From owner-svn-src-all@freebsd.org  Wed Dec 16 13:56:44 2015
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 135E6A49D35;
 Wed, 16 Dec 2015 13:56:44 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id C79B31133;
 Wed, 16 Dec 2015 13:56:43 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id tBG6A7vW094132;
 Wed, 16 Dec 2015 06:10:07 GMT (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id tBG6A5ER094107;
 Wed, 16 Dec 2015 06:10:05 GMT (envelope-from delphij@FreeBSD.org)
Message-Id: <201512160610.tBG6A5ER094107@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: delphij set sender to
 delphij@FreeBSD.org using -f
From: Xin LI <delphij@FreeBSD.org>
Date: Wed, 16 Dec 2015 06:10:05 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject: svn commit: r292320 - in stable/9/contrib/bind9: . doc/arm lib/dns
 lib/dns/include/dns lib/lwres/man
X-SVN-Group: stable-9
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 13:56:44 -0000

Author: delphij
Date: Wed Dec 16 06:10:05 2015
New Revision: 292320
URL: https://svnweb.freebsd.org/changeset/base/292320

Log:
  MFV r292314:
  
  Update BIND to 9.9.8-P2.
  
  See release notes for notable changes:
  https://kb.isc.org/article/AA-01326
  
  Note this is a direct commit to stable/9 as BIND is no longer in head.

Modified:
  stable/9/contrib/bind9/CHANGES
  stable/9/contrib/bind9/README
  stable/9/contrib/bind9/configure.in
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.html
  stable/9/contrib/bind9/doc/arm/Bv9ARM.pdf
  stable/9/contrib/bind9/doc/arm/man.arpaname.html
  stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html
  stable/9/contrib/bind9/doc/arm/man.dig.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-keygen.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-revoke.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-settime.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-signzone.html
  stable/9/contrib/bind9/doc/arm/man.dnssec-verify.html
  stable/9/contrib/bind9/doc/arm/man.genrandom.html
  stable/9/contrib/bind9/doc/arm/man.host.html
  stable/9/contrib/bind9/doc/arm/man.isc-hmac-fixup.html
  stable/9/contrib/bind9/doc/arm/man.named-checkconf.html
  stable/9/contrib/bind9/doc/arm/man.named-checkzone.html
  stable/9/contrib/bind9/doc/arm/man.named-journalprint.html
  stable/9/contrib/bind9/doc/arm/man.named.html
  stable/9/contrib/bind9/doc/arm/man.nsec3hash.html
  stable/9/contrib/bind9/doc/arm/man.nsupdate.html
  stable/9/contrib/bind9/doc/arm/man.rndc-confgen.html
  stable/9/contrib/bind9/doc/arm/man.rndc.conf.html
  stable/9/contrib/bind9/doc/arm/man.rndc.html
  stable/9/contrib/bind9/doc/arm/notes.html
  stable/9/contrib/bind9/doc/arm/notes.pdf
  stable/9/contrib/bind9/doc/arm/notes.xml
  stable/9/contrib/bind9/lib/dns/api
  stable/9/contrib/bind9/lib/dns/include/dns/message.h
  stable/9/contrib/bind9/lib/dns/message.c
  stable/9/contrib/bind9/lib/dns/opensslrsa_link.c
  stable/9/contrib/bind9/lib/dns/resolver.c
  stable/9/contrib/bind9/lib/dns/rootns.c
  stable/9/contrib/bind9/lib/dns/xfrin.c
  stable/9/contrib/bind9/lib/lwres/man/lwres.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_buffer.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_config.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_context.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_gabn.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_gethostent.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_getipnode.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_gnba.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_inetntop.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_noop.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_packet.html
  stable/9/contrib/bind9/lib/lwres/man/lwres_resutil.html
  stable/9/contrib/bind9/version
Directory Properties:
  stable/9/contrib/bind9/   (props changed)

Modified: stable/9/contrib/bind9/CHANGES
==============================================================================
--- stable/9/contrib/bind9/CHANGES	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/CHANGES	Wed Dec 16 06:10:05 2015	(r292320)
@@ -1,3 +1,21 @@
+	--- 9.9.8-P2 released ---
+
+4270.	[security]	Update allowed OpenSSL versions as named is
+			potentially vulnerable to CVE-2015-3193.
+
+4261.	[maint]		H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53.
+			[RT #40556]
+
+4260.	[security]	Insufficient testing when parsing a message allowed
+			records with an incorrect class to be be accepted,
+			triggering a REQUIRE failure when those records
+			were subsequently cached. (CVE-2015-8000) [RT #40987]
+
+4253.	[security]	Address fetch context reference count handling error
+			on socket error. (CVE-2015-8461) [RT#40945]
+
+	--- 9.9.8-P1 (withdrawn) ---
+
 	--- 9.9.8 released ---
 
 	--- 9.9.8rc1 released ---

Modified: stable/9/contrib/bind9/README
==============================================================================
--- stable/9/contrib/bind9/README	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/README	Wed Dec 16 06:10:05 2015	(r292320)
@@ -51,6 +51,17 @@ BIND 9
 	For up-to-date release notes and errata, see
 	http://www.isc.org/software/bind9/releasenotes
 
+BIND 9.9.8-P2
+
+	BIND 9.9.8-P2 is a security release addressing the flaws
+	described in CVE-2015-3193 (OpenSSL), CVE-2015-8000 and
+	CVE-2015-8461.
+
+BIND 9.9.8-P1
+
+	BIND 9.9.8-P1 was incomplete and was withdrawn prior to
+	publication.
+
 BIND 9.9.8
 
 	BIND 9.9.8 is a maintenance release and addresses bugs

Modified: stable/9/contrib/bind9/configure.in
==============================================================================
--- stable/9/contrib/bind9/configure.in	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/configure.in	Wed Dec 16 06:10:05 2015	(r292320)
@@ -810,12 +810,17 @@ yes|'')
 int main() {
 	if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
 	     OPENSSL_VERSION_NUMBER < 0x00908000L) ||
-	     OPENSSL_VERSION_NUMBER >= 0x0090804fL)
+	     (OPENSSL_VERSION_NUMBER >= 0x0090804fL &&
+	     OPENSSL_VERSION_NUMBER < 0x10002000L) ||
+	     OPENSSL_VERSION_NUMBER >= 0x1000205fL)
 		return (0);
 	printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
 		OPENSSL_VERSION_NUMBER);
 	printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
-	       "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
+	       "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n"
+	       "Require OPENSSL_VERSION_NUMBER 0x1000000f or greater (1.0.0)\n"
+	       "Require OPENSSL_VERSION_NUMBER 0x1000100f or greater (1.0.1)\n"
+	       "Require OPENSSL_VERSION_NUMBER 0x1000205f or greater (1.0.2e)\n\n");
 	return (1);
 }
 		],
@@ -4282,15 +4287,16 @@ WARNING         Your OpenSSL crypto libr
 WARNING         one or more of the the following known security         WARNING
 WARNING         flaws:                                                  WARNING
 WARNING                                                                 WARNING
-WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and         WARNING
-WARNING         CVE-2006-2940.                                          WARNING
+WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937,            WARNING
+WARNING         CVE-2006-2940 and CVE-2015-3193.                        WARNING
 WARNING                                                                 WARNING
 WARNING         It is recommended that you upgrade to OpenSSL           WARNING
-WARNING         version 0.9.8d/0.9.7l (or greater).                     WARNING
+WARNING         version 1.0.2e/1.0.1/1.0.0/0.9.9/0.9.8d/0.9.7l          WARNING
+WARNING         (or greater).                                           WARNING
 WARNING                                                                 WARNING
 WARNING         You can disable this warning by specifying:             WARNING
 WARNING                                                                 WARNING
-WARNING               --disable-openssl-version-check          	        WARNING
+WARNING               --disable-openssl-version-check                   WARNING
 WARNING                                                                 WARNING
 WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -556,6 +556,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -154,6 +154,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -665,6 +665,6 @@ controls {
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -1935,6 +1935,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -139,6 +139,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -12177,6 +12177,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -247,6 +247,6 @@ zone "example.com" {
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -135,6 +135,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -45,7 +45,7 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2563593">Release Notes for BIND Version 9.9.8</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2563593">Release Notes for BIND Version 9.9.8-P2</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
@@ -60,13 +60,19 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2563593"></a>Release Notes for BIND Version 9.9.8</h2></div></div></div>
+<a name="id2563593"></a>Release Notes for BIND Version 9.9.8-P2</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
 <p>
-      This document summarizes changes since the last production release
-      of BIND on the corresponding major release branch.
+      This document summarizes changes since BIND 9.9.8:
+    </p>
+<p>
+      BIND 9.9.8-P2 addresses security issues described in CVE-2015-3193
+      (OpenSSL), CVE-2015-8000 and CVE-2015-8461.
+    </p>
+<p>
+      BIND 9.9.8-P1 was incomplete and was withdrawn prior to publication.
     </p>
 </div>
 <div class="sect2" lang="en">
@@ -85,161 +91,39 @@
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul type="disc">
 <li><p>
-	  An incorrect boundary check in the OPENPGPKEY rdatatype
-	  could trigger an assertion failure. This flaw is disclosed
-	  in CVE-2015-5986. [RT #40286]
+	  Named is potentially vulnerable to the OpenSSL vulnerabilty
+	  described in CVE-2015-3193.
 	</p></li>
-<li>
-<p>
-	  A buffer accounting error could trigger an assertion failure
-	  when parsing certain malformed DNSSEC keys.
-	</p>
-<p>
-	  This flaw was discovered by Hanno B&#50102;ck of the Fuzzing
-	  Project, and is disclosed in CVE-2015-5722. [RT #40212]
-	</p>
-</li>
-<li>
-<p>
-	  A specially crafted query could trigger an assertion failure
-	  in message.c.
-	</p>
-<p>
-	  This flaw was discovered by Jonathan Foote, and is disclosed
-	  in CVE-2015-5477. [RT #40046]
-	</p>
-</li>
-<li>
-<p>
-	  On servers configured to perform DNSSEC validation, an
-	  assertion failure could be triggered on answers from
-	  a specially configured server.
-	</p>
-<p>
-	  This flaw was discovered by Breno Silveira Soares, and is
-	  disclosed in CVE-2015-4620. [RT #39795]
-	</p>
-</li>
-</ul></div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
-<div class="itemizedlist"><ul type="disc">
-<li>
-<p>
-	  New quotas have been added to limit the queries that are
-	  sent by recursive resolvers to authoritative servers
-	  experiencing denial-of-service attacks. When configured,
-	  these options can both reduce the harm done to authoritative
-	  servers and also avoid the resource exhaustion that can be
-	  experienced by recursives when they are being used as a
-	  vehicle for such an attack.
-	</p>
-<p>
-	  NOTE: These options are not available by default; use
-	  <span><strong class="command">configure --enable-fetchlimit</strong></span> to include
-	  them in the build.
-	</p>
-<div class="itemizedlist"><ul type="circle">
 <li><p>
-	      <code class="option">fetches-per-server</code> limits the number of
-	      simultaneous queries that can be sent to any single
-	      authoritative server.  The configured value is a starting
-	      point; it is automatically adjusted downward if the server is
-	      partially or completely non-responsive. The algorithm used to
-	      adjust the quota can be configured via the
-	      <code class="option">fetch-quota-params</code> option.
-	    </p></li>
-<li><p>
-	      <code class="option">fetches-per-zone</code> limits the number of
-	      simultaneous queries that can be sent for names within a
-	      single domain.  (Note: Unlike "fetches-per-server", this
-	      value is not self-tuning.)
-	    </p></li>
-</ul></div>
-<p>
-	  Statistics counters have also been added to track the number
-	  of queries affected by these quotas.
-	</p>
-</li>
-<li><p>
-	  An <span><strong class="command">--enable-querytrace</strong></span> configure switch is
-	  now available to enable very verbose query tracelogging. This
-	  option can only be set at compile time. This option has a
-	  negative performance impact and should be used only for
-	  debugging.
+	  Incorrect reference counting could result in an INSIST
+	  failure if a socket error occurred while performing a
+	  lookup.  This flaw is disclosed in CVE-2015-8461. [RT#40945]
 	</p></li>
 <li><p>
-	  EDNS COOKIE options content is now displayed as
-	  "COOKIE: &lt;hexvalue&gt;".
+	  Insufficient testing when parsing a message allowed
+	  records with an incorrect class to be be accepted,
+	  triggering a REQUIRE failure when those records
+	  were subsequently cached.  This flaw is disclosed
+	  in CVE-2015-8000. [RT #40987]
 	</p></li>
 </ul></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_features"></a>New Features</h3></div></div></div>
+<div class="itemizedlist"><ul type="disc"><li><p>None</p></li></ul></div>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-<div class="itemizedlist"><ul type="disc">
-<li><p>
-	  Large inline-signing changes should be less disruptive.
-	  Signature generation is now done incrementally; the number
-	  of signatures to be generated in each quantum is controlled
-	  by "sig-signing-signatures <em class="replaceable"><code>number</code></em>;".
-	  [RT #37927]
-	</p></li>
-<li><p>
-	  Retrieving the local port range from net.ipv4.ip_local_port_range
-	  on Linux is now supported.
-	</p></li>
-<li><p>
-	  Active Directory names of the form gc._msdcs.&lt;forest&gt; are
-	  now accepted as valid hostnames when using the
-	  <code class="option">check-names</code> option. &lt;forest&gt; is still
-	  restricted to letters, digits and hyphens.
-	</p></li>
-<li><p>
-	  Names containing rich text are now accepted as valid
-	  hostnames in PTR records in DNS-SD reverse lookup zones,
-	  as specified in RFC 6763. [RT #37889]
-	</p></li>
-</ul></div>
+<div class="itemizedlist"><ul type="disc"><li><p>
+	  Updated the compiled in addresses for H.ROOT-SERVERS.NET.
+	</p></li></ul></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
-<div class="itemizedlist"><ul type="disc">
-<li><p>
-	  Asynchronous zone loads were not handled correctly when the
-	  zone load was already in progress; this could trigger a crash
-	  in zt.c. [RT #37573]
-	</p></li>
-<li><p>
-	  A race during shutdown or reconfiguration could
-	  cause an assertion failure in mem.c. [RT #38979]
-	</p></li>
-<li><p>
-	  Some answer formatting options didn't work correctly with
-	  <span><strong class="command">dig +short</strong></span>. [RT #39291]
-	</p></li>
-<li><p>
-	  Malformed records of some types, including NSAP and UNSPEC,
-	  could trigger assertion failures when loading text zone files.
-	  [RT #40274] [RT #40285]
-	</p></li>
-<li><p>
-	  Fixed a possible crash in ratelimiter.c caused by NOTIFY
-	  messages being removed from the wrong rate limiter queue.
-	  [RT #40350]
-	</p></li>
-<li><p>
-	  The default <code class="option">rrset-order</code> of <code class="literal">random</code>
-	  was inconsistently applied. [RT #40456]
-	</p></li>
-<li><p>
-	  BADVERS responses from broken authoritative name servers were
-	  not handled correctly. [RT #40427]
-	</p></li>
-</ul></div>
+<div class="itemizedlist"><ul type="disc"><li><p>None</p></li></ul></div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
@@ -279,6 +163,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -163,6 +163,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -514,6 +514,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -47,13 +47,13 @@
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612691">Prerequisite</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612700">Compilation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611701">Installation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611732">Known Defects/Restrictions</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611877">The dns.conf File</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611904">Sample Applications</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612808">Library References</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612350">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611541">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611565">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611596">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611673">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611700">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612673">Library References</a></span></dt>
 </dl></dd>
 </dl>
 </div>
@@ -89,7 +89,7 @@
 </ul></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2612691"></a>Prerequisite</h3></div></div></div>
+<a name="id2612350"></a>Prerequisite</h3></div></div></div>
 <p>GNU make is required to build the export libraries (other
   part of BIND 9 can still be built with other types of make). In
   the reminder of this document, "make" means GNU make. Note that
@@ -98,7 +98,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2612700"></a>Compilation</h3></div></div></div>
+<a name="id2611541"></a>Compilation</h3></div></div></div>
 <pre class="screen">
 $ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags]</code></em></code></strong>
 $ <strong class="userinput"><code>make</code></strong>
@@ -113,7 +113,7 @@ $ <strong class="userinput"><code>make</
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2611701"></a>Installation</h3></div></div></div>
+<a name="id2611565"></a>Installation</h3></div></div></div>
 <pre class="screen">
 $ <strong class="userinput"><code>cd lib/export</code></strong>
 $ <strong class="userinput"><code>make install</code></strong>
@@ -135,7 +135,7 @@ $ <strong class="userinput"><code>make i
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2611732"></a>Known Defects/Restrictions</h3></div></div></div>
+<a name="id2611596"></a>Known Defects/Restrictions</h3></div></div></div>
 <div class="itemizedlist"><ul type="disc">
 <li><p>Currently, win32 is not supported for the export
       library. (Normal BIND 9 application can be built as
@@ -175,7 +175,7 @@ $ <strong class="userinput"><code>make</
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2611877"></a>The dns.conf File</h3></div></div></div>
+<a name="id2611673"></a>The dns.conf File</h3></div></div></div>
 <p>The IRS library supports an "advanced" configuration file
   related to the DNS library for configuration parameters that
   would be beyond the capability of the
@@ -193,14 +193,14 @@ $ <strong class="userinput"><code>make</
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2611904"></a>Sample Applications</h3></div></div></div>
+<a name="id2611700"></a>Sample Applications</h3></div></div></div>
 <p>Some sample application programs using this API are
   provided for reference. The following is a brief description of
   these applications.
   </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2611912"></a>sample: a simple stub resolver utility</h4></div></div></div>
+<a name="id2611708"></a>sample: a simple stub resolver utility</h4></div></div></div>
 <p>
   It sends a query of a given name (of a given optional RR type) to a
   specified recursive server, and prints the result as a list of
@@ -264,7 +264,7 @@ $ <strong class="userinput"><code>make</
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2612003"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
+<a name="id2611867"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
 <p>
   Similar to "sample", but accepts a list
   of (query) domain names as a separate file and resolves the names
@@ -305,7 +305,7 @@ $ <strong class="userinput"><code>make</
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2612056"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
+<a name="id2611921"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
 <p>
   It sends a query to a specified server, and
   prints the response with minimal processing. It doesn't act as a
@@ -346,7 +346,7 @@ $ <strong class="userinput"><code>make</
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2612325"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
+<a name="id2611985"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
 <p>
   This is a test program
   to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -363,7 +363,7 @@ $ <strong class="userinput"><code>make</
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2612340"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
+<a name="id2612000"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
 <p>
   It accepts a single update command as a
   command-line argument, sends an update request message to the
@@ -458,7 +458,7 @@ $ <strong class="userinput"><code>sample
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2612471"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
+<a name="id2612131"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
 <p>
   It checks a set
   of domains to see the name servers of the domains behave
@@ -515,7 +515,7 @@ $ <strong class="userinput"><code>sample
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2612808"></a>Library References</h3></div></div></div>
+<a name="id2612673"></a>Library References</h3></div></div></div>
 <p>As of this writing, there is no formal "manual" of the
   libraries, except this document, header files (some of them
   provide pretty detailed explanations), and sample application
@@ -540,6 +540,6 @@ $ <strong class="userinput"><code>sample
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -140,6 +140,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -41,7 +41,7 @@
 <div>
 <div><h1 class="title">
 <a name="id2563180"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.9.8</p></div>
+<div><p class="releaseinfo">BIND Version 9.9.8-P2</p></div>
 <div><p class="copyright">Copyright © 2004-2015 Internet Systems Consortium, Inc. ("ISC")</p></div>
 <div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
 </div>
@@ -234,7 +234,7 @@
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2563593">Release Notes for BIND Version 9.9.8</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2563593">Release Notes for BIND Version 9.9.8-P2</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
@@ -262,13 +262,13 @@
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch12.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612691">Prerequisite</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612700">Compilation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611701">Installation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611732">Known Defects/Restrictions</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611877">The dns.conf File</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611904">Sample Applications</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612808">Library References</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612350">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611541">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611565">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611596">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611673">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2611700">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch12.html#id2612673">Library References</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="reference"><a href="Bv9ARM.ch13.html">I. Manual pages</a></span></dt>
@@ -365,6 +365,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.pdf
==============================================================================
Binary file (source and/or target). No diff available.

Modified: stable/9/contrib/bind9/doc/arm/man.arpaname.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.arpaname.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/man.arpaname.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -50,20 +50,20 @@
 <div class="cmdsynopsis"><p><code class="command">arpaname</code>  {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2622539"></a><h2>DESCRIPTION</h2>
+<a name="id2621516"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2622554"></a><h2>SEE ALSO</h2>
+<a name="id2621531"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2622568"></a><h2>AUTHOR</h2>
+<a name="id2621545"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
@@ -87,6 +87,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">ddns-confgen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em>  |   -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2656557"></a><h2>DESCRIPTION</h2>
+<a name="id2656558"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">ddns-confgen</strong></span>
       generates a key for use by <span><strong class="command">nsupdate</strong></span>
       and <span><strong class="command">named</strong></span>.  It simplifies configuration
@@ -77,7 +77,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2656645"></a><h2>OPTIONS</h2>
+<a name="id2656646"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd><p>
@@ -144,7 +144,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2657528"></a><h2>SEE ALSO</h2>
+<a name="id2656915"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -152,7 +152,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2657566"></a><h2>AUTHOR</h2>
+<a name="id2656953"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
@@ -176,6 +176,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/man.dig.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.dig.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/man.dig.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -52,7 +52,7 @@
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613208"></a><h2>DESCRIPTION</h2>
+<a name="id2612595"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dig</strong></span>
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -99,7 +99,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613310"></a><h2>SIMPLE USAGE</h2>
+<a name="id2612834"></a><h2>SIMPLE USAGE</h2>
 <p>
       A typical invocation of <span><strong class="command">dig</strong></span> looks like:
       </p>
@@ -152,7 +152,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613641"></a><h2>OPTIONS</h2>
+<a name="id2613164"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-4</span></dt>
 <dd><p>
@@ -280,7 +280,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665766"></a><h2>QUERY OPTIONS</h2>
+<a name="id2665699"></a><h2>QUERY OPTIONS</h2>
 <p><span><strong class="command">dig</strong></span>
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -649,7 +649,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2666982"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2666846"></a><h2>MULTIPLE QUERIES</h2>
 <p>
       The BIND 9 implementation of <span><strong class="command">dig </strong></span>
       supports
@@ -695,7 +695,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2667067"></a><h2>IDN SUPPORT</h2>
+<a name="id2667000"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -709,14 +709,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2667096"></a><h2>FILES</h2>
+<a name="id2667029"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 <p><code class="filename">${HOME}/.digrc</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2667117"></a><h2>SEE ALSO</h2>
+<a name="id2667118"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -724,7 +724,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2667155"></a><h2>BUGS</h2>
+<a name="id2667156"></a><h2>BUGS</h2>
 <p>
       There are probably too many query options.
     </p>
@@ -747,6 +747,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -51,7 +51,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614811"></a><h2>DESCRIPTION</h2>
+<a name="id2614266"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-checkds</strong></span>
       verifies the correctness of Delegation Signer (DS) or DNSSEC
       Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614825"></a><h2>OPTIONS</h2>
+<a name="id2614280"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 <dd><p>
@@ -88,14 +88,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614996"></a><h2>SEE ALSO</h2>
+<a name="id2614382"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615713"></a><h2>AUTHOR</h2>
+<a name="id2614417"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
@@ -118,6 +118,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-coverage</code>  [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>DNSKEY TTL</code></em></code>] [<code class="option">-m <em class="replaceable"><code>max TTL</code></em></code>] [<code class="option">-r <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-c <em class="replaceable"><code>compilezone path</code></em></code>] [zone]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615805"></a><h2>DESCRIPTION</h2>
+<a name="id2614782"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-coverage</strong></span>
       verifies that the DNSSEC keys for a given zone or a set of zones
       have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615832"></a><h2>OPTIONS</h2>
+<a name="id2614809"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 <dd><p>
@@ -168,7 +168,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2616151"></a><h2>SEE ALSO</h2>
+<a name="id2615879"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">dnssec-checkds</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
@@ -177,7 +177,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2616195"></a><h2>AUTHOR</h2>
+<a name="id2616264"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
@@ -201,6 +201,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -52,14 +52,14 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2616643"></a><h2>DESCRIPTION</h2>
+<a name="id2616576"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-dsfromkey</strong></span>
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2616657"></a><h2>OPTIONS</h2>
+<a name="id2616589"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-1</span></dt>
 <dd><p>
@@ -150,7 +150,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617410"></a><h2>EXAMPLE</h2>
+<a name="id2617274"></a><h2>EXAMPLE</h2>
 <p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -165,7 +165,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617446"></a><h2>FILES</h2>
+<a name="id2617310"></a><h2>FILES</h2>
 <p>
       The keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -179,13 +179,13 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618580"></a><h2>CAVEAT</h2>
+<a name="id2618649"></a><h2>CAVEAT</h2>
 <p>
       A keyfile error can give a "file not found" even if the file exists.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618589"></a><h2>SEE ALSO</h2>
+<a name="id2618659"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -195,7 +195,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2618629"></a><h2>AUTHOR</h2>
+<a name="id2618698"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
@@ -219,6 +219,6 @@
 </tr>
 </table>
 </div>
-<p style="text-align: center;">BIND 9.9.8 (Extended Support Version)</p>
+<p style="text-align: center;">BIND 9.9.8-P2 (Extended Support Version)</p>
 </body>
 </html>

Modified: stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html	Wed Dec 16 05:44:53 2015	(r292319)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html	Wed Dec 16 06:10:05 2015	(r292320)
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code cl
 ass="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617876"></a><h2>DESCRIPTION</h2>
+<a name="id2617877"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keyfromlabel</strong></span>
       generates a key pair of files that referencing a key object stored
       in a cryptographic hardware service module (HSM).  The private key
@@ -66,7 +66,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617901"></a><h2>OPTIONS</h2>
+<a name="id2617902"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
@@ -209,7 +209,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2620171"></a><h2>TIMING OPTIONS</h2>
+<a name="id2620377"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -281,7 +281,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2671220"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2670948"></a><h2>GENERATED KEY FILES</h2>
 <p>
       When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
       successfully,
@@ -320,7 +320,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2671314"></a><h2>SEE ALSO</h2>
+<a name="id2671110"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -328,7 +328,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2671347"></a><h2>AUTHOR</h2>
+<a name="id2671143"></a><h2>AUTHOR</h2>

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***