dnssec-importkey.html man.dnssec-keyfromlabel.html
man.dnssec-keygen.html man.dnssec-revoke.html
man.dnssec-settime.html man.dnssec-signzone.html
man.dnssec-verify.html man.genrandom.html man.host.html
man.isc-hmac-fixup.html man.lwresd.html man.named-checkconf.html
man.named-checkzone.html man.named-journalprint.html
man.named-rrchecker.html man.named.conf.html man.named.html
man.nsec3hash.html man.nsupdate.html man.rndc-confgen.html
man.rndc.conf.html man.rndc.html notes.html notes.pdf notes.xml
src/external/bsd/bind/dist/lib/dns [netbsd-7-0]: api rdataset.c
resolver.c
src/external/bsd/bind/dist/lib/isc [netbsd-7-0]: lex.c
src/external/bsd/bind/dist/lib/isc/include/isc [netbsd-7-0]: lex.h
Log Message:
Pull up following revision(s) (requested by spz in ticket #1404):
doc/3RDPARTY: 1.1430 via patch
external/bsd/bind/dist/CHANGES: up to 1.26
external/bsd/bind/dist/COPYRIGHT: up to 1.1.1.11
external/bsd/bind/dist/README: up to 1.14
external/bsd/bind/dist/bin/named/query.c: up to 1.24
external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl: up to 1.1.1.2
external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db: up to 1.1.1.4
external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to
1.1.1.4
external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.6
external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.9
external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.13
external/bsd/bind/dist/bind.keys: up to 1.1.1.6
external/bsd/bind/dist/bind.keys.h: up to 1.1.1.4
external/bsd/bind/dist/configure: up to 1.7
external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.24
external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.21
external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.26
external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.14
external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.27
external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.14
external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.14
external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.14
external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.14
external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.23
external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.12
external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.12
external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.12
external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.14
external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.19
external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.host.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.6
external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.6
external/bsd/bind/dist/doc/arm/man.named.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.14
external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.14
external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.12
external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.12
external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.12
external/bsd/bind/dist/lib/dns/api: up to 1.14
external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.10
external/bsd/bind/dist/lib/dns/resolver.c: up to 1.30
external/bsd/bind/dist/lib/isc/include/isc/lex.h: up to 1.5
external/bsd/bind/dist/lib/isc/lex.c: up to 1.8
external/bsd/bind/dist/srcid: up to 1.20
external/bsd/bind/dist/version: up to 1.24
Update BIND to 9.10.4-P8.
To generate a diff of this commit:
cvs rdiff -u -r1.1145.2.18.2.18 -r1.1145.2.18.2.19 src/doc/3RDPARTY
cvs rdiff -u -r1.12.2.5.2.5 -r1.12.2.5.2.6 src/external/bsd/bind/dist/CHANGES
cvs rdiff -u -r1.1.1.8.4.1.2.1 -r1.1.1.8.4.1.2.2 \
src/external/bsd/bind/dist/COPYRIGHT
cvs rdiff -u -r1.1.1.14.2.5.2.5 -r1.1.1.14.2.5.2.6 \
src/external/bsd/bind/dist/README
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.14.1 src/external/bsd/bind/dist/bind.keys
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.10.1 src/external/bsd/bind/dist/bind.keys.h
cvs rdiff -u -r1.2.2.2.2.2 -r1.2.2.2.2.3 src/external/bsd/bind/dist/configure
cvs rdiff -u -r1.6.2.5.2.5 -r1.6.2.5.2.6 src/external/bsd/bind/dist/srcid
cvs rdiff -u -r1.10.2.5.2.5 -r1.10.2.5.2.6 src/external/bsd/bind/dist/version
cvs rdiff -u -r1.16.2.3.2.3 -r1.16.2.3.2.4 \
src/external/bsd/bind/dist/bin/named/query.c
cvs rdiff -u -r1.1.1.3.12.2 -r1.1.1.3.12.3 \
src/external/bsd/bind/dist/bin/tests/system/dname/tests.sh
cvs rdiff -u -r1.1.1.1.4.2 -r1.1.1.1.4.3 \
src/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl
cvs rdiff -u -r1.1.1.2.14.1 -r1.1.1.2.14.2 \
src/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db
cvs rdiff -u -r1.1.1.2.14.1 -r1.1.1.2.14.2 \
src/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db
cvs rdiff -u -r1.1.1.5.4.1.2.2 -r1.1.1.5.4.1.2.3 \
src/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh
cvs rdiff -u -r1.1.1.9.4.2.2.1 -r1.1.1.9.4.2.2.2 \
src/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh
cvs rdiff -u -r1.1.1.11.2.4.2.5 -r1.1.1.11.2.4.2.6 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html
cvs rdiff -u -r1.1.1.8.2.4.2.5 -r1.1.1.8.2.4.2.6 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html
cvs rdiff -u -r1.1.1.13.2.4.2.5 -r1.1.1.13.2.4.2.6 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html
cvs rdiff -u -r1.1.1.15.2.5.2.5 -r1.1.1.15.2.5.2.6 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.html \
src/external/bsd/bind/dist/doc/arm/man.dig.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html \
src/external/bsd/bind/dist/doc/arm/man.host.html \
src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html \
src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html \
src/external/bsd/bind/dist/doc/arm/man.named.html \
src/external/bsd/bind/dist/doc/arm/man.nsupdate.html \
src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html \
src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html \
src/external/bsd/bind/dist/doc/arm/man.rndc.html
cvs rdiff -u -r1.1.1.14.2.4.2.5 -r1.1.1.14.2.4.2.6 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html
cvs rdiff -u -r1.1.1.10.2.4.2.5 -r1.1.1.10.2.4.2.6 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html
cvs rdiff -u -r1.1.1.1.2.4.2.5 -r1.1.1.1.2.4.2.6 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html \
src/external/bsd/bind/dist/doc/arm/notes.html \
src/external/bsd/bind/dist/doc/arm/notes.pdf \
src/external/bsd/bind/dist/doc/arm/notes.xml
cvs rdiff -u -r1.7.2.4.2.4 -r1.7.2.4.2.5 \
src/external/bsd/bind/dist/doc/arm/Bv9ARM.pdf
cvs rdiff -u -r1.1.1.12.2.5.2.5 -r1.1.1.12.2.5.2.6 \
src/external/bsd/bind/dist/doc/arm/man.arpaname.html \
src/external/bsd/bind/dist/doc/arm/man.genrandom.html \
src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html \
src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html
cvs rdiff -u -r1.1.1.13.2.5.2.5 -r1.1.1.13.2.5.2.6 \
src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html
cvs rdiff -u -r1.1.1.1.4.5.2.5 -r1.1.1.1.4.5.2.6 \
src/external/bsd/bind/dist/doc/arm/man.delv.html
cvs rdiff -u -r1.1.1.3.2.5.2.5 -r1.1.1.3.2.5.2.6 \
src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html \
src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html
cvs rdiff -u -r1.1.1.2.2.5.2.5 -r1.1.1.2.2.5.2.6 \
src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html \
src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html
cvs rdiff -u -r1.1.1.5.2.5.2.5 -r1.1.1.5.2.5.2.6 \
src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html
cvs rdiff -u -r1.1.1.11.2.5.2.5 -r1.1.1.11.2.5.2.6 \
src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html
cvs rdiff -u -r1.1.1.2.2.5 -r1.1.1.2.2.6 \
src/external/bsd/bind/dist/doc/arm/man.lwresd.html \
src/external/bsd/bind/dist/doc/arm/man.named.conf.html
cvs rdiff -u -r1.1.1.16.2.5.2.5 -r1.1.1.16.2.5.2.6 \
src/external/bsd/bind/dist/lib/dns/api
cvs rdiff -u -r1.6.10.1.2.1 -r1.6.10.1.2.2 \
src/external/bsd/bind/dist/lib/dns/rdataset.c
cvs rdiff -u -r1.19.2.3.2.5 -r1.19.2.3.2.6 \
src/external/bsd/bind/dist/lib/dns/resolver.c
cvs rdiff -u -r1.5.6.1 -r1.5.6.2 src/external/bsd/bind/dist/lib/isc/lex.c
cvs rdiff -u -r1.3 -r1.3.14.1 \
src/external/bsd/bind/dist/lib/isc/include/isc/lex.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/doc/3RDPARTY
diff -u src/doc/3RDPARTY:1.1145.2.18.2.18 src/doc/3RDPARTY:1.1145.2.18.2.19
--- src/doc/3RDPARTY:1.1145.2.18.2.18 Thu Apr 20 06:42:09 2017
+++ src/doc/3RDPARTY Fri Apr 21 05:16:38 2017
@@ -1,4 +1,4 @@
-# $NetBSD: 3RDPARTY,v 1.1145.2.18.2.18 2017/04/20 06:42:09 snj Exp $
+# $NetBSD: 3RDPARTY,v 1.1145.2.18.2.19 2017/04/21 05:16:38 snj Exp $
#
# This file contains a list of the software that has been integrated into
# NetBSD where we are not the primary maintainer.
@@ -113,8 +113,8 @@ Notes:
bc includes dc, both of which are in the NetBSD tree.
Package: bind [named and utils]
-Version: 9.10.4-P6
-Current Vers: 9.10.4-P6
+Version: 9.10.4-P8
+Current Vers: 9.10.4-P8
Maintainer: Paul Vixie <vi...@vix.com>
Archive Site: ftp://ftp.isc.org/isc/bind9/
Home Page: http://www.isc.org/software/bind/
Index: src/external/bsd/bind/dist/CHANGES
diff -u src/external/bsd/bind/dist/CHANGES:1.12.2.5.2.5 src/external/bsd/bind/dist/CHANGES:1.12.2.5.2.6
--- src/external/bsd/bind/dist/CHANGES:1.12.2.5.2.5 Mon Feb 20 16:27:13 2017
+++ src/external/bsd/bind/dist/CHANGES Fri Apr 21 05:16:39 2017
@@ -1,7 +1,27 @@
+ --- 9.10.4-P8 released ---
+
+4582. [security] 'rndc ""' could trigger a assertion failure in named.
+ (CVE-2017-3138) [RT #44924]
+
+4580. [bug] 4578 introduced a regression when handling CNAME to
+ referral below the current domain. [RT #44850]
+
+ --- 9.10.4-P7 released ---
+
+4578. [security] Some chaining (CNAME or DNAME) responses to upstream
+ queries could trigger assertion failures.
+ (CVE-2017-3137) [RT #44734]
+
+4575. [security] DNS64 with "break-dnssec yes;" can result in an
+ assertion failure. (CVE-2017-3136) [RT #44653]
+
+4564. [maint] Update the built in managed keys to include the
+ upcoming root KSK. [RT #44579]
+
--- 9.10.4-P6 released ---
4558. [bug] Synthesised CNAME before matching DNAME was still
- being cached when it should have been. [RT #44318]
+ being cached when it should not have been. [RT #44318]
4557. [security] Combining dns64 and rpz can result in dereferencing
a NULL pointer (read). (CVE-2017-3135) [RT#44434]
Index: src/external/bsd/bind/dist/COPYRIGHT
diff -u src/external/bsd/bind/dist/COPYRIGHT:1.1.1.8.4.1.2.1 src/external/bsd/bind/dist/COPYRIGHT:1.1.1.8.4.1.2.2
--- src/external/bsd/bind/dist/COPYRIGHT:1.1.1.8.4.1.2.1 Sun Mar 13 08:00:24 2016
+++ src/external/bsd/bind/dist/COPYRIGHT Fri Apr 21 05:16:39 2017
@@ -1,4 +1,4 @@
-Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2003 Internet Software Consortium.
Permission to use, copy, modify, and/or distribute this software for any
Index: src/external/bsd/bind/dist/README
diff -u src/external/bsd/bind/dist/README:1.1.1.14.2.5.2.5 src/external/bsd/bind/dist/README:1.1.1.14.2.5.2.6
--- src/external/bsd/bind/dist/README:1.1.1.14.2.5.2.5 Mon Feb 20 16:27:13 2017
+++ src/external/bsd/bind/dist/README Fri Apr 21 05:16:39 2017
@@ -51,6 +51,11 @@ BIND 9
For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
+BIND 9.10.4-P7
+
+ This version contains fixes for CVE-2017-3136 and CVE-2017-3137,
+ and updates the built in trusted keys for the root zone.
+
BIND 9.10.4-P6
This version contains a fix for CVE-2017-3135, and a bug fix
Index: src/external/bsd/bind/dist/bind.keys
diff -u src/external/bsd/bind/dist/bind.keys:1.1.1.5 src/external/bsd/bind/dist/bind.keys:1.1.1.5.14.1
--- src/external/bsd/bind/dist/bind.keys:1.1.1.5 Mon Jun 4 17:53:12 2012
+++ src/external/bsd/bind/dist/bind.keys Fri Apr 21 05:16:39 2017
@@ -15,32 +15,55 @@
#
# This file is NOT expected to be user-configured.
#
-# These keys are current as of January 2011. If any key fails to
+# These keys are current as of Feburary 2017. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
managed-keys {
- # ISC DLV: See https://www.isc.org/solutions/dlv for details.
- # NOTE: This key is activated by setting "dnssec-lookaside auto;"
- # in named.conf.
- dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
- brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
- 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
- ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
- Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
- QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
- TDN0YUuWrBNh";
+ # ISC DLV: See https://www.isc.org/solutions/dlv for details.
+ #
+ # NOTE: The ISC DLV zone is being phased out as of February 2017;
+ # the key will remain in place but the zone will be otherwise empty.
+ # Configuring "dnssec-lookaside auto;" to activate this key is
+ # harmless, but is no longer useful and is not recommended.
+ dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+ brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+ ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+ Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+ QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+ TDN0YUuWrBNh";
- # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
- # for current trust anchor information.
- # NOTE: This key is activated by setting "dnssec-validation auto;"
+ # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
+ # for current trust anchor information.
+ #
+ # These keys are activated by setting "dnssec-validation auto;"
# in named.conf.
- . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
- QxA+Uk1ihz0=";
+ #
+ # This key (19036) is to be phased out starting in 2017. It will
+ # remain in the root zone for some time after its successor key
+ # has been added. It will remain this file until it is removed from
+ # the root zone.
+ . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+ QxA+Uk1ihz0=";
+
+ # This key (20326) is to be published in the root zone in 2017.
+ # Servers which were already using the old key should roll to the
+ # new # one seamlessly. Servers being set up for the first time
+ # can use either of the keys in this file to verify the root keys
+ # for the first time; thereafter the keys in the zone will be
+ # trusted and maintained automatically.
+ . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
};
Index: src/external/bsd/bind/dist/bind.keys.h
diff -u src/external/bsd/bind/dist/bind.keys.h:1.1.1.1 src/external/bsd/bind/dist/bind.keys.h:1.1.1.1.10.1
--- src/external/bsd/bind/dist/bind.keys.h:1.1.1.1 Fri Feb 28 17:40:04 2014
+++ src/external/bsd/bind/dist/bind.keys.h Fri Apr 21 05:16:39 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: bind.keys.h,v 1.1.1.1 2014/02/28 17:40:04 christos Exp $ */
+/* $NetBSD: bind.keys.h,v 1.1.1.1.10.1 2017/04/21 05:16:39 snj Exp $ */
/*
* Generated by bindkeys.pl 1.7 2011/01/04 23:47:13 tbox Exp
@@ -21,34 +21,57 @@
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
-# These keys are current as of January 2011. If any key fails to\n\
+# These keys are current as of Feburary 2017. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
\n\
trusted-keys {\n\
- # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
- # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
- # in named.conf.\n\
- dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
- brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
- 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
- ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
- Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
- QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
- TDN0YUuWrBNh\";\n\
-\n\
- # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
- # for current trust anchor information.\n\
- # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
+ # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
+ #\n\
+ # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\
+ # the key will remain in place but the zone will be otherwise empty.\n\
+ # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\
+ # harmless, but is no longer useful and is not recommended.\n\
+ dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
+ brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
+ ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
+ Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
+ QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
+ TDN0YUuWrBNh\";\n\
+\n\
+ # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\
+ # for current trust anchor information.\n\
+ #\n\
+ # These keys are activated by setting \"dnssec-validation auto;\"\n\
# in named.conf.\n\
- . 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
- QxA+Uk1ihz0=\";\n\
+ #\n\
+ # This key (19036) is to be phased out starting in 2017. It will\n\
+ # remain in the root zone for some time after its successor key\n\
+ # has been added. It will remain this file until it is removed from\n\
+ # the root zone.\n\
+ . 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
+ QxA+Uk1ihz0=\";\n\
+\n\
+ # This key (20326) is to be published in the root zone in 2017.\n\
+ # Servers which were already using the old key should roll to the\n\
+ # new # one seamlessly. Servers being set up for the first time\n\
+ # can use either of the keys in this file to verify the root keys\n\
+ # for the first time; thereafter the keys in the zone will be\n\
+ # trusted and maintained automatically.\n\
+ . 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\
+ R1AkUTV74bU=\";\n\
};\n\
"
@@ -69,33 +92,56 @@ trusted-keys {\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
-# These keys are current as of January 2011. If any key fails to\n\
+# These keys are current as of Feburary 2017. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
\n\
managed-keys {\n\
- # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
- # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
- # in named.conf.\n\
- dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
- brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
- 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
- ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
- Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
- QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
- TDN0YUuWrBNh\";\n\
-\n\
- # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
- # for current trust anchor information.\n\
- # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
+ # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
+ #\n\
+ # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\
+ # the key will remain in place but the zone will be otherwise empty.\n\
+ # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\
+ # harmless, but is no longer useful and is not recommended.\n\
+ dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
+ brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
+ ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
+ Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
+ QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
+ TDN0YUuWrBNh\";\n\
+\n\
+ # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\
+ # for current trust anchor information.\n\
+ #\n\
+ # These keys are activated by setting \"dnssec-validation auto;\"\n\
# in named.conf.\n\
- . initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
- QxA+Uk1ihz0=\";\n\
+ #\n\
+ # This key (19036) is to be phased out starting in 2017. It will\n\
+ # remain in the root zone for some time after its successor key\n\
+ # has been added. It will remain this file until it is removed from\n\
+ # the root zone.\n\
+ . initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
+ QxA+Uk1ihz0=\";\n\
+\n\
+ # This key (20326) is to be published in the root zone in 2017.\n\
+ # Servers which were already using the old key should roll to the\n\
+ # new # one seamlessly. Servers being set up for the first time\n\
+ # can use either of the keys in this file to verify the root keys\n\
+ # for the first time; thereafter the keys in the zone will be\n\
+ # trusted and maintained automatically.\n\
+ . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\
+ R1AkUTV74bU=\";\n\
};\n\
"
Index: src/external/bsd/bind/dist/configure
diff -u src/external/bsd/bind/dist/configure:1.2.2.2.2.2 src/external/bsd/bind/dist/configure:1.2.2.2.2.3
--- src/external/bsd/bind/dist/configure:1.2.2.2.2.2 Fri Oct 14 11:42:26 2016
+++ src/external/bsd/bind/dist/configure Fri Apr 21 05:16:39 2017
@@ -1,5 +1,5 @@
#! /bin/sh
-# Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1996-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
Index: src/external/bsd/bind/dist/srcid
diff -u src/external/bsd/bind/dist/srcid:1.6.2.5.2.5 src/external/bsd/bind/dist/srcid:1.6.2.5.2.6
--- src/external/bsd/bind/dist/srcid:1.6.2.5.2.5 Mon Feb 20 16:27:13 2017
+++ src/external/bsd/bind/dist/srcid Fri Apr 21 05:16:39 2017
@@ -1 +1 @@
-SRCID=a6837d0
+SRCID=9f5232e
Index: src/external/bsd/bind/dist/version
diff -u src/external/bsd/bind/dist/version:1.10.2.5.2.5 src/external/bsd/bind/dist/version:1.10.2.5.2.6
--- src/external/bsd/bind/dist/version:1.10.2.5.2.5 Mon Feb 20 16:27:13 2017
+++ src/external/bsd/bind/dist/version Fri Apr 21 05:16:39 2017
@@ -7,5 +7,5 @@ MAJORVER=9
MINORVER=10
PATCHVER=4
RELEASETYPE=-P
-RELEASEVER=6
+RELEASEVER=8
EXTENSIONS=
Index: src/external/bsd/bind/dist/bin/named/query.c
diff -u src/external/bsd/bind/dist/bin/named/query.c:1.16.2.3.2.3 src/external/bsd/bind/dist/bin/named/query.c:1.16.2.3.2.4
--- src/external/bsd/bind/dist/bin/named/query.c:1.16.2.3.2.3 Mon Feb 20 16:27:13 2017
+++ src/external/bsd/bind/dist/bin/named/query.c Fri Apr 21 05:16:39 2017
@@ -1,7 +1,7 @@
-/* $NetBSD: query.c,v 1.16.2.3.2.3 2017/02/20 16:27:13 sborrill Exp $ */
+/* $NetBSD: query.c,v 1.16.2.3.2.4 2017/04/21 05:16:39 snj Exp $ */
/*
- * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -8221,6 +8221,7 @@ query_find(ns_client_t *client, dns_fetc
result = query_dns64(client, &fname, rdataset,
sigrdataset, dbuf,
DNS_SECTION_ANSWER);
+ noqname = NULL;
dns_rdataset_disassociate(rdataset);
dns_message_puttemprdataset(client->message, &rdataset);
if (result == ISC_R_NOMORE) {
Index: src/external/bsd/bind/dist/bin/tests/system/dname/tests.sh
diff -u src/external/bsd/bind/dist/bin/tests/system/dname/tests.sh:1.1.1.3.12.2 src/external/bsd/bind/dist/bin/tests/system/dname/tests.sh:1.1.1.3.12.3
--- src/external/bsd/bind/dist/bin/tests/system/dname/tests.sh:1.1.1.3.12.2 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/bin/tests/system/dname/tests.sh Fri Apr 21 05:16:39 2017
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011, 2012, 2017 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -57,10 +57,19 @@ grep "status: YXDOMAIN" dig.out.ns2.tool
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
-echo "I:checking (too) long dname from recursive"
+echo "I:checking (too) long dname from recursive with cached DNAME"
+ret=0
+$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cachedtoolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1
+grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking (too) long dname from recursive without cached DNAME"
ret=0
-$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.toolong || ret=1
-grep "status: YXDOMAIN" dig.out.ns4.toolong > /dev/null || ret=1
+$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.uncachedtoolong || ret=1
+grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1
+grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
Index: src/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl
diff -u src/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl:1.1.1.1.4.2 src/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl:1.1.1.1.4.3
--- src/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl:1.1.1.1.4.2 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl Fri Apr 21 05:16:39 2017
@@ -1,10 +1,18 @@
#!/usr/bin/env perl
#
-# Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
use strict;
use warnings;
Index: src/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db
diff -u src/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db:1.1.1.2.14.1 src/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db:1.1.1.2.14.2
--- src/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db:1.1.1.2.14.1 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db Fri Apr 21 05:16:39 2017
@@ -1,4 +1,4 @@
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011, 2017 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
Index: src/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db
diff -u src/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db:1.1.1.2.14.1 src/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db:1.1.1.2.14.2
--- src/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db:1.1.1.2.14.1 Mon Jan 16 11:56:43 2017
+++ src/external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db Fri Apr 21 05:16:39 2017
@@ -1,4 +1,4 @@
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2011, 2017 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
@@ -29,6 +29,7 @@ a.short A 10.0.0.1
short-dname DNAME short
a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2
long-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong
+toolong-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong
cname CNAME a.cnamedname
cnamedname DNAME target
a.target A 10.0.0.3
Index: src/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh
diff -u src/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh:1.1.1.5.4.1.2.2 src/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh:1.1.1.5.4.1.2.3
--- src/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh:1.1.1.5.4.1.2.2 Fri Oct 14 11:42:37 2016
+++ src/external/bsd/bind/dist/bin/tests/system/rndc/tests.sh Fri Apr 21 05:16:39 2017
@@ -393,5 +393,13 @@ sleep 1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I:check 'rndc \"\"' is handled ($n)"
+ret=0
+$RNDCCMD "" > rndc.out.test$n 2>&1 && ret=1
+grep "rndc: '' failed: failure" rndc.out.test$n > /dev/null
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
exit $status
Index: src/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh
diff -u src/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh:1.1.1.9.4.2.2.1 src/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh:1.1.1.9.4.2.2.2
--- src/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh:1.1.1.9.4.2.2.1 Fri Oct 14 11:42:38 2016
+++ src/external/bsd/bind/dist/bin/tests/system/rpz/tests.sh Fri Apr 21 05:16:39 2017
@@ -1,4 +1,4 @@
-# Copyright (C) 2011-2016 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2011-2017 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -383,7 +383,7 @@ nxdomain a0-1s-cname.tld2s +dnssec @$ns
drop a3-8.tld2 any @$ns6 # 20 drop
end_group
-ckstatsrange $ns3 test1 ns3 22 25
+ckstatsrange $ns3 test1 ns3 22 28
ckstats $ns5 test1 ns5 0
ckstats $ns6 test1 ns6 0
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html:1.1.1.11.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html:1.1.1.11.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html:1.1.1.11.2.4.2.5 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html Fri Apr 21 05:16:40 2017
@@ -555,6 +555,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html:1.1.1.8.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html:1.1.1.8.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html:1.1.1.8.2.4.2.5 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html Fri Apr 21 05:16:40 2017
@@ -153,6 +153,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html:1.1.1.13.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html:1.1.1.13.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html:1.1.1.13.2.4.2.5 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html Fri Apr 21 05:16:40 2017
@@ -669,6 +669,6 @@ controls {
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html Fri Apr 21 05:16:40 2017
@@ -2326,6 +2326,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html Fri Apr 21 05:16:40 2017
@@ -12845,6 +12845,6 @@ HOST-127.EXAMPLE. MX 0 .
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html Fri Apr 21 05:16:40 2017
@@ -248,6 +248,6 @@ zone "example.com" {
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html Fri Apr 21 05:16:40 2017
@@ -134,6 +134,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html Fri Apr 21 05:16:40 2017
@@ -44,10 +44,11 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P8</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
@@ -60,7 +61,7 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P6</h2></div></div></div>
+<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P8</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
@@ -68,6 +69,11 @@
This document summarizes changes since BIND 9.10.4:
</p>
<p>
+ BIND 9.10.4-P7 addresses the security issue described in
+ CVE-2017-3136, and updates the built in trusted keys for
+ the root zone.
+ </p>
+<p>
BIND 9.10.4-P6 addresses the security issue described in
CVE-2017-3135, and fixes a regression introduced in a prior
security release.
@@ -109,9 +115,52 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
+<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
+<p>
+ ICANN is in the process of introducing a new Key Signing Key (KSK) for
+ the global root zone. BIND has multiple methods for managing DNSSEC
+ trust anchors, with somewhat different behaviors. If the root
+ key is configured using the <span class="command"><strong>managed-keys</strong></span>
+ statement, or if the pre-configured root key is enabled by using
+ <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
+ keys up to date automatically. Servers configured in this way
+ will roll seamlessly to the new key when it is published in
+ the root zone. However, keys configured using the
+ <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
+ maintained. If your server is performing DNSSEC validation
+ and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
+ advised to change your configuration before the root zone begins
+ signing with the new KSK. This is currently scheduled for
+ October 11, 2017.
+ </p>
+<p>
+ This release includes an updated version of the
+ <code class="filename">bind.keys</code> file containing the new root
+ key. This file can also be downloaded from
+ <a class="link" href="https://www.isc.org/bind-keys"; target="_top">
+ https://www.isc.org/bind-keys
+ </a>.
+ </p>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
+ 'rndc ""' could trigger a assertion failure in named. This flaw
+ is disclosed in (CVE-2017-3138). [RT #44924]
+ </p></li>
+<li class="listitem"><p>
+ Some chaining (i.e., type CNAME or DNAME) responses to upstream
+ queries could trigger assertion failures. This flaw is disclosed
+ in CVE-2017-3137. [RT #44734]
+ </p></li>
+<li class="listitem"><p>
+ <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
+ can result in an assertion failure. This flaw is disclosed in
+ CVE-2017-3136. [RT #44653]
+ </p></li>
+<li class="listitem"><p>
If a server is configured with a response policy zone (RPZ)
that rewrites an answer with local data, and is also configured
for DNS64 address mapping, a NULL pointer can be read
@@ -245,6 +294,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.html Fri Apr 21 05:16:40 2017
@@ -40,7 +40,7 @@
<div>
<div><h1 class="title">
<a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.10.4-P6</p></div>
+<div><p class="releaseinfo">BIND Version 9.10.4-P8</p></div>
<div><p class="copyright">Copyright © 2004-2015 Internet Systems Consortium, Inc. ("ISC")</p></div>
<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
</div>
@@ -239,10 +239,11 @@
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
<dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P6</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P8</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
@@ -385,6 +386,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dig.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dig.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dig.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dig.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dig.html Fri Apr 21 05:16:42 2017
@@ -809,6 +809,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html Fri Apr 21 05:16:42 2017
@@ -213,6 +213,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html Fri Apr 21 05:16:42 2017
@@ -381,6 +381,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html Fri Apr 21 05:16:42 2017
@@ -455,6 +455,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html Fri Apr 21 05:16:42 2017
@@ -564,6 +564,6 @@ db.example.com.signed
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.host.html
diff -u src/external/bsd/bind/dist/doc/arm/man.host.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.host.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.host.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.host.html Fri Apr 21 05:16:42 2017
@@ -247,6 +247,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html Fri Apr 21 05:16:42 2017
@@ -151,6 +151,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html Fri Apr 21 05:16:42 2017
@@ -338,6 +338,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.named.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.named.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.named.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named.html Fri Apr 21 05:16:42 2017
@@ -369,6 +369,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.nsupdate.html
diff -u src/external/bsd/bind/dist/doc/arm/man.nsupdate.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.nsupdate.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.nsupdate.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.nsupdate.html Fri Apr 21 05:16:42 2017
@@ -663,6 +663,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html
diff -u src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:17 2017
+++ src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html Fri Apr 21 05:16:42 2017
@@ -223,6 +223,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html
diff -u src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:17 2017
+++ src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html Fri Apr 21 05:16:42 2017
@@ -246,6 +246,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.rndc.html
diff -u src/external/bsd/bind/dist/doc/arm/man.rndc.html:1.1.1.15.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.rndc.html:1.1.1.15.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.rndc.html:1.1.1.15.2.5.2.5 Mon Feb 20 16:27:17 2017
+++ src/external/bsd/bind/dist/doc/arm/man.rndc.html Fri Apr 21 05:16:42 2017
@@ -621,6 +621,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html:1.1.1.14.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html:1.1.1.14.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html:1.1.1.14.2.4.2.5 Mon Feb 20 16:27:14 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html Fri Apr 21 05:16:40 2017
@@ -138,6 +138,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html:1.1.1.10.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html:1.1.1.10.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html:1.1.1.10.2.4.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html Fri Apr 21 05:16:40 2017
@@ -155,6 +155,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html:1.1.1.1.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html:1.1.1.1.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html:1.1.1.1.2.4.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html Fri Apr 21 05:16:40 2017
@@ -497,6 +497,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html:1.1.1.1.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html:1.1.1.1.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html:1.1.1.1.2.4.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html Fri Apr 21 05:16:40 2017
@@ -543,6 +543,6 @@ $ <strong class="userinput"><code>sample
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html
diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html:1.1.1.1.2.4.2.5 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html:1.1.1.1.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html:1.1.1.1.2.4.2.5 Mon Feb 20 16:27:15 2017
+++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html Fri Apr 21 05:16:40 2017
@@ -154,6 +154,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/notes.html
diff -u src/external/bsd/bind/dist/doc/arm/notes.html:1.1.1.1.2.4.2.5 src/external/bsd/bind/dist/doc/arm/notes.html:1.1.1.1.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/notes.html:1.1.1.1.2.4.2.5 Mon Feb 20 16:27:17 2017
+++ src/external/bsd/bind/dist/doc/arm/notes.html Fri Apr 21 05:16:42 2017
@@ -21,7 +21,7 @@
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.10.4-P6</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.10.4-P8</h2></div></div></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
@@ -29,6 +29,11 @@
This document summarizes changes since BIND 9.10.4:
</p>
<p>
+ BIND 9.10.4-P7 addresses the security issue described in
+ CVE-2017-3136, and updates the built in trusted keys for
+ the root zone.
+ </p>
+<p>
BIND 9.10.4-P6 addresses the security issue described in
CVE-2017-3135, and fixes a regression introduced in a prior
security release.
@@ -70,9 +75,52 @@
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
+<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
+<p>
+ ICANN is in the process of introducing a new Key Signing Key (KSK) for
+ the global root zone. BIND has multiple methods for managing DNSSEC
+ trust anchors, with somewhat different behaviors. If the root
+ key is configured using the <span class="command"><strong>managed-keys</strong></span>
+ statement, or if the pre-configured root key is enabled by using
+ <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
+ keys up to date automatically. Servers configured in this way
+ will roll seamlessly to the new key when it is published in
+ the root zone. However, keys configured using the
+ <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
+ maintained. If your server is performing DNSSEC validation
+ and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
+ advised to change your configuration before the root zone begins
+ signing with the new KSK. This is currently scheduled for
+ October 11, 2017.
+ </p>
+<p>
+ This release includes an updated version of the
+ <code class="filename">bind.keys</code> file containing the new root
+ key. This file can also be downloaded from
+ <a class="link" href="https://www.isc.org/bind-keys"; target="_top">
+ https://www.isc.org/bind-keys
+ </a>.
+ </p>
+</div>
+<div class="section">
+<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>
+ 'rndc ""' could trigger a assertion failure in named. This flaw
+ is disclosed in (CVE-2017-3138). [RT #44924]
+ </p></li>
+<li class="listitem"><p>
+ Some chaining (i.e., type CNAME or DNAME) responses to upstream
+ queries could trigger assertion failures. This flaw is disclosed
+ in CVE-2017-3137. [RT #44734]
+ </p></li>
+<li class="listitem"><p>
+ <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span>
+ can result in an assertion failure. This flaw is disclosed in
+ CVE-2017-3136. [RT #44653]
+ </p></li>
+<li class="listitem"><p>
If a server is configured with a response policy zone (RPZ)
that rewrites an answer with local data, and is also configured
for DNS64 address mapping, a NULL pointer can be read
Index: src/external/bsd/bind/dist/doc/arm/notes.pdf
Binary files are different
Index: src/external/bsd/bind/dist/doc/arm/notes.xml
diff -u src/external/bsd/bind/dist/doc/arm/notes.xml:1.1.1.1.2.4.2.5 src/external/bsd/bind/dist/doc/arm/notes.xml:1.1.1.1.2.4.2.6
--- src/external/bsd/bind/dist/doc/arm/notes.xml:1.1.1.1.2.4.2.5 Mon Feb 20 16:27:17 2017
+++ src/external/bsd/bind/dist/doc/arm/notes.xml Fri Apr 21 05:16:42 2017
@@ -2,7 +2,7 @@
<!ENTITY mdash "—">
<!ENTITY ouml "ö">]>
<!--
- - Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2014-2017 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -24,6 +24,11 @@
This document summarizes changes since BIND 9.10.4:
</para>
<para>
+ BIND 9.10.4-P7 addresses the security issue described in
+ CVE-2017-3136, and updates the built in trusted keys for
+ the root zone.
+ </para>
+ <para>
BIND 9.10.4-P6 addresses the security issue described in
CVE-2017-3135, and fixes a regression introduced in a prior
security release.
@@ -64,10 +69,59 @@
</para>
</section>
+ <section xml:id="root_key"><info><title>New DNSSEC Root Key</title></info>
+ <para>
+ ICANN is in the process of introducing a new Key Signing Key (KSK) for
+ the global root zone. BIND has multiple methods for managing DNSSEC
+ trust anchors, with somewhat different behaviors. If the root
+ key is configured using the <command>managed-keys</command>
+ statement, or if the pre-configured root key is enabled by using
+ <command>dnssec-validation auto</command>, then BIND can keep
+ keys up to date automatically. Servers configured in this way
+ will roll seamlessly to the new key when it is published in
+ the root zone. However, keys configured using the
+ <command>trusted-keys</command> statement are not automatically
+ maintained. If your server is performing DNSSEC validation
+ and is configured using <command>trusted-keys</command>, you are
+ advised to change your configuration before the root zone begins
+ signing with the new KSK. This is currently scheduled for
+ October 11, 2017.
+ </para>
+ <para>
+ This release includes an updated version of the
+ <filename>bind.keys</filename> file containing the new root
+ key. This file can also be downloaded from
+ <link xmlns:xlink="http://www.w3.org/1999/xlink";
+ xlink:href="https://www.isc.org/bind-keys";>
+ https://www.isc.org/bind-keys
+ </link>.
+ </para>
+ </section>
+
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
+ 'rndc ""' could trigger a assertion failure in named. This flaw
+ is disclosed in (CVE-2017-3138). [RT #44924]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Some chaining (i.e., type CNAME or DNAME) responses to upstream
+ queries could trigger assertion failures. This flaw is disclosed
+ in CVE-2017-3137. [RT #44734]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>dns64</command> with <command>break-dnssec yes;</command>
+ can result in an assertion failure. This flaw is disclosed in
+ CVE-2017-3136. [RT #44653]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
If a server is configured with a response policy zone (RPZ)
that rewrites an answer with local data, and is also configured
for DNS64 address mapping, a NULL pointer can be read
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.pdf
Binary files are different
Index: src/external/bsd/bind/dist/doc/arm/man.arpaname.html
diff -u src/external/bsd/bind/dist/doc/arm/man.arpaname.html:1.1.1.12.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.arpaname.html:1.1.1.12.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.arpaname.html:1.1.1.12.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.arpaname.html Fri Apr 21 05:16:42 2017
@@ -81,6 +81,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.genrandom.html
diff -u src/external/bsd/bind/dist/doc/arm/man.genrandom.html:1.1.1.12.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.genrandom.html:1.1.1.12.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.genrandom.html:1.1.1.12.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.genrandom.html Fri Apr 21 05:16:42 2017
@@ -102,6 +102,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html:1.1.1.12.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html:1.1.1.12.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html:1.1.1.12.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html Fri Apr 21 05:16:42 2017
@@ -102,6 +102,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html
diff -u src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html:1.1.1.12.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html:1.1.1.12.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html:1.1.1.12.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html Fri Apr 21 05:16:42 2017
@@ -103,6 +103,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html
diff -u src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html:1.1.1.13.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html:1.1.1.13.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html:1.1.1.13.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html Fri Apr 21 05:16:42 2017
@@ -185,6 +185,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html:1.1.1.13.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html:1.1.1.13.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html:1.1.1.13.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html Fri Apr 21 05:16:42 2017
@@ -134,6 +134,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html:1.1.1.13.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html:1.1.1.13.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html:1.1.1.13.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html Fri Apr 21 05:16:42 2017
@@ -264,6 +264,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.delv.html
diff -u src/external/bsd/bind/dist/doc/arm/man.delv.html:1.1.1.1.4.5.2.5 src/external/bsd/bind/dist/doc/arm/man.delv.html:1.1.1.1.4.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.delv.html:1.1.1.1.4.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.delv.html Fri Apr 21 05:16:42 2017
@@ -498,6 +498,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html:1.1.1.3.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html:1.1.1.3.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html:1.1.1.3.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html Fri Apr 21 05:16:42 2017
@@ -112,6 +112,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html:1.1.1.3.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html:1.1.1.3.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html:1.1.1.3.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html Fri Apr 21 05:16:42 2017
@@ -219,6 +219,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html:1.1.1.2.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html:1.1.1.2.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html:1.1.1.2.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html Fri Apr 21 05:16:42 2017
@@ -177,6 +177,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html:1.1.1.2.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html:1.1.1.2.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html:1.1.1.2.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html Fri Apr 21 05:16:42 2017
@@ -104,6 +104,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html
diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html:1.1.1.5.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html:1.1.1.5.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html:1.1.1.5.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html Fri Apr 21 05:16:42 2017
@@ -164,6 +164,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html
diff -u src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html:1.1.1.11.2.5.2.5 src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html:1.1.1.11.2.5.2.6
--- src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html:1.1.1.11.2.5.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html Fri Apr 21 05:16:42 2017
@@ -112,6 +112,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.lwresd.html
diff -u src/external/bsd/bind/dist/doc/arm/man.lwresd.html:1.1.1.2.2.5 src/external/bsd/bind/dist/doc/arm/man.lwresd.html:1.1.1.2.2.6
--- src/external/bsd/bind/dist/doc/arm/man.lwresd.html:1.1.1.2.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.lwresd.html Fri Apr 21 05:16:42 2017
@@ -253,6 +253,6 @@
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/doc/arm/man.named.conf.html
diff -u src/external/bsd/bind/dist/doc/arm/man.named.conf.html:1.1.1.2.2.5 src/external/bsd/bind/dist/doc/arm/man.named.conf.html:1.1.1.2.2.6
--- src/external/bsd/bind/dist/doc/arm/man.named.conf.html:1.1.1.2.2.5 Mon Feb 20 16:27:16 2017
+++ src/external/bsd/bind/dist/doc/arm/man.named.conf.html Fri Apr 21 05:16:42 2017
@@ -676,6 +676,6 @@ zone <em class="replaceable"><code>strin
</tr>
</table>
</div>
-<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook"; style="text-align: center;">BIND 9.10.4-P8</p>
</body>
</html>
Index: src/external/bsd/bind/dist/lib/dns/api
diff -u src/external/bsd/bind/dist/lib/dns/api:1.1.1.16.2.5.2.5 src/external/bsd/bind/dist/lib/dns/api:1.1.1.16.2.5.2.6
--- src/external/bsd/bind/dist/lib/dns/api:1.1.1.16.2.5.2.5 Mon Feb 20 16:27:17 2017
+++ src/external/bsd/bind/dist/lib/dns/api Fri Apr 21 05:16:42 2017
@@ -6,5 +6,5 @@
# 9.9-sub: 130-139, 150-159
# 9.10: 140-149, 160-169
LIBINTERFACE = 165
-LIBREVISION = 5
+LIBREVISION = 7
LIBAGE = 0
Index: src/external/bsd/bind/dist/lib/dns/rdataset.c
diff -u src/external/bsd/bind/dist/lib/dns/rdataset.c:1.6.10.1.2.1 src/external/bsd/bind/dist/lib/dns/rdataset.c:1.6.10.1.2.2
--- src/external/bsd/bind/dist/lib/dns/rdataset.c:1.6.10.1.2.1 Mon Feb 20 16:27:17 2017
+++ src/external/bsd/bind/dist/lib/dns/rdataset.c Fri Apr 21 05:16:42 2017
@@ -1,7 +1,7 @@
-/* $NetBSD: rdataset.c,v 1.6.10.1.2.1 2017/02/20 16:27:17 sborrill Exp $ */
+/* $NetBSD: rdataset.c,v 1.6.10.1.2.2 2017/04/21 05:16:42 snj Exp $ */
/*
- * Copyright (C) 2004-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012, 2014, 2015, 2017 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
Index: src/external/bsd/bind/dist/lib/dns/resolver.c
diff -u src/external/bsd/bind/dist/lib/dns/resolver.c:1.19.2.3.2.5 src/external/bsd/bind/dist/lib/dns/resolver.c:1.19.2.3.2.6
--- src/external/bsd/bind/dist/lib/dns/resolver.c:1.19.2.3.2.5 Mon Feb 20 16:27:17 2017
+++ src/external/bsd/bind/dist/lib/dns/resolver.c Fri Apr 21 05:16:42 2017
@@ -1,7 +1,7 @@
-/* $NetBSD: resolver.c,v 1.19.2.3.2.5 2017/02/20 16:27:17 sborrill Exp $ */
+/* $NetBSD: resolver.c,v 1.19.2.3.2.6 2017/04/21 05:16:42 snj Exp $ */
/*
- * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -4469,6 +4469,7 @@ is_lame(fetchctx_t *fctx) {
isc_result_t result;
if (message->rcode != dns_rcode_noerror &&
+ message->rcode != dns_rcode_yxdomain &&
message->rcode != dns_rcode_nxdomain)
return (ISC_FALSE);
@@ -6081,79 +6082,6 @@ chase_additional(fetchctx_t *fctx) {
goto again;
}
-static inline isc_result_t
-cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_cname_t cname;
-
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &cname, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_name_init(tname, NULL);
- dns_name_clone(&cname.cname, tname);
- dns_rdata_freestruct(&cname);
-
- return (ISC_R_SUCCESS);
-}
-
-/*%
- * Construct the synthesised CNAME from the existing QNAME and
- * the DNAME RR and store it in 'target'.
- */
-static inline isc_result_t
-dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
- unsigned int nlabels, dns_name_t *target)
-{
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_dname_t dname;
- dns_fixedname_t prefix;
-
- /*
- * Get the target name of the DNAME.
- */
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &dname, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- dns_fixedname_init(&prefix);
- dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
- result = dns_name_concatenate(dns_fixedname_name(&prefix),
- &dname.dname, target, NULL);
- dns_rdata_freestruct(&dname);
- return (result);
-}
-
-/*%
- * Check if it was possible to construct 'qname' from 'lastcname'
- * and 'rdataset'.
- */
-static inline isc_result_t
-fromdname(dns_rdataset_t *rdataset, dns_name_t *lastcname,
- unsigned int nlabels, const dns_name_t *qname)
-{
- dns_fixedname_t fixed;
- isc_result_t result;
- dns_name_t *target;
-
- dns_fixedname_init(&fixed);
- target = dns_fixedname_name(&fixed);
- result = dname_target(rdataset, lastcname, nlabels, target);
- if (result != ISC_R_SUCCESS || !dns_name_equal(qname, target))
- return (ISC_R_NOTFOUND);
-
- return (ISC_R_SUCCESS);
-}
-
static isc_boolean_t
is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
dns_rdataset_t *rdataset)
@@ -6229,9 +6157,8 @@ is_answeraddress_allowed(dns_view_t *vie
}
static isc_boolean_t
-is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
- dns_rdatatype_t type, dns_name_t *tname,
- dns_name_t *domain)
+is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+ dns_rdataset_t *rdataset, isc_boolean_t *chainingp)
{
isc_result_t result;
dns_rbtnode_t *node = NULL;
@@ -6239,8 +6166,57 @@ is_answertarget_allowed(dns_view_t *view
char tnamebuf[DNS_NAME_FORMATSIZE];
char classbuf[64];
char typebuf[64];
+ dns_name_t *tname = NULL;
+ dns_rdata_cname_t cname;
+ dns_rdata_dname_t dname;
+ dns_view_t *view = fctx->res->view;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ unsigned int nlabels;
+ dns_fixedname_t fixed;
+ dns_name_t prefix;
+
+ REQUIRE(rdataset != NULL);
+ REQUIRE(rdataset->type == dns_rdatatype_cname ||
+ rdataset->type == dns_rdatatype_dname);
+
+ /*
+ * By default, we allow any target name.
+ * If newqname != NULL we also need to extract the newqname.
+ */
+ if (chainingp == NULL && view->denyanswernames == NULL)
+ return (ISC_TRUE);
+
+ result = dns_rdataset_first(rdataset);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ dns_rdataset_current(rdataset, &rdata);
+ switch (rdataset->type) {
+ case dns_rdatatype_cname:
+ result = dns_rdata_tostruct(&rdata, &cname, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ tname = &cname.cname;
+ break;
+ case dns_rdatatype_dname:
+ result = dns_rdata_tostruct(&rdata, &dname, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ dns_name_init(&prefix, NULL);
+ dns_fixedname_init(&fixed);
+ tname = dns_fixedname_name(&fixed);
+ nlabels = dns_name_countlabels(qname) -
+ dns_name_countlabels(rname);
+ dns_name_split(qname, nlabels, &prefix, NULL);
+ result = dns_name_concatenate(&prefix, &dname.dname, tname,
+ NULL);
+ if (result == DNS_R_NAMETOOLONG)
+ return (ISC_TRUE);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ break;
+ default:
+ INSIST(0);
+ }
+
+ if (chainingp != NULL)
+ *chainingp = ISC_TRUE;
- /* By default, we allow any target name. */
if (view->denyanswernames == NULL)
return (ISC_TRUE);
@@ -6249,8 +6225,8 @@ is_answertarget_allowed(dns_view_t *view
* or partially, allow it.
*/
if (view->answernames_exclude != NULL) {
- result = dns_rbt_findnode(view->answernames_exclude, name, NULL,
- &node, NULL, 0, NULL, NULL);
+ result = dns_rbt_findnode(view->answernames_exclude, qname,
+ NULL, &node, NULL, 0, NULL, NULL);
if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
return (ISC_TRUE);
}
@@ -6258,7 +6234,7 @@ is_answertarget_allowed(dns_view_t *view
/*
* If the target name is a subdomain of the search domain, allow it.
*/
- if (dns_name_issubdomain(tname, domain))
+ if (dns_name_issubdomain(tname, &fctx->domain))
return (ISC_TRUE);
/*
@@ -6267,9 +6243,9 @@ is_answertarget_allowed(dns_view_t *view
result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node,
NULL, 0, NULL, NULL);
if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
- dns_name_format(name, qnamebuf, sizeof(qnamebuf));
+ dns_name_format(qname, qnamebuf, sizeof(qnamebuf));
dns_name_format(tname, tnamebuf, sizeof(tnamebuf));
- dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+ dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
dns_rdataclass_format(view->rdclass, classbuf,
sizeof(classbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
@@ -6765,473 +6741,301 @@ noanswer_response(fetchctx_t *fctx, dns_
return (ISC_R_SUCCESS);
}
+static isc_boolean_t
+validinanswer(dns_rdataset_t *rdataset, fetchctx_t *fctx) {
+ if (rdataset->type == dns_rdatatype_nsec3) {
+ /*
+ * NSEC3 records are not allowed to
+ * appear in the answer section.
+ */
+ log_formerr(fctx, "NSEC3 in answer");
+ return (ISC_FALSE);
+ }
+ if (rdataset->type == dns_rdatatype_tkey) {
+ /*
+ * TKEY is not a valid record in a
+ * response to any query we can make.
+ */
+ log_formerr(fctx, "TKEY in answer");
+ return (ISC_FALSE);
+ }
+ if (rdataset->rdclass != fctx->res->rdclass) {
+ log_formerr(fctx, "Mismatched class in answer");
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
static isc_result_t
answer_response(fetchctx_t *fctx) {
isc_result_t result;
- dns_message_t *message;
- dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
- dns_name_t *cname = NULL, *lastcname = NULL;
- dns_rdataset_t *rdataset, *ns_rdataset;
- isc_boolean_t done, external, aa, found, want_chaining;
- isc_boolean_t have_answer, found_cname, found_dname, found_type;
- isc_boolean_t wanted_chaining;
- unsigned int aflag, chaining;
+ dns_message_t *message = NULL;
+ dns_name_t *name = NULL, *qname = NULL, *ns_name = NULL;
+ dns_name_t *aname = NULL, *cname = NULL, *dname = NULL;
+ dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+ dns_rdataset_t *ardataset = NULL, *crdataset = NULL;
+ dns_rdataset_t *drdataset = NULL, *ns_rdataset = NULL;
+ isc_boolean_t done = ISC_FALSE, aa;
+ unsigned int dname_labels, domain_labels;
+ isc_boolean_t chaining = ISC_FALSE;
dns_rdatatype_t type;
- dns_fixedname_t fdname, fqname;
- dns_view_t *view;
+ dns_view_t *view = NULL;
+ dns_trust_t trust;
+
+ REQUIRE(VALID_FCTX(fctx));
FCTXTRACE("answer_response");
message = fctx->rmessage;
+ qname = &fctx->name;
+ view = fctx->res->view;
+ type = fctx->type;
/*
- * Examine the answer section, marking those rdatasets which are
- * part of the answer and should be cached.
+ * There can be multiple RRSIG and SIG records at a name so
+ * we treat these types as a subset of ANY.
*/
+ if (type == dns_rdatatype_rrsig || type == dns_rdatatype_sig) {
+ type = dns_rdatatype_any;
+ }
- done = ISC_FALSE;
- found_cname = ISC_FALSE;
- found_dname = ISC_FALSE;
- found_type = ISC_FALSE;
- have_answer = ISC_FALSE;
- want_chaining = ISC_FALSE;
- chaining = 0;
- POST(want_chaining);
- if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
- aa = ISC_TRUE;
- else
- aa = ISC_FALSE;
- qname = &fctx->name;
- type = fctx->type;
- view = fctx->res->view;
- result = dns_message_firstname(message, DNS_SECTION_ANSWER);
- while (!done && result == ISC_R_SUCCESS) {
- dns_namereln_t namereln, lastreln;
- int order, lastorder;
- unsigned int nlabels, lastnlabels;
+ /*
+ * Bigger than any valid DNAME label count.
+ */
+ dname_labels = dns_name_countlabels(qname);
+ domain_labels = dns_name_countlabels(&fctx->domain);
+
+ /*
+ * Perform a single pass looking for the answer, cname or covering
+ * dname.
+ */
+ for (result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(message, DNS_SECTION_ANSWER))
+ {
+ int order;
+ unsigned int nlabels;
+ dns_namereln_t namereln;
name = NULL;
dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
- external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
-
- if (namereln == dns_namereln_equal) {
- wanted_chaining = ISC_FALSE;
+ switch (namereln) {
+ case dns_namereln_equal:
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- found = ISC_FALSE;
- want_chaining = ISC_FALSE;
- aflag = 0;
- if (rdataset->type == dns_rdatatype_nsec3) {
- /*
- * NSEC3 records are not allowed to
- * appear in the answer section.
- */
- log_formerr(fctx, "NSEC3 in answer");
- return (DNS_R_FORMERR);
- }
- if (rdataset->type == dns_rdatatype_tkey) {
- /*
- * TKEY is not a valid record in a
- * response to any query we can make.
- */
- log_formerr(fctx, "TKEY in answer");
- return (DNS_R_FORMERR);
- }
- if (rdataset->rdclass != fctx->res->rdclass) {
- log_formerr(fctx, "Mismatched class "
- "in answer");
- return (DNS_R_FORMERR);
- }
-
- /*
- * Apply filters, if given, on answers to reject
- * a malicious attempt of rebinding.
- */
- if ((rdataset->type == dns_rdatatype_a ||
- rdataset->type == dns_rdatatype_aaaa) &&
- !is_answeraddress_allowed(view, name,
- rdataset)) {
- return (DNS_R_SERVFAIL);
- }
-
- if (rdataset->type == type && !found_cname) {
- /*
- * We've found an ordinary answer.
- */
- found = ISC_TRUE;
- found_type = ISC_TRUE;
- done = ISC_TRUE;
- aflag = DNS_RDATASETATTR_ANSWER;
- } else if (type == dns_rdatatype_any) {
- /*
- * We've found an answer matching
- * an ANY query. There may be
- * more.
- */
- found = ISC_TRUE;
- aflag = DNS_RDATASETATTR_ANSWER;
- } else if (rdataset->type == dns_rdatatype_rrsig
- && rdataset->covers == type
- && !found_cname) {
- /*
- * We've found a signature that
- * covers the type we're looking for.
- */
- found = ISC_TRUE;
- found_type = ISC_TRUE;
- aflag = DNS_RDATASETATTR_ANSWERSIG;
- } else if (rdataset->type ==
- dns_rdatatype_cname
- && !found_type) {
- /*
- * We're looking for something else,
- * but we found a CNAME.
- *
- * Getting a CNAME response for some
- * query types is an error, see
- * RFC 4035, Section 2.5.
- */
- if (type == dns_rdatatype_rrsig ||
- type == dns_rdatatype_key ||
- type == dns_rdatatype_nsec) {
- char buf[DNS_RDATATYPE_FORMATSIZE];
- dns_rdatatype_format(fctx->type,
- buf, sizeof(buf));
- log_formerr(fctx,
- "CNAME response "
- "for %s RR", buf);
- return (DNS_R_FORMERR);
- }
- found = ISC_TRUE;
- found_cname = ISC_TRUE;
- want_chaining = ISC_TRUE;
- aflag = DNS_RDATASETATTR_ANSWER;
- result = cname_target(rdataset,
- &tname);
- if (result != ISC_R_SUCCESS)
- return (result);
- /* Apply filters on the target name. */
- if (!is_answertarget_allowed(view,
- name,
- rdataset->type,
- &tname,
- &fctx->domain)) {
- return (DNS_R_SERVFAIL);
+ rdataset = ISC_LIST_NEXT(rdataset, link))
+ {
+ if (rdataset->type == type ||
+ type == dns_rdatatype_any)
+ {
+ aname = name;
+ if (type != dns_rdatatype_any) {
+ ardataset = rdataset;
}
- lastcname = name;
- } else if (rdataset->type == dns_rdatatype_rrsig
- && rdataset->covers ==
- dns_rdatatype_cname
- && !found_type) {
- /*
- * We're looking for something else,
- * but we found a SIG CNAME.
- */
- found = ISC_TRUE;
- found_cname = ISC_TRUE;
- aflag = DNS_RDATASETATTR_ANSWERSIG;
+ break;
}
-
- if (found) {
- /*
- * We've found an answer to our
- * question.
- */
- name->attributes |=
- DNS_NAMEATTR_CACHE;
- rdataset->attributes |=
- DNS_RDATASETATTR_CACHE;
- rdataset->trust = dns_trust_answer;
- if (chaining == 0) {
- /*
- * This data is "the" answer
- * to our question only if
- * we're not chaining (i.e.
- * if we haven't followed
- * a CNAME or DNAME).
- */
- INSIST(!external);
- /*
- * Don't use found_cname here
- * as we have just set it
- * above.
- */
- if (cname == NULL &&
- !found_dname &&
- aflag ==
- DNS_RDATASETATTR_ANSWER)
- {
- have_answer = ISC_TRUE;
- if (found_cname &&
- cname == NULL)
- cname = name;
- name->attributes |=
- DNS_NAMEATTR_ANSWER;
- }
- rdataset->attributes |= aflag;
- if (aa)
- rdataset->trust =
- dns_trust_authanswer;
- } else if (external) {
- /*
- * This data is outside of
- * our query domain, and
- * may not be cached.
- */
- rdataset->attributes |=
- DNS_RDATASETATTR_EXTERNAL;
- }
-
- /*
- * Mark any additional data related
- * to this rdataset.
- */
- (void)dns_rdataset_additionaldata(
- rdataset,
- check_related,
- fctx);
-
- /*
- * CNAME chaining.
- */
- if (want_chaining) {
- wanted_chaining = ISC_TRUE;
- name->attributes |=
- DNS_NAMEATTR_CHAINING;
- rdataset->attributes |=
- DNS_RDATASETATTR_CHAINING;
- qname = &tname;
- }
+ if (rdataset->type == dns_rdatatype_cname) {
+ cname = name;
+ crdataset = rdataset;
+ break;
}
- /*
- * We could add an "else" clause here and
- * log that we're ignoring this rdataset.
- */
}
+ break;
+
+ case dns_namereln_subdomain:
/*
- * If wanted_chaining is true, we've done
- * some chaining as the result of processing
- * this node, and thus we need to set
- * chaining to true.
- *
- * We don't set chaining inside of the
- * rdataset loop because doing that would
- * cause us to ignore the signatures of
- * CNAMEs.
+ * In-scope DNAME records must have at least
+ * as many labels as the domain being queried.
+ * They also must be less that qname's labels
+ * and any previously found dname.
*/
- if (wanted_chaining && chaining < 2U)
- chaining++;
- } else {
- dns_rdataset_t *dnameset = NULL;
- isc_boolean_t synthcname = ISC_FALSE;
-
- if (lastcname != NULL) {
- lastreln = dns_name_fullcompare(lastcname,
- name,
- &lastorder,
- &lastnlabels);
- if (lastreln == dns_namereln_subdomain &&
- lastnlabels == dns_name_countlabels(name))
- synthcname = ISC_TRUE;
+ if (nlabels >= dname_labels || nlabels < domain_labels)
+ {
+ continue;
}
/*
- * Look for a DNAME (or its SIG). Anything else is
- * ignored.
+ * We are looking for the shortest DNAME if there
+ * are multiple ones (which there shouldn't be).
*/
- wanted_chaining = ISC_FALSE;
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link))
{
- if (rdataset->rdclass != fctx->res->rdclass) {
- log_formerr(fctx, "Mismatched class "
- "in answer");
- return (DNS_R_FORMERR);
- }
-
- /*
- * Only pass DNAME or RRSIG(DNAME).
- */
- if (rdataset->type != dns_rdatatype_dname &&
- (rdataset->type != dns_rdatatype_rrsig ||
- rdataset->covers != dns_rdatatype_dname))
+ if (rdataset->type != dns_rdatatype_dname) {
continue;
-
- /*
- * If we're not chaining, then the DNAME and
- * its signature should not be external.
- */
- if (chaining == 0 && external) {
- char qbuf[DNS_NAME_FORMATSIZE];
- char obuf[DNS_NAME_FORMATSIZE];
-
- dns_name_format(name, qbuf,
- sizeof(qbuf));
- dns_name_format(&fctx->domain, obuf,
- sizeof(obuf));
- log_formerr(fctx, "external DNAME or "
- "RRSIG covering DNAME "
- "in answer: %s is "
- "not in %s", qbuf, obuf);
- return (DNS_R_FORMERR);
- }
-
- /*
- * If DNAME + synthetic CNAME then the
- * namereln is dns_namereln_subdomain.
- */
- if (namereln != dns_namereln_subdomain &&
- !synthcname)
- {
- char qbuf[DNS_NAME_FORMATSIZE];
- char obuf[DNS_NAME_FORMATSIZE];
-
- dns_name_format(qname, qbuf,
- sizeof(qbuf));
- dns_name_format(name, obuf,
- sizeof(obuf));
- log_formerr(fctx, "unrelated DNAME "
- "in answer: %s is "
- "not in %s", qbuf, obuf);
- return (DNS_R_FORMERR);
}
+ dname = name;
+ drdataset = rdataset;
+ dname_labels = nlabels;
+ break;
+ }
+ break;
+ default:
+ break;
+ }
+ }
- aflag = 0;
- if (rdataset->type == dns_rdatatype_dname) {
- want_chaining = ISC_TRUE;
- POST(want_chaining);
- aflag = DNS_RDATASETATTR_ANSWER;
- dns_fixedname_init(&fdname);
- dname = dns_fixedname_name(&fdname);
- if (synthcname) {
- result = fromdname(rdataset,
- lastcname,
- lastnlabels,
- qname);
- } else {
- result = dname_target(rdataset,
- qname,
- nlabels,
- dname);
- }
- if (result == ISC_R_NOSPACE) {
- /*
- * We can't construct the
- * DNAME target. Do not
- * try to continue.
- */
- want_chaining = ISC_FALSE;
- POST(want_chaining);
- } else if (result != ISC_R_SUCCESS)
- return (result);
- else
- dnameset = rdataset;
+ if (dname != NULL) {
+ aname = NULL;
+ ardataset = NULL;
+ cname = NULL;
+ crdataset = NULL;
+ } else if (aname != NULL) {
+ cname = NULL;
+ crdataset = NULL;
+ }
- if (!synthcname &&
- !is_answertarget_allowed(view,
- qname, rdataset->type,
- dname, &fctx->domain))
- {
- return (DNS_R_SERVFAIL);
- }
- } else {
- /*
- * We've found a signature that
- * covers the DNAME.
- */
- aflag = DNS_RDATASETATTR_ANSWERSIG;
- }
+ aa = ISC_TF((message->flags & DNS_MESSAGEFLAG_AA) != 0);
+ trust = aa ? dns_trust_authanswer : dns_trust_answer;
- /*
- * We've found an answer to our
- * question.
- */
- name->attributes |= DNS_NAMEATTR_CACHE;
- rdataset->attributes |= DNS_RDATASETATTR_CACHE;
- rdataset->trust = dns_trust_answer;
- /*
- * If we are not chaining or the first CNAME
- * is a synthesised CNAME before the DNAME.
- */
- if ((chaining == 0) ||
- (chaining == 1U && synthcname))
- {
- /*
- * This data is "the" answer to
- * our question only if we're
- * not chaining.
- */
- INSIST(!external);
- if (aflag == DNS_RDATASETATTR_ANSWER) {
- have_answer = ISC_TRUE;
- found_dname = ISC_TRUE;
- if (cname != NULL &&
- synthcname)
- {
- cname->attributes &=
- ~DNS_NAMEATTR_ANSWER;
- }
- name->attributes |=
- DNS_NAMEATTR_ANSWER;
- }
- rdataset->attributes |= aflag;
- if (aa)
- rdataset->trust =
- dns_trust_authanswer;
- } else if (external) {
- rdataset->attributes |=
- DNS_RDATASETATTR_EXTERNAL;
- }
+ if (aname != NULL && type == dns_rdatatype_any) {
+ for (rdataset = ISC_LIST_HEAD(aname->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link))
+ {
+ if (!validinanswer(rdataset, fctx)) {
+ return (DNS_R_FORMERR);
}
-
- /*
- * DNAME chaining.
- */
- if (dnameset != NULL) {
- if (!synthcname) {
- /*
- * Copy the dname into the qname fixed
- * name.
- *
- * Although we check for failure of the
- * copy operation, in practice it
- * should never fail since we already
- * know that the result fits in a
- * fixedname.
- */
- dns_fixedname_init(&fqname);
- qname = dns_fixedname_name(&fqname);
- result = dns_name_copy(dname, qname,
- NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- wanted_chaining = ISC_TRUE;
- name->attributes |= DNS_NAMEATTR_CHAINING;
- dnameset->attributes |=
- DNS_RDATASETATTR_CHAINING;
+ if ((fctx->type == dns_rdatatype_sig ||
+ fctx->type == dns_rdatatype_rrsig) &&
+ rdataset->type != fctx->type)
+ {
+ continue;
}
- /*
- * Ensure that we can't ever get chaining == 1
- * above if we have processed a DNAME.
- */
- if (wanted_chaining && chaining < 2U)
- chaining += 2;
+ if ((rdataset->type == dns_rdatatype_a ||
+ rdataset->type == dns_rdatatype_aaaa) &&
+ !is_answeraddress_allowed(view, aname, rdataset))
+ {
+ return (DNS_R_SERVFAIL);
+ }
+ if ((rdataset->type == dns_rdatatype_cname ||
+ rdataset->type == dns_rdatatype_dname) &&
+ !is_answertarget_allowed(fctx, qname, aname,
+ rdataset, NULL))
+ {
+ return (DNS_R_SERVFAIL);
+ }
+ aname->attributes |= DNS_NAMEATTR_CACHE;
+ aname->attributes |= DNS_NAMEATTR_ANSWER;
+ rdataset->attributes |= DNS_RDATASETATTR_ANSWER;
+ rdataset->attributes |= DNS_RDATASETATTR_CACHE;
+ rdataset->trust = trust;
+ (void)dns_rdataset_additionaldata(rdataset,
+ check_related,
+ fctx);
}
- result = dns_message_nextname(message, DNS_SECTION_ANSWER);
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * We should have found an answer.
- */
- if (!have_answer) {
+ } else if (aname != NULL) {
+ if (!validinanswer(ardataset, fctx))
+ return (DNS_R_FORMERR);
+ if ((ardataset->type == dns_rdatatype_a ||
+ ardataset->type == dns_rdatatype_aaaa) &&
+ !is_answeraddress_allowed(view, aname, ardataset)) {
+ return (DNS_R_SERVFAIL);
+ }
+ if ((ardataset->type == dns_rdatatype_cname ||
+ ardataset->type == dns_rdatatype_dname) &&
+ !is_answertarget_allowed(fctx, qname, aname, ardataset,
+ NULL))
+ {
+ return (DNS_R_SERVFAIL);
+ }
+ aname->attributes |= DNS_NAMEATTR_CACHE;
+ aname->attributes |= DNS_NAMEATTR_ANSWER;
+ ardataset->attributes |= DNS_RDATASETATTR_ANSWER;
+ ardataset->attributes |= DNS_RDATASETATTR_CACHE;
+ ardataset->trust = trust;
+ (void)dns_rdataset_additionaldata(ardataset, check_related,
+ fctx);
+ for (sigrdataset = ISC_LIST_HEAD(aname->list);
+ sigrdataset != NULL;
+ sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+ if (!validinanswer(sigrdataset, fctx))
+ return (DNS_R_FORMERR);
+ if (sigrdataset->type != dns_rdatatype_rrsig ||
+ sigrdataset->covers != type)
+ continue;
+ sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
+ sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
+ sigrdataset->trust = trust;
+ break;
+ }
+ } else if (cname != NULL) {
+ if (!validinanswer(crdataset, fctx)) {
+ return (DNS_R_FORMERR);
+ }
+ if (type == dns_rdatatype_rrsig || type == dns_rdatatype_key ||
+ type == dns_rdatatype_nsec)
+ {
+ char buf[DNS_RDATATYPE_FORMATSIZE];
+ dns_rdatatype_format(type, buf, sizeof(buf));
+ log_formerr(fctx, "CNAME response for %s RR", buf);
+ return (DNS_R_FORMERR);
+ }
+ if (!is_answertarget_allowed(fctx, qname, cname, crdataset,
+ NULL))
+ {
+ return (DNS_R_SERVFAIL);
+ }
+ cname->attributes |= DNS_NAMEATTR_CACHE;
+ cname->attributes |= DNS_NAMEATTR_ANSWER;
+ cname->attributes |= DNS_NAMEATTR_CHAINING;
+ crdataset->attributes |= DNS_RDATASETATTR_ANSWER;
+ crdataset->attributes |= DNS_RDATASETATTR_CACHE;
+ crdataset->attributes |= DNS_RDATASETATTR_CHAINING;
+ crdataset->trust = trust;
+ for (sigrdataset = ISC_LIST_HEAD(cname->list);
+ sigrdataset != NULL;
+ sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+ {
+ if (!validinanswer(sigrdataset, fctx)) {
+ return (DNS_R_FORMERR);
+ }
+ if (sigrdataset->type != dns_rdatatype_rrsig ||
+ sigrdataset->covers != dns_rdatatype_cname)
+ {
+ continue;
+ }
+ sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
+ sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
+ sigrdataset->trust = trust;
+ break;
+ }
+ chaining = ISC_TRUE;
+ } else if (dname != NULL) {
+ if (!validinanswer(drdataset, fctx)) {
+ return (DNS_R_FORMERR);
+ }
+ if (!is_answertarget_allowed(fctx, qname, dname, drdataset,
+ &chaining)) {
+ return (DNS_R_SERVFAIL);
+ }
+ dname->attributes |= DNS_NAMEATTR_CACHE;
+ dname->attributes |= DNS_NAMEATTR_ANSWER;
+ dname->attributes |= DNS_NAMEATTR_CHAINING;
+ drdataset->attributes |= DNS_RDATASETATTR_ANSWER;
+ drdataset->attributes |= DNS_RDATASETATTR_CACHE;
+ drdataset->attributes |= DNS_RDATASETATTR_CHAINING;
+ drdataset->trust = trust;
+ for (sigrdataset = ISC_LIST_HEAD(dname->list);
+ sigrdataset != NULL;
+ sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+ {
+ if (!validinanswer(sigrdataset, fctx)) {
+ return (DNS_R_FORMERR);
+ }
+ if (sigrdataset->type != dns_rdatatype_rrsig ||
+ sigrdataset->covers != dns_rdatatype_dname)
+ {
+ continue;
+ }
+ sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
+ sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
+ sigrdataset->trust = trust;
+ break;
+ }
+ } else {
log_formerr(fctx, "reply has no answer");
return (DNS_R_FORMERR);
}
@@ -7244,14 +7048,8 @@ answer_response(fetchctx_t *fctx) {
/*
* Did chaining end before we got the final answer?
*/
- if (chaining != 0) {
- /*
- * Yes. This may be a negative reply, so hand off
- * authority section processing to the noanswer code.
- * If it isn't a noanswer response, no harm will be
- * done.
- */
- return (noanswer_response(fctx, qname, 0));
+ if (chaining) {
+ return (ISC_R_SUCCESS);
}
/*
@@ -7270,11 +7068,9 @@ answer_response(fetchctx_t *fctx) {
* We expect there to be only one owner name for all the rdatasets
* in this section, and we expect that it is not external.
*/
- done = ISC_FALSE;
- ns_name = NULL;
- ns_rdataset = NULL;
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
while (!done && result == ISC_R_SUCCESS) {
+ isc_boolean_t external;
name = NULL;
dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
@@ -7293,12 +7089,13 @@ answer_response(fetchctx_t *fctx) {
DNS_NAMEATTR_CACHE;
rdataset->attributes |=
DNS_RDATASETATTR_CACHE;
- if (aa && chaining == 0)
+ if (aa && !chaining) {
rdataset->trust =
dns_trust_authauthority;
- else
+ } else {
rdataset->trust =
dns_trust_additional;
+ }
if (rdataset->type == dns_rdatatype_ns)
{
@@ -8099,6 +7896,7 @@ resquery_response(isc_task_t *task, isc_
* Is the remote server broken, or does it dislike us?
*/
if (message->rcode != dns_rcode_noerror &&
+ message->rcode != dns_rcode_yxdomain &&
message->rcode != dns_rcode_nxdomain) {
isc_buffer_t b;
char code[64];
@@ -8163,13 +7961,6 @@ resquery_response(isc_task_t *task, isc_
log_formerr(fctx, "server sent FORMERR");
result = DNS_R_FORMERR;
}
- } else if (message->rcode == dns_rcode_yxdomain) {
- /*
- * DNAME mapping failed because the new name
- * was too long. There's no chance of success
- * for this fetch.
- */
- result = DNS_R_YXDOMAIN;
} else if (message->rcode == dns_rcode_badvers) {
unsigned int flags, mask;
unsigned int version;
@@ -8328,6 +8119,7 @@ resquery_response(isc_task_t *task, isc_
*/
if (message->counts[DNS_SECTION_ANSWER] > 0 &&
(message->rcode == dns_rcode_noerror ||
+ message->rcode == dns_rcode_yxdomain ||
message->rcode == dns_rcode_nxdomain)) {
/*
* [normal case]
Index: src/external/bsd/bind/dist/lib/isc/lex.c
diff -u src/external/bsd/bind/dist/lib/isc/lex.c:1.5.6.1 src/external/bsd/bind/dist/lib/isc/lex.c:1.5.6.2
--- src/external/bsd/bind/dist/lib/isc/lex.c:1.5.6.1 Sun Mar 13 08:00:37 2016
+++ src/external/bsd/bind/dist/lib/isc/lex.c Fri Apr 21 05:16:42 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: lex.c,v 1.5.6.1 2016/03/13 08:00:37 martin Exp $ */
+/* $NetBSD: lex.c,v 1.5.6.2 2017/04/21 05:16:42 snj Exp $ */
/*
* Copyright (C) 2004, 2005, 2007, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
@@ -96,9 +96,10 @@ isc_lex_create(isc_mem_t *mctx, size_t m
/*
* Create a lexer.
*/
-
REQUIRE(lexp != NULL && *lexp == NULL);
- REQUIRE(max_token > 0U);
+
+ if (max_token == 0U)
+ max_token = 1;
lex = isc_mem_get(mctx, sizeof(*lex));
if (lex == NULL)
Index: src/external/bsd/bind/dist/lib/isc/include/isc/lex.h
diff -u src/external/bsd/bind/dist/lib/isc/include/isc/lex.h:1.3 src/external/bsd/bind/dist/lib/isc/include/isc/lex.h:1.3.14.1
--- src/external/bsd/bind/dist/lib/isc/include/isc/lex.h:1.3 Tue Jun 5 00:42:36 2012
+++ src/external/bsd/bind/dist/lib/isc/include/isc/lex.h Fri Apr 21 05:16:42 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: lex.h,v 1.3 2012/06/05 00:42:36 christos Exp $ */
+/* $NetBSD: lex.h,v 1.3.14.1 2017/04/21 05:16:42 snj Exp $ */
/*
* Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
@@ -154,8 +154,6 @@ isc_lex_create(isc_mem_t *mctx, size_t m
* Requires:
*\li '*lexp' is a valid lexer.
*
- *\li max_token > 0.
- *
* Ensures:
*\li On success, *lexp is attached to the newly created lexer.
*
