9.9.2

parent c450e7bf
--- 9.9.1-P4 released ---
--- 9.9.2 released ---
3383. [security] A certain combination of records in the RBT could
cause named to hang while populating the additional
section of a response. [RT #31090]
--- 9.9.1-P3 released ---
3373. [bug] win32: open raw files in binary mode. [RT #30944]
3364. [security] Named could die on specially crafted record.
[RT #30416]
--- 9.9.1-P2 released ---
--- 9.9.2rc1 released ---
3370. [bug] Address use after free while shutting down. [RT #30241]
3369. [bug] nsupdate terminated unexpectedly in interactive mode
if built with readline support. [RT #29550]
3368. [bug] <dns/iptable.h>, <dns/private.h> and <dns/zone.h>
were not C++ safe.
3367. [bug] dns_dnsseckey_create() result was not being checked.
[RT #30685]
3366. [bug] Fixed Read-After-Write dependency violation for IA64
atomic operations. [RT #25181]
3365. [bug] Removed spurious newlines from log messages in
zone.c [RT #30675]
3363. [bug] Need to allow "forward" and "fowarders" options
in static-stub zones; this had been overlooked.
[RT #30482]
3362. [bug] Setting some option values to 0 in named.conf
could trigger an assertion failure on startup.
[RT #27730]
3361. [bug] "rndc signing -nsec3param" didn't work correctly
when salt was set to '-' (no salt). [RT #30099]
3360. [bug] 'host -w' could die. [RT #18723]
3359. [bug] An improperly-formed TSIG secret could cause a
memory leak. [RT #30607]
3357. [port] Add support for libxml2-2.8.x [RT #30440]
3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
approaching their expiry, so they don't remain
in caches after expiry. [RT #26429]
3355. [port] Use more portable awk in verify system test.
3354. [func] Improve OpenSSL error logging. [RT #29932]
--- 9.9.2b1 released ---
3353. [bug] Use a single task for task exclusive operations.
[RT #29872]
3352. [bug] Ensure that learned server attributes timeout of the
adb cache. [RT #29856]
3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report
caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
memory debugging flags are set. [RT #30243]
3350. [bug] Memory read overrun in isc___mem_reallocate if
ISC_MEM_DEBUGCTX memory debugging flag is set.
[RT #30240]
3349. [bug] Change #3345 was incomplete. [RT #30233]
3348. [bug] Prevent RRSIG data from being cached if a negative
record matching the covering type exists at a higher
trust level. Such data already can't be retrieved from
the cache since change 3218 -- this prevents it
being inserted into the cache as well. [RT #26809]
3347. [bug] dnssec-settime: Issue a warning when writing a new
private key file would cause a change in the
permissions of the existing file. [RT #27724]
3346. [security] Bad-cache data could be used before it was
initialized, causing an assert. [RT #30025]
......@@ -20,15 +89,73 @@
or inserting the first item in an ISC_QUEUE.
[RT #29539]
3344. [func] New "dnssec-checkds" command checks a zone to
determine which DS records should be published
in the parent zone, or which DLV records should be
published in a DLV zone, and queries the DNS to
ensure that it exists. (Note: This tool depends
on python; it will not be built or installed on
systems that do not have a python interpreter.)
[RT #28099]
3342. [bug] Change #3314 broke saving of stub zones to disk
resulting in excessive cpu usage in some cases.
[RT #29952]
--- 9.9.1-P1 released ---
3341. [func] New "dnssec-verify" command checks a signed zone
to ensure correctness of signatures and of NSEC/NSEC3
chains. [RT #23673]
3339. [func] Allow the maximum supported rsa exponent size to be
specified: "max-rsa-exponent-size <value>;" [RT #29228]
3338. [bug] Address race condition in units tests: asyncload_zone
and asyncload_zt. [RT #26100]
3337. [bug] Change #3294 broke support for the multiple keys
in controls. [RT #29694]
3335. [func] nslookup: return a nonzero exit code when unable
to get an answer. [RT #29492]
3334. [bug] Hold a zone table reference while performing a
asyncronous load of a zone. [RT #28326]
3333. [bug] Setting resolver-query-timeout too low can cause
named to not recover if it loses connectivity.
[RT #29623]
3332. [bug] Re-use cached DS rrsets if possible. [RT #29446]
3331. [security] dns_rdataslab_fromrdataset could produce bad
rdataslabs. [RT #29644]
3330. [func] Fix missing signatures on NOERROR results despite
RPZ rewriting. Also
- add optional "recursive-only yes|no" to the
response-policy statement
- add optional "max-policy-ttl" to the response-policy
statement to limit the false data that
"recursive-only no" can introduce into
resolvers' caches
- add a RPZ performance test to bin/tests/system/rpz
when queryperf is available.
- the encoding of PASSTHRU action to "rpz-passthru".
(The old encoding is still accepted.)
[RT #26172]
3329. [bug] Handle RRSIG signer-name case consistently: We
generate RRSIG records with the signer-name in
lower case. We accept them with any case, but if
they fail to validate, we try again in lower case.
[RT #27451]
3328. [bug] Fixed inconsistent data checking in dst_parse.c.
[RT #29401]
3317. [func] Add ECDSA support (RFC 6605). [RT #21918]
--- 9.9.1 released ---
3318. [tuning] Reduce the amount of work performed while holding a
......
# Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
......
......@@ -51,6 +51,11 @@ BIND 9
For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
BIND 9.9.2
BIND 9.9.2 is a maintenance release and patches the security
flaw described in CVE-2012-4244.
BIND 9.9.1
BIND 9.9.1 is a maintenance release.
......@@ -178,7 +183,8 @@ Building
CFLAGS
C compiler flags. Defaults to include -g and/or -O2
as supported by the compiler.
as supported by the compiler. Please include '-g'
if you need to set CFLAGS.
STD_CINCLUDES
System header file directories. Can be used to specify
......@@ -295,6 +301,10 @@ Building
libraries. sh-utils-1.16 provides a "printf" which compiles
on SunOS 4.
Known limitations
Linux requires kernel build 2.6.39 or later to get the
performance benefits from using multiple sockets.
Documentation
......
/*
* Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
......@@ -138,6 +138,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if OpenSSL includes DSA support */
#undef HAVE_OPENSSL_DSA
/* Define if OpenSSL includes ECDSA support */
#undef HAVE_OPENSSL_ECDSA
/* Define to the length type used by the socket API (socklen_t, size_t, int). */
#undef ISC_SOCKADDR_LEN_T
......
# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
......@@ -20,7 +20,7 @@ VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = named rndc dig dnssec tests tools nsupdate \
check confgen @PKCS11_TOOLS@
check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
TARGETS =
@BIND9_MAKE_RULES@
# Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
......
......@@ -640,6 +640,9 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
{
isc_result_t result;
FILE *output = stdout;
const char *flags;
flags = (fileformat == dns_masterformat_text) ? "w+" : "wb+";
if (debug) {
if (filename != NULL && strcmp(filename, "-") != 0)
......@@ -650,7 +653,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
}
if (filename != NULL && strcmp(filename, "-") != 0) {
result = isc_stdio_open(filename, "w+", &output);
result = isc_stdio_open(filename, flags, &output);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not open output "
......
# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
......
# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
......
# Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
......
/*
* Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
......@@ -65,6 +65,7 @@ static isc_boolean_t in_use = ISC_FALSE;
static char defclass[MXRD] = "IN";
static char deftype[MXRD] = "A";
static isc_event_t *global_event = NULL;
static int query_error = 1, print_error = 0;
static char domainopt[DNS_NAME_MAXTEXT];
......@@ -414,6 +415,9 @@ isc_result_t
printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
char servtext[ISC_SOCKADDR_FORMATSIZE];
/* I've we've gotten this far, we've reached a server. */
query_error = 0;
debug("printmessage()");
isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
......@@ -441,6 +445,9 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
(msg->rcode != dns_rcode_nxdomain) ? nametext :
query->lookup->textname, rcode_totext(msg->rcode));
debug("returning with rcode == 0");
/* the lookup failed */
print_error |= 1;
return (ISC_R_SUCCESS);
}
......@@ -909,5 +916,5 @@ main(int argc, char **argv) {
destroy_libs();
isc_app_finish();
return (0);
return (query_error | print_error);
}
# Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
......@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.42 2009/12/05 23:31:40 each Exp $
# $Id: Makefile.in,v 1.42.332.1 2011/03/16 06:37:51 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
......@@ -44,19 +44,23 @@ NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@
dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
dnssec-verify@EXEEXT@
OBJS = dnssectool.@O@
SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
dnssec-revoke.c dnssec-settime.c dnssec-signzone.c dnssectool.c
dnssec-revoke.c dnssec-settime.c dnssec-signzone.c \
dnssec-verify.c dnssectool.c
MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8
dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8 \
dnssec-verify.8
HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \
dnssec-keygen.html dnssec-revoke.html \
dnssec-settime.html dnssec-signzone.html
dnssec-settime.html dnssec-signzone.html \
dnssec-verify.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
......@@ -82,6 +86,14 @@ dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-revoke.@O@ ${OBJS} ${LIBS}
......
.\" Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
......@@ -55,7 +55,7 @@ Use SHA\-256 as the digest algorithm.
.RS 4
Select the digest algorithm. The value of
\fBalgorithm\fR
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or GOST. These values are case insensitive.
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384). These values are case insensitive.
.RE
.PP
\-T \fITTL\fR
......@@ -153,5 +153,5 @@ RFC 4509.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2008\-2011 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2008\-2012 Internet Systems Consortium, Inc. ("ISC")
.br
/*
* Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
......@@ -327,7 +327,7 @@ usage(void) {
fprintf(stderr, " -K <directory>: directory in which to find "
"key file or keyset file\n");
fprintf(stderr, " -a algorithm: digest algorithm "
"(SHA-1, SHA-256 or GOST)\n");
"(SHA-1, SHA-256, GOST or SHA-384)\n");
fprintf(stderr, " -1: use SHA-1\n");
fprintf(stderr, " -2: use SHA-256\n");
fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
......@@ -450,6 +450,9 @@ main(int argc, char **argv) {
else if (strcasecmp(algname, "GOST") == 0)
dtype = DNS_DSDIGEST_GOST;
#endif
else if (strcasecmp(algname, "SHA384") == 0 ||
strcasecmp(algname, "SHA-384") == 0)
dtype = DNS_DSDIGEST_SHA384;
else
fatal("unknown algorithm %s", algname);
}
......
......@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
......@@ -40,6 +40,7 @@
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
......@@ -110,7 +111,8 @@
<para>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256) or GOST. These values are case insensitive.
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</para>
</listitem>
</varlistentry>
......
<!--
- Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
......@@ -32,14 +32,14 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543485"></a><h2>DESCRIPTION</h2>
<a name="id2543489"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543497"></a><h2>OPTIONS</h2>
<a name="id2543500"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
......@@ -54,7 +54,8 @@
<dd><p>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256) or GOST. These values are case insensitive.
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>
......@@ -115,7 +116,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543723"></a><h2>EXAMPLE</h2>
<a name="id2543726"></a><h2>EXAMPLE</h2>