Update Bind to 9.8.5-P2

New Features

   Adds a new configuration option, "check-spf"; valid values are
   "warn" (default) and "ignore".  When set to "warn", checks SPF
   and TXT records in spf format, warning if either resource record
   type occurs without a corresponding record of the other resource
   record type.  [RT #33355]

   Adds support for Uniform Resource Identifier (URI) resource
   records. [RT #23386]

   Adds support for the EUI48 and EUI64 RR types. [RT #33082]

   Adds support for the RFC 6742 ILNP record types (NID, LP, L32,
   and L64). [RT #31836]

Feature Changes

   Changes timing of when slave zones send NOTIFY messages after
   loading a new copy of the zone.  They now send the NOTIFY before
   writing the zone data to disk.  This will result in quicker
   propagation of updates in multi-level server structures. [RT #27242]
   "named -V" can now report a source ID string.  (This is will be
   of most interest to developers and troubleshooters).  The source

   ID for ISC's production versions of BIND is defined in the "srcid"
   file in the build tree and is normally set to the most recent
   git hash. [RT #31494]

   Response Policy Zone performance enhancements.  New "response-policy"
   option "min-ns-dots".  "nsip" and "nsdname" now enabled by default
   with RPZ. [RT #32251]

Approved by:	delphij (mentor)
Sponsored by:	DK Hostmaster A/S

1 files changed, 21 insertions, 3 deletions

diff --git a/contrib/bind9/lib/dns/ncache.c b/contrib/bind9/lib/dns/ncache.c
index c0e99d4..bcb3d05 100644
--- a/contrib/bind9/lib/dns/ncache.c
+++ b/contrib/bind9/lib/dns/ncache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2010-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008, 2010-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -47,6 +47,12 @@
  *
  */
 
+static isc_result_t
+addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+	  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+	  isc_boolean_t optout, isc_boolean_t secure,
+	  dns_rdataset_t *addedrdataset);
+
 static inline isc_result_t
 copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) {
 	isc_result_t result;
@@ -96,8 +102,8 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	       dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
 	       dns_rdataset_t *addedrdataset)
 {
-	return (dns_ncache_addoptout(message, cache, node, covers, now, maxttl,
-				    ISC_FALSE, addedrdataset));
+	return (addoptout(message, cache, node, covers, now, maxttl,
+			  ISC_FALSE, ISC_FALSE, addedrdataset));
 }
 
 isc_result_t
@@ -106,6 +112,16 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
 		     isc_stdtime_t now, dns_ttl_t maxttl,
 		     isc_boolean_t optout, dns_rdataset_t *addedrdataset)
 {
+	return (addoptout(message, cache, node, covers, now, maxttl,
+			  optout, ISC_TRUE, addedrdataset));
+}
+
+static isc_result_t
+addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+	  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+	  isc_boolean_t optout, isc_boolean_t secure,
+	  dns_rdataset_t *addedrdataset)
+{
 	isc_result_t result;
 	isc_buffer_t buffer;
 	isc_region_t r;
@@ -242,6 +258,8 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
 	dns_rdataset_init(&ncrdataset);
 	RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
 		      == ISC_R_SUCCESS);
+	if (!secure && trust > dns_trust_answer)
+		trust = dns_trust_answer;
 	ncrdataset.trust = trust;
 	ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE;
 	if (message->rcode == dns_rcode_nxdomain)