From: Erwin Lansing
Date: Fri, 31 Jul 2015 07:03:07 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r286108 - in vendor/bind9/dist: . doc/arm lib/dns lib/lwres/man

Author: erwin
Date: Fri Jul 31 07:03:06 2015
New Revision: 286108
URL: https://svnweb.freebsd.org/changeset/base/286108

Log:
  Vendor import of BIND 9.9.7-P2

  Sponsored by: DK Hostmaster A/S

Modified:
  vendor/bind9/dist/CHANGES
  vendor/bind9/dist/README
  vendor/bind9/dist/doc/arm/Bv9ARM.ch01.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch02.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch03.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch04.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch05.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch06.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch07.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch08.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch09.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch10.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch11.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch12.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch13.html
  vendor/bind9/dist/doc/arm/Bv9ARM.html
  vendor/bind9/dist/doc/arm/Bv9ARM.pdf
  vendor/bind9/dist/doc/arm/man.arpaname.html
  vendor/bind9/dist/doc/arm/man.ddns-confgen.html
  vendor/bind9/dist/doc/arm/man.dig.html
  vendor/bind9/dist/doc/arm/man.dnssec-checkds.html
  vendor/bind9/dist/doc/arm/man.dnssec-coverage.html
  vendor/bind9/dist/doc/arm/man.dnssec-dsfromkey.html
  vendor/bind9/dist/doc/arm/man.dnssec-keyfromlabel.html
  vendor/bind9/dist/doc/arm/man.dnssec-keygen.html
  vendor/bind9/dist/doc/arm/man.dnssec-revoke.html
vendor/bind9/dist/doc/arm/man.dnssec-settime.html vendor/bind9/dist/doc/arm/man.dnssec-signzone.html vendor/bind9/dist/doc/arm/man.dnssec-verify.html vendor/bind9/dist/doc/arm/man.genrandom.html vendor/bind9/dist/doc/arm/man.host.html vendor/bind9/dist/doc/arm/man.isc-hmac-fixup.html vendor/bind9/dist/doc/arm/man.named-checkconf.html vendor/bind9/dist/doc/arm/man.named-checkzone.html vendor/bind9/dist/doc/arm/man.named-journalprint.html vendor/bind9/dist/doc/arm/man.named.html vendor/bind9/dist/doc/arm/man.nsec3hash.html vendor/bind9/dist/doc/arm/man.nsupdate.html vendor/bind9/dist/doc/arm/man.rndc-confgen.html vendor/bind9/dist/doc/arm/man.rndc.conf.html vendor/bind9/dist/doc/arm/man.rndc.html vendor/bind9/dist/doc/arm/notes.html vendor/bind9/dist/doc/arm/notes.pdf vendor/bind9/dist/doc/arm/notes.xml vendor/bind9/dist/lib/dns/api vendor/bind9/dist/lib/dns/tkey.c vendor/bind9/dist/lib/dns/validator.c vendor/bind9/dist/lib/lwres/man/lwres.html vendor/bind9/dist/lib/lwres/man/lwres_buffer.html vendor/bind9/dist/lib/lwres/man/lwres_config.html vendor/bind9/dist/lib/lwres/man/lwres_context.html vendor/bind9/dist/lib/lwres/man/lwres_gabn.html vendor/bind9/dist/lib/lwres/man/lwres_gai_strerror.html vendor/bind9/dist/lib/lwres/man/lwres_getaddrinfo.html vendor/bind9/dist/lib/lwres/man/lwres_gethostent.html vendor/bind9/dist/lib/lwres/man/lwres_getipnode.html vendor/bind9/dist/lib/lwres/man/lwres_getnameinfo.html vendor/bind9/dist/lib/lwres/man/lwres_getrrsetbyname.html vendor/bind9/dist/lib/lwres/man/lwres_gnba.html vendor/bind9/dist/lib/lwres/man/lwres_hstrerror.html vendor/bind9/dist/lib/lwres/man/lwres_inetntop.html vendor/bind9/dist/lib/lwres/man/lwres_noop.html vendor/bind9/dist/lib/lwres/man/lwres_packet.html vendor/bind9/dist/lib/lwres/man/lwres_resutil.html vendor/bind9/dist/version Modified: vendor/bind9/dist/CHANGES ============================================================================== --- vendor/bind9/dist/CHANGES Fri Jul 31 04:50:47 2015 (r286107) +++ 
vendor/bind9/dist/CHANGES Fri Jul 31 07:03:06 2015 (r286108) @@ -1,3 +1,14 @@ + --- 9.9.7-P2 released --- + +4165. [security] A failure to reset a value to NULL in tkey.c could + result in an assertion failure. (CVE-2015-5477) + [RT #40046] + + --- 9.9.7-P1 released --- + +4138. [bug] An uninitialized value in validator.c could result + in an assertion failure. (CVE-2015-4620) [RT #39795] + --- 9.9.7 released --- --- 9.9.7rc2 released --- @@ -8380,7 +8391,7 @@ on the responses. [RT #2454] 1208. [bug] dns_master_load*() failed to log a error message if - an error was detected when parsing the ownername of + an error was detected when parsing the owner name of a record. [RT #2448] 1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with Modified: vendor/bind9/dist/README ============================================================================== --- vendor/bind9/dist/README Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/README Fri Jul 31 07:03:06 2015 (r286108) @@ -51,6 +51,15 @@ BIND 9 For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes +BIND 9.9.7-P2 + + BIND 9.9.7-P1 is a security release addressing the flaw + described in CVE-2015-5477. + +BIND 9.9.7-P1 + + BIND 9.9.7-P1 is a security release addressing the flaw + described in CVE-2015-4620. BIND 9.9.7 Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch01.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.ch01.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.ch01.html Fri Jul 31 07:03:06 2015 (r286108) @@ -556,6 +556,6 @@ -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch02.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.ch02.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.ch02.html Fri Jul 31 07:03:06 2015 (r286108) @@ -154,6 +154,6 @@ -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch03.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.ch03.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.ch03.html Fri Jul 31 07:03:06 2015 (r286108) @@ -665,6 +665,6 @@ controls { -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch04.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.ch04.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.ch04.html Fri Jul 31 07:03:06 2015 (r286108) @@ -1935,6 +1935,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2. -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch05.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.ch05.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.ch05.html Fri Jul 31 07:03:06 2015 (r286108) @@ -139,6 +139,6 @@ -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch06.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.ch06.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.ch06.html Fri Jul 31 07:03:06 2015 (r286108) @@ -11642,6 +11642,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch07.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.ch07.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.ch07.html Fri Jul 31 07:03:06 2015 (r286108) @@ -247,6 +247,6 @@ zone "example.com" { -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch08.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.ch08.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.ch08.html Fri Jul 31 07:03:06 2015 (r286108) @@ -135,6 +135,6 @@ -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch09.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.ch09.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.ch09.html Fri Jul 31 07:03:06 2015 (r286108) @@ -45,7 +45,7 @@

-Release Notes for BIND Version 9.9.7

+Release Notes for BIND Version 9.9.7-P2

Introduction

- This document summarizes changes since the last production release - of BIND on the corresponding major release branch. + This document summarizes changes since BIND 9.9.7. +

+

+ BIND 9.9.7-P2 addresses a security issue described in CVE-2015-5477. +

+

+ BIND 9.9.7-P1 addresses a security issue described in CVE-2015-4620.

@@ -86,42 +91,23 @@
  • - On servers configured to perform DNSSEC validation using - managed trust anchors (i.e., keys configured explicitly - via managed-keys, or implicitly - via dnssec-validation auto; or - dnssec-lookaside auto;), revoking - a trust anchor and sending a new untrusted replacement - could cause named to crash with an - assertion failure. This could occur in the event of a - botched key rollover, or potentially as a result of a - deliberate attack if the attacker was in position to - monitor the victim's DNS traffic. + A specially crafted query could trigger an assertion failure + in message.c.

    - This flaw was discovered by Jan-Piet Mens, and is - disclosed in CVE-2015-1349. [RT #38344] + This flaw was discovered by Jonathan Foote, and is disclosed + in CVE-2015-5477. [RT #39795]

  • - A flaw in delegation handling could be exploited to put - named into an infinite loop, in which - each lookup of a name server triggered additional lookups - of more name servers. This has been addressed by placing - limits on the number of levels of recursion - named will allow (default 7), and - on the number of queries that it will send before - terminating a recursive query (default 50). -

    -

    - The recursion depth limit is configured via the - max-recursion-depth option, and the query limit - via the max-recursion-queries option. + On servers configured to perform DNSSEC validation, an + assertion failure could be triggered on answers from + a specially configured server.

    - The flaw was discovered by Florian Maury of ANSSI, and is - disclosed in CVE-2014-8500. [RT #37580] + This flaw was discovered by Breno Silveira Soares, and is + disclosed in CVE-2015-4620. [RT #39795]
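Review bot: the added CVE-2015-5477 item in this release-notes hunk cites [RT #39795], the same ticket the CVE-2015-4620 item below it cites, while the CHANGES entry for CVE-2015-5477 in this same commit gives [RT #40046]. One of the two references is wrong, most likely the one here, and it should be reconciled with CHANGES. The item also names only message.c as the place of the assertion failure where CHANGES names tkey.c as the place of the defect; mentioning both would let a reader match the release note to change 4165.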

@@ -134,143 +120,12 @@

Feature Changes

-
    -
  • - NXDOMAIN responses to queries of type DS are now cached separately - from those for other types. This helps when using "grafted" zones - of type forward, for which the parent zone does not contain a - delegation, such as local top-level domains. Previously a query - of type DS for such a zone could cause the zone apex to be cached - as NXDOMAIN, blocking all subsequent queries. (Note: This - change is only helpful when DNSSEC validation is not enabled. - "Grafted" zones without a delegation in the parent are not a - recommended configuration.) -

  • -
  • - NOTIFY messages that are sent because a zone has been updated - are now given priority above NOTIFY messages that were scheduled - when the server started up. This should mitigate delays in zone - propagation when servers are restarted frequently. -

  • -
  • - Errors reported when running rndc addzone - (e.g., when a zone file cannot be loaded) have been clarified - to make it easier to diagnose problems. -

  • -
  • - Added support for OPENPGPKEY type. -

  • -
  • - When encountering an authoritative name server whose name is - an alias pointing to another name, the resolver treats - this as an error and skips to the next server. Previously - this happened silently; now the error will be logged to - the newly-created "cname" log category. -

  • -
  • - If named is not configured to validate the answer then - allow fallback to plain DNS on timeout even when we know - the server supports EDNS. This will allow the server to - potentially resolve signed queries when TCP is being - blocked. -

  • -
+
  • None

Bug Fixes

-
    -
  • - dig, host and - nslookup aborted when encountering - a name which, after appending search list elements, - exceeded 255 bytes. Such names are now skipped, but - processing of other names will continue. [RT #36892] -

  • -
  • - The error message generated when - named-checkzone or - named-checkconf -z encounters a - $TTL directive without a value has - been clarified. [RT #37138] -

  • -
  • - Semicolon characters (;) included in TXT records were - incorrectly escaped with a backslash when the record was - displayed as text. This is actually only necessary when there - are no quotation marks. [RT #37159] -

  • -
  • - When files opened for writing by named, - such as zone journal files, were referenced more than once - in named.conf, it could lead to file - corruption as multiple threads wrote to the same file. This - is now detected when loading named.conf - and reported as an error. [RT #37172] -

  • -
  • - dnssec-keygen -S failed to generate successor - keys for some algorithm types (including ECDSA and GOST) due to - a difference in the content of private key files. This has been - corrected. [RT #37183] -

  • -
  • - UPDATE messages that arrived too soon after - an rndc thaw could be lost. [RT #37233] -

  • -
  • - Forwarding of UPDATE messages did not work when they were - signed with SIG(0); they resulted in a BADSIG response code. - [RT #37216] -

  • -
  • - When checking for updates to trust anchors listed in - managed-keys, named - now revalidates keys based on the current set of - active trust anchors, without relying on any cached - record of previous validation. [RT #37506] -

  • -
  • - When NXDOMAIN redirection is in use, queries for a name - that is present in the redirection zone but a type that - is not present will now return NOERROR instead of NXDOMAIN. -

  • -
  • - When a zone contained a delegation to an IPv6 name server - but not an IPv4 name server, it was possible for a memory - reference to be left un-freed. This caused an assertion - failure on server shutdown, but was otherwise harmless. - [RT #37796] -

  • -
  • - Due to an inadvertent removal of code in the previous - release, when named encountered an - authoritative name server which dropped all EDNS queries, - it did not always try plain DNS. This has been corrected. - [RT #37965] -

  • -
  • - A regression caused nsupdate to use the default recursive servers - rather than the SOA MNAME server when sending the UPDATE. -

  • -
  • - Adjusted max-recursion-queries to better accommodate empty - caches. -

  • -
  • - Built-in "empty" zones did not correctly inherit the - "allow-transfer" ACL from the options or view. [RT #38310] -

  • -
  • - A mutex leak was fixed that could cause named - processes to grow to very large sizes. [RT #38454] -

  • -
  • - Fixed some bugs in RFC 5011 trust anchor management, - including a memory leak and a possible loss of state - information.[RT #38458] -

  • -
+
  • None

@@ -310,6 +165,6 @@

-

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch10.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.ch10.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.ch10.html Fri Jul 31 07:03:06 2015 (r286108) @@ -163,6 +163,6 @@
-

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch11.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.ch11.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.ch11.html Fri Jul 31 07:03:06 2015 (r286108) @@ -514,6 +514,6 @@
-

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch12.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.ch12.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.ch12.html Fri Jul 31 07:03:06 2015 (r286108) @@ -47,13 +47,13 @@
BIND 9 DNS Library Support
-
Prerequisite
-
Compilation
-
Installation
-
Known Defects/Restrictions
-
The dns.conf File
-
Sample Applications
-
Library References
+
Prerequisite
+
Compilation
+
Installation
+
Known Defects/Restrictions
+
The dns.conf File
+
Sample Applications
+
Library References
@@ -89,7 +89,7 @@

-Prerequisite

+Prerequisite

GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -98,7 +98,7 @@

-Compilation

+Compilation
 $ ./configure --enable-exportlib [other flags]
 $ make
@@ -113,7 +113,7 @@ $ make
 

-Installation

+Installation
 $ cd lib/export
 $ make install
@@ -135,7 +135,7 @@ $ make i
 
 

-Known Defects/Restrictions

+Known Defects/Restrictions
  • Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -175,7 +175,7 @@ $ make

    -The dns.conf File

    +The dns.conf File

The IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -193,14 +193,14 @@ $ make

-Sample Applications

+Sample Applications

Some sample application programs using this API are provided for reference. The following is a brief description of these applications.

-sample: a simple stub resolver utility

+sample: a simple stub resolver utility

It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -264,7 +264,7 @@ $ make

-sample-async: a simple stub resolver, working asynchronously

+sample-async: a simple stub resolver, working asynchronously

Similar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -305,7 +305,7 @@ $ make

-sample-request: a simple DNS transaction client

+sample-request: a simple DNS transaction client

It sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -346,7 +346,7 @@ $ make

-sample-gai: getaddrinfo() and getnameinfo() test code

+sample-gai: getaddrinfo() and getnameinfo() test code

This is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -363,7 +363,7 @@ $ make

-sample-update: a simple dynamic update client program

+sample-update: a simple dynamic update client program

It accepts a single update command as a command-line argument, sends an update request message to the @@ -458,7 +458,7 @@ $ sample

-nsprobe: domain/name server checker in terms of RFC 4074

+nsprobe: domain/name server checker in terms of RFC 4074

It checks a set of domains to see the name servers of the domains behave @@ -515,7 +515,7 @@ $ sample

-Library References

+Library References

As of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application @@ -540,6 +540,6 @@ $ sample -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch13.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.ch13.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.ch13.html Fri Jul 31 07:03:06 2015 (r286108) @@ -140,6 +140,6 @@ -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.html ============================================================================== --- vendor/bind9/dist/doc/arm/Bv9ARM.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/Bv9ARM.html Fri Jul 31 07:03:06 2015 (r286108) @@ -41,7 +41,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.9.7

+

BIND Version 9.9.7-P2

@@ -234,7 +234,7 @@
A. Release Notes
-
Release Notes for BIND Version 9.9.7
+
Release Notes for BIND Version 9.9.7-P2
Introduction
Download
@@ -262,13 +262,13 @@
BIND 9 DNS Library Support
-
Prerequisite
-
Compilation
-
Installation
-
Known Defects/Restrictions
-
The dns.conf File
-
Sample Applications
-
Library References
+
Prerequisite
+
Compilation
+
Installation
+
Known Defects/Restrictions
+
The dns.conf File
+
Sample Applications
+
Library References
I. Manual pages
@@ -365,6 +365,6 @@ -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.pdf ============================================================================== Binary file (source and/or target). No diff available. Modified: vendor/bind9/dist/doc/arm/man.arpaname.html ============================================================================== --- vendor/bind9/dist/doc/arm/man.arpaname.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/man.arpaname.html Fri Jul 31 07:03:06 2015 (r286108) @@ -50,20 +50,20 @@

arpaname {ipaddress ...}

-

DESCRIPTION

+

DESCRIPTION

arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.

-

SEE ALSO

+

SEE ALSO

BIND 9 Administrator Reference Manual.

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

@@ -87,6 +87,6 @@ -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/man.ddns-confgen.html ============================================================================== --- vendor/bind9/dist/doc/arm/man.ddns-confgen.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/man.ddns-confgen.html Fri Jul 31 07:03:06 2015 (r286108) @@ -50,7 +50,7 @@

ddns-confgen [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name | -z zone ] [-q] [name]

-

DESCRIPTION

+

DESCRIPTION

ddns-confgen generates a key for use by nsupdate and named. It simplifies configuration @@ -77,7 +77,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm

@@ -144,7 +144,7 @@

-

SEE ALSO

+

SEE ALSO

nsupdate(1), named.conf(5), named(8), @@ -152,7 +152,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

@@ -176,6 +176,6 @@ -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/man.dig.html ============================================================================== --- vendor/bind9/dist/doc/arm/man.dig.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/man.dig.html Fri Jul 31 07:03:06 2015 (r286108) @@ -52,7 +52,7 @@

dig [global-queryopt...] [query...]

-

DESCRIPTION

+

DESCRIPTION

dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -99,7 +99,7 @@

-

SIMPLE USAGE

+

SIMPLE USAGE

A typical invocation of dig looks like:

@@ -152,7 +152,7 @@

-

OPTIONS

+

OPTIONS

The -b option sets the source IP address of the query to address. This must be a valid @@ -260,7 +260,7 @@

-

QUERY OPTIONS

+

QUERY OPTIONS

dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -618,7 +618,7 @@

-

MULTIPLE QUERIES

+

MULTIPLE QUERIES

The BIND 9 implementation of dig supports @@ -664,7 +664,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc

-

IDN SUPPORT

+

IDN SUPPORT

If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -678,14 +678,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc

-

FILES

+

FILES

/etc/resolv.conf

${HOME}/.digrc

-

SEE ALSO

+

SEE ALSO

host(1), named(8), dnssec-keygen(8), @@ -693,7 +693,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc

-

BUGS

+

BUGS

There are probably too many query options.

@@ -716,6 +716,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
-

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/man.dnssec-checkds.html ============================================================================== --- vendor/bind9/dist/doc/arm/man.dnssec-checkds.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/man.dnssec-checkds.html Fri Jul 31 07:03:06 2015 (r286108) @@ -51,7 +51,7 @@

dnssec-dsfromkey [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

-

DESCRIPTION

+

DESCRIPTION

dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -59,7 +59,7 @@

-

OPTIONS

+

OPTIONS

-f file

@@ -88,14 +88,14 @@

-

SEE ALSO

+

SEE ALSO

dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-signzone(8),

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

@@ -118,6 +118,6 @@ -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/man.dnssec-coverage.html ============================================================================== --- vendor/bind9/dist/doc/arm/man.dnssec-coverage.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/man.dnssec-coverage.html Fri Jul 31 07:03:06 2015 (r286108) @@ -50,7 +50,7 @@

dnssec-coverage [-K directory] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [zone]

-

DESCRIPTION

+

DESCRIPTION

dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -78,7 +78,7 @@

-

OPTIONS

+

OPTIONS

-f file

@@ -168,7 +168,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-checkds(8), dnssec-dsfromkey(8), @@ -177,7 +177,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

@@ -201,6 +201,6 @@ -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/man.dnssec-dsfromkey.html ============================================================================== --- vendor/bind9/dist/doc/arm/man.dnssec-dsfromkey.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/man.dnssec-dsfromkey.html Fri Jul 31 07:03:06 2015 (r286108) @@ -52,14 +52,14 @@

dnssec-dsfromkey [-h] [-V]

-

DESCRIPTION

+

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

-

OPTIONS

+

OPTIONS

-1

@@ -144,7 +144,7 @@

-

EXAMPLE

+

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 @@ -159,7 +159,7 @@

-

FILES

+

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name @@ -173,13 +173,13 @@

-

CAVEAT

+

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -189,7 +189,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

@@ -213,6 +213,6 @@ -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/man.dnssec-keyfromlabel.html ============================================================================== --- vendor/bind9/dist/doc/arm/man.dnssec-keyfromlabel.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/man.dnssec-keyfromlabel.html Fri Jul 31 07:03:06 2015 (r286108) @@ -50,7 +50,7 @@

dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key @@ -66,7 +66,7 @@

-

OPTIONS

+

OPTIONS

-a algorithm
@@ -209,7 +209,7 @@
-

TIMING OPTIONS

+

TIMING OPTIONS

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -281,7 +281,7 @@

-

GENERATED KEY FILES

+

GENERATED KEY FILES

When dnssec-keyfromlabel completes successfully, @@ -320,7 +320,7 @@

-

SEE ALSO

+

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -328,7 +328,7 @@

-

AUTHOR

+

AUTHOR

Internet Systems Consortium

@@ -352,6 +352,6 @@ -

BIND 9.9.7 (Extended Support Version)

+

BIND 9.9.7-P2 (Extended Support Version)

Modified: vendor/bind9/dist/doc/arm/man.dnssec-keygen.html ============================================================================== --- vendor/bind9/dist/doc/arm/man.dnssec-keygen.html Fri Jul 31 04:50:47 2015 (r286107) +++ vendor/bind9/dist/doc/arm/man.dnssec-keygen.html Fri Jul 31 07:03:06 2015 (r286108) @@ -50,7 +50,7 @@

dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}

-

DESCRIPTION

+

DESCRIPTION

dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@

-

OPTIONS

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***