Date: Wed, 8 Apr 2015 19:49:39 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r281273 - in stable/9: contrib/bind9 contrib/bind9/bin/check contrib/bind9/bin/dig contrib/bind9/bin/dig/include/dig contrib/bind9/bin/dnssec contrib/bind9/bin/named contrib/bind9/bin/n... Message-ID: <201504081949.t38Jnd0S001068@svn.freebsd.org>
Author: delphij Date: Wed Apr 8 19:49:38 2015 New Revision: 281273 URL: https://svnweb.freebsd.org/changeset/base/281273 Log: Update BIND to 9.9.7. This is a direct commit to stable/9 because BIND is no longer in -HEAD. Added: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html - copied unchanged from r281268, vendor/bind9/dist/doc/arm/Bv9ARM.ch11.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html - copied unchanged from r281268, vendor/bind9/dist/doc/arm/Bv9ARM.ch12.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html - copied unchanged from r281268, vendor/bind9/dist/doc/arm/Bv9ARM.ch13.html stable/9/contrib/bind9/doc/arm/notes-wrapper.xml - copied unchanged from r281268, vendor/bind9/dist/doc/arm/notes-wrapper.xml stable/9/contrib/bind9/doc/arm/notes.html - copied unchanged from r281268, vendor/bind9/dist/doc/arm/notes.html stable/9/contrib/bind9/doc/arm/notes.pdf - copied unchanged from r281268, vendor/bind9/dist/doc/arm/notes.pdf stable/9/contrib/bind9/doc/arm/notes.xml - copied unchanged from r281268, vendor/bind9/dist/doc/arm/notes.xml stable/9/contrib/bind9/lib/dns/rdata/generic/openpgpkey_61.c - copied unchanged from r281268, vendor/bind9/dist/lib/dns/rdata/generic/openpgpkey_61.c stable/9/contrib/bind9/lib/dns/rdata/generic/openpgpkey_61.h - copied unchanged from r281268, vendor/bind9/dist/lib/dns/rdata/generic/openpgpkey_61.h Modified: stable/9/contrib/bind9/CHANGES stable/9/contrib/bind9/COPYRIGHT stable/9/contrib/bind9/FAQ.xml stable/9/contrib/bind9/README stable/9/contrib/bind9/bin/check/named-checkconf.c stable/9/contrib/bind9/bin/dig/dig.1 stable/9/contrib/bind9/bin/dig/dig.docbook stable/9/contrib/bind9/bin/dig/dig.html stable/9/contrib/bind9/bin/dig/dighost.c stable/9/contrib/bind9/bin/dig/host.c stable/9/contrib/bind9/bin/dig/include/dig/dig.h stable/9/contrib/bind9/bin/dig/nslookup.c stable/9/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c stable/9/contrib/bind9/bin/dnssec/dnssec-importkey.c stable/9/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c 
stable/9/contrib/bind9/bin/dnssec/dnssec-keygen.8 stable/9/contrib/bind9/bin/dnssec/dnssec-keygen.c stable/9/contrib/bind9/bin/dnssec/dnssec-keygen.docbook stable/9/contrib/bind9/bin/dnssec/dnssec-keygen.html stable/9/contrib/bind9/bin/dnssec/dnssec-settime.8 stable/9/contrib/bind9/bin/dnssec/dnssec-settime.c stable/9/contrib/bind9/bin/dnssec/dnssec-settime.docbook stable/9/contrib/bind9/bin/dnssec/dnssec-settime.html stable/9/contrib/bind9/bin/dnssec/dnssec-signzone.c stable/9/contrib/bind9/bin/dnssec/dnssec-verify.c stable/9/contrib/bind9/bin/dnssec/dnssectool.c stable/9/contrib/bind9/bin/dnssec/dnssectool.h stable/9/contrib/bind9/bin/named/client.c stable/9/contrib/bind9/bin/named/config.c stable/9/contrib/bind9/bin/named/include/named/globals.h stable/9/contrib/bind9/bin/named/interfacemgr.c stable/9/contrib/bind9/bin/named/main.c stable/9/contrib/bind9/bin/named/named.html stable/9/contrib/bind9/bin/named/query.c stable/9/contrib/bind9/bin/named/server.c stable/9/contrib/bind9/bin/named/update.c stable/9/contrib/bind9/bin/named/zoneconf.c stable/9/contrib/bind9/bin/nsupdate/nsupdate.c stable/9/contrib/bind9/bin/rndc/rndc.c stable/9/contrib/bind9/config.h.in stable/9/contrib/bind9/configure.in stable/9/contrib/bind9/doc/arm/Bv9ARM-book.xml stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html stable/9/contrib/bind9/doc/arm/Bv9ARM.html stable/9/contrib/bind9/doc/arm/Bv9ARM.pdf stable/9/contrib/bind9/doc/arm/Makefile.in stable/9/contrib/bind9/doc/arm/dnssec.xml stable/9/contrib/bind9/doc/arm/man.arpaname.html 
stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html stable/9/contrib/bind9/doc/arm/man.dig.html stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html stable/9/contrib/bind9/doc/arm/man.dnssec-keygen.html stable/9/contrib/bind9/doc/arm/man.dnssec-revoke.html stable/9/contrib/bind9/doc/arm/man.dnssec-settime.html stable/9/contrib/bind9/doc/arm/man.dnssec-signzone.html stable/9/contrib/bind9/doc/arm/man.dnssec-verify.html stable/9/contrib/bind9/doc/arm/man.genrandom.html stable/9/contrib/bind9/doc/arm/man.host.html stable/9/contrib/bind9/doc/arm/man.isc-hmac-fixup.html stable/9/contrib/bind9/doc/arm/man.named-checkconf.html stable/9/contrib/bind9/doc/arm/man.named-checkzone.html stable/9/contrib/bind9/doc/arm/man.named-journalprint.html stable/9/contrib/bind9/doc/arm/man.named.html stable/9/contrib/bind9/doc/arm/man.nsec3hash.html stable/9/contrib/bind9/doc/arm/man.nsupdate.html stable/9/contrib/bind9/doc/arm/man.rndc-confgen.html stable/9/contrib/bind9/doc/arm/man.rndc.conf.html stable/9/contrib/bind9/doc/arm/man.rndc.html stable/9/contrib/bind9/lib/bind9/api stable/9/contrib/bind9/lib/bind9/check.c stable/9/contrib/bind9/lib/bind9/getaddresses.c stable/9/contrib/bind9/lib/dns/adb.c stable/9/contrib/bind9/lib/dns/api stable/9/contrib/bind9/lib/dns/diff.c stable/9/contrib/bind9/lib/dns/dispatch.c stable/9/contrib/bind9/lib/dns/gen.c stable/9/contrib/bind9/lib/dns/include/dns/dispatch.h stable/9/contrib/bind9/lib/dns/include/dns/log.h stable/9/contrib/bind9/lib/dns/include/dns/rbt.h stable/9/contrib/bind9/lib/dns/include/dns/request.h stable/9/contrib/bind9/lib/dns/journal.c stable/9/contrib/bind9/lib/dns/keytable.c stable/9/contrib/bind9/lib/dns/log.c stable/9/contrib/bind9/lib/dns/master.c stable/9/contrib/bind9/lib/dns/masterdump.c stable/9/contrib/bind9/lib/dns/message.c 
stable/9/contrib/bind9/lib/dns/name.c stable/9/contrib/bind9/lib/dns/nsec3.c stable/9/contrib/bind9/lib/dns/openssldh_link.c stable/9/contrib/bind9/lib/dns/opensslecdsa_link.c stable/9/contrib/bind9/lib/dns/opensslgost_link.c stable/9/contrib/bind9/lib/dns/private.c stable/9/contrib/bind9/lib/dns/rbt.c stable/9/contrib/bind9/lib/dns/rbtdb.c stable/9/contrib/bind9/lib/dns/rdata.c stable/9/contrib/bind9/lib/dns/rdata/generic/cdnskey_60.c stable/9/contrib/bind9/lib/dns/rdata/generic/cds_59.c stable/9/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c stable/9/contrib/bind9/lib/dns/rdata/generic/nsec3_50.c stable/9/contrib/bind9/lib/dns/rdata/generic/opt_41.c stable/9/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c stable/9/contrib/bind9/lib/dns/rdata/generic/sig_24.c stable/9/contrib/bind9/lib/dns/rdata/generic/spf_99.h stable/9/contrib/bind9/lib/dns/rdata/generic/txt_16.c stable/9/contrib/bind9/lib/dns/rdataset.c stable/9/contrib/bind9/lib/dns/request.c stable/9/contrib/bind9/lib/dns/resolver.c stable/9/contrib/bind9/lib/dns/rootns.c stable/9/contrib/bind9/lib/dns/spnego_asn1.c stable/9/contrib/bind9/lib/dns/tkey.c stable/9/contrib/bind9/lib/dns/tsig.c stable/9/contrib/bind9/lib/dns/validator.c stable/9/contrib/bind9/lib/dns/zone.c stable/9/contrib/bind9/lib/dns/zt.c stable/9/contrib/bind9/lib/export/isc/Makefile.in stable/9/contrib/bind9/lib/export/isc/unix/Makefile.in stable/9/contrib/bind9/lib/export/samples/nsprobe.c stable/9/contrib/bind9/lib/export/samples/sample-request.c stable/9/contrib/bind9/lib/export/samples/sample-update.c stable/9/contrib/bind9/lib/irs/getnameinfo.c stable/9/contrib/bind9/lib/isc/api stable/9/contrib/bind9/lib/isc/hash.c stable/9/contrib/bind9/lib/isc/hmacmd5.c stable/9/contrib/bind9/lib/isc/hmacsha.c stable/9/contrib/bind9/lib/isc/httpd.c stable/9/contrib/bind9/lib/isc/include/isc/platform.h.in stable/9/contrib/bind9/lib/isc/include/isc/radix.h stable/9/contrib/bind9/lib/isc/include/isc/ratelimiter.h 
stable/9/contrib/bind9/lib/isc/md5.c stable/9/contrib/bind9/lib/isc/mem.c stable/9/contrib/bind9/lib/isc/radix.c stable/9/contrib/bind9/lib/isc/ratelimiter.c stable/9/contrib/bind9/lib/isc/result.c stable/9/contrib/bind9/lib/isc/sha1.c stable/9/contrib/bind9/lib/isc/sha2.c stable/9/contrib/bind9/lib/isc/unix/app.c stable/9/contrib/bind9/lib/isc/unix/include/isc/net.h stable/9/contrib/bind9/lib/isc/unix/include/isc/time.h stable/9/contrib/bind9/lib/isc/unix/net.c stable/9/contrib/bind9/lib/isc/unix/socket.c stable/9/contrib/bind9/lib/isc/unix/stdio.c stable/9/contrib/bind9/lib/isc/unix/time.c stable/9/contrib/bind9/lib/isccfg/api stable/9/contrib/bind9/lib/isccfg/parser.c stable/9/contrib/bind9/lib/lwres/api stable/9/contrib/bind9/lib/lwres/compat.c stable/9/contrib/bind9/lib/lwres/gethost.c stable/9/contrib/bind9/lib/lwres/man/lwres.html stable/9/contrib/bind9/lib/lwres/man/lwres_buffer.html stable/9/contrib/bind9/lib/lwres/man/lwres_config.html stable/9/contrib/bind9/lib/lwres/man/lwres_context.html stable/9/contrib/bind9/lib/lwres/man/lwres_gabn.html stable/9/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html stable/9/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html stable/9/contrib/bind9/lib/lwres/man/lwres_gethostent.html stable/9/contrib/bind9/lib/lwres/man/lwres_getipnode.html stable/9/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html stable/9/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html stable/9/contrib/bind9/lib/lwres/man/lwres_gnba.html stable/9/contrib/bind9/lib/lwres/man/lwres_hstrerror.html stable/9/contrib/bind9/lib/lwres/man/lwres_inetntop.html stable/9/contrib/bind9/lib/lwres/man/lwres_noop.html stable/9/contrib/bind9/lib/lwres/man/lwres_packet.html stable/9/contrib/bind9/lib/lwres/man/lwres_resutil.html stable/9/contrib/bind9/version stable/9/lib/bind/config.h stable/9/lib/bind/dns/code.h stable/9/lib/bind/dns/dns/enumclass.h stable/9/lib/bind/dns/dns/enumtype.h stable/9/lib/bind/dns/dns/rdatastruct.h 
stable/9/lib/bind/isc/isc/platform.h Directory Properties: stable/9/contrib/bind9/ (props changed) Modified: stable/9/contrib/bind9/CHANGES ============================================================================== --- stable/9/contrib/bind9/CHANGES Wed Apr 8 19:46:13 2015 (r281272) +++ stable/9/contrib/bind9/CHANGES Wed Apr 8 19:49:38 2015 (r281273) 
@@ -1,11 +1,145 @@ - --- 9.9.6-P2 released --- + --- 9.9.7 released --- + + --- 9.9.7rc2 released --- + +4061. [bug] Handle timeout in legacy system test. [RT #38573] + +4060. [bug] dns_rdata_freestruct could be called on a + uninitialised structure when handling a error. + [RT #38568] + +4059. [bug] Addressed valgrind warnings. [RT #38549] + +4058. [bug] UDP dispatches could use the wrong pseudorandom + number generator context. [RT #38578] + +4056. [bug] Fixed several small bugs in automatic trust anchor + management, including a memory leak and a possible + loss of key state information. [RT #38458] + +4057. [bug] 'dnssec-dsfromkey -T 0' failed to add ttl field. + [RT #38565] 4053. [security] Revoking a managed trust anchor and supplying an untrusted replacement could cause named to crash with an assertion failure. (CVE-2015-1349) [RT #38344] - --- 9.9.6-P1 released --- +4052. [bug] Fix a leak of query fetchlock. [RT #38454] + +4050. [bug] RPZ could send spurious SERVFAILs in response + to duplicate queries. [RT #38510] + +4049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491] + +4048. [bug] adb hash table was not being grown. [RT #38470] + + --- 9.9.7rc1 released --- + +4047. [cleanup] "named -V" now reports the current running versions + of OpenSSL and the libxml2 libraries, in addition to + the versions that were in use at build time. + +4046. [bug] Accounting of "total use" in memory context + statistics was not correct. [RT #38370] + +4045. [bug] Skip to next master on dns_request_createvia4 failure. + [RT #25185] + +4044. [bug] Change 3955 was not complete, resulting in an assertion + failure if the timing was just right. [RT #38352] + +4039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381] + +4038. [bug] Add 'rpz' flag to node and use it to determine whether + to call dns_rpz_delete. This should prevent unbalanced + add / delete calls. [RT #36888] + +4037. 
[bug] also-notify was ignoring the tsig key when checking + for duplicates resulting in some expected notify + messages not being sent. [RT #38369] + +4035. [bug] Close temporary and NZF FILE pointers before moving + the former into the latter's place, as required on + Windows. [RT #38332] + +4032. [bug] Built-in "empty" zones did not correctly inherit the + "allow-transfer" ACL from the options or view. + [RT #38310] + +4031. [bug] named-checkconf -z failed to report a missing file + with a hint zone. [RT #38294] + +4028. [bug] $GENERATE with a zero step was not being caught as a + error. A $GENERATE with a / but no step was not being + caught as a error. [RT #38262] + +3973. [test] Added hooks for Google Performance Tools CPU profiler, + including real-time/wall-clock profiling. Use + "configure --with-gperftools-profiler" to enable. + [RT #37339] + + --- 9.9.7b1 released --- + +4027. [port] Net::DNS 0.81 compatibility. [RT #38165] + +4026. [bug] Fix RFC 3658 reference in dig +sigchase. [RT #38173] + +4025. [port] bsdi: failed to build. [RT #38047] + +4024. [bug] dns_rdata_opt_first, dns_rdata_opt_next, + dns_rdata_opt_current, dns_rdata_txt_first, + dns_rdata_txt_next and dns_rdata_txt_current were + documented but not implemented. These have now been + implemented. + + dns_rdata_spf_first, dns_rdata_spf_next and + dns_rdata_spf_current were documented but not + implemented. The prototypes for these + functions have been removed. [RT #38068] + +4023. [bug] win32: socket handling with explicit ports and + invoking named with -4 was broken for some + configurations. [RT #38068] + +4021. [bug] Adjust max-recursion-queries to accommodate + the need for more queries when the cache is + empty. [RT #38104] + +4020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery + resulting in updates being sent to the wrong server. + [RT #37925] + +4019. 
[func] If named is not configured to validate the answer + then allow fallback to plain DNS on timeout even + when we know the server supports EDNS. [RT #37978] + +4018. [bug] Fall back to plain DNS when EDNS queries are being + dropped was failing. [RT #37965] + +4017. [test] Add system test to check lookups to legacy servers + with broken DNS behavior. [RT #37965] + +4016. [bug] Fix a dig segfault due to bad linked list usage. + [RT #37591] + +4015. [bug] Nameservers that are skipped due to them being + CNAMEs were not being logged. They are now logged + to category 'cname' as per BIND 8. [RT #37935] + +4014. [bug] When including a master file origin_changed was + not being properly set leading to a potentially + spurious 'inherited owner' warning. [RT #37919] + +4012. [bug] Check returned status of OpenSSL digest and HMAC + functions when they return one. Note this applies + only to FIPS capable OpenSSL libraries put in + FIPS mode and MD5. [RT #37944] + +4011. [bug] master's list port inheritance was not properly + implemented. [RT #37792] + +4007. [doc] Remove acl forward reference restriction. [RT #37772] 4006. [security] A flaw in delegation handling could be exploited to put named into an infinite loop. This has 
@@ -19,6 +153,99 @@ "max-recursion-depth" option, and the query limit via the "max-recursion-queries" option. [RT #37580] +4004. [bug] When delegations had AAAA glue but not A, a + reference could be leaked causing an assertion + failure on shutdown. [RT #37796] + +4000. [bug] NXDOMAIN redirection incorrectly handled NXRRSET + from the redirect zone. [RT #37722] + +3998. [bug] isc_radix_search was returning matches that were + too precise. [RT #37680] + +3997. [protocol] Add OPENGPGKEY record. [RT# 37671] + +3996. [bug] Address use after free on out of memory error in + keyring_add. [RT #37639] + +3995. [bug] receive_secure_serial holds the zone lock for too + long. [RT #37626] + +3990. [testing] Add tests for unknown DNSSEC algorithm handling. + [RT #37541] + +3989. [cleanup] Remove redundant dns_db_resigned calls. [RT #35748] + +3987. [func] Handle future Visual Studio 14 incompatible changes. + [RT #37380] + +3986. [doc] Add the BIND version number to page footers + in the ARM. [RT #37398] + +3985. [doc] Describe how +ndots and +search interact in dig. + [RT #37529] + +3982. [doc] Include release notes in product documentation. + [RT #37272] + +3981. [bug] Cache DS/NXDOMAIN independently of other query types. + [RT #37467] + +3978. [test] Added a unit test for Diffie-Hellman key + computation, completing change #3974. [RT #37477] + +3976. [bug] When refreshing managed-key trust anchors, clear + any cached trust so that they will always be + revalidated with the current set of secure + roots. [RT #37506] + +3974. [bug] Handle DH_compute_key() failure correctly in + openssldh_link.c. [RT #37477] + +3972. [bug] Fix host's usage statement. [RT #37397] + +3971. [bug] Reduce the cascading failures due to a bad $TTL line + in named-checkconf / named-checkzone. [RT #37138] + +3970. [contrib] Fixed a use after free bug in the SDB LDAP driver. + [RT #37237] + +3968. [bug] Silence spurious log messages when using 'named -[46]'. + [RT #37308] + +3967. 
[test] Add test for inlined signed zone in multiple views + with different DNSKEY sets. [RT #35759] + +3966. [bug] Missing dns_db_closeversion call in receive_secure_db. + [RT #35746] + +3962. [bug] 'dig +topdown +trace +sigchase' address unhandled error + conditions. [RT #34663] + +3961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with + BADSIG. [RT #37216] + +3960. [bug] 'dig +sigchase' could loop forever. [RT #37220] + +3959. [bug] Updates could be lost if they arrived immediately + after a rndc thaw. [RT #37233] + +3958. [bug] Detect when writeable files have multiple references + in named.conf. [RT #37172] + +3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256 + and ECDSAP384SHA384. [RT #37183] + +3955. [bug] Notify messages due to changes are no longer queued + behind startup notify messages. [RT #24454] + +3954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112] + +3953. [bug] Don't escape semi-colon in TXT fields. [RT #37159] + +3952. [bug] dns_name_fullcompare failed to set *nlabelsp when the + two name pointers were the same. [RT #37176] + --- 9.9.6 released --- 3950. [port] Changed the bin/python Makefile to work around a @@ -63,7 +290,7 @@ 3922. [bug] When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now - retains DS and (if applicable) NSEC signatures. + retains DS and (if applicable) NSEC signatures. [RT #36946] 3921. [bug] AD was inappropriately set on RPZ responses. [RT #36833] Modified: stable/9/contrib/bind9/COPYRIGHT ============================================================================== --- stable/9/contrib/bind9/COPYRIGHT Wed Apr 8 19:46:13 2015 (r281272) +++ stable/9/contrib/bind9/COPYRIGHT Wed Apr 8 19:49:38 2015 (r281273) 
@@ -1,4 +1,4 @@ -Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 1996-2003 Internet Software Consortium. Permission to use, copy, modify, and/or distribute this software for any Modified: stable/9/contrib/bind9/FAQ.xml ============================================================================== --- stable/9/contrib/bind9/FAQ.xml Wed Apr 8 19:46:13 2015 (r281272) +++ stable/9/contrib/bind9/FAQ.xml Wed Apr 8 19:49:38 2015 (r281273) @@ -1,7 +1,7 @@ <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []> <!-- - - Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2010, 2013, 2014 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any @@ -31,6 +31,7 @@ <year>2009</year> <year>2010</year> <year>2013</year> + <year>2014</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> Modified: stable/9/contrib/bind9/README ============================================================================== --- stable/9/contrib/bind9/README Wed Apr 8 19:46:13 2015 (r281272) +++ stable/9/contrib/bind9/README Wed Apr 8 19:49:38 2015 (r281273) 
@@ -51,14 +51,21 @@ BIND 9 For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes + +BIND 9.9.7 + + BIND 9.9.7 is a maintenance release and addresses bugs + found in BIND 9.9.6 and earlier, as well as the security + flaws described in CVE-2014-8500 and CVE-2015-1349. + BIND 9.9.6 BIND 9.9.6 is a maintenance release, and also includes - the following new functionality. + the following new functionality. - The former behavior with respect to capitalization of names - (prior to BIND 9.9.5) can be restored for specific clients via - the new "no-case-compress" ACL. + (prior to BIND 9.9.5) can be restored for specific clients via + the new "no-case-compress" ACL. BIND 9.9.5 @@ -219,7 +226,7 @@ Building -DDIG_SIGCHASE_BU=1) Disable dropping queries from particular well known ports. -DNS_CLIENT_DROPPORT=0 - Sibling glue checking in named-checkzone is enabled by default. + Sibling glue checking in named-checkzone is enabled by default. To disable the default check set. -DCHECK_SIBLING=0 named-checkzone checks out-of-zone addresses by default. To disable this default set. -DCHECK_LOCAL=0 @@ -358,7 +365,7 @@ Change Log [security] Fix for a significant security flaw [experimental] Used for new features when the syntax - or other aspects of the design are still + or other aspects of the design are still in flux and may change [port] Portability enhancement @@ -367,7 +374,7 @@ Change Log server addresses and keys [tuning] Changes to built-in configuration defaults - and constants to improve performanceo + and constants to improve performanceo [protocol] Updates to the DNS protocol such as new RR types Modified: stable/9/contrib/bind9/bin/check/named-checkconf.c ============================================================================== --- stable/9/contrib/bind9/bin/check/named-checkconf.c Wed Apr 8 19:46:13 2015 (r281272) +++ stable/9/contrib/bind9/bin/check/named-checkconf.c Wed Apr 8 19:49:38 2015 (r281273) 
@@ -488,7 +488,33 @@ main(int argc, char **argv) { isc_commandline_errprint = ISC_FALSE; - while ((c = isc_commandline_parse(argc, argv, "dhjt:pvxz")) != EOF) { + /* + * Process memory debugging argument first. + */ +#define CMDLINE_FLAGS "dhjm:t:pvxz" + while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { + switch (c) { + case 'm': + if (strcasecmp(isc_commandline_argument, "record") == 0) + isc_mem_debugging |= ISC_MEM_DEBUGRECORD; + if (strcasecmp(isc_commandline_argument, "trace") == 0) + isc_mem_debugging |= ISC_MEM_DEBUGTRACE; + if (strcasecmp(isc_commandline_argument, "usage") == 0) + isc_mem_debugging |= ISC_MEM_DEBUGUSAGE; + if (strcasecmp(isc_commandline_argument, "size") == 0) + isc_mem_debugging |= ISC_MEM_DEBUGSIZE; + if (strcasecmp(isc_commandline_argument, "mctx") == 0) + isc_mem_debugging |= ISC_MEM_DEBUGCTX; + break; + default: + break; + } + } + isc_commandline_reset = ISC_TRUE; + + RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); + + while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) { switch (c) { case 'd': debug++; @@ -498,6 +524,9 @@ main(int argc, char **argv) { nomerge = ISC_FALSE; break; + case 'm': + break; + case 't': result = isc_dir_chroot(isc_commandline_argument); if (result != ISC_R_SUCCESS) { @@ -557,8 +586,6 @@ main(int argc, char **argv) { InitSockets(); #endif - RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); - RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS); RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS); Modified: stable/9/contrib/bind9/bin/dig/dig.1 ============================================================================== --- stable/9/contrib/bind9/bin/dig/dig.1 Wed Apr 8 19:46:13 2015 (r281272) +++ stable/9/contrib/bind9/bin/dig/dig.1 Wed Apr 8 19:49:38 2015 (r281273) 
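Review bot: In the first option pass of main(), a `-m` argument that matches none of the five keywords is silently ignored, so a mistyped mode runs with memory debugging off and gives no diagnostic. Turning the independent `if` tests into an `else if` chain that ends in `else fprintf(stderr, "unknown -m argument '%s'\n", isc_commandline_argument);` would make the mistake visible. The two loops also stop on different sentinels (`!= -1` in the first pass, `!= EOF` in the second); using the same one in both would read more clearly. main() starts and ends outside the hunk.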
@@ -388,7 +388,10 @@ for it to be considered absolute. The de or \fBdomain\fR directive in -\fI/etc/resolv.conf\fR. +\fI/etc/resolv.conf\fR +if +\fB+search\fR +is set. .RE .PP \fB+[no]nsid\fR @@ -447,6 +450,12 @@ Toggle the display of per\-record commen Use [do not use] the search list defined by the searchlist or domain directive in \fIresolv.conf\fR (if any). The search list is not used by default. +.sp +\'ndots' from +\fIresolv.conf\fR +(default 1) which may be overridden by +\fI+ndots\fR +determines if the name will be treated as relative or not and hence whether a search is eventually performed or not. .RE .PP \fB+[no]short\fR Modified: stable/9/contrib/bind9/bin/dig/dig.docbook ============================================================================== --- stable/9/contrib/bind9/bin/dig/dig.docbook Wed Apr 8 19:46:13 2015 (r281272) +++ stable/9/contrib/bind9/bin/dig/dig.docbook Wed Apr 8 19:49:38 2015 (r281273) @@ -624,7 +624,8 @@ are interpreted as relative names and will be searched for in the domains listed in the <option>search</option> or <option>domain</option> directive in - <filename>/etc/resolv.conf</filename>. + <filename>/etc/resolv.conf</filename> if + <option>+search</option> is set. </para> </listitem> </varlistentry> @@ -731,6 +732,13 @@ <filename>resolv.conf</filename> (if any). The search list is not used by default. </para> + <para> + 'ndots' from <filename>resolv.conf</filename> (default 1) + which may be overridden by <parameter>+ndots</parameter> + determines if the name will be treated as relative + or not and hence whether a search is eventually + performed or not. + </para> </listitem> </varlistentry> Modified: stable/9/contrib/bind9/bin/dig/dig.html ============================================================================== --- stable/9/contrib/bind9/bin/dig/dig.html Wed Apr 8 19:46:13 2015 (r281272) +++ stable/9/contrib/bind9/bin/dig/dig.html Wed Apr 8 19:49:38 2015 (r281273) 
@@ -412,7 +412,8 @@ are interpreted as relative names and will be searched for in the domains listed in the <code class="option">search</code> or <code class="option">domain</code> directive in - <code class="filename">/etc/resolv.conf</code>. + <code class="filename">/etc/resolv.conf</code> if + <code class="option">+search</code> is set. </p></dd> <dt><span class="term"><code class="option">+[no]nsid</code></span></dt> <dd><p> @@ -468,12 +469,21 @@ record comments unless multiline mode is active. </p></dd> <dt><span class="term"><code class="option">+[no]search</code></span></dt> -<dd><p> +<dd> +<p> Use [do not use] the search list defined by the searchlist or domain directive in <code class="filename">resolv.conf</code> (if any). The search list is not used by default. - </p></dd> + </p> +<p> + 'ndots' from <code class="filename">resolv.conf</code> (default 1) + which may be overridden by <em class="parameter"><code>+ndots</code></em> + determines if the name will be treated as relative + or not and hence whether a search is eventually + performed or not. + </p> +</dd> <dt><span class="term"><code class="option">+[no]short</code></span></dt> <dd><p> Provide a terse answer. The default is to print the @@ -590,7 +600,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2545168"></a><h2>MULTIPLE QUERIES</h2> +<a name="id2545181"></a><h2>MULTIPLE QUERIES</h2> <p> The BIND 9 implementation of <span><strong class="command">dig </strong></span> supports @@ -636,7 +646,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc </p> </div> <div class="refsect1" lang="en"> -<a name="id2545229"></a><h2>IDN SUPPORT</h2> +<a name="id2545243"></a><h2>IDN SUPPORT</h2> <p> If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. 
@@ -650,14 +660,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc </p> </div> <div class="refsect1" lang="en"> -<a name="id2545252"></a><h2>FILES</h2> +<a name="id2545266"></a><h2>FILES</h2> <p><code class="filename">/etc/resolv.conf</code> </p> <p><code class="filename">${HOME}/.digrc</code> </p> </div> <div class="refsect1" lang="en"> -<a name="id2545269"></a><h2>SEE ALSO</h2> +<a name="id2545283"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>, <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, @@ -665,7 +675,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc </p> </div> <div class="refsect1" lang="en"> -<a name="id2545306"></a><h2>BUGS</h2> +<a name="id2545320"></a><h2>BUGS</h2> <p> There are probably too many query options. </p> Modified: stable/9/contrib/bind9/bin/dig/dighost.c ============================================================================== --- stable/9/contrib/bind9/bin/dig/dighost.c Wed Apr 8 19:46:13 2015 (r281272) +++ stable/9/contrib/bind9/bin/dig/dighost.c Wed Apr 8 19:49:38 2015 (r281273) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -58,6 +58,7 @@ #include <dns/log.h> #include <dns/message.h> #include <dns/name.h> +#include <dns/rcode.h> #include <dns/rdata.h> #include <dns/rdataclass.h> #include <dns/rdatalist.h> 
@@ -1070,10 +1071,9 @@ parse_hmac(const char *hmac) { */ static isc_result_t read_confkey(void) { - isc_log_t *lctx = NULL; cfg_parser_t *pctx = NULL; cfg_obj_t *file = NULL; - const cfg_obj_t *key = NULL; + const cfg_obj_t *keyobj = NULL; const cfg_obj_t *secretobj = NULL; const cfg_obj_t *algorithmobj = NULL; const char *keyname; @@ -1084,7 +1084,7 @@ read_confkey(void) { if (! isc_file_exists(keyfile)) return (ISC_R_FILENOTFOUND); - result = cfg_parser_create(mctx, lctx, &pctx); + result = cfg_parser_create(mctx, NULL, &pctx); if (result != ISC_R_SUCCESS) goto cleanup; @@ -1093,16 +1093,16 @@ read_confkey(void) { if (result != ISC_R_SUCCESS) goto cleanup; - result = cfg_map_get(file, "key", &key); + result = cfg_map_get(file, "key", &keyobj); if (result != ISC_R_SUCCESS) goto cleanup; - (void) cfg_map_get(key, "secret", &secretobj); - (void) cfg_map_get(key, "algorithm", &algorithmobj); + (void) cfg_map_get(keyobj, "secret", &secretobj); + (void) cfg_map_get(keyobj, "algorithm", &algorithmobj); if (secretobj == NULL || algorithmobj == NULL) fatal("key must have algorithm and secret"); - keyname = cfg_obj_asstring(cfg_map_getname(key)); + keyname = cfg_obj_asstring(cfg_map_getname(keyobj)); secretstr = cfg_obj_asstring(secretobj); algorithm = cfg_obj_asstring(algorithmobj); @@ -2216,7 +2216,6 @@ setup_lookup(dig_lookup_t *lookup) { if (result != ISC_R_SUCCESS) { dns_message_puttempname(lookup->sendmsg, &lookup->name); - isc_buffer_init(&b, store, MXNAME); fatal("'%s' is not a legal name " "(%s)", lookup->textname, isc_result_totext(result)); @@ -2976,7 +2975,8 @@ connect_done(isc_task_t *task, isc_event query->waiting_connect = ISC_FALSE; isc_event_free(&event); l = query->lookup; - if (l->current_query != NULL) + if ((l->current_query != NULL) && + (ISC_LINK_LINKED(l->current_query, link))) next = ISC_LIST_NEXT(l->current_query, link); else next = NULL; 
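Review bot: The new `ISC_LINK_LINKED(l->current_query, link)` test in connect_done() has no comment saying when current_query can be off the list, which is the case the guard exists for. A line above the `if` such as `/* current_query may already have been unlinked (presumably on cancel); ISC_LIST_NEXT is not usable on it then */` would keep a later cleanup from dropping the check. Falling back to `next = NULL` matches the existing else branch. connect_done() continues outside the hunk.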
@@ -3518,7 +3518,7 @@ recv_done(isc_task_t *task, isc_event_t #endif printmessage(query, msg, ISC_TRUE); } else if (l->trace) { - int n = 0; + int nl = 0; int count = msg->counts[DNS_SECTION_ANSWER]; debug("in TRACE code"); @@ -3529,13 +3529,13 @@ recv_done(isc_task_t *task, isc_event_t if (l->trace_root || (l->ns_search_only && count > 0)) { if (!l->trace_root) l->rdtype = dns_rdatatype_soa; - n = followup_lookup(msg, query, - DNS_SECTION_ANSWER); + nl = followup_lookup(msg, query, + DNS_SECTION_ANSWER); l->trace_root = ISC_FALSE; } else if (count == 0) - n = followup_lookup(msg, query, - DNS_SECTION_AUTHORITY); - if (n == 0) + nl = followup_lookup(msg, query, + DNS_SECTION_AUTHORITY); + if (nl == 0) docancel = ISC_TRUE; } else { debug("in NSSEARCH code"); @@ -3544,12 +3544,12 @@ recv_done(isc_task_t *task, isc_event_t /* * This is the initial NS query. */ - int n; + int nl; l->rdtype = dns_rdatatype_soa; - n = followup_lookup(msg, query, - DNS_SECTION_ANSWER); - if (n == 0) + nl = followup_lookup(msg, query, + DNS_SECTION_ANSWER); + if (nl == 0) docancel = ISC_TRUE; l->trace_root = ISC_FALSE; usesearch = ISC_FALSE; @@ -3679,12 +3679,12 @@ recv_done(isc_task_t *task, isc_event_t * routines, since they may be using a non-DNS system for these lookups. */ isc_result_t -get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) { +get_address(char *host, in_port_t myport, isc_sockaddr_t *sockaddr) { int count; isc_result_t result; isc_app_block(); - result = bind9_getaddresses(host, port, sockaddr, 1, &count); + result = bind9_getaddresses(host, myport, sockaddr, 1, &count); isc_app_unblock(); if (result != ISC_R_SUCCESS) return (result); @@ -4151,6 +4151,9 @@ chase_scanname_section(dns_message_t *ms dns_rdataset_t *rdataset; dns_name_t *msg_name = NULL; + if (msg->counts[section] == 0) + return (NULL); + do { dns_message_currentname(msg, section, &msg_name); if (dns_name_compare(msg_name, name) == 0) { 
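Review bot: The early return added to chase_scanname_section should state why it is needed, because the `do { ... } while` that follows calls `dns_message_currentname(msg, section, &msg_name)` before any emptiness test. On an empty section that call would presumably hit its precondition and abort on a response the remote server controls. A one-line comment above the check would do: `/* Empty section: dns_message_currentname() has no current name to return. */`. No `dns_message_firstname()` call is visible in the hunk, so it is worth confirming that the cursor is positioned before this loop; the function continues outside the hunk.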
@@ -4357,8 +4360,8 @@ get_trusted_key(isc_mem_t *mctx) dns_rdatacallbacks_init_stdio(&callbacks); callbacks.add = insert_trustedkey; return (dns_master_loadfile(filename, dns_rootname, dns_rootname, - current_lookup->rdclass, 0, &callbacks, - mctx)); + current_lookup->rdclass, DNS_MASTER_NOTTL, + &callbacks, mctx)); } @@ -4558,36 +4561,36 @@ child_of_zone(dns_name_t * name, dns_nam } isc_result_t -grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset) -{ - isc_result_t result; - dns_rdata_t sigrdata = DNS_RDATA_INIT; +grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset) { dns_rdata_sig_t siginfo; + dns_rdataset_t mysigrdataset; + isc_result_t result; - result = dns_rdataset_first(sigrdataset); + dns_rdataset_init(&mysigrdataset); + dns_rdataset_clone(sigrdataset, &mysigrdataset); + + result = dns_rdataset_first(&mysigrdataset); check_result(result, "empty RRSIG dataset"); - dns_rdata_init(&sigrdata); do { - dns_rdataset_current(sigrdataset, &sigrdata); + dns_rdata_t sigrdata = DNS_RDATA_INIT; + + dns_rdataset_current(&mysigrdataset, &sigrdata); result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); check_result(result, "sigrdata tostruct siginfo"); if (dns_name_compare(&siginfo.signer, zone_name) == 0) { - dns_rdata_freestruct(&siginfo); - dns_rdata_reset(&sigrdata); - return (ISC_R_SUCCESS); + result = ISC_R_SUCCESS; + goto cleanup; } + } while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS); - dns_rdata_freestruct(&siginfo); - dns_rdata_reset(&sigrdata); + result = ISC_R_FAILURE; +cleanup: + dns_rdataset_disassociate(&mysigrdataset); - } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); - - dns_rdata_reset(&sigrdata); - - return (ISC_R_FAILURE); + return (result); } 
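Review bot: grandfather_pb_test now walks a private clone of `sigrdataset`, but nothing says this is deliberate and the function has no header comment stating its contract. Before `dns_rdataset_init(&mysigrdataset)` I would add `/* Iterate a clone so the caller's position in sigrdataset is not disturbed. */`. The header comment should say that it returns ISC_R_SUCCESS when any RRSIG in the set names `zone_name` as signer, and ISC_R_FAILURE otherwise. It should also record that `siginfo` is filled with a NULL memory context, which is why no `dns_rdata_freestruct` call remains.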
@@ -4667,26 +4670,30 @@ contains_trusted_key(dns_name_t *name, d dns_rdataset_t *sigrdataset, isc_mem_t *mctx) { - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_t myrdataset; dst_key_t *dnsseckey = NULL; int i; + isc_result_t result; if (name == NULL || rdataset == NULL) return (ISC_R_FAILURE); - result = dns_rdataset_first(rdataset); + dns_rdataset_init(&myrdataset); + dns_rdataset_clone(rdataset, &myrdataset); + + result = dns_rdataset_first(&myrdataset); check_result(result, "empty rdataset"); do { - dns_rdataset_current(rdataset, &rdata); + dns_rdata_t rdata = DNS_RDATA_INIT; + + dns_rdataset_current(&myrdataset, &rdata); INSIST(rdata.type == dns_rdatatype_dnskey); result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dnsseckey); check_result(result, "dns_dnssec_keyfromrdata"); - for (i = 0; i < tk_list.nb_tk; i++) { if (dst_key_compare(tk_list.key[i], dnsseckey) == ISC_TRUE) { @@ -4695,22 +4702,21 @@ contains_trusted_key(dns_name_t *name, d printf(";; Ok, find a Trusted Key in the " "DNSKEY RRset: %d\n", dst_key_id(dnsseckey)); - if (sigchase_verify_sig_key(name, rdataset, - dnsseckey, - sigrdataset, - mctx) - == ISC_R_SUCCESS) { - dst_key_free(&dnsseckey); - dnsseckey = NULL; - return (ISC_R_SUCCESS); - } + result = sigchase_verify_sig_key(name, rdataset, + dnsseckey, + sigrdataset, + mctx); + if (result == ISC_R_SUCCESS) + goto cleanup; } } + dst_key_free(&dnsseckey); + } while (dns_rdataset_next(&myrdataset) == ISC_R_SUCCESS); - dns_rdata_reset(&rdata); - if (dnsseckey != NULL) - dst_key_free(&dnsseckey); - } while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS); +cleanup: + if (dnsseckey != NULL) + dst_key_free(&dnsseckey); + dns_rdataset_disassociate(&myrdataset); return (ISC_R_NOTFOUND); } 
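Review bot: The success path in contains_trusted_key now does `goto cleanup`, but the function still ends with the unchanged `return (ISC_R_NOTFOUND);`, so a trusted key whose signature verified is reported as not found. The failure is on the safe side (validation is refused rather than granted), but callers that test for ISC_R_SUCCESS will never see a match from this function. Add `result = ISC_R_NOTFOUND;` just before the `cleanup:` label and end with `return (result);`, as sigchase_verify_sig and sigchase_verify_sig_key do in this same commit. The function's signature starts above the first hunk.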
@@ -4721,16 +4727,20 @@ sigchase_verify_sig(dns_name_t *name, dn dns_rdataset_t *sigrdataset, isc_mem_t *mctx) { - isc_result_t result; - dns_rdata_t keyrdata = DNS_RDATA_INIT; + dns_rdataset_t mykeyrdataset; dst_key_t *dnsseckey = NULL; + isc_result_t result; - result = dns_rdataset_first(keyrdataset); + dns_rdataset_init(&mykeyrdataset); + dns_rdataset_clone(keyrdataset, &mykeyrdataset); + + result = dns_rdataset_first(&mykeyrdataset); check_result(result, "empty DNSKEY dataset"); - dns_rdata_init(&keyrdata); do { - dns_rdataset_current(keyrdataset, &keyrdata); + dns_rdata_t keyrdata = DNS_RDATA_INIT; + + dns_rdataset_current(&mykeyrdataset, &keyrdata); INSIST(keyrdata.type == dns_rdatatype_dnskey); result = dns_dnssec_keyfromrdata(name, &keyrdata, @@ -4739,18 +4749,19 @@ sigchase_verify_sig(dns_name_t *name, dn result = sigchase_verify_sig_key(name, rdataset, dnsseckey, sigrdataset, mctx); - if (result == ISC_R_SUCCESS) { - dns_rdata_reset(&keyrdata); - dst_key_free(&dnsseckey); - return (ISC_R_SUCCESS); - } + if (result == ISC_R_SUCCESS) + goto cleanup; dst_key_free(&dnsseckey); - dns_rdata_reset(&keyrdata); - } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS); + } while (dns_rdataset_next(&mykeyrdataset) == ISC_R_SUCCESS); - dns_rdata_reset(&keyrdata); + result = ISC_R_NOTFOUND; - return (ISC_R_NOTFOUND); + cleanup: + if (dnsseckey != NULL) + dst_key_free(&dnsseckey); + dns_rdataset_disassociate(&mykeyrdataset); + + return (result); } isc_result_t 
@@ -4758,16 +4769,23 @@ sigchase_verify_sig_key(dns_name_t *name dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset, isc_mem_t *mctx) { - isc_result_t result; - dns_rdata_t sigrdata = DNS_RDATA_INIT; dns_rdata_sig_t siginfo; + dns_rdataset_t myrdataset; + dns_rdataset_t mysigrdataset; + isc_result_t result; - result = dns_rdataset_first(sigrdataset); + dns_rdataset_init(&myrdataset); + dns_rdataset_clone(rdataset, &myrdataset); + dns_rdataset_init(&mysigrdataset); + dns_rdataset_clone(sigrdataset, &mysigrdataset); + + result = dns_rdataset_first(&mysigrdataset); check_result(result, "empty RRSIG dataset"); - dns_rdata_init(&sigrdata); do { - dns_rdataset_current(sigrdataset, &sigrdata); + dns_rdata_t sigrdata = DNS_RDATA_INIT; + + dns_rdataset_current(&mysigrdataset, &sigrdata); result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL); check_result(result, "sigrdata tostruct siginfo"); @@ -4778,10 +4796,10 @@ sigchase_verify_sig_key(dns_name_t *name */ if (siginfo.keyid == dst_key_id(dnsseckey)) { - result = dns_rdataset_first(rdataset); + result = dns_rdataset_first(&myrdataset); check_result(result, "empty DS dataset"); - result = dns_dnssec_verify(name, rdataset, dnsseckey, + result = dns_dnssec_verify(name, &myrdataset, dnsseckey, ISC_FALSE, mctx, &sigrdata); printf(";; VERIFYING "); @@ -4791,19 +4809,18 @@ sigchase_verify_sig_key(dns_name_t *name printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey), isc_result_totext(result)); - if (result == ISC_R_SUCCESS) { - dns_rdata_reset(&sigrdata); - return (result); - } + if (result == ISC_R_SUCCESS) + goto cleanup; } - dns_rdata_freestruct(&siginfo); - dns_rdata_reset(&sigrdata); + } while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS); - } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS); + result = ISC_R_NOTFOUND; - dns_rdata_reset(&sigrdata); + cleanup: + dns_rdataset_disassociate(&myrdataset); + dns_rdataset_disassociate(&mysigrdataset); - return (ISC_R_NOTFOUND); + return (result); } 
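Review bot: The rewritten loop in sigchase_verify_sig_key drops `dns_rdata_freestruct(&siginfo)`, which is only correct because `dns_rdata_tostruct(&sigrdata, &siginfo, NULL)` is called with a NULL memory context; that dependency deserves a comment. Next to the tostruct call I would add `/* NULL mctx: siginfo borrows from sigrdata, nothing to free. */`. If a later change passes `mctx` there, each iteration would presumably leak the structure's allocations. The same remark applies to grandfather_pb_test, and this function starts above the hunk.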
@@ -4811,27 +4828,35 @@ isc_result_t sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset, dns_rdataset_t *dsrdataset, isc_mem_t *mctx) { - isc_result_t result; - dns_rdata_t keyrdata = DNS_RDATA_INIT; - dns_rdata_t newdsrdata = DNS_RDATA_INIT; - dns_rdata_t dsrdata = DNS_RDATA_INIT; dns_rdata_ds_t dsinfo; + dns_rdataset_t mydsrdataset; + dns_rdataset_t mykeyrdataset; dst_key_t *dnsseckey = NULL; + isc_result_t result; unsigned char dsbuf[DNS_DS_BUFFERSIZE]; - result = dns_rdataset_first(dsrdataset); + dns_rdataset_init(&mydsrdataset); + dns_rdataset_clone(dsrdataset, &mydsrdataset); + dns_rdataset_init(&mykeyrdataset); + dns_rdataset_clone(keyrdataset, &mykeyrdataset); + + result = dns_rdataset_first(&mydsrdataset); check_result(result, "empty DSset dataset"); do { - dns_rdataset_current(dsrdataset, &dsrdata); + dns_rdata_t dsrdata = DNS_RDATA_INIT; + + dns_rdataset_current(&mydsrdataset, &dsrdata); result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL); check_result(result, "dns_rdata_tostruct for DS"); - result = dns_rdataset_first(keyrdataset); + result = dns_rdataset_first(&mykeyrdataset); check_result(result, "empty KEY dataset"); do { - dns_rdataset_current(keyrdataset, &keyrdata); + dns_rdata_t keyrdata = DNS_RDATA_INIT; + + dns_rdataset_current(&mykeyrdataset, &keyrdata); INSIST(keyrdata.type == dns_rdatatype_dnskey); result = dns_dnssec_keyfromrdata(name, &keyrdata, @@ -4843,6 +4868,7 @@ sigchase_verify_ds(dns_name_t *name, dns * id of DNSKEY referenced by the DS */ if (dsinfo.key_tag == dst_key_id(dnsseckey)) { + dns_rdata_t newdsrdata = DNS_RDATA_INIT; result = dns_ds_buildrdata(name, &keyrdata, dsinfo.digest_type, 
@@ -4850,14 +4876,9 @@ sigchase_verify_ds(dns_name_t *name, dns dns_rdata_freestruct(&dsinfo); if (result != ISC_R_SUCCESS) { - dns_rdata_reset(&keyrdata); - dns_rdata_reset(&newdsrdata); - dns_rdata_reset(&dsrdata); - dst_key_free(&dnsseckey); - dns_rdata_freestruct(&dsinfo); printf("Oops: impossible to build" " new DS rdata\n"); *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***