Update to new upstream release 2.52. Changelog excerpt below the approval.
Approved by: miwi (mentor)
Upstream changelog excerpt (omitting Linux, Solaris and MacOS X specifics):
[...] Re-read the set of network interfaces when re-loading /etc/resolv.conf
if --bind-interfaces is not set. This handles the case that loopback
interfaces do not exist when dnsmasq is first started.
Tweak the PXE code to support port 4011. This should reduce broadcasts and
make things more reliable when other servers are around. It also improves
inter-operability with certain clients.
Make a pxe-service configuration with no filename or boot service type legal:
this does a local boot. e.g. pxe-service=x86PC, "Local boot"
Be more conservative in detecting "A for A" queries. Dnsmasq checks if the
name in a type=A query looks like a dotted-quad IP address and answers the
query itself if so, rather than forwarding it. Previously dnsmasq relied on
the library function inet_addr() to convert addresses, and that will accept
some things which are confusing in this context, like 1.2.3 or even just
1234. Now we only do A for A processing for four decimal numbers delimited by
dots.
[...]
Increased the default limit on number of leases to 1000 (from 150). This is
mainly a defence against DoS attacks, and for the average "one for two class
C networks" installation, IP address exhaustion does that just as well.
Making the limit greater than the number of IP addresses available in such an
installation removes a surprise which otherwise can catch people out.
Removed extraneous trailing space in the value of the DNSMASQ_TIME_REMAINING
DNSMASQ_LEASE_LENGTH and DNSMASQ_LEASE_EXPIRES environment variables. Thanks
to Gildas Le Nadan for spotting this.
Provide the network-id tags for a DHCP transaction to the lease-change script
in the environment variable DNSMASQ_TAGS. A good suggestion from Gildas Le
Nadan.
Add support for RFC3925 "Vendor-Identifying Vendor Options". The syntax looks
like this:
--dhcp-option=vi-encap:<enterprise number>, .........
Add support to --dhcp-match to allow matching against RFC3925
"Vendor-Identifying Vendor Classes". The syntax looks like this:
--dhcp-match=tag,vi-encap<enterprise number>, <value>
Add some application specific code to assist in implementing the Broadband
forum TR069 CPE-WAN specification. The details are in contrib/CPE-WAN/README
Increase the default DNS packet size limit to 4096, as recommended by RFC5625
section 4.4.3. This can be reconfigured using --edns-packet-max if needed.
Thanks to Francis Dupont for pointing this out.
Rewrite query-ids even for DNSSEC signed packets, since this is allowed by
RFC5625 section 4.5.
[...]
Fix link error when including Dbus but excluding DHCP.
Thanks to Oschtan for the bug report.
Updated French translation. Thanks to Gildas Le Nadan.
Updated Polish translation. Thanks to Jan Psota.
Updated Spanish translation. Thanks to Chris Chatham.
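The stricter "A for A" rule from the changelog above, as an added example that is not dnsmasq's own code (the helper names `is_dotted_quad`, `libc_accepts` and `a_for_a_answer` are hypothetical): only four decimal numbers delimited by dots count as an address, so shorthand that inet_addr() would still parse, such as `1.2.3` or `1234`, is forwarded like any other name instead of being answered locally.

```python
"""Strict "A for A" detection, as described in the dnsmasq 2.52 changelog.

Added example, not dnsmasq's own code: the helper names below are
hypothetical. A query of type A whose name is a literal IPv4 address is
answered locally; anything else (including shorthand that inet_addr() would
still parse) is forwarded upstream like any other name.
"""
import re
import socket

# Exactly four groups of 1-3 ASCII digits separated by dots; nothing else.
_DOTTED_QUAD = re.compile(r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}")


def is_dotted_quad(name: str) -> bool:
    """True only for d.d.d.d with every d a decimal number in 0..255."""
    if not _DOTTED_QUAD.fullmatch(name):
        return False
    return all(int(octet) <= 255 for octet in name.split("."))


def libc_accepts(name: str) -> bool:
    """Whether the C library's inet_aton()/inet_addr() parses the string.

    Shown for contrast only: the classic parser accepts "1.2.3", "1234" and
    octal/hex forms, which is why the changelog stopped relying on it.
    The result is platform dependent, so nothing else here depends on it.
    """
    try:
        socket.inet_aton(name)
    except OSError:
        return False
    return True


def a_for_a_answer(qname: str, qtype: str):
    """Return the address to answer with for an "A for A" query, else None.

    None means "forward the query upstream as usual".
    """
    if qtype != "A" or not is_dotted_quad(qname):
        return None
    return qname


if __name__ == "__main__":
    # Constructed sample names, not taken from real traffic.
    samples = ["192.0.2.10", "1.2.3", "1234", "256.1.1.1",
               "10.0.0.1.5", "www.example.com"]
    for name in samples:
        print(f"{name:18} strict={is_dotted_quad(name)!s:5} "
              f"libc={libc_accepts(name)}")
```

Running the block prints the strict verdict next to the C library's for each constructed name; the interesting rows are the ones where the two disagree, which are exactly the queries that used to be answered locally and are now forwarded.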
DNSSEC. It secures zone data just before it is published in an
authoritative name server.
WWW: http://www.opendnssec.org
PR: ports/142103
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl>
to thoroughly test this version before updating production systems.
For the port, introduce a new dependency, security/p5-Digest-SHA
Changes in this version, in addition to numerous minor bug fixes:
Feature: Truncation for Nameserver
TAKE CARE:
this feature may cause unexpected behavior for your nameservers
Net::DNS::Packet::truncate is a new method that is called from
within Net::DNS::Nameserver that truncates a packet according to
the rules of RFC2181 section 9.
Feature: Added Net::DNS::Domain
Net::DNS::Domain is an attempt to consistently approach the various
ways we interface with what RFC 1035 calls <domain-name>.
Feature: KX RR
Added support for the KX RR, RFC2230
Feature: HIP RR
Added support for the HIP RR, RFC5205
Feature: DHCID RR
Added rudimentary support for the DHCID RR.
Fix improved fuzzy matching of CLASS and TYPE in the Question
constructor method.
Fix AAAA dynamic update
PR: ports/136065 ports/127469
Submitted by: N.J. Mann <njm@njm.me.uk> and Aldis Berjoza <killasmurf86@gmail.com>
- Early identify port CONFLICTS
PR: 137855
Submitted by: Piotr Smyrak <smyru@heron.pl>
- Add --no-same-permissions to the EXTRACT_AFTER_ARGS command.
Tijl Coosemans has reported an issue that when root is extracting from the
tarball, and the tarball contains world-writable files
(sysutils/policykit as an example), there is a chance that the files
get changed by malicious third parties right after the extraction,
which makes it possible to inject code into the package and thus compromise
the system.
Submitted by: Tijl Coosemans <tijl@coosemans.org> Xin LI (delphij@)
- Fix some whitespace
Tested with: exp-run
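The window described in the commit above exists because a file archived with mode 0666 or 0777 keeps that mode when root extracts it with permissions preserved. As an added example, not part of the ports framework, the Python below audits a tarball for world-writable members before extraction and shows the mode a non-preserving extraction (the effect of --no-same-permissions) would give them; the archive is constructed in memory, the function names are hypothetical, and a 022 umask is assumed.

```python
"""Audit a tarball for world-writable members before extracting it.

Added example, not part of the FreeBSD ports framework. The distfile below is
constructed in memory purely for the demonstration; the 022 umask is an
assumption.
"""
import io
import stat
import tarfile


def build_sample_tarball() -> bytes:
    """Constructed distfile: one sane file and two world-writable ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in [
            ("pkg-1.0/README", 0o644, b"hello\n"),
            ("pkg-1.0/configure", 0o777, b"#!/bin/sh\n"),  # o+w script
            ("pkg-1.0/data/config.in", 0o666, b"x=1\n"),  # o+w data file
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def world_writable_members(tar_bytes: bytes):
    """Return (path, mode) for every file or directory that others may write.

    Run this on the distfile before extraction: every entry reported here is
    one that a local user could rewrite between extraction and build when
    root restores the archived permissions verbatim.
    """
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if (member.isfile() or member.isdir()) and member.mode & stat.S_IWOTH:
                found.append((member.name, member.mode & 0o7777))
    return found


def sanitized_mode(mode: int, umask: int = 0o022) -> int:
    """Mode the entry gets when the archived bits are masked by the umask,
    which is what extraction without permission preservation yields."""
    return mode & ~umask & 0o7777


if __name__ == "__main__":
    distfile = build_sample_tarball()
    for path, mode in world_writable_members(distfile):
        print(f"{path}: archived {mode:04o}, "
              f"after umask {sanitized_mode(mode):04o}")
```

A port maintainer can run the audit over a real distfile by reading its bytes instead of calling `build_sample_tarball()`; an empty result means the archive carries no world-writable entries and the race described in the commit cannot arise from it, whatever tar flags are used.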
is designed to help you as a user determine what name services
are the best to use for an individual machine.
WWW: http://namebench.googlecode.com/
PR: ports/141202
Submitted by: Sahil Tandon <sahil at tandon.net>
e-mail addresses from the pkg-descr file that could reasonably
be mistaken for maintainer contact information in order to avoid
confusion on the part of users looking for support. As a pleasant
side effect this also avoids confusion and/or frustration for people
who are no longer maintaining those ports.
start testing it sooner rather than later. When the final version
is released the -devel will be removed.
Some of the new features of BIND 9.7.x are:
- Fully automatic signing of zones by "named"
- Simplified configuration of DNSSEC Lookaside Validation (DLV)
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option
- New named option "attach-cache" that allows multiple views to
share a single cache
- DNS rebinding attack prevention
- New default values for dnssec-keygen parameters
- Support for RFC 5011 automated trust anchor maintenance
(see README.rfc5011 for additional details)
- Smart signing: simplified tools for zone signing and key
maintenance
- Improved PKCS#11 support
Subsequently installing the package will result in a plist entry to remove a
directory that does not exist
So, change @dirrm to @dirrmtry to make them both happy.
this is designed to fix is related to DNSSEC validation on a resolving
name server that allows access to untrusted users. If your system does
not fall into all 3 of these categories you do not need to update
immediately.
This patch or something similar will likely be included in a future
BIND release.
PR: bin/138061
Submitted by: Michael Baker <michael.baker@diversit.com.au>
Original patch submitted by: Volker <volker@vwsoft.com>
Patch reviewed and tweaked by: ISC
Port installs configuration file in 640 mode
and poweradmin will fail to find it when apache server
with www account is used.
PR: 139475
Submitted by: Edmondas Girkantas <eg@fbsd.lt> (maintainer)
- Add pkg-message
- Add NLS and IDN option (currently linked together in one option, this will
be changed in future releases hopefully)
- Properly handle example configuration files
PR: ports/139273
Submitted by: Matthias Andree <matthias.andree@gmx.de> (maintainer)
Add an OPTION (on by default) to install the appropriate symlinks for
named.conf and rndc.key in /usr/local/etc and /var/named/usr/local/etc.
For bind9[456]:
Add OPTIONs (off by default) for the DLZ configure options, and their
corresponding ports knobs. [1] The basic infrastructure for this was
provided in the PR, but this version is slightly different in a few
details so responsibility for bugs is mine.
PR: ports/122974 [1]
Submitted by: Michael Schout <mschout@gkg.net> [1]
complete DNS client implementation, including full DNSSEC
support.
WWW: http://rubyforge.org/projects/dnsruby/
PR: ports/138203
Submitted by: Wen Heping <wenheping at gmail.com>
The most popular use of this patch is to send web site visitors to their
nearest web server. Suppose you have a site called www.example555.com with
two web servers: one in the US and one in England. You can use this patch
in order for visitors from Europe to connect to the server in England and
all other visitors to the server in the US. This is just one example of
its usage. There are probably many others.
WWW: http://www.caraytech.com/geodns/
I created a slave port rather than making this an option but other than
that I was able to use the excellent work in the PR.
PR: ports/119997
Submitted by: Jui-Nan Lin <jnlin@csie.nctu.edu.tw>
- load configuration earlier so that we don't run without config file,
analyzed, reported and patch suggested by Fumiyuki Shimizu
- mention /etc/rc.conf.local (as suggested in the Porter's handbook)
- mention dnsmasq_flags for additional command line arguments
- pass pidfile and dnsmasq_conf as arguments to dnsmasq (previously,
overriding dnsmasq_conf had no effect).
* Fix COMMENT to mention TFTP server; shorten it so it fully fits on the
pkg_info list.
PR: 137506
Submitted by: Matthias Andree <matthias.andree@gmx.de> (maintainer)
BIND 9.6.0. Originally from older versions of BIND, they have been
continually maintained and improved but not installed by default with
BIND 9. This standard resolver library contains the same historical
functions and headers included with many Unix operating systems.
In fact, most implementations are based on the same original code.
ISC's libbind provides the standard resolver library, along with header
files and documentation, for communicating with domain name servers,
retrieving network host entries from /etc/hosts or via DNS, converting
CIDR network addresses, performing Hesiod information lookups, retrieving
network entries from /etc/networks, implementing TSIG transaction/request
security of DNS messages, performing name-to-address and address-to-name
translations, and utilizing /etc/resolv.conf for resolver configuration.
WWW: https://www.isc.org/software/libbind
- Doug Barton
DougB@FreeBSD.org
-Update libtool and libltdl to 2.2.6a.
-Remove devel/libtool15 and devel/libltdl15.
-Fix ports build with libtool22/libltdl22.
-Bump ports that depend on libltdl22 due to shared library version change.
-Explain what to do to update in UPDATING.
It has been tested with GNOME2, XFCE4, KDE3, KDE4 and many other wm/desktops
and applications at runtime.
With help: marcus and kwm
Pointyhat-exp: a few times by pav
Tested by: pgollucci, "Romain Tartière" <romain@blogreen.org>, and
a few MarcusCom CVS users. Also, I might have missed a few.
Repocopy by: marcus
Approved by: portmgr
DoS vulnerability:
Receipt of a specially-crafted dynamic update message may
cause BIND 9 servers to exit. This vulnerability affects all
servers -- it is not limited to those that are configured to
allow dynamic updates. Access controls will not provide an
effective workaround.
More details can be found here: https://www.isc.org/node/474
All BIND users are encouraged to update to a patched version ASAP.
- Split boost port to separate components, with boost-all metaport
PR: ports/137054
Submitted by: Alexander Churanov <churanov.port.maintainer@gmail.com> (maintainer)
propagated by copy and paste.
1. Primarily the "empty variable" default assignment, which is mostly
${name}_flags="", but fix a few others as well.
2. Where they are not already documented, add the existence of the _flags
(or other deleted empties) option to the comments, and in some cases add
comments from scratch.
3. Replace things that look like:
prefix=%%PREFIX%%
command=${prefix}/sbin/foo
to just use %%PREFIX%%. In many cases the $prefix variable is only used
once, and in some cases it is not used at all.
4. In a few cases remove ${name}_flags from command_args
5. Remove a long-stale comment about putting the port's rc.d script in
/etc/rc.d (which is no longer necessary).
No PORTREVISION bumps because all of these changes are noops.
and answers with records pointing back to localhost. Combined with
packet filter pf(4) this works as a bandwidth efficient spamtrap.
WWW: http://www.wolfermann.org/dnsreflector.html
PR: ports/135077
Submitted by: ismail.yenigul at endersys.com.tr
hostname to the nearest mirrors (as defined by geography; on the
country / continent level).
It is used for search.cpan.org/cpansearch.perl.org and for
ftp.perl.org/ftp.cpan.org; to provide nearby-ish
servers for the NTP Pool; and to balance svn.apache.org to
svn.us.apache.org and svn.eu.apache.org.
WWW: http://geo.bitnames.com/
in DNSSEC lookaside validation (DLV): unrecognized signature algorithms,
which should have been treated as the equivalent of an unsigned zone,
were instead treated as a validation failure.
Matthew Dempsky. Also, fix the quoting of the BROKEN messages.
PR: 132366, 132349
Submitted by: Renato Botelho <garga@FreeBSD.org>,
Howard Goldstein <hg@queue.to>
- Add selection for mysql or pgsql backend
- Pass maintainership to submitter
PR: ports/131035
Submitted by: Edmondas Girkantas <eg@fbsd.lt>
Approved by: maintainer timeout (no activity since 2005)
- turn devel/py-twisted into a meta port.
- Update USE_TWISTED{,_BUILD,_RUN} in bsd.python.mk:
* Remove flow, pair, xish, which are deprecated
(but still update them to latest release in the tree)
* Remove USE_TWISTED=13 (no port uses this)
* Fix typos in twisted components _DEPENDS
PR: ports/130001
Submitted by: lwhsu
Approved by: maintainer timeout
the fix for the following vulnerability: https://www.isc.org/node/373
Description:
Return values from OpenSSL library functions EVP_VerifyFinal()
and DSA_do_verify() were not checked properly.
Impact:
It is theoretically possible to spoof answers returned from
zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).
In short, if you're not using DNSSEC to verify signatures you have
nothing to worry about.
While I'm here, address the issues raised in the PR by adding a knob
to disable building with OpenSSL altogether (which eliminates DNSSEC
capability), and fix the configure arguments to better deal with the
situation where the user has ssl bits in both the base and LOCALBASE.
PR: ports/126297
Submitted by: Ronald F.Guilmette <rfg@tristatelogic.com>
improvements, including, "Additional support for query port randomization
including performance improvement and port range specification."
When building on amd64 ports' configure doesn't properly recognize our
arch, so help it along a bit. [1]
Submitted by: ivan jr sy <ivan_jr@yahoo.com> [1]
- Remove EXTRACT_SUFX as it uses USE_ZIP which automatically sets EXTRACT_SUFX
- Bump PORTREVISION
PR: ports/129812
Submitted by: Joseph S. Atkinson <jsatkinson at embarqmail.com>
Approved by: Alex Samorukov <samm at os2.kiev.ua> (maintainer)
Add a note to pkg-message indicating that ISC declared this version EOL
as of 1 December, but that we will support the port through the RELENG_6
lifetime.
lookups for the .local domain and self assigned IP addresses, rejecting
others. This can be used to speed up the resolution of non mdns registered
host names.
PR: ports/128107
Submitted by: Andrew <andrew@ugh.net.au>
Approved by: Ashish Shukla <wahjava@gmail.com> (maintainer)