All 9.6 users with DNSSEC validation enabled should upgrade to this
version, or the latest version in the 9.7 branch, prior to 2011-03-31 in
order to avoid validation failures for names in .COM as described here:
https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record
In addition the fixes for this and other bugs, there are also the following:
* Various fixes to kerberos support, including GSS-TSIG
* Various fixes to avoid leaking memory, and to problems that could prevent
a clean shutdown of named
Feature safe: yes
2011-01-24 dns/staticcharge: abandoned by author
2011-01-21 shells/bash3-static: Use shells/bash or shells/bash-static instead
shells/bash3 is still used by devel/quilt
Feature safe: yes
the following new features:
* BIND now supports a new zone type, static-stub. This allows the
administrator of a recursive nameserver to force queries for a
particular zone to go to IP addresses of the administrator's choosing,
on a per zone basis, both globally or per view.
* BIND now supports Response Policy Zones, a way of expressing
"reputation" in real time via specially constructed DNS zones. See the
draft specification here:
http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
* Dynamically Loadable Zones (DLZ) now support dynamic updates.
Contributed by Andrew Tridgell of the Samba Project.
* Added a "dlopen" DLZ driver, allowing the creation of external DLZ
drivers that can be loaded as shared objects at runtime rather than
having to be linked with named at compile time. Currently this is
switched on via a compile-time option, "configure --with-dlz-dlopen".
Note: the syntax for configuring DLZ zones is likely to be refined in
future releases. Contributed by Andrew Tridgell of the Samba Project.
* numerous GSS-TSIG improvements
* There is a new update-policy match type "external". This allows
named to decide whether to allow a dynamic update by checking with an
external daemon. Contributed by Andrew Tridgell of the Samba Project.
* many other improvements
Feature safe: yes
2010-12-30 databases/p5-sqlrelay: broken and upstream disapeared
2010-12-30 devel/php-dbg2: No upstream support
2010-12-30 dns/fourcdns: upstream has disapeared
2010-12-31 emulators/win4bsd: Development has ceased and distfile is no longer available
2010-12-31 french/mozilla-flp: www/seamonkey port is deprecated. Consider using the www/firefox-i18n.
2010-12-31 french/xtel: Minitel services will be discontinued at the end of 2010.
2010-12-30 ftp/ftpq: upstream has disapeared
2010-12-30 graphics/paintlib: does not compile with new tiff and no more maintained upstream
2010-12-30 graphics/g3dviewer: does not build with gcc 4.2, upstream disapeared
2010-12-30 lang/scriba: Does not compile with gcc 4.2+, looks like abandonware
2010-12-30 math/rascal: Broken on every arch since 2008, looks like an abandonware
2010-12-31 net-mgmt/nrg: Project has vanished. Use cacti instead.
2010-12-31 security/hostsentry: Project is dead.
2010-12-31 sysutils/kcube: Project has vanished
2010-12-31 www/cybercalendar: has been unmaintained since 2001 and is unusable with dates after 2010 (see ports/150974)
2010-12-31 www/flock: Flock 3 moves from Firefox to Chromium
2010-12-31 www/linux-flock: Flock 3 moves from Firefox to Chromium
2010-12-30 x11-clocks/xtu: Looks like abandonware
Leave java/tya in for now, as it has outstanding PRs.
with DNS64. Once 9.8.0 is released officially the -devel tag will be
removed.
BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND
architecture. Some of the important features of BIND 9 are:
DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library
DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
Improved standards conformance
Views: One server process can provide multiple "views" of the DNS namespace,
e.g. an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support
BIND 9.8 includes a number of changes from BIND 9.7 and earlier releases,
including:
Preliminary DNS64 support (AAAA synthesis only initially)
See the CHANGES file for more information on features.
WWW: https://www.isc.org/software/bind
the following security vulnerability.
For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
Key algorithm rollover
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
Affects resolver operators who are validating with DNSSEC,
and querying zones which are in a key rollover period.
The bug will cause answers to incorrectly be marked as insecure.
For the port:
1. Add CONFLICT for the ../bind-tools port
2. Remove CONFLICT for the removed ../bind9 port
3. Remove OPTION for threads on < RELENG_7
4. Remove MD5 from distinfo
5. Switch to pkg-install to create the symlinks to /etc/namedb/ as
requested in [1]
PR: ports/151635 [1]
Submitted by: Benjamin Lee <ben@b1c1l1.com> [1]
the following security vulnerabilities.
For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
1. Cache incorrectly allows ncache and rrsig for the same type
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
Affects resolver operators whose servers are open to potential
attackers. Triggering the bug will cause the server to crash.
This bug applies even if you do not have DNSSEC enabled.
2. Using "allow-query" in the "options" or "view" statements to
restrict access to authoritative zones has no effect.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3615
Affects authoritative server operators who wish to generally
restrict queries to their authoritative zones, and are running
9.6.2-P2 or any version of 9.7.x. The bug will allow unauthorized
end users to receive answers to queries they should not.
For the port:
1. Add CONFLICT for the ../bind-tools port
2. Remove CONFLICT for the removed ../bind9 port
3. Remove OPTION for threads on < RELENG_7
4. Switch to pkg-install to create the symlinks to /etc/namedb/ as
requested in [1]
PR: ports/151635 [1]
Submitted by: Benjamin Lee <ben@b1c1l1.com> [1]
1. Add CONFLICT for the ../bind-tools port
2. Remove CONFLICT for the removed ../bind9 port
3. Remove OPTION for threads on < RELENG_7
4. Remove MD5 from distinfo
5. Switch to pkg-install to create the symlinks to /etc/namedb/ as
requested in [1]
PR: ports/151635 [1]
Submitted by: Benjamin Lee <ben@b1c1l1.com> [1]
the following security vulnerabilities.
For more information regarding these issues please see:
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
1. Cache incorrectly allows ncache and rrsig for the same type
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
Affects resolver operators whose servers are open to potential
attackers. Triggering the bug will cause the server to crash.
This bug applies even if you do not have DNSSEC enabled.
2. Using "allow-query" in the "options" or "view" statements to
restrict access to authoritative zones has no effect.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3615
Affects authoritative server operators who wish to generally
restrict queries to their authoritative zones, and are running
9.6.2-P2 or any version of 9.7.x. The bug will allow unauthorized
end users to receive answers to queries they should not.
3. Key algorithm rollover
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
Affects resolver operators who have 9.7.2-P2 installed,
are validating with DNSSEC, and querying zones which are
in a key rollover period. The bug will cause answers to
incorrectly be marked as insecure.
For the port:
1. Add CONFLICT for the ../bind-tools port
2. Switch to pkg-install to create the symlinks to /etc/namedb/ as
requested in [1]
PR: ports/151635 [1]
Submitted by: Benjamin Lee <ben@b1c1l1.com> [1]
- support reload command
- use nsdc cli has command and let it perform the actual start,stop,... of the daemon
- at start check if the database exists if not built it (this prevent the daemon to fail at starting)
- remove the now userless sleep in stop command
bump portrevision
PR: ports/152331
Submitted by: Philippe Pepiot <phil _at_ philpep.org>
Approved by: Jaap Akkerhuis <jaap _at_ NLnetLabs.nl> (maintainer)
