1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-11-27 00:57:50 +00:00
Commit Graph

50 Commits

Author SHA1 Message Date
Erwin Lansing
bd33f08ef3 Update to 9.8.6 2013-09-28 12:32:53 +00:00
Erwin Lansing
5efd401380 Add an option for filter-aaaa
Submitted by:	Matej Gregr <matej.gregr@gmail.com>
2013-09-23 10:20:56 +00:00
Baptiste Daroussin
24a1652ff4 Add NO_STAGE all over the place in preparation for the staging support (cat: dns) 2013-09-20 16:31:57 +00:00
Erwin Lansing
8576e9d9a0 Make GSSAPI support optional
PR:		182122
Submitted by:	Uwe Doering <gemini@geminix.org>
2013-09-17 11:31:49 +00:00
Boris Samorodov
54e44467d7 . introduce ICONV_CONFIGURE_BASE variable at Mk/Uses/iconv.mk. It's value is
"--with-libiconv=${LOCALBASE}" at systems pre OSVERSION 100043 and "" (null)
  otherwise;
. convert all ports which has CONFIGURE_ARGS=--with-libiconv=${LOCALBASE}.

Approved by:	portmgr (bapt, implicit)
2013-09-05 20:18:30 +00:00
Ollivier Robert
b3392148de Update the RPZ+RL patches for both versions.
Approved by:	erwin
2013-07-27 21:08:35 +00:00
Ollivier Robert
290764c8ba Put back the two patches for RPZ-RL that were removed during the previous
update.
2013-07-26 22:19:27 +00:00
Ollivier Robert
3726e2cae1 Security update to fix CVE-2013-4854 as reported at
https://kb.isc.org/article/AA-01015/0

9.9.3-p1 -> 9.9.3-P2
9.8.5-p1 -> 9.8.5-P2

9.6.x is not affected, neither is 10.x.

Security:	CVE-2013-4854 Remote DOS
2013-07-26 22:05:05 +00:00
Erwin Lansing
92b781fac4 Update to 9.8.5-P1
Security Fixes

   Prevents exploitation of a runtime_check which can crash named
   when satisfying a recursive query for particular malformed zones.
   (CVE-2013-3919) [RT #33690]

   A deliberately constructed combination of records could cause
   named to hang while populating the additional section of a
   response. (CVE-2012-5166) [RT #31090]

   Now supports NAPTR regular expression validation on all platforms,
   and avoids memory exhaustion compiling pathological regular
   expressions. (CVE-2013-2266)  [RT #32688]

   Prevents named from aborting with a require assertion failure
   on servers with DNS64 enabled.  These crashes might occur as a
   result of specific queries that are received.  (CVE-2012-5688)
   [RT #30792 / #30996]

   Prevents an assertion failure in named when RPZ and DNS64 are
   used together. (CVE-2012-5689) [RT #32141]

See release notes for further features and bug fixes:
https://kb.isc.org/article/AA-00969/0/BIND-9.8.5-P1-Release-Notes.html

Security:	CVE-2013-3919
		CVE-2012-5166
		CVE-2013-2266
		CVE-2012-5688
		CVE-2012-5689
2013-06-05 11:49:51 +00:00
Erwin Lansing
bb37a21123 Update to 9.8.5 2013-05-31 09:32:28 +00:00
Erwin Lansing
56bb308f3e Update RPZ and RRL patch set:
- address the issue raised by Bob Harold. RRL on recursive servers
     applies rate limits after waiting for recursion except on
     sub-domains of domains for which the server is authoritative.

  - fix the bug reported by Roy Arends in which "slipped" NXDOMAIN
     responses had rcode values of 0 (NoError) instead of 3 (NXDOMAIN).

  - move reports of RRL drop and slip actions from the "queries"
     log category to the "query-errors" category. Because they are not
     in the "queres" category, enabling or disabling query logging no
     longer affects them.
2013-05-31 08:10:56 +00:00
Erwin Lansing
2a0e1389ad Make pkg-message and pkg-install a local file to the bind98 and bind99
ports and not include the one from the deprecated bind97 port, which is
to be removed.
2013-04-23 08:26:48 +00:00
Erwin Lansing
fb20fb9362 Update RPZ+RRL patchset to the latest version.
The change makes "slip 1;" send only truncated (TC=1) responses.
Without the change, "slip 1;" is the same as the default of "slip 2;".
That default, which alternates truncated with dropped responses
when the rate limit is exceeded, is better for authoritative DNS
servers, because it further reduces the amplification of an attack
from about 1X to about 0.5X.

DNS RRL is not recommended for recursive servers.

Feature safe:	yes
2013-04-17 07:57:54 +00:00
Erwin Lansing
3311832790 Update to 9.8.4-P2
Removed the check for regex.h in configure in order
to disable regex syntax checking, as it exposes
BIND to a critical flaw in libregex on some
platforms. [RT #32688]

Security:	CVE-2013-2266
2013-03-27 07:55:22 +00:00
Erwin Lansing
715dba2977 Update the RPZ+RRL patch files which remove
working files that should not have been in the patches[1]
Also move to a versioned filename for the patches[2]

Submitted by:	Robert Sargent <robtsgt@gmail.com> [1],
		Vernon Schryver <vjs@rhyolite.com> [2]
2013-03-15 10:56:33 +00:00
Erwin Lansing
2e85b58e49 Update RPZ+RRL patch to 028.23
A serious Multiple Zone Response Policy Zone (RPZ2)
Speed Improvement bug has been fixed.

`./configure --enable-rpz-nsip --enable-rpz-nsdname`
is now the default.

Responses affected by the all-per-second parameter
are always dropped. The slip value has no effect on them.

There are improved log messages for responses that aredropped or "slipped," because they would require an
excessive identical referral.
2013-02-05 09:35:28 +00:00
Erwin Lansing
dc0e56bb80 Reduce lenght of the option description for RPZRRL_PATCH to
avoid problems with the older dialog(1) on FreeBSD 8.x

Noticed by:   Terry Kennedy <terry@tmk.com>
2013-01-10 10:37:18 +00:00
Erwin Lansing
bad9ad12ae Update the response rate limiting patch to the latest
released version of January 5, 2013.

This also includes performance patches to the BIND9
Response Policy Zones (DNS RPZ), Single Zone Response
Policy Zone (RPZ) Speed Improvement, in the same
patch.

More information: http://ss.vix.su/~vjs/rrlrpz.html
2013-01-09 10:20:16 +00:00
Erwin Lansing
d2c1b13640 Add LICENSE. 2013-01-04 10:47:28 +00:00
Erwin Lansing
38649eeb03 Add experimental option for Response Rate Limiting patch. 2013-01-04 10:39:41 +00:00
Erwin Lansing
b0e7b6c04c - Use new OPTIONS_GROUP for DLZ options.[1]
- This also allows more than one DLZ option
  to be set.[2]

Submitted by:	bapt [1] (as RADIO)
Suggested by:	az [2] (thus GROUP instead)
2012-12-14 10:43:35 +00:00
Erwin Lansing
f7345394fe Update to the latest patch level from ISC:
BIND 9 nameservers using the DNS64 IPv6 transition mechanism are
  vulnerable to a software defect that allows a crafted query to
  crash the server with a REQUIRE assertion failure.  Remote
  exploitation of this defect can be achieved without extensive
  effort, resulting in a denial-of-service (DoS) vector against
  affected servers.

Security:	2892a8e2-3d68-11e2-8e01-0800273fe665
		CVE-2012-5688
Feature safe:	yes
2012-12-05 07:46:03 +00:00
Erwin Lansing
534bdf4937 Improve the SSL option description
Submitted by:	Kazunori Fujiwara <fujiwara@jprs.co.jp>
Feature safe:	yes
2012-12-03 10:52:11 +00:00
Erwin Lansing
680f311898 Remove gpg signature checking that in itself does not
provide any additional security.

Feature safe:	yes
2012-12-03 10:48:18 +00:00
Erwin Lansing
e8882f0ecc - Update CONFLICTS
- Fix a typo in the OPTIONSNG conversion
- Add FIXED_RRSET option
- Add RPZ options (9.8 and 9.8 only)

PR:		172586
Submitted by:	Craig Leres <leres@ee.lbl.gov>
Feature safe:	yes
2012-11-27 10:05:32 +00:00
Erwin Lansing
fc2b7bdc9a Reduce lenght of the option description for DLZ_MYSQL to
avoid problems with the older dialog(1) on FreeBSD 8.x

Noticed by:	Terry Kennedy <terry@tmk.com>
Feature safe:	yes
2012-10-26 08:37:10 +00:00
Erwin Lansing
311da8020a - Convert to OPTIONSNG
- Turn on IPv6 support by default

Feature safe:	yes
2012-10-25 10:53:57 +00:00
Erwin Lansing
fee03cc166 Update to 9.8.4
Feature safe:	yes
2012-10-19 09:32:00 +00:00
Erwin Lansing
b6095ca45c Upgrade to the latest BIND patch level:
A deliberately constructed combination of records could cause named
to hang while populating the additional section of a response.

Security:	  http://www.vuxml.org/freebsd/57a700f9-12c0-11e2-9f86-001d923933b6.html
2012-10-10 11:54:44 +00:00
Erwin Lansing
0a8fc4d0e4 Take maintainership of the BIND ports while I'm working on the latest
security releases.
2012-10-10 09:11:41 +00:00
Doug Barton
deda664425 Throw my ports back in the pool, and make my intentions clear for the
various ports that I've created.

I bid fond fare well
A chapter closes for me
What opens for you?
2012-10-08 10:38:47 +00:00
Doug Barton
ece74c7d62 Upgrade to the latest BIND patch level:
Prevents a crash when queried for a record whose RDATA exceeds
65535 bytes.

Prevents a crash when validating caused by using "Bad cache" data
before it has been initialized.

ISC_QUEUE handling for recursive clients was updated to address
a race condition that could cause a memory leak. This rarely
occurred with UDP clients, but could be a significant problem
for a server handling a steady rate of TCP queries.

A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process.

For more information: https://kb.isc.org/article/AA-00788
2012-09-19 03:46:35 +00:00
Doug Barton
e859d6a9bf Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure
in BIND9

High numbers of queries with DNSSEC validation enabled can cause an
assertion failure in named, caused by using a "bad cache" data structure
before it has been initialized.

CVE: CVE-2012-3817
Posting date: 24 July, 2012
2012-07-24 19:23:23 +00:00
Doug Barton
543df633d3 Upgrade to 9.6-ESV-R7-P1, 9.7.6-P1, 9.8.3-P1, and 9.9.1-P1, the latest
from ISC. These patched versions contain a critical bugfix:

  Processing of DNS resource records where the rdata field is zero length
  may cause various issues for the servers handling them.

  Processing of these records may lead to unexpected outcomes. Recursive
  servers may crash or disclose some portion of memory to the client.
  Secondary servers may crash on restart after transferring a zone
  containing these records. Master servers may corrupt zone data if the
  zone option "auto-dnssec" is set to "maintain". Other unexpected
  problems that are not listed here may also be encountered.

All BIND users are strongly encouraged to upgrade.
2012-06-04 21:51:34 +00:00
Doug Barton
7d79b1b01f Upgrade to BIND versions 9.9.1, 9.8.3, 9.7.6, and 9.6-ESV-R7,
the latest from ISC. These versions all contain the following:

Feature Change

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

Bug Fix

*  The locking strategy around the handling of iterative queries
   has been tuned to reduce unnecessary contention in a multi-
   threaded environment.

Each version also contains other critical bug fixes.

All BIND users are encouraged to upgrade to these latest versions.
2012-05-23 04:41:19 +00:00
Doug Barton
a6f06de54e BIND 9.8.2 tarball was re-rolled to remove 9.8.1 release notes. This change
was noticed by ISC at:

https://lists.isc.org/pipermail/bind-users/2012-April/087345.html

and verified by me both by comparing the contents of the old and new
distfiles and by verifying the PGP signature on the new distfile.

No PORTREVISION bump because these files were not installed.
2012-04-12 00:56:32 +00:00
Doug Barton
b0981920bd Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes.
For the port, switch to using the PORTDOCS macro.

Feature safe:	yes
2012-04-04 21:41:32 +00:00
Doug Barton
59eefda0a9 Upgrade to the latest security patch releases to address the
following DDOS bug:

Recursive name servers are failing with an assertion:
INSIST(! dns_rdataset_isassociated(sigrdataset))

At this time it is not thought that authoritative-only servers
are affected, but information about this bug is evolving rapidly.

Because it may be possible to trigger this bug even on networks
that do not allow untrusted users to access the recursive name
servers (perhaps via specially crafted e-mail messages, and/or
malicious web sites) it is recommended that ALL operators of
recursive name servers upgrade immediately.

For more information see:
https://www.isc.org/software/bind/advisories/cve-2011-tbd
which will be updated as more information becomes available.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313

Feature safe:	yes
2011-11-16 23:41:13 +00:00
Doug Barton
2b1dacc826 Remove more tags from pkg-descr files fo the form:
- Name
em@i.l

or variations thereof. While I'm here also fix some whitespace and other
formatting errors, including moving WWW: to the last line in the file.
2011-10-24 04:17:37 +00:00
Doug Barton
24bf9016b8 Upgrade to version 9.8.1. Release notes at:
https://deepthought.isc.org/article/AA-00446/81/
or
/usr/local/share/doc/bind98/CHANGES

Remove the patch incorporated upstream, and add new include to plist.
2011-09-01 04:43:58 +00:00
Doug Barton
2b4caa4539 Fix the location of the default pid file in named.8
Problem pointed out in the PR

PR:		conf/155006
Submitted by:	Helmut Schneider <jumper99@gmx.de>
2011-07-17 04:08:59 +00:00
Doug Barton
8ad17aaad7 Update to versions 9.8.0-P4, 9.7.3-P3, and 9.6-ESV-R4-P3.
ALL BIND USERS ENCOURAGED TO UPGRADE IMMEDIATELY

This update addresses the following vulnerabilities:

CVE-2011-2464
=============
Severity:	High
Exploitable:	Remotely

Description:

A defect in the affected BIND 9 versions allows an attacker to remotely
cause the "named" process to exit using a specially crafted packet. This
defect affects both recursive and authoritative servers. The code location
of the defect makes it impossible to protect BIND using ACLs configured
within named.conf or by disabling any features at compile-time or run-time.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464
https://www.isc.org/software/bind/advisories/cve-2011-2464

CVE-2011-2465
=============
Severity:	High
Exploitable:	Remotely

Description:

A defect in the affected versions of BIND could cause the "named" process
to exit when queried, if the server has recursion enabled and was
configured with an RPZ zone containing certain types of records.
Specifically, these are any DNAME record and certain kinds of CNAME
records.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2465
https://www.isc.org/software/bind/advisories/cve-2011-2465

Additional changes in this version:

* If named is configured to be both authoritative and resursive and
  receives a recursive query for a CNAME in a zone that it is
  authoritative for, if that CNAME also points to a zone the server
  is authoritative for, the recursive part of name will not follow
  the CNAME change and the response will not be a complete CNAME
  chain. [RT #24455]

  Thus the patch for this bug has been removed from the port

* Using Response Policy Zone (RPZ) to query a wildcard CNAME label
  with QUERY type SIG/RRSIG, it can cause named to crash. Fix is
  query type independant. [RT #24715] [CVE-2011-1907]
2011-07-05 21:19:20 +00:00
Doug Barton
cc27c4205b Upgrade to 9.8.0-P2, which addresses the following issues:
1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.

This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.

2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.

Add a patch provided by ru@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.

Add a patch from ISC that will be in 9.8.1 to handle intermittent
failure of recursive queries involving CNAMEs and previously cached
responses.
2011-05-27 23:47:56 +00:00
Doug Barton
8d169919ad Upgrade to version 9.8.0-P1:
Certain response policy zone configurations could trigger an INSIST
when receiving a query of type RRSIG.

https://www.isc.org/CVE-2011-1907

This vulnerability is only possible if you have enable the new RPZ feature.
2011-05-06 21:13:52 +00:00
Doug Barton
16710e3397 This is 9.8.0, the first release version in the 9.8 series.
New features versus previous release candidates include:

* There is a new option in dig, +onesoa, that allows the final SOA
  record in an AXFR response to be suppressed. [RT #20929
* There is additional information displayed in the recursing log
  (qtype, qclass, qid and whether we are following the original
  name). [RT #22043]
* Added option 'resolver-query-timeout' in named.conf (max query
  timeout in seconds) to set a different value than the default (30
  seconds). A value of 0 means 'use the compiled in default';
  anything longer than 30 will be silently set to 30. [RT #22852]
* For Mac OS X, you can now have the test interfaces used during
  "make test" stay beyond reboot. See bin/tests/system/README for
  details.

There are also numerous bug fixes and enhancements. See
http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html
for more information.
2011-03-02 00:27:33 +00:00
Doug Barton
aeedf88383 Update to 9.8.0rc1, the latest from ISC:
* The ADB hash table stores informations about which authoritative
   servers to query about particular domains. Previous versions of
   BIND had the hash table size as a fixed value. On a busy recursive
   server, this could lead to hash table collisions in the ADB cache,
   resulting in degraded response time to queries. Bind 9.8 now has a
   dynamically scalable ADB hash table, which helps a busy server to
   avoid hash table collisions and maintain a consistent query
   response time.
2011-02-15 01:50:19 +00:00
Doug Barton
7745231f02 Update to 9.8.0b1, which in addition to DNS64 support also has
the following new features:

* BIND now supports a new zone type, static-stub. This allows the
administrator of a recursive nameserver to force queries for a
particular zone to go to IP addresses of the administrator's choosing,
on a per zone basis, both globally or per view.

* BIND now supports Response Policy Zones, a way of expressing
"reputation" in real time via specially constructed DNS zones. See the
draft specification here:
http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt

* Dynamically Loadable Zones (DLZ) now support dynamic updates.
Contributed by Andrew Tridgell of the Samba Project.

* Added a "dlopen" DLZ driver, allowing the creation of external DLZ
drivers that can be loaded as shared objects at runtime rather than
having to be linked with named at compile time. Currently this is
switched on via a compile-time option, "configure --with-dlz-dlopen".
Note: the syntax for configuring DLZ zones is likely to be refined in
future releases. Contributed by Andrew Tridgell of the Samba Project.

* numerous GSS-TSIG improvements

* There is a new update-policy match type "external". This allows
named to decide whether to allow a dynamic update by checking with an
external daemon. Contributed by Andrew Tridgell of the Samba Project.

* many other improvements

Feature safe:	yes
2011-01-22 07:43:53 +00:00
Doug Barton
56edb49edb We need _all_ the fixes from ../bind97 2010-12-18 09:50:45 +00:00
Doug Barton
e8e662732e We need the fixes from bind97 for the perl problem here, not bind96 2010-12-18 08:58:26 +00:00
Doug Barton
1520b8d691 Add a -devel port for 9.8.0a1, which will allow people to experiment
with DNS64. Once 9.8.0 is released officially the -devel tag will be
removed.

BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND
architecture.  Some of the important features of BIND 9 are:

DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
     Experimental IPv6 Resolver Library
DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
     Improved standards conformance
Views: One server process can provide multiple "views" of the DNS namespace,
     e.g. an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support

BIND 9.8 includes a number of changes from BIND 9.7 and earlier releases,
including:
	Preliminary DNS64 support (AAAA synthesis only initially)

See the CHANGES file for more information on features.

WWW: https://www.isc.org/software/bind
2010-12-17 22:48:55 +00:00