head	1.21;
access;
symbols
	RELENG_8_4:1.21.0.2
	RELENG_9_1_0_RELEASE:1.18.2.2
	RELENG_9_1:1.18.2.2.0.2
	RELENG_9_1_BP:1.18.2.2
	RELENG_8_3_0_RELEASE:1.7.2.8
	RELENG_8_3:1.7.2.8.0.2
	RELENG_8_3_BP:1.7.2.8
	RELENG_9_0_0_RELEASE:1.18
	RELENG_9_0:1.18.0.4
	RELENG_9_0_BP:1.18
	RELENG_9:1.18.0.2
	RELENG_9_BP:1.18
	RELENG_7_4_0_RELEASE:1.1.1.6.2.8
	RELENG_8_2_0_RELEASE:1.7.2.5
	RELENG_7_4:1.1.1.6.2.8.0.2
	RELENG_7_4_BP:1.1.1.6.2.8
	RELENG_8_2:1.7.2.5.0.2
	RELENG_8_2_BP:1.7.2.5
	RELENG_8_1_0_RELEASE:1.7.2.3
	RELENG_8_1:1.7.2.3.0.2
	RELENG_8_1_BP:1.7.2.3
	RELENG_7_3_0_RELEASE:1.1.1.6.2.5
	RELENG_7_3:1.1.1.6.2.5.0.2
	RELENG_7_3_BP:1.1.1.6.2.5
	RELENG_8_0_0_RELEASE:1.7
	RELENG_8_0:1.7.0.4
	RELENG_8_0_BP:1.7
	RELENG_8:1.7.0.2
	RELENG_8_BP:1.7
	RELENG_7_2_0_RELEASE:1.1.1.6.2.4
	RELENG_7_2:1.1.1.6.2.4.0.2
	RELENG_7_2_BP:1.1.1.6.2.4
	RELENG_7_1_0_RELEASE:1.1.1.6.2.3
	RELENG_6_4_0_RELEASE:1.1.1.2.2.6
	RELENG_7_1:1.1.1.6.2.3.0.2
	RELENG_7_1_BP:1.1.1.6.2.3
	RELENG_6_4:1.1.1.2.2.6.0.2
	RELENG_6_4_BP:1.1.1.2.2.6
	RELENG_7_0_0_RELEASE:1.1.1.6.2.1
	RELENG_6_3_0_RELEASE:1.1.1.2.2.3
	RELENG_7_0:1.1.1.6.2.1.0.2
	RELENG_7_0_BP:1.1.1.6.2.1
	BIND_9_4_2:1.1.1.7
	RELENG_6_3:1.1.1.2.2.3.0.2
	RELENG_6_3_BP:1.1.1.2.2.3
	RELENG_7:1.1.1.6.0.2
	RELENG_7_BP:1.1.1.6
	BIND_9_4_1_P1:1.1.1.6
	BIND_9_4_1:1.1.1.6
	BIND_9_3_4:1.1.1.5
	RELENG_6_2_0_RELEASE:1.1.1.2.2.1.4.1
	BIND_9_3_3:1.1.1.4
	RELENG_6_2:1.1.1.2.2.1.0.4
	RELENG_6_2_BP:1.1.1.2.2.1
	RELENG_5_5_0_RELEASE:1.1.1.1.2.3
	RELENG_5_5:1.1.1.1.2.3.0.2
	RELENG_5_5_BP:1.1.1.1.2.3
	RELENG_6_1_0_RELEASE:1.1.1.2.2.1
	RELENG_6_1:1.1.1.2.2.1.0.2
	RELENG_6_1_BP:1.1.1.2.2.1
	BIND_9_3_2:1.1.1.3
	RELENG_6_0_0_RELEASE:1.1.1.2
	RELENG_6_0:1.1.1.2.0.4
	RELENG_6_0_BP:1.1.1.2
	RELENG_6:1.1.1.2.0.2
	RELENG_6_BP:1.1.1.2
	RELENG_5_4_0_RELEASE:1.1.1.1.2.2
	RELENG_5_4:1.1.1.1.2.2.0.2
	RELENG_5_4_BP:1.1.1.1.2.2
	BIND_9_3_1:1.1.1.2
	RELENG_5_3_0_RELEASE:1.1.1.1.2.1
	RELENG_5_3:1.1.1.1.2.1.0.2
	RELENG_5_3_BP:1.1.1.1.2.1
	RELENG_5:1.1.1.1.0.2
	BIND_9_3_0:1.1.1.1
	BIND_9_3_0_RC4:1.1.1.1
	ISC:1.1.1;
locks; strict;
comment	@# @;


1.21
date	2012.12.07.12.43.13;	author svnexp;	state Exp;
branches
	1.21.2.1;
next	1.20;

1.20
date	2012.05.28.19.47.56;	author dougb;	state Exp;
branches;
next	1.19;

1.19
date	2012.04.05.04.29.35;	author dougb;	state Exp;
branches;
next	1.18;

1.18
date	2011.09.03.07.13.45;	author dougb;	state Exp;
branches
	1.18.2.1;
next	1.17;

1.17
date	2011.07.16.11.12.09;	author dougb;	state Exp;
branches;
next	1.16;

1.16
date	2011.07.06.00.48.31;	author dougb;	state Exp;
branches;
next	1.15;

1.15
date	2011.05.28.00.21.28;	author dougb;	state Exp;
branches;
next	1.14;

1.14
date	2011.02.06.22.46.07;	author dougb;	state Exp;
branches;
next	1.13;

1.13
date	2010.12.04.05.58.56;	author dougb;	state Exp;
branches;
next	1.12;

1.12
date	2010.10.31.04.45.53;	author dougb;	state Exp;
branches;
next	1.11;

1.11
date	2010.05.20.08.15.06;	author dougb;	state Exp;
branches;
next	1.10;

1.10
date	2010.03.18.19.00.35;	author dougb;	state Exp;
branches;
next	1.9;

1.9
date	2010.03.03.05.45.24;	author dougb;	state Exp;
branches;
next	1.8;

1.8
date	2009.11.30.03.38.34;	author dougb;	state Exp;
branches;
next	1.7;

1.7
date	2009.06.25.19.16.29;	author dougb;	state Exp;
branches
	1.7.2.1;
next	1.6;

1.6
date	2009.05.31.05.42.58;	author dougb;	state Exp;
branches;
next	1.5;

1.5
date	2009.01.09.11.45.45;	author dougb;	state Exp;
branches;
next	1.4;

1.4
date	2008.12.23.22.47.56;	author dougb;	state Exp;
branches;
next	1.3;

1.3
date	2008.09.01.22.54.49;	author dougb;	state Exp;
branches;
next	1.2;

1.2
date	2008.07.12.09.38.35;	author dougb;	state Exp;
branches;
next	1.1;

1.1
date	2004.09.19.01.30.18;	author trhodes;	state Exp;
branches
	1.1.1.1;
next	;

1.21.2.1
date	2012.12.07.12.43.13;	author svnexp;	state dead;
branches;
next	1.21.2.2;

1.21.2.2
date	2013.03.28.13.00.21;	author svnexp;	state Exp;
branches;
next	;

1.18.2.1
date	2012.04.08.01.43.41;	author dougb;	state Exp;
branches;
next	1.18.2.2;

1.18.2.2
date	2012.06.01.03.46.28;	author dougb;	state Exp;
branches;
next	1.18.2.3;

1.18.2.3
date	2013.01.08.10.02.28;	author svnexp;	state Exp;
branches;
next	1.18.2.4;

1.18.2.4
date	2013.08.16.08.01.50;	author svnexp;	state Exp;
branches;
next	1.18.2.5;

1.18.2.5
date	2013.08.26.08.01.49;	author svnexp;	state Exp;
branches;
next	1.18.2.6;

1.18.2.6
date	2014.03.03.10.08.04;	author svnexp;	state Exp;
branches;
next	;

1.7.2.1
date	2009.12.11.01.23.58;	author dougb;	state Exp;
branches;
next	1.7.2.2;

1.7.2.2
date	2010.03.29.06.31.58;	author dougb;	state Exp;
branches;
next	1.7.2.3;

1.7.2.3
date	2010.05.23.21.15.36;	author dougb;	state Exp;
branches;
next	1.7.2.4;

1.7.2.4
date	2010.11.04.21.48.39;	author dougb;	state Exp;
branches;
next	1.7.2.5;

1.7.2.5
date	2010.12.08.19.59.53;	author dougb;	state Exp;
branches;
next	1.7.2.6;

1.7.2.6
date	2011.02.05.19.13.34;	author dougb;	state Exp;
branches;
next	1.7.2.7;

1.7.2.7
date	2011.05.28.00.33.06;	author dougb;	state Exp;
branches;
next	1.7.2.8;

1.7.2.8
date	2011.07.06.00.50.54;	author dougb;	state Exp;
branches;
next	1.7.2.9;

1.7.2.9
date	2012.04.05.04.31.17;	author dougb;	state Exp;
branches;
next	1.7.2.10;

1.7.2.10
date	2012.05.28.19.48.37;	author dougb;	state Exp;
branches;
next	1.7.2.11;

1.7.2.11
date	2013.01.04.14.22.20;	author svnexp;	state Exp;
branches;
next	1.7.2.12;

1.7.2.12
date	2013.02.11.12.33.25;	author svnexp;	state Exp;
branches;
next	1.7.2.13;

1.7.2.13
date	2014.03.03.10.23.39;	author svnexp;	state Exp;
branches;
next	;

1.1.1.1
date	2004.09.19.01.30.18;	author trhodes;	state Exp;
branches
	1.1.1.1.2.1;
next	1.1.1.2;

1.1.1.2
date	2005.03.17.08.03.33;	author dougb;	state Exp;
branches
	1.1.1.2.2.1;
next	1.1.1.3;

1.1.1.3
date	2005.12.29.04.22.42;	author dougb;	state Exp;
branches;
next	1.1.1.4;

1.1.1.4
date	2006.12.10.07.09.04;	author dougb;	state Exp;
branches;
next	1.1.1.5;

1.1.1.5
date	2007.01.29.18.31.52;	author dougb;	state Exp;
branches;
next	1.1.1.6;

1.1.1.6
date	2007.06.02.23.21.36;	author dougb;	state Exp;
branches
	1.1.1.6.2.1;
next	1.1.1.7;

1.1.1.7
date	2007.12.02.19.10.37;	author dougb;	state Exp;
branches;
next	;

1.1.1.1.2.1
date	2004.09.26.03.09.51;	author des;	state Exp;
branches;
next	1.1.1.1.2.2;

1.1.1.1.2.2
date	2005.03.23.18.16.29;	author dougb;	state Exp;
branches;
next	1.1.1.1.2.3;

1.1.1.1.2.3
date	2006.01.14.10.42.07;	author dougb;	state Exp;
branches;
next	1.1.1.1.2.4;

1.1.1.1.2.4
date	2006.12.13.09.57.08;	author dougb;	state Exp;
branches;
next	1.1.1.1.2.5;

1.1.1.1.2.5
date	2007.02.07.00.46.34;	author dougb;	state Exp;
branches;
next	;

1.1.1.2.2.1
date	2006.01.14.10.13.44;	author dougb;	state Exp;
branches
	1.1.1.2.2.1.4.1;
next	1.1.1.2.2.2;

1.1.1.2.2.2
date	2006.12.13.09.46.56;	author dougb;	state Exp;
branches;
next	1.1.1.2.2.3;

1.1.1.2.2.3
date	2007.02.07.00.42.08;	author dougb;	state Exp;
branches
	1.1.1.2.2.3.2.1;
next	1.1.1.2.2.4;

1.1.1.2.2.4
date	2008.06.03.05.38.10;	author dougb;	state Exp;
branches;
next	1.1.1.2.2.5;

1.1.1.2.2.5
date	2008.07.12.10.07.33;	author dougb;	state Exp;
branches;
next	1.1.1.2.2.6;

1.1.1.2.2.6
date	2008.09.01.22.56.10;	author dougb;	state Exp;
branches;
next	1.1.1.2.2.7;

1.1.1.2.2.7
date	2009.01.10.04.30.27;	author dougb;	state Exp;
branches;
next	;

1.1.1.2.2.1.4.1
date	2006.12.13.09.52.24;	author dougb;	state Exp;
branches;
next	;

1.1.1.2.2.3.2.1
date	2008.07.13.18.42.38;	author cperciva;	state Exp;
branches;
next	;

1.1.1.6.2.1
date	2007.12.07.08.31.14;	author dougb;	state Exp;
branches
	1.1.1.6.2.1.2.1;
next	1.1.1.6.2.2;

1.1.1.6.2.2
date	2008.07.13.18.42.38;	author cperciva;	state Exp;
branches;
next	1.1.1.6.2.3;

1.1.1.6.2.3
date	2008.11.14.11.00.34;	author dougb;	state Exp;
branches;
next	1.1.1.6.2.4;

1.1.1.6.2.4
date	2009.01.10.03.00.21;	author dougb;	state Exp;
branches;
next	1.1.1.6.2.5;

1.1.1.6.2.5
date	2009.12.11.02.23.04;	author dougb;	state Exp;
branches;
next	1.1.1.6.2.6;

1.1.1.6.2.6
date	2010.05.24.06.41.57;	author dougb;	state Exp;
branches;
next	1.1.1.6.2.7;

1.1.1.6.2.7
date	2010.11.04.21.50.19;	author dougb;	state Exp;
branches;
next	1.1.1.6.2.8;

1.1.1.6.2.8
date	2010.12.09.21.11.53;	author dougb;	state Exp;
branches;
next	1.1.1.6.2.9;

1.1.1.6.2.9
date	2011.05.28.00.58.19;	author dougb;	state Exp;
branches;
next	1.1.1.6.2.10;

1.1.1.6.2.10
date	2011.08.02.09.42.58;	author dougb;	state Exp;
branches;
next	;

1.1.1.6.2.1.2.1
date	2008.07.13.18.42.38;	author cperciva;	state Exp;
branches;
next	;


desc
@@


1.21
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/243981
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@# LIBINTERFACE ranges
# 9.6: 50-59, 110-119
# 9.7: 60-79
# 9.8: 80-89
# 9.9: 90-109
LIBINTERFACE = 89
LIBREVISION = 1
LIBAGE = 1
@


1.21.2.1
log
@file api was added on branch RELENG_8_4 on 2013-03-28 13:00:21 +0000
@
text
@d1 8
@


1.21.2.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 8
# LIBINTERFACE ranges
# 9.6: 50-59, 110-119
# 9.7: 60-79
# 9.8: 80-89
# 9.9: 90-109
LIBINTERFACE = 89
LIBREVISION = 1
LIBAGE = 1
@


1.20
log
@SVN rev 236196 on 2012-05-28 19:47:56Z by dougb

Upgrade to BIND version 9.8.3, the latest from ISC.

Feature Change

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)

Bug Fix

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-
   threaded environment.

Other critical bug fixes are included.

All BIND users are encouraged to upgrade.
@
text
@d6 1
a6 1
LIBINTERFACE = 87
d8 1
a8 1
LIBAGE = 6
@


1.19
log
@SVN rev 233914 on 2012-04-05 04:29:35Z by dougb

Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes.
@
text
@d7 1
a7 1
LIBREVISION = 0
@


1.18
log
@SVN rev 225361 on 2011-09-03 07:13:45Z by dougb

Upgrade to BIND version 9.8.1. Release notes at:

https://deepthought.isc.org/article/AA-00446/81/
or
/usr/src/contrib/bind9/

Approved by:	re (kib)
@
text
@d1 8
a8 3
LIBINTERFACE = 84
LIBREVISION = 1
LIBAGE = 3
@


1.18.2.1
log
@SVN rev 234010 on 2012-04-08 01:43:41Z by dougb

MFC r233909:

Add Bv9ARM.pdf to the list of docs to install.

MFV/MFC r233914:

Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes.
@
text
@d1 3
a3 8
# LIBINTERFACE ranges
# 9.6: 50-59, 110-119
# 9.7: 60-79
# 9.8: 80-89
# 9.9: 90-109
LIBINTERFACE = 87
LIBREVISION = 0
LIBAGE = 6
@


1.18.2.2
log
@SVN rev 236374 on 2012-06-01 03:46:28Z by dougb

MFV r236171, MFC r236196:

Upgrade to BIND version 9.8.3, the latest from ISC.

Feature Change

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)

Bug Fix

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-
   threaded environment.

Other critical bug fixes are included.

All BIND users are encouraged to upgrade.
@
text
@d7 1
a7 1
LIBREVISION = 1
@


1.18.2.3
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/245163
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r245163 | erwin | 2013-01-08 09:05:09 +0000 (Tue, 08 Jan 2013) | 21 lines
## SVN ##
## SVN ## MFC r243981,243987:
## SVN ##
## SVN ##   Update to 9.8.4-P1.
## SVN ##
## SVN ##   New Features
## SVN ##
## SVN ##   *  Elliptic Curve Digital Signature Algorithm keys and signatures in
## SVN ##      DNSSEC are now supported per RFC 6605. [RT #21918]
## SVN ##
## SVN ##   Feature Changes
## SVN ##
## SVN ##   *  Improves OpenSSL error logging [RT #29932]
## SVN ##
## SVN ##   *  nslookup now returns a nonzero exit code when it is unable to get
## SVN ##      an answer.  [RT #29492]
## SVN ##
## SVN ##   Other critical bug fixes are included.
## SVN ##
## SVN ##   Approved by:  delphij (mentor)
## SVN ##   Sponsored by: DK Hostmaster A/S
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d6 1
a6 1
LIBINTERFACE = 89
d8 1
a8 1
LIBAGE = 1
@


1.18.2.4
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/254402
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@d4 1
a4 1
# 9.8: 80-89, 120-129
d6 1
a6 2
# 9.9-sub: 130-139
LIBINTERFACE = 122
d8 1
a8 1
LIBAGE = 0
@


1.18.2.5
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/254897
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@d7 1
a7 1
LIBINTERFACE = 99
@


1.18.2.6
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/262706
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@d7 3
a9 3
LIBINTERFACE = 102
LIBREVISION = 2
LIBAGE = 2
@


1.17
log
@SVN rev 224092 on 2011-07-16 11:12:09Z by dougb

Upgrade to version 9.8.0-P4

This version has many new features, see /usr/share/doc/bind9/README
for details.
@
text
@d1 3
a3 3
LIBINTERFACE = 82
LIBREVISION = 3
LIBAGE = 1
@


1.16
log
@SVN rev 223812 on 2011-07-06 00:48:31Z by dougb

Update to version 9.6-ESV-R4-P3

ALL BIND USERS ARE ENCOURAGED TO UPGRADE IMMEDIATELY

This update addresses the following vulnerability:

CVE-2011-2464
=============
Severity:	High
Exploitable:	Remotely

Description:

A defect in the affected BIND 9 versions allows an attacker to remotely
cause the "named" process to exit using a specially crafted packet. This
defect affects both recursive and authoritative servers. The code location
of the defect makes it impossible to protect BIND using ACLs configured
within named.conf or by disabling any features at compile-time or run-time.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464
https://www.isc.org/software/bind/advisories/cve-2011-2464
@
text
@d1 2
a2 2
LIBINTERFACE = 59
LIBREVISION = 5
@


1.15
log
@SVN rev 222395 on 2011-05-28 00:21:28Z by dougb

Upgrade to 9.6-ESV-R4-P1, which address the following issues:

1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.

This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.

Add a patch provided by ru@@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.
@
text
@d2 1
a2 1
LIBREVISION = 4
@


1.14
log
@SVN rev 218384 on 2011-02-06 22:46:07Z by dougb

Update to BIND 9.6.3, the latest from ISC on the 9.6 branch.

All 9.6 users with DNSSEC validation enabled should upgrade to this
version, or the latest version in the 9.7 branch, prior to 2011-03-31
in order to avoid validation failures for names in .COM as described
here:

https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record

In addition the fixes for this and other bugs, there are also the
following:

  * Various fixes to kerberos support, including GSS-TSIG
  * Various fixes to avoid leaking memory, and to problems that could
    prevent a clean shutdown of named
@
text
@d2 1
a2 1
LIBREVISION = 2
@


1.13
log
@SVN rev 216175 on 2010-12-04 05:58:56Z by dougb

Update to version 9.6-ESV-R3, the latest from ISC, which addresses
the following security vulnerabilities.

For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories

1. Cache incorrectly allows ncache and rrsig for the same type

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613

   Affects resolver operators whose servers are open to potential
   attackers. Triggering the bug will cause the server to crash.

   This bug applies even if you do not have DNSSEC enabled.

2. Key algorithm rollover

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614

   Affects resolver operators who are validating with DNSSEC, and
   querying zones which are in a key rollover period. The bug will
   cause answers to incorrectly be marked as insecure.
@
text
@d1 3
a3 3
LIBINTERFACE = 58
LIBREVISION = 0
LIBAGE = 0
@


1.12
log
@SVN rev 214586 on 2010-10-31 04:45:53Z by dougb

Update to 9.6-ESV-R2, the latest from ISC.

This version contains bug fixes that are relevant to any
caching/resolving name server; as well as DNSSEC-related
fixes.
@
text
@d1 1
a1 1
LIBINTERFACE = 57
d3 1
a3 1
LIBAGE = 2
@


1.11
log
@SVN rev 208337 on 2010-05-20 08:15:06Z by dougb

Upgrade to 9.6.2-P2, which addresses the following;

   Named could return SERVFAIL for negative responses
   from unsigned zones.
@
text
@d1 3
a3 3
LIBINTERFACE = 56
LIBREVISION = 1
LIBAGE = 1
@


1.10
log
@SVN rev 205292 on 2010-03-18 19:00:35Z by dougb

Update to 9.6.2-P1, the latest patchfix release which deals with
the problems related to the handling of broken DNSSEC trust chains.

This fix is only relevant for those who have DNSSEC validation
enabled and configure trust anchors from third parties, either
manually, or through a system like DLV.
@
text
@d2 1
a2 1
LIBREVISION = 0
@


1.9
log
@SVN rev 204619 on 2010-03-03 05:45:24Z by dougb

Upgrade to version 9.6.2. This version includes all previously released
security patches to the 9.6.1 version, as well as many other bug fixes.

This version also incorporates a different fix for the problem we had
patched in contrib/bind9/bin/dig/dighost.c, so that file is now back
to being the same as the vendor version.

Due to the fact that the DNSSEC algorithm that will be used to sign the
root zone is only included in this version and in 9.7.x those who wish
to do validation MUST upgrade to one of these prior to July 2010.
@
text
@d1 3
a3 3
LIBINTERFACE = 55
LIBREVISION = 1
LIBAGE = 0
@


1.8
log
@SVN rev 199958 on 2009-11-30 03:38:34Z by dougb

Update to BIND 9.6.1-P2. The vulnerability this is designed to fix is
related to DNSSEC validation on a resolving name server that allows
access to untrusted users. If your system does not fall into all 3 of
these categories you do not need to update immediately.
@
text
@d1 2
a2 2
LIBINTERFACE = 53
LIBREVISION = 0
@


1.7
log
@SVN rev 194995 on 2009-06-25 19:16:29Z by dougb

Update to the final release version of BIND 9.6.1. It has the following
changes from the 9.6.1rc1 version. The first 2 only affect DNSSEC.

          named could incorrectly delete NSEC3 records for
          empty nodes when processing a update request.

          Accept DS responses from delegation only zones.

          "delegation-only" was not being accepted in
          delegation-only type zones.
@
text
@d1 1
a1 1
LIBINTERFACE = 52
d3 1
a3 1
LIBAGE = 2
@


1.7.2.1
log
@SVN rev 200383 on 2009-12-11 01:23:58Z by dougb

MFC r199958:

Update to BIND 9.6.1-P2. The vulnerability this is designed to fix is
related to DNSSEC validation on a resolving name server that allows
access to untrusted users. If your system does not fall into all 3 of
these categories you do not need to update immediately.
@
text
@d1 1
a1 1
LIBINTERFACE = 53
d3 1
a3 1
LIBAGE = 0
@


1.7.2.2
log
@SVN rev 205820 on 2010-03-29 06:31:58Z by dougb

Update to 9.6.2-P1, the latest patchfix release which deals with
the problems related to the handling of broken DNSSEC trust chains.

This fix is only relevant for those who have DNSSEC validation
enabled and configure trust anchors from third parties, either
manually, or through a system like DLV.
@
text
@d1 1
a1 1
LIBINTERFACE = 56
d3 1
a3 1
LIBAGE = 1
@


1.7.2.3
log
@SVN rev 208473 on 2010-05-23 21:15:36Z by dougb

Upgrade to 9.6.2-P2, which addresses the following;

	Named could return SERVFAIL for negative responses
	from unsigned zones.
@
text
@d2 1
a2 1
LIBREVISION = 1
@


1.7.2.4
log
@SVN rev 214811 on 2010-11-04 21:48:39Z by dougb

Update to 9.6-ESV-R2, the latest from ISC.

This version contains bug fixes that are relevant to any
caching/resolving name server; as well as DNSSEC-related
fixes.
@
text
@d1 3
a3 3
LIBINTERFACE = 57
LIBREVISION = 0
LIBAGE = 2
@


1.7.2.5
log
@SVN rev 216307 on 2010-12-08 19:59:53Z by dougb

Update to version 9.6-ESV-R4, the latest from ISC, which addresses
the following security vulnerabilities.

For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories

1. Cache incorrectly allows ncache and rrsig for the same type

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613

   Affects resolver operators whose servers are open to potential
   attackers. Triggering the bug will cause the server to crash.

   This bug applies even if you do not have DNSSEC enabled.

2. Key algorithm rollover

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614

   Affects resolver operators who are validating with DNSSEC, and
   querying zones which are in a key rollover period. The bug will
   cause answers to incorrectly be marked as insecure.

Approved by:	re (kensmith)
@
text
@d1 1
a1 1
LIBINTERFACE = 58
d3 1
a3 1
LIBAGE = 0
@


1.7.2.6
log
@SVN rev 218334 on 2011-02-05 19:13:34Z by dougb

Update to BIND 9.6.3, the latest from ISC on the 9.6 branch.

All 9.6 users with DNSSEC validation enabled should upgrade to this
version, or the latest version in the 9.7 branch, prior to 2011-03-31
in order to avoid validation failures for names in .COM as described
here:

https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record

In addition the fixes for this and other bugs, there are also the
following:

  * Various fixes to kerberos support, including GSS-TSIG
  * Various fixes to avoid leaking memory, and to problems that could
    prevent a clean shutdown of named
@
text
@d1 3
a3 3
LIBINTERFACE = 59
LIBREVISION = 2
LIBAGE = 1
@


1.7.2.7
log
@SVN rev 222396 on 2011-05-28 00:33:06Z by dougb

Upgrade to 9.6-ESV-R4-P1, which address the following issues:

1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.

This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.

Add a patch provided by ru@@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.
@
text
@d2 1
a2 1
LIBREVISION = 4
@


1.7.2.8
log
@SVN rev 223815 on 2011-07-06 00:50:54Z by dougb

Update to version 9.6-ESV-R4-P3

ALL BIND USERS ARE ENCOURAGED TO UPGRADE IMMEDIATELY

This update addresses the following vulnerability:

CVE-2011-2464
=============
Severity:	High
Exploitable:	Remotely

Description:

A defect in the affected BIND 9 versions allows an attacker to remotely
cause the "named" process to exit using a specially crafted packet. This
defect affects both recursive and authoritative servers. The code location
of the defect makes it impossible to protect BIND using ACLs configured
within named.conf or by disabling any features at compile-time or run-time.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464
https://www.isc.org/software/bind/advisories/cve-2011-2464
@
text
@d2 1
a2 1
LIBREVISION = 5
@


1.7.2.9
log
@SVN rev 233915 on 2012-04-05 04:31:17Z by dougb

Update to version 9.6-ESV-R6, the latest from ISC, which contains numerous
bug fixes.
@
text
@d1 3
a3 8
# LIBINTERFACE ranges
# 9.6: 50-59, 110-119
# 9.7: 60-79
# 9.8: 80-89
# 9.9: 90-109
LIBINTERFACE = 110
LIBREVISION = 1
LIBAGE = 0
@


1.7.2.10
log
@SVN rev 236197 on 2012-05-28 19:48:37Z by dougb

Upgrade to BIND version 9.6-ESV-R7, the latest from ISC.

Feature Change

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)

Bug Fix

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-
   threaded environment.

Other critical bug fixes are included.

All BIND users are encouraged to upgrade.
@
text
@d7 1
a7 1
LIBREVISION = 2
@


1.7.2.11
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/245039
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r245039 | erwin | 2013-01-04 13:36:31 +0000 (Fri, 04 Jan 2013) | 7 lines
## SVN ##
## SVN ## Update to 9.6-ESV-R8.
## SVN ##
## SVN ## All security fixes were previously merged.
## SVN ## Release notes: https://kb.isc.org/article/AA-00795
## SVN ##
## SVN ## Approved by:	delphij (mentor)
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d6 1
a6 1
LIBINTERFACE = 111
d8 1
a8 1
LIBAGE = 1
@


1.7.2.12
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/246656
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@d6 2
a7 2
LIBINTERFACE = 89
LIBREVISION = 1
@


1.7.2.13
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/262707
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@d4 1
a4 1
# 9.8: 80-89, 120-129
d6 3
a8 4
# 9.9-sub: 130-139
LIBINTERFACE = 124
LIBREVISION = 2
LIBAGE = 2
@


1.6
log
@SVN rev 193149 on 2009-05-31 05:42:58Z by dougb

Update BIND to version 9.6.1rc1. This version has better performance and
lots of new features compared to 9.4.x, including:

	Full NSEC3 support
	Automatic zone re-signing
	New update-policy methods tcp-self and 6to4-self
	DHCID support.
	More detailed statistics counters including those supported in BIND 8.
	Faster ACL processing.
	Efficient LRU cache-cleaning mechanism.
	NSID support.
@
text
@d1 3
a3 3
LIBINTERFACE = 51
LIBREVISION = 1
LIBAGE = 1
@


1.5
log
@SVN rev 186942 on 2009-01-09 11:45:45Z by dougb

Merge from vendor/bind9/dist as of the 9.4.3-P1 import
@
text
@d1 3
a3 3
LIBINTERFACE = 36
LIBREVISION = 2
LIBAGE = 0
@


1.4
log
@SVN rev 186462 on 2008-12-23 22:47:56Z by dougb

Merge from vendor/bind9/dist as of the 9.4.3 import
@
text
@d2 1
a2 1
LIBREVISION = 1
@


1.3
log
@SVN rev 182645 on 2008-09-01 22:54:49Z by dougb

Merge from vendor/bind9/dist as of the 9.4.2-P2 import
@
text
@d1 1
a1 1
LIBINTERFACE = 35
@


1.2
log
@SVN rev 180477 on 2008-07-12 09:38:35Z by dougb

Merge from vendor/bind9/dist as of the 9.4.2-P1 import, including
the patch from ISC for lib/bind9/check.c and deletion of unused
files in lib/bind.

This version will by default randomize the UDP query source port
(and sequence number of course) for every query.

In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] options.

The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chatper 6 for more information.

Also please note, this issue applies only to UDP query ports. A random
ephemeral port is always chosen for TCP queries.

This issue applies primarily to name servers whose main purpose is to
resolve random queries (sometimes referred to as "caching" servers, or
more properly as "resolving" servers), although even an "authoritative"
name server will make some queries, primarily at startup time.

All users of BIND are strongly encouraged to upgrade to the latest
version, and to utilize the source port randomization feature.

This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
@
text
@d2 1
a2 1
LIBREVISION = 0
@


1.1
log
@Initial revision
@
text
@d1 1
a1 1
LIBINTERFACE = 20
@


1.1.1.1
log
@Vender import of BIND 9.3.0rc4.
@
text
@@


1.1.1.2
log
@Vendor import of BIND 9.3.1
@
text
@d2 1
a2 1
LIBREVISION = 2
@


1.1.1.2.2.1
log
@MFC import of BIND 9.3.2
@
text
@d1 2
a2 2
LIBINTERFACE = 21
LIBREVISION = 1
@


1.1.1.2.2.1.4.1
log
@MFC upgrade to version 9.3.3

Approved by:    re (kensmith)
@
text
@d1 2
a2 2
LIBINTERFACE = 22
LIBREVISION = 7
@


1.1.1.2.2.2
log
@MFC upgrade to version 9.3.3

Approved by:	re (kensmith)
@
text
@d1 2
a2 2
LIBINTERFACE = 22
LIBREVISION = 7
@


1.1.1.2.2.3
log
@MFC the upgrade to BIND 9.3.4
@
text
@d1 3
a3 3
LIBINTERFACE = 23
LIBREVISION = 0
LIBAGE = 1
@


1.1.1.2.2.3.2.1
log
@SVN rev 180499 on 2008-07-13 18:42:38Z by cperciva

Improve randomization in BIND to prevent response spoofing.

Security:	FreeBSD-SA-08:06.bind
Approved by:	so (cperciva)
Thanks to:	remko, csjp
No thanks to:	bronchitis
@
text
@d1 3
a3 3
LIBINTERFACE = 24
LIBREVISION = 2
LIBAGE = 2
@


1.1.1.2.2.4
log
@SVN rev 179502 on 2008-06-03 05:38:10Z by dougb

Update to version 9.3.5. It contains the latest bug fixes, updates
to root server addresses, and a fix for the vulnerability mentioned
here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0122

Users of BIND 9.3.x are strongly encouraged to upgrade to this
version. Also, the 9.3.x branch is now in maintenance-only mode.
Users are encouraged to investigate BIND 9.4.x or perhaps 9.5.x.

http://www.isc.org/index.pl?/sw/bind/versions_and_support.php

This udpate is being done by updating the files directly in this
branch rather than an import + MFC because BIND in HEAD is 9.4.x.
@
text
@d1 3
a3 3
LIBINTERFACE = 24
LIBREVISION = 2
LIBAGE = 2
@


1.1.1.2.2.5
log
@SVN rev 180479 on 2008-07-12 10:07:33Z by dougb

Merge from vendor/bind9/dist-9.3 as of the 9.3.5-P1 import.

This version will by default randomize the UDP query source port
(and sequence number of course) for every query.

In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] options.

The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chatper 6 for more information.

Also please note, this issue applies only to UDP query ports. A random
ephemeral port is always chosen for TCP queries.

This issue applies primarily to name servers whose main purpose is to
resolve random queries (sometimes referred to as "caching" servers, or
more properly as "resolving" servers), although even an "authoritative"
name server will make some queries, primarily at startup time.

All users of BIND are strongly encouraged to upgrade to the latest
version, and to utilize the source port randomization feature.

This update addresses issues raised in:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
@
text
@d1 3
a3 3
LIBINTERFACE = 25
LIBREVISION = 0
LIBAGE = 0
@


1.1.1.2.2.6
log
@SVN rev 182647 on 2008-09-01 22:56:10Z by dougb

Merge from vendor/bind9/dist-9.3 as of the 9.3.5-P2 import
@
text
@d2 1
a2 1
LIBREVISION = 1
@


1.1.1.2.2.7
log
@SVN rev 186999 on 2009-01-10 04:30:27Z by dougb

Merge from vendor/bind9/dist-9.3 as of the 9.3.6-P1 import
@
text
@d1 2
a2 2
LIBINTERFACE = 26
LIBREVISION = 2
@


1.1.1.3
log
@Vendor import of BIND 9.3.2
@
text
@d1 2
a2 2
LIBINTERFACE = 21
LIBREVISION = 1
@


1.1.1.4
log
@Vendor import of BIND 9.3.3
@
text
@d1 2
a2 2
LIBINTERFACE = 22
LIBREVISION = 7
@


1.1.1.5
log
@Vendor import of BIND 9.3.4
@
text
@d1 3
a3 3
LIBINTERFACE = 23
LIBREVISION = 0
LIBAGE = 1
@


1.1.1.6
log
@Vendor import of BIND 9.4.1
@
text
@d1 2
a2 2
LIBINTERFACE = 33
LIBREVISION = 1
@


1.1.1.6.2.1
log
@MFC contrib code and bmake changes for BIND version 9.4.2

Approved by:	re (kensmith)
@
text
@d1 3
a3 3
LIBINTERFACE = 34
LIBREVISION = 2
LIBAGE = 2
@


1.1.1.6.2.2
log
@SVN rev 180499 on 2008-07-13 18:42:38Z by cperciva

Improve randomization in BIND to prevent response spoofing.

Security:	FreeBSD-SA-08:06.bind
Approved by:	so (cperciva)
Thanks to:	remko, csjp
No thanks to:	bronchitis
@
text
@d1 3
a3 3
LIBINTERFACE = 35
LIBREVISION = 0
LIBAGE = 0
@


1.1.1.6.2.3
log
@SVN rev 184967 on 2008-11-14 11:00:34Z by dougb

MFC the BIND 9.4.2-P2 update

Approved by:	re (kib)
@
text
@d2 1
a2 1
LIBREVISION = 1
@


1.1.1.6.2.4
log
@SVN rev 186996 on 2009-01-10 03:00:21Z by dougb

MFC the BIND 9.4.3 and 9.4.3-P1 updates
@
text
@d1 2
a2 2
LIBINTERFACE = 36
LIBREVISION = 2
@


1.1.1.6.2.5
log
@SVN rev 200393 on 2009-12-11 02:23:04Z by dougb

Update to version 9.4.3-P4. The vulnerability this is designed to fix is
related to DNSSEC validation on a resolving name server that allows
access to untrusted users. If your system does not fall into all 3 of
these categories you do not need to update immediately.
@
text
@d1 2
a2 2
LIBINTERFACE = 38
LIBREVISION = 0
@


1.1.1.6.2.6
log
@SVN rev 208485 on 2010-05-24 06:41:57Z by dougb

Upgrade to 9.4-ESV-R2, which addresses the following:

	Named could return SERVFAIL for negative responses
	from unsigned zones.
@
text
@d2 1
a2 1
LIBREVISION = 1
@


1.1.1.6.2.7
log
@SVN rev 214812 on 2010-11-04 21:50:19Z by dougb

MFV version 9.4-ESV-R3

This version contains several fixes for DNSSEC and DLV, as well as
fixes relevant to any resolving name server.
@
text
@d1 3
a3 3
LIBINTERFACE = 39
LIBREVISION = 0
LIBAGE = 1
@


1.1.1.6.2.8
log
@SVN rev 216336 on 2010-12-09 21:11:53Z by dougb

MFV: vendor/bind9/dist-9.4

Update to version 9.4-ESV-R4, the latest from ISC, which addresses
the following security vulnerabilities.

For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories

1. Cache incorrectly allows ncache and rrsig for the same type

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613

   Affects resolver operators whose servers are open to potential
   attackers. Triggering the bug will cause the server to crash.

   This bug applies even if you do not have DNSSEC enabled.

2. Key algorithm rollover

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614

   Affects resolver operators who are validating with DNSSEC, and
   querying zones which are in a key rollover period. The bug will
   cause answers to incorrectly be marked as insecure.

Approved by:	re (kib)
@
text
@d2 1
a2 1
LIBREVISION = 1
@


1.1.1.6.2.9
log
@SVN rev 222399 on 2011-05-28 00:58:19Z by dougb

Upgrade to 9.4-ESV-R4-P1, which addresses the following issues:

1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.

This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.
@
text
@d2 1
a2 1
LIBREVISION = 3
@


1.1.1.6.2.10
log
@SVN rev 224601 on 2011-08-02 09:42:58Z by dougb

Update to version 9.4-ESV-R5 which contains various bug fixes
and improvements

See RELEASE-NOTES-BIND-9.4-ESV.* for details

This is expected to be the final release of the BIND 9.4 branch
@
text
@d2 1
a2 1
LIBREVISION = 4
@


1.1.1.6.2.1.2.1
log
@SVN rev 180499 on 2008-07-13 18:42:38Z by cperciva

Improve randomization in BIND to prevent response spoofing.

Security:	FreeBSD-SA-08:06.bind
Approved by:	so (cperciva)
Thanks to:	remko, csjp
No thanks to:	bronchitis
@
text
@d1 3
a3 3
LIBINTERFACE = 35
LIBREVISION = 0
LIBAGE = 0
@


1.1.1.7
log
@Vendor import of BIND 9.4.2
@
text
@d1 3
a3 3
LIBINTERFACE = 34
LIBREVISION = 2
LIBAGE = 2
@


1.1.1.1.2.1
log
@MFC: BIND 9 and related bits.

Approved by:	re
@
text
@@


1.1.1.1.2.2
log
@MFC BIND 9.3.1 and related bmake updates

Approved by:	re (kensmith)
@
text
@d2 1
a2 1
LIBREVISION = 2
@


1.1.1.1.2.3
log
@MFC import of BIND 9.3.2
@
text
@d1 2
a2 2
LIBINTERFACE = 21
LIBREVISION = 1
@


1.1.1.1.2.4
log
@MFC upgrade to version 9.3.3
@
text
@d1 2
a2 2
LIBINTERFACE = 22
LIBREVISION = 7
@


1.1.1.1.2.5
log
@MFC the upgrade to BIND 9.3.4
@
text
@d1 3
a3 3
LIBINTERFACE = 23
LIBREVISION = 0
LIBAGE = 1
@


