From owner-svn-src-stable@freebsd.org Thu Mar 10 07:45:01 2016 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 64C70ACA473; Thu, 10 Mar 2016 07:45:01 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0B506D07; Thu, 10 Mar 2016 07:45:00 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u2A7j073058507; Thu, 10 Mar 2016 07:45:00 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u2A7ivQf058467; Thu, 10 Mar 2016 07:44:57 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201603100744.u2A7ivQf058467@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Thu, 10 Mar 2016 07:44:57 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r296608 - in stable/9/contrib/bind9: . bin/named bin/rndc doc/arm lib/dns lib/isccc X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Mar 2016 07:45:01 -0000 Author: delphij Date: Thu Mar 10 07:44:56 2016 New Revision: 296608 URL: https://svnweb.freebsd.org/changeset/base/296608 Log: MFV r296599: BIND 9.9.8-P4. Security: CVE-2016-1285 Security: CVE-2016-1286 Security: CVE-2016-2088 Security: FreeBSD-SA-16:13.bind Modified: stable/9/contrib/bind9/CHANGES stable/9/contrib/bind9/COPYRIGHT stable/9/contrib/bind9/README stable/9/contrib/bind9/bin/named/control.c stable/9/contrib/bind9/bin/named/controlconf.c stable/9/contrib/bind9/bin/named/query.c stable/9/contrib/bind9/bin/rndc/rndc.c stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html stable/9/contrib/bind9/doc/arm/Bv9ARM.html stable/9/contrib/bind9/doc/arm/Bv9ARM.pdf stable/9/contrib/bind9/doc/arm/man.arpaname.html stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html stable/9/contrib/bind9/doc/arm/man.dig.html stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html stable/9/contrib/bind9/doc/arm/man.dnssec-keygen.html stable/9/contrib/bind9/doc/arm/man.dnssec-revoke.html stable/9/contrib/bind9/doc/arm/man.dnssec-settime.html stable/9/contrib/bind9/doc/arm/man.dnssec-signzone.html stable/9/contrib/bind9/doc/arm/man.dnssec-verify.html stable/9/contrib/bind9/doc/arm/man.genrandom.html stable/9/contrib/bind9/doc/arm/man.host.html stable/9/contrib/bind9/doc/arm/man.isc-hmac-fixup.html stable/9/contrib/bind9/doc/arm/man.named-checkconf.html stable/9/contrib/bind9/doc/arm/man.named-checkzone.html stable/9/contrib/bind9/doc/arm/man.named-journalprint.html stable/9/contrib/bind9/doc/arm/man.named.html stable/9/contrib/bind9/doc/arm/man.nsec3hash.html stable/9/contrib/bind9/doc/arm/man.nsupdate.html stable/9/contrib/bind9/doc/arm/man.rndc-confgen.html stable/9/contrib/bind9/doc/arm/man.rndc.conf.html stable/9/contrib/bind9/doc/arm/man.rndc.html stable/9/contrib/bind9/doc/arm/notes.html stable/9/contrib/bind9/doc/arm/notes.pdf stable/9/contrib/bind9/doc/arm/notes.xml stable/9/contrib/bind9/lib/dns/api stable/9/contrib/bind9/lib/dns/resolver.c stable/9/contrib/bind9/lib/isccc/cc.c stable/9/contrib/bind9/version Directory Properties: stable/9/contrib/bind9/ (props changed) Modified: stable/9/contrib/bind9/CHANGES ============================================================================== --- stable/9/contrib/bind9/CHANGES Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/CHANGES Thu Mar 10 07:44:56 2016 (r296608) @@ -1,3 +1,12 @@ + --- 9.9.8-P4 released --- + +4319. [security] Fix resolver assertion failure due to improper + DNAME handling when parsing fetch reply messages. + (CVE-2016-1286) [RT #41753] + +4318. [security] Malformed control messages can trigger assertions + in named and rndc. (CVE-2016-1285) [RT #41666] + --- 9.9.8-P3 released --- 4288. [bug] Fixed a regression in resolver.c:possibly_mark() Modified: stable/9/contrib/bind9/COPYRIGHT ============================================================================== --- stable/9/contrib/bind9/COPYRIGHT Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/COPYRIGHT Thu Mar 10 07:44:56 2016 (r296608) @@ -1,4 +1,4 @@ -Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 1996-2003 Internet Software Consortium. Permission to use, copy, modify, and/or distribute this software for any Modified: stable/9/contrib/bind9/README ============================================================================== --- stable/9/contrib/bind9/README Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/README Thu Mar 10 07:44:56 2016 (r296608) @@ -51,6 +51,11 @@ BIND 9 For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes +BIND 9.9.8-P4 + + BIND 9.9.8-P4 is a security release addressing the flaws + described in CVE-2016-1285 and CVE-2016-1286. + BIND 9.9.8-P3 BIND 9.9.8-P3 is a security release addressing the flaw described in Modified: stable/9/contrib/bind9/bin/named/control.c ============================================================================== --- stable/9/contrib/bind9/bin/named/control.c Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/bin/named/control.c Thu Mar 10 07:44:56 2016 (r296608) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009-2015 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009-2016 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *mess #endif data = isccc_alist_lookup(message, "_data"); - if (data == NULL) { + if (!isccc_alist_alistp(data)) { /* * No data section. */ Modified: stable/9/contrib/bind9/bin/named/controlconf.c ============================================================================== --- stable/9/contrib/bind9/bin/named/controlconf.c Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/bin/named/controlconf.c Thu Mar 10 07:44:56 2016 (r296608) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008, 2011-2014 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008, 2011-2014, 2016 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -397,7 +397,7 @@ control_recvmessage(isc_task_t *task, is * Limit exposure to replay attacks. */ _ctrl = isccc_alist_lookup(request, "_ctrl"); - if (_ctrl == NULL) { + if (!isccc_alist_alistp(_ctrl)) { log_invalid(&conn->ccmsg, ISC_R_FAILURE); goto cleanup_request; } Modified: stable/9/contrib/bind9/bin/named/query.c ============================================================================== --- stable/9/contrib/bind9/bin/named/query.c Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/bin/named/query.c Thu Mar 10 07:44:56 2016 (r296608) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -3221,7 +3221,8 @@ query_addbestns(ns_client_t *client) { goto cleanup; /* - * If the answer is secure only add NS records if they are secure * when the client may be looking for AD in the response. + * If the answer is secure only add NS records if they are secure + * when the client may be looking for AD in the response. */ if (SECURE(client) && (WANTDNSSEC(client) || WANTAD(client)) && ((rdataset->trust != dns_trust_secure) || Modified: stable/9/contrib/bind9/bin/rndc/rndc.c ============================================================================== --- stable/9/contrib/bind9/bin/rndc/rndc.c Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/bin/rndc/rndc.c Thu Mar 10 07:44:56 2016 (r296608) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -249,8 +249,8 @@ rndc_recvdone(isc_task_t *task, isc_even DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); data = isccc_alist_lookup(response, "_data"); - if (data == NULL) - fatal("no data section in response"); + if (!isccc_alist_alistp(data)) + fatal("bad or missing data section in response"); result = isccc_cc_lookupstring(data, "err", &errormsg); if (result == ISC_R_SUCCESS) { failed = ISC_TRUE; @@ -313,8 +313,8 @@ rndc_recvnonce(isc_task_t *task, isc_eve DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); _ctrl = isccc_alist_lookup(response, "_ctrl"); - if (_ctrl == NULL) - fatal("_ctrl section missing"); + if (!isccc_alist_alistp(_ctrl)) + fatal("bad or missing ctrl section in response"); nonce = 0; if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) nonce = 0; Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html ============================================================================== --- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html Thu Mar 10 07:44:56 2016 (r296608) @@ -556,6 +556,6 @@ -

BIND 9.9.8-P3 (Extended Support Version)

+

BIND 9.9.8-P4 (Extended Support Version)

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html ============================================================================== --- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html Thu Mar 10 07:44:56 2016 (r296608) @@ -154,6 +154,6 @@ -

BIND 9.9.8-P3 (Extended Support Version)

+

BIND 9.9.8-P4 (Extended Support Version)

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html ============================================================================== --- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html Thu Mar 10 07:44:56 2016 (r296608) @@ -665,6 +665,6 @@ controls { -

BIND 9.9.8-P3 (Extended Support Version)

+

BIND 9.9.8-P4 (Extended Support Version)

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html ============================================================================== --- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html Thu Mar 10 07:44:56 2016 (r296608) @@ -1935,6 +1935,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2. -

BIND 9.9.8-P3 (Extended Support Version)

+

BIND 9.9.8-P4 (Extended Support Version)

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html ============================================================================== --- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html Thu Mar 10 07:44:56 2016 (r296608) @@ -139,6 +139,6 @@ -

BIND 9.9.8-P3 (Extended Support Version)

+

BIND 9.9.8-P4 (Extended Support Version)

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html ============================================================================== --- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html Thu Mar 10 07:44:56 2016 (r296608) @@ -12177,6 +12177,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.9.8-P3 (Extended Support Version)

+

BIND 9.9.8-P4 (Extended Support Version)

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html ============================================================================== --- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html Thu Mar 10 07:44:56 2016 (r296608) @@ -247,6 +247,6 @@ zone "example.com" { -

BIND 9.9.8-P3 (Extended Support Version)

+

BIND 9.9.8-P4 (Extended Support Version)

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html ============================================================================== --- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html Thu Mar 10 07:44:56 2016 (r296608) @@ -135,6 +135,6 @@ -

BIND 9.9.8-P3 (Extended Support Version)

+

BIND 9.9.8-P4 (Extended Support Version)

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html ============================================================================== --- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html Thu Mar 10 07:44:56 2016 (r296608) @@ -45,7 +45,7 @@

Table of Contents

-
Release Notes for BIND Version 9.9.8-P3
+
Release Notes for BIND Version 9.9.8-P4
Introduction
Download
@@ -60,7 +60,7 @@

-Release Notes for BIND Version 9.9.8-P3

+Release Notes for BIND Version 9.9.8-P4

Introduction

@@ -68,6 +68,10 @@ This document summarizes changes since BIND 9.9.8:

+ BIND 9.9.8-P4 addresses the security issues described in + CVE-2016-1285 and CVE-2016-1286. +

+

BIND 9.9.8-P3 addresses the security issue described in CVE-2015-8704. It also fixes a serious regression in authoritative server selection that was introduced in 9.9.8. @@ -96,26 +100,35 @@ Security Fixes

  • + The resolver could abort with an assertion failure due to + improper DNAME handling when parsing fetch reply + messages. This flaw is disclosed in CVE-2016-1286. [RT #41753] +

    • +

  • + Malformed control messages can trigger assertions in named + and rndc. This flaw is disclosed in CVE-2016-1285. [RT + #41666] +

    • +

  • Specific APL data could trigger an INSIST. This flaw - was discovered by Brian Mitchell and is disclosed in - CVE-2015-8704. [RT #41396] + is disclosed in CVE-2015-8704. [RT #41396]

  • - Named is potentially vulnerable to the OpenSSL vulnerabilty + Named is potentially vulnerable to the OpenSSL vulnerability described in CVE-2015-3193.

  • + Incorrect reference counting could result in an INSIST + failure if a socket error occurred while performing a + lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945] +

    • +

  • Insufficient testing when parsing a message allowed records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. This flaw is disclosed in CVE-2015-8000. [RT #40987]

    • -

  • - Incorrect reference counting could result in an INSIST - failure if a socket error occurred while performing a - lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945] -

@@ -143,7 +156,8 @@

End of Life

- The BIND 9.9 (Extended Support Version) will be supported until June, 2017. + The BIND 9.9 (Extended Support Version) will be supported until + December, 2017. https://www.isc.org/downloads/software-support-policy/

@@ -177,6 +191,6 @@ -

BIND 9.9.8-P3 (Extended Support Version)

+

BIND 9.9.8-P4 (Extended Support Version)

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html ============================================================================== --- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html Thu Mar 10 07:44:56 2016 (r296608) @@ -163,6 +163,6 @@ -

BIND 9.9.8-P3 (Extended Support Version)

+

BIND 9.9.8-P4 (Extended Support Version)

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html ============================================================================== --- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html Thu Mar 10 07:44:56 2016 (r296608) @@ -514,6 +514,6 @@ -

BIND 9.9.8-P3 (Extended Support Version)

+

BIND 9.9.8-P4 (Extended Support Version)

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html ============================================================================== --- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html Thu Mar 10 06:25:47 2016 (r296607) +++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html Thu Mar 10 07:44:56 2016 (r296608) @@ -47,13 +47,13 @@
BIND 9 DNS Library Support
-
Prerequisite
-
Compilation
-
Installation
-
Known Defects/Restrictions
-
The dns.conf File
-
Sample Applications
-
Library References
+
Prerequisite
+
Compilation
+
Installation
+
Known Defects/Restrictions
+
The dns.conf File
+
Sample Applications
+
Library References
@@ -89,7 +89,7 @@

-Prerequisite

+Prerequisite

GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -98,7 +98,7 @@

-Compilation

+Compilation
 $ ./configure --enable-exportlib [other flags]
 $ make
@@ -113,7 +113,7 @@ $ make
 

 

-Installation

+Installation

 
 $ cd lib/export
 $ make install
@@ -135,7 +135,7 @@ $ make i
 
 

 

-Known Defects/Restrictions

+Known Defects/Restrictions

 
    
 
  • Currently, win32 is not supported for the export
       library. (Normal BIND 9 application can be built as
@@ -175,7 +175,7 @@ $ make
 
    
 
    
-The dns.conf File
    
+The dns.conf File

 
The IRS library supports an "advanced" configuration file
   related to the DNS library for configuration parameters that
   would be beyond the capability of the
@@ -193,14 +193,14 @@ $ make
 

 

-Sample Applications

+Sample Applications

 
Some sample application programs using this API are
   provided for reference. The following is a brief description of
   these applications.
   

 

 

-sample: a simple stub resolver utility

+sample: a simple stub resolver utility

 

   It sends a query of a given name (of a given optional RR type) to a
   specified recursive server, and prints the result as a list of
@@ -264,7 +264,7 @@ $ make
 

 

-sample-async: a simple stub resolver, working asynchronously

+sample-async: a simple stub resolver, working asynchronously

 

   Similar to "sample", but accepts a list
   of (query) domain names as a separate file and resolves the names
@@ -305,7 +305,7 @@ $ make
 

 

-sample-request: a simple DNS transaction client

+sample-request: a simple DNS transaction client

 

   It sends a query to a specified server, and
   prints the response with minimal processing. It doesn't act as a
@@ -346,7 +346,7 @@ $ make
 

 

-sample-gai: getaddrinfo() and getnameinfo() test code

+sample-gai: getaddrinfo() and getnameinfo() test code

 

   This is a test program
   to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -363,7 +363,7 @@ $ make
 

 

-sample-update: a simple dynamic update client program

+sample-update: a simple dynamic update client program

 

   It accepts a single update command as a
   command-line argument, sends an update request message to the
@@ -458,7 +458,7 @@ $ sample
 
 

 

-nsprobe: domain/name server checker in terms of RFC 4074

+nsprobe: domain/name server checker in terms of RFC 4074

 

   It checks a set
   of domains to see the name servers of the domains behave
@@ -515,7 +515,7 @@ $ sample
 
 

 

-Library References

+Library References

 
As of this writing, there is no formal "manual" of the
   libraries, except this document, header files (some of them
   provide pretty detailed explanations), and sample application
@@ -540,6 +540,6 @@ $ sample
 
 
 
-
BIND 9.9.8-P3 (Extended Support Version)

+
BIND 9.9.8-P4 (Extended Support Version)

 
 

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html	Thu Mar 10 06:25:47 2016	(r296607)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html	Thu Mar 10 07:44:56 2016	(r296608)
@@ -140,6 +140,6 @@
 
 
 
-
BIND 9.9.8-P3 (Extended Support Version)

+
BIND 9.9.8-P4 (Extended Support Version)

 
 

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/Bv9ARM.html	Thu Mar 10 06:25:47 2016	(r296607)
+++ stable/9/contrib/bind9/doc/arm/Bv9ARM.html	Thu Mar 10 07:44:56 2016	(r296608)
@@ -41,7 +41,7 @@
 

 

 BIND 9 Administrator Reference Manual

-
BIND Version 9.9.8-P3

+
BIND Version 9.9.8-P4

 
Copyright © 2004-2015 Internet Systems Consortium, Inc. ("ISC")

 
Copyright © 2000-2003 Internet Software Consortium.

 

@@ -234,7 +234,7 @@
 
 
A. Release Notes

 

-
Release Notes for BIND Version 9.9.8-P3

+
Release Notes for BIND Version 9.9.8-P4

 

 
Introduction

 
Download

@@ -262,13 +262,13 @@
 

 
BIND 9 DNS Library Support

 

-
Prerequisite

-
Compilation

-
Installation

-
Known Defects/Restrictions

-
The dns.conf File

-
Sample Applications

-
Library References

+
Prerequisite

+
Compilation

+
Installation

+
Known Defects/Restrictions

+
The dns.conf File

+
Sample Applications

+
Library References

 

 

 
I. Manual pages

@@ -365,6 +365,6 @@
 
 
 
-
BIND 9.9.8-P3 (Extended Support Version)

+
BIND 9.9.8-P4 (Extended Support Version)

 
 

Modified: stable/9/contrib/bind9/doc/arm/Bv9ARM.pdf
==============================================================================
Binary file (source and/or target). No diff available.

Modified: stable/9/contrib/bind9/doc/arm/man.arpaname.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.arpaname.html	Thu Mar 10 06:25:47 2016	(r296607)
+++ stable/9/contrib/bind9/doc/arm/man.arpaname.html	Thu Mar 10 07:44:56 2016	(r296608)
@@ -50,20 +50,20 @@
 
arpaname  {ipaddress ...}

 
 

-
DESCRIPTION

+
DESCRIPTION

 

       arpaname translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     

 

 

-
SEE ALSO

+
SEE ALSO

 

       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -87,6 +87,6 @@
 
 
 
-
BIND 9.9.8-P3 (Extended Support Version)

+
BIND 9.9.8-P4 (Extended Support Version)

 
 

Modified: stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html	Thu Mar 10 06:25:47 2016	(r296607)
+++ stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html	Thu Mar 10 07:44:56 2016	(r296608)
@@ -50,7 +50,7 @@
 
ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -77,7 +77,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -144,7 +144,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
nsupdate(1),
       named.conf(5),
       named(8),
@@ -152,7 +152,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -176,6 +176,6 @@
 
 
 
-
BIND 9.9.8-P3 (Extended Support Version)

+
BIND 9.9.8-P4 (Extended Support Version)

 
 

Modified: stable/9/contrib/bind9/doc/arm/man.dig.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.dig.html	Thu Mar 10 06:25:47 2016	(r296607)
+++ stable/9/contrib/bind9/doc/arm/man.dig.html	Thu Mar 10 07:44:56 2016	(r296608)
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -99,7 +99,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -152,7 +152,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -280,7 +280,7 @@
 

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -649,7 +649,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -695,7 +695,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -709,14 +709,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -724,7 +724,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

@@ -747,6 +747,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
 
 
 

-
BIND 9.9.8-P3 (Extended Support Version)

+
BIND 9.9.8-P4 (Extended Support Version)

 
 

Modified: stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html	Thu Mar 10 06:25:47 2016	(r296607)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html	Thu Mar 10 07:44:56 2016	(r296608)
@@ -51,7 +51,7 @@
 
dnssec-dsfromkey  [-l domain] [-f file] [-d dig path] [-D dsfromkey path] {zone}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-checkds
       verifies the correctness of Delegation Signer (DS) or DNSSEC
       Lookaside Validation (DLV) resource records for keys in a specified
@@ -59,7 +59,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f file

 

@@ -88,14 +88,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-dsfromkey(8),
       dnssec-keygen(8),
       dnssec-signzone(8),
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -118,6 +118,6 @@
 
 
 
-
BIND 9.9.8-P3 (Extended Support Version)

+
BIND 9.9.8-P4 (Extended Support Version)

 
 

Modified: stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html	Thu Mar 10 06:25:47 2016	(r296607)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html	Thu Mar 10 07:44:56 2016	(r296608)
@@ -50,7 +50,7 @@
 
dnssec-coverage  [-K directory] [-f file] [-d DNSKEY TTL] [-m max TTL] [-r interval] [-c compilezone path] [zone]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-coverage
       verifies that the DNSSEC keys for a given zone or a set of zones
       have timing metadata set properly to ensure no future lapses in DNSSEC
@@ -78,7 +78,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f file

 

@@ -168,7 +168,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 

       dnssec-checkds(8),
       dnssec-dsfromkey(8),
@@ -177,7 +177,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -201,6 +201,6 @@
 
 
 
-
BIND 9.9.8-P3 (Extended Support Version)

+
BIND 9.9.8-P4 (Extended Support Version)

 
 

Modified: stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html	Thu Mar 10 06:25:47 2016	(r296607)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html	Thu Mar 10 07:44:56 2016	(r296608)
@@ -52,14 +52,14 @@
 
dnssec-dsfromkey  [-h] [-V]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-1

 

@@ -150,7 +150,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -165,7 +165,7 @@
     

 

 

-
FILES

+
FILES

 

       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -179,13 +179,13 @@
     

 

 

-
CAVEAT

+
CAVEAT

 

       A keyfile error can give a "file not found" even if the file exists.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -195,7 +195,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -219,6 +219,6 @@
 
 
 
-
BIND 9.9.8-P3 (Extended Support Version)

+
BIND 9.9.8-P4 (Extended Support Version)

 
 

Modified: stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html	Thu Mar 10 06:25:47 2016	(r296607)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html	Thu Mar 10 07:44:56 2016	(r296608)
@@ -50,7 +50,7 @@
 
dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory] [-L ttl] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keyfromlabel
       generates a key pair of files that referencing a key object stored
       in a cryptographic hardware service module (HSM).  The private key
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -209,7 +209,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -281,7 +281,7 @@
 

 
 

-
GENERATED KEY FILES

+
GENERATED KEY FILES

 

       When dnssec-keyfromlabel completes
       successfully,
@@ -320,7 +320,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -328,7 +328,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -352,6 +352,6 @@
 
 
 
-
BIND 9.9.8-P3 (Extended Support Version)

+
BIND 9.9.8-P4 (Extended Support Version)

 
 

Modified: stable/9/contrib/bind9/doc/arm/man.dnssec-keygen.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-keygen.html	Thu Mar 10 06:25:47 2016	(r296607)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-keygen.html	Thu Mar 10 07:44:56 2016	(r296608)
@@ -50,7 +50,7 @@
 
dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v 
 level] [-V] [-z] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -280,7 +280,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -354,7 +354,7 @@
 

 
 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -400,7 +400,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -421,7 +421,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -430,7 +430,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

@@ -454,6 +454,6 @@
 
 
 
-
BIND 9.9.8-P3 (Extended Support Version)

+
BIND 9.9.8-P4 (Extended Support Version)

 
 

Modified: stable/9/contrib/bind9/doc/arm/man.dnssec-revoke.html
==============================================================================
--- stable/9/contrib/bind9/doc/arm/man.dnssec-revoke.html	Thu Mar 10 06:25:47 2016	(r296607)
+++ stable/9/contrib/bind9/doc/arm/man.dnssec-revoke.html	Thu Mar 10 07:44:56 2016	(r296608)
@@ -50,7 +50,7 @@
 
dnssec-revoke  [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***