From: Doug Barton
Date: Sun, 6 Feb 2011 22:46:07 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r218384 - in head: contrib/bind9 contrib/bind9/bin/check contrib/bind9/bin/dig contrib/bind9/bin/dnssec contrib/bind9/bin/named contrib/bind9/bin/named/include/named contrib/bind9/bin/n...

Author: dougb
Date: Sun Feb 6 22:46:07 2011
New Revision: 218384
URL: http://svn.freebsd.org/changeset/base/218384

Log:
  Update to BIND 9.6.3, the latest from ISC on the 9.6 branch.

  All 9.6 users with DNSSEC validation enabled should upgrade to this
  version, or the latest version in the 9.7 branch, prior to 2011-03-31
  in order to avoid validation failures for names in .COM as described
  here:

  https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record

  In addition to the fixes for this and other bugs, there are also the
  following:

  * Various fixes to kerberos support, including GSS-TSIG
  * Various fixes to avoid leaking memory, and to problems that could
    prevent a clean shutdown of named

Added:
  head/contrib/bind9/RELEASE-NOTES-BIND-9.6.3.html
     - copied unchanged from r218352, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6.3.html
  head/contrib/bind9/RELEASE-NOTES-BIND-9.6.3.pdf
     - copied unchanged from r218352, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6.3.pdf
  head/contrib/bind9/RELEASE-NOTES-BIND-9.6.3.txt
     - copied unchanged from r218352, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6.3.txt
Deleted:
  head/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.html
  head/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.pdf
  head/contrib/bind9/RELEASE-NOTES-BIND-9.6-ESV.txt
  head/contrib/bind9/release-notes.css
Modified:
  head/contrib/bind9/CHANGES
  head/contrib/bind9/COPYRIGHT
  head/contrib/bind9/README
  head/contrib/bind9/bin/check/check-tool.c
  head/contrib/bind9/bin/check/check-tool.h
  head/contrib/bind9/bin/check/named-checkconf.c
  head/contrib/bind9/bin/check/named-checkzone.c
  head/contrib/bind9/bin/dig/dig.c
  head/contrib/bind9/bin/dig/dighost.c
  head/contrib/bind9/bin/dig/host.c
  head/contrib/bind9/bin/dig/nslookup.1
  head/contrib/bind9/bin/dig/nslookup.docbook
  head/contrib/bind9/bin/dig/nslookup.html
  head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8
  head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html
  head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html
  head/contrib/bind9/bin/dnssec/dnssec-keygen.html
  head/contrib/bind9/bin/dnssec/dnssec-signzone.c
  head/contrib/bind9/bin/dnssec/dnssec-signzone.html
  head/contrib/bind9/bin/named/builtin.c
  head/contrib/bind9/bin/named/client.c
  head/contrib/bind9/bin/named/control.c
  head/contrib/bind9/bin/named/include/named/globals.h
  head/contrib/bind9/bin/named/include/named/query.h
  head/contrib/bind9/bin/named/main.c
  head/contrib/bind9/bin/named/query.c
  head/contrib/bind9/bin/named/server.c
  head/contrib/bind9/bin/named/update.c
  head/contrib/bind9/bin/named/xfrout.c
  head/contrib/bind9/bin/nsupdate/nsupdate.1
  head/contrib/bind9/bin/nsupdate/nsupdate.c
  head/contrib/bind9/bin/nsupdate/nsupdate.docbook
  head/contrib/bind9/bin/nsupdate/nsupdate.html
  head/contrib/bind9/config.h.in
  head/contrib/bind9/config.threads.in
  head/contrib/bind9/configure.in
  head/contrib/bind9/doc/arm/Bv9ARM-book.xml
  head/contrib/bind9/doc/arm/Bv9ARM.ch06.html
  head/contrib/bind9/doc/arm/Bv9ARM.ch07.html
  head/contrib/bind9/doc/arm/Bv9ARM.ch08.html
  head/contrib/bind9/doc/arm/Bv9ARM.ch09.html
  head/contrib/bind9/doc/arm/Bv9ARM.html
  head/contrib/bind9/doc/arm/Bv9ARM.pdf
  head/contrib/bind9/doc/arm/man.dig.html
  head/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
  head/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
  head/contrib/bind9/doc/arm/man.dnssec-keygen.html
  head/contrib/bind9/doc/arm/man.dnssec-signzone.html
  head/contrib/bind9/doc/arm/man.host.html
  head/contrib/bind9/doc/arm/man.named-checkconf.html
  head/contrib/bind9/doc/arm/man.named-checkzone.html
  head/contrib/bind9/doc/arm/man.named.html
  head/contrib/bind9/doc/arm/man.nsupdate.html
  head/contrib/bind9/doc/arm/man.rndc-confgen.html
  head/contrib/bind9/doc/arm/man.rndc.conf.html
  head/contrib/bind9/doc/arm/man.rndc.html
  head/contrib/bind9/doc/misc/options
  head/contrib/bind9/lib/bind9/api
  head/contrib/bind9/lib/bind9/check.c
  head/contrib/bind9/lib/dns/Makefile.in
  head/contrib/bind9/lib/dns/adb.c
  head/contrib/bind9/lib/dns/api
  head/contrib/bind9/lib/dns/dst_api.c
  head/contrib/bind9/lib/dns/dst_internal.h
  head/contrib/bind9/lib/dns/gssapictx.c
  head/contrib/bind9/lib/dns/include/dns/diff.h
  head/contrib/bind9/lib/dns/include/dns/events.h
  head/contrib/bind9/lib/dns/include/dns/name.h
  head/contrib/bind9/lib/dns/include/dns/ncache.h
  head/contrib/bind9/lib/dns/include/dns/rdataset.h
  head/contrib/bind9/lib/dns/include/dns/resolver.h
  head/contrib/bind9/lib/dns/include/dns/result.h
  head/contrib/bind9/lib/dns/include/dns/tsig.h
  head/contrib/bind9/lib/dns/include/dns/types.h
  head/contrib/bind9/lib/dns/include/dns/validator.h
  head/contrib/bind9/lib/dns/include/dns/view.h
  head/contrib/bind9/lib/dns/include/dns/zone.h
  head/contrib/bind9/lib/dns/include/dst/dst.h
  head/contrib/bind9/lib/dns/journal.c
  head/contrib/bind9/lib/dns/message.c
  head/contrib/bind9/lib/dns/name.c
  head/contrib/bind9/lib/dns/ncache.c
  head/contrib/bind9/lib/dns/openssl_link.c
  head/contrib/bind9/lib/dns/rbtdb.c
  head/contrib/bind9/lib/dns/rdata.c
  head/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c
  head/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
  head/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
  head/contrib/bind9/lib/dns/rdatalist.c
  head/contrib/bind9/lib/dns/rdataset.c
  head/contrib/bind9/lib/dns/rdataslab.c
  head/contrib/bind9/lib/dns/resolver.c
  head/contrib/bind9/lib/dns/result.c
  head/contrib/bind9/lib/dns/rootns.c
  head/contrib/bind9/lib/dns/sdb.c
  head/contrib/bind9/lib/dns/sdlz.c
  head/contrib/bind9/lib/dns/time.c
  head/contrib/bind9/lib/dns/tkey.c
  head/contrib/bind9/lib/dns/tsig.c
  head/contrib/bind9/lib/dns/validator.c
  head/contrib/bind9/lib/dns/view.c
  head/contrib/bind9/lib/dns/zone.c
  head/contrib/bind9/lib/isc/Makefile.in
  head/contrib/bind9/lib/isc/api
  head/contrib/bind9/lib/isc/entropy.c
  head/contrib/bind9/lib/isc/include/isc/mem.h
  head/contrib/bind9/lib/isc/include/isc/platform.h.in
  head/contrib/bind9/lib/isc/include/isc/task.h
  head/contrib/bind9/lib/isc/mem.c
  head/contrib/bind9/lib/isc/nothreads/Makefile.in
  head/contrib/bind9/lib/isc/print.c
  head/contrib/bind9/lib/isc/pthreads/mutex.c
  head/contrib/bind9/lib/isc/task.c
  head/contrib/bind9/lib/isc/unix/socket.c
  head/contrib/bind9/lib/isccfg/api
  head/contrib/bind9/lib/isccfg/namedconf.c
  head/contrib/bind9/lib/lwres/man/lwres.html
  head/contrib/bind9/lib/lwres/man/lwres_buffer.html
  head/contrib/bind9/lib/lwres/man/lwres_config.html
  head/contrib/bind9/lib/lwres/man/lwres_context.html
  head/contrib/bind9/lib/lwres/man/lwres_gabn.html
  head/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
  head/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
  head/contrib/bind9/lib/lwres/man/lwres_gethostent.html
  head/contrib/bind9/lib/lwres/man/lwres_getipnode.html
  head/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
  head/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
  head/contrib/bind9/lib/lwres/man/lwres_gnba.html
  head/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
  head/contrib/bind9/lib/lwres/man/lwres_inetntop.html
  head/contrib/bind9/lib/lwres/man/lwres_noop.html
  head/contrib/bind9/lib/lwres/man/lwres_packet.html
  head/contrib/bind9/lib/lwres/man/lwres_resutil.html
  head/contrib/bind9/lib/lwres/print_p.h
  head/contrib/bind9/version
  head/lib/bind/config.h
  head/lib/bind/dns/code.h
  head/lib/bind/dns/dns/enumclass.h
head/lib/bind/dns/dns/enumtype.h head/lib/bind/dns/dns/rdatastruct.h head/lib/bind/isc/isc/platform.h Directory Properties: head/contrib/bind9/ (props changed) Modified: head/contrib/bind9/CHANGES ============================================================================== --- head/contrib/bind9/CHANGES Sun Feb 6 22:21:18 2011 (r218383) +++ head/contrib/bind9/CHANGES Sun Feb 6 22:46:07 2011 (r218384) 
@@ -1,5 +1,54 @@ + --- 9.6.3 released --- - --- 9.6-ESV-R3 released --- +3009. [bug] clients-per-query code didn't work as expected with + particular query patterns. [RT #22972] + + --- 9.6.3rc1 released --- + +3007. [bug] Named failed to preserve the case of domain names in + rdata which is not compressible when writing master + files. [RT #22863] + +3002. [bug] isc_mutex_init_errcheck() failed to destroy attr. + [RT #22766] + +2996. [security] Temporarily disable SO_ACCEPTFILTER support. + [RT #22589] + +2995. [bug] The Kerberos realm was not being correctly extracted + from the signer's identity. [RT #22770] + +2994. [port] NetBSD: use pthreads by default on NetBSD >= 5.0, and + do not use threads on earlier versions. Also kill + the unproven-pthreads, mit-pthreads, and ptl2 support. + +2984. [bug] Don't run MX checks when the target of the MX record + is ".". [RT #22645] + +2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls. + [RT #20768] + + --- 9.6.3b1 released --- + +2982. [bug] Reference count dst keys. dst_key_attach() can be used + increment the reference count. + + Note: dns_tsigkey_createfromkey() callers should now + always call dst_key_free() rather than setting it + to NULL on success. [RT #22672] + +2979. [bug] named could deadlock during shutdown if two + "rndc stop" commands were issued at the same + time. [RT #22108] + +2978. [port] hpux: look for [RT #21919] + +2976. [bug] named could die on exit after negotiating a GSS-TSIG + key. [RT #22573] + +2975. [bug] rbtdb.c:cleanup_dead_nodes_callback() aquired the + wrong lock which could lead to server deadlock. + [RT #22614] 2972. [bug] win32: address windows socket errors. [RT #21906] 
@@ -36,6 +85,9 @@ justified character with a non zero width, (e.g. "%-1c"). [RT #22270] +2965. [func] Test HMAC functions using test data from RFC 2104 and + RFC 4634. [RT #21702] + 2964. [bug] view->queryacl was being overloaded. Seperate the usage into view->queryacl, view->cacheacl and view->queryonacl. [RT #22114] @@ -43,6 +95,25 @@ 2962. [port] win32: add more dependencies to BINDBuild.dsw. [RT #22062] +2960. [func] Check that named accepts non-authoritative answers. + [RT #21594] + +2959. [func] Check that named starts with a missing masterfile. + [RT #22076] + +2957. [bug] entropy_get() and entropy_getpseudo() failed to match + the API for RAND_bytes() and RAND_pseudo_bytes() + respectively. [RT #21962] + +2956. [port] Enable atomic operations on the PowerPC64. [RT #21899] + +2954. [bug] contrib: dlz_mysql_driver.c bad error handling on + build_sqldbinstance failure. [RT #21623] + +2953. [bug] Silence spurious "expected covering NSEC3, got an + exact match" message when returning a wildcard + no data response. [RT #21744] + 2952. [port] win32: named-checkzone and named-checkconf failed to initialise winsock. [RT #21932] @@ -50,7 +121,23 @@ in a optout, delegation only zone with no secure delegations. [RT #22007] - --- 9.6-ESV-R2 released --- +2950. [bug] named failed to perform a SOA up to date check when + falling back to TCP on UDP timeouts when + ixfr-from-differences was set. [RT #21595] + +2946. [doc] Document the default values for the minimum and maximum + zone refresh and retry values in the ARM. [RT #21886] + +2945. [doc] Update empty-zones list in ARM. [RT #21772] + +2944. [maint] Remove ORCHID prefix from built in empty zones. + [RT #21772] + +2942. [contrib] zone2sqlite failed to setup the entropy sources. + [RT #21610] + +2941. [bug] sdb and sdlz (dlz's zone database) failed to support + DNAME at the zone apex. [RT #21610] 2939. [func] Check that named successfully skips NSEC3 records that fail to match the NSEC3PARAM record currently 
@@ -73,31 +160,173 @@ likely that the bug happens only when enabling threads, but it's not confirmed yet. [RT #21818] +2935. [bug] nsupdate: improve 'file not found' error message. + [RT #21871] + +2934. [bug] Use ANSI C compliant shift range in lib/isc/entropy.c. + [RT #21871] + +2933. [bug] 'dig +nsid' used stack memory after it went out of + scope. This could potentially result in a unknown, + potentially malformed, EDNS option being sent instead + of the desired NSID option. [RT #21781] + +2932. [cleanup] Corrected a numbering error in the "dnssec" test. + [RT #21597] + +2931. [bug] Temporarily and partially disable change 2864 + because it would cause infinite attempts of RRSIG + queries. This is an urgent care fix; we'll + revisit the issue and complete the fix later. + [RT #21710] + +2929. [bug] Improved handling of GSS security contexts: + - added LRU expiration for generated TSIGs + - added the ability to use a non-default realm + - added new "realm" keyword in nsupdate + - limited lifetime of generated keys to 1 hour + or the lifetime of the context (whichever is + smaller) + [RT #19737] + 2925. [bug] Named failed to accept uncachable negative responses from insecure zones. [RT# 21555] +2923. [bug] 'dig +trace' could drop core after "connection + timeout". [RT #21514] + +2922. [contrib] Update zkt to version 1.0. + 2921. [bug] The resolver could attempt to destroy a fetch context too soon. [RT #19878] +2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET. + +2916. [func] Add framework to use IPv6 in tests. + fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7 + +2915. [cleanup] Be smarter about which objects we attempt to compile + based on configure options. [RT #21444] + +2912. [func] Windows clients don't like UPDATE responses that clear + the zone section. [RT #20986] + +2911. [bug] dnssec-signzone didn't handle out of zone records well. + [RT #21367] + +2910. [func] Sanity check Kerberos credentials. [RT #20986] + +2908. 
[bug] It was possible for re-signing to stop after removing + a DNSKEY. [RT #21384] + +2905. [port] aix: set use_atomic=yes with native compiler. + [RT #21402] + +2904. [bug] When using DLV, sub-zones of the zones in the DLV, + could be incorrectly marked as insecure instead of + secure leading to negative proofs failing. This was + a unintended outcome from change 2890. [RT# 21392] + +2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316] + 2900. [bug] The placeholder negative caching element was not - properly constructed triggering a INSIST in + properly constructed triggering a INSIST in dns_ncache_towire(). [RT #21346] - + +2899. [port] win32: Support linking against OpenSSL 1.0.0. + +2898. [bug] nslookup leaked memory when -domain=value was + specified. [RT #21301] + +2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294] + +2891. [maint] Update empty-zones list to match + draft-ietf-dnsop-default-local-zones-13. [RT# 21099] + 2890. [bug] Handle the introduction of new trusted-keys and DS, DLV RRsets better. [RT #21097] -2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call. - [RT #20877] +2889. [bug] Elements of the grammar where not properly reported. + [RT #21046] + +2888. [bug] Only the first EDNS option was displayed. [RT #21273] + +2885. [bug] Improve -fno-strict-aliasing support probing in + configure. [RT #21080] + +2884. [bug] Insufficient validation in dns_name_getlabelsequence(). + [RT #21283] + +2883. [bug] 'dig +short' failed to handle really large datasets. + [RT #21113] + +2882. [bug] Remove memory context from list of active contexts + before clearing 'magic'. [RT #21274] + +2881. [bug] Reduce the amount of time the rbtdb write lock + is held when closing a version. [RT #21198] + +2879. [contrib] DLZ bdbhpt driver fails to close correct cursor. + [RT #21106] - --- 9.6-ESV-R1 released --- +2877. [bug] The validator failed to skip obviously mismatching + RRSIGs. [RT #21138] 2876. 
[bug] Named could return SERVFAIL for negative responses from unsigned zones. [RT #21131] - --- 9.6-ESV released --- +2875. [bug] dns_time64_fromtext() could accept non digits. + [RT #21033] + +2874. [bug] Cache lack of EDNS support only after the server + successfully responds to the query using plain DNS. + [RT #20930] + +2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET. + +2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call. + [RT #20877] + +2868. [cleanup] Run "make clean" at the end of configure to ensure + any changes made by configure are integrated. + Use --with-make-clean=no to disable. [RT #20994] + +2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers + don't like it. [RT #20986] + +2866. [bug] Windows does not like the TSIG name being compressed. + [RT #20986] + +2865. [bug] memset to zero event.data. [RT #20986] + +2864. [bug] Direct SIG/RRSIG queries were not handled correctly. + [RT #21050] + +2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU. + [RT #21056] + +2862. [bug] nsupdate didn't default to the parent zone when + updating DS records. [RT #20896] + +2859. [bug] When cancelling validation it was possible to leak + memory. [RT #20800] + +2858. [bug] RTT estimates were not being adjusted on ICMP errors. + [RT #20772] + +2857. [bug] named-checkconf did not fail on a bad trusted key. + [RT #20705] + +2856. [bug] The size of a memory allocation was not always properly + recorded. [RT #20927] + +2853. [bug] add_sigs() could run out of scratch space. [RT #21015] 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] +2851. [doc] nslookup.1, removed from the docbook + source as it produced bad nroff. [RT #21007] + --- 9.6.2 released --- 2850. [bug] If isc_heap_insert() failed due to memory shortage 
@@ -138,10 +367,10 @@ 2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781] -2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define +2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define. [RT #20771] -2818. [cleanup] rndc could return an incorrect error code +2818. [cleanup] rndc could return an incorrect error code when a zone was not found. [RT #20767] 2815. [bug] Exclusively lock the task when freezing a zone. @@ -357,7 +586,7 @@ 2621. [doc] Made copyright boilterplate consistent. [RT #19833] -2920. [bug] Delay thawing the zone until the reload of it has +2620. [bug] Delay thawing the zone until the reload of it has completed successfully. [RT #19750] 2618. [bug] The sdb and sdlz db_interator_seek() methods could Modified: head/contrib/bind9/COPYRIGHT ============================================================================== --- head/contrib/bind9/COPYRIGHT Sun Feb 6 22:21:18 2011 (r218383) +++ head/contrib/bind9/COPYRIGHT Sun Feb 6 22:46:07 2011 (r218384) @@ -1,4 +1,4 @@ -Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 1996-2003 Internet Software Consortium. Permission to use, copy, modify, and/or distribute this software for any @@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -$Id: COPYRIGHT,v 1.14.176.2 2010/01/07 23:47:36 tbox Exp $ +$Id: COPYRIGHT,v 1.14.176.3 2011-01-04 23:45:42 tbox Exp $ Portions Copyright (C) 1996-2001 Nominum, Inc. Modified: head/contrib/bind9/README ============================================================================== --- head/contrib/bind9/README Sun Feb 6 22:21:18 2011 (r218383) +++ head/contrib/bind9/README Sun Feb 6 22:46:07 2011 (r218384) 
@@ -42,11 +42,9 @@ BIND 9 Stichting NLnet - NLnet Foundation Nominum, Inc. -BIND 9.6-ESV (Extended Support Version) +BIND 9.6.3 - BIND 9.6-ESV will be supported until March 31, 2013, at - which time you will need to upgrade to the current release - of BIND. + BIND 9.6.3 is a maintenance release, fixing bugs in 9.6.2. BIND 9.6.2 Copied: head/contrib/bind9/RELEASE-NOTES-BIND-9.6.3.html (from r218352, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6.3.html) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/contrib/bind9/RELEASE-NOTES-BIND-9.6.3.html Sun Feb 6 22:46:07 2011 (r218384, copy of r218352, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6.3.html) @@ -0,0 +1,165 @@ + + +

+ +

Introduction

+ +

+ BIND 9.6.3 is the current release of BIND 9.6. +

+

+ This document summarizes changes from BIND 9.6.2-P2 to BIND 9.6.3. + Please see the CHANGES file in the source code release for a + complete list of all changes. +

+
+ +

Download

+ +

+ The latest development version of BIND 9 software can always be found + on our web site at + http://www.isc.org/downloads/development. + There you will find additional information about each release, + source code, and some pre-compiled versions for certain operating + systems. +

+
+ +

Support

+ +

Product support information is available on + http://www.isc.org/services/support + for paid support options. Free support is provided by our user + community via a mailing list. Information on all public email + lists is available at + https://lists.isc.org/mailman/listinfo. +

+
+ +

New Features

+ +

9.6.3

+ +

None.

+
+
+ +

Feature Changes

+ +

9.6.3

+ +

None.

+
+
+ +

Security Fixes

+ +

9.6.2-P3

+ +
  • + Adding a NO DATA signed negative response to cache failed to clear + any matching RRSIG records already in cache. A subsequent lookup + of the cached NO DATA entry could crash named (INSIST) when the + unexpected RRSIG was also returned with the NO DATA cache entry. + [RT #22288] [CVE-2010-3613] [VU#706148] +
  • + BIND, acting as a DNSSEC validator, was determining if the NS RRset + is insecure based on a value that could mean either that the RRset + is actually insecure or that there wasn't a matching key for the RRSIG + in the DNSKEY RRset when resuming from validating the DNSKEY RRset. + This can happen when in the middle of a DNSKEY algorithm rollover, + when two different algorithms were used to sign a zone but only the + new set of keys are in the zone DNSKEY RRset. + [RT #22309] [CVE-2010-3614] [VU#837744] +
+
+
+ +

Bug Fixes

+ +

9.6.3

+ +
  • + BIND now builds with threads disabled in versions of NetBSD earlier + than 5.0 and with pthreads enabled by default in NetBSD versions 5.0 + and higher. Also removes support for unproven-pthreads, mit-pthreads + and ptl2. [RT #19203] +
  • + HPUX now correctly defaults to using /dev/poll, which should + increase performance. [RT #21919] +
  • + If named is running as a threaded application, after an "rndc stop" + command has been issued, other inbound TCP requests can cause named + to hang and never complete shutdown. [RT #22108] +
  • + When performing a GSS-TSIG signed dynamic zone update, memory could be + leaked. This causes an unclean shutdown and may affect long-running + servers. [RT #22573] +
  • + A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows + for a TCP DoS attack. Until there is a kernel fix, ISC is disabling + SO_ACCEPTFILTER support in BIND. [RT #22589] +
  • + Corrected a defect where a combination of dynamic updates and zone + transfers incorrectly locked the in-memory zone database, causing + named to freeze. [RT #22614] +
  • + Don't run MX checks (check-mx) when the MX record points to ".". + [RT #22645] +
  • + DST key reference counts can now be incremented via dst_key_attach. + [RT #22672] +
  • + isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy attr. [RT #22766] +
  • + The Kerberos realm was being truncated when being pulled from the + the host prinicipal, make krb5-self updates fail. [RT #22770] +
  • + named failed to preserve the case of domain names in RDATA which is not compressible when writing master files. [RT #22863] +
  • +There was a bug in how the clients-per-query code worked with some +query patterns. This could result, in rare circumstances, in having all +the client query slots filled with queries for the same DNS label, +essentially ignoring the max-clients-per-query setting. +[RT #22972] +
+
+

9.6.2-P3

+ +
  • + Worked around a race condition in the cache database memory + handling. Without this fix a DNS cache DB or ADB could + incorrectly stay in an over memory state, effectively refusing + further caching, which subsequently made a BIND 9 caching + server unworkable. + [RT #21818] +
  • + Microsoft changed the behavior of sockets between NT/XP based + stacks vs Vista/windows7 stacks. Server 2003/2008 have the older + behavior, 2008r2 has the new behavior. With the change, different + error results are possible, so ISC adapted BIND to handle the new + error results. + This resolves an issue where sockets would shut down on + Windows servers causing named to stop responding to queries. + [RT #21906] +
  • + Windows has non-POSIX compliant behavior in its rename() and unlink() + calls. This caused journal compaction to fail on Windows BIND servers + with the log error: "dns_journal_compact failed: failure". + [RT #22434] +
+ +
+
+ +

Thank You

+ +

+ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to make + quality open source software, please visit our donations page at + http://www.isc.org/supportisc. +

+
+
Copied: head/contrib/bind9/RELEASE-NOTES-BIND-9.6.3.pdf (from r218352, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6.3.pdf) ============================================================================== Binary file (source and/or target). No diff available. Copied: head/contrib/bind9/RELEASE-NOTES-BIND-9.6.3.txt (from r218352, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6.3.txt) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/contrib/bind9/RELEASE-NOTES-BIND-9.6.3.txt Sun Feb 6 22:46:07 2011 (r218384, copy of r218352, vendor/bind9/dist/RELEASE-NOTES-BIND-9.6.3.txt) 
@@ -0,0 +1,118 @@ + __________________________________________________________________ + +Introduction + + BIND 9.6.3 is the current release of BIND 9.6. + + This document summarizes changes from BIND 9.6.2-P2 to BIND 9.6.3. + Please see the CHANGES file in the source code release for a complete + list of all changes. + +Download + + The latest development version of BIND 9 software can always be found + on our web site at http://www.isc.org/downloads/development. There you + will find additional information about each release, source code, and + some pre-compiled versions for certain operating systems. + +Support + + Product support information is available on + http://www.isc.org/services/support for paid support options. Free + support is provided by our user community via a mailing list. + Information on all public email lists is available at + https://lists.isc.org/mailman/listinfo. + +New Features + +9.6.3 + + None. + +Feature Changes + +9.6.3 + + None. + +Security Fixes + +9.6.2-P3 + + * Adding a NO DATA signed negative response to cache failed to clear + any matching RRSIG records already in cache. A subsequent lookup of + the cached NO DATA entry could crash named (INSIST) when the + unexpected RRSIG was also returned with the NO DATA cache entry. + [RT #22288] [CVE-2010-3613] [VU#706148] + * BIND, acting as a DNSSEC validator, was determining if the NS RRset + is insecure based on a value that could mean either that the RRset + is actually insecure or that there wasn't a matching key for the + RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY + RRset. This can happen when in the middle of a DNSKEY algorithm + rollover, when two different algorithms were used to sign a zone + but only the new set of keys are in the zone DNSKEY RRset. 
[RT + #22309] [CVE-2010-3614] [VU#837744] + +Bug Fixes + +9.6.3 + + * BIND now builds with threads disabled in versions of NetBSD earlier + than 5.0 and with pthreads enabled by default in NetBSD versions + 5.0 and higher. Also removes support for unproven-pthreads, + mit-pthreads and ptl2. [RT #19203] + * HPUX now correctly defaults to using /dev/poll, which should + increase performance. [RT #21919] + * If named is running as a threaded application, after an "rndc stop" + command has been issued, other inbound TCP requests can cause named + to hang and never complete shutdown. [RT #22108] + * When performing a GSS-TSIG signed dynamic zone update, memory could + be leaked. This causes an unclean shutdown and may affect + long-running servers. [RT #22573] + * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled + allows for a TCP DoS attack. Until there is a kernel fix, ISC is + disabling SO_ACCEPTFILTER support in BIND. [RT #22589] + * Corrected a defect where a combination of dynamic updates and zone + transfers incorrectly locked the in-memory zone database, causing + named to freeze. [RT #22614] + * Don't run MX checks (check-mx) when the MX record points to ".". + [RT #22645] + * DST key reference counts can now be incremented via dst_key_attach. + [RT #22672] + * isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy + attr. [RT #22766] + * The Kerberos realm was being truncated when being pulled from the + the host prinicipal, make krb5-self updates fail. [RT #22770] + * named failed to preserve the case of domain names in RDATA which is + not compressible when writing master files. [RT #22863] + * There was a bug in how the clients-per-query code worked with some + query patterns. This could result, in rare circumstances, in having + all the client query slots filled with queries for the same DNS + label, essentially ignoring the max-clients-per-query setting. 
[RT + #22972] + +9.6.2-P3 + + * Worked around a race condition in the cache database memory + handling. Without this fix a DNS cache DB or ADB could incorrectly + stay in an over memory state, effectively refusing further caching, + which subsequently made a BIND 9 caching server unworkable. [RT + #21818] + * Microsoft changed the behavior of sockets between NT/XP based + stacks vs Vista/windows7 stacks. Server 2003/2008 have the older + behavior, 2008r2 has the new behavior. With the change, different + error results are possible, so ISC adapted BIND to handle the new + error results. This resolves an issue where sockets would shut down + on Windows servers causing named to stop responding to queries. [RT + #21906] + * Windows has non-POSIX compliant behavior in its rename() and + unlink() calls. This caused journal compaction to fail on Windows + BIND servers with the log error: "dns_journal_compact failed: + failure". [RT #22434] + +Thank You + + Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/supportisc. Modified: head/contrib/bind9/bin/check/check-tool.c ============================================================================== --- head/contrib/bind9/bin/check/check-tool.c Sun Feb 6 22:21:18 2011 (r218383) +++ head/contrib/bind9/bin/check/check-tool.c Sun Feb 6 22:46:07 2011 (r218384) @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.c,v 1.35.36.3.24.2 2010/09/07 23:46:25 tbox Exp $ */ +/* $Id: check-tool.c,v 1.35.36.5 2010-09-07 23:46:05 tbox Exp $ */ /*! \file */ Modified: head/contrib/bind9/bin/check/check-tool.h ============================================================================== --- head/contrib/bind9/bin/check/check-tool.h Sun Feb 6 22:21:18 2011 (r218383) +++ head/contrib/bind9/bin/check/check-tool.h Sun Feb 6 22:46:07 2011 (r218384) 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check-tool.h,v 1.14.628.2 2010/09/07 23:46:26 tbox Exp $ */ +/* $Id: check-tool.h,v 1.14.334.2 2010-09-07 23:46:05 tbox Exp $ */ #ifndef CHECK_TOOL_H #define CHECK_TOOL_H Modified: head/contrib/bind9/bin/check/named-checkconf.c ============================================================================== --- head/contrib/bind9/bin/check/named-checkconf.c Sun Feb 6 22:21:18 2011 (r218383) +++ head/contrib/bind9/bin/check/named-checkconf.c Sun Feb 6 22:46:07 2011 (r218384) @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkconf.c,v 1.46.222.2.24.2 2010/09/07 23:46:26 tbox Exp $ */ +/* $Id: named-checkconf.c,v 1.46.222.4 2010-09-07 23:46:05 tbox Exp $ */ /*! \file */ Modified: head/contrib/bind9/bin/check/named-checkzone.c ============================================================================== --- head/contrib/bind9/bin/check/named-checkzone.c Sun Feb 6 22:21:18 2011 (r218383) +++ head/contrib/bind9/bin/check/named-checkzone.c Sun Feb 6 22:46:07 2011 (r218384) @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkzone.c,v 1.51.34.4.10.2 2010/09/07 23:46:26 tbox Exp $ */ +/* $Id: named-checkzone.c,v 1.51.34.6 2010-09-07 23:46:06 tbox Exp $ */ /*! \file */ Modified: head/contrib/bind9/bin/dig/dig.c ============================================================================== --- head/contrib/bind9/bin/dig/dig.c Sun Feb 6 22:21:18 2011 (r218383) +++ head/contrib/bind9/bin/dig/dig.c Sun Feb 6 22:46:07 2011 (r218384) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.225.26.4 2009/05/06 10:18:33 fdupont Exp $ */ +/* $Id: dig.c,v 1.225.26.7 2010-05-13 00:43:37 marka Exp $ */ /*! \file */ @@ -306,6 +306,8 @@ say_message(dns_rdata_t *rdata, dig_quer ADD_STRING(buf, " "); } result = dns_rdata_totext(rdata, NULL, buf); + if (result == ISC_R_NOSPACE) + return (result); check_result(result, "dns_rdata_totext"); if (query->lookup->identify) { TIME_NOW(&now); @@ -328,10 +330,8 @@ short_answer(dns_message_t *msg, dns_mes { dns_name_t *name; dns_rdataset_t *rdataset; - isc_buffer_t target; isc_result_t result, loopresult; dns_name_t empty_name; - char t[4096]; dns_rdata_t rdata = DNS_RDATA_INIT; UNUSED(flags); @@ -347,8 +347,6 @@ short_answer(dns_message_t *msg, dns_mes name = NULL; dns_message_currentname(msg, DNS_SECTION_ANSWER, &name); - isc_buffer_init(&target, t, sizeof(t)); - for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { @@ -357,6 +355,8 @@ short_answer(dns_message_t *msg, dns_mes dns_rdataset_current(rdataset, &rdata); result = say_message(&rdata, query, buf); + if (result == ISC_R_NOSPACE) + return (result); check_result(result, "say_message"); loopresult = dns_rdataset_next(rdataset); dns_rdata_reset(&rdata); @@ -505,6 +505,8 @@ printmessage(dig_query_t *query, dns_mes printf(" ad"); if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) printf(" cd"); + if ((msg->flags & 0x0040U) != 0) + printf("; MBZ: 0x4"); printf("; QUERY: %u, ANSWER: %u, " "AUTHORITY: %u, ADDITIONAL: %u\n", Modified: head/contrib/bind9/bin/dig/dighost.c ============================================================================== --- head/contrib/bind9/bin/dig/dighost.c Sun Feb 6 22:21:18 2011 (r218383) +++ head/contrib/bind9/bin/dig/dighost.c Sun Feb 6 22:46:07 2011 (r218384) 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dighost.c,v 1.311.70.11 2009/11/10 17:27:13 each Exp $ */ +/* $Id: dighost.c,v 1.311.70.17 2010-12-09 01:12:54 marka Exp $ */ /*! \file * \note @@ -246,7 +246,7 @@ isc_result_t opentmpkey(isc_mem_t *mct char **tempp, FILE **fp); isc_result_t removetmpkey(isc_mem_t *mctx, const char *file); void clean_trustedkey(void); -void insert_trustedkey(dst_key_t * key); +void insert_trustedkey(dst_key_t **key); #if DIG_SIGCHASE_BU isc_result_t getneededrr(dns_message_t *msg); void sigchase_bottom_up(dns_message_t *msg); @@ -970,7 +970,6 @@ setup_file_key(void) { keynametext, isc_result_totext(result)); goto failure; } - dstkey = NULL; failure: if (dstkey != NULL) dst_key_free(&dstkey); @@ -990,12 +989,21 @@ make_searchlist_entry(char *domain) { } static void +clear_searchlist(void) { + dig_searchlist_t *search; + while ((search = ISC_LIST_HEAD(search_list)) != NULL) { + ISC_LIST_UNLINK(search_list, search, link); + isc_mem_free(mctx, search); + } +} + +static void create_search_list(lwres_conf_t *confdata) { int i; dig_searchlist_t *search; debug("create_search_list()"); - ISC_LIST_INIT(search_list); + clear_searchlist(); for (i = 0; i < confdata->searchnxt; i++) { search = make_searchlist_entry(confdata->search[i]); @@ -1038,7 +1046,7 @@ setup_system(void) { else { /* No search list. Use the domain name if any */ if (lwconf->domainname != NULL) { domain = make_searchlist_entry(lwconf->domainname); - ISC_LIST_INITANDAPPEND(search_list, domain, link); + ISC_LIST_APPEND(search_list, domain, link); domain = NULL; } } 
@@ -1093,15 +1101,6 @@ setup_system(void) { } -static void -clear_searchlist(void) { - dig_searchlist_t *search; - while ((search = ISC_LIST_HEAD(search_list)) != NULL) { - ISC_LIST_UNLINK(search_list, search, link); - isc_mem_free(mctx, search); - } -} - /*% * Override the search list derived from resolv.conf by 'domain'. */ @@ -1201,14 +1200,15 @@ add_opt(dns_message_t *msg, isc_uint16_t if (dnssec) rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO; if (nsid) { - unsigned char data[4]; - isc_buffer_t buf; + isc_buffer_t *b = NULL; - isc_buffer_init(&buf, data, sizeof(data)); - isc_buffer_putuint16(&buf, DNS_OPT_NSID); - isc_buffer_putuint16(&buf, 0); - rdata->data = data; - rdata->length = sizeof(data); + result = isc_buffer_allocate(mctx, &b, 4); + check_result(result, "isc_buffer_allocate"); + isc_buffer_putuint16(b, DNS_OPT_NSID); + isc_buffer_putuint16(b, 0); + rdata->data = isc_buffer_base(b); + rdata->length = isc_buffer_usedlength(b); + dns_message_takebuffer(msg, &b); } else { rdata->data = NULL; rdata->length = 0; @@ -2218,6 +2218,15 @@ force_timeout(dig_lookup_t *l, dig_query isc_result_totext(ISC_R_NOMEMORY)); } isc_task_send(global_task, &event); + + /* + * The timer may have expired if, for example, get_address() takes + * long time and the timer was running on a different thread. + * We need to cancel the possible timeout event not to confuse + * ourselves due to the duplicate events. + */ + if (l->timer != NULL) + isc_timer_detach(&l->timer); } @@ -2241,7 +2250,7 @@ send_tcp_connect(dig_query_t *query) { query->waiting_connect = ISC_TRUE; query->lookup->current_query = query; result = get_address(query->servname, port, &query->sockaddr); - if (result == ISC_R_NOTFOUND) { + if (result != ISC_R_SUCCESS) { /* * This servname doesn't have an address. Try the next server * by triggering an immediate 'timeout' (we lie, but the effect 
@@ -2323,7 +2332,7 @@ send_udp(dig_query_t *query) { /* XXX Check the sense of this, need assertion? */ query->waiting_connect = ISC_FALSE; result = get_address(query->servname, port, &query->sockaddr); - if (result == ISC_R_NOTFOUND) { + if (result != ISC_R_SUCCESS) { /* This servname doesn't have an address. */ force_timeout(l, query); return; @@ -3858,14 +3867,15 @@ sigchase_scanname(dns_rdatatype_t type, } void -insert_trustedkey(dst_key_t * key) +insert_trustedkey(dst_key_t **keyp) { - if (key == NULL) + if (*keyp == NULL) return; if (tk_list.nb_tk >= MAX_TRUSTED_KEY) return; - tk_list.key[tk_list.nb_tk++] = key; + tk_list.key[tk_list.nb_tk++] = *keyp; + *keyp = NULL; return; } @@ -4039,11 +4049,12 @@ get_trusted_key(isc_mem_t *mctx) fclose(fp); return (ISC_R_FAILURE); } - insert_trustedkey(key); #if 0 dst_key_tofile(key, DST_TYPE_PUBLIC,"/tmp"); #endif - key = NULL; + insert_trustedkey(&key); + if (key != NULL) + dst_key_free(&key); } return (ISC_R_SUCCESS); } Modified: head/contrib/bind9/bin/dig/host.c ============================================================================== --- head/contrib/bind9/bin/dig/host.c Sun Feb 6 22:21:18 2011 (r218383) +++ head/contrib/bind9/bin/dig/host.c Sun Feb 6 22:46:07 2011 (r218384) @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: host.c,v 1.116.216.3.10.2 2010/10/19 23:46:25 tbox Exp $ */ +/* $Id: host.c,v 1.116.216.5 2010-10-19 23:45:58 tbox Exp $ */ /*! \file */ Modified: head/contrib/bind9/bin/dig/nslookup.1 ============================================================================== --- head/contrib/bind9/bin/dig/nslookup.1 Sun Feb 6 22:21:18 2011 (r218383) +++ head/contrib/bind9/bin/dig/nslookup.1 Sun Feb 6 22:46:07 2011 (r218384) 
@@ -1,4 +1,4 @@ -.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -12,7 +12,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: nslookup.1,v 1.14.354.1 2009/07/11 01:55:20 tbox Exp $ +.\" $Id: nslookup.1,v 1.14.354.2 2010-02-23 01:56:02 tbox Exp $ .\" .hy 0 .ad l @@ -54,7 +54,13 @@ when the first argument is a hyphen (\-) Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server. .PP Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type: -.sp .RS 4 .nf nslookup \-query=hinfo \-timeout=10 .fi .RE +.sp +.RS 4 +.nf +nslookup \-query=hinfo \-timeout=10 +.fi +.RE +.sp .SH "INTERACTIVE COMMANDS" .PP \fBhost\fR [server] @@ -248,5 +254,5 @@ Try the next nameserver if a nameserver .PP Andrew Cherenson .SH "COPYRIGHT" -Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004\-2007, 2010 Internet Systems Consortium, Inc. ("ISC") .br Modified: head/contrib/bind9/bin/dig/nslookup.docbook ============================================================================== --- head/contrib/bind9/bin/dig/nslookup.docbook Sun Feb 6 22:21:18 2011 (r218383) +++ head/contrib/bind9/bin/dig/nslookup.docbook Sun Feb 6 22:46:07 2011 (r218384) @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []> - +
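Review bot: in say_message() in dig.c (hunk at -306), ISC_R_NOSPACE is now returned to the caller instead of going through check_result(), but nothing documents what state buf is left in. The ADD_STRING(buf, " ") just above may already have written to buf, and dns_rdata_totext() may have written part of a record before running out of room, so a caller that retries with a larger buffer has to discard the partial contents first. The same return is propagated out of the rdataset loop in short_answer() (hunk at -357). Please add a comment on both functions saying that ISC_R_NOSPACE is a recoverable result and that buf must be treated as partially filled when it is returned.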
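Review bot: in printmessage() in dig.c (hunk at -505), the new flag test uses the bare mask 0x0040U while the neighbouring tests use named constants such as DNS_MESSAGEFLAG_CD, and the text printed is "MBZ: 0x4", which does not match the mask as written. A named constant for the bit, plus a short comment explaining why the printed value is 0x4 rather than 0x40, would save the next reader from suspecting a typo.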
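Review bot: in create_search_list() in dighost.c (hunk at -990), ISC_LIST_INIT(search_list) is replaced by clear_searchlist(), and in setup_system() ISC_LIST_INITANDAPPEND becomes ISC_LIST_APPEND, so no visible line initialises search_list any more. clear_searchlist() walks the list with ISC_LIST_HEAD and ISC_LIST_UNLINK, which is only safe if the list head was set up before the first call. These hunks do not show where that now happens; please point to the initialisation, or add one at startup, and note in clear_searchlist() that it expects an initialised list.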
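Review bot: in setup_file_key() in dighost.c (hunk at -970), dropping `dstkey = NULL;` means the `failure:` label now frees the key on the success path as well, which is only correct if the code that consumed dstkey earlier kept its own reference or copy. That code is outside the hunk, so please confirm it, and consider renaming the label to something like `cleanup` since it is no longer failure-only.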
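Review bot: in add_opt() in dighost.c (hunk at -1201), the reason for switching from the block-local `unsigned char data[4]` to isc_buffer_allocate() followed by dns_message_takebuffer(msg, &b) is not recorded anywhere in the code. The old version left rdata->data pointing at storage that goes out of scope when the `if (nsid)` block ends, and the new version ties the buffer's lifetime to msg; a one-line comment saying so would stop someone from simplifying it back to a stack array. The literal 4 could also be written as the size of the two isc_buffer_putuint16() fields it holds.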
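Review bot: in force_timeout() in dighost.c (hunk at -2218), the timer is detached only after isc_task_send(global_task, &event) has queued the forced timeout, and the new comment itself says a real expiry may already have fired on another thread. Detaching l->timer prevents later expiries, but nothing in the hunk shows what happens to a timeout event that was posted before the detach. Please state in the comment whether the detach also discards such an event or whether the timeout handler is expected to tolerate the duplicate.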
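Review bot: in send_tcp_connect() (hunk at -2241) and send_udp() (hunk at -2323) in dighost.c, the test is widened from `result == ISC_R_NOTFOUND` to `result != ISC_R_SUCCESS`, but the comments under it still read "This servname doesn't have an address", which is now only one of the possible causes. Please update both comments, and consider reporting isc_result_totext(result) before calling force_timeout() so that a resolver or memory failure is not presented to the user as a plain timeout.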
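Review bot: in insert_trustedkey() in dighost.c (hunk at -3858), the ownership contract is implicit and the prototype and definition disagree on the parameter name (`dst_key_t **key` in the declaration near line 246, `dst_key_t **keyp` in the definition). The function takes the key and sets *keyp to NULL on success, but leaves it untouched when tk_list.nb_tk >= MAX_TRUSTED_KEY, and the caller in get_trusted_key() relies on that to decide whether to call dst_key_free(). A short comment stating this contract, a matching parameter name, and a warning when the table is full (the key is currently dropped silently) would make the behaviour clear. The function also dereferences keyp without checking keyp itself.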