path: root/contrib/bind9
author:    dougb <dougb@FreeBSD.org>  2010-12-04 05:58:56 +0000
committer: dougb <dougb@FreeBSD.org>  2010-12-04 05:58:56 +0000
commit:    63d4368df223bad2a05f63e74fc3c3d7ba334775 (patch)
tree:      f01f0fcdfd363df827bfbc878514d9fc94ccdca9 /contrib/bind9
parent:    0ff0fd520ddd39c32c55398023b24fe199cbc02b (diff)
parent:    d2262df647cb68b7a55a79623696e646c546774e (diff)
Update to version 9.6-ESV-R3, the latest from ISC, which addresses
the following security vulnerabilities. For more information regarding
these issues please see:

    http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories

1. Cache incorrectly allows ncache and rrsig for the same type
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613

   Affects resolver operators whose servers are open to potential
   attackers. Triggering the bug will cause the server to crash.
   This bug applies even if you do not have DNSSEC enabled.

2. Key algorithm rollover
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614

   Affects resolver operators who are validating with DNSSEC, and
   querying zones which are in a key rollover period. The bug will
   cause answers to incorrectly be marked as insecure.
Diffstat (limited to 'contrib/bind9')

 -rw-r--r--  contrib/bind9/CHANGES                                  52
 -rw-r--r--  contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html         225
 -rw-r--r--  contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.pdf          bin 0 -> 53051 bytes
 -rw-r--r--  contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt          133
 -rw-r--r--  contrib/bind9/bin/check/check-tool.c                   31
 -rw-r--r--  contrib/bind9/bin/check/check-tool.h                    9
 -rw-r--r--  contrib/bind9/bin/check/named-checkconf.c              12
 -rw-r--r--  contrib/bind9/bin/check/named-checkzone.c              11
 -rw-r--r--  contrib/bind9/bin/dig/host.c                           10
 -rw-r--r--  contrib/bind9/bin/named/client.c                        8
 -rw-r--r--  contrib/bind9/bin/named/include/named/query.h           6
 -rw-r--r--  contrib/bind9/bin/named/query.c                        25
 -rw-r--r--  contrib/bind9/bin/named/server.c                       41
 -rw-r--r--  contrib/bind9/lib/dns/api                               4
 -rw-r--r--  contrib/bind9/lib/dns/include/dns/view.h                6
 -rw-r--r--  contrib/bind9/lib/dns/journal.c                        21
 -rw-r--r--  contrib/bind9/lib/dns/rbtdb.c                          65
 -rw-r--r--  contrib/bind9/lib/dns/validator.c                      58
 -rw-r--r--  contrib/bind9/lib/dns/view.c                            8
 -rw-r--r--  contrib/bind9/lib/isc/api                               2
 -rw-r--r--  contrib/bind9/lib/isc/print.c                           6
 -rw-r--r--  contrib/bind9/release-notes.css                        60
 -rw-r--r--  contrib/bind9/version                                   4

 23 files changed, 706 insertions, 91 deletions
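Both the CHANGES file and the generated release notes in this update carry their own list of security fixes, keyed by CVE, VU# and RT ticket numbers, and the two lists can drift. The Python below is an added example, not part of the BIND sources or of this commit: it parses CHANGES-style entries and reports any CVE that CHANGES tags [security] but the release-notes summary never mentions. The sample inputs are constructed from abbreviated entries in this update, and the entry layout the regular expressions assume (number, bracketed category, indented continuation lines, "--- X released ---" markers, newest first) is the one CHANGES uses.

```python
"""Cross-check [security] entries in a BIND-style CHANGES file against the
release-notes summary.  Added example; not part of BIND or of this commit."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the layout of BIND's CHANGES file: the three
# [security] entries and two other entries from 9.6-ESV-R3/R2.  Text is
# abbreviated; the identifiers are what the check cares about.
SAMPLE_CHANGES = """\
    --- 9.6-ESV-R3 released ---

2972.   [bug]           win32: address windows socket errors. [RT #21906]

2970.   [security]      Adding a NO DATA negative cache entry failed to clear
                        any matching RRSIG records.

                        CVE-2010-3613, VU#706148. [RT #22288]

2969.   [security]      Fix acl type processing so that allow-query works
                        in options and view statements.

                        CVE-2010-3615, VU#510208. [RT #22418]

2968.   [security]      Named could fail to prove a data set was insecure
                        before marking it as insecure.

                        CVE-2010-3614, VU#837744. [RT #22309]

    --- 9.6-ESV-R2 released ---

2939.   [func]          Check that named successfully skips NSEC3 records
"""

# Constructed sample of the release-notes "Security Fixes" text for R3.
SAMPLE_NOTES = """\
  * Adding a NO DATA signed negative response to cache failed to clear
    any matching RRSIG records already in cache. [RT #22288]
    [CVE-2010-3613] [VU#706148]
  * BIND, acting as a DNSSEC validator, was determining if the NS RRset
    is insecure based on an ambiguous value. [RT #22309] [CVE-2010-3614]
    [VU#837744]
"""

ENTRY_RE = re.compile(r"^(\d+)\.\s+\[(\w+)\]\s*(.*)$")
RELEASE_RE = re.compile(r"^\s*---\s+(\S+)\s+released\s+---\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
RT_RE = re.compile(r"RT #(\d+)")


def parse_changes(text: str) -> List[Dict]:
    """Split CHANGES text into entries.  CHANGES lists newest first, so an
    entry belongs to the nearest '--- X released ---' marker above it."""
    entries: List[Dict] = []
    release: Optional[str] = None
    current: Optional[Dict] = None
    for raw in text.splitlines():
        m = RELEASE_RE.match(raw)
        if m:
            release = m.group(1)
            current = None
            continue
        m = ENTRY_RE.match(raw)
        if m:
            current = {
                "number": int(m.group(1)),
                "category": m.group(2),
                "release": release,
                "lines": [m.group(3).strip()],
            }
            entries.append(current)
            continue
        if current is not None and raw.strip():
            current["lines"].append(raw.strip())  # indented continuation
    for e in entries:
        body = " ".join(e.pop("lines"))
        e["text"] = body
        e["cves"] = sorted(set(CVE_RE.findall(body)))
        e["rts"] = sorted(int(x) for x in RT_RE.findall(body))
    return entries


def security_cves(entries: List[Dict], release: Optional[str] = None) -> Set[str]:
    """CVE identifiers attached to [security] entries, optionally for one release."""
    return {
        cve
        for e in entries
        if e["category"] == "security" and (release is None or e["release"] == release)
        for cve in e["cves"]
    }


def missing_from_notes(entries: List[Dict], notes: str,
                       release: Optional[str] = None) -> List[str]:
    """CVEs that CHANGES marks [security] but the notes text never mentions."""
    mentioned = set(CVE_RE.findall(notes))
    return sorted(security_cves(entries, release) - mentioned)


if __name__ == "__main__":
    parsed = parse_changes(SAMPLE_CHANGES)
    for cve in missing_from_notes(parsed, SAMPLE_NOTES, "9.6-ESV-R3"):
        print("not in release notes:", cve)
```

Run against the real files by reading contrib/bind9/CHANGES and the Security Fixes section of RELEASE-NOTES-BIND-9.6-ESV.txt instead of the constructed samples; on the sample data the check reports CVE-2010-3615 as the one [security] entry with no counterpart in the notes.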
diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
index cb2581a..a44c804 100644
--- a/contrib/bind9/CHANGES
+++ b/contrib/bind9/CHANGES
@@ -1,3 +1,55 @@
+
+ --- 9.6-ESV-R3 released ---
+
+2972. [bug] win32: address windows socket errors. [RT #21906]
+
+2971. [bug] Fixed a bug that caused journal files not to be
+ compacted on Windows systems as a result of
+ non-POSIX-compliant rename() semantics. [RT #22434]
+
+2970. [security] Adding a NO DATA negative cache entry failed to clear
+ any matching RRSIG records. A subsequent lookup of
+ of NO DATA cache entry could trigger a INSIST when the
+ unexpected RRSIG was also returned with the NO DATA
+ cache entry.
+
+ CVE-2010-3613, VU#706148. [RT #22288]
+
+2969. [security] Fix acl type processing so that allow-query works
+ in options and view statements. Also add a new
+ set of tests to verify proper functioning.
+
+ CVE-2010-3615, VU#510208. [RT #22418]
+
+2968. [security] Named could fail to prove a data set was insecure
+ before marking it as insecure. One set of conditions
+ that can trigger this occurs naturally when rolling
+ DNSKEY algorithms.
+
+ CVE-2010-3614, VU#837744. [RT #22309]
+
+2967. [bug] 'host -D' now turns on debugging messages earlier.
+ [RT #22361]
+
+2966. [bug] isc_print_vsnprintf() failed to check if there was
+ space available in the buffer when adding a left
+ justified character with a non zero width,
+ (e.g. "%-1c"). [RT #22270]
+
+2964. [bug] view->queryacl was being overloaded. Seperate the
+ usage into view->queryacl, view->cacheacl and
+ view->queryonacl. [RT #22114]
+
+2962. [port] win32: add more dependencies to BINDBuild.dsw.
+ [RT #22062]
+
+2952. [port] win32: named-checkzone and named-checkconf failed
+ to initialise winsock. [RT #21932]
+
+2951. [bug] named failed to generate a correct signed response
+ in a optout, delegation only zone with no secure
+ delegations. [RT #22007]
+
--- 9.6-ESV-R2 released ---
2939. [func] Check that named successfully skips NSEC3 records
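Review bot: entry 2969 records CVE-2010-3615 / VU#510208 (allow-query ACL processing, RT #22418) as a third [security] fix, but the commit message above and the release-notes Security Fixes section added in this same commit mention only CVE-2010-3613 and CVE-2010-3614; the three should agree. Minor wording in the new entries: 2970 has "lookup of of NO DATA" and "a INSIST", and 2964 has "Seperate".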
diff --git a/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html b/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html
new file mode 100644
index 0000000..946330d
--- /dev/null
+++ b/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html
@@ -0,0 +1,225 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<!--
+ - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: RELEASE-NOTES-BIND-9.6-ESV.html,v 1.1.2.2 2010/11/29 01:16:39 tbox Exp $ -->
+
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" type="text/css" href="release-notes.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article"><div class="titlepage"><hr /></div>
+
+ <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111950"></a>Introduction</h2></div></div></div>
+
+ <p>
+ BIND 9.6-ESV-R3 is a maintenance release for BIND 9.6-ESV.
+ </p>
+ <p>
+ This document summarizes changes from BIND 9.6-ESV-R1 to BIND 9.6-ESV-R3.
+ Please see the CHANGES file in the source code release for a
+ complete list of all changes.
+ </p>
+ </div>
+
+ <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112014"></a>Download</h2></div></div></div>
+
+ <p>
+ The latest release of BIND 9 software can always be found
+ on our web site at
+ <a class="ulink" href="http://www.isc.org/software/bind" target="_top">http://www.isc.org/software/bind</a>.
+ There you will find additional information about each release,
+ source code, and some pre-compiled versions for certain operating
+ systems.
+ </p>
+ </div>
+
+ <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112037"></a>Support</h2></div></div></div>
+
+ <p>Product support information is available on
+ <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
+ for paid support options. Free support is provided by our user
+ community via a mailing list. Information on all public email
+ lists is available at
+ <a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
+ </p>
+ </div>
+
+ <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111986"></a>New Features</h2></div></div></div>
+
+ <div class="section" title="9.6-ESV-R2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112025"></a>9.6-ESV-R2</h3></div></div></div>
+
+ <p>None.</p>
+ </div>
+ <div class="section" title="9.6-ESV-R3"><div class="titlepage"><div><div><h3 class="title"><a id="id36112098"></a>9.6-ESV-R3</h3></div></div></div>
+
+ <p>None.</p>
+ </div>
+ </div>
+
+ <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112120"></a>Feature Changes</h2></div></div></div>
+
+ <div class="section" title="9.6-ESV-R2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112125"></a>9.6-ESV-R2</h3></div></div></div>
+
+ <p>None.</p>
+ </div>
+ <div class="section" title="9.6-ESV-R3"><div class="titlepage"><div><div><h3 class="title"><a id="id36112135"></a>9.6-ESV-R3</h3></div></div></div>
+
+ <p>None.</p>
+ </div>
+ </div>
+
+ <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112146"></a>Security Fixes</h2></div></div></div>
+
+ <div class="section" title="9.6-ESV-R2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112151"></a>9.6-ESV-R2</h3></div></div></div>
+
+ <p>None.</p>
+ </div>
+ <div class="section" title="9.6-ESV-R3"><div class="titlepage"><div><div><h3 class="title"><a id="id36112160"></a>9.6-ESV-R3</h3></div></div></div>
+
+ <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+ Adding a NO DATA signed negative response to cache failed to clear
+ any matching RRSIG records already in cache. A subsequent lookup
+ of the cached NO DATA entry could crash named (INSIST) when the
+ unexpected RRSIG was also returned with the NO DATA cache entry.
+ [RT #22288] [CVE-2010-3613] [VU#706148]
+ </li><li class="listitem">
+ BIND, acting as a DNSSEC validator, was determining if the NS RRset
+ is insecure based on a value that could mean either that the RRset
+ is actually insecure or that there wasn't a matching key for the RRSIG
+ in the DNSKEY RRset when resuming from validating the DNSKEY RRset.
+ This can happen when in the middle of a DNSKEY algorithm rollover,
+ when two different algorithms were used to sign a zone but only the
+ new set of keys are in the zone DNSKEY RRset.
+ [RT #22309] [CVE-2010-3614] [VU#837744]
+ </li></ul></div>
+ </div>
+ </div>
+
+ <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112186"></a>Bug Fixes</h2></div></div></div>
+
+ <div class="section" title="9.6-ESV-R2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112191"></a>9.6-ESV-R2</h3></div></div></div>
+
+ <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+ Check that named successfully skips NSEC3 records
+ that fail to match the NSEC3PARAM record currently
+ in use.
+ [RT #21868]
+ </li><li class="listitem">
+ Worked around a race condition in the cache database memory
+ handling. Without this fix a DNS cache DB or ADB could
+ incorrectly stay in an over memory state, effectively refusing
+ further caching, which subsequently made a BIND 9 caching
+ server unworkable.
+ [RT #21818]
+ </li><li class="listitem">
+ BIND did not properly handle non-cacheable negative responses
+ from insecure zones. This caused several non-protocol-compliant
+ zones to become unresolvable. BIND is now more accepting of
+ responses it receives from less strict servers.
+ [RT #21555]
+ </li><li class="listitem">
+ The resolver could attempt to destroy a fetch context too
+ soon, resulting in a crash.
+ [RT #19878]
+ </li><li class="listitem">
+ The placeholder negative caching element was not
+ properly constructed triggering a crash (INSIST) in
+ dns_ncache_towire().
+ [RT #21346]
+ </li><li class="listitem">
+ Handle the introduction of new trusted-keys and
+ DS, DLV RRsets better.
+ [RT #21097]
+ </li><li class="listitem">
+ Fix arguments to dns_keytable_findnextkeynode() call.
+ [RT #20877]
+ </li></ul></div>
+ </div>
+ <div class="section" title="9.6-ESV-R3"><div class="titlepage"><div><div><h3 class="title"><a id="id36112232"></a>9.6-ESV-R3</h3></div></div></div>
+
+ <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+ Microsoft changed the behavior of sockets between NT/XP based
+ stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
+ behavior, 2008r2 has the new behavior. With the change, different
+ error results are possible, so ISC adapted BIND to handle the new
+ error results.
+ This resolves an issue where sockets would shut down on
+ Windows servers causing named to stop responding to queries.
+ [RT #21906]
+ </li><li class="listitem">
+ Windows has non-POSIX compliant behavior in its rename() and unlink()
+ calls. This caused journal compaction to fail on Windows BIND servers
+ with the log error: "dns_journal_compact failed: failure".
+ [RT #22434]
+ </li><li class="listitem">
+ 'host -D' now turns on debugging messages earlier.
+ [RT #22361]
+ </li><li class="listitem">
+ isc_print_vsnprintf() failed to check if there was
+ space available in the buffer when adding a left
+ justified character with a non zero width,
+ (e.g. "%-1c").
+ [RT #22270]
+ </li><li class="listitem">
+ view-&gt;queryacl was being overloaded. Seperate the
+ usage into view-&gt;queryacl, view-&gt;cacheacl and
+ view-&gt;queryonacl.
+ [RT #22114]
+ </li><li class="listitem">
+ win32: add more dependencies to BINDBuild.dsw.
+ [RT #22062]
+ </li><li class="listitem">
+ win32: named-checkzone and named-checkconf failed
+ to initialise winsock.
+ [RT #21932]
+ </li><li class="listitem">
+ named failed to generate a correct signed response
+ in a optout, delegation only zone with no secure
+ delegations.
+ [RT #22007]
+ </li></ul></div>
+ </div>
+ </div>
+
+ <div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112280"></a>Known issues in this release</h2></div></div></div>
+
+ <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+ <p>
+ "make test" will fail on OSX and possibly other operating systems.
+ The failure occurs in a new test to check for allow-query ACLs.
+ The failure is caused because the source address is not specified on
+ the dig commands issued in the test.
+ </p>
+ <p>
+ If running "make test" is part of your usual acceptance process,
+ please edit the file <code class="code">bin/tests/system/allow_query/test.sh</code>
+ and add
+ </p><p>
+ <code class="code">-b 10.53.0.2</code>
+ </p><p>
+ to the <code class="code">DIGOPTS</code> line.
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112315"></a>Thank You</h2></div></div></div>
+
+ <p>
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to make
+ quality open source software, please visit our donations page at
+ <a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
+ </p>
+ </div>
+</div></body></html>
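Review bot: the 9.6-ESV-R3 "Security Fixes" list carries only RT #22288 and RT #22309, while CHANGES entry 2969 in this same commit flags RT #22418 (CVE-2010-3615, VU#510208) as [security]; the ACL split that fix rests on appears here only as the RT #22114 bug-fix bullet, which also repeats the "Seperate" typo. The document additionally ships with an empty <title></title>. Since the page is DocBook-generated, both belong in the upstream source rather than in the rendered HTML.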
diff --git a/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.pdf b/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.pdf
new file mode 100644
index 0000000..60fa9fa
--- /dev/null
+++ b/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.pdf
Binary files differ
diff --git a/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt b/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt
new file mode 100644
index 0000000..028c16d
--- /dev/null
+++ b/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt
@@ -0,0 +1,133 @@
+ __________________________________________________________________
+
+Introduction
+
+ BIND 9.6-ESV-R3 is a maintenance release for BIND 9.6-ESV.
+
+ This document summarizes changes from BIND 9.6-ESV-R1 to BIND
+ 9.6-ESV-R3. Please see the CHANGES file in the source code release for
+ a complete list of all changes.
+
+Download
+
+ The latest release of BIND 9 software can always be found on our web
+ site at http://www.isc.org/software/bind. There you will find
+ additional information about each release, source code, and some
+ pre-compiled versions for certain operating systems.
+
+Support
+
+ Product support information is available on
+ http://www.isc.org/services/support for paid support options. Free
+ support is provided by our user community via a mailing list.
+ Information on all public email lists is available at
+ https://lists.isc.org/mailman/listinfo.
+
+New Features
+
+9.6-ESV-R2
+
+ None.
+
+9.6-ESV-R3
+
+ None.
+
+Feature Changes
+
+9.6-ESV-R2
+
+ None.
+
+9.6-ESV-R3
+
+ None.
+
+Security Fixes
+
+9.6-ESV-R2
+
+ None.
+
+9.6-ESV-R3
+
+ * Adding a NO DATA signed negative response to cache failed to clear
+ any matching RRSIG records already in cache. A subsequent lookup of
+ the cached NO DATA entry could crash named (INSIST) when the
+ unexpected RRSIG was also returned with the NO DATA cache entry.
+ [RT #22288] [CVE-2010-3613] [VU#706148]
+ * BIND, acting as a DNSSEC validator, was determining if the NS RRset
+ is insecure based on a value that could mean either that the RRset
+ is actually insecure or that there wasn't a matching key for the
+ RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY
+ RRset. This can happen when in the middle of a DNSKEY algorithm
+ rollover, when two different algorithms were used to sign a zone
+ but only the new set of keys are in the zone DNSKEY RRset. [RT
+ #22309] [CVE-2010-3614] [VU#837744]
+
+Bug Fixes
+
+9.6-ESV-R2
+
+ * Check that named successfully skips NSEC3 records that fail to
+ match the NSEC3PARAM record currently in use. [RT #21868]
+ * Worked around a race condition in the cache database memory
+ handling. Without this fix a DNS cache DB or ADB could incorrectly
+ stay in an over memory state, effectively refusing further caching,
+ which subsequently made a BIND 9 caching server unworkable. [RT
+ #21818]
+ * BIND did not properly handle non-cacheable negative responses from
+ insecure zones. This caused several non-protocol-compliant zones to
+ become unresolvable. BIND is now more accepting of responses it
+ receives from less strict servers. [RT #21555]
+ * The resolver could attempt to destroy a fetch context too soon,
+ resulting in a crash. [RT #19878]
+ * The placeholder negative caching element was not properly
+ constructed triggering a crash (INSIST) in dns_ncache_towire(). [RT
+ #21346]
+ * Handle the introduction of new trusted-keys and DS, DLV RRsets
+ better. [RT #21097]
+ * Fix arguments to dns_keytable_findnextkeynode() call. [RT #20877]
+
+9.6-ESV-R3
+
+ * Microsoft changed the behavior of sockets between NT/XP based
+ stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
+ behavior, 2008r2 has the new behavior. With the change, different
+ error results are possible, so ISC adapted BIND to handle the new
+ error results. This resolves an issue where sockets would shut down
+ on Windows servers causing named to stop responding to queries. [RT
+ #21906]
+ * Windows has non-POSIX compliant behavior in its rename() and
+ unlink() calls. This caused journal compaction to fail on Windows
+ BIND servers with the log error: "dns_journal_compact failed:
+ failure". [RT #22434]
+ * 'host -D' now turns on debugging messages earlier. [RT #22361]
+ * isc_print_vsnprintf() failed to check if there was space available
+ in the buffer when adding a left justified character with a non
+ zero width, (e.g. "%-1c"). [RT #22270]
+ * view->queryacl was being overloaded. Seperate the usage into
+ view->queryacl, view->cacheacl and view->queryonacl. [RT #22114]
+ * win32: add more dependencies to BINDBuild.dsw. [RT #22062]
+ * win32: named-checkzone and named-checkconf failed to initialise
+ winsock. [RT #21932]
+ * named failed to generate a correct signed response in a optout,
+ delegation only zone with no secure delegations. [RT #22007]
+
+Known issues in this release
+
+ * "make test" will fail on OSX and possibly other operating systems.
+ The failure occurs in a new test to check for allow-query ACLs. The
+ failure is caused because the source address is not specified on
+ the dig commands issued in the test.
+ If running "make test" is part of your usual acceptance process,
+ please edit the file bin/tests/system/allow_query/test.sh and add
+ -b 10.53.0.2
+ to the DIGOPTS line.
+
+Thank You
+
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to
+ make quality open source software, please visit our donations page at
+ http://www.isc.org/supportisc.
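Review bot: same gap as the HTML rendering: "Security Fixes" for 9.6-ESV-R3 omits RT #22418 / CVE-2010-3615 / VU#510208 even though CHANGES 2969 marks it [security], and the RT #22114 bullet repeats "Seperate". Because the .txt, .html and .pdf are all rendered from one DocBook source, fix it once there and regenerate all three so they cannot drift.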
diff --git a/contrib/bind9/bin/check/check-tool.c b/contrib/bind9/bin/check/check-tool.c
index e0a7208..396f105 100644
--- a/contrib/bind9/bin/check/check-tool.c
+++ b/contrib/bind9/bin/check/check-tool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check-tool.c,v 1.35.36.3 2009/01/20 02:03:18 marka Exp $ */
+/* $Id: check-tool.c,v 1.35.36.3.24.2 2010/09/07 23:46:25 tbox Exp $ */
/*! \file */
@@ -23,6 +23,10 @@
#include <stdio.h>
+#ifdef _WIN32
+#include <Winsock2.h>
+#endif
+
#include "check-tool.h"
#include <isc/buffer.h>
#include <isc/log.h>
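Review bot: the header is spelled <Winsock2.h>; mingw-w64 ships it as winsock2.h and MSVC builds are case-insensitive either way, so the lowercase spelling is the portable one and avoids a missing-header failure on a case-sensitive cross-build tree.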
@@ -662,3 +666,26 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
return (result);
}
+
+#ifdef _WIN32
+void
+InitSockets(void) {
+ WORD wVersionRequested;
+ WSADATA wsaData;
+ int err;
+
+ wVersionRequested = MAKEWORD(2, 0);
+
+ err = WSAStartup( wVersionRequested, &wsaData );
+ if (err != 0) {
+ fprintf(stderr, "WSAStartup() failed: %d\n", err);
+ exit(1);
+ }
+}
+
+void
+DestroySockets(void) {
+ WSACleanup();
+}
+#endif
+
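Review bot: InitSockets() calls exit(1) when WSAStartup() fails instead of returning a result the caller can act on; that is tolerable only because both callers invoke it before isc_mem_create(), so nothing is left unreleased, but an isc_result_t return would match the rest of the tree. The negotiated version in wsaData.wVersion is never compared with the requested MAKEWORD(2, 0), and the final "+" line only adds a blank line at end of file.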
diff --git a/contrib/bind9/bin/check/check-tool.h b/contrib/bind9/bin/check/check-tool.h
index b0ba7e0..0128926 100644
--- a/contrib/bind9/bin/check/check-tool.h
+++ b/contrib/bind9/bin/check/check-tool.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check-tool.h,v 1.14 2007/06/18 23:47:17 tbox Exp $ */
+/* $Id: check-tool.h,v 1.14.628.2 2010/09/07 23:46:26 tbox Exp $ */
#ifndef CHECK_TOOL_H
#define CHECK_TOOL_H
@@ -43,6 +43,11 @@ isc_result_t
dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
dns_masterformat_t fileformat, const dns_master_style_t *style);
+#ifdef _WIN32
+void InitSockets(void);
+void DestroySockets(void);
+#endif
+
extern int debug;
extern isc_boolean_t nomerge;
extern isc_boolean_t docheckmx;
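Review bot: style only: the other prototypes in this header put the return type on its own line (see dump_zone() just above), whereas the new InitSockets()/DestroySockets() declarations are single-line; worth matching the file's convention.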
diff --git a/contrib/bind9/bin/check/named-checkconf.c b/contrib/bind9/bin/check/named-checkconf.c
index eba0d93..7ed1043 100644
--- a/contrib/bind9/bin/check/named-checkconf.c
+++ b/contrib/bind9/bin/check/named-checkconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-checkconf.c,v 1.46.222.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: named-checkconf.c,v 1.46.222.2.24.2 2010/09/07 23:46:26 tbox Exp $ */
/*! \file */
@@ -453,6 +453,10 @@ main(int argc, char **argv) {
if (conffile == NULL || conffile[0] == '\0')
conffile = NAMED_CONFFILE;
+#ifdef _WIN32
+ InitSockets();
+#endif
+
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
@@ -494,5 +498,9 @@ main(int argc, char **argv) {
isc_mem_destroy(&mctx);
+#ifdef _WIN32
+ DestroySockets();
+#endif
+
return (exit_status);
}
diff --git a/contrib/bind9/bin/check/named-checkzone.c b/contrib/bind9/bin/check/named-checkzone.c
index 0b49b51..1fa015a 100644
--- a/contrib/bind9/bin/check/named-checkzone.c
+++ b/contrib/bind9/bin/check/named-checkzone.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-checkzone.c,v 1.51.34.4 2009/11/10 20:01:41 each Exp $ */
+/* $Id: named-checkzone.c,v 1.51.34.4.10.2 2010/09/07 23:46:26 tbox Exp $ */
/*! \file */
@@ -419,6 +419,10 @@ main(int argc, char **argv) {
if (isc_commandline_index + 2 != argc)
usage();
+#ifdef _WIN32
+ InitSockets();
+#endif
+
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
if (!quiet)
RUNTIME_CHECK(setup_logging(mctx, errout, &lctx)
@@ -453,5 +457,8 @@ main(int argc, char **argv) {
isc_hash_destroy();
isc_entropy_detach(&ectx);
isc_mem_destroy(&mctx);
+#ifdef _WIN32
+ DestroySockets();
+#endif
return ((result == ISC_R_SUCCESS) ? 0 : 1);
}
diff --git a/contrib/bind9/bin/dig/host.c b/contrib/bind9/bin/dig/host.c
index 8cd5b3d..1a7d174 100644
--- a/contrib/bind9/bin/dig/host.c
+++ b/contrib/bind9/bin/dig/host.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: host.c,v 1.116.216.3 2009/09/08 23:28:20 marka Exp $ */
+/* $Id: host.c,v 1.116.216.3.10.2 2010/10/19 23:46:25 tbox Exp $ */
/*! \file */
@@ -625,7 +625,9 @@ pre_parse_args(int argc, char **argv) {
case 'v': break;
case 'w': break;
case 'C': break;
- case 'D': break;
+ case 'D':
+ debugging = ISC_TRUE;
+ break;
case 'N': break;
case 'R': break;
case 'T': break;
@@ -792,7 +794,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
ndots = atoi(isc_commandline_argument);
break;
case 'D':
- debugging = ISC_TRUE;
+ /* Handled by pre_parse_args(). */
break;
case '4':
if (have_ipv4) {
diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c
index ae5386c..a0e034a 100644
--- a/contrib/bind9/bin/named/client.c
+++ b/contrib/bind9/bin/named/client.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: client.c,v 1.259.12.3 2009/01/29 22:40:33 jinmei Exp $ */
+/* $Id: client.c,v 1.259.12.3.24.2 2010/09/29 23:46:31 tbox Exp $ */
#include <config.h>
@@ -1859,13 +1859,13 @@ client_request(isc_task_t *task, isc_event_t *event) {
client->view->recursionacl,
ISC_TRUE) == ISC_R_SUCCESS &&
ns_client_checkaclsilent(client, NULL,
- client->view->queryacl,
+ client->view->cacheacl,
ISC_TRUE) == ISC_R_SUCCESS &&
ns_client_checkaclsilent(client, &client->interface->addr,
client->view->recursiononacl,
ISC_TRUE) == ISC_R_SUCCESS &&
ns_client_checkaclsilent(client, &client->interface->addr,
- client->view->queryonacl,
+ client->view->cacheonacl,
ISC_TRUE) == ISC_R_SUCCESS)
ra = ISC_TRUE;
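Review bot: switching the recursion-available (RA) test from queryacl/queryonacl to cacheacl/cacheonacl is the right side of the split, since after this change queryacl governs only authoritative data while the RA bit is about the cache; it relies on view->cacheonacl always being populated, which the server.c hunks below do by falling back to the ns_g_config default for allow-query-cache-on.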
diff --git a/contrib/bind9/bin/named/include/named/query.h b/contrib/bind9/bin/named/include/named/query.h
index 500b577..3f019a3 100644
--- a/contrib/bind9/bin/named/include/named/query.h
+++ b/contrib/bind9/bin/named/include/named/query.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.h,v 1.40 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: query.h,v 1.40.626.2 2010/09/29 23:46:31 tbox Exp $ */
#ifndef NAMED_QUERY_H
#define NAMED_QUERY_H 1
@@ -71,6 +71,8 @@ struct ns_query {
#define NS_QUERYATTR_SECURE 0x0200
#define NS_QUERYATTR_NOAUTHORITY 0x0400
#define NS_QUERYATTR_NOADDITIONAL 0x0800
+#define NS_QUERYATTR_CACHEACLOKVALID 0x1000
+#define NS_QUERYATTR_CACHEACLOK 0x2000
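Review bot: the new NS_QUERYATTR_CACHEACLOKVALID/CACHEACLOK pair sits next to the existing NS_QUERYATTR_QUERYOKVALID/QUERYOK pair, which this hunk leaves in place, so the file now has two similarly named "OK/OKVALID" flag pairs; a one-line comment saying that the QUERYOK pair caches the allow-query result and the CACHEACLOK pair caches the allow-query-cache result would spare the next reader a trip through query.c.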
isc_result_t
ns_query_init(ns_client_t *client);
diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c
index 73ed1a6..0ba708b 100644
--- a/contrib/bind9/bin/named/query.c
+++ b/contrib/bind9/bin/named/query.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.313.20.16.10.2 2010/06/26 23:46:14 tbox Exp $ */
+/* $Id: query.c,v 1.313.20.16.10.3 2010/09/29 00:03:32 marka Exp $ */
/*! \file */
@@ -820,17 +820,15 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
return (DNS_R_REFUSED);
dns_db_attach(client->view->cachedb, &db);
- if ((client->query.attributes &
- NS_QUERYATTR_QUERYOKVALID) != 0) {
+ if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) != 0) {
/*
- * We've evaluated the view's queryacl already. If
- * NS_QUERYATTR_QUERYOK is set, then the client is
+ * We've evaluated the view's cacheacl already. If
+ * NS_QUERYATTR_CACHEACLOK is set, then the client is
* allowed to make queries, otherwise the query should
* be refused.
*/
check_acl = ISC_FALSE;
- if ((client->query.attributes &
- NS_QUERYATTR_QUERYOK) == 0)
+ if ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) == 0)
goto refuse;
} else {
/*
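Review bot: the comment block here still says the client is "allowed to make queries"; since this flag is now specific to the cache ACL, "allowed to query the cache" would describe it accurately.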
@@ -844,16 +842,15 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
result = ns_client_checkaclsilent(client, NULL,
- client->view->queryacl,
+ client->view->cacheacl,
ISC_TRUE);
if (result == ISC_R_SUCCESS) {
/*
- * We were allowed by the default
- * "allow-query" ACL. Remember this so we
- * don't have to check again.
+ * We were allowed by the "allow-query-cache" ACL.
+ * Remember this so we don't have to check again.
*/
client->query.attributes |=
- NS_QUERYATTR_QUERYOK;
+ NS_QUERYATTR_CACHEACLOK;
if (log && isc_log_wouldlog(ns_g_lctx,
ISC_LOG_DEBUG(3)))
{
@@ -876,9 +873,9 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
}
/*
* We've now evaluated the view's query ACL, and
- * the NS_QUERYATTR_QUERYOK attribute is now valid.
+ * the NS_QUERYATTR_CACHEACLOKVALID attribute is now valid.
*/
- client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
+ client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID;
if (result != ISC_R_SUCCESS)
goto refuse;
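Review bot: the comment above the assignment still reads "We've now evaluated the view's query ACL" while the attribute it sets was renamed to NS_QUERYATTR_CACHEACLOKVALID; it should say "cache ACL" to match the earlier comment in this function.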
diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c
index 8f67786..5fbe043 100644
--- a/contrib/bind9/bin/named/server.c
+++ b/contrib/bind9/bin/named/server.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.520.12.11.10.1 2010/03/03 22:06:36 marka Exp $ */
+/* $Id: server.c,v 1.520.12.11.10.4 2010/11/16 22:42:03 marka Exp $ */
/*! \file */
@@ -1132,6 +1132,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
dns_acache_setcachesize(view->acache, max_acache_size);
}
+ CHECK(configure_view_acl(vconfig, config, "allow-query", actx,
+ ns_g_mctx, &view->queryacl));
+
+ if (view->queryacl == NULL) {
+ CHECK(configure_view_acl(NULL, ns_g_config, "allow-query", actx,
+ ns_g_mctx, &view->queryacl));
+ }
+
/*
* Configure the zones.
*/
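Review bot: resolving allow-query into view->queryacl before the zones are configured, with the ns_g_config fallback, makes queryacl unconditional for every view; that only works if the later branch that used to detach queryacl for non-recursive views is removed as well, which the final hunk of this file does. The two hunks must travel together when backporting.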
@@ -1606,13 +1614,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
* configured in named.conf.
*/
CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
- actx, ns_g_mctx, &view->queryacl));
+ actx, ns_g_mctx, &view->cacheacl));
CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on",
- actx, ns_g_mctx, &view->queryonacl));
- if (view->queryonacl == NULL)
+ actx, ns_g_mctx, &view->cacheonacl));
+ if (view->cacheonacl == NULL)
CHECK(configure_view_acl(NULL, ns_g_config,
"allow-query-cache-on", actx,
- ns_g_mctx, &view->queryonacl));
+ ns_g_mctx, &view->cacheonacl));
if (strcmp(view->name, "_bind") != 0) {
CHECK(configure_view_acl(vconfig, config, "allow-recursion",
actx, ns_g_mctx,
@@ -1628,14 +1636,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
* "allow-recursion" inherits from "allow-query-cache" if set,
* otherwise from "allow-query" if set.
*/
- if (view->queryacl == NULL && view->recursionacl != NULL)
- dns_acl_attach(view->recursionacl, &view->queryacl);
- if (view->queryacl == NULL && view->recursion)
+ if (view->cacheacl == NULL && view->recursionacl != NULL)
+ dns_acl_attach(view->recursionacl, &view->cacheacl);
+ if (view->cacheacl == NULL && view->recursion)
CHECK(configure_view_acl(vconfig, config, "allow-query",
- actx, ns_g_mctx, &view->queryacl));
+ actx, ns_g_mctx, &view->cacheacl));
if (view->recursion &&
- view->recursionacl == NULL && view->queryacl != NULL)
- dns_acl_attach(view->queryacl, &view->recursionacl);
+ view->recursionacl == NULL && view->cacheacl != NULL)
+ dns_acl_attach(view->cacheacl, &view->recursionacl);
/*
* Set default "allow-recursion", "allow-recursion-on" and
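Review bot: the comment at the top of this hunk ("allow-recursion" inherits from "allow-query-cache" if set, otherwise from "allow-query" if set) describes only one direction of the inheritance, but the code goes both ways: `if (view->cacheacl == NULL && view->recursionacl != NULL) dns_acl_attach(view->recursionacl, &view->cacheacl);` makes allow-query-cache inherit from allow-recursion, and the final `dns_acl_attach(view->cacheacl, &view->recursionacl);` does the reverse. Suggest extending the comment so that someone auditing which clients can read the cache sees that an allow-recursion ACL also becomes the cache ACL whenever allow-query-cache is not set explicitly.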
@@ -1651,16 +1659,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
"allow-recursion-on",
actx, ns_g_mctx,
&view->recursiononacl));
- if (view->queryacl == NULL) {
+ if (view->cacheacl == NULL) {
if (view->recursion)
CHECK(configure_view_acl(NULL, ns_g_config,
"allow-query-cache", actx,
- ns_g_mctx, &view->queryacl));
- else {
- if (view->queryacl != NULL)
- dns_acl_detach(&view->queryacl);
- CHECK(dns_acl_none(ns_g_mctx, &view->queryacl));
- }
+ ns_g_mctx, &view->cacheacl));
+ else
+ CHECK(dns_acl_none(ns_g_mctx, &view->cacheacl));
}
/*
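Review bot: dropping `if (view->queryacl != NULL) dns_acl_detach(&view->queryacl);` is safe because this whole block sits inside `if (view->cacheacl == NULL) {`, so the detach was dead code, and the simplified `else CHECK(dns_acl_none(ns_g_mctx, &view->cacheacl));` keeps the important default that a non-recursive view with no explicit allow-query-cache refuses cache queries entirely. Apart from the field rename from `queryacl` to `cacheacl`, behaviour here is unchanged.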
diff --git a/contrib/bind9/lib/dns/api b/contrib/bind9/lib/dns/api
index b1adf784..82e6786 100644
--- a/contrib/bind9/lib/dns/api
+++ b/contrib/bind9/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 57
+LIBINTERFACE = 58
LIBREVISION = 0
-LIBAGE = 2
+LIBAGE = 0
diff --git a/contrib/bind9/lib/dns/include/dns/view.h b/contrib/bind9/lib/dns/include/dns/view.h
index 5b53c16..0b4dedc 100644
--- a/contrib/bind9/lib/dns/include/dns/view.h
+++ b/contrib/bind9/lib/dns/include/dns/view.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.h,v 1.111.88.4 2009/01/29 22:40:35 jinmei Exp $ */
+/* $Id: view.h,v 1.111.88.4.24.2 2010/09/29 23:46:31 tbox Exp $ */
#ifndef DNS_VIEW_H
#define DNS_VIEW_H 1
@@ -118,6 +118,8 @@ struct dns_view {
isc_boolean_t enablevalidation;
isc_boolean_t acceptexpired;
dns_transfer_format_t transfer_format;
+ dns_acl_t * cacheacl;
+ dns_acl_t * cacheonacl;
dns_acl_t * queryacl;
dns_acl_t * queryonacl;
dns_acl_t * recursionacl;
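Review bot: inserting `cacheacl` and `cacheonacl` in the middle of `struct dns_view` changes the struct layout for every user of this header, which is why the `lib/dns/api` hunk bumps `LIBINTERFACE` from 57 to 58 and resets `LIBAGE` to 0; that pairing is correct and means named and anything else built against the old libdns has to be rebuilt rather than just relinked.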
diff --git a/contrib/bind9/lib/dns/journal.c b/contrib/bind9/lib/dns/journal.c
index 638e647..933576f 100644
--- a/contrib/bind9/lib/dns/journal.c
+++ b/contrib/bind9/lib/dns/journal.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: journal.c,v 1.103.48.6 2009/11/04 23:47:25 tbox Exp $ */
+/* $Id: journal.c,v 1.103.48.6.10.2 2010/11/17 23:46:16 tbox Exp $ */
#include <config.h>
@@ -2173,6 +2173,12 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
indexend = new->header.end.offset;
}
+
+ /*
+ * Close both journals before trying to rename files (this is
+ * necessary on WIN32).
+ */
+ dns_journal_destroy(&j);
dns_journal_destroy(&new);
/*
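Review bot: moving `dns_journal_destroy(&j);` up next to `dns_journal_destroy(&new);` closes the old journal before the rename, as the new comment says WIN32 requires; the matching removal of the original call after the rename block is in the last hunk of this file, so `j` is still destroyed exactly once on the success path. Please double-check that no `goto failure` between this point and the old call site still dereferences `j` (the visible code between the two only handles file names, so this looks fine).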
@@ -2180,12 +2186,14 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
* Any IXFR outs will just continue and the old journal will be
* removed on final close.
*
- * With MSDOS / NTFS we need to do a two stage rename triggered
- * bu EEXISTS. Hopefully all IXFR's that were active at the last
- * rename are now complete.
+ * With MSDOS / NTFS we need to do a two stage rename, triggered
+ * by EEXIST. (If any IXFR's are running in other threads, however,
+ * this will fail, and the journal will not be compacted. But
+ * if so, hopefully they'll be finished by the next time we
+ * compact.)
*/
if (rename(newname, filename) == -1) {
- if (errno == EACCES && !is_backup) {
+ if (errno == EEXIST && !is_backup) {
result = isc_file_remove(backup);
if (result != ISC_R_SUCCESS &&
result != ISC_R_FILENOTFOUND)
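Review bot: besides the comment fix ("bu EEXISTS" to "by EEXIST"), `if (errno == EACCES && !is_backup)` becoming `if (errno == EEXIST && !is_backup)` is a behaviour change that the rewritten comment does not call out: the fallback path (`isc_file_remove(backup)` and the two-stage rename that follows) now only triggers on EEXIST, so a Win32 build whose rename emulation reports EACCES for an existing target would silently stop compacting journals. Suggest confirming which errno the platform actually returns, accepting both if both are possible, and recording the change in CHANGES.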
@@ -2202,7 +2210,6 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
}
}
- dns_journal_destroy(&j);
result = ISC_R_SUCCESS;
failure:
diff --git a/contrib/bind9/lib/dns/rbtdb.c b/contrib/bind9/lib/dns/rbtdb.c
index 538c228..f61b83b 100644
--- a/contrib/bind9/lib/dns/rbtdb.c
+++ b/contrib/bind9/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbtdb.c,v 1.270.12.16.10.3 2010/08/13 07:25:21 marka Exp $ */
+/* $Id: rbtdb.c,v 1.270.12.16.10.6 2010/11/16 07:46:23 marka Exp $ */
/*! \file */
@@ -5421,14 +5421,14 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
dns_rdataset_t *addedrdataset, isc_stdtime_t now)
{
rbtdb_changed_t *changed = NULL;
- rdatasetheader_t *topheader, *topheader_prev, *header;
+ rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
unsigned char *merged;
isc_result_t result;
isc_boolean_t header_nx;
isc_boolean_t newheader_nx;
isc_boolean_t merge;
dns_rdatatype_t rdtype, covers;
- rbtdb_rdatatype_t negtype;
+ rbtdb_rdatatype_t negtype, sigtype;
dns_trust_t trust;
int idx;
@@ -5466,7 +5466,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE;
topheader_prev = NULL;
-
+ sigheader = NULL;
negtype = 0;
if (rbtversion == NULL && !newheader_nx) {
rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
@@ -5475,26 +5475,34 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
* We're adding a negative cache entry.
*/
covers = RBTDB_RDATATYPE_EXT(newheader->type);
- if (covers == dns_rdatatype_any) {
+ sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
+ covers);
+ for (topheader = rbtnode->data;
+ topheader != NULL;
+ topheader = topheader->next) {
/*
- * We're adding an negative cache entry
+ * If we're adding an negative cache entry
* which covers all types (NXDOMAIN,
* NODATA(QTYPE=ANY)).
*
* We make all other data stale so that the
* only rdataset that can be found at this
* node is the negative cache entry.
+ *
+ * Otherwise look for any RRSIGs of the
+ * given type so they can be marked stale
+ * later.
*/
- for (topheader = rbtnode->data;
- topheader != NULL;
- topheader = topheader->next) {
+ if (covers == dns_rdatatype_any) {
set_ttl(rbtdb, topheader, 0);
topheader->attributes |=
RDATASET_ATTR_STALE;
- }
- rbtnode->dirty = 1;
- goto find_header;
+ rbtnode->dirty = 1;
+ } else if (topheader->type == sigtype)
+ sigheader = topheader;
}
+ if (covers == dns_rdatatype_any)
+ goto find_header;
negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
} else {
/*
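Review bot: the scan `for (topheader = rbtnode->data; topheader != NULL; topheader = topheader->next)` now runs on every negative-cache insert rather than only for `covers == dns_rdatatype_any`, which is the intended behaviour: an RRSIG for the type being negatively cached is recorded in `sigheader` so it can be made stale with the negative entry, and a node can no longer hold both a negative entry and a live RRSIG for the same type. Two readability points: the comment block inside the loop still opens as if it only described the ANY case ("If we're adding an negative cache entry which covers all types"), so a lead sentence like "For each rdataset header at this node:" before the two cases would help, and "an negative" should read "a negative" in both the old and new comment text.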
@@ -5732,6 +5740,11 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
if (rbtversion == NULL) {
set_ttl(rbtdb, header, 0);
header->attributes |= RDATASET_ATTR_STALE;
+ if (sigheader != NULL) {
+ set_ttl(rbtdb, sigheader, 0);
+ sigheader->attributes |=
+ RDATASET_ATTR_STALE;
+ }
}
idx = newheader->node->locknum;
if (IS_CACHE(rbtdb)) {
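Review bot: staling `sigheader` alongside `header` is the other half of the fix started in the earlier hunk (the scan that records the RRSIG header for the covered type), and the `rbtversion == NULL` guard matches where `sigheader` is set, so the pair is consistent. One thing to confirm: the ANY branch of the earlier hunk sets `rbtnode->dirty = 1` after marking headers stale, but nothing in this hunk sets it for `header` or `sigheader`; if dirty is not set elsewhere on this path, the stale headers will not be reclaimed at the next node cleanup.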
@@ -7071,6 +7084,8 @@ dns_rbtdb_create
* change.
*/
if (!IS_CACHE(rbtdb)) {
+ dns_rbtnode_t *nsec3node;
+
rbtdb->origin_node = NULL;
result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin,
&rbtdb->origin_node);
@@ -7094,6 +7109,32 @@ dns_rbtdb_create
dns_name_hash(&name, ISC_TRUE) %
rbtdb->node_lock_count;
#endif
+ /*
+ * Add an apex node to the NSEC3 tree so that NSEC3 searches
+ * return partial matches when there is only a single NSEC3
+ * record in the tree.
+ */
+ nsec3node = NULL;
+ result = dns_rbt_addnode(rbtdb->nsec3, &rbtdb->common.origin,
+ &nsec3node);
+ if (result != ISC_R_SUCCESS) {
+ INSIST(result != ISC_R_EXISTS);
+ free_rbtdb(rbtdb, ISC_FALSE, NULL);
+ return (result);
+ }
+ nsec3node->nsec3 = 1;
+ /*
+ * We need to give the nsec3 origin node the right locknum.
+ */
+ dns_name_init(&name, NULL);
+ dns_rbt_namefromnode(nsec3node, &name);
+#ifdef DNS_RBT_USEHASH
+ nsec3node->locknum = nsec3node->hashval %
+ rbtdb->node_lock_count;
+#else
+ nsec3node->locknum = dns_name_hash(&name, ISC_TRUE) %
+ rbtdb->node_lock_count;
+#endif
}
/*
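Review bot: the NSEC3 apex node is added with the same error handling as the origin node (`free_rbtdb(rbtdb, ISC_FALSE, NULL); return (result);`), and `INSIST(result != ISC_R_EXISTS);` is sound because the nsec3 tree is empty when the database is created. The locknum computation, including the `#ifdef DNS_RBT_USEHASH` split, is now duplicated verbatim for the origin node and the nsec3 node; a small static helper would keep the two from drifting.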
diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c
index 90c18bc..fc6f454 100644
--- a/contrib/bind9/lib/dns/validator.c
+++ b/contrib/bind9/lib/dns/validator.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.164.12.11.10.6 2010/09/03 02:55:18 marka Exp $ */
+/* $Id: validator.c,v 1.164.12.11.10.7 2010/11/16 01:48:32 marka Exp $ */
#include <config.h>
@@ -393,6 +393,7 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
isc_boolean_t want_destroy;
isc_result_t result;
isc_result_t eresult;
+ isc_result_t saved_result;
UNUSED(task);
INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
@@ -429,6 +430,17 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
val->keyset = &val->frdataset;
}
result = validate(val, ISC_TRUE);
+ if (result == DNS_R_NOVALIDSIG &&
+ (val->attributes & VALATTR_TRIEDVERIFY) == 0)
+ {
+ saved_result = result;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "falling back to insecurity proof");
+ val->attributes |= VALATTR_INSECURITY;
+ result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
+ if (result == DNS_R_NOTINSECURE)
+ result = saved_result;
+ }
if (result != DNS_R_WAIT)
validator_done(val, result);
} else {
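Review bot: the fallback `if (result == DNS_R_NOVALIDSIG && (val->attributes & VALATTR_TRIEDVERIFY) == 0)` is gated correctly: it only tries the insecurity proof when no signature verification was attempted at all (no usable secure DNSKEY for any RRSIG), never when a verification was tried and failed, so a forged or broken signature still fails closed as NOVALIDSIG instead of being downgraded to insecure. Restoring `saved_result` when `proveunsecure` returns DNS_R_NOTINSECURE keeps the original failure reason for the caller and the log. The identical block appears again in `keyvalidated` below; consider a small helper so the two cannot diverge.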
@@ -619,6 +631,7 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
isc_boolean_t want_destroy;
isc_result_t result;
isc_result_t eresult;
+ isc_result_t saved_result;
UNUSED(task);
INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
@@ -645,6 +658,17 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
if (val->frdataset.trust >= dns_trust_secure)
(void) get_dst_key(val, val->siginfo, &val->frdataset);
result = validate(val, ISC_TRUE);
+ if (result == DNS_R_NOVALIDSIG &&
+ (val->attributes & VALATTR_TRIEDVERIFY) == 0)
+ {
+ saved_result = result;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "falling back to insecurity proof");
+ val->attributes |= VALATTR_INSECURITY;
+ result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
+ if (result == DNS_R_NOTINSECURE)
+ result = saved_result;
+ }
if (result != DNS_R_WAIT)
validator_done(val, result);
} else {
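Review bot: this block is byte-for-byte the one added in `fetch_callback_validator` above (save result, log "falling back to insecurity proof", set VALATTR_INSECURITY, call `proveunsecure(val, ISC_FALSE, ISC_FALSE)`, restore on DNS_R_NOTINSECURE). Factoring it into a static helper, say `fallback_insecure(val, result)` (name illustrative), would keep both callers in sync if the guard is ever tightened.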
@@ -1875,9 +1899,11 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
* was known and "sufficiently good".
*/
if (!dns_resolver_algorithm_supported(val->view->resolver,
- event->name,
- val->siginfo->algorithm))
+ event->name,
+ val->siginfo->algorithm)) {
+ resume = ISC_FALSE;
continue;
+ }
if (!resume) {
result = get_key(val, val->siginfo);
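Review bot: the added `resume = ISC_FALSE;` before `continue;` in the unsupported-algorithm case is needed, not cosmetic: without it the next RRSIG in the loop would skip `get_key` (`if (!resume) { result = get_key(val, val->siginfo);`) and reuse whatever key state belonged to the previous, rejected signature. The same reset is applied to the `val->key == NULL` case in the next hunk, so the two skip paths behave alike.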
@@ -1888,16 +1914,12 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
}
/*
- * The key is insecure, so mark the data as insecure also.
+ * There isn't a secure DNSKEY for this signature so move
+ * onto the next RRSIG.
*/
if (val->key == NULL) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
- return (DNS_R_MUSTBESECURE);
- }
- markanswer(val, "validate");
- return (ISC_R_SUCCESS);
+ resume = ISC_FALSE;
+ continue;
}
do {
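Review bot: this is the security-relevant change in this file. Previously a single RRSIG whose DNSKEY could not be found secure caused `markanswer(val, "validate"); return (ISC_R_SUCCESS);`, so the whole answer was declared insecure on the first unusable signature, even when another RRSIG (for example one made with the other algorithm during a key algorithm rollover) would have validated. Now that signature is skipped with `resume = ISC_FALSE; continue;` and the loop tries the remaining RRSIGs, while the legitimately-insecure case is handled by the NOVALIDSIG fallback added in the callers above. The dropped `val->mustbesecure` check only keeps its coverage if the eventual NOVALIDSIG or insecure outcome is still compared against `mustbesecure` downstream; nothing in this hunk does so, so please confirm.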
@@ -3703,6 +3725,20 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
*/
result = DNS_R_NOVALIDNSEC;
goto out;
+ } else if (DNS_TRUST_PENDING(val->frdataset.trust) ||
+ DNS_TRUST_ANSWER(val->frdataset.trust)) {
+ /*
+ * If we have "trust == answer" then this namespace
+ * has switched from insecure to should be secure.
+ */
+ result = create_validator(val, tname,
+ dns_rdatatype_ds,
+ &val->frdataset,
+ NULL, dsvalidated,
+ "proveunsecure");
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ return (DNS_R_WAIT);
} else if (val->frdataset.trust < dns_trust_secure) {
/*
* This shouldn't happen, since the negative
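Review bot: the new branch `else if (DNS_TRUST_PENDING(val->frdataset.trust) || DNS_TRUST_ANSWER(val->frdataset.trust))` matches both pending and answer trust, but its comment only explains the `trust == answer` case (namespace switched from insecure to secure). Suggest also stating why pending data takes this path, since both now spawn a DS validator via `create_validator(..., dns_rdatatype_ds, ..., dsvalidated, "proveunsecure")` and return DNS_R_WAIT. Defensively this is the right direction: a DS RRset that has not yet been validated is no longer taken at face value when deciding that a name is insecure.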
diff --git a/contrib/bind9/lib/dns/view.c b/contrib/bind9/lib/dns/view.c
index 3726eef..54f0d26 100644
--- a/contrib/bind9/lib/dns/view.c
+++ b/contrib/bind9/lib/dns/view.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.c,v 1.150.84.3.10.1 2010/03/03 22:06:39 marka Exp $ */
+/* $Id: view.c,v 1.150.84.3.10.2 2010/09/29 00:03:32 marka Exp $ */
/*! \file */
@@ -168,6 +168,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->acceptexpired = ISC_FALSE;
view->minimalresponses = ISC_FALSE;
view->transfer_format = dns_one_answer;
+ view->cacheacl = NULL;
+ view->cacheonacl = NULL;
view->queryacl = NULL;
view->queryonacl = NULL;
view->recursionacl = NULL;
@@ -294,6 +296,10 @@ destroy(dns_view_t *view) {
dns_acl_detach(&view->matchclients);
if (view->matchdestinations != NULL)
dns_acl_detach(&view->matchdestinations);
+ if (view->cacheacl != NULL)
+ dns_acl_detach(&view->cacheacl);
+ if (view->cacheonacl != NULL)
+ dns_acl_detach(&view->cacheonacl);
if (view->queryacl != NULL)
dns_acl_detach(&view->queryacl);
if (view->queryonacl != NULL)
diff --git a/contrib/bind9/lib/isc/api b/contrib/bind9/lib/isc/api
index 823f692..b765f45 100644
--- a/contrib/bind9/lib/isc/api
+++ b/contrib/bind9/lib/isc/api
@@ -1,3 +1,3 @@
LIBINTERFACE = 53
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 3
diff --git a/contrib/bind9/lib/isc/print.c b/contrib/bind9/lib/isc/print.c
index b892e3a..6b98195 100644
--- a/contrib/bind9/lib/isc/print.c
+++ b/contrib/bind9/lib/isc/print.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: print.c,v 1.35 2008/02/18 23:46:59 tbox Exp $ */
+/* $Id: print.c,v 1.35.418.2 2010/10/18 23:46:34 tbox Exp $ */
/*! \file */
@@ -468,7 +468,7 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
if (width > 0) {
count += width;
width--;
- if (left) {
+ if (left && size > 1) {
*str++ = c;
size--;
}
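Review bot: `if (left && size > 1)` stops the left-justified padding character from being written when `size` (remaining space, including the terminating NUL) is 1 or less, closing a one-byte overrun in `isc_print_vsnprintf` for small buffers; `count` is still incremented, so the returned length stays correct. The right-justified path for the same field is outside this hunk; please confirm it carries an equivalent `size > 1` guard, since the same truncation can occur there.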
diff --git a/contrib/bind9/release-notes.css b/contrib/bind9/release-notes.css
new file mode 100644
index 0000000..411eb8b
--- /dev/null
+++ b/contrib/bind9/release-notes.css
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: release-notes.css,v 1.1.4.3 2010/11/29 01:16:39 tbox Exp $ */
+
+body {
+ background-color: #ffffff;
+ color: #333333;
+ font-family: "Helvetica Neue", "ArialMT", "Verdana", "Arial", "Helvetica", sans-serif;
+ font-size: 14px;
+ line-height: 18px;
+ margin: 2em auto;
+ width: 700px;
+}
+
+.command {
+ font-family: "Courier New", "Courier", monospace;
+ font-weight: normal;
+}
+
+.note {
+ background-color: #ddeedd;
+ border: 1px solid #aaccaa;
+ margin: 1em 0 1em 0;
+ padding: 0.5em 1em 0.5em 1em;
+ -moz-border-radius: 10px;
+ -webkit-border-radius: 10px;
+}
+
+.screen {
+ background-color: #ffffee;
+ border: 1px solid #ddddaa;
+ padding: 0.25em 1em 0.25em 1em;
+ margin: 1em 0 1em 0;
+ -moz-border-radius: 10px;
+ -webkit-border-radius: 10px;
+}
+
+.section.title {
+ font-size: 150%;
+ font-weight: bold;
+}
+
+.section.section.title {
+ font-size: 130%;
+ font-weight: bold;
+}
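Review bot: the selector `.section.section.title` in the last rule is almost certainly meant to be the descendant selector `.section .section .title` (a section nested in a section); as written, repeating a class name in a compound selector is equivalent to `.section.title`, so the second rule simply overrides the first and every section title renders at 130% instead of 150% for top-level and 130% for nested ones. Suggest `.section .title` for the first rule and `.section .section .title` for the second if the generated HTML nests `div.section` elements.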
diff --git a/contrib/bind9/version b/contrib/bind9/version
index a16a96f..d736ecf 100644
--- a/contrib/bind9/version
+++ b/contrib/bind9/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.43.12.8.4.3 2010/09/03 02:57:11 marka Exp $
+# $Id: version,v 1.43.12.8.4.4 2010/11/18 23:37:13 marka Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
@@ -7,4 +7,4 @@ MAJORVER=9
MINORVER=6
PATCHVER=
RELEASETYPE=-ESV
-RELEASEVER=-R2
+RELEASEVER=-R3