Update to 9.8.4-P1.

Security Fixes

   Prevents named from aborting with a require assertion failure
   on servers with DNS64 enabled.  These crashes might occur as a
   result of  specific queries that are received.

New Features

*  Elliptic Curve Digital Signature Algorithm keys and signatures in
   DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

*  Improves OpenSSL error logging [RT #29932]

*  nslookup now returns a nonzero exit code when it is unable to get
   an answer.  [RT #29492]

Other critical bug fixes are included.

Approved by:	delphij (mentor)
MFC after:	3 days
Security:	CVE-2012-5688
Sponsored by:	DK Hostmaster A/S

4 files changed, 16 insertions, 9 deletions

diff --git a/lib/bind/config.h b/lib/bind/config.h
index 22d76bc..5e9d74b 100644
--- a/lib/bind/config.h
+++ b/lib/bind/config.h
@@ -3,7 +3,7 @@
 /* config.h.  Generated from config.h.in by configure.  */
 /* config.h.in.  Generated from configure.in by autoheader.  */
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -141,6 +141,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define if OpenSSL includes DSA support */
 #define HAVE_OPENSSL_DSA 1
 
+/* Define if OpenSSL includes ECDSA support */
+#define HAVE_OPENSSL_ECDSA 1
+
 /* Define to the length type used by the socket API (socklen_t, size_t, int). */
 #define ISC_SOCKADDR_LEN_T socklen_t
 
@@ -202,6 +205,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the `EVP_sha256' function. */
 #define HAVE_EVP_SHA256 1
 
+/* Define to 1 if you have the `EVP_sha384' function. */
+#define HAVE_EVP_SHA384 1
+
 /* Define to 1 if you have the `EVP_sha512' function. */
 #define HAVE_EVP_SHA512 1
 
diff --git a/lib/bind/config.mk b/lib/bind/config.mk
index ebac59a..88ec258 100644
--- a/lib/bind/config.mk
+++ b/lib/bind/config.mk
@@ -27,10 +27,10 @@ INTERNALLIB=
 .endif
 .endif
 
-# GSSAPI support is incomplete in 9.3.0
-#.if ${MK_KERBEROS} != "no"
-#CFLAGS+=	-DGSSAPI
-#.endif
+# Enable GSSAPI support if available
+.if ${MK_KERBEROS} != "no"
+CFLAGS+=	-DGSSAPI
+.endif
 
 # Enable IPv6 support if available
 .if ${MK_INET6_SUPPORT} != "no"
diff --git a/lib/bind/dns/Makefile b/lib/bind/dns/Makefile
index 159de00..89dfd40 100644
--- a/lib/bind/dns/Makefile
+++ b/lib/bind/dns/Makefile
@@ -26,6 +26,7 @@ SRCS+=		acache.c acl.c adb.c byaddr.c \
 		name.c ncache.c nsec.c nsec3.c \
 		openssl_link.c openssldh_link.c \
 		openssldsa_link.c opensslgost_link.c opensslrsa_link.c \
+		opensslecdsa_link.c \
 		order.c peer.c portlist.c private.c \
 		rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \
 		rdataset.c rdatasetiter.c rdataslab.c request.c \
diff --git a/lib/bind/isc/isc/platform.h b/lib/bind/isc/isc/platform.h
index 7dab495..61630f4 100644
--- a/lib/bind/isc/isc/platform.h
+++ b/lib/bind/isc/isc/platform.h
@@ -17,7 +17,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h.in,v 1.56 2010-12-18 01:56:23 each Exp $ */
+/* $Id: platform.h.in,v 1.56 2010/12/18 01:56:23 each Exp $ */
 
 #ifndef ISC_PLATFORM_H
 #define ISC_PLATFORM_H 1
@@ -219,19 +219,19 @@
  * Defined to <gssapi.h> or <gssapi/gssapi.h> for how to include
  * the GSSAPI header.
  */
-
+#define ISC_PLATFORM_GSSAPIHEADER <gssapi/gssapi.h>
 
 /*
  * Defined to <gssapi_krb5.h> or <gssapi/gssapi_krb5.h> for how to
  * include the GSSAPI KRB5 header.
  */
-
+#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <gssapi/gssapi_krb5.h>
 
 /*
  * Defined to <krb5.h> or <krb5/krb5.h> for how to include
  * the KRB5 header.
  */
-
+#define ISC_PLATFORM_KRB5HEADER <krb5.h>
 
 /*
  * Type used for resource limits.