bind96 9.6.1 dns =5

The BIND DNS suite with updated DNSSEC and threads
Maintained by: dougb@FreeBSD.org
Port Added: 04 Jan 2009 07:12:24
Also Listed In: net ipv6

---

---

BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND
architecture.  Some of the important features of BIND 9 are:

DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
     Experimental IPv6 Resolver Library
DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
     Improved standards conformance
Views: One server process can provide multiple "views" of the DNS namespace,
     e.g. an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support, including working threads in this version

BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier releases,
including:
	Full NSEC3 support
	Automatic zone re-signing
	New update-policy methods tcp-self and 6to4-self

See the CHANGES file for more information on features.

WWW: https://www.isc.org/software/bind

- Doug Barton
DougB@FreeBSD.org

CVSWeb : Sources : Main Web Site : Distfiles Availability : PortsMon

---

Required Libraries: textproc/libxml2

---

To install the port: cd /usr/ports/dns/bind96/ && make install clean
To add the package: pkg_add -r bind96

---

Configuration Options

===> The following configuration options are available for bind96-9.6.1:
     SSL=on (default) "Building without OpenSSL removes DNSSEC"
     XML=on (default) "Support for xml statistics output"
     IDN=off (default) "Add IDN support to dig, host, etc."
     REPLACE_BASE=off (default) "Replace base BIND with this version"
     LARGE_FILE=off (default) "64-bit file support"
     SIGCHASE=off (default) "dig/host/nslookup will do DNSSEC validation"
     IPV6=off (default) "IPv6 Support (autodetected by default)"
     THREADS=on (default) "Compile with thread support"
===> Use 'make config' to modify these settings

---

Master Sites:

ftp://ftp.isc.org/isc/bind9/9.6.1/

ftp://ftp.ciril.fr/pub/isc/bind9/9.6.1/

ftp://ftp.funet.fi/pub/mirrors/ftp.isc.org/isc/bind9/9.6.1/

ftp://ftp.freenet.de/pub/ftp.isc.org/isc/bind9/9.6.1/

ftp://ftp.iij.ad.jp/pub/network/isc/bind9/9.6.1/

ftp://ftp.dti.ad.jp/pub/net/isc/bind9/9.6.1/

ftp://ftp.u-aizu.ac.jp/pub/net/isc/bind9/9.6.1/

ftp://ftp.task.gda.pl/mirror/ftp.isc.org/isc/bind9/9.6.1/

ftp://ftp.chl.chalmers.se/pub/isc/bind9/9.6.1/

ftp://ftp.sunet.se/pub/network/isc/bind9/9.6.1/

ftp://ftp.mirrorservice.org/sites/ftp.isc.org/isc/bind9/9.6.1/

ftp://ftp.epix.net/pub/isc/bind9/9.6.1/

ftp://ftp.nominum.com/pub/isc/bind9/9.6.1/

ftp://ftp.ripe.net/mirrors/sites/ftp.isc.org/isc/bind9/9.6.1/

ftp://ftp.ntua.gr/pub/net/isc/isc/bind9/9.6.1/

http://dougbarton.us/Downloads/bind9/9.6.1/

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/

Update to version 9.6.1, the latest from ISC. This version contains
numerous bug fixes and updates, especially in the DNSSEC code, including
the new NSEC3 protocol. Full details are available at:

http://oldwww.isc.org/sw/bind/view/?release=9.6.1&noframes=1

- Flip from MAKE_JOBS_SAFE to MAKE_JOBS_UNSAFE, fails both on pointyhat and on
  my local machine

Fix CONFLICTS (again). The previous example didn't work at all for ports
other than plain bind9 since the real PORTNAMEs for the other ports are
bind9[456]. This fix has the added advantage of covering REPLACE_BASE.

Where it matters, update regarding MAKE_JOBS_{UN}SAFE for my ports

Update to the -P1 versions of the current BIND ports which contain
the fix for the following vulnerability: https://www.isc.org/node/373

Description:
Return values from OpenSSL library functions EVP_VerifyFinal()
and DSA_do_verify() were not checked properly.

Impact:
It is theoretically possible to spoof answers returned from
zones using the DNSKEY algorithms DSA (3) and NSEC3DSA (6).

In short, if you're not using DNSSEC to verify signatures you have
nothing to worry about.

While I'm here, address the issues raised in the PR by adding a knob
to disable building with OpenSSL altogether (which eliminates DNSSEC
capability), and fix the configure arguments to better deal with the
situation where the user has ssl bits in both the base and LOCALBASE.

PR:             ports/126297
Submitted by:   Ronald F.Guilmette <rfg@tristatelogic.com>

Update CONFLICTS to reflect the addition of the bind96 port,
the demise of bind9-dlz, and updates to the bind9-sdb-* ports.

Update after repo-copy for BIND 9.6.0

Forced commit to mark repo-copy from bind95

6 vulnerabilities affecting 11 ports have been reported in the past 14 days

^* - modified, not new

All vulnerabilities