Date: Fri, 7 Dec 2012 12:39:59 +0000 (UTC)
From: Erwin Lansing <erwin@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r243981 - in head: contrib/bind9 contrib/bind9/bin contrib/bind9/bin/check contrib/bind9/bin/confgen contrib/bind9/bin/confgen/unix contrib/bind9/bin/dig contrib/bind9/bin/dnssec contri...
Message-ID: <201212071239.qB7CdxKQ095115@svn.freebsd.org>
Author: erwin
Date: Fri Dec 7 12:39:58 2012
New Revision: 243981
URL: http://svnweb.freebsd.org/changeset/base/243981

Log:
  Update to 9.8.4-P1.

  Security Fixes

    Prevents named from aborting with a require assertion failure
    on servers with DNS64 enabled. These crashes might occur as a
    result of specific queries that are received.

  New Features

  * Elliptic Curve Digital Signature Algorithm keys and signatures in
    DNSSEC are now supported per RFC 6605. [RT #21918]

  Feature Changes

  * Improves OpenSSL error logging [RT #29932]

  * nslookup now returns a nonzero exit code when it is unable to get
    an answer. [RT #29492]

  Other critical bug fixes are included.

  Approved by: delphij (mentor)
  MFC after: 3 days
  Security: CVE-2012-5688
  Sponsored by: DK Hostmaster A/S

Added: head/contrib/bind9/lib/dns/opensslecdsa_link.c - copied unchanged from r243890, vendor/bind9/dist/lib/dns/opensslecdsa_link.c

Modified: head/contrib/bind9/CHANGES head/contrib/bind9/Makefile.in head/contrib/bind9/README head/contrib/bind9/acconfig.h head/contrib/bind9/bin/Makefile.in head/contrib/bind9/bin/check/Makefile.in head/contrib/bind9/bin/check/check-tool.c head/contrib/bind9/bin/confgen/Makefile.in head/contrib/bind9/bin/confgen/unix/Makefile.in head/contrib/bind9/bin/dig/Makefile.in head/contrib/bind9/bin/dig/nslookup.c head/contrib/bind9/bin/dnssec/Makefile.in head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html head/contrib/bind9/bin/dnssec/dnssec-keygen.8 head/contrib/bind9/bin/dnssec/dnssec-keygen.c head/contrib/bind9/bin/dnssec/dnssec-keygen.docbook head/contrib/bind9/bin/dnssec/dnssec-keygen.html
head/contrib/bind9/bin/dnssec/dnssec-settime.c head/contrib/bind9/bin/dnssec/dnssec-signzone.c head/contrib/bind9/bin/named/Makefile.in head/contrib/bind9/bin/named/builtin.c head/contrib/bind9/bin/named/config.c head/contrib/bind9/bin/named/controlconf.c head/contrib/bind9/bin/named/convertxsl.pl head/contrib/bind9/bin/named/query.c head/contrib/bind9/bin/named/server.c head/contrib/bind9/bin/named/statschannel.c head/contrib/bind9/bin/named/unix/Makefile.in head/contrib/bind9/bin/nsupdate/Makefile.in head/contrib/bind9/bin/nsupdate/nsupdate.c head/contrib/bind9/bin/rndc/Makefile.in head/contrib/bind9/bin/tools/Makefile.in head/contrib/bind9/config.h.in head/contrib/bind9/configure.in head/contrib/bind9/doc/Makefile.in head/contrib/bind9/doc/arm/Bv9ARM-book.xml head/contrib/bind9/doc/arm/Bv9ARM.ch04.html head/contrib/bind9/doc/arm/Bv9ARM.ch06.html head/contrib/bind9/doc/arm/Bv9ARM.ch07.html head/contrib/bind9/doc/arm/Bv9ARM.ch08.html head/contrib/bind9/doc/arm/Bv9ARM.ch09.html head/contrib/bind9/doc/arm/Bv9ARM.html head/contrib/bind9/doc/arm/Bv9ARM.pdf head/contrib/bind9/doc/arm/Makefile.in head/contrib/bind9/doc/arm/man.arpaname.html head/contrib/bind9/doc/arm/man.ddns-confgen.html head/contrib/bind9/doc/arm/man.dig.html head/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html head/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html head/contrib/bind9/doc/arm/man.dnssec-keygen.html head/contrib/bind9/doc/arm/man.dnssec-revoke.html head/contrib/bind9/doc/arm/man.dnssec-settime.html head/contrib/bind9/doc/arm/man.dnssec-signzone.html head/contrib/bind9/doc/arm/man.genrandom.html head/contrib/bind9/doc/arm/man.host.html head/contrib/bind9/doc/arm/man.isc-hmac-fixup.html head/contrib/bind9/doc/arm/man.named-checkconf.html head/contrib/bind9/doc/arm/man.named-checkzone.html head/contrib/bind9/doc/arm/man.named-journalprint.html head/contrib/bind9/doc/arm/man.named.html head/contrib/bind9/doc/arm/man.nsec3hash.html head/contrib/bind9/doc/arm/man.nsupdate.html 
head/contrib/bind9/doc/arm/man.rndc-confgen.html head/contrib/bind9/doc/arm/man.rndc.conf.html head/contrib/bind9/doc/arm/man.rndc.html head/contrib/bind9/doc/misc/Makefile.in head/contrib/bind9/doc/misc/format-options.pl head/contrib/bind9/doc/misc/options head/contrib/bind9/doc/misc/sort-options.pl head/contrib/bind9/isc-config.sh.in head/contrib/bind9/lib/Makefile.in head/contrib/bind9/lib/bind9/Makefile.in head/contrib/bind9/lib/bind9/api head/contrib/bind9/lib/bind9/check.c head/contrib/bind9/lib/bind9/include/Makefile.in head/contrib/bind9/lib/bind9/include/bind9/Makefile.in head/contrib/bind9/lib/dns/Makefile.in head/contrib/bind9/lib/dns/adb.c head/contrib/bind9/lib/dns/api head/contrib/bind9/lib/dns/db.c head/contrib/bind9/lib/dns/dnssec.c head/contrib/bind9/lib/dns/ds.c head/contrib/bind9/lib/dns/dst_api.c head/contrib/bind9/lib/dns/dst_internal.h head/contrib/bind9/lib/dns/dst_openssl.h head/contrib/bind9/lib/dns/dst_parse.c head/contrib/bind9/lib/dns/dst_parse.h head/contrib/bind9/lib/dns/dst_result.c head/contrib/bind9/lib/dns/include/Makefile.in head/contrib/bind9/lib/dns/include/dns/db.h head/contrib/bind9/lib/dns/include/dns/dnssec.h head/contrib/bind9/lib/dns/include/dns/ds.h head/contrib/bind9/lib/dns/include/dns/iptable.h head/contrib/bind9/lib/dns/include/dns/keyvalues.h head/contrib/bind9/lib/dns/include/dns/log.h head/contrib/bind9/lib/dns/include/dns/rdataset.h head/contrib/bind9/lib/dns/include/dns/rpz.h head/contrib/bind9/lib/dns/include/dns/stats.h head/contrib/bind9/lib/dns/include/dns/view.h head/contrib/bind9/lib/dns/include/dns/zone.h head/contrib/bind9/lib/dns/include/dst/Makefile.in head/contrib/bind9/lib/dns/include/dst/dst.h head/contrib/bind9/lib/dns/include/dst/result.h head/contrib/bind9/lib/dns/log.c head/contrib/bind9/lib/dns/master.c head/contrib/bind9/lib/dns/masterdump.c head/contrib/bind9/lib/dns/openssl_link.c head/contrib/bind9/lib/dns/openssldh_link.c head/contrib/bind9/lib/dns/openssldsa_link.c 
head/contrib/bind9/lib/dns/opensslgost_link.c head/contrib/bind9/lib/dns/opensslrsa_link.c head/contrib/bind9/lib/dns/rbtdb.c head/contrib/bind9/lib/dns/rcode.c head/contrib/bind9/lib/dns/rdata.c head/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c head/contrib/bind9/lib/dns/rdata/generic/ds_43.c head/contrib/bind9/lib/dns/rdataset.c head/contrib/bind9/lib/dns/resolver.c head/contrib/bind9/lib/dns/rpz.c head/contrib/bind9/lib/dns/spnego_asn1.pl head/contrib/bind9/lib/dns/validator.c head/contrib/bind9/lib/dns/view.c head/contrib/bind9/lib/dns/zone.c head/contrib/bind9/lib/export/Makefile.in head/contrib/bind9/lib/export/dns/Makefile.in head/contrib/bind9/lib/export/dns/include/Makefile.in head/contrib/bind9/lib/export/dns/include/dns/Makefile.in head/contrib/bind9/lib/export/dns/include/dst/Makefile.in head/contrib/bind9/lib/export/irs/include/irs/Makefile.in head/contrib/bind9/lib/export/isc/Makefile.in head/contrib/bind9/lib/export/isc/include/isc/Makefile.in head/contrib/bind9/lib/export/isc/nls/Makefile.in head/contrib/bind9/lib/export/isc/nothreads/Makefile.in head/contrib/bind9/lib/export/isc/nothreads/include/isc/Makefile.in head/contrib/bind9/lib/export/isc/pthreads/Makefile.in head/contrib/bind9/lib/export/isc/pthreads/include/isc/Makefile.in head/contrib/bind9/lib/export/isc/unix/Makefile.in head/contrib/bind9/lib/export/isc/unix/include/isc/Makefile.in head/contrib/bind9/lib/export/isccfg/include/isccfg/Makefile.in head/contrib/bind9/lib/export/samples/Makefile-postinstall.in head/contrib/bind9/lib/export/samples/Makefile.in head/contrib/bind9/lib/irs/Makefile.in head/contrib/bind9/lib/irs/include/Makefile.in head/contrib/bind9/lib/irs/include/irs/Makefile.in head/contrib/bind9/lib/isc/alpha/Makefile.in head/contrib/bind9/lib/isc/alpha/include/Makefile.in head/contrib/bind9/lib/isc/alpha/include/isc/Makefile.in head/contrib/bind9/lib/isc/api head/contrib/bind9/lib/isc/ia64/Makefile.in head/contrib/bind9/lib/isc/ia64/include/Makefile.in 
head/contrib/bind9/lib/isc/ia64/include/isc/Makefile.in head/contrib/bind9/lib/isc/ia64/include/isc/atomic.h head/contrib/bind9/lib/isc/include/Makefile.in head/contrib/bind9/lib/isc/include/isc/file.h head/contrib/bind9/lib/isc/include/isc/namespace.h head/contrib/bind9/lib/isc/include/isc/task.h head/contrib/bind9/lib/isc/mem.c head/contrib/bind9/lib/isc/mips/Makefile.in head/contrib/bind9/lib/isc/mips/include/Makefile.in head/contrib/bind9/lib/isc/mips/include/isc/Makefile.in head/contrib/bind9/lib/isc/nls/Makefile.in head/contrib/bind9/lib/isc/noatomic/Makefile.in head/contrib/bind9/lib/isc/noatomic/include/Makefile.in head/contrib/bind9/lib/isc/noatomic/include/isc/Makefile.in head/contrib/bind9/lib/isc/nothreads/Makefile.in head/contrib/bind9/lib/isc/nothreads/include/Makefile.in head/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in head/contrib/bind9/lib/isc/powerpc/Makefile.in head/contrib/bind9/lib/isc/powerpc/include/Makefile.in head/contrib/bind9/lib/isc/powerpc/include/isc/Makefile.in head/contrib/bind9/lib/isc/pthreads/Makefile.in head/contrib/bind9/lib/isc/pthreads/condition.c head/contrib/bind9/lib/isc/pthreads/include/Makefile.in head/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in head/contrib/bind9/lib/isc/sparc64/Makefile.in head/contrib/bind9/lib/isc/sparc64/include/Makefile.in head/contrib/bind9/lib/isc/sparc64/include/isc/Makefile.in head/contrib/bind9/lib/isc/task.c head/contrib/bind9/lib/isc/task_api.c head/contrib/bind9/lib/isc/unix/Makefile.in head/contrib/bind9/lib/isc/unix/file.c head/contrib/bind9/lib/isc/unix/include/Makefile.in head/contrib/bind9/lib/isc/unix/include/isc/Makefile.in head/contrib/bind9/lib/isc/x86_32/Makefile.in head/contrib/bind9/lib/isc/x86_32/include/Makefile.in head/contrib/bind9/lib/isc/x86_32/include/isc/Makefile.in head/contrib/bind9/lib/isc/x86_64/Makefile.in head/contrib/bind9/lib/isc/x86_64/include/Makefile.in head/contrib/bind9/lib/isc/x86_64/include/isc/Makefile.in 
head/contrib/bind9/lib/isccc/api head/contrib/bind9/lib/isccc/cc.c head/contrib/bind9/lib/isccc/include/Makefile.in head/contrib/bind9/lib/isccc/include/isccc/Makefile.in head/contrib/bind9/lib/isccfg/api head/contrib/bind9/lib/isccfg/include/Makefile.in head/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in head/contrib/bind9/lib/isccfg/namedconf.c head/contrib/bind9/lib/lwres/Makefile.in head/contrib/bind9/lib/lwres/api head/contrib/bind9/lib/lwres/getaddrinfo.c head/contrib/bind9/lib/lwres/include/Makefile.in head/contrib/bind9/lib/lwres/include/lwres/Makefile.in head/contrib/bind9/lib/lwres/man/Makefile.in head/contrib/bind9/make/rules.in head/contrib/bind9/version head/lib/bind/config.h head/lib/bind/config.mk head/lib/bind/dns/Makefile head/lib/bind/isc/isc/platform.h Directory Properties: head/contrib/bind9/ (props changed) Modified: head/contrib/bind9/CHANGES ============================================================================== --- head/contrib/bind9/CHANGES Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/CHANGES Fri Dec 7 12:39:58 2012 (r243981) 
@@ -1,15 +1,81 @@ - --- 9.8.3-P4 released --- + --- 9.8.4-P1 released --- + +3407. [security] Named could die on specific queries with dns64 enabled. + [Addressed in change #3388 for BIND 9.8.5 and 9.9.3.] + + --- 9.8.4 released --- 3383. [security] A certain combination of records in the RBT could cause named to hang while populating the additional section of a response. [RT #31090] - --- 9.8.3-P3 released --- +3373. [bug] win32: open raw files in binary mode. [RT #30944] 3364. [security] Named could die on specially crafted record. [RT #30416] - --- 9.8.3-P2 released --- + --- 9.8.4rc1 released --- + +3369. [bug] nsupdate terminated unexpectedly in interactive mode + if built with readline support. [RT #29550] + +3368. [bug] <dns/iptable.h> and <dns/zone.h> were not C++ safe. + +3367. [bug] dns_dnsseckey_create() result was not being checked. + [RT #30685] + +3366. [bug] Fixed Read-After-Write dependency violation for IA64 + atomic operations. [RT #25181] + +3365. [bug] Removed spurious newlines from log messages in + zone.c [RT #30675] + +3363. [bug] Need to allow "forward" and "fowarders" options + in static-stub zones; this had been overlooked. + [RT #30482] + +3362. [bug] Setting some option values to 0 in named.conf + could trigger an assertion failure on startup. + [RT #27730] + +3360. [bug] 'host -w' could die. [RT #18723] + +3359. [bug] An improperly-formed TSIG secret could cause a + memory leak. [RT #30607] + +3357. [port] Add support for libxml2-2.8.x [RT #30440] + +3356. [bug] Cap the TTL of signed RRsets when RRSIGs are + approaching their expiry, so they don't remain + in caches after expiry. [RT #26429] + + --- 9.8.4b1 released --- + +3354. [func] Improve OpenSSL error logging. [RT #29932] + +3353. [bug] Use a single task for task exclusive operations. + [RT #29872] + +3352. [bug] Ensure that learned server attributes timeout of the + adb cache. [RT #29856] + +3351. 
[bug] isc_mem_put and isc_mem_putanddetach didn't report + caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX + memory debugging flags are set. [RT #30243] + +3350. [bug] Memory read overrun in isc___mem_reallocate if + ISC_MEM_DEBUGCTX memory debugging flag is set. + [RT #30240] + +3348. [bug] Prevent RRSIG data from being cached if a negative + record matching the covering type exists at a higher + trust level. Such data already can't be retrieved from + the cache since change 3218 -- this prevents it + being inserted into the cache as well. [RT #26809] + +3347. [bug] dnssec-settime: Issue a warning when writing a new + private key file would cause a change in the + permissions of the existing file. [RT #27724] 3346. [security] Bad-cache data could be used before it was initialized, causing an assert. [RT #30025] 
@@ -18,11 +84,47 @@ resulting in excessive cpu usage in some cases. [RT #29952] - --- 9.8.3-P1 released --- +3337. [bug] Change #3294 broke support for the multiple keys + in controls. [RT #29694] + +3335. [func] nslookup: return a nonzero exit code when unable + to get an answer. [RT #29492] + +3333. [bug] Setting resolver-query-timeout too low can cause + named to not recover if it loses connectivity. + [RT #29623] + +3332. [bug] Re-use cached DS rrsets if possible. [RT #29446] 3331. [security] dns_rdataslab_fromrdataset could produce bad rdataslabs. [RT #29644] - + +3330. [func] Fix missing signatures on NOERROR results despite + RPZ rewriting. Also + - add optional "recursive-only yes|no" to the + response-policy statement + - add optional "max-policy-ttl" to the response-policy + statement to limit the false data that + "recursive-only no" can introduce into + resolvers' caches + - add a RPZ performance test to bin/tests/system/rpz + when queryperf is available. + - the encoding of PASSTHRU action to "rpz-passthru". + (The old encoding is still accepted.) + [RT #26172] + + +3329. [bug] Handle RRSIG signer-name case consistently: We + generate RRSIG records with the signer-name in + lower case. We accept them with any case, but if + they fail to validate, we try again in lower case. + [RT #27451] + +3328. [bug] Fixed inconsistent data checking in dst_parse.c. + [RT #29401] + +3317. [func] Add ECDSA support (RFC 6605). [RT #21918] + --- 9.8.3 released --- 3318. [tuning] Reduce the amount of work performed while holding a Modified: head/contrib/bind9/Makefile.in ============================================================================== --- head/contrib/bind9/Makefile.in Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/Makefile.in Fri Dec 7 12:39:58 2012 (r243981) 
@@ -1,4 +1,4 @@ -# Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any Modified: head/contrib/bind9/README ============================================================================== --- head/contrib/bind9/README Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/README Fri Dec 7 12:39:58 2012 (r243981) @@ -51,6 +51,11 @@ BIND 9 For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes +BIND 9.8.4 + + BIND 9.8.4 includes several bug fixes and patches security + flaws described in CVE-2012-1667, CVE-2012-3817 and CVE-2012-4244. + BIND 9.8.3 BIND 9.8.3 is a maintenance release. Modified: head/contrib/bind9/acconfig.h ============================================================================== --- head/contrib/bind9/acconfig.h Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/acconfig.h Fri Dec 7 12:39:58 2012 (r243981) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any 
@@ -138,6 +138,9 @@ int sigwait(const unsigned int *set, int /* Define if OpenSSL includes DSA support */ #undef HAVE_OPENSSL_DSA +/* Define if OpenSSL includes ECDSA support */ +#undef HAVE_OPENSSL_ECDSA + /* Define to the length type used by the socket API (socklen_t, size_t, int). */ #undef ISC_SOCKADDR_LEN_T Modified: head/contrib/bind9/bin/Makefile.in ============================================================================== --- head/contrib/bind9/bin/Makefile.in Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/Makefile.in Fri Dec 7 12:39:58 2012 (r243981) @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2001 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any Modified: head/contrib/bind9/bin/check/Makefile.in ============================================================================== --- head/contrib/bind9/bin/check/Makefile.in Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/check/Makefile.in Fri Dec 7 12:39:58 2012 (r243981) @@ -1,4 +1,4 @@ -# Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2003 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any Modified: head/contrib/bind9/bin/check/check-tool.c ============================================================================== --- head/contrib/bind9/bin/check/check-tool.c Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/check/check-tool.c Fri Dec 7 12:39:58 2012 (r243981) 
@@ -639,6 +639,9 @@ dump_zone(const char *zonename, dns_zone { isc_result_t result; FILE *output = stdout; + const char *flags; + + flags = (fileformat == dns_masterformat_text) ? "w+" : "wb+"; if (debug) { if (filename != NULL && strcmp(filename, "-") != 0) @@ -649,7 +652,7 @@ dump_zone(const char *zonename, dns_zone } if (filename != NULL && strcmp(filename, "-") != 0) { - result = isc_stdio_open(filename, "w+", &output); + result = isc_stdio_open(filename, flags, &output); if (result != ISC_R_SUCCESS) { fprintf(stderr, "could not open output " Modified: head/contrib/bind9/bin/confgen/Makefile.in ============================================================================== --- head/contrib/bind9/bin/confgen/Makefile.in Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/confgen/Makefile.in Fri Dec 7 12:39:58 2012 (r243981) @@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above Modified: head/contrib/bind9/bin/confgen/unix/Makefile.in ============================================================================== --- head/contrib/bind9/bin/confgen/unix/Makefile.in Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/confgen/unix/Makefile.in Fri Dec 7 12:39:58 2012 (r243981) 
@@ -1,4 +1,4 @@ -# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above Modified: head/contrib/bind9/bin/dig/Makefile.in ============================================================================== --- head/contrib/bind9/bin/dig/Makefile.in Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dig/Makefile.in Fri Dec 7 12:39:58 2012 (r243981) @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any Modified: head/contrib/bind9/bin/dig/nslookup.c ============================================================================== --- head/contrib/bind9/bin/dig/nslookup.c Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dig/nslookup.c Fri Dec 7 12:39:58 2012 (r243981) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -57,6 +57,7 @@ static isc_boolean_t in_use = ISC_FALSE; static char defclass[MXRD] = "IN"; static char deftype[MXRD] = "A"; static isc_event_t *global_event = NULL; +static int query_error = 1, print_error = 0; static char domainopt[DNS_NAME_MAXTEXT]; 
@@ -406,6 +407,9 @@ isc_result_t printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) { char servtext[ISC_SOCKADDR_FORMATSIZE]; + /* I've we've gotten this far, we've reached a server. */ + query_error = 0; + debug("printmessage()"); isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext)); @@ -433,6 +437,9 @@ printmessage(dig_query_t *query, dns_mes (msg->rcode != dns_rcode_nxdomain) ? nametext : query->lookup->textname, rcode_totext(msg->rcode)); debug("returning with rcode == 0"); + + /* the lookup failed */ + print_error |= 1; return (ISC_R_SUCCESS); } @@ -887,5 +894,5 @@ main(int argc, char **argv) { destroy_libs(); isc_app_finish(); - return (0); + return (query_error | print_error); } Modified: head/contrib/bind9/bin/dnssec/Makefile.in ============================================================================== --- head/contrib/bind9/bin/dnssec/Makefile.in Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/Makefile.in Fri Dec 7 12:39:58 2012 (r243981) @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 2000-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any Modified: head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 Fri Dec 7 12:39:58 2012 (r243981) @@ -1,4 +1,4 @@ -.\" Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2008-2010, 2012 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
@@ -55,7 +55,7 @@ Use SHA\-256 as the digest algorithm. .RS 4 Select the digest algorithm. The value of \fBalgorithm\fR -must be one of SHA\-1 (SHA1), SHA\-256 (SHA256) or GOST. These values are case insensitive. +must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384). These values are case insensitive. .RE .PP \-K \fIdirectory\fR @@ -139,5 +139,5 @@ RFC 4509. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2008\-2010 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2008\-2010, 2012 Internet Systems Consortium, Inc. ("ISC") .br Modified: head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c Fri Dec 7 12:39:58 2012 (r243981) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -296,7 +296,7 @@ usage(void) { fprintf(stderr, " -K <directory>: directory in which to find " "key file or keyset file\n"); fprintf(stderr, " -a algorithm: digest algorithm " - "(SHA-1, SHA-256 or GOST)\n"); + "(SHA-1, SHA-256, GOST or SHA-384)\n"); fprintf(stderr, " -1: use SHA-1\n"); fprintf(stderr, " -2: use SHA-256\n"); fprintf(stderr, " -l: add lookaside zone and print DLV records\n"); 
@@ -415,6 +415,9 @@ main(int argc, char **argv) { else if (strcasecmp(algname, "GOST") == 0) dtype = DNS_DSDIGEST_GOST; #endif + else if (strcasecmp(algname, "SHA384") == 0 || + strcasecmp(algname, "SHA-384") == 0) + dtype = DNS_DSDIGEST_SHA384; else fatal("unknown algorithm %s", algname); } Modified: head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook Fri Dec 7 12:39:58 2012 (r243981) @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2008-2010, 2012 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -39,6 +39,7 @@ <year>2008</year> <year>2009</year> <year>2010</year> + <year>2012</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> </docinfo> @@ -107,7 +108,8 @@ <para> Select the digest algorithm. The value of <option>algorithm</option> must be one of SHA-1 (SHA1), - SHA-256 (SHA256) or GOST. These values are case insensitive. + SHA-256 (SHA256), GOST or SHA-384 (SHA384). + These values are case insensitive. </para> </listitem> </varlistentry> Modified: head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html Fri Dec 7 12:39:58 2012 (r243981) 
@@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2008-2010, 2012 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -32,14 +32,14 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543465"></a><h2>DESCRIPTION</h2> +<a name="id2543468"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-dsfromkey</strong></span> outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s). </p> </div> <div class="refsect1" lang="en"> -<a name="id2543477"></a><h2>OPTIONS</h2> +<a name="id2543480"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-1</span></dt> <dd><p> @@ -54,7 +54,8 @@ <dd><p> Select the digest algorithm. The value of <code class="option">algorithm</code> must be one of SHA-1 (SHA1), - SHA-256 (SHA256) or GOST. These values are case insensitive. + SHA-256 (SHA256), GOST or SHA-384 (SHA384). + These values are case insensitive. </p></dd> <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt> <dd><p> 
@@ -100,7 +101,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2543664"></a><h2>EXAMPLE</h2> +<a name="id2543667"></a><h2>EXAMPLE</h2> <p> To build the SHA-256 DS RR from the <strong class="userinput"><code>Kexample.com.+003+26160</code></strong> @@ -115,7 +116,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543693"></a><h2>FILES</h2> +<a name="id2543697"></a><h2>FILES</h2> <p> The keyfile can be designed by the key identification <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name @@ -129,13 +130,13 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543729"></a><h2>CAVEAT</h2> +<a name="id2543732"></a><h2>CAVEAT</h2> <p> A keyfile error can give a "file not found" even if the file exists. </p> </div> <div class="refsect1" lang="en"> -<a name="id2543738"></a><h2>SEE ALSO</h2> +<a name="id2543741"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, @@ -145,7 +146,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543778"></a><h2>AUTHOR</h2> +<a name="id2543781"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> Modified: head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 Fri Dec 7 12:39:58 2012 (r243981) @@ -1,4 +1,4 @@ -.\" Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC") .\" .\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
@@ -47,7 +47,7 @@ of the key is specified on the command l .RS 4 Selects the cryptographic algorithm. The value of \fBalgorithm\fR -must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. These values are case insensitive. +must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive. .sp If no algorithm is specified, then RSASHA1 will be used by default, unless the \fB\-3\fR @@ -215,5 +215,5 @@ RFC 4034. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2008\-2011 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2008\-2012 Internet Systems Consortium, Inc. ("ISC") .br Modified: head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c Fri Dec 7 12:39:58 2012 (r243981) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2007-2012 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -55,7 +55,8 @@ int verbose; static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |" " NSEC3DSA | NSEC3RSASHA1 |" - " RSASHA256 | RSASHA512 | ECCGOST"; + " RSASHA256 | RSASHA512 | ECCGOST |" + " ECDSAP256SHA256 | ECDSAP384SHA384"; ISC_PLATFORM_NORETURN_PRE static void usage(void) ISC_PLATFORM_NORETURN_POST; 
@@ -369,7 +370,8 @@ main(int argc, char **argv) { if (use_nsec3 && alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 && alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 && - alg != DST_ALG_ECCGOST) { + alg != DST_ALG_ECCGOST && + alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) { fatal("%s is incompatible with NSEC3; " "do not use the -3 option", algname); } Modified: head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook Fri Dec 7 12:39:58 2012 (r243981) @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -40,6 +40,7 @@ <year>2009</year> <year>2010</year> <year>2011</year> + <year>2012</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> </docinfo> @@ -94,7 +95,8 @@ <para> Selects the cryptographic algorithm. The value of <option>algorithm</option> must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive. </para> <para> Modified: head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html Fri Dec 7 12:39:58 2012 (r243981) 
@@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above 
@@ -31,7 +31,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code cl ass="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543495"></a><h2>DESCRIPTION</h2> +<a name="id2543498"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-keyfromlabel</strong></span> gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 
@@ -44,14 +44,15 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543513"></a><h2>OPTIONS</h2> +<a name="id2543516"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> <p> Selects the cryptographic algorithm. The value of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive. </p> <p> @@ -163,7 +164,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2543877"></a><h2>TIMING OPTIONS</h2> +<a name="id2543880"></a><h2>TIMING OPTIONS</h2> <p> Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -210,7 +211,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2544043"></a><h2>GENERATED KEY FILES</h2> +<a name="id2544046"></a><h2>GENERATED KEY FILES</h2> <p> When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes successfully, @@ -249,7 +250,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544116"></a><h2>SEE ALSO</h2> +<a name="id2544119"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, 
@@ -257,7 +258,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544149"></a><h2>AUTHOR</h2> +<a name="id2544152"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> Modified: head/contrib/bind9/bin/dnssec/dnssec-keygen.8 ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-keygen.8 Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-keygen.8 Fri Dec 7 12:39:58 2012 (r243981) @@ -1,4 +1,4 @@ -.\" Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007-2010, 2012 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and/or distribute this software for any @@ -48,7 +48,7 @@ of the key is specified on the command l .RS 4 Selects the cryptographic algorithm. For DNSSEC keys, the value of \fBalgorithm\fR -must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive. +must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive. .sp If no algorithm is specified, then RSASHA1 will be used by default, unless the \fB\-3\fR 
@@ -63,7 +63,7 @@ Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 th .PP \-b \fIkeysize\fR .RS 4 -Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. +Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. Elliptic curve algorithms don't need this parameter. .sp The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with \fB\-f KSK\fR). However, if an algorithm is explicitly specified with the @@ -81,7 +81,7 @@ must either be ZONE (for a DNSSEC zone k .PP \-3 .RS 4 -Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms are NSEC3\-capable. +Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable. .RE .PP \-C 
@@ -298,7 +298,7 @@ RFC 4034. .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005, 2007\-2010 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007\-2010, 2012 Internet Systems Consortium, Inc. ("ISC") .br Copyright \(co 2000\-2003 Internet Software Consortium. .br Modified: head/contrib/bind9/bin/dnssec/dnssec-keygen.c ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-keygen.c Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-keygen.c Fri Dec 7 12:39:58 2012 (r243981) @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -85,6 +85,7 @@ usage(void) { fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1" " | NSEC3DSA |\n"); fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n"); + fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n"); fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | " "HMAC-SHA256 | \n"); fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n"); @@ -102,6 +103,8 @@ usage(void) { fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible " "by 64\n"); fprintf(stderr, " ECCGOST:\tignored\n"); + fprintf(stderr, " ECDSAP256SHA256:\tignored\n"); + fprintf(stderr, " ECDSAP384SHA384:\tignored\n"); fprintf(stderr, " HMAC-MD5:\t[1..512]\n"); fprintf(stderr, " HMAC-SHA1:\t[1..160]\n"); fprintf(stderr, " HMAC-SHA224:\t[1..224]\n"); 
@@ -549,7 +552,8 @@ main(int argc, char **argv) { if (use_nsec3 && alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 && alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 && - alg != DST_ALG_ECCGOST) { + alg != DST_ALG_ECCGOST && + alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) { fatal("%s is incompatible with NSEC3; " "do not use the -3 option", algname); } @@ -579,9 +583,11 @@ main(int argc, char **argv) { size = 1024; if (verbose > 0) fprintf(stderr, "key size not " - "specified; defaulting " - "to %d\n", size); - } else if (alg != DST_ALG_ECCGOST) + "specified; defaulting" + " to %d\n", size); + } else if (alg != DST_ALG_ECCGOST && + alg != DST_ALG_ECDSA256 && + alg != DST_ALG_ECDSA384) fatal("key size not specified (-b option)"); } @@ -710,6 +716,8 @@ main(int argc, char **argv) { fatal("invalid DSS key size: %d", size); break; case DST_ALG_ECCGOST: + case DST_ALG_ECDSA256: + case DST_ALG_ECDSA384: break; case DST_ALG_HMACMD5: options |= DST_TYPE_KEY; @@ -775,7 +783,8 @@ main(int argc, char **argv) { if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 || alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 || - alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST) && + alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST || + alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384) && rsa_exp != 0) fatal("specified RSA exponent for a non-RSA key"); @@ -849,6 +858,8 @@ main(int argc, char **argv) { case DNS_KEYALG_DSA: case DNS_KEYALG_NSEC3DSA: case DST_ALG_ECCGOST: + case DST_ALG_ECDSA256: + case DST_ALG_ECDSA384: show_progress = ISC_TRUE; /* fall through */ Modified: head/contrib/bind9/bin/dnssec/dnssec-keygen.docbook ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-keygen.docbook Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-keygen.docbook Fri Dec 7 12:39:58 2012 (r243981) 
@@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007-2010, 2012 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any @@ -43,6 +43,7 @@ <year>2008</year> <year>2009</year> <year>2010</year> + <year>2012</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -114,7 +115,8 @@ <para> Selects the cryptographic algorithm. For DNSSEC keys, the value of <option>algorithm</option> must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are @@ -148,7 +150,8 @@ between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be - between 1 and 512 bits. + between 1 and 512 bits. Elliptic curve algorithms don't need + this parameter. </para> <para> The key size does not need to be specified if using a default 
@@ -184,7 +187,8 @@ Use an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms + default. Note that RSASHA256, RSASHA512, ECCGOST, + ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3-capable. </para> </listitem> Modified: head/contrib/bind9/bin/dnssec/dnssec-keygen.html ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-keygen.html Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-keygen.html Fri Dec 7 12:39:58 2012 (r243981) @@ -1,5 +1,5 @@ <!-- - - Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007-2010, 2012 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any 
@@ -32,7 +32,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] 
[<code class=" option">-z</code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543579"></a><h2>DESCRIPTION</h2> +<a name="id2543582"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -46,14 +46,15 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543597"></a><h2>OPTIONS</h2> +<a name="id2543601"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> <p> Selects the cryptographic algorithm. For DNSSEC keys, the value of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, + ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are @@ -84,7 +85,8 @@ between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be - between 1 and 512 bits. + between 1 and 512 bits. Elliptic curve algorithms don't need + this parameter. </p> <p> The key size does not need to be specified if using a default @@ -111,7 +113,8 @@ Use an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by - default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms + default. Note that RSASHA256, RSASHA512, ECCGOST, + ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3-capable. </p></dd> <dt><span class="term">-C</span></dt> 
@@ -248,7 +251,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2544166"></a><h2>TIMING OPTIONS</h2> +<a name="id2544169"></a><h2>TIMING OPTIONS</h2> <p> Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -319,7 +322,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2544356"></a><h2>GENERATED KEYS</h2> +<a name="id2544359"></a><h2>GENERATED KEYS</h2> <p> When <span><strong class="command">dnssec-keygen</strong></span> completes successfully, @@ -365,7 +368,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544506"></a><h2>EXAMPLE</h2> +<a name="id2544441"></a><h2>EXAMPLE</h2> <p> To generate a 768-bit DSA key for the domain <strong class="userinput"><code>example.com</code></strong>, the following command would be @@ -386,7 +389,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544550"></a><h2>SEE ALSO</h2> +<a name="id2544485"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 2539</em>, @@ -395,7 +398,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2544581"></a><h2>AUTHOR</h2> +<a name="id2544584"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> Modified: head/contrib/bind9/bin/dnssec/dnssec-settime.c ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-settime.c Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-settime.c Fri Dec 7 12:39:58 2012 (r243981) 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -38,6 +38,7 @@ #include <dns/keyvalues.h> #include <dns/result.h> +#include <dns/log.h> #include <dst/dst.h> @@ -151,6 +152,7 @@ main(int argc, char **argv) { isc_boolean_t force = ISC_FALSE; isc_boolean_t epoch = ISC_FALSE; isc_boolean_t changed = ISC_FALSE; + isc_log_t *log = NULL; if (argc == 1) usage(); @@ -159,6 +161,8 @@ main(int argc, char **argv) { if (result != ISC_R_SUCCESS) fatal("Out of memory"); + setup_logging(verbose, mctx, &log); + dns_result_register(); isc_commandline_errprint = ISC_FALSE; @@ -578,6 +582,7 @@ main(int argc, char **argv) { cleanup_entropy(&ectx); if (verbose > 10) isc_mem_stats(mctx, stdout); + cleanup_logging(&log); isc_mem_free(mctx, directory); isc_mem_destroy(&mctx); Modified: head/contrib/bind9/bin/dnssec/dnssec-signzone.c ============================================================================== --- head/contrib/bind9/bin/dnssec/dnssec-signzone.c Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/dnssec/dnssec-signzone.c Fri Dec 7 12:39:58 2012 (r243981) 
@@ -3893,7 +3893,10 @@ main(int argc, char *argv[]) { check_result(result, "isc_file_mktemplate"); fp = NULL; - result = isc_file_openunique(tempfile, &fp); + if (outputformat == dns_masterformat_text) + result = isc_file_openunique(tempfile, &fp); + else + result = isc_file_bopenunique(tempfile, &fp); if (result != ISC_R_SUCCESS) fatal("failed to open temporary output file: %s", isc_result_totext(result)); Modified: head/contrib/bind9/bin/named/Makefile.in ============================================================================== --- head/contrib/bind9/bin/named/Makefile.in Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/named/Makefile.in Fri Dec 7 12:39:58 2012 (r243981) @@ -1,4 +1,4 @@ -# Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2002 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any Modified: head/contrib/bind9/bin/named/builtin.c ============================================================================== --- head/contrib/bind9/bin/named/builtin.c Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/named/builtin.c Fri Dec 7 12:39:58 2012 (r243981) @@ -99,9 +99,9 @@ static size_t dns64_rdata(unsigned char *v, size_t start, unsigned char *rdata) { size_t i, j = 0; - for (i = 0; i < 4; i++) { + for (i = 0; i < 4U; i++) { unsigned char c = v[start++]; - if (start == 7) + if (start == 7U) start++; if (c > 99) { rdata[j++] = 3; 
@@ -164,7 +164,7 @@ dns64_cname(const dns_name_t *zone, cons i = (nlen % 4) == 2U ? 1 : 0; j = nlen; memset(v, 0, sizeof(v)); - while (j != 0) { + while (j != 0U) { INSIST((i/2) < sizeof(v)); if (ndata[0] != 1) return (ISC_R_NOTFOUND); Modified: head/contrib/bind9/bin/named/config.c ============================================================================== --- head/contrib/bind9/bin/named/config.c Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/named/config.c Fri Dec 7 12:39:58 2012 (r243981) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -89,7 +89,7 @@ options {\n\ #endif "\ recursive-clients 1000;\n\ - resolver-query-timeout 30;\n\ + resolver-query-timeout 10;\n\ rrset-order {type NS order random; order cyclic; };\n\ serial-queries 20;\n\ serial-query-rate 20;\n\ Modified: head/contrib/bind9/bin/named/controlconf.c ============================================================================== --- head/contrib/bind9/bin/named/controlconf.c Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/named/controlconf.c Fri Dec 7 12:39:58 2012 (r243981) 
@@ -373,8 +373,10 @@ control_recvmessage(isc_task_t *task, is if (result == ISC_R_SUCCESS) break; isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret)); - log_invalid(&conn->ccmsg, result); - goto cleanup; + if (result != ISCCC_R_BADAUTH) { + log_invalid(&conn->ccmsg, result); + goto cleanup; + } } if (key == NULL) { Modified: head/contrib/bind9/bin/named/convertxsl.pl ============================================================================== --- head/contrib/bind9/bin/named/convertxsl.pl Fri Dec 7 08:25:08 2012 (r243980) +++ head/contrib/bind9/bin/named/convertxsl.pl Fri Dec 7 12:39:58 2012 (r243981) *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
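Review bot: in bin/named/controlconf.c, control_recvmessage(), a key that fails with ISCCC_R_BADAUTH now skips log_invalid() and moves on to the next key, so confirm that the `if (key == NULL)` path after the loop still logs the failure once every configured key has been rejected. Otherwise a failed control-channel authentication leaves no log entry. A one-line comment above `if (result != ISCCC_R_BADAUTH)` saying that BADAUTH means "try the next key" would make the intent clear.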
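Review bot: in bin/named/config.c the built-in default `resolver-query-timeout` drops from 30 to 10, which changes behaviour for every server that does not set the option, and the commit log does not mention it. Call it out in the log or the update notes so operators who relied on the longer default know to set the value explicitly.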
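Review bot: in bin/dnssec/dnssec-keygen.c, at the `rsa_exp != 0` check, DST_ALG_ECDSA256 and DST_ALG_ECDSA384 are added to the algorithms that bypass fatal("specified RSA exponent for a non-RSA key"), so a non-zero rsa_exp combined with an ECDSA algorithm is accepted silently instead of rejected. ECCGOST is already exempted the same way in the unchanged part of the condition; if the exemption is deliberate, a comment should say why, and if not, the ECDSA values should be left out of it. The expression also mixes DNS_KEYALG_* and DST_ALG_* names for the same `alg` variable, which is worth making consistent.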
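Review bot: the `use_nsec3` check in dnssec-keygen.c main() now enumerates seven NSEC3-capable algorithms, and the same chain of `alg != ...` comparisons is maintained separately in dnssec-keyfromlabel.c. The next algorithm added has to be remembered in both places, plus in the key-size and progress `switch` statements. Consider moving the "is NSEC3-capable" test into one shared helper so the two tools cannot drift apart.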
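Review bot: in bin/dnssec/dnssec-settime.c, cleanup_logging(&log) is placed after the `verbose > 10` call to isc_mem_stats(mctx, stdout), so whatever setup_logging() allocated from mctx is still live when the statistics are printed. Moving cleanup_logging(&log) above the stats dump would keep that output limited to allocations that are genuinely outstanding at exit.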
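Review bot: in dnssec-keygen.8 (and the docbook and HTML copies) the -b text says elliptic curve algorithms "don't need this parameter", while usage() in dnssec-keygen.c prints the key size for ECDSAP256SHA256 and ECDSAP384SHA384 as "ignored". The manual should state that -b is ignored for these algorithms, so a reader does not expect a supplied size to take effect.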
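Review bot: in bin/dnssec/dnssec-signzone.c the new `else` branch sends every output format other than dns_masterformat_text through isc_file_bopenunique(), with no comment on why the two open calls differ. A short comment that non-text output needs a binary-mode temporary file would document the reason and tell the next person adding an output format which branch it belongs in.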