Features
* Support for ILNP RR types: NID, L32, L64, LP (RFC6742).
* RRL, --enable-ratelimit at configure time and config options.
* TSIG initialization only fails when there is no digest found at all.
Bugfixes
* Bugfix #478: Declaration after statement (for gcc 2.95).
* Bugfix #483: Better error message in case of TSIG error.
* Bugfix #485: TTL should not be greater than 2^31 - 1.
* Fix RCODE when CNAME loop final answer does not exist,
should return NXDOMAIN as stated by RFC 6604.
* Fix --disable-full-prehash bug, where after multiple incoming IXFRs,
NSEC3 can be removed unjustified.
PR: 175837
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
A serious Multiple Zone Response Policy Zone (RPZ2)
Speed Improvement bug has been fixed.
`./configure --enable-rpz-nsip --enable-rpz-nsdname`
is now the default.
Responses affected by the all-per-second parameter
are always dropped. The slip value has no effect on them.
There are improved log messages for responses that are
dropped or "slipped," because they would require an
excessive identical referral.
- Add a patch to fix ECDSA keys (algorithms 13 & 14) for DNSSEC operation;
will be part of RC5.
- Fix CONFIGURE_ARGS for DNSSEC option (was CONFIGURE_FLAGS for some
mysterious reason) so cryptopp is actually compiled in.
Changelog: http://rtfm.powerdns.com/changelog.html#changelog-auth-3-2
PR: ports/175185
Submitted by: Ralf van der Enden <tremere@cainites.net> (maintainer)
released version of January 5, 2013.
This also includes performance patches to the BIND9
Response Policy Zones (DNS RPZ), Single Zone Response
Policy Zone (RPZ) Speed Improvement, in the same
patch.
More information: http://ss.vix.su/~vjs/rrlrpz.html
- Use CXXFLAGS, PTHREAD_LIBS during build
- Fix typo in pkg-descr
- Give maintainership to submitter
PR: ports/174005 [1]
Submitted by: Rodrigo (ros) OSORIO <rodrigo@bebik.net>
and no longer seems neccessary.
- Remove superfluous PORTVERSION and space
- Remove COPYING from PORTDOCS since LICENSE is defined
- Drop ABI version from LIB_DEPENDS
- Tab -> space in pkg-descr WWW line
- Remove FreeBSD keyword from pkg-plist
Upstream changes:
Fix regression which broke forwarding of queries sent via
TCP which are not for A and AAAA and which were directed to
non-default servers. Thanks to Niax for the bug report.
Fix failure to build with DHCP support excluded. Thanks to
Gustavo Zacarias for the patch.
Fix nasty regression in 2.64 which completely broke caching.
For dns/openresolv give proper attribution. This was a copy/paste
mistake the submitter made, which incorrectly gave me attribution
for that file. I did not create it.
BIND 9 nameservers using the DNS64 IPv6 transition mechanism are
vulnerable to a software defect that allows a crafted query to
crash the server with a REQUIRE assertion failure. Remote
exploitation of this defect can be achieved without extensive
effort, resulting in a denial-of-service (DoS) vector against
affected servers.
Security: 2892a8e2-3d68-11e2-8e01-0800273fe665
CVE-2012-5688
Feature safe: yes
Changelog for version 2.64:
Handle DHCP FQDN options with all flag bits zero and --dhcp-client-update set.
Thanks to Bernd Krumbroeck for spotting the problem.
Finesse the check for /etc/hosts names which conflict with DHCP names.
Previously a name/address pair in /etc/hosts which didn't match the
name/address of a DHCP lease would generate a warning. Now that only
happens if there is not also a match. This allows multiple addresses for
a name in /etc/hosts with one of them assigned via DHCP.
Fix broken vendor-option processing for BOOTP. Thanks to Hans-Joachim
Baader for the bug report.
Don't report spurious netlink errors, regression in 2.63. Thanks to
Vladislav Grishenko for the patch.
Flag DHCP or DHCPv6 in startup logging. Thanks to Vladislav Grishenko for
the patch.
Add SetServersEx method in DBus interface. Thanks to Dan Williams for
the patch.
Add SetDomainServers method in DBus interface. Thanks to Roy Marples for
the patch.
Fix build with later Lua libraries. Thanks to Cristian Rodriguez for the
patch.
Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker for the patch.
Fix breakage of --host-record parsing, resulting in infinite loop at
startup. Regression in 2.63. Thanks to Haim Gelfenbeyn for spotting
this.
Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6 socket, this
allows multiple instances of dnsmasq on a single machine, in the same
way as for DHCPv4. Thanks to Gene Czarcinski and Vladislav Grishenko for
work on this.
Fix DHCPv6 to do access control correctly when it's configured with
--listen-address. Thanks to Gene Czarcinski for sorting this out.
Add a "wildcard" dhcp-range which works for any IPv6 subnet,
--dhcp-range=::,static. Useful for Stateless DHCPv6. Thanks to Vladislav
Grishenko for the patch.
Don't include lease-time in DHCPACK replies to DHCPINFORM queries, since
RFC-2131 says we shouldn't. Thanks to Wouter Ibens for pointing this
out.
Makefile tweak to do dependency checking on header files. Thanks to
Johan Peeters for the patch.
Check interface for outgoing unsolicited router advertisements, rather
than relying on interface address configuration. Thanks to Gene
Czarinski for the patch.
Handle better attempts to transmit on interfaces which are still doing
DAD, and specifically do not just transmit without setting source
address and interface, since this can cause very puzzling effects when a
router advertisement goes astray. Thanks again to Gene Czarinski.
Get RA timers right when there is more than one dhcp-range on a subnet.
2012-11-26 irc/tr-ircd: No more public distfiles
2012-11-26 lang/imp-interpreter: No more public distfiles
2012-11-26 games/xquarto: No more public distfiles
2012-11-26 games/six: No more public distfiles
2012-11-26 finance/gfp: No more public distfiles
2012-11-26 games/44bsd-hunt: No more public distfiles
2012-11-26 graphics/ale: No more public distfiles
2012-11-26 german/digibux: No more public distfiles
2012-11-26 java/eclipse-clay-core: No more public distfiles
2012-11-26 games/xbloody: No more public distfiles
2012-11-26 dns/sqldjbdns: No more public distfiles
Feature safe: yes
ldns 1.6.14 and ldns 1.6.15 had a bug in creating empty
bitmaps for NSEC3 on empty non-terminals; and were
unable to build a loadable pyldns module.
This release has those two bugs resolved.
PR: 173626
Submitted by: Geoffroy Desvernay <dgeo@centrale-marseille.fr>
Approved by: maintainer
Feature safe: yes
- Shorten GOST option description, to fit in old dialog's line restrictions on 8.x
- Use standard EXAMPLES/DOXYGEN descriptions
- Remove quotes from option descriptions
Approved by: Jaap Akkerhuis <jaap at NLnetLabs.nl> (maintainer)
Feature safe: yes
- Trim header
Changes:
* Bugfixes
* New Feature: Use of writev, to improve TCP response time
PR: ports/173261
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Feature safe: yes
chroot (NanoBSD for example). So use truncate -s... instead of dd
if=/dev/zero... to initialise the pdns DB.
PR: ports/172268
Submitted by: n_hibma
Feature safe: yes
- Add an entry to UPDATING about binary incompatibility in previous version of ldns
- Fix OptionsNG
- Bump PORTREVISION for all ports dependent on dns/ldns
- Remove ABI version numbers from LIB_DEPENDS while I'm here
PR: ports/173080 [1]
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer) [1]
Approved by: portmgr (erwin)
Feature safe: yes
2012-10-20 games/xripple: No more public distfiles
2012-10-20 games/wolf3d: No more public distfiles
2012-10-20 games/pets: No more public distfiles
2012-10-20 games/linux-enemyterritory-fortress: No more public distfiles
2012-10-20 games/linux-enemyterritory-etpub: No more public distfiles (for the .pk3)
2012-10-20 games/freesci: No more public distfiles
2012-10-20 dns/gresolver: No more public distfiles
2012-10-20 devel/vb2c: No more public distfiles
2012-10-20 devel/portlet-api: No more public distfiles
2012-10-20 devel/libsigc++: Abandoned upstream, no more depending ports
2012-10-20 devel/klassmodeler: Abandonware, depends on the deprecated wxGTK 2.4
2012-10-20 devel/ecos-tools: Depends on an obsolete version of wx, broken with gcc4.2 for long
2012-10-20 devel/datadesigner: Abandonware, depends on the deprecated wxGTK 2.4
Feature safe: yes
- add dns/py-dnspython to RUN_DEPENDS too, because easyzone will not
work w/o it
- remove some redundant python specific knobs: PYDISTUTILS_NOEGGINFO,
PYDISTUTILS_PKGNAME
- use PYEASYINSTALL_EGG in pkg-plist instead of redundant passing
PORTVERSION and PYTHON_VER there
- bump PORTREVISION because of dependencies change
PR: 172446
Submitted by: rm (myself)
Approved by: Attila Nagy <bra at fsn dot hu> (maintainer, by mail)
Feature safe: yes
- convert to optionsng
while here:
- limit python version to 2.x only
- remove deprecated attribution in pkg-descr
PR: 171786
Submitted by: William Grzybowski <william88 at gmail dot com>
Approved by: Andy Greenwood <greenwood.andy at gmail dot com> (prev maintainer)
Prevents a crash when queried for a record whose RDATA exceeds
65535 bytes.
Prevents a crash when validating caused by using "Bad cache" data
before it has been initialized.
ISC_QUEUE handling for recursive clients was updated to address
a race condition that could cause a memory leak. This rarely
occurred with UDP clients, but could be a significant problem
for a server handling a steady rate of TCP queries.
A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process.
For more information: https://kb.isc.org/article/AA-00788
- Update WWW to new location [1]
- Switch to GNU_CONFIGURE so that PREFIX is
properly respected on install, when not
set to LOCALBASE
PR: ports/170817 [1]
Submitted by: Stefan Caunter <stef@scaleengine.com> (maintainer)
WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
is already the default, so for those ports where we are doing:
@${MV} ${WRKDIR}/${PORTNAME} ${WRKSRC}
to avoid the problem of conflicts with the rc.d script of the same
name it is not necessary to define WRKSRC separately.
Clean up this mistake of mine, and standardize for the others.
This port is based on dns/dnsmasq 2.62_1,1 and has been updated to 2.63rc2.
Description (by Simon Kelley, the upstream maintainer):
Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server.
It is designed to provide DNS and, optionally, DHCP, to a small network. It
can serve the names of local machines which are not in the global DNS. The
DHCP server integrates with the DNS server and allows machines with
DHCP-allocated addresses to appear in the DNS with names configured either
in each host or in a central configuration file. Dnsmasq supports static and
dynamic DHCP leases and BOOTP/TFTP/PXE for network booting of diskless
machines.
command=foo >/dev/null 2>&1
|
v
command=foo
command_args='>/dev/null 2>&1'
This is clearly what should have been done, for several reasons.
No PORTREVISION bump because the old version simply ignored everything
after the space, and does not seem to have done any harm. However
it's good to clean these up so that similar errors aren't pasted into
a new script where they might actually matter.
I've also updated MASTER_SITES as the maintainer's site doesn't have version 1.0.
This can be changed back if/when the maintainer comes back.
Maintainer timeout after: 5 days
- Convert to new OptionsNG
- Add DNSSEC knob by popular demand. Disabling this will disable DNSSEC algorithms 13 and 14 and remove dependency on libcryptopp.
- Disabled botan support since it's broken with 1.8. When 1.10 becomes part of the ports tree it can be enabled again.
PR: ports/170196
Submitted by: Ralf van der Enden <tremere@cainites.net> (maintainer)
- Convert to new OptionsNG
- Add DNSSEC knob by popular demand. Disabling this will disable DNSSEC algorithms 13 and 14 and remove dependency on
libcryptopp.
- Also disabled botan support since it's broken with 1.8. When 1.10 becomes part of the ports tree it can be enabled again.
PR: ports/170195
Submitted by: Ralf van der Enden <tremere@cainites.net> (maintainer)
are no more self hosting so we are stuck with 0.25 version while pkgconf provide
the same set of features as 0.27 and a compatible frontend. A symlink to
pkg-config has been added for convenience and compatibility
This also introduces a new macro to use pkgconf in your ports:
USE_PKGCONFIG
it can take the following arguments:
- yes (meaning build only dep)
- build (meaning build only dep)
- run (meaning run only dep)
- both (meaning run and build dep)
From now on, USE_GNOME= pkgconfig is deprecated in favour of USE_PKGCONFIG.
The old gnome macro has been modified to use pkgconf but still in the same way (run
and build dep) to avoid large breakage.
While here, fix some ports relying on pkg-config but not specifying it, fix some
ports broken because they tested the wrong .pc files, and fix ports using pkg-config
--version to determine the pkg-config version instead of
pkg-config --modversion pkg-config as recommended by pkg-config.
With Hat: portmgr
Exp-runs by: bapt (pointhat-west), beat (pointyhat)
in BIND9
High numbers of queries with DNSSEC validation enabled can cause an
assertion failure in named, caused by using a "bad cache" data structure
before it has been initialized.
CVE: CVE-2012-3817
Posting date: 24 July, 2012
BUG FIXES:
- Fix for VU#624931 CVE-2012-2978: NSD denial of service
vulnerability from non-standard DNS packet from any host
on the internet.
PR: ports/170001
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Security: CVE-2012-2978
This module allows you to get the public suffix of a domain name using
the Public Suffix List from http://publicsuffix.org
A public suffix is one under which Internet users can directly register names.
Some examples of public suffixes are .com, .co.uk and pvt.k12.wy.us.
Accurately knowing the public suffix of a domain is useful when handling web
browser cookies, highlighting the most important part of a domain name in a
user interface or sorting URLs by web site.
WWW: http://pypi.python.org/pypi/publicsuffix/
PR: ports/169326
Submitted by: d.pryadko@rambler-co.ru
The initial g stands for Geographic, as gdnsd offers a plugin system for
geographic (or other sorts of) balancing, redirection, and service-state-conscious
failover. If you don't care about that feature, it's still quite good at being
a very fast, lean, and resilient authoritative-only server for static DNS data.
gdnsd is written in C using libev and pthreads with a focus on high performance,
low latency service. It does not offer any form of caching or recursive service,
and does not support DNSSEC.
WWW: http://code.google.com/p/gdnsd/
PR: ports/167946
Submitted by: Stefan Caunter <stef@scaleengine.com>
from ISC. These patched versions contain a critical bugfix:
Processing of DNS resource records where the rdata field is zero length
may cause various issues for the servers handling them.
Processing of these records may lead to unexpected outcomes. Recursive
servers may crash or disclose some portion of memory to the client.
Secondary servers may crash on restart after transferring a zone
containing these records. Master servers may corrupt zone data if the
zone option "auto-dnssec" is set to "maintain". Other unexpected
problems that are not listed here may also be encountered.
All BIND users are strongly encouraged to upgrade.
This is mostly a bugfix release. Most notable new features are ECDSA
support (RFC 6605) and command-line options for ldns-verify-zone for
validating against given keys and for safety margins on signatures
inception and expiration times.
- The examples and drill programs will now be built by default.
PR: ports/168296
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Approved by: itetcu (mentor)
the latest from ISC. These versions all contain the following:
Feature Change
* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)
[RT #28989]
Bug Fix
* The locking strategy around the handling of iterative queries
has been tuned to reduce unnecessary contention in a multi-
threaded environment.
Each version also contains other critical bug fixes.
All BIND users are encouraged to upgrade to these latest versions.
- set NO_LATEST_LINK
- while I'm here, add LICENSE (GPL2) and remove mention of it from pkg-descr
PR: 168192
Submitted by: Ralf van der Enden <tremere at cainites dot net> (maintainer)
- while I'm here, add LICENSE (GPL2) and remove mention of it from pkg-descr
changelog: http://doc.powerdns.com/changelog.html#changelog-auth-3-1
PR: 168198
Submitted by: Ralf van der Enden <tremere at cainites dot net> (maintainer)
The Net::DNS::Zone::Parser should be considered a preprocessor that "normalizes"
a zonefile.
It will read a zonefile in a format conforming to the relevant RFCs with the
addition of BIND's GENERATE directive from disk and will write fully specified
resource records (RRs) to a filehandle. Whereby:
- All comments are stripped
- There is one RR per line
- Each RR is fully expanded i.e. all domain names are fully qualified
(canonicalised) and the CLASS and TTLs are specified.
- Some RRs may be 'stripped' from the source or otherwise processed. For details
see the 'read' method.
Note that this module does not have a notion of what constitutes a valid zone;
it only parses. For example, the parser will happily parse RRs with ownernames
that are below in another zone because of an NS RR elsewhere in the zone.
WWW: http://search.cpan.org/dist/Net-DNS-Zone-Parser/
PR: ports/167708
Submitted by: Jimmy Bergman <jimmy@sigint.se>
should use to boost online privacy and security. It works
by encrypting all DNS traffic between the user and OpenDNS,
preventing any spying, spoofing or man-in-the-middle attacks.
WWW: https://www.opendns.com/technology/dnscrypt/
PR: ports/167833
Submitted by: Leo Vandewoestijne <freebsd@dns-lab.com>
Re-write interface discovery code on *BSD to use getifaddrs. This
is more portable, more straightforward, and allows us to find the
prefix length for IPv6 addresses.
Add ra-names, ra-stateless and slaac keywords for DHCPv6. Dnsmasq
can now synthesise AAAA records for dual-stack hosts which get IPv6
addresses via SLAAC. It is also now possible to use SLAAC and
stateless DHCPv6, and to tell clients to use SLAAC addresses as
well as DHCP ones. Thanks to Dave Taht for help with this.
Add --dhcp-duid to allow DUID-EN uids to be used.
Explicitly send DHCPv6 replies to the correct port, instead of relying
on clients to send requests with the correct source address, since
at least one client in the wild gets this wrong. Thanks to Conrda
Kostecki for help tracking this down.
Send a preference value of 255 in DHCPv6 replies when --dhcp-authoritative
is in effect. This tells clients not to wait around for other DHCP
servers.
Better logging of DHCPv6 options.
Add --host-record. Thanks to Rob Zwissler for the suggestion.
Invoke the DHCP script with action "tftp" when a TFTP file transfer
completes. The size of the file, address to which it was sent and
complete pathname are supplied. Note that version 2.60 introduced
some script incompatibilities associated with DHCPv6, and this is a
further change. To be safe, scripts should ignore unknown actions,
and if not IPv6-aware, should exit if the environment variable
DNSMASQ_IAID is set. The use-case for this is to track netboot/install.
Suggestion from Shantanu Gadgil.
Update contrib/port-forward/dnsmasq-portforward to reflect the
above.
Set the environment variable DNSMASQ_LOG_DHCP when running the
script if --log-dhcp is in effect, so that scripts can tailor their
logging verbosity. Suggestion from Malte Forkel.
Arrange that addresses specified with --listen-address work even
if there is no interface carrying the address. This is chiefly
useful for IPv4 loopback addresses, where any address in 127.0.0.0/8
is a valid loopback address, but normally only 127.0.0.1 appears
on the lo interface. Thanks to Mathieu Trudel-Lapierre for the idea
and initial patch.
Fix crash, introduced in 2.60, when a DHCPINFORM is received from
a network which has no valid dhcp-range. Thanks to Stephane Glondu
for the bug report.
Add a new DHCP lease time keyword, "deprecated" for --dhcp-range.
This is only valid for IPv6, and sets the preferred lease time for
both DHCP and RA to zero. The effect is that clients can continue
to use the address for existing connections, but new connections
will use other addresses, if they exist. This makes hitless renumbering
at least possible.
Fix bug in address6_available() which caused DHCPv6 lease acquisition
to fail if more than one dhcp-range is in use.
Provide RDNSS and DNSSL data in router advertisements, using the
settings provided for DHCP options option6:domain-search and
option6:dns-server.
Tweak logo/favicon.ico to add some transparency. Thanks to SamLT
for work on this.
Don't cache data from non-recursive nameservers, since it may
erroneously look like a valid CNAME to a non-existent name. Thanks
to Ben Winslow for finding this.
Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP on exactly
one interface and --bind-interfaces is set. This makes the OpenStack
use-case of one dnsmasq per virtual interface work. This is only
available on Linux; it's not supported on other platforms. Thanks
to Vishvananda Ishaya and the OpenStack team for the suggestion.
Updated French translation. Thanks to Gildas Le Nadan.
Give correct from-cache answers to explicit CNAME queries. Thanks
to Rob Zwissler for spotting this.
Add --tftp-lowercase option. Thanks to Oliver Rath for the patch.
Ensure that the DBus DhcpLeaseUpdated events are generated when a
lease goes through INIT_REBOOT state, even if the dhcp-script is
not in use. Thanks to Antoaneta-Ecaterina Ene for the patch.
Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks to Brad
Smith for spotting this.
was noticed by ISC at:
https://lists.isc.org/pipermail/bind-users/2012-April/087345.html
and verified by me both by comparing the contents of the old and new
distfiles and by verifying the PGP signature on the new distfile.
No PORTREVISION bump because these files were not installed.
For the port, switch to using the PORTDOCS macro.
Also, switch to the (identical) pkg-message in ../bind97 which was apparently missed
when the other ports were converted.
Feature safe: yes
Mozilla::PublicSuffix provides a single function that returns the public suffix
of a domain name by referencing a parsed copy of Mozilla's Public Suffix List.
From the official website at http://publicsuffix.org:
A "public suffix" is one under which Internet users can directly register names.
Some examples of public suffixes are .com, .co.uk and pvt.k12.wy.us. The Public
Suffix List is a list of all known public suffixes.
A copy of the official list is bundled with the distribution. As the official
list continues to be updated, the bundled copy will inevitably fall out of date.
Therefore, if the bundled copy is found to be over thirty days old, this
distribution's installer provides the option to check for a new version of the
list and download/use it if one is found.
WWW: http://search.cpan.org/dist/Mozilla-PublicSuffix/
Feature safe: yes
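As an added example (not code from the py-publicsuffix or Mozilla::PublicSuffix packages described above, nor their API), here is a small Python implementation of the Public Suffix List matching rules that both package descriptions rely on, run over a constructed excerpt of the list, together with the cookie-Domain check the first description names as a use case. The sample rules, function names and domains are this example's own.

```python
from __future__ import annotations
from typing import Optional

# Constructed excerpt in Public Suffix List format (not the real list, which
# has thousands of rules); comments start with "//", "*" is a wildcard label
# and "!" marks an exception to a wildcard rule.
SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
*.ck
!www.ck
us
k12.wy.us
pvt.k12.wy.us
// ===END ICANN DOMAINS===
"""


def parse_psl(text: str) -> list[str]:
    """Return the rules from PSL text, skipping blank lines and // comments."""
    return [line.split()[0].lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("//")]


def _matches(rule_labels: list[str], domain_labels: list[str]) -> bool:
    """A rule matches when, right to left, each rule label equals the domain
    label or is '*'; the domain may carry extra labels on the left."""
    if len(rule_labels) > len(domain_labels):
        return False
    return all(r in ("*", d) for r, d in
               zip(reversed(rule_labels), reversed(domain_labels)))


def public_suffix(domain: str, rules: list[str]) -> str:
    """PSL algorithm: a matching exception rule wins; otherwise the matching
    rule with the most labels; with no match the implicit rule is '*'."""
    labels = domain.lower().rstrip(".").split(".")
    best, best_is_exc = ["*"], False
    for rule in rules:
        is_exc = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _matches(rule_labels, labels):
            continue
        if is_exc and not best_is_exc:
            best, best_is_exc = rule_labels, True
        elif not best_is_exc and len(rule_labels) > len(best):
            best = rule_labels
    if best_is_exc:
        best = best[1:]  # exception rule: drop its leftmost label
    return ".".join(labels[len(labels) - len(best):])


def registrable_domain(domain: str, rules: list[str]) -> Optional[str]:
    """Public suffix plus one label, or None if the domain is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = len(public_suffix(domain, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[len(labels) - n - 1:])


def cookie_domain_allowed(request_host: str, cookie_domain: str,
                          rules: list[str]) -> bool:
    """Browser-style check of a Set-Cookie Domain attribute: reject a Domain
    that does not cover the request host, and reject a public suffix, which
    would let one site plant cookies read by every site under that suffix."""
    host = request_host.lower().rstrip(".")
    cd = cookie_domain.lower().strip(".")
    if host != cd and not host.endswith("." + cd):
        return False
    return public_suffix(cd, rules) != cd
```

With the real list, replace SAMPLE_PSL with the file contents from publicsuffix.org; the parsing and matching are the same.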
maintainer, wrote in message <4F70361B.7080306@thekelleys.org.uk>:
A bug has been found in dnsmasq 2.60 that can cause crashes. This is
configuration dependent: it either crashes frequently or not at all.
The configuration required is one which allows dnsmasq to receive
DHCPINFORM requests for which there is no valid dhcp-range. This is
rare.
Adding the patch he offers for download.
Feature safe: yes
- The LUA port option enables Lua support for DHCP lease-change scripts
- DHCPv6 support
- IPv6 Router Advertisement support
Changelog: http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
Feature safe: yes