Update to 9.8.4-P1.

Security Fixes

   Prevents named from aborting with a require assertion failure
   on servers with DNS64 enabled.  These crashes might occur as a
   result of  specific queries that are received.

New Features

*  Elliptic Curve Digital Signature Algorithm keys and signatures in
   DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

*  Improves OpenSSL error logging [RT #29932]

*  nslookup now returns a nonzero exit code when it is unable to get
   an answer.  [RT #29492]

Other critical bug fixes are included.

Approved by:	delphij (mentor)
MFC after:	3 days
Security:	CVE-2012-5688
Sponsored by:	DK Hostmaster A/S

1 files changed, 5 insertions, 2 deletions

diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
index c4b157c..93d789b 100644
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2012  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -296,7 +296,7 @@ usage(void) {
 	fprintf(stderr, "    -K <directory>: directory in which to find "
 			"key file or keyset file\n");
 	fprintf(stderr, "    -a algorithm: digest algorithm "
-			"(SHA-1, SHA-256 or GOST)\n");
+			"(SHA-1, SHA-256, GOST or SHA-384)\n");
 	fprintf(stderr, "    -1: use SHA-1\n");
 	fprintf(stderr, "    -2: use SHA-256\n");
 	fprintf(stderr, "    -l: add lookaside zone and print DLV records\n");
@@ -415,6 +415,9 @@ main(int argc, char **argv) {
 		else if (strcasecmp(algname, "GOST") == 0)
 			dtype = DNS_DSDIGEST_GOST;
 #endif
+		else if (strcasecmp(algname, "SHA384") == 0 ||
+			 strcasecmp(algname, "SHA-384") == 0)
+			dtype = DNS_DSDIGEST_SHA384;
 		else
 			fatal("unknown algorithm %s", algname);
 	}