bind94 9.4.2.1_1 dns =12

The BIND DNS suite with updated DNSSEC and threads
Maintained by: dougb@FreeBSD.org
Port Added: 28 Jan 2007 22:46:22
Also Listed In: net ipv6

---

---

BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND
architecture.  Some of the important features of BIND 9 are:

DNS Security
     DNSSEC (signed zones)
     TSIG (signed DNS requests)
IP version 6
     Answers DNS queries on IPv6 sockets
     IPv6 resource records (AAAA)
     Experimental IPv6 Resolver Library
DNS Protocol Enhancements
     IXFR, DDNS, Notify, EDNS0
     Improved standards conformance
Views
     One server process can provide multiple "views" of
     the DNS namespace, e.g. an "inside" view to certain
     clients, and an "outside" view to others.

Multiprocessor Support, including working threads in this version

WWW: http://www.isc.org/index.pl?/sw/bind/index.php

- Doug Barton
DougB@FreeBSD.org

CVSWeb : Sources : Main Web Site : Distfiles Availability : PortsMon

---

To install the port: cd /usr/ports/dns/bind94/ && make install clean
To add the package: pkg_add -r bind94

---

Configuration Options

===> The following configuration options are available for bind94-9.4.2.1_1:
     REPLACE_BASE=off (default) "Replace base BIND with this version"
     LARGE_FILE=off (default) "64-bit file support"
     SIGCHASE=off (default) "dig/host/nslookup will do DNSSEC validation"
     IPV6=off (default) "IPv6 Support (autodetected by default)"
     THREADS=off (default) "Compile w/threads (Not Recommended  Use 'make config' to modify these settings

---

Master Sites:

ftp://ftp.isc.org/isc/bind9/9.4.2-P1/

ftp://ftp.ciril.fr/pub/isc/bind9/9.4.2-P1/

ftp://ftp.funet.fi/pub/mirrors/ftp.isc.org/isc/bind9/9.4.2-P1/

ftp://ftp.freenet.de/pub/ftp.isc.org/isc/bind9/9.4.2-P1/

ftp://ftp.iij.ad.jp/pub/network/isc/bind9/9.4.2-P1/

ftp://ftp.dti.ad.jp/pub/net/isc/bind9/9.4.2-P1/

ftp://ftp.u-aizu.ac.jp/pub/net/isc/bind9/9.4.2-P1/

ftp://ftp.task.gda.pl/mirror/ftp.isc.org/isc/bind9/9.4.2-P1/

ftp://ftp.chl.chalmers.se/pub/isc/bind9/9.4.2-P1/

ftp://ftp.sunet.se/pub/network/isc/bind9/9.4.2-P1/

ftp://ftp.mirrorservice.org/sites/ftp.isc.org/isc/bind9/9.4.2-P1/

ftp://ftp.epix.net/pub/isc/bind9/9.4.2-P1/

ftp://ftp.nominum.com/pub/isc/bind9/9.4.2-P1/

ftp://ftp.ripe.net/mirrors/sites/ftp.isc.org/isc/bind9/9.4.2-P1/

ftp://ftp.ntua.gr/pub/net/isc/isc/bind9/9.4.2-P1/

http://dougbarton.us/Downloads/bind9/9.4.2-P1/

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/

Add an OPTION to turn on the ability of dns/host/nslookup to do
DNSSEC validation.

This is off by default, so no PORTREVISION bump.

Submitted by:   Andrei V. Lavreniyuk <andy.lavr@reactor-xg.kiev.ua>

Bump PORTREVISION for the patch to named-checkconf

Add the logic for the THREADS OPTION to be on for 7-RELEASE and above
(and off otherwise) that I'm using in dns/bind95

Add a patch to fix named-checkconf. The error condition was not being
properly tested for, so it would not report the error in some cases.

Thanks to marck@FreeBSD and mark@ISC for tracking this one down.

Upgrade to the -P1 versions of each port, which add stronger randomization
of the UDP query-source ports. The server will still use the same query
port for the life of the process, so users for whom the issue of cache
poisoning is highly significant may wish to periodically restart their
server using /etc/rc.d/named restart, or other suitable method.

In order to take advantage of this randomization users MUST have an
appropriate firewall configuration to allow UDP queries to be sent and
answers to be received on random ports; and users MUST NOT specify a
port number using the query-source[-v6] option.

The avoid-v[46]-udp-ports options exist for users who wish to eliminate
certain port numbers from being chosen by named for this purpose. See
the ARM Chatper 6 for more information.

Update CONFLICTS:
1. To take bind95 into account
2. s/bind9-sdb-ldap/bind9-sdb-mysql/
3. Delete references to BIND 8

Update the pkg-message to be even less version-specific, and tell the user
that /etc/rc.d/named will handle everything for them.

Fix pkg-plist by including a new file.

Pointy hat number N:M (where M = many) goes to: dougb
Approved by:    portmgr (erwin)

ISC recently announced that BIND 8 has been End-of-Life'd:
http://www.isc.org/index.pl?/sw/bind/bind8-eol.php

Therefore, per the previous announcement, remove the ports for BIND 8.
This includes the chinese/bind8 slave port, and mail/smc-milter which
has a dependency on libbind_r.a from BIND 8.x. The latter has been
unmaintained since 2005, and is 3 versions behind.

Approved by:    portmgr (linimon)

Update to BIND 9.4.2. Many bugs are fixed, please see the CHANGES
file for more details.

Approved by:    portmgr (erwin)

Update to 9.4.1-P1, which has fixes for the following:

1. The default access control lists (acls) are not being
correctly set. If not set anyone can make recursive queries
and/or query the cache contents.

See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925

2. The DNS query id generation is vulnerable to cryptographic
analysis which provides a 1 in 8 chance of guessing the next
query id for 50% of the query ids. This can be used to perform
cache poisoning by an attacker.

This bug only affects outgoing queries, generated by BIND 9 to
answer questions as a resolver, or when it is looking up data
for internal uses, such as when sending NOTIFYs to slave name
servers.

All users are encouraged to upgrade.

See also:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926

- Set --mandir and --infodir in CONFIGURE_ARGS if the configure script
  supports them.  This is determined by running ``configure --help'' in
  do-configure target and set the shell variable _LATE_CONFIGURE_ARGS
  which is then passed to CONFIGURE_ARGS.
- Remove --mandir and --infodir in ports' Makefile where applicable
  Few ports use REINPLACE_CMD to achieve the same effect, remove them too.
- Correct some manual pages location from PREFIX/man to MANPREFIX/man
- Define INFO_PATH where necessary
- Document that .info files are installed in a subdirectory relative to
  PREFIX/INFO_PATH and slightly change add-plist-info to use INFO_PATH and
  subdirectory detection.

PR:             ports/111470
Approved by:    portmgr
Discussed with: stas (Mk/*), gerald (info related stuffs)
Tested by:      pointyhat exp run

Update to version 9.4.1, a security update from ISC:

2172.   [bug]       query_addsoa() was being called with a non zone db.
                    [RT #16834]

        If you are running BIND 9.4.0 (either pre-release or final),
        you are advised to upgrade as soon as possible to BIND 9.4.1.

Update to the release version of 9.4.0.

Complete the update for bind94 after the repocopy, and hook it up.

3 vulnerabilities affecting 4 ports have been reported in the past 14 days

^* - modified, not new

All vulnerabilities