Date: Fri, 21 Dec 2018 08:29:43 +0000 (UTC)
From: Mathieu Arnold <mat@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r487960 - in branches/2018Q4/dns: bind911 bind911/files bind912 bind912/files bind913 bind913/files
Message-ID: <201812210829.wBL8ThXD021762@repo.freebsd.org>
Author: mat
Date: Fri Dec 21 08:29:43 2018
New Revision: 487960
URL: https://svnweb.freebsd.org/changeset/ports/487960

Log:
  MFH: r480174 r480176 r482890 r482891 r483797 r483797 r483798 r483798 r484911 r484916 r484916 r485589 r487359 r487359 r487359

  Update to 9.11.5-P1, 9.12.3-P1, 9.13.5.

  While there:
  - Don't disable symbol table generation when building WITH_DEBUG.
  - Try and make sure nullfs can really be used in a more robust and centralized way.
  - Make sure all changes are sync'ed among all BIND9 ports.

  (Also, all the changes in between the previous merge.)

  Approved by: ports-secteam (blanket, runtime fixes in these latest versions.)

Modified:
  branches/2018Q4/dns/bind911/Makefile
  branches/2018Q4/dns/bind911/distinfo
  branches/2018Q4/dns/bind911/files/extrapatch-bind-min-override-ttl
  branches/2018Q4/dns/bind911/files/named.in
  branches/2018Q4/dns/bind911/files/patch-bin_named_include_named_globals.h
  branches/2018Q4/dns/bind911/files/patch-configure
  branches/2018Q4/dns/bind912/Makefile
  branches/2018Q4/dns/bind912/distinfo
  branches/2018Q4/dns/bind912/files/extrapatch-bind-min-override-ttl
  branches/2018Q4/dns/bind912/files/named.in
  branches/2018Q4/dns/bind912/files/patch-bin_named_include_named_globals.h
  branches/2018Q4/dns/bind912/files/patch-configure
  branches/2018Q4/dns/bind913/Makefile
  branches/2018Q4/dns/bind913/distinfo
  branches/2018Q4/dns/bind913/files/extrapatch-bind-min-override-ttl
  branches/2018Q4/dns/bind913/files/named.in
  branches/2018Q4/dns/bind913/files/patch-configure
  branches/2018Q4/dns/bind913/pkg-plist
Directory Properties:
  branches/2018Q4/ (props changed)

Modified: branches/2018Q4/dns/bind911/Makefile ============================================================================== --- branches/2018Q4/dns/bind911/Makefile Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind911/Makefile Fri Dec 21 08:29:43 2018 (r487960) 
@@ -20,7 +20,7 @@ LIB_DEPENDS= libxml2.so:textproc/libxml2 USES= cpe libedit # ISC releases things like 9.8.0-P1, which our versioning doesn't like -ISCVERSION= 9.11.4-P2 +ISCVERSION= 9.11.5-P1 CPE_VENDOR= isc CPE_VERSION= ${ISCVERSION:C/-.*//} @@ -30,11 +30,11 @@ CPE_UPDATE= ${ISCVERSION:C/.*-//:tl} GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \ - --disable-symtable \ --with-randomdev=/dev/random \ --with-libxml2=${LOCALBASE} \ --with-readline="-L${LOCALBASE}/lib -ledit" \ --with-dlopen=yes \ + --with-gost=no \ --sysconfdir=${ETCDIR} ETCDIR= ${PREFIX}/etc/namedb @@ -56,9 +56,8 @@ OPTIONS_DEFINE= IDN LARGE_FILE PYTHON JSON \ MINCACHE PORTREVISION QUERYTRACE LMDB DNSTAP \ START_LATE TUNING_LARGE TCP_FASTOPEN -OPTIONS_RADIO= CRYPTO GOSTDEF +OPTIONS_RADIO= CRYPTO OPTIONS_RADIO_CRYPTO= SSL NATIVE_PKCS11 -OPTIONS_RADIO_GOSTDEF= GOST GOST_ASN1 OPTIONS_GROUP= DLZ OPTIONS_GROUP_DLZ= DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \ @@ -80,9 +79,6 @@ DNSTAP_DESC= Provides fast passive logging of DNS mes FILTER_AAAA_DESC= Enable filtering of AAAA records FIXED_RRSET_DESC= Enable fixed rrset ordering GEOIP_DESC= Allow geographically based ACL. -GOSTDEF_DESC= Enable GOST ciphers, needs SSL -GOST_ASN1_DESC= GOST using ASN.1 -GOST_DESC= GOST raw keys (new default) GSSAPI_BASE_DESC= Using Heimdal in base GSSAPI_HEIMDAL_DESC= Using security/heimdal GSSAPI_MIT_DESC= Using security/krb5 @@ -131,10 +127,6 @@ FIXED_RRSET_CONFIGURE_ENABLE= fixed-rrset GEOIP_CONFIGURE_WITH= geoip GEOIP_LIB_DEPENDS= libGeoIP.so:net/GeoIP -GOST_ASN1_CONFIGURE_ON= --with-gost=asn1 - -GOST_CONFIGURE_ON= --with-gost - GSSAPI_BASE_CONFIGURE_ON=\ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}" GSSAPI_BASE_USES= gssapi 
@@ -199,14 +191,16 @@ TUNING_LARGE_CONFIGURE_OFF= --with-tuning=default .include <bsd.port.pre.mk> -.if !${PORT_OPTIONS:MGOST} && !${PORT_OPTIONS:MGOST_ASN1} -CONFIGURE_ARGS+= --without-gost +.if defined(WITH_DEBUG) +CONFIGURE_ARGS+= --enable-symtable +.else +CONFIGURE_ARGS+= --disable-symtable .endif -.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base -BROKEN= OpenSSL from the base system does not support GOST, add \ - DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \ - that needs SSL. +.if ${SSL_DEFAULT} == base +SUB_LIST+= ENGINES=/usr/lib/engines +.else +SUB_LIST+= ENGINES=${LOCALBASE}/lib/engines .endif post-patch: Modified: branches/2018Q4/dns/bind911/distinfo ============================================================================== --- branches/2018Q4/dns/bind911/distinfo Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind911/distinfo Fri Dec 21 08:29:43 2018 (r487960) @@ -1,3 +1,3 @@ -TIMESTAMP = 1537447447 -SHA256 (bind-9.11.4-P2.tar.gz) = a85af7b629109d41285c7adeae1515daac638bbe4d5dc30d1f4b343dff09d811 -SIZE (bind-9.11.4-P2.tar.gz) = 9617963 +TIMESTAMP = 1544687911 +SHA256 (bind-9.11.5-P1.tar.gz) = 6cd6dbf016569f12d4a0ed629e44e895d9ed41c6908274ed2e617666c5491928 +SIZE (bind-9.11.5-P1.tar.gz) = 8814650 Modified: branches/2018Q4/dns/bind911/files/extrapatch-bind-min-override-ttl ============================================================================== --- branches/2018Q4/dns/bind911/files/extrapatch-bind-min-override-ttl Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind911/files/extrapatch-bind-min-override-ttl Fri Dec 21 08:29:43 2018 (r487960) @@ -1,6 +1,6 @@ ---- bin/named/config.c.orig 2018-06-10 06:06:33 UTC +--- bin/named/config.c.orig 2018-10-06 01:36:17 UTC +++ bin/named/config.c -@@ -176,6 +176,8 @@ options {\n\ +@@ -177,6 +177,8 @@ options {\n\ " max-acache-size 16M;\n\ max-cache-size 90%;\n\ max-cache-ttl 604800; /* 1 week */\n\ 
@@ -9,9 +9,9 @@ max-clients-per-query 100;\n\ max-ncache-ttl 10800; /* 3 hours */\n\ max-recursion-depth 7;\n\ ---- bin/named/server.c.orig 2018-06-10 06:06:33 UTC +--- bin/named/server.c.orig 2018-10-06 01:36:17 UTC +++ bin/named/server.c -@@ -3692,6 +3692,16 @@ configure_view(dns_view_t *view, dns_vie +@@ -3695,6 +3695,16 @@ configure_view(dns_view_t *view, dns_vie } obj = NULL; @@ -28,20 +28,20 @@ result = ns_config_get(maps, "max-cache-ttl", &obj); INSIST(result == ISC_R_SUCCESS); view->maxcachettl = cfg_obj_asuint32(obj); ---- lib/dns/include/dns/view.h.orig 2018-06-10 06:06:33 UTC +--- lib/dns/include/dns/view.h.orig 2018-10-06 01:36:17 UTC +++ lib/dns/include/dns/view.h -@@ -150,6 +150,8 @@ struct dns_view { - isc_boolean_t requestnsid; - isc_boolean_t sendcookie; +@@ -152,6 +152,8 @@ struct dns_view { + bool requestnsid; + bool sendcookie; dns_ttl_t maxcachettl; + dns_ttl_t mincachettl; + dns_ttl_t overridecachettl; dns_ttl_t maxncachettl; - isc_uint32_t nta_lifetime; - isc_uint32_t nta_recheck; ---- lib/dns/resolver.c.orig 2018-06-10 06:06:33 UTC + uint32_t nta_lifetime; + uint32_t nta_recheck; +--- lib/dns/resolver.c.orig 2018-10-06 01:36:17 UTC +++ lib/dns/resolver.c -@@ -5473,6 +5473,18 @@ cache_name(fetchctx_t *fctx, dns_name_t +@@ -5474,6 +5474,18 @@ cache_name(fetchctx_t *fctx, dns_name_t } /* 
@@ -60,9 +60,9 @@ * Enforce the configure maximum cache TTL. */ if (rdataset->ttl > res->view->maxcachettl) { ---- lib/isccfg/namedconf.c.orig 2018-06-10 06:06:33 UTC +--- lib/isccfg/namedconf.c.orig 2018-10-06 01:36:17 UTC +++ lib/isccfg/namedconf.c -@@ -1770,6 +1770,8 @@ view_clauses[] = { +@@ -1773,6 +1773,8 @@ view_clauses[] = { #endif { "max-acache-size", &cfg_type_sizenodefault, 0 }, { "max-cache-size", &cfg_type_sizeorpercent, 0 }, Modified: branches/2018Q4/dns/bind911/files/named.in ============================================================================== --- branches/2018Q4/dns/bind911/files/named.in Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind911/files/named.in Fri Dec 21 08:29:43 2018 (r487960) @@ -62,7 +62,7 @@ required_dirs="${named_chrootdir}" _named_confdirroot="${named_conf%/*}" _named_confdir="${named_chrootdir}${_named_confdirroot}" _named_program_root="${named_program%/sbin/named}" -_openssl_engines="%%LOCALBASE%%/lib/engines" +_openssl_engines="%%ENGINES%%" # Needed if named.conf and rndc.conf are moved or if rndc.conf is used rndc_conf=${rndc_conf:-"$_named_confdir/rndc.conf"} 
@@ -143,19 +143,16 @@ chroot_autoupdate() fi fi - # If OpenSSL from ports, then the engines should be present in the - # chroot, named loads them after chrooting. + # The OpenSSL engines should be present in the chroot, named loads them + # after chrooting. if [ -d ${_openssl_engines} ]; then - # FIXME when 8.4 is gone see if - # security.jail.param.allow.mount.nullfs can be used. - if [ `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ]; then - mkdir -p ${named_chrootdir}${_openssl_engines} + mkdir -p ${named_chrootdir}${_openssl_engines} + if can_mount nullfs ; then mount -t nullfs ${_openssl_engines} ${named_chrootdir}${_openssl_engines} else warn "named chroot: cannot nullfs mount OpenSSL" \ "engines into the chroot, will copy the shared" \ "libraries instead." - mkdir -p ${named_chrootdir}${_openssl_engines} cp -f ${_openssl_engines}/*.so ${named_chrootdir}${_openssl_engines} fi fi 
@@ -241,20 +238,39 @@ named_stop() named_poststop() { - if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then + if [ -n "${named_chrootdir}" ]; then # if using OpenSSL from ports, unmount OpenSSL engines, if they # were not mounted but only copied, do nothing. - if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then - umount ${named_chrootdir}${_openssl_engines} + if [ -d ${_openssl_engines} ]; then + if can_mount nullfs; then + umount ${named_chrootdir}${_openssl_engines} + fi fi - # unmount /dev - if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then - umount ${named_chrootdir}/dev 2>/dev/null || true - else - warn "named chroot:" \ - "cannot unmount devfs from inside jail!" + if [ -c ${named_chrootdir}/dev/null ]; then + # unmount /dev + if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then + umount ${named_chrootdir}/dev 2>/dev/null || true + else + warn "named chroot:" \ + "cannot unmount devfs from inside jail!" + fi fi fi +} + +can_mount() +{ + local kld + kld=$1 + if ! load_kld $kld; then + return 1 + fi + if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ] || + [ `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ] || + [ `${SYSCTL_N} security.jail.mount_${kld}_allowed` -eq 1 ] ; then + return 0 + fi + return 1 } create_file() Modified: branches/2018Q4/dns/bind911/files/patch-bin_named_include_named_globals.h ============================================================================== --- branches/2018Q4/dns/bind911/files/patch-bin_named_include_named_globals.h Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind911/files/patch-bin_named_include_named_globals.h Fri Dec 21 08:29:43 2018 (r487960) 
@@ -1,8 +1,8 @@ We reference the pid file as being run/named/pid everywere else. ---- bin/named/include/named/globals.h.orig 2018-06-10 06:06:33 UTC +--- bin/named/include/named/globals.h.orig 2018-10-06 01:36:17 UTC +++ bin/named/include/named/globals.h -@@ -138,7 +138,7 @@ EXTERN isc_boolean_t ns_g_forcelock IN +@@ -139,7 +139,7 @@ EXTERN bool ns_g_forcelock INIT(false) #if NS_RUN_PID_DIR EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR "/run/named/" Modified: branches/2018Q4/dns/bind911/files/patch-configure ============================================================================== --- branches/2018Q4/dns/bind911/files/patch-configure Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind911/files/patch-configure Fri Dec 21 08:29:43 2018 (r487960) @@ -1,6 +1,6 @@ ---- configure.orig 2018-06-10 06:06:33 UTC +--- configure.orig 2018-10-06 01:36:17 UTC +++ configure -@@ -14961,27 +14961,9 @@ done +@@ -15106,27 +15106,9 @@ done # problems start to show up. saved_libs="$LIBS" for TRY_LIBS in \ @@ -30,7 +30,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5 $as_echo_n "checking linking as $TRY_LIBS... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext -@@ -15024,47 +15006,7 @@ $as_echo "no" >&6; } ;; +@@ -15169,47 +15151,7 @@ $as_echo "no" >&6; } ;; no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;; esac @@ -79,7 +79,7 @@ DNS_GSSAPI_LIBS="$LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5 -@@ -23847,7 +23789,7 @@ $as_echo "" >&6; } +@@ -23938,7 +23880,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). Modified: branches/2018Q4/dns/bind912/Makefile ============================================================================== --- branches/2018Q4/dns/bind912/Makefile Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind912/Makefile Fri Dec 21 08:29:43 2018 (r487960) 
@@ -29,13 +29,11 @@ COMMENT= BIND DNS suite with updated DNSSEC and DNS64 LICENSE= MPL20 LICENSE_FILE= ${WRKSRC}/COPYRIGHT -BROKEN_powerpc64= fails to link: /usr/bin/ld: cannot find -latomic - LIB_DEPENDS= libxml2.so:textproc/libxml2 -USES= cpe libedit +USES= compiler:c11 cpe libedit # ISC releases things like 9.8.0-P1, which our versioning doesn't like -ISCVERSION= 9.12.2-P2 +ISCVERSION= 9.12.3-P1 CPE_VENDOR= isc CPE_VERSION= ${ISCVERSION:C/-.*//} @@ -45,11 +43,11 @@ CPE_UPDATE= ${ISCVERSION:C/.*-//:tl} GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \ - --disable-symtable \ --with-randomdev=/dev/random \ --with-libxml2=${LOCALBASE} \ --with-readline="-L${LOCALBASE}/lib -ledit" \ --with-dlopen=yes \ + --with-gost=no \ --sysconfdir=${ETCDIR} ETCDIR= ${PREFIX}/etc/namedb @@ -72,9 +70,8 @@ OPTIONS_DEFAULT= SSL THREADS SIGCHASE IDN GSSAPI_NONE OPTIONS_DEFINE= IDN LARGE_FILE PYTHON JSON \ FIXED_RRSET SIGCHASE IPV6 THREADS -OPTIONS_RADIO= CRYPTO GOSTDEF +OPTIONS_RADIO= CRYPTO OPTIONS_RADIO_CRYPTO= SSL NATIVE_PKCS11 -OPTIONS_RADIO_GOSTDEF= GOST GOST_ASN1 .if !defined(BIND_TOOLS_SLAVE) OPTIONS_DEFAULT+= DLZ_FILESYSTEM LMDB RPZ_NSDNAME RPZ_NSIP TCP_FASTOPEN @@ -101,9 +98,6 @@ DLZ_STUB_DESC= DLZ stub driver DNSTAP_DESC= Provides fast passive logging of DNS messages FIXED_RRSET_DESC= Enable fixed rrset ordering GEOIP_DESC= Allow geographically based ACL. -GOSTDEF_DESC= Enable GOST ciphers, needs SSL -GOST_ASN1_DESC= GOST using ASN.1 -GOST_DESC= GOST raw keys (new default) GSSAPI_BASE_DESC= Using Heimdal in base GSSAPI_HEIMDAL_DESC= Using security/heimdal GSSAPI_MIT_DESC= Using security/krb5 @@ -150,10 +144,6 @@ FIXED_RRSET_CONFIGURE_ENABLE= fixed-rrset GEOIP_CONFIGURE_WITH= geoip GEOIP_LIB_DEPENDS= libGeoIP.so:net/GeoIP -GOST_ASN1_CONFIGURE_ON= --with-gost=asn1 - -GOST_CONFIGURE_ON= --with-gost - GSSAPI_BASE_CONFIGURE_ON=\ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}" GSSAPI_BASE_USES= gssapi 
@@ -220,14 +210,16 @@ TUNING_LARGE_CONFIGURE_OFF= --with-tuning=default .include <bsd.port.pre.mk> -.if !${PORT_OPTIONS:MGOST} && !${PORT_OPTIONS:MGOST_ASN1} -CONFIGURE_ARGS+= --without-gost +.if defined(WITH_DEBUG) +CONFIGURE_ARGS+= --enable-symtable +.else +CONFIGURE_ARGS+= --disable-symtable .endif -.if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base -BROKEN= OpenSSL from the base system does not support GOST, add \ - DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \ - that needs SSL. +.if ${SSL_DEFAULT} == base +SUB_LIST+= ENGINES=/usr/lib/engines +.else +SUB_LIST+= ENGINES=${LOCALBASE}/lib/engines .endif post-patch: Modified: branches/2018Q4/dns/bind912/distinfo ============================================================================== --- branches/2018Q4/dns/bind912/distinfo Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind912/distinfo Fri Dec 21 08:29:43 2018 (r487960) @@ -1,3 +1,3 @@ -TIMESTAMP = 1537447540 -SHA256 (bind-9.12.2-P2.tar.gz) = 87027826e98bab90ead31f45ce7653cb3116ebe64ab8202a08b6b64531df693e -SIZE (bind-9.12.2-P2.tar.gz) = 9422128 +TIMESTAMP = 1544687855 +SHA256 (bind-9.12.3-P1.tar.gz) = 6cb79389d787368af27f01c65a9fa09be1fd062eda37c94819a1a0178d5ded73 +SIZE (bind-9.12.3-P1.tar.gz) = 8625693 Modified: branches/2018Q4/dns/bind912/files/extrapatch-bind-min-override-ttl ============================================================================== --- branches/2018Q4/dns/bind912/files/extrapatch-bind-min-override-ttl Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind912/files/extrapatch-bind-min-override-ttl Fri Dec 21 08:29:43 2018 (r487960) @@ -1,6 +1,6 @@ ---- bin/named/config.c.orig 2018-07-03 07:08:14 UTC +--- bin/named/config.c.orig 2018-10-06 05:51:22 UTC +++ bin/named/config.c -@@ -182,12 +182,14 @@ options {\n\ +@@ -183,12 +183,14 @@ options {\n\ max-recursion-queries 75;\n\ max-stale-ttl 604800; /* 1 week */\n\ message-compression yes;\n\ 
@@ -15,9 +15,9 @@ provide-ixfr true;\n\ query-source address *;\n\ query-source-v6 address *;\n\ ---- bin/named/server.c.orig 2018-07-03 07:08:14 UTC +--- bin/named/server.c.orig 2018-10-06 05:51:22 UTC +++ bin/named/server.c -@@ -4072,6 +4072,16 @@ configure_view(dns_view_t *view, dns_vie +@@ -4075,6 +4075,16 @@ configure_view(dns_view_t *view, dns_vie } obj = NULL; @@ -34,20 +34,20 @@ result = named_config_get(maps, "max-cache-ttl", &obj); INSIST(result == ISC_R_SUCCESS); view->maxcachettl = cfg_obj_asuint32(obj); ---- lib/dns/include/dns/view.h.orig 2018-07-03 07:08:14 UTC +--- lib/dns/include/dns/view.h.orig 2018-10-06 05:51:22 UTC +++ lib/dns/include/dns/view.h -@@ -149,6 +149,8 @@ struct dns_view { - isc_boolean_t requestnsid; - isc_boolean_t sendcookie; +@@ -151,6 +151,8 @@ struct dns_view { + bool requestnsid; + bool sendcookie; dns_ttl_t maxcachettl; + dns_ttl_t mincachettl; + dns_ttl_t overridecachettl; dns_ttl_t maxncachettl; - isc_uint32_t nta_lifetime; - isc_uint32_t nta_recheck; ---- lib/dns/resolver.c.orig 2018-07-03 07:08:14 UTC + uint32_t nta_lifetime; + uint32_t nta_recheck; +--- lib/dns/resolver.c.orig 2018-10-06 05:51:22 UTC +++ lib/dns/resolver.c -@@ -5756,6 +5756,18 @@ cache_name(fetchctx_t *fctx, dns_name_t +@@ -5757,6 +5757,18 @@ cache_name(fetchctx_t *fctx, dns_name_t } /* 
@@ -66,9 +66,9 @@ * Enforce the configure maximum cache TTL. */ if (rdataset->ttl > res->view->maxcachettl) { ---- lib/isccfg/namedconf.c.orig 2018-07-03 07:08:14 UTC +--- lib/isccfg/namedconf.c.orig 2018-10-06 05:51:22 UTC +++ lib/isccfg/namedconf.c -@@ -1914,6 +1914,8 @@ view_clauses[] = { +@@ -1917,6 +1917,8 @@ view_clauses[] = { { "max-acache-size", &cfg_type_sizenodefault, CFG_CLAUSEFLAG_OBSOLETE }, { "max-cache-size", &cfg_type_sizeorpercent, 0 }, Modified: branches/2018Q4/dns/bind912/files/named.in ============================================================================== --- branches/2018Q4/dns/bind912/files/named.in Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind912/files/named.in Fri Dec 21 08:29:43 2018 (r487960) @@ -62,7 +62,7 @@ required_dirs="${named_chrootdir}" _named_confdirroot="${named_conf%/*}" _named_confdir="${named_chrootdir}${_named_confdirroot}" _named_program_root="${named_program%/sbin/named}" -_openssl_engines="%%LOCALBASE%%/lib/engines" +_openssl_engines="%%ENGINES%%" # Needed if named.conf and rndc.conf are moved or if rndc.conf is used rndc_conf=${rndc_conf:-"$_named_confdir/rndc.conf"} 
@@ -143,19 +143,16 @@ chroot_autoupdate() fi fi - # If OpenSSL from ports, then the engines should be present in the - # chroot, named loads them after chrooting. + # The OpenSSL engines should be present in the chroot, named loads them + # after chrooting. if [ -d ${_openssl_engines} ]; then - # FIXME when 8.4 is gone see if - # security.jail.param.allow.mount.nullfs can be used. - if [ `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ]; then - mkdir -p ${named_chrootdir}${_openssl_engines} + mkdir -p ${named_chrootdir}${_openssl_engines} + if can_mount nullfs ; then mount -t nullfs ${_openssl_engines} ${named_chrootdir}${_openssl_engines} else warn "named chroot: cannot nullfs mount OpenSSL" \ "engines into the chroot, will copy the shared" \ "libraries instead." - mkdir -p ${named_chrootdir}${_openssl_engines} cp -f ${_openssl_engines}/*.so ${named_chrootdir}${_openssl_engines} fi fi 
@@ -241,20 +238,39 @@ named_stop() named_poststop() { - if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then + if [ -n "${named_chrootdir}" ]; then # if using OpenSSL from ports, unmount OpenSSL engines, if they # were not mounted but only copied, do nothing. - if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then - umount ${named_chrootdir}${_openssl_engines} + if [ -d ${_openssl_engines} ]; then + if can_mount nullfs; then + umount ${named_chrootdir}${_openssl_engines} + fi fi - # unmount /dev - if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then - umount ${named_chrootdir}/dev 2>/dev/null || true - else - warn "named chroot:" \ - "cannot unmount devfs from inside jail!" + if [ -c ${named_chrootdir}/dev/null ]; then + # unmount /dev + if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then + umount ${named_chrootdir}/dev 2>/dev/null || true + else + warn "named chroot:" \ + "cannot unmount devfs from inside jail!" + fi fi fi +} + +can_mount() +{ + local kld + kld=$1 + if ! load_kld $kld; then + return 1 + fi + if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ] || + [ `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ] || + [ `${SYSCTL_N} security.jail.mount_${kld}_allowed` -eq 1 ] ; then + return 0 + fi + return 1 } create_file() Modified: branches/2018Q4/dns/bind912/files/patch-bin_named_include_named_globals.h ============================================================================== --- branches/2018Q4/dns/bind912/files/patch-bin_named_include_named_globals.h Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind912/files/patch-bin_named_include_named_globals.h Fri Dec 21 08:29:43 2018 (r487960) 
@@ -1,8 +1,8 @@ We reference the pid file as being run/named/pid everywere else. ---- bin/named/include/named/globals.h.orig 2018-06-10 06:06:19 UTC +--- bin/named/include/named/globals.h.orig 2018-10-06 05:51:22 UTC +++ bin/named/include/named/globals.h -@@ -128,7 +128,7 @@ EXTERN isc_boolean_t named_g_forcelock +@@ -129,7 +129,7 @@ EXTERN bool named_g_forcelock INIT(fals #if NAMED_RUN_PID_DIR EXTERN const char * named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/named/" Modified: branches/2018Q4/dns/bind912/files/patch-configure ============================================================================== --- branches/2018Q4/dns/bind912/files/patch-configure Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind912/files/patch-configure Fri Dec 21 08:29:43 2018 (r487960) @@ -1,6 +1,6 @@ ---- configure.orig 2018-06-10 06:06:19 UTC +--- configure.orig 2018-10-06 05:51:22 UTC +++ configure -@@ -14939,27 +14939,9 @@ done +@@ -15085,27 +15085,9 @@ done # problems start to show up. saved_libs="$LIBS" for TRY_LIBS in \ @@ -30,7 +30,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5 $as_echo_n "checking linking as $TRY_LIBS... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext -@@ -15002,47 +14984,7 @@ $as_echo "no" >&6; } ;; +@@ -15148,47 +15130,7 @@ $as_echo "no" >&6; } ;; no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;; esac 
@@ -79,7 +79,7 @@ DNS_GSSAPI_LIBS="$LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5 -@@ -23790,7 +23732,7 @@ $as_echo "" >&6; } +@@ -23886,7 +23828,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). Modified: branches/2018Q4/dns/bind913/Makefile ============================================================================== --- branches/2018Q4/dns/bind913/Makefile Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind913/Makefile Fri Dec 21 08:29:43 2018 (r487960) @@ -31,9 +31,9 @@ LICENSE_FILE= ${WRKSRC}/COPYRIGHT LIB_DEPENDS= libxml2.so:textproc/libxml2 -USES= cpe libedit ssl +USES= compiler:c11 cpe libedit ssl # ISC releases things like 9.8.0-P1, which our versioning doesn't like -ISCVERSION= 9.13.3 +ISCVERSION= 9.13.5 CPE_VENDOR= isc CPE_VERSION= ${ISCVERSION:C/-.*//} @@ -43,7 +43,6 @@ CPE_UPDATE= ${ISCVERSION:C/.*-//:tl} GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \ - --disable-symtable \ --with-libxml2=${LOCALBASE} \ --with-readline="-L${LOCALBASE}/lib -ledit" \ --with-dlopen=yes \ @@ -198,6 +197,18 @@ TUNING_LARGE_CONFIGURE_ON= --with-tuning=large TUNING_LARGE_CONFIGURE_OFF= --with-tuning=default .include <bsd.port.pre.mk> + +.if defined(WITH_DEBUG) +CONFIGURE_ARGS+= --enable-symtable +.else +CONFIGURE_ARGS+= --disable-symtable +.endif + +.if ${SSL_DEFAULT} == base +SUB_LIST+= ENGINES=/usr/lib/engines +.else +SUB_LIST+= ENGINES=${LOCALBASE}/lib/engines +.endif post-patch: .if defined(BIND_TOOLS_SLAVE) Modified: branches/2018Q4/dns/bind913/distinfo ============================================================================== --- branches/2018Q4/dns/bind913/distinfo Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind913/distinfo Fri Dec 21 08:29:43 2018 (r487960) 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1537447591 -SHA256 (bind-9.13.3.tar.gz) = 76674cf2a3e61766aed5c7fd1ee6ed3da133a9e331b35b24f40efdf1bbac5b44 -SIZE (bind-9.13.3.tar.gz) = 7805551 +TIMESTAMP = 1544687807 +SHA256 (bind-9.13.5.tar.gz) = bbde0b81c66a7c7f5b074c8f0e714ed8aa235e4b930e28953cab0ae3cae94e4b +SIZE (bind-9.13.5.tar.gz) = 6309308 Modified: branches/2018Q4/dns/bind913/files/extrapatch-bind-min-override-ttl ============================================================================== --- branches/2018Q4/dns/bind913/files/extrapatch-bind-min-override-ttl Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind913/files/extrapatch-bind-min-override-ttl Fri Dec 21 08:29:43 2018 (r487960) @@ -1,13 +1,6 @@ ---- bin/named/config.c.orig 2018-09-06 00:15:26 UTC +--- bin/named/config.c.orig 2018-12-07 18:44:21 UTC +++ bin/named/config.c -@@ -174,12 +174,14 @@ options {\n\ - max-recursion-queries 75;\n\ - max-stale-ttl 604800; /* 1 week */\n\ - message-compression yes;\n\ -+ min-cache-ttl 0; /* no minimal, zero is allowed */\n\ - # min-roots <obsolete>;\n\ - minimal-any false;\n\ - minimal-responses no-auth-recursive;\n\ +@@ -179,6 +179,7 @@ options {\n\ notify-source *;\n\ notify-source-v6 *;\n\ nsec3-test-zone no;\n\ @@ -15,9 +8,9 @@ provide-ixfr true;\n\ qname-minimization relaxed;\n\ query-source address *;\n\ ---- bin/named/server.c.orig 2018-09-06 00:15:26 UTC +--- bin/named/server.c.orig 2018-12-07 18:44:21 UTC +++ bin/named/server.c -@@ -4074,6 +4074,16 @@ configure_view(dns_view_t *view, dns_vie +@@ -4154,6 +4154,11 @@ configure_view(dns_view_t *view, dns_vie } obj = NULL; 
@@ -26,28 +19,22 @@ + view->overridecachettl = cfg_obj_asuint32(obj); + + obj = NULL; -+ result = named_config_get(maps, "min-cache-ttl", &obj); -+ INSIST(result == ISC_R_SUCCESS); -+ view->mincachettl = cfg_obj_asuint32(obj); -+ -+ obj = NULL; result = named_config_get(maps, "max-cache-ttl", &obj); INSIST(result == ISC_R_SUCCESS); view->maxcachettl = cfg_obj_asuint32(obj); ---- lib/dns/include/dns/view.h.orig 2018-09-06 00:15:26 UTC +--- lib/dns/include/dns/view.h.orig 2018-12-07 18:44:21 UTC +++ lib/dns/include/dns/view.h -@@ -153,6 +153,8 @@ struct dns_view { +@@ -153,6 +153,7 @@ struct dns_view { bool requestnsid; bool sendcookie; dns_ttl_t maxcachettl; -+ dns_ttl_t mincachettl; + dns_ttl_t overridecachettl; dns_ttl_t maxncachettl; - uint32_t nta_lifetime; - uint32_t nta_recheck; ---- lib/dns/resolver.c.orig 2018-09-06 00:15:26 UTC + dns_ttl_t mincachettl; + dns_ttl_t minncachettl; +--- lib/dns/resolver.c.orig 2018-12-07 18:44:21 UTC +++ lib/dns/resolver.c -@@ -5758,6 +5758,18 @@ cache_name(fetchctx_t *fctx, dns_name_t +@@ -5967,6 +5967,12 @@ cache_name(fetchctx_t *fctx, dns_name_t } /* 
@@ -57,23 +44,16 @@ + rdataset->ttl = res->view->overridecachettl; + + /* -+ * Enforce the configure minimum cache TTL. -+ */ -+ if (rdataset->ttl < res->view->mincachettl) -+ rdataset->ttl = res->view->mincachettl; -+ -+ /* * Enforce the configure maximum cache TTL. */ if (rdataset->ttl > res->view->maxcachettl) { ---- lib/isccfg/namedconf.c.orig 2018-09-06 00:15:26 UTC +--- lib/isccfg/namedconf.c.orig 2018-12-07 18:44:21 UTC +++ lib/isccfg/namedconf.c -@@ -1919,6 +1919,8 @@ view_clauses[] = { +@@ -1900,6 +1900,7 @@ view_clauses[] = { { "max-acache-size", &cfg_type_sizenodefault, CFG_CLAUSEFLAG_OBSOLETE }, { "max-cache-size", &cfg_type_sizeorpercent, 0 }, + { "override-cache-ttl", &cfg_type_ttlval, 0 }, -+ { "min-cache-ttl", &cfg_type_ttlval, 0 }, { "max-cache-ttl", &cfg_type_ttlval, 0 }, { "max-clients-per-query", &cfg_type_uint32, 0 }, { "max-ncache-ttl", &cfg_type_ttlval, 0 }, Modified: branches/2018Q4/dns/bind913/files/named.in ============================================================================== --- branches/2018Q4/dns/bind913/files/named.in Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind913/files/named.in Fri Dec 21 08:29:43 2018 (r487960) @@ -62,7 +62,7 @@ required_dirs="${named_chrootdir}" _named_confdirroot="${named_conf%/*}" _named_confdir="${named_chrootdir}${_named_confdirroot}" _named_program_root="${named_program%/sbin/named}" -_openssl_engines="%%LOCALBASE%%/lib/engines" +_openssl_engines="%%ENGINES%%" # Needed if named.conf and rndc.conf are moved or if rndc.conf is used rndc_conf=${rndc_conf:-"$_named_confdir/rndc.conf"} 
@@ -143,19 +143,16 @@ chroot_autoupdate() fi fi - # If OpenSSL from ports, then the engines should be present in the - # chroot, named loads them after chrooting. + # The OpenSSL engines should be present in the chroot, named loads them + # after chrooting. if [ -d ${_openssl_engines} ]; then - # FIXME when 8.4 is gone see if - # security.jail.param.allow.mount.nullfs can be used. - if [ `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ]; then - mkdir -p ${named_chrootdir}${_openssl_engines} + mkdir -p ${named_chrootdir}${_openssl_engines} + if can_mount nullfs ; then mount -t nullfs ${_openssl_engines} ${named_chrootdir}${_openssl_engines} else warn "named chroot: cannot nullfs mount OpenSSL" \ "engines into the chroot, will copy the shared" \ "libraries instead." - mkdir -p ${named_chrootdir}${_openssl_engines} cp -f ${_openssl_engines}/*.so ${named_chrootdir}${_openssl_engines} fi fi 
@@ -241,20 +238,39 @@ named_stop() named_poststop() { - if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then + if [ -n "${named_chrootdir}" ]; then # if using OpenSSL from ports, unmount OpenSSL engines, if they # were not mounted but only copied, do nothing. - if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then - umount ${named_chrootdir}${_openssl_engines} + if [ -d ${_openssl_engines} ]; then + if can_mount nullfs; then + umount ${named_chrootdir}${_openssl_engines} + fi fi - # unmount /dev - if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then - umount ${named_chrootdir}/dev 2>/dev/null || true - else - warn "named chroot:" \ - "cannot unmount devfs from inside jail!" + if [ -c ${named_chrootdir}/dev/null ]; then + # unmount /dev + if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then + umount ${named_chrootdir}/dev 2>/dev/null || true + else + warn "named chroot:" \ + "cannot unmount devfs from inside jail!" + fi fi fi +} + +can_mount() +{ + local kld + kld=$1 + if ! load_kld $kld; then + return 1 + fi + if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ] || + [ `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ] || + [ `${SYSCTL_N} security.jail.mount_${kld}_allowed` -eq 1 ] ; then + return 0 + fi + return 1 } create_file() Modified: branches/2018Q4/dns/bind913/files/patch-configure ============================================================================== --- branches/2018Q4/dns/bind913/files/patch-configure Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind913/files/patch-configure Fri Dec 21 08:29:43 2018 (r487960) @@ -1,6 +1,6 @@ ---- configure.orig 2018-09-06 00:15:26 UTC +--- configure.orig 2018-12-07 18:44:21 UTC +++ configure -@@ -16468,27 +16468,9 @@ done +@@ -16296,27 +16296,9 @@ done # problems start to show up. saved_libs="$LIBS" for TRY_LIBS in \ 
@@ -30,7 +30,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5 $as_echo_n "checking linking as $TRY_LIBS... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext -@@ -16531,47 +16513,7 @@ $as_echo "no" >&6; } ;; +@@ -16359,47 +16341,7 @@ $as_echo "no" >&6; } ;; no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;; esac @@ -79,7 +79,7 @@ DNS_GSSAPI_LIBS="$LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5 -@@ -21337,7 +21279,7 @@ $as_echo "" >&6; } +@@ -20933,7 +20875,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). Modified: branches/2018Q4/dns/bind913/pkg-plist ============================================================================== --- branches/2018Q4/dns/bind913/pkg-plist Fri Dec 21 08:26:12 2018 (r487959) +++ branches/2018Q4/dns/bind913/pkg-plist Fri Dec 21 08:29:43 2018 (r487960) @@ -160,8 +160,7 @@ include/isc/fuzz.h include/isc/hash.h include/isc/heap.h include/isc/hex.h -include/isc/hmacmd5.h -include/isc/hmacsha.h +include/isc/hmac.h include/isc/ht.h include/isc/httpd.h include/isc/interfaceiter.h @@ -175,7 +174,7 @@ include/isc/likely.h include/isc/list.h include/isc/log.h include/isc/magic.h -include/isc/md5.h +include/isc/md.h include/isc/mem.h include/isc/meminfo.h include/isc/msgcat.h @@ -209,12 +208,11 @@ include/isc/resultclass.h include/isc/rwlock.h include/isc/safe.h include/isc/serial.h -include/isc/sha1.h -include/isc/sha2.h include/isc/sockaddr.h include/isc/socket.h include/isc/stat.h include/isc/stats.h +include/isc/stdatomic.h include/isc/stdio.h include/isc/stdtime.h include/isc/strerr.h @@ -252,6 +250,7 @@ include/isccfg/log.h include/isccfg/namedconf.h include/isccfg/version.h include/ns/client.h +include/ns/hooks.h include/ns/interfacemgr.h include/ns/lib.h include/ns/listenlist.h 
@@ -275,6 +274,7 @@ include/pkcs11/eddsa.h include/pkcs11/pkcs11.h include/pkcs11/pkcs11f.h include/pkcs11/pkcs11t.h +lib/filter-aaaa.so lib/libbind9.a lib/libdns.a lib/libirs.a @@ -308,6 +308,7 @@ man/man8/dnssec-revoke.8.gz man/man8/dnssec-settime.8.gz man/man8/dnssec-signzone.8.gz man/man8/dnssec-verify.8.gz +man/man8/filter-aaaa.8.gz man/man8/named-checkconf.8.gz man/man8/named-checkzone.8.gz man/man8/named-compilezone.8.gz
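Review bot: removing the GOST and GOST_ASN1 options and passing --with-gost=no unconditionally (bind911 and bind912 Makefile, the CONFIGURE_ARGS and OPTIONS_RADIO hunks) changes behaviour for anyone who had GOSTDEF selected, and nothing in this diff tells them. A previously selected GOST option no longer has any effect after this update. Suggest an UPDATING entry or pkg-message stating that GOST support is no longer built in these ports.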
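Review bot: the new SUB_LIST block after .include <bsd.port.pre.mk> (all three Makefiles) hard-codes the engines directory as /usr/lib/engines or ${LOCALBASE}/lib/engines, and files/named.in only acts on it when '[ -d ${_openssl_engines} ]' is true, so a wrong path is skipped silently and the chroot ends up without engines. Worth confirming that every supported SSL_DEFAULT value installs its engines in one of those two directories, and adding a comment here saying that the value feeds %%ENGINES%% in files/named.in.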
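Review bot: in chroot_autoupdate() (files/named.in, same hunk in bind911, bind912 and bind913) the exit status of 'mount -t nullfs ...' is not checked, so when can_mount succeeds but the mount itself fails, the script leaves an empty engines directory in the chroot and never reaches the cp fallback. Suggest treating a failed mount like the else branch, for example 'if can_mount nullfs && mount -t nullfs ...; then'. Since named only needs to read the engines, mounting with -o ro would also avoid giving the chroot a writable view of the host directory.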
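Review bot: named_poststop() (files/named.in, same hunk in bind911, bind912 and bind913) decides whether to umount by calling 'can_mount nullfs' again, which asks whether a mount would be permitted now, not whether the engines directory was actually mounted at start. Because can_mount() calls load_kld, the stop path can also end up loading nullfs as a side effect. Suggest checking whether ${named_chrootdir}${_openssl_engines} is currently a nullfs mount point (for example from the output of 'mount -t nullfs') and unmounting only then. Separately, in can_mount() the sysctl substitutions are unquoted: if security.jail.mount_${kld}_allowed does not exist, the substitution is empty and test is handed '-eq 1', which is an error rather than a clean false. Quoting the substitutions and discarding the sysctl error output would keep the check quiet and well defined.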
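Review bot: dropping the local min-cache-ttl pieces from bind913/files/extrapatch-bind-min-override-ttl needs a user-facing note. The config.c default, the server.c lookup, the resolver.c clamp and the namedconf.c clause are all removed, while the view.h context now shows mincachettl and minncachettl as existing fields, so existing named.conf files that set min-cache-ttl are now handled by different code than before. Suggest saying so in UPDATING or pkg-message. The patch file now carries only override-cache-ttl, so its name no longer matches its content in bind913; a rename or a short header comment in the patch would avoid confusion with the bind911 and bind912 copies, which still add both options.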