Update Bind to 9.9.3-P2

Notable new features:

*  Elliptic Curve Digital Signature Algorithm keys and signatures in
   DNSSEC are now supported per RFC 6605. [RT #21918]

*  Introduces a new tool "dnssec-verify" that validates a signed zone,
   checking for the correctness of signatures and NSEC/NSEC3 chains.
   [RT #23673]

*  BIND now recognizes the TLSA resource record type, created to
   support IETF DANE (DNS-based Authentication of Named Entities)
   [RT #28989]

*  The new "inline-signing" option, in combination with the
   "auto-dnssec" option that was introduced in BIND 9.7, allows
   named to sign zones completely transparently.

Approved by:	delphij (mentor)
MFC after:	3 days
Sponsored by:	DK Hostmaster A/S

1 files changed, 7 insertions, 4 deletions

diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c
index 3d7518a..8cf7f66 100644
--- a/contrib/bind9/lib/dns/validator.c
+++ b/contrib/bind9/lib/dns/validator.c
@@ -1459,8 +1459,10 @@ isselfsigned(dns_validator_t *val) {
 			if (result != ISC_R_SUCCESS)
 				continue;
 
-			result = dns_dnssec_verify2(name, rdataset, dstkey,
-						    ISC_TRUE, mctx, &sigrdata,
+			result = dns_dnssec_verify3(name, rdataset, dstkey,
+						    ISC_TRUE,
+						    val->view->maxbits,
+						    mctx, &sigrdata,
 						    dns_fixedname_name(&fixed));
 			dst_key_free(&dstkey);
 			if (result != ISC_R_SUCCESS)
@@ -1497,8 +1499,9 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
 	dns_fixedname_init(&fixed);
 	wild = dns_fixedname_name(&fixed);
  again:
-	result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
-				    key, ignore, val->view->mctx, rdata, wild);
+	result = dns_dnssec_verify3(val->event->name, val->event->rdataset,
+				    key, ignore, val->view->maxbits,
+				    val->view->mctx, rdata, wild);
 	if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) &&
 	    val->view->acceptexpired)
 	{