svn commit: r216175 - in head/contrib/bind9: . bin/check bin/dig bin/named bin/named/include/named lib/dns lib/dns/include/dns lib/isc

Doug Barton dougb at FreeBSD.org
Sat Dec 4 05:58:57 UTC 2010


Author: dougb
Date: Sat Dec  4 05:58:56 2010
New Revision: 216175
URL: http://svn.freebsd.org/changeset/base/216175

Log:
  Update to version 9.6-ESV-R3, the latest from ISC, which addresses
  the following security vulnerabilities.
  
  For more information regarding these issues please see:
  http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
  
  1. Cache incorrectly allows ncache and rrsig for the same type
  
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
  
     Affects resolver operators whose servers are open to potential
     attackers. Triggering the bug will cause the server to crash.
  
     This bug applies even if you do not have DNSSEC enabled.
  
  2. Key algorithm rollover
  
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
  
     Affects resolver operators who are validating with DNSSEC, and
     querying zones which are in a key rollover period. The bug will
     cause answers to incorrectly be marked as insecure.

Added:
  head/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html
     - copied unchanged from r216170, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.html
  head/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.pdf
     - copied unchanged from r216170, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.pdf
  head/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt
     - copied unchanged from r216170, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.txt
  head/contrib/bind9/release-notes.css
     - copied unchanged from r216170, vendor/bind9/dist/release-notes.css
Modified:
  head/contrib/bind9/CHANGES
  head/contrib/bind9/bin/check/check-tool.c
  head/contrib/bind9/bin/check/check-tool.h
  head/contrib/bind9/bin/check/named-checkconf.c
  head/contrib/bind9/bin/check/named-checkzone.c
  head/contrib/bind9/bin/dig/host.c
  head/contrib/bind9/bin/named/client.c
  head/contrib/bind9/bin/named/include/named/query.h
  head/contrib/bind9/bin/named/query.c
  head/contrib/bind9/bin/named/server.c
  head/contrib/bind9/lib/dns/api
  head/contrib/bind9/lib/dns/include/dns/view.h
  head/contrib/bind9/lib/dns/journal.c
  head/contrib/bind9/lib/dns/rbtdb.c
  head/contrib/bind9/lib/dns/validator.c
  head/contrib/bind9/lib/dns/view.c
  head/contrib/bind9/lib/isc/api
  head/contrib/bind9/lib/isc/print.c
  head/contrib/bind9/version
Directory Properties:
  head/contrib/bind9/   (props changed)

Modified: head/contrib/bind9/CHANGES
==============================================================================
--- head/contrib/bind9/CHANGES	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/CHANGES	Sat Dec  4 05:58:56 2010	(r216175)
@@ -1,3 +1,55 @@
+
+	--- 9.6-ESV-R3 released ---
+
+2972.	[bug]		win32: address windows socket errors. [RT #21906]
+
+2971.	[bug]		Fixed a bug that caused journal files not to be
+			compacted on Windows systems as a result of
+			non-POSIX-compliant rename() semantics. [RT #22434]
+
+2970.	[security]	Adding a NO DATA negative cache entry failed to clear
+			any matching RRSIG records.  A subsequent lookup of
+			of NO DATA cache entry could trigger a INSIST when the
+			unexpected RRSIG was also returned with the NO DATA
+			cache entry.
+
+			CVE-2010-3613, VU#706148. [RT #22288]
+
+2969.	[security]	Fix acl type processing so that allow-query works
+			in options and view statements.  Also add a new
+			set of tests to verify proper functioning.
+
+			CVE-2010-3615, VU#510208. [RT #22418]
+
+2968.	[security]	Named could fail to prove a data set was insecure
+			before marking it as insecure.  One set of conditions
+			that can trigger this occurs naturally when rolling
+			DNSKEY algorithms.
+
+			CVE-2010-3614, VU#837744. [RT #22309]
+
+2967.	[bug]		'host -D' now turns on debugging messages earlier.
+			[RT #22361]
+
+2966.	[bug]		isc_print_vsnprintf() failed to check if there was
+			space available in the buffer when adding a left
+			justified character with a non zero width,
+			(e.g. "%-1c"). [RT #22270]
+
+2964.	[bug]		view->queryacl was being overloaded.  Seperate the
+			usage into view->queryacl, view->cacheacl and
+			view->queryonacl. [RT #22114]
+
+2962.	[port]		win32: add more dependencies to BINDBuild.dsw.
+			[RT #22062]
+
+2952.	[port]		win32: named-checkzone and named-checkconf failed
+			to initialise winsock. [RT #21932]
+
+2951.	[bug]		named failed to generate a correct signed response
+			in a optout, delegation only zone with no secure
+			delegations. [RT #22007]
+
 	--- 9.6-ESV-R2 released ---
 
 2939.	[func]		Check that named successfully skips NSEC3 records

Copied: head/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html (from r216170, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.html)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html	Sat Dec  4 05:58:56 2010	(r216175, copy of r216170, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.html)
@@ -0,0 +1,225 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!--
+ - Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: RELEASE-NOTES-BIND-9.6-ESV.html,v 1.1.2.2 2010/11/29 01:16:39 tbox Exp $ -->
+
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" type="text/css" href="release-notes.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article"><div class="titlepage"><hr /></div>
+
+  <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111950"></a>Introduction</h2></div></div></div>
+    
+    <p>
+			BIND 9.6-ESV-R3 is a maintenance release for BIND 9.6-ESV.
+		</p>
+    <p>
+			This document summarizes changes from BIND 9.6-ESV-R1 to BIND 9.6-ESV-R3.
+			Please see the CHANGES file in the source code release for a
+			complete list of all changes.
+		</p>
+  </div>
+
+  <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112014"></a>Download</h2></div></div></div>
+    
+    <p>
+			The latest release of BIND 9 software can always be found
+	 		on our web site at
+      <a class="ulink" href="http://www.isc.org/software/bind" target="_top">http://www.isc.org/software/bind</a>.
+  		There you will find additional information about each release,
+ 			source code, and some pre-compiled versions for certain operating
+ 			systems.
+		</p>
+  </div>
+
+  <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112037"></a>Support</h2></div></div></div>
+    
+    <p>Product support information is available on
+      <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
+      for paid support options.  Free support is provided by our user
+ 			community via a mailing list.  Information on all public email
+ 			lists is available at
+      <a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
+    </p>
+  </div>
+
+  <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111986"></a>New Features</h2></div></div></div>
+    
+		<div class="section" title="9.6-ESV-R2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112025"></a>9.6-ESV-R2</h3></div></div></div>
+			
+			<p>None.</p>
+		</div>
+		<div class="section" title="9.6-ESV-R3"><div class="titlepage"><div><div><h3 class="title"><a id="id36112098"></a>9.6-ESV-R3</h3></div></div></div>
+			
+			<p>None.</p>
+		</div>
+  </div>
+
+  <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112120"></a>Feature Changes</h2></div></div></div>
+    
+		<div class="section" title="9.6-ESV-R2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112125"></a>9.6-ESV-R2</h3></div></div></div>
+			
+			<p>None.</p>
+		</div>
+		<div class="section" title="9.6-ESV-R3"><div class="titlepage"><div><div><h3 class="title"><a id="id36112135"></a>9.6-ESV-R3</h3></div></div></div>
+			
+			<p>None.</p>
+		</div>
+  </div>
+
+  <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112146"></a>Security Fixes</h2></div></div></div>
+    
+		<div class="section" title="9.6-ESV-R2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112151"></a>9.6-ESV-R2</h3></div></div></div>
+			
+			<p>None.</p>
+		</div>
+		<div class="section" title="9.6-ESV-R3"><div class="titlepage"><div><div><h3 class="title"><a id="id36112160"></a>9.6-ESV-R3</h3></div></div></div>
+			
+			<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+				 	Adding a NO DATA signed negative response to cache failed to clear
+				  any matching RRSIG records already in cache. A subsequent lookup
+				  of the cached NO DATA entry could crash named (INSIST) when the
+				  unexpected RRSIG was also returned with the NO DATA cache entry.
+				  [RT #22288] [CVE-2010-3613] [VU#706148]
+				</li><li class="listitem">
+					BIND, acting as a DNSSEC validator, was determining if the NS RRset
+				  is insecure based on a value that could mean either that the RRset
+				  is actually insecure or that there wasn't a matching key for the RRSIG
+				  in the DNSKEY RRset when resuming from validating the DNSKEY RRset.
+				  This can happen when in the middle of a DNSKEY algorithm rollover,
+				  when two different algorithms were used to sign a zone but only the
+				  new set of keys are in the zone DNSKEY RRset.
+					[RT #22309] [CVE-2010-3614] [VU#837744]
+				</li></ul></div>
+		</div>
+  </div>
+
+  <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112186"></a>Bug Fixes</h2></div></div></div>
+    
+		<div class="section" title="9.6-ESV-R2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112191"></a>9.6-ESV-R2</h3></div></div></div>
+			
+	    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+					Check that named successfully skips NSEC3 records
+					that fail to match the NSEC3PARAM record currently
+					in use.
+					[RT #21868]
+				</li><li class="listitem">
+					Worked around a race condition in the cache database memory
+					handling.  Without this fix a DNS cache DB or ADB could
+					incorrectly stay in an over memory state, effectively refusing
+					further caching, which subsequently made a BIND 9 caching
+					server unworkable.
+					[RT #21818]
+				</li><li class="listitem">
+					BIND did not properly handle non-cacheable negative responses
+					from insecure zones. This caused several non-protocol-compliant
+					zones to become unresolvable.  BIND is now more accepting of
+					responses it receives from less strict servers.
+					[RT #21555]
+				</li><li class="listitem">
+					The resolver could attempt to destroy a fetch context too
+					soon, resulting in a crash.
+					[RT #19878]
+				</li><li class="listitem">
+					The placeholder negative caching element was not
+					properly constructed triggering a crash (INSIST) in 
+					dns_ncache_towire().
+					[RT #21346]
+				</li><li class="listitem">
+					Handle the introduction of new trusted-keys and
+					DS, DLV RRsets better.
+					[RT #21097]
+				</li><li class="listitem">
+					Fix arguments to dns_keytable_findnextkeynode() call.
+					[RT #20877]
+				</li></ul></div>
+		</div>
+		<div class="section" title="9.6-ESV-R3"><div class="titlepage"><div><div><h3 class="title"><a id="id36112232"></a>9.6-ESV-R3</h3></div></div></div>
+			
+	    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+					Microsoft changed the behavior of sockets between NT/XP based
+				  stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
+				  behavior, 2008r2 has the new behavior. With the change, different
+				  error results are possible, so ISC adapted BIND to handle the new
+				  error results.
+				  This resolves an issue where sockets would shut down on
+				  Windows servers causing named to stop responding to queries.
+					[RT #21906]
+				</li><li class="listitem">
+				 	Windows has non-POSIX compliant behavior in its rename() and unlink()
+				  calls. This caused journal compaction to fail on Windows BIND servers
+				  with the log error: "dns_journal_compact failed: failure".
+					[RT #22434]
+				</li><li class="listitem">
+					'host -D' now turns on debugging messages earlier.
+					[RT #22361]
+				</li><li class="listitem">
+          isc_print_vsnprintf() failed to check if there was
+					space available in the buffer when adding a left
+					justified character with a non zero width,
+					(e.g. "%-1c").
+					[RT #22270]
+				</li><li class="listitem">
+          view-&gt;queryacl was being overloaded.  Seperate the
+					usage into view-&gt;queryacl, view-&gt;cacheacl and
+					view-&gt;queryonacl.
+					[RT #22114]
+				</li><li class="listitem">
+          win32: add more dependencies to BINDBuild.dsw.
+          [RT #22062]
+				</li><li class="listitem">
+          win32: named-checkzone and named-checkconf failed
+          to initialise winsock.
+					[RT #21932]
+				</li><li class="listitem">
+          named failed to generate a correct signed response
+          in a optout, delegation only zone with no secure
+          delegations.
+					[RT #22007]
+				</li></ul></div>
+		</div>
+  </div>
+  
+  <div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112280"></a>Known issues in this release</h2></div></div></div>
+    
+    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+        <p>
+          "make test" will fail on OSX and possibly other operating systems.
+          The failure occurs in a new test to check for allow-query ACLs.
+          The failure is caused because the source address is not specified on
+          the dig commands issued in the test.
+        </p>
+        <p>
+          If running "make test" is part of your usual acceptance process,
+          please edit the file <code class="code">bin/tests/system/allow_query/test.sh</code>
+          and add
+          </p><p>
+            <code class="code">-b 10.53.0.2</code>
+          </p><p>
+          to the <code class="code">DIGOPTS</code> line.
+        </p>
+      </li></ul></div>
+  </div>
+
+  <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112315"></a>Thank You</h2></div></div></div>
+    
+    <p>
+      Thank you to everyone who assisted us in making this release possible.
+      If you would like to contribute to ISC to assist us in continuing to make
+      quality open source software, please visit our donations page at
+      <a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
+    </p>
+  </div>
+</div></body></html>

Copied: head/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.pdf (from r216170, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.pdf)
==============================================================================
Binary file (source and/or target). No diff available.

Copied: head/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt (from r216170, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.txt)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt	Sat Dec  4 05:58:56 2010	(r216175, copy of r216170, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6-ESV.txt)
@@ -0,0 +1,133 @@
+     __________________________________________________________________
+
+Introduction
+
+   BIND 9.6-ESV-R3 is a maintenance release for BIND 9.6-ESV.
+
+   This document summarizes changes from BIND 9.6-ESV-R1 to BIND
+   9.6-ESV-R3. Please see the CHANGES file in the source code release for
+   a complete list of all changes.
+
+Download
+
+   The latest release of BIND 9 software can always be found on our web
+   site at http://www.isc.org/software/bind. There you will find
+   additional information about each release, source code, and some
+   pre-compiled versions for certain operating systems.
+
+Support
+
+   Product support information is available on
+   http://www.isc.org/services/support for paid support options. Free
+   support is provided by our user community via a mailing list.
+   Information on all public email lists is available at
+   https://lists.isc.org/mailman/listinfo.
+
+New Features
+
+9.6-ESV-R2
+
+   None.
+
+9.6-ESV-R3
+
+   None.
+
+Feature Changes
+
+9.6-ESV-R2
+
+   None.
+
+9.6-ESV-R3
+
+   None.
+
+Security Fixes
+
+9.6-ESV-R2
+
+   None.
+
+9.6-ESV-R3
+
+     * Adding a NO DATA signed negative response to cache failed to clear
+       any matching RRSIG records already in cache. A subsequent lookup of
+       the cached NO DATA entry could crash named (INSIST) when the
+       unexpected RRSIG was also returned with the NO DATA cache entry.
+       [RT #22288] [CVE-2010-3613] [VU#706148]
+     * BIND, acting as a DNSSEC validator, was determining if the NS RRset
+       is insecure based on a value that could mean either that the RRset
+       is actually insecure or that there wasn't a matching key for the
+       RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY
+       RRset. This can happen when in the middle of a DNSKEY algorithm
+       rollover, when two different algorithms were used to sign a zone
+       but only the new set of keys are in the zone DNSKEY RRset. [RT
+       #22309] [CVE-2010-3614] [VU#837744]
+
+Bug Fixes
+
+9.6-ESV-R2
+
+     * Check that named successfully skips NSEC3 records that fail to
+       match the NSEC3PARAM record currently in use. [RT #21868]
+     * Worked around a race condition in the cache database memory
+       handling. Without this fix a DNS cache DB or ADB could incorrectly
+       stay in an over memory state, effectively refusing further caching,
+       which subsequently made a BIND 9 caching server unworkable. [RT
+       #21818]
+     * BIND did not properly handle non-cacheable negative responses from
+       insecure zones. This caused several non-protocol-compliant zones to
+       become unresolvable. BIND is now more accepting of responses it
+       receives from less strict servers. [RT #21555]
+     * The resolver could attempt to destroy a fetch context too soon,
+       resulting in a crash. [RT #19878]
+     * The placeholder negative caching element was not properly
+       constructed triggering a crash (INSIST) in dns_ncache_towire(). [RT
+       #21346]
+     * Handle the introduction of new trusted-keys and DS, DLV RRsets
+       better. [RT #21097]
+     * Fix arguments to dns_keytable_findnextkeynode() call. [RT #20877]
+
+9.6-ESV-R3
+
+     * Microsoft changed the behavior of sockets between NT/XP based
+       stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
+       behavior, 2008r2 has the new behavior. With the change, different
+       error results are possible, so ISC adapted BIND to handle the new
+       error results. This resolves an issue where sockets would shut down
+       on Windows servers causing named to stop responding to queries. [RT
+       #21906]
+     * Windows has non-POSIX compliant behavior in its rename() and
+       unlink() calls. This caused journal compaction to fail on Windows
+       BIND servers with the log error: "dns_journal_compact failed:
+       failure". [RT #22434]
+     * 'host -D' now turns on debugging messages earlier. [RT #22361]
+     * isc_print_vsnprintf() failed to check if there was space available
+       in the buffer when adding a left justified character with a non
+       zero width, (e.g. "%-1c"). [RT #22270]
+     * view->queryacl was being overloaded. Seperate the usage into
+       view->queryacl, view->cacheacl and view->queryonacl. [RT #22114]
+     * win32: add more dependencies to BINDBuild.dsw. [RT #22062]
+     * win32: named-checkzone and named-checkconf failed to initialise
+       winsock. [RT #21932]
+     * named failed to generate a correct signed response in a optout,
+       delegation only zone with no secure delegations. [RT #22007]
+
+Known issues in this release
+
+     * "make test" will fail on OSX and possibly other operating systems.
+       The failure occurs in a new test to check for allow-query ACLs. The
+       failure is caused because the source address is not specified on
+       the dig commands issued in the test.
+       If running "make test" is part of your usual acceptance process,
+       please edit the file bin/tests/system/allow_query/test.sh and add
+       -b 10.53.0.2
+       to the DIGOPTS line.
+
+Thank You
+
+   Thank you to everyone who assisted us in making this release possible.
+   If you would like to contribute to ISC to assist us in continuing to
+   make quality open source software, please visit our donations page at
+   http://www.isc.org/supportisc.

Modified: head/contrib/bind9/bin/check/check-tool.c
==============================================================================
--- head/contrib/bind9/bin/check/check-tool.c	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/bin/check/check-tool.c	Sat Dec  4 05:58:56 2010	(r216175)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.c,v 1.35.36.3 2009/01/20 02:03:18 marka Exp $ */
+/* $Id: check-tool.c,v 1.35.36.3.24.2 2010/09/07 23:46:25 tbox Exp $ */
 
 /*! \file */
 
@@ -23,6 +23,10 @@
 
 #include <stdio.h>
 
+#ifdef _WIN32
+#include <Winsock2.h>
+#endif
+
 #include "check-tool.h"
 #include <isc/buffer.h>
 #include <isc/log.h>
@@ -662,3 +666,26 @@ dump_zone(const char *zonename, dns_zone
 
 	return (result);
 }
+
+#ifdef _WIN32
+void
+InitSockets(void) {
+	WORD wVersionRequested;
+	WSADATA wsaData;
+	int err;
+
+	wVersionRequested = MAKEWORD(2, 0);
+
+	err = WSAStartup( wVersionRequested, &wsaData );
+	if (err != 0) {
+		fprintf(stderr, "WSAStartup() failed: %d\n", err);
+		exit(1);
+	}
+}
+
+void
+DestroySockets(void) {
+	WSACleanup();
+}
+#endif
+
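Review bot: InitSockets() treats any zero return from WSAStartup() as success and never reads `wsaData.wVersion`, so the Winsock version actually negotiated is not compared with the 2.0 requested by `MAKEWORD(2, 0)`. Adding `if (LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 0) { WSACleanup(); exit(1); }` after the existing error check, with a stderr message like the one above it, would make the tools fail clearly instead of running on an unexpected stack. Both functions also lack a header comment; `/* Initialise Winsock for the check tools; exits on failure. */` and `/* Release the Winsock reference taken by InitSockets(). */` would do. `exit()` needs `<stdlib.h>`, and no include for it is visible in this diff.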

Modified: head/contrib/bind9/bin/check/check-tool.h
==============================================================================
--- head/contrib/bind9/bin/check/check-tool.h	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/bin/check/check-tool.h	Sat Dec  4 05:58:56 2010	(r216175)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.h,v 1.14 2007/06/18 23:47:17 tbox Exp $ */
+/* $Id: check-tool.h,v 1.14.628.2 2010/09/07 23:46:26 tbox Exp $ */
 
 #ifndef CHECK_TOOL_H
 #define CHECK_TOOL_H
@@ -43,6 +43,11 @@ isc_result_t
 dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 	  dns_masterformat_t fileformat, const dns_master_style_t *style);
 
+#ifdef _WIN32
+void InitSockets(void);
+void DestroySockets(void);
+#endif
+
 extern int debug;
 extern isc_boolean_t nomerge;
 extern isc_boolean_t docheckmx;

Modified: head/contrib/bind9/bin/check/named-checkconf.c
==============================================================================
--- head/contrib/bind9/bin/check/named-checkconf.c	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/bin/check/named-checkconf.c	Sat Dec  4 05:58:56 2010	(r216175)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkconf.c,v 1.46.222.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: named-checkconf.c,v 1.46.222.2.24.2 2010/09/07 23:46:26 tbox Exp $ */
 
 /*! \file */
 
@@ -453,6 +453,10 @@ main(int argc, char **argv) {
 	if (conffile == NULL || conffile[0] == '\0')
 		conffile = NAMED_CONFFILE;
 
+#ifdef _WIN32
+	InitSockets();
+#endif
+
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
 	RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
@@ -494,5 +498,9 @@ main(int argc, char **argv) {
 
 	isc_mem_destroy(&mctx);
 
+#ifdef _WIN32
+	DestroySockets();
+#endif
+
 	return (exit_status);
 }

Modified: head/contrib/bind9/bin/check/named-checkzone.c
==============================================================================
--- head/contrib/bind9/bin/check/named-checkzone.c	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/bin/check/named-checkzone.c	Sat Dec  4 05:58:56 2010	(r216175)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkzone.c,v 1.51.34.4 2009/11/10 20:01:41 each Exp $ */
+/* $Id: named-checkzone.c,v 1.51.34.4.10.2 2010/09/07 23:46:26 tbox Exp $ */
 
 /*! \file */
 
@@ -419,6 +419,10 @@ main(int argc, char **argv) {
 	if (isc_commandline_index + 2 != argc)
 		usage();
 
+#ifdef _WIN32
+	InitSockets();
+#endif
+
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 	if (!quiet)
 		RUNTIME_CHECK(setup_logging(mctx, errout, &lctx)
@@ -453,5 +457,8 @@ main(int argc, char **argv) {
 	isc_hash_destroy();
 	isc_entropy_detach(&ectx);
 	isc_mem_destroy(&mctx);
+#ifdef _WIN32
+	DestroySockets();
+#endif
 	return ((result == ISC_R_SUCCESS) ? 0 : 1);
 }

Modified: head/contrib/bind9/bin/dig/host.c
==============================================================================
--- head/contrib/bind9/bin/dig/host.c	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/bin/dig/host.c	Sat Dec  4 05:58:56 2010	(r216175)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: host.c,v 1.116.216.3 2009/09/08 23:28:20 marka Exp $ */
+/* $Id: host.c,v 1.116.216.3.10.2 2010/10/19 23:46:25 tbox Exp $ */
 
 /*! \file */
 
@@ -625,7 +625,9 @@ pre_parse_args(int argc, char **argv) {
 		case 'v': break;
 		case 'w': break;
 		case 'C': break;
-		case 'D': break;
+		case 'D':
+			debugging = ISC_TRUE;
+			break;
 		case 'N': break;
 		case 'R': break;
 		case 'T': break;
@@ -792,7 +794,7 @@ parse_args(isc_boolean_t is_batchfile, i
 			ndots = atoi(isc_commandline_argument);
 			break;
 		case 'D':
-			debugging = ISC_TRUE;
+			/* Handled by pre_parse_args(). */
 			break;
 		case '4':
 			if (have_ipv4) {
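Review bot: With the `'D'` case in parse_args() reduced to a comment, `-D` only takes effect if pre_parse_args() has already seen the same argument vector. parse_args() takes an `is_batchfile` flag, so if it is ever called on arguments that did not pass through pre_parse_args() (not visible in these hunks), the option would now be silently ignored. The comment could state that dependency, e.g. `/* Handled by pre_parse_args(); callers must run it on the same argv first. */`. Both functions continue outside the hunks shown.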

Modified: head/contrib/bind9/bin/named/client.c
==============================================================================
--- head/contrib/bind9/bin/named/client.c	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/bin/named/client.c	Sat Dec  4 05:58:56 2010	(r216175)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.259.12.3 2009/01/29 22:40:33 jinmei Exp $ */
+/* $Id: client.c,v 1.259.12.3.24.2 2010/09/29 23:46:31 tbox Exp $ */
 
 #include <config.h>
 
@@ -1859,13 +1859,13 @@ client_request(isc_task_t *task, isc_eve
 				     client->view->recursionacl,
 				     ISC_TRUE) == ISC_R_SUCCESS &&
 	    ns_client_checkaclsilent(client, NULL,
-				     client->view->queryacl,
+				     client->view->cacheacl,
 				     ISC_TRUE) == ISC_R_SUCCESS &&
 	    ns_client_checkaclsilent(client, &client->interface->addr,
 				     client->view->recursiononacl,
 				     ISC_TRUE) == ISC_R_SUCCESS &&
 	    ns_client_checkaclsilent(client, &client->interface->addr,
-				     client->view->queryonacl,
+				     client->view->cacheonacl,
 				     ISC_TRUE) == ISC_R_SUCCESS)
 		ra = ISC_TRUE;
 
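Review bot: The RA decision now depends on `client->view->cacheacl` and `client->view->cacheonacl`, but CHANGES entry 2964 names only queryacl, cacheacl and queryonacl. It is worth confirming that `cacheonacl` is declared, populated from configuration and detached with the view in view.h, view.c and server.c, which this commit modifies but which are not shown here. All four calls pass `ISC_TRUE` as the last argument; if that is a default-allow flag, as it appears to be, a view whose cache ACLs were never set would not restrict the RA bit through these two checks at all. That fail-open behaviour should be stated next to the condition, e.g. `/* A NULL ACL is treated as "allow" here (last argument ISC_TRUE). */`. The `if` this condition belongs to starts above the hunk.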

Modified: head/contrib/bind9/bin/named/include/named/query.h
==============================================================================
--- head/contrib/bind9/bin/named/include/named/query.h	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/bin/named/include/named/query.h	Sat Dec  4 05:58:56 2010	(r216175)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.h,v 1.40 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: query.h,v 1.40.626.2 2010/09/29 23:46:31 tbox Exp $ */
 
 #ifndef NAMED_QUERY_H
 #define NAMED_QUERY_H 1
@@ -71,6 +71,8 @@ struct ns_query {
 #define NS_QUERYATTR_SECURE		0x0200
 #define NS_QUERYATTR_NOAUTHORITY	0x0400
 #define NS_QUERYATTR_NOADDITIONAL	0x0800
+#define NS_QUERYATTR_CACHEACLOKVALID	0x1000
+#define NS_QUERYATTR_CACHEACLOK		0x2000
 
 isc_result_t
 ns_query_init(ns_client_t *client);
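Review bot: The two new attribute bits are added without a comment, and their meaning is only explained inside query_getcachedb(): `NS_QUERYATTR_CACHEACLOKVALID` records that the view's cacheacl has been evaluated for this query, and `NS_QUERYATTR_CACHEACLOK` holds the result. A one-line comment above the pair, such as `/* Cached result of the view's allow-query-cache check; OK is meaningful only when OKVALID is set. */`, would keep a later reader from testing OK on its own. The flag list starts above the hunk.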

Modified: head/contrib/bind9/bin/named/query.c
==============================================================================
--- head/contrib/bind9/bin/named/query.c	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/bin/named/query.c	Sat Dec  4 05:58:56 2010	(r216175)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.313.20.16.10.2 2010/06/26 23:46:14 tbox Exp $ */
+/* $Id: query.c,v 1.313.20.16.10.3 2010/09/29 00:03:32 marka Exp $ */
 
 /*! \file */
 
@@ -820,17 +820,15 @@ query_getcachedb(ns_client_t *client, dn
 		return (DNS_R_REFUSED);
 	dns_db_attach(client->view->cachedb, &db);
 
-	if ((client->query.attributes &
-	     NS_QUERYATTR_QUERYOKVALID) != 0) {
+	if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) != 0) {
 		/*
-		 * We've evaluated the view's queryacl already.  If
-		 * NS_QUERYATTR_QUERYOK is set, then the client is
+		 * We've evaluated the view's cacheacl already.  If
+		 * NS_QUERYATTR_CACHEACLOK is set, then the client is
 		 * allowed to make queries, otherwise the query should
 		 * be refused.
 		 */
 		check_acl = ISC_FALSE;
-		if ((client->query.attributes &
-		     NS_QUERYATTR_QUERYOK) == 0)
+		if ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) == 0)
 			goto refuse;
 	} else {
 		/*
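Review bot: The comments around the renamed flags still describe the general query ACL rather than the cache ACL. In this hunk the text says the client "is allowed to make queries". In the `@@ -876,9 +873,9 @@` hunk the unchanged line above the edited one still reads "We've now evaluated the view's query ACL", although the ACL evaluated is now `client->view->cacheacl`. I would change these to `allowed to query the cache` here and `We've now evaluated the view's cache ACL, and` there, so the cached verdict is not read as covering allow-query. query_getcachedb() starts and ends outside these hunks.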
@@ -844,16 +842,15 @@ query_getcachedb(ns_client_t *client, dn
 		char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
 
 		result = ns_client_checkaclsilent(client, NULL,
-						  client->view->queryacl,
+						  client->view->cacheacl,
 						  ISC_TRUE);
 		if (result == ISC_R_SUCCESS) {
 			/*
-			 * We were allowed by the default
-			 * "allow-query" ACL.  Remember this so we
-			 * don't have to check again.
+			 * We were allowed by the "allow-query-cache" ACL.
+			 * Remember this so we don't have to check again.
 			 */
 			client->query.attributes |=
-				NS_QUERYATTR_QUERYOK;
+				NS_QUERYATTR_CACHEACLOK;
 			if (log && isc_log_wouldlog(ns_g_lctx,
 						     ISC_LOG_DEBUG(3)))
 			{
@@ -876,9 +873,9 @@ query_getcachedb(ns_client_t *client, dn
 		}
 		/*
 		 * We've now evaluated the view's query ACL, and
-		 * the NS_QUERYATTR_QUERYOK attribute is now valid.
+		 * the NS_QUERYATTR_CACHEACLOKVALID attribute is now valid.
 		 */
-		client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
+		client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID;
 
 		if (result != ISC_R_SUCCESS)
 			goto refuse;

Modified: head/contrib/bind9/bin/named/server.c
==============================================================================
--- head/contrib/bind9/bin/named/server.c	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/bin/named/server.c	Sat Dec  4 05:58:56 2010	(r216175)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.520.12.11.10.1 2010/03/03 22:06:36 marka Exp $ */
+/* $Id: server.c,v 1.520.12.11.10.4 2010/11/16 22:42:03 marka Exp $ */
 
 /*! \file */
 
@@ -1132,6 +1132,14 @@ configure_view(dns_view_t *view, const c
 		dns_acache_setcachesize(view->acache, max_acache_size);
 	}
 
+	CHECK(configure_view_acl(vconfig, config, "allow-query", actx,
+				 ns_g_mctx, &view->queryacl));
+
+	if (view->queryacl == NULL) {
+		CHECK(configure_view_acl(NULL, ns_g_config, "allow-query", actx,
+					 ns_g_mctx, &view->queryacl));
+	}
+
 	/*
 	 * Configure the zones.
 	 */
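Review bot: The added block resolves "allow-query" into `view->queryacl` ahead of the zone configuration, with no comment saying why it sits here while the other view ACLs are set much later in configure_view(). A one-line comment would keep a later cleanup from moving it, e.g. `/* Resolve "allow-query" for the view (falling back to ns_g_config) before the zones are configured. */`. The braces around the single `CHECK(...)` also differ from the unbraced `if (view->cacheonacl == NULL)` form in the `@@ -1606,13 +1614,13 @@` hunk, so pick one style. configure_view() begins and ends outside this hunk, so whether the zone code depends on this ordering is presumed, not shown.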
@@ -1606,13 +1614,13 @@ configure_view(dns_view_t *view, const c
 	 * configured in named.conf.
 	 */
 	CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
-				 actx, ns_g_mctx, &view->queryacl));
+				 actx, ns_g_mctx, &view->cacheacl));
 	CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on",
-				 actx, ns_g_mctx, &view->queryonacl));
-	if (view->queryonacl == NULL)
+				 actx, ns_g_mctx, &view->cacheonacl));
+	if (view->cacheonacl == NULL)
 		CHECK(configure_view_acl(NULL, ns_g_config,
 					 "allow-query-cache-on", actx,
-					 ns_g_mctx, &view->queryonacl));
+					 ns_g_mctx, &view->cacheonacl));
 	if (strcmp(view->name, "_bind") != 0) {
 		CHECK(configure_view_acl(vconfig, config, "allow-recursion",
 					 actx, ns_g_mctx,
@@ -1628,14 +1636,14 @@ configure_view(dns_view_t *view, const c
 	 * "allow-recursion" inherits from "allow-query-cache" if set,
 	 * otherwise from "allow-query" if set.
 	 */
-	if (view->queryacl == NULL && view->recursionacl != NULL)
-		dns_acl_attach(view->recursionacl, &view->queryacl);
-	if (view->queryacl == NULL && view->recursion)
+	if (view->cacheacl == NULL && view->recursionacl != NULL)
+		dns_acl_attach(view->recursionacl, &view->cacheacl);
+	if (view->cacheacl == NULL && view->recursion)
 		CHECK(configure_view_acl(vconfig, config, "allow-query",
-					 actx, ns_g_mctx, &view->queryacl));
+					 actx, ns_g_mctx, &view->cacheacl));
 	if (view->recursion &&
-	    view->recursionacl == NULL && view->queryacl != NULL)
-		dns_acl_attach(view->queryacl, &view->recursionacl);
+	    view->recursionacl == NULL && view->cacheacl != NULL)
+		dns_acl_attach(view->cacheacl, &view->recursionacl);
 
 	/*
 	 * Set default "allow-recursion", "allow-recursion-on" and
@@ -1651,16 +1659,13 @@ configure_view(dns_view_t *view, const c
 					 "allow-recursion-on",
 					 actx, ns_g_mctx,
 					 &view->recursiononacl));
-	if (view->queryacl == NULL) {
+	if (view->cacheacl == NULL) {
 		if (view->recursion)
 			CHECK(configure_view_acl(NULL, ns_g_config,
 						 "allow-query-cache", actx,
-						 ns_g_mctx, &view->queryacl));
-		else {
-			if (view->queryacl != NULL)
-				dns_acl_detach(&view->queryacl);
-			CHECK(dns_acl_none(ns_g_mctx, &view->queryacl));
-		}
+						 ns_g_mctx, &view->cacheacl));
+		else
+			CHECK(dns_acl_none(ns_g_mctx, &view->cacheacl));
 	}
 
 	/*

Modified: head/contrib/bind9/lib/dns/api
==============================================================================
--- head/contrib/bind9/lib/dns/api	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/lib/dns/api	Sat Dec  4 05:58:56 2010	(r216175)
@@ -1,3 +1,3 @@
-LIBINTERFACE = 57
+LIBINTERFACE = 58
 LIBREVISION = 0
-LIBAGE = 2
+LIBAGE = 0

Modified: head/contrib/bind9/lib/dns/include/dns/view.h
==============================================================================
--- head/contrib/bind9/lib/dns/include/dns/view.h	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/lib/dns/include/dns/view.h	Sat Dec  4 05:58:56 2010	(r216175)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.111.88.4 2009/01/29 22:40:35 jinmei Exp $ */
+/* $Id: view.h,v 1.111.88.4.24.2 2010/09/29 23:46:31 tbox Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -118,6 +118,8 @@ struct dns_view {
 	isc_boolean_t			enablevalidation;
 	isc_boolean_t			acceptexpired;
 	dns_transfer_format_t		transfer_format;
+	dns_acl_t *			cacheacl;
+	dns_acl_t *			cacheonacl;
 	dns_acl_t *			queryacl;
 	dns_acl_t *			queryonacl;
 	dns_acl_t *			recursionacl;
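Review bot: The new `cacheacl` and `cacheonacl` members need the same lifecycle handling as `queryacl`: set to NULL when the view is created and detached when it is destroyed. server.c in this commit tests `view->cacheacl == NULL` to decide whether inheritance and defaults apply. An uninitialised member would skip that logic and leave the cache ACL check reading an indeterminate pointer. The view.c side is not visible in this truncated diff, so this is a check to confirm rather than a known defect. A short comment on the members, e.g. `/* allow-query-cache, allow-query-cache-on */`, would also distinguish them from `queryacl` and `queryonacl`.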

Modified: head/contrib/bind9/lib/dns/journal.c
==============================================================================
--- head/contrib/bind9/lib/dns/journal.c	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/lib/dns/journal.c	Sat Dec  4 05:58:56 2010	(r216175)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: journal.c,v 1.103.48.6 2009/11/04 23:47:25 tbox Exp $ */
+/* $Id: journal.c,v 1.103.48.6.10.2 2010/11/17 23:46:16 tbox Exp $ */
 
 #include <config.h>
 
@@ -2173,6 +2173,12 @@ dns_journal_compact(isc_mem_t *mctx, cha
 
 		indexend = new->header.end.offset;
 	}
+
+	/*
+	 * Close both journals before trying to rename files (this is
+	 * necessary on WIN32).
+	 */
+	dns_journal_destroy(&j);
 	dns_journal_destroy(&new);
 
 	/*
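Review bot: With `dns_journal_destroy(&j);` moved ahead of the rename, any error exit taken after this point reaches the `failure:` label with both `j` and `new` already destroyed. The cleanup under `failure:` is outside the hunks shown. Confirm that it destroys each journal only when its pointer is non-NULL, and that dns_journal_destroy() clears the pointer it is passed. Otherwise the rename error paths in the following hunk would destroy the journals a second time. dns_journal_compact() starts and ends outside this hunk.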
@@ -2180,12 +2186,14 @@ dns_journal_compact(isc_mem_t *mctx, cha
 	 * Any IXFR outs will just continue and the old journal will be
 	 * removed on final close.
 	 *
-	 * With MSDOS / NTFS we need to do a two stage rename triggered
-	 * bu EEXISTS.  Hopefully all IXFR's that were active at the last
-	 * rename are now complete.
+	 * With MSDOS / NTFS we need to do a two stage rename, triggered
+	 * by EEXIST.  (If any IXFR's are running in other threads, however,
+	 * this will fail, and the journal will not be compacted.  But
+	 * if so, hopefully they'll be finished by the next time we
+	 * compact.)
 	 */
 	if (rename(newname, filename) == -1) {
-		if (errno == EACCES && !is_backup) {
+		if (errno == EEXIST && !is_backup) {
 			result = isc_file_remove(backup);
 			if (result != ISC_R_SUCCESS &&
 			    result != ISC_R_FILENOTFOUND)
@@ -2202,7 +2210,6 @@ dns_journal_compact(isc_mem_t *mctx, cha
 		}
 	}
 
-	dns_journal_destroy(&j);
 	result = ISC_R_SUCCESS;
 
  failure:

Modified: head/contrib/bind9/lib/dns/rbtdb.c
==============================================================================
--- head/contrib/bind9/lib/dns/rbtdb.c	Sat Dec  4 02:42:52 2010	(r216174)
+++ head/contrib/bind9/lib/dns/rbtdb.c	Sat Dec  4 05:58:56 2010	(r216175)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.270.12.16.10.3 2010/08/13 07:25:21 marka Exp $ */
+/* $Id: rbtdb.c,v 1.270.12.16.10.6 2010/11/16 07:46:23 marka Exp $ */
 
 /*! \file */
 
@@ -5421,14 +5421,14 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *r
     dns_rdataset_t *addedrdataset, isc_stdtime_t now)
 {
 	rbtdb_changed_t *changed = NULL;
-	rdatasetheader_t *topheader, *topheader_prev, *header;
+	rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
 	unsigned char *merged;
 	isc_result_t result;
 	isc_boolean_t header_nx;
 	isc_boolean_t newheader_nx;
 	isc_boolean_t merge;
 	dns_rdatatype_t rdtype, covers;
-	rbtdb_rdatatype_t negtype;
+	rbtdb_rdatatype_t negtype, sigtype;
 	dns_trust_t trust;
 	int idx;
 
@@ -5466,7 +5466,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *r
 
 	newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE;
 	topheader_prev = NULL;
-
+	sigheader = NULL;
 	negtype = 0;
 	if (rbtversion == NULL && !newheader_nx) {
 		rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
@@ -5475,26 +5475,34 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *r
 			 * We're adding a negative cache entry.
 			 */
 			covers = RBTDB_RDATATYPE_EXT(newheader->type);
-			if (covers == dns_rdatatype_any) {
+			sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
+							covers);
+			for (topheader = rbtnode->data;
+			     topheader != NULL;
+			     topheader = topheader->next) {
 				/*
-				 * We're adding an negative cache entry
+				 * If we're adding an negative cache entry
 				 * which covers all types (NXDOMAIN,
 				 * NODATA(QTYPE=ANY)).
 				 *
 				 * We make all other data stale so that the
 				 * only rdataset that can be found at this
 				 * node is the negative cache entry.
+				 *
+				 * Otherwise look for any RRSIGs of the
+				 * given type so they can be marked stale
+				 * later.
 				 */
-				for (topheader = rbtnode->data;
-				     topheader != NULL;
-				     topheader = topheader->next) {
+				if (covers == dns_rdatatype_any) {
 					set_ttl(rbtdb, topheader, 0);
 					topheader->attributes |=
 						RDATASET_ATTR_STALE;
-				}
-				rbtnode->dirty = 1;
-				goto find_header;

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

