and it's the first publicly released forwarding implementation
that implements the DNSCurve protocol.
WWW: http://curvedns.on2it.net/
PR: ports/153881
Submitted by: Leo Vandewoestijne <freebsd at dns-lab.com>
New features versus previous release candidates include:
* There is a new option in dig, +onesoa, that allows the final SOA
record in an AXFR response to be suppressed. [RT #20929
* There is additional information displayed in the recursing log
(qtype, qclass, qid and whether we are following the original
name). [RT #22043]
* Added option 'resolver-query-timeout' in named.conf (max query
timeout in seconds) to set a different value than the default (30
seconds). A value of 0 means 'use the compiled in default';
anything longer than 30 will be silently set to 30. [RT #22852]
* For Mac OS X, you can now have the test interfaces used during
"make test" stay beyond reboot. See bin/tests/system/README for
details.
There are also numerous bug fixes and enhancements. See
http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html
for more information.
ports. All of them are End of Life (no security updates) since a loooong time.
As they are not the default, I decided to go with a short expiration date (one
month). The maintainer of the few ports which depend upon the f8 infrastructure
is informed to take action (update to the default f10 infrastructure, or to
deprecate).
- Start before named, to unbreak named_wait if /etc/resolv.conf points
to dnsmasq (when named is the resolver that dnsmasq forwards to).
Is also more robust/maintenance friendly if other scripts depend on "named".
- Track if the configuration has changed since start, and upgrade reload
to restart by default in that case (can be disabled with
dnsmasq_restart="NO" in /etc/rc.conf[.local]), to work around dnsmasq
shortcoming
- Add a "logstats" action to the rcscript, and document it.
- Document the "reload" action and the new dnsmasq_restart variable.
- Properly quote variable expansions.
- Enhance pkg-message to point to the rcfile for feature documentation.
- Bump PORTREVISION to 2.
Remove support for FreeBSD releases 6.X.
Allow build with IDN but without NLS (this requires that dns/libidn
is also built WITHOUT_NLS) to expose an upstream change. Useful for embedded
devices.
Warn user if this is requested but libidn needs NLS libraries
because in that case dnsmasq inherits the NLS dependencies from libidn.
Remove files/patch-aa, it was a preview patch from a 2.57 test release,
fixing a regression in 2.56 that caused hex constants to be rejected in
the configuratino if they contained the '*' wildcard.
Further upstream changes:
- use own header for DNS protocol, rather than using arpa/nameser.h
- correct ctype.h function argument casts (isdigit(), isxdigit(), etc.)
- Accept extra empty arguments on command line to avoid libvirt breakage.
* The ADB hash table stores informations about which authoritative
servers to query about particular domains. Previous versions of
BIND had the hash table size as a fixed value. On a busy recursive
server, this could lead to hash table collisions in the ADB cache,
resulting in degraded response time to queries. Bind 9.8 now has a
dynamically scalable ADB hash table, which helps a busy server to
avoid hash table collisions and maintain a consistent query
response time.
* Zones may be dynamically added and removed with the "rndc addzone"
and "rndc delzone" commands. These dynamically added zones are
written to a per-view configuration file. Do not rely on the
configuration file name nor contents as this will change in a
future release. This is an experimental feature at this time.
* A new command "rndc secroots" was added to dump a combined summary
of the currently managed keys combined with statically configured
trust anchors.
* Added support to load new keys into managed zones without signing
immediately with "rndc loadkeys". Added support to link keys with
"dnssec-keygen -S" and "dnssec-settime -S".
All 9.6 users with DNSSEC validation enabled should upgrade to this
version, or the latest version in the 9.7 branch, prior to 2011-03-31 in
order to avoid validation failures for names in .COM as described here:
https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record
In addition the fixes for this and other bugs, there are also the following:
* Various fixes to kerberos support, including GSS-TSIG
* Various fixes to avoid leaking memory, and to problems that could prevent
a clean shutdown of named
Feature safe: yes
2011-01-24 dns/staticcharge: abandoned by author
2011-01-21 shells/bash3-static: Use shells/bash or shells/bash-static instead
shells/bash3 is still used by devel/quilt
Feature safe: yes
the following new features:
* BIND now supports a new zone type, static-stub. This allows the
administrator of a recursive nameserver to force queries for a
particular zone to go to IP addresses of the administrator's choosing,
on a per zone basis, both globally or per view.
* BIND now supports Response Policy Zones, a way of expressing
"reputation" in real time via specially constructed DNS zones. See the
draft specification here:
http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
* Dynamically Loadable Zones (DLZ) now support dynamic updates.
Contributed by Andrew Tridgell of the Samba Project.
* Added a "dlopen" DLZ driver, allowing the creation of external DLZ
drivers that can be loaded as shared objects at runtime rather than
having to be linked with named at compile time. Currently this is
switched on via a compile-time option, "configure --with-dlz-dlopen".
Note: the syntax for configuring DLZ zones is likely to be refined in
future releases. Contributed by Andrew Tridgell of the Samba Project.
* numerous GSS-TSIG improvements
* There is a new update-policy match type "external". This allows
named to decide whether to allow a dynamic update by checking with an
external daemon. Contributed by Andrew Tridgell of the Samba Project.
* many other improvements
Feature safe: yes
