| Commit History - (may be incomplete: see CVSWeb link above for full details) |
| Date | By | Description |
23 May 2012 04:41:19
9.8.3
|
dougb  |
Upgrade to BIND versions 9.9.1, 9.8.3, 9.7.6, and 9.6-ESV-R7,
the latest from ISC. These versions all contain the following:
Feature Change
* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)
[RT #28989]
Bug Fix
* The locking strategy around the handling of iterative queries
has been tuned to reduce unnecessary contention in a multi-
threaded environment.
Each version also contains other critical bug fixes.
All BIND users are encouraged to upgrade to these latest versions. |
12 Apr 2012 00:56:32
9.8.2
|
dougb  |
BIND 9.8.2 tarball was re-rolled to remove 9.8.1 release notes. This change
was noticed by ISC at:
https://lists.isc.org/pipermail/bind-users/2012-April/087345.html
and verified by me both by comparing the contents of the old and new
distfiles and by verifying the PGP signature on the new distfile.
No PORTREVISION bump because these files were not installed. |
04 Apr 2012 21:41:32
9.8.2
|
dougb  |
Update to version 9.8.2, the latest from ISC, which contains numerous bug fixes.
For the port, switch to using the PORTDOCS macro.
Feature safe: yes |
16 Nov 2011 23:41:13
9.8.1.1
|
dougb  |
Upgrade to the latest security patch releases to address the
following DDOS bug:
Recursive name servers are failing with an assertion:
INSIST(! dns_rdataset_isassociated(sigrdataset))
At this time it is not thought that authoritative-only servers
are affected, but information about this bug is evolving rapidly.
Because it may be possible to trigger this bug even on networks
that do not allow untrusted users to access the recursive name
servers (perhaps via specially crafted e-mail messages, and/or
malicious web sites) it is recommended that ALL operators of
recursive name servers upgrade immediately.
For more information see:
https://www.isc.org/software/bind/advisories/cve-2011-tbd
which will be updated as more information becomes available.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313
Feature safe: yes |
24 Oct 2011 04:17:38
9.8.1  |
dougb  |
Remove more tags from pkg-descr files of the form:
- Name
em@i.l
or variations thereof. While I'm here also fix some whitespace and other
formatting errors, including moving WWW: to the last line in the file. |
01 Sep 2011 04:43:58
9.8.1  |
dougb  |
Upgrade to version 9.8.1. Release notes at:
https://deepthought.isc.org/article/AA-00446/81/
or
/usr/local/share/doc/bind98/CHANGES
Remove the patch incorporated upstream, and add new include to plist. |
17 Jul 2011 04:08:59
9.8.0.4  |
dougb  |
Fix the location of the default pid file in named.8
Problem pointed out in the PR
PR: conf/155006
Submitted by: Helmut Schneider <jumper99@gmx.de> |
05 Jul 2011 21:19:20
9.8.0.4  |
dougb  |
Update to versions 9.8.0-P4, 9.7.3-P3, and 9.6-ESV-R4-P3.
ALL BIND USERS ENCOURAGED TO UPGRADE IMMEDIATELY
This update addresses the following vulnerabilities:
CVE-2011-2464
=============
Severity: High
Exploitable: Remotely
Description:
A defect in the affected BIND 9 versions allows an attacker to remotely
cause the "named" process to exit using a specially crafted packet. This (Only the first 15 lines of the commit message are shown above) |
27 May 2011 23:47:56
9.8.0.2  |
dougb  |
Upgrade to 9.8.0-P2, which addresses the following issues:
1. Very large RRSIG RRsets included in a negative cache can trigger
an assertion failure that will crash named (BIND 9 DNS) due to an
off-by-one error in a buffer size check.
This bug affects all resolving name servers, whether DNSSEC validation
is enabled or not, on all BIND versions prior to today. There is a
possibility of malicious exploitation of this bug by remote users.
2. Named could fail to validate zones listed in a DLV that validated
insecure without using DLV and had DS records in the parent zone.
Add a patch provided by ru@ and confirmed by ISC to fix a crash at
shutdown time when a SIG(0) key is being used.
Add a patch from ISC that will be in 9.8.1 to handle intermittent
failure of recursive queries involving CNAMEs and previously cached
responses. |
06 May 2011 21:13:52
9.8.0.1  |
dougb  |
Upgrade to version 9.8.0-P1:
Certain response policy zone configurations could trigger an INSIST
when receiving a query of type RRSIG.
https://www.isc.org/CVE-2011-1907
This vulnerability is only possible if you have enabled the new RPZ feature. |
02 Mar 2011 00:27:33
9.8.0  |
dougb  |
This is 9.8.0, the first release version in the 9.8 series.
New features versus previous release candidates include:
* There is a new option in dig, +onesoa, that allows the final SOA
record in an AXFR response to be suppressed. [RT #20929]
* There is additional information displayed in the recursing log
(qtype, qclass, qid and whether we are following the original
name). [RT #22043]
* Added option 'resolver-query-timeout' in named.conf (max query
timeout in seconds) to set a different value than the default (30
seconds). A value of 0 means 'use the compiled in default';
anything longer than 30 will be silently set to 30. [RT #22852]
* For Mac OS X, you can now have the test interfaces used during
"make test" stay beyond reboot. See bin/tests/system/README for
details.
There are also numerous bug fixes and enhancements. See
http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html
for more information. |
15 Feb 2011 01:50:19
9.8.0.r1  |
dougb  |
Update to 9.8.0rc1, the latest from ISC:
* The ADB hash table stores information about which authoritative
servers to query about particular domains. Previous versions of
BIND had the hash table size as a fixed value. On a busy recursive
server, this could lead to hash table collisions in the ADB cache,
resulting in degraded response time to queries. BIND 9.8 now has a
dynamically scalable ADB hash table, which helps a busy server to
avoid hash table collisions and maintain a consistent query
response time. |
22 Jan 2011 07:43:53
9.8.0.b1  |
dougb  |
Update to 9.8.0b1, which in addition to DNS64 support also has
the following new features:
* BIND now supports a new zone type, static-stub. This allows the
administrator of a recursive nameserver to force queries for a
particular zone to go to IP addresses of the administrator's choosing,
on a per zone basis, both globally or per view.
* BIND now supports Response Policy Zones, a way of expressing
"reputation" in real time via specially constructed DNS zones. See the
draft specification here:
http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
* Dynamically Loadable Zones (DLZ) now support dynamic updates.
Contributed by Andrew Tridgell of the Samba Project. (Only the first 15 lines of the commit message are shown above) |
18 Dec 2010 09:50:45
9.8.0.a1  |
dougb  |
We need _all_ the fixes from ../bind97 |
18 Dec 2010 08:58:26
9.8.0.a1  |
dougb  |
We need the fixes from bind97 for the perl problem here, not bind96 |
17 Dec 2010 22:48:55
9.8.0.a1  |
dougb  |
Add a -devel port for 9.8.0a1, which will allow people to experiment
with DNS64. Once 9.8.0 is released officially the -devel tag will be
removed.
BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND
architecture. Some of the important features of BIND 9 are:
DNS Security: DNSSEC (signed zones), TSIG (signed DNS requests)
IP version 6: Answers DNS queries on IPv6 sockets, IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library
DNS Protocol Enhancements: IXFR, DDNS, Notify, EDNS0
Improved standards conformance
Views: One server process can provide multiple "views" of the DNS namespace,
e.g. an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support
BIND 9.8 includes a number of changes from BIND 9.7 and earlier releases,
including:
Preliminary DNS64 support (AAAA synthesis only initially)
See the CHANGES file for more information on features.
WWW: https://www.isc.org/software/bind |