1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-11-28 01:06:17 +00:00
freebsd-ports/dns/bind95/Makefile
Doug Barton 49b20cc2f2 Update to version 9.3.2-P2, which addresses the vulnerability
announced by ISC dated 31 October (delivered via e-mail to the
bind-announce@isc.org list today):

Description:
	Because of OpenSSL's recently announced vulnerabilities
	(CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named,
	we are announcing this workaround and releasing patches.  A proof of
	concept attack on OpenSSL has been demonstrated for CAN-2006-4339.

	OpenSSL is required to use DNSSEC with BIND.

Fix for version 9.3.2-P1 and lower:
	Upgrade to BIND 9.2.3-P2, then generate new RSASHA1 and
	RSAMD5 keys for all old keys using the old default exponent
	and perform a key rollover to these new keys.

	These versions also change the default RSA exponent to be
	65537 which is not vulnerable to the attacks described in
	CAN-2006-4339.
2006-11-03 07:47:21 +00:00

134 lines
4.9 KiB
Makefile

# New ports collection makefile for: bind
# Date created: 6 October 2000
# Whom: will
#
# $FreeBSD$
#
# I stay very aware of developments with BIND in general, and with
# BIND 9 in particular. I frequently delay updating this port from
# a known-stable version due to concerns about stability of a newer
# version. If you are concerned about using the most recent ISC
# release you can generally build it cleanly from the source - Doug
PORTNAME= bind9
PORTVERSION= 9.3.2.2
CATEGORIES= dns net ipv6
MASTER_SITES= ${MASTER_SITE_ISC} \
http://dougbarton.us/Downloads/%SUBDIR%/
MASTER_SITE_SUBDIR= bind9/${ISCVERSION}
DISTNAME= bind-${ISCVERSION}
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX}
MAINTAINER= DougB@FreeBSD.org
COMMENT= Completely new version of the BIND DNS suite with updated DNSSEC
# ISC releases things like 9.3.0rc1, which our versioning doesn't like
ISCVERSION= 9.3.2-P2
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
--with-randomdev=/dev/random
USE_OPENSSL= yes
CONFLICTS= bind-8.* bind84-8.* bind9-dlz-* bind9-sdb-mysql-* host-* zh-bind-8.*
OPTIONS= REPLACE_BASE "Replace base BIND with this version" off \
THREADS "Compile with thread support (NOT RECOMMENDED!)" off
.include <bsd.port.pre.mk>
.if defined(WITH_OPENSSL_PORT)
CONFIGURE_ARGS+= --with-openssl=${LOCALBASE}
.else
CONFIGURE_ARGS+= --with-openssl
.endif
# ISC staff has informed me that for 9.3.x, threads are always a bad idea.
# Leave the affirmative option for those that want to experiment.
.if defined(WITH_THREADS)
CONFIGURE_ARGS+= --enable-threads
.else
CONFIGURE_ARGS+= --disable-threads
.endif
.if defined(WITH_REPLACE_BASE)
PKGNAMESUFFIX= -base
PREFIX= /usr
BIND_DESTETC= /etc/namedb
CONFIGURE_ARGS+= --prefix=${PREFIX} \
--sysconfdir=${BIND_DESTETC} \
--mandir=${MANPREFIX}/man
.else
BIND_DESTETC= ${PREFIX}/etc
.endif
PLIST_SUB= BIND_DESTETC="${BIND_DESTETC}"
MAN1= dig.1 host.1 nslookup.1
MAN3= lwres.3 lwres_addr_parse.3 lwres_buffer.3 lwres_buffer_add.3 \
lwres_buffer_back.3 lwres_buffer_clear.3 lwres_buffer_first.3 \
lwres_buffer_forward.3 lwres_buffer_getmem.3 lwres_buffer_getuint16.3 \
lwres_buffer_getuint32.3 lwres_buffer_getuint8.3 lwres_buffer_init.3 \
lwres_buffer_invalidate.3 lwres_buffer_putmem.3 \
lwres_buffer_putuint16.3 lwres_buffer_putuint32.3 \
lwres_buffer_putuint8.3 lwres_buffer_subtract.3 lwres_conf_clear.3 \
lwres_conf_get.3 lwres_conf_init.3 lwres_conf_parse.3 \
lwres_conf_print.3 lwres_config.3 lwres_context.3 \
lwres_context_allocmem.3 lwres_context_create.3 \
lwres_context_destroy.3 lwres_context_freemem.3 \
lwres_context_initserial.3 lwres_context_nextserial.3 \
lwres_context_sendrecv.3 lwres_endhostent.3 lwres_endhostent_r.3 \
lwres_freeaddrinfo.3 lwres_freehostent.3 lwres_gabn.3 \
lwres_gabnrequest_free.3 lwres_gabnrequest_parse.3 \
lwres_gabnrequest_render.3 lwres_gabnresponse_free.3 \
lwres_gabnresponse_parse.3 lwres_gabnresponse_render.3 \
lwres_gai_strerror.3 lwres_getaddrinfo.3 lwres_getaddrsbyname.3 \
lwres_gethostbyaddr.3 lwres_gethostbyaddr_r.3 lwres_gethostbyname.3 \
lwres_gethostbyname2.3 lwres_gethostbyname_r.3 lwres_gethostent.3 \
lwres_gethostent_r.3 lwres_getipnode.3 lwres_getipnodebyaddr.3 \
lwres_getipnodebyname.3 lwres_getnamebyaddr.3 lwres_getnameinfo.3 \
lwres_getrrsetbyname.3 lwres_gnba.3 lwres_gnbarequest_free.3 \
lwres_gnbarequest_parse.3 lwres_gnbarequest_render.3 \
lwres_gnbaresponse_free.3 lwres_gnbaresponse_parse.3 \
lwres_gnbaresponse_render.3 lwres_herror.3 lwres_hstrerror.3 \
lwres_inetntop.3 lwres_lwpacket_parseheader.3 \
lwres_lwpacket_renderheader.3 lwres_net_ntop.3 lwres_noop.3 \
lwres_nooprequest_free.3 lwres_nooprequest_parse.3 \
lwres_nooprequest_render.3 lwres_noopresponse_free.3 \
lwres_noopresponse_parse.3 lwres_noopresponse_render.3 \
lwres_packet.3 lwres_resutil.3 lwres_sethostent.3 \
lwres_sethostent_r.3 lwres_string_parse.3
MAN5= named.conf.5 rndc.conf.5
MAN8= dnssec-keygen.8 dnssec-signzone.8 lwresd.8 named-checkconf.8 \
named-checkzone.8 named.8 nsupdate.8 rndc-confgen.8 rndc.8
verify: checksum
gpg --verify ${DISTDIR}/${DISTNAME}${EXTRACT_SUFX}.asc
post-patch:
.for FILE in check/named-checkconf.8 named/named.8 nsupdate/nsupdate.8 \
rndc/rndc.8
@${MV} ${WRKSRC}/bin/${FILE} ${WRKSRC}/bin/${FILE}.Dist
@${SED} -e 's#/etc/named.conf#${BIND_DESTETC}/named.conf#g' \
-e 's#/etc/rndc.conf#${BIND_DESTETC}/rndc.conf#g' \
${WRKSRC}/bin/${FILE}.Dist > ${WRKSRC}/bin/${FILE}
.endfor
post-install:
${INSTALL_DATA} ${WRKSRC}/bin/rndc/rndc.conf \
${BIND_DESTETC}/rndc.conf.sample
.if !defined(NOPORTDOCS)
${MKDIR} ${DOCSDIR}/arm ${DOCSDIR}/misc
${INSTALL_DATA} ${WRKSRC}/doc/arm/Bv9ARM*html ${DOCSDIR}/arm
${INSTALL_DATA} ${WRKSRC}/doc/misc/[a-z]* ${DOCSDIR}/misc
${CP} ${WRKSRC}/CHANGES ${WRKSRC}/COPYRIGHT ${WRKSRC}/FAQ \
${WRKSRC}/README ${DOCSDIR}/
.endif
@${CAT} ${PKGMESSAGE}
.include <bsd.port.post.mk>