From owner-svn-src-all@FreeBSD.ORG Fri Jan 4 13:36:37 2013
Return-Path:
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
[IPv6:2001:1900:2254:206a::19:1])
by hub.freebsd.org (Postfix) with ESMTP id 4660C55A;
Fri, 4 Jan 2013 13:36:37 +0000 (UTC)
(envelope-from erwin@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
[IPv6:2001:1900:2254:2068::e6a:0])
by mx1.freebsd.org (Postfix) with ESMTP id 2687727D;
Fri, 4 Jan 2013 13:36:37 +0000 (UTC)
Received: from svn.freebsd.org (svn.FreeBSD.org [8.8.178.70])
by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id r04DabLn035210;
Fri, 4 Jan 2013 13:36:37 GMT (envelope-from erwin@svn.freebsd.org)
Received: (from erwin@localhost)
by svn.freebsd.org (8.14.5/8.14.5/Submit) id r04DaWl5035180;
Fri, 4 Jan 2013 13:36:32 GMT (envelope-from erwin@svn.freebsd.org)
Message-Id: <201301041336.r04DaWl5035180@svn.freebsd.org>
From: Erwin Lansing
Date: Fri, 4 Jan 2013 13:36:32 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r245039 - in stable/8/contrib/bind9: . bin/check bin/dig
bin/dnssec bin/named bin/nsupdate doc doc/arm doc/misc lib lib/bind9
lib/bind9/include lib/bind9/include/bind9 lib/dns lib/dns/i...
X-SVN-Group: stable-8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Author: erwin
Date: Fri Jan 4 13:36:31 2013
New Revision: 245039
URL: http://svnweb.freebsd.org/changeset/base/245039
Log:
Update to 9.6-ESV-R8.
All security fixes were previously merged.
Release notes: https://kb.isc.org/article/AA-00795
Approved by: delphij (mentor)
Modified:
stable/8/contrib/bind9/CHANGES
stable/8/contrib/bind9/README
stable/8/contrib/bind9/bin/check/check-tool.c
stable/8/contrib/bind9/bin/dig/nslookup.c
stable/8/contrib/bind9/bin/dnssec/dnssec-signzone.c
stable/8/contrib/bind9/bin/named/controlconf.c
stable/8/contrib/bind9/bin/named/convertxsl.pl
stable/8/contrib/bind9/bin/named/statschannel.c
stable/8/contrib/bind9/bin/nsupdate/nsupdate.c
stable/8/contrib/bind9/configure.in
stable/8/contrib/bind9/doc/Makefile.in
stable/8/contrib/bind9/doc/arm/Bv9ARM-book.xml
stable/8/contrib/bind9/doc/arm/Bv9ARM.ch06.html
stable/8/contrib/bind9/doc/arm/Bv9ARM.pdf
stable/8/contrib/bind9/doc/misc/format-options.pl
stable/8/contrib/bind9/doc/misc/sort-options.pl
stable/8/contrib/bind9/isc-config.sh.in
stable/8/contrib/bind9/lib/Makefile.in
stable/8/contrib/bind9/lib/bind9/api
stable/8/contrib/bind9/lib/bind9/check.c
stable/8/contrib/bind9/lib/bind9/include/Makefile.in
stable/8/contrib/bind9/lib/bind9/include/bind9/Makefile.in
stable/8/contrib/bind9/lib/dns/adb.c
stable/8/contrib/bind9/lib/dns/api
stable/8/contrib/bind9/lib/dns/dnssec.c
stable/8/contrib/bind9/lib/dns/dst_openssl.h
stable/8/contrib/bind9/lib/dns/dst_parse.c
stable/8/contrib/bind9/lib/dns/dst_result.c
stable/8/contrib/bind9/lib/dns/include/Makefile.in
stable/8/contrib/bind9/lib/dns/include/dns/dnssec.h
stable/8/contrib/bind9/lib/dns/include/dns/iptable.h
stable/8/contrib/bind9/lib/dns/include/dns/log.h
stable/8/contrib/bind9/lib/dns/include/dns/stats.h
stable/8/contrib/bind9/lib/dns/include/dns/zone.h
stable/8/contrib/bind9/lib/dns/include/dst/Makefile.in
stable/8/contrib/bind9/lib/dns/include/dst/result.h
stable/8/contrib/bind9/lib/dns/log.c
stable/8/contrib/bind9/lib/dns/master.c
stable/8/contrib/bind9/lib/dns/masterdump.c
stable/8/contrib/bind9/lib/dns/openssl_link.c
stable/8/contrib/bind9/lib/dns/openssldh_link.c
stable/8/contrib/bind9/lib/dns/openssldsa_link.c
stable/8/contrib/bind9/lib/dns/opensslrsa_link.c
stable/8/contrib/bind9/lib/dns/rbtdb.c
stable/8/contrib/bind9/lib/dns/rdata.c
stable/8/contrib/bind9/lib/dns/spnego_asn1.pl
stable/8/contrib/bind9/lib/dns/zone.c
stable/8/contrib/bind9/lib/isc/alpha/Makefile.in
stable/8/contrib/bind9/lib/isc/alpha/include/Makefile.in
stable/8/contrib/bind9/lib/isc/alpha/include/isc/Makefile.in
stable/8/contrib/bind9/lib/isc/api
stable/8/contrib/bind9/lib/isc/ia64/Makefile.in
stable/8/contrib/bind9/lib/isc/ia64/include/Makefile.in
stable/8/contrib/bind9/lib/isc/ia64/include/isc/Makefile.in
stable/8/contrib/bind9/lib/isc/include/Makefile.in
stable/8/contrib/bind9/lib/isc/include/isc/file.h
stable/8/contrib/bind9/lib/isc/mem.c
stable/8/contrib/bind9/lib/isc/mips/Makefile.in
stable/8/contrib/bind9/lib/isc/mips/include/Makefile.in
stable/8/contrib/bind9/lib/isc/mips/include/isc/Makefile.in
stable/8/contrib/bind9/lib/isc/noatomic/Makefile.in
stable/8/contrib/bind9/lib/isc/noatomic/include/Makefile.in
stable/8/contrib/bind9/lib/isc/noatomic/include/isc/Makefile.in
stable/8/contrib/bind9/lib/isc/nothreads/include/Makefile.in
stable/8/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in
stable/8/contrib/bind9/lib/isc/powerpc/Makefile.in
stable/8/contrib/bind9/lib/isc/powerpc/include/Makefile.in
stable/8/contrib/bind9/lib/isc/powerpc/include/isc/Makefile.in
stable/8/contrib/bind9/lib/isc/pthreads/condition.c
stable/8/contrib/bind9/lib/isc/pthreads/include/Makefile.in
stable/8/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in
stable/8/contrib/bind9/lib/isc/sparc64/Makefile.in
stable/8/contrib/bind9/lib/isc/sparc64/include/Makefile.in
stable/8/contrib/bind9/lib/isc/sparc64/include/isc/Makefile.in
stable/8/contrib/bind9/lib/isc/unix/file.c
stable/8/contrib/bind9/lib/isc/unix/include/Makefile.in
stable/8/contrib/bind9/lib/isc/unix/include/isc/Makefile.in
stable/8/contrib/bind9/lib/isc/x86_32/Makefile.in
stable/8/contrib/bind9/lib/isc/x86_32/include/Makefile.in
stable/8/contrib/bind9/lib/isc/x86_32/include/isc/Makefile.in
stable/8/contrib/bind9/lib/isc/x86_64/Makefile.in
stable/8/contrib/bind9/lib/isc/x86_64/include/Makefile.in
stable/8/contrib/bind9/lib/isc/x86_64/include/isc/Makefile.in
stable/8/contrib/bind9/lib/isccc/api
stable/8/contrib/bind9/lib/isccc/cc.c
stable/8/contrib/bind9/lib/isccc/include/Makefile.in
stable/8/contrib/bind9/lib/isccc/include/isccc/Makefile.in
stable/8/contrib/bind9/lib/isccfg/include/Makefile.in
stable/8/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in
stable/8/contrib/bind9/lib/lwres/Makefile.in
stable/8/contrib/bind9/lib/lwres/api
stable/8/contrib/bind9/lib/lwres/getaddrinfo.c
stable/8/contrib/bind9/lib/lwres/include/Makefile.in
stable/8/contrib/bind9/lib/lwres/include/lwres/Makefile.in
stable/8/contrib/bind9/lib/lwres/man/Makefile.in
stable/8/contrib/bind9/lib/lwres/unix/Makefile.in
stable/8/contrib/bind9/lib/lwres/unix/include/Makefile.in
stable/8/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in
stable/8/contrib/bind9/make/rules.in
stable/8/contrib/bind9/version
Directory Properties:
stable/8/contrib/bind9/ (props changed)
Modified: stable/8/contrib/bind9/CHANGES
==============================================================================
--- stable/8/contrib/bind9/CHANGES Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/CHANGES Fri Jan 4 13:36:31 2013 (r245039)
@@ -1,33 +1,87 @@
- --- 9.6-ESV-R7-P4 released ---
+ --- 9.6-ESV-R8 released ---
3383. [security] A certain combination of records in the RBT could
cause named to hang while populating the additional
section of a response. [RT #31090]
- --- 9.6-ESV-R7-P3 released ---
+3373. [bug] win32: open raw files in binary mode. [RT #30944]
3364. [security] Named could die on specially crafted record.
[RT #30416]
-3358 [bug] Fix declaration of fatal in bin/named/server.c
+ --- 9.6-ESV-R8rc1 released ---
+
+3369. [bug] nsupdate terminated unexpectedly in interactive mode
+ if built with readline support. [RT #29550]
+
+3368. [bug] and were not C++ safe.
+
+3366. [bug] Fixed Read-After-Write dependency violation for IA64
+ atomic operations. [RT #25181]
+
+3365. [bug] Removed spurious newlines from log messages in
+ zone.c [RT #30675]
+
+3362. [bug] Setting some option values to 0 in named.conf
+ could trigger an assertion failure on startup.
+ [RT #27730]
+
+3360. [bug] 'host -w' could die. [RT #18723]
+
+3359. [bug] An improperly-formed TSIG secret could cause a
+ memory leak. [RT #30607]
+
+3358. [bug] Fix declaration of fatal in bin/named/server.c
and bin/nsupdate/main.c. [RT #30522]
- --- 9.6-ESV-R7-P2 released ---
+3357. [port] Add support for libxml2-2.8.x [RT #30440]
+
+ --- 9.6-ESV-R8b1 released ---
+
+3354. [func] Improve OpenSSL error logging. [RT #29932]
+
+3352. [bug] Ensure that learned server attributes timeout of the
+ adb cache. [RT #29856]
+
+3350. [bug] Memory read overrun in isc___mem_reallocate if
+ ISC_MEM_DEBUGCTX memory debugging flag is set.
+ [RT #30240]
+
+3348. [bug] Prevent RRSIG data from being cached if a negative
+ record matching the covering type exists at a higher
+ trust level. Such data already can't be retrieved from
+ the cache since change 3218 -- this prevents it
+ being inserted into the cache as well. [RT #26809]
3346. [security] Bad-cache data could be used before it was
initialized, causing an assert. [RT #30025]
-3343. [bug] Relax isc_random_jitter() REQUIRE tests. [RT #29821]
+3343. [bug] Relax isc_random_jitter() REQUIRE tests. [RT #29821]
3342. [bug] Change #3314 broke saving of stub zones to disk
resulting in excessive cpu usage in some cases.
[RT #29952]
- --- 9.6-ESV-R7-P1 released ---
+3337. [bug] Change #3294 broke support for the multiple keys
+ in controls. [RT #29694]
+
+3335. [func] nslookup: return a nonzero exit code when unable
+ to get an answer. [RT #29492]
+
+3332. [bug] Re-use cached DS rrsets if possible. [RT #29446]
3331. [security] dns_rdataslab_fromrdataset could produce bad
rdataslabs. [RT #29644]
+3329. [bug] Handle RRSIG signer-name case consistently: We
+ generate RRSIG records with the signer-name in
+ lower case. We accept them with any case, but if
+ they fail to validate, we try again in lower case.
+ [RT #27451]
+
+3328. [bug] Fixed inconsistent data checking in dst_parse.c.
+ [RT #29401]
+
--- 9.6-ESV-R7 released ---
3318. [tuning] Reduce the amount of work performed while holding a
Modified: stable/8/contrib/bind9/README
==============================================================================
--- stable/8/contrib/bind9/README Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/README Fri Jan 4 13:36:31 2013 (r245039)
@@ -48,9 +48,14 @@ BIND 9
For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
+BIND 9.6-ESV-R8 (Extended Support Version)
+
+ BIND 9.6-ESV-R8 includes several bug fixes and patches security
+ flaws described in CVE-2012-1667, CVE-2012-3817 and CVE-2012-4244.
+
BIND 9.6-ESV-R7 (Extended Support Version)
- BIND 9.4-ESV-R7 is a maintenance release, fixing bugs in BIND
+ BIND 9.6-ESV-R7 is a maintenance release, fixing bugs in BIND
9.6-ESV-R6.
BIND 9.6-ESV-R6 (Extended Support Version)
@@ -60,7 +65,7 @@ BIND 9.6-ESV-R6 (Extended Support Versio
BIND 9.6-ESV-R5 (Extended Support Version)
- BIND 9.4-ESV-R5 is a maintenance release, fixing bugs in BIND
+ BIND 9.6-ESV-R5 is a maintenance release, fixing bugs in BIND
9.6-ESV-R4.
BIND 9.6.3/BIND 9.6-ESV-R4
Modified: stable/8/contrib/bind9/bin/check/check-tool.c
==============================================================================
--- stable/8/contrib/bind9/bin/check/check-tool.c Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/bin/check/check-tool.c Fri Jan 4 13:36:31 2013 (r245039)
@@ -640,6 +640,9 @@ dump_zone(const char *zonename, dns_zone
{
isc_result_t result;
FILE *output = stdout;
+ const char *flags;
+
+ flags = (fileformat == dns_masterformat_text) ? "w+" : "wb+";
if (debug) {
if (filename != NULL && strcmp(filename, "-") != 0)
@@ -650,7 +653,7 @@ dump_zone(const char *zonename, dns_zone
}
if (filename != NULL && strcmp(filename, "-") != 0) {
- result = isc_stdio_open(filename, "w+", &output);
+ result = isc_stdio_open(filename, flags, &output);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not open output "
Modified: stable/8/contrib/bind9/bin/dig/nslookup.c
==============================================================================
--- stable/8/contrib/bind9/bin/dig/nslookup.c Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/bin/dig/nslookup.c Fri Jan 4 13:36:31 2013 (r245039)
@@ -57,6 +57,7 @@ static isc_boolean_t in_use = ISC_FALSE;
static char defclass[MXRD] = "IN";
static char deftype[MXRD] = "A";
static isc_event_t *global_event = NULL;
+static int query_error = 1, print_error = 0;
static char domainopt[DNS_NAME_MAXTEXT];
@@ -406,6 +407,9 @@ isc_result_t
printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
char servtext[ISC_SOCKADDR_FORMATSIZE];
+ /* I've we've gotten this far, we've reached a server. */
+ query_error = 0;
+
debug("printmessage()");
isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
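Review bot: The comment added at the top of printmessage() reads `/* I've we've gotten this far, we've reached a server. */`, where "I've" should be "If". This assignment is what clears the default failure exit status, so the comment is worth getting right, for example `/* If we've gotten this far, a server answered; clear the default query failure. */`. printmessage() continues outside the hunk.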
@@ -433,6 +437,9 @@ printmessage(dig_query_t *query, dns_mes
(msg->rcode != dns_rcode_nxdomain) ? nametext :
query->lookup->textname, rcode_totext(msg->rcode));
debug("returning with rcode == 0");
+
+ /* the lookup failed */
+ print_error |= 1;
return (ISC_R_SUCCESS);
}
@@ -903,5 +910,5 @@ main(int argc, char **argv) {
destroy_libs();
isc_app_finish();
- return (0);
+ return (query_error | print_error);
}
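Review bot: The exit status returned here, `query_error | print_error`, is built from two latching flags whose meaning is not documented in any of the visible hunks. As far as these hunks show, `query_error` starts at 1, is cleared by the first printmessage() call and is never set again. In a session with several lookups, a later query that reaches no server would therefore not show up in the exit code unless code outside the hunks resets the flag. A comment at the declaration (in the first nslookup.c hunk) would help anyone scripting on the exit code, e.g. `/* Exit status bits: query_error stays 1 until any server answers; print_error latches once any lookup fails. */`. main() begins outside the hunk.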
Modified: stable/8/contrib/bind9/bin/dnssec/dnssec-signzone.c
==============================================================================
--- stable/8/contrib/bind9/bin/dnssec/dnssec-signzone.c Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/bin/dnssec/dnssec-signzone.c Fri Jan 4 13:36:31 2013 (r245039)
@@ -3520,7 +3520,10 @@ main(int argc, char *argv[]) {
check_result(result, "isc_file_mktemplate");
fp = NULL;
- result = isc_file_openunique(tempfile, &fp);
+ if (outputformat == dns_masterformat_text)
+ result = isc_file_openunique(tempfile, &fp);
+ else
+ result = isc_file_bopenunique(tempfile, &fp);
if (result != ISC_R_SUCCESS)
fatal("failed to open temporary output file: %s",
isc_result_totext(result));
Modified: stable/8/contrib/bind9/bin/named/controlconf.c
==============================================================================
--- stable/8/contrib/bind9/bin/named/controlconf.c Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/bin/named/controlconf.c Fri Jan 4 13:36:31 2013 (r245039)
@@ -373,8 +373,10 @@ control_recvmessage(isc_task_t *task, is
if (result == ISC_R_SUCCESS)
break;
isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
- log_invalid(&conn->ccmsg, result);
- goto cleanup;
+ if (result != ISCCC_R_BADAUTH) {
+ log_invalid(&conn->ccmsg, result);
+ goto cleanup;
+ }
}
if (key == NULL) {
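Review bot: The new `if (result != ISCCC_R_BADAUTH)` branch has no comment saying that a bad-auth result now falls through so the next configured control key is tried, and that per-key authentication failures are no longer logged at this point. I would add `/* BADAUTH only means this key did not match; keep trying the remaining keys. */` above the test. It is also worth confirming that the `key == NULL` path after the loop, which is outside the hunk, still calls log_invalid() for the connection, so that rejected control-channel commands remain visible in the logs. The loop and the rest of control_recvmessage() start and end outside the hunk.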
Modified: stable/8/contrib/bind9/bin/named/convertxsl.pl
==============================================================================
--- stable/8/contrib/bind9/bin/named/convertxsl.pl Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/bin/named/convertxsl.pl Fri Jan 4 13:36:31 2013 (r245039)
@@ -1,6 +1,6 @@
#!/usr/bin/env perl
#
-# Copyright (C) 2006-2008 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2006-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
Modified: stable/8/contrib/bind9/bin/named/statschannel.c
==============================================================================
--- stable/8/contrib/bind9/bin/named/statschannel.c Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/bin/named/statschannel.c Fri Jan 4 13:36:31 2013 (r245039)
@@ -84,16 +84,19 @@ static const char *nsstats_desc[dns_nsst
static const char *resstats_desc[dns_resstatscounter_max];
static const char *zonestats_desc[dns_zonestatscounter_max];
static const char *sockstats_desc[isc_sockstatscounter_max];
+static const char *dnssecstats_desc[dns_dnssecstats_max];
#ifdef HAVE_LIBXML2
static const char *nsstats_xmldesc[dns_nsstatscounter_max];
static const char *resstats_xmldesc[dns_resstatscounter_max];
static const char *zonestats_xmldesc[dns_zonestatscounter_max];
static const char *sockstats_xmldesc[isc_sockstatscounter_max];
+static const char *dnssecstats_xmldesc[dns_dnssecstats_max];
#else
#define nsstats_xmldesc NULL
#define resstats_xmldesc NULL
#define zonestats_xmldesc NULL
#define sockstats_xmldesc NULL
+#define dnssecstats_xmldesc NULL
#endif /* HAVE_LIBXML2 */
#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
@@ -107,6 +110,7 @@ static int nsstats_index[dns_nsstatscoun
static int resstats_index[dns_resstatscounter_max];
static int zonestats_index[dns_zonestatscounter_max];
static int sockstats_index[isc_sockstatscounter_max];
+static int dnssecstats_index[dns_dnssecstats_max];
static inline void
set_desc(int counter, int maxcounter, const char *fdesc, const char **fdescs,
@@ -408,6 +412,33 @@ init_desc(void) {
"FDwatchRecvErr");
INSIST(i == isc_sockstatscounter_max);
+ /* Initialize DNSSEC statistics */
+ for (i = 0; i < dns_dnssecstats_max; i++)
+ dnssecstats_desc[i] = NULL;
+#ifdef HAVE_LIBXML2
+ for (i = 0; i < dns_dnssecstats_max; i++)
+ dnssecstats_xmldesc[i] = NULL;
+#endif
+
+#define SET_DNSSECSTATDESC(counterid, desc, xmldesc) \
+ do { \
+ set_desc(dns_dnssecstats_ ## counterid, \
+ dns_dnssecstats_max, \
+ desc, dnssecstats_desc,\
+ xmldesc, dnssecstats_xmldesc); \
+ dnssecstats_index[i++] = dns_dnssecstats_ ## counterid; \
+ } while (0)
+
+ i = 0;
+ SET_DNSSECSTATDESC(asis, "dnssec validation success with signer "
+ "\"as is\"", "DNSSECasis");
+ SET_DNSSECSTATDESC(downcase, "dnssec validation success with signer "
+ "lower cased", "DNSSECdowncase");
+ SET_DNSSECSTATDESC(wildcard, "dnssec validation of wildcard signature",
+ "DNSSECwild");
+ SET_DNSSECSTATDESC(fail, "dnssec validation failures", "DNSSECfail");
+ INSIST(i == dns_dnssecstats_max);
+
/* Sanity check */
for (i = 0; i < dns_nsstatscounter_max; i++)
INSIST(nsstats_desc[i] != NULL);
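Review bot: In SET_DNSSECSTATDESC the store `dnssecstats_index[i++] = ...` happens before any bounds check; `INSIST(i == dns_dnssecstats_max)` only runs after all four invocations. If a fifth counter is added later without growing the enum, the write lands past the end of `dnssecstats_index` before the assertion can fire. Putting `INSIST(i < dns_dnssecstats_max);` as the first statement inside the macro's `do { ... } while (0)` would catch that at the store. This probably follows the pattern of the existing SET_*STATDESC macros, which are outside the hunk, as is the start of init_desc().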
@@ -417,6 +448,8 @@ init_desc(void) {
INSIST(zonestats_desc[i] != NULL);
for (i = 0; i < isc_sockstatscounter_max; i++)
INSIST(sockstats_desc[i] != NULL);
+ for (i = 0; i < dns_dnssecstats_max; i++)
+ INSIST(dnssecstats_desc[i] != NULL);
#ifdef HAVE_LIBXML2
for (i = 0; i < dns_nsstatscounter_max; i++)
INSIST(nsstats_xmldesc[i] != NULL);
@@ -426,6 +459,8 @@ init_desc(void) {
INSIST(zonestats_xmldesc[i] != NULL);
for (i = 0; i < isc_sockstatscounter_max; i++)
INSIST(sockstats_xmldesc[i] != NULL);
+ for (i = 0; i < dns_dnssecstats_max; i++)
+ INSIST(dnssecstats_xmldesc[i] != NULL);
#endif
}
Modified: stable/8/contrib/bind9/bin/nsupdate/nsupdate.c
==============================================================================
--- stable/8/contrib/bind9/bin/nsupdate/nsupdate.c Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/bin/nsupdate/nsupdate.c Fri Jan 4 13:36:31 2013 (r245039)
@@ -1011,7 +1011,7 @@ parse_name(char **cmdlinep, dns_message_
isc_buffer_t source;
word = nsu_strsep(cmdlinep, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
fprintf(stderr, "could not read owner name\n");
return (STATUS_SYNTAX);
}
@@ -1044,6 +1044,11 @@ parse_rdata(char **cmdlinep, dns_rdatacl
dns_rdatacallbacks_t callbacks;
isc_result_t result;
+ if (cmdline == NULL) {
+ rdata->flags = DNS_RDATA_UPDATE;
+ return (STATUS_MORE);
+ }
+
while (*cmdline != 0 && isspace((unsigned char)*cmdline))
cmdline++;
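Review bot: The new early return for `cmdline == NULL` has no comment explaining why a missing argument yields `STATUS_MORE` with `rdata->flags = DNS_RDATA_UPDATE` rather than a syntax error. Presumably it mirrors the empty-rdata case handled later in parse_rdata(), which is outside the hunk. A short comment such as `/* Nothing left on the line: same result as empty rdata. */` would make that explicit. The declaration and initialisation of `cmdline` are also outside the hunk.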
@@ -1110,7 +1115,7 @@ make_prereq(char *cmdline, isc_boolean_t
*/
if (isrrset) {
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
fprintf(stderr, "could not read class or type\n");
goto failure;
}
@@ -1126,7 +1131,7 @@ make_prereq(char *cmdline, isc_boolean_t
* Now read the type.
*/
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
fprintf(stderr, "could not read type\n");
goto failure;
}
@@ -1200,7 +1205,7 @@ evaluate_prereq(char *cmdline) {
ddebug("evaluate_prereq()");
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
fprintf(stderr, "could not read operation code\n");
return (STATUS_SYNTAX);
}
@@ -1229,14 +1234,14 @@ evaluate_server(char *cmdline) {
long port;
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
fprintf(stderr, "could not read server name\n");
return (STATUS_SYNTAX);
}
server = word;
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0)
+ if (word == NULL || *word == 0)
port = DNSDEFAULTPORT;
else {
char *endp;
@@ -1270,14 +1275,14 @@ evaluate_local(char *cmdline) {
struct in6_addr in6;
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
fprintf(stderr, "could not read server name\n");
return (STATUS_SYNTAX);
}
local = word;
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0)
+ if (word == NULL || *word == 0)
port = 0;
else {
char *endp;
@@ -1326,7 +1331,7 @@ evaluate_key(char *cmdline) {
char *n;
namestr = nsu_strsep(&cmdline, " \t\r\n");
- if (*namestr == 0) {
+ if (namestr == NULL || *namestr == 0) {
fprintf(stderr, "could not read key name\n");
return (STATUS_SYNTAX);
}
@@ -1350,7 +1355,7 @@ evaluate_key(char *cmdline) {
}
secretstr = nsu_strsep(&cmdline, "\r\n");
- if (*secretstr == 0) {
+ if (secretstr == NULL || *secretstr == 0) {
fprintf(stderr, "could not read key secret\n");
return (STATUS_SYNTAX);
}
@@ -1391,7 +1396,7 @@ evaluate_zone(char *cmdline) {
isc_result_t result;
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
fprintf(stderr, "could not read zone name\n");
return (STATUS_SYNTAX);
}
@@ -1418,7 +1423,7 @@ evaluate_realm(char *cmdline) {
char buf[1024];
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
if (realm != NULL)
isc_mem_free(mctx, realm);
realm = NULL;
@@ -1443,7 +1448,7 @@ evaluate_ttl(char *cmdline) {
isc_uint32_t ttl;
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
fprintf(stderr, "could not ttl\n");
return (STATUS_SYNTAX);
}
@@ -1477,7 +1482,7 @@ evaluate_class(char *cmdline) {
dns_rdataclass_t rdclass;
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
fprintf(stderr, "could not read class name\n");
return (STATUS_SYNTAX);
}
@@ -1535,7 +1540,7 @@ update_addordelete(char *cmdline, isc_bo
* If it's a delete, ignore a TTL if present (for compatibility).
*/
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
if (!isdelete) {
fprintf(stderr, "could not read owner ttl\n");
goto failure;
@@ -1576,7 +1581,7 @@ update_addordelete(char *cmdline, isc_bo
*/
word = nsu_strsep(&cmdline, " \t\r\n");
parseclass:
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
if (isdelete) {
rdataclass = dns_rdataclass_any;
rdatatype = dns_rdatatype_any;
@@ -1600,7 +1605,7 @@ update_addordelete(char *cmdline, isc_bo
* Now read the type.
*/
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
if (isdelete) {
rdataclass = dns_rdataclass_any;
rdatatype = dns_rdatatype_any;
@@ -1680,7 +1685,7 @@ evaluate_update(char *cmdline) {
ddebug("evaluate_update()");
word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
+ if (word == NULL || *word == 0) {
fprintf(stderr, "could not read operation code\n");
return (STATUS_SYNTAX);
}
@@ -1770,6 +1775,7 @@ get_next_command(void) {
char cmdlinebuf[MAXCMD];
char *cmdline;
char *word;
+ char *tmp;
ddebug("get_next_command()");
if (interactive) {
@@ -1781,11 +1787,18 @@ get_next_command(void) {
isc_app_unblock();
if (cmdline == NULL)
return (STATUS_QUIT);
+
+ /*
+ * Normalize input by removing any eol.
+ */
+ tmp = cmdline;
+ (void)nsu_strsep(&tmp, "\r\n");
+
word = nsu_strsep(&cmdline, " \t\r\n");
if (feof(input))
return (STATUS_QUIT);
- if (*word == 0)
+ if (word == NULL || *word == 0)
return (STATUS_SEND);
if (word[0] == ';')
return (STATUS_MORE);
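Review bot: The comment `Normalize input by removing any eol.` above `(void)nsu_strsep(&tmp, "\r\n");` does not say that the line is truncated in place at the first CR or LF. Nor does it say that this is presumably what makes later nsu_strsep() calls return NULL at the end of a line. That consequence is the reason for the `word == NULL ||` guards added throughout this file (parse_name, make_prereq, the evaluate_* functions, update_addordelete), so it deserves a sentence here. For example: `/* Strip the trailing EOL in place. After the last token nsu_strsep() may then return NULL, so every caller must test for NULL before dereferencing. */`. nsu_strsep() itself is not visible in this diff, so its exact return behaviour should be checked against its definition.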
Modified: stable/8/contrib/bind9/configure.in
==============================================================================
--- stable/8/contrib/bind9/configure.in Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/configure.in Fri Jan 4 13:36:31 2013 (r245039)
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -1090,7 +1090,7 @@ case "$use_libxml2" in
;;
auto|yes)
case X`(xml2-config --version) 2>/dev/null` in
- X2.[[67]].*)
+ X2.[[678]].*)
libxml2_libs=`xml2-config --libs`
libxml2_cflags=`xml2-config --cflags`
;;
Modified: stable/8/contrib/bind9/doc/Makefile.in
==============================================================================
--- stable/8/contrib/bind9/doc/Makefile.in Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/doc/Makefile.in Fri Jan 4 13:36:31 2013 (r245039)
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
Modified: stable/8/contrib/bind9/doc/arm/Bv9ARM-book.xml
==============================================================================
--- stable/8/contrib/bind9/doc/arm/Bv9ARM-book.xml Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/doc/arm/Bv9ARM-book.xml Fri Jan 4 13:36:31 2013 (r245039)
@@ -9978,7 +9978,7 @@ zone zone_nameidentity
+ is specified in the identity
field.
@@ -9995,7 +9995,7 @@ zone zone_nameidentity field.
+ identity field.
@@ -10010,7 +10010,7 @@ zone zone_nameidentity
+ is specified in the identity
field.
@@ -10027,7 +10027,7 @@ zone zone_nameidentity field.
+ identity field.
Modified: stable/8/contrib/bind9/doc/arm/Bv9ARM.ch06.html
==============================================================================
--- stable/8/contrib/bind9/doc/arm/Bv9ARM.ch06.html Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/doc/arm/Bv9ARM.ch06.html Fri Jan 4 13:36:31 2013 (r245039)
@@ -6255,7 +6255,7 @@ zone zone_
(machine$@REALM) for machine in REALM and
and converts it machine.realm allowing the machine
to update machine.realm. The REALM to be matched
- is specified in the <replacable>identity</replacable>
+ is specified in the identity
field.
@@ -6273,7 +6273,7 @@ zone zone_
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
to be matched is specified in the
- <replacable>identity</replacable> field.
+ identity
field.
@@ -6289,7 +6289,7 @@ zone zone_
(host/machine@REALM) for machine in REALM and
and converts it machine.realm allowing the machine
to update machine.realm. The REALM to be matched
- is specified in the <replacable>identity</replacable>
+ is specified in the identity
field.
@@ -6307,7 +6307,7 @@ zone zone_
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
to be matched is specified in the
- <replacable>identity</replacable> field.
+ identity
field.
Modified: stable/8/contrib/bind9/doc/arm/Bv9ARM.pdf
==============================================================================
Binary file (source and/or target). No diff available.
Modified: stable/8/contrib/bind9/doc/misc/format-options.pl
==============================================================================
--- stable/8/contrib/bind9/doc/misc/format-options.pl Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/doc/misc/format-options.pl Fri Jan 4 13:36:31 2013 (r245039)
@@ -1,6 +1,6 @@
#!/usr/bin/perl
#
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
Modified: stable/8/contrib/bind9/doc/misc/sort-options.pl
==============================================================================
--- stable/8/contrib/bind9/doc/misc/sort-options.pl Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/doc/misc/sort-options.pl Fri Jan 4 13:36:31 2013 (r245039)
@@ -1,6 +1,6 @@
#!/bin/perl
#
-# Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
Modified: stable/8/contrib/bind9/isc-config.sh.in
==============================================================================
--- stable/8/contrib/bind9/isc-config.sh.in Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/isc-config.sh.in Fri Jan 4 13:36:31 2013 (r245039)
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
Modified: stable/8/contrib/bind9/lib/Makefile.in
==============================================================================
--- stable/8/contrib/bind9/lib/Makefile.in Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/lib/Makefile.in Fri Jan 4 13:36:31 2013 (r245039)
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001, 2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
Modified: stable/8/contrib/bind9/lib/bind9/api
==============================================================================
--- stable/8/contrib/bind9/lib/bind9/api Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/lib/bind9/api Fri Jan 4 13:36:31 2013 (r245039)
@@ -4,5 +4,5 @@
# 9.8: 80-89
# 9.9: 90-109
LIBINTERFACE = 50
-LIBREVISION = 7
+LIBREVISION = 9
LIBAGE = 0
Modified: stable/8/contrib/bind9/lib/bind9/check.c
==============================================================================
--- stable/8/contrib/bind9/lib/bind9/check.c Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/lib/bind9/check.c Fri Jan 4 13:36:31 2013 (r245039)
@@ -287,10 +287,6 @@ disabled_algorithms(const cfg_obj_t *dis
tresult = dns_secalg_fromtext(&alg, &r);
if (tresult != ISC_R_SUCCESS) {
- isc_uint8_t ui;
- result = isc_parse_uint8(&ui, r.base, 10);
- }
- if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(cfg_listelt_value(element), logctx,
ISC_LOG_ERROR, "invalid algorithm '%s'",
r.base);
@@ -1028,6 +1024,29 @@ typedef struct {
} optionstable;
static isc_result_t
+check_nonzero(const cfg_obj_t *options, isc_log_t *logctx) {
+ isc_result_t result = ISC_R_SUCCESS;
+ const cfg_obj_t *obj = NULL;
+ unsigned int i;
+
+ static const char *nonzero[] = { "max-retry-time", "min-retry-time",
+ "max-refresh-time", "min-refresh-time" };
+ /*
+ * Check if value is zero.
+ */
+ for (i = 0; i < sizeof(nonzero) / sizeof(nonzero[0]); i++) {
+ obj = NULL;
+ if (cfg_map_get(options, nonzero[i], &obj) == ISC_R_SUCCESS &&
+ cfg_obj_asuint32(obj) == 0) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "'%s' must not be zero", nonzero[i]);
+ result = ISC_R_FAILURE;
+ }
+ }
+ return (result);
+}
+
+static isc_result_t
check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
const cfg_obj_t *config, isc_symtab_t *symtab,
dns_rdataclass_t defclass, cfg_aclconfctx_t *actx,
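Review bot: check_nonzero() is added without a header comment, and its inline comment `Check if value is zero.` does not explain why zero is rejected. The CHANGES entry 3362 in this commit says a zero value for some options could trigger an assertion failure on startup, and that reason belongs on the function, e.g. `/* Reject a zero value for the refresh/retry limits; zero would otherwise trip an assertion at startup (change 3362). */`. The call `cfg_obj_asuint32(obj)` assumes every name in `nonzero[]` is a uint32 option in the grammar, which should be confirmed before another name is added to the list. The table could also be declared `static const char *const nonzero[]`, since it is never modified.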
@@ -1036,7 +1055,7 @@ check_zoneconf(const cfg_obj_t *zconfig,
const char *zname;
const char *typestr;
unsigned int ztype;
- const cfg_obj_t *zoptions;
+ const cfg_obj_t *zoptions, *goptions = NULL;
const cfg_obj_t *obj = NULL;
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
@@ -1105,9 +1124,11 @@ check_zoneconf(const cfg_obj_t *zconfig,
};
zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
-
zoptions = cfg_tuple_get(zconfig, "options");
+ if (config != NULL)
+ cfg_map_get(config, "options", &goptions);
+
obj = NULL;
(void)cfg_map_get(zoptions, "type", &obj);
if (obj == NULL) {
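Review bot: The new `cfg_map_get(config, "options", &goptions);` drops its return value silently, while the lookup just below it is written `(void)cfg_map_get(zoptions, "type", &obj);`. Writing `(void)cfg_map_get(config, "options", &goptions);` keeps the file's convention for results that are ignored on purpose. None of the check_zoneconf hunks shown here reads `goptions` afterwards; if nothing outside them does either, the variable and the lookup can be dropped. The function body continues outside this hunk.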
@@ -1188,6 +1209,12 @@ check_zoneconf(const cfg_obj_t *zconfig,
}
/*
+ * Check if value is zero.
+ */
+ if (check_nonzero(zoptions, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+
+ /*
* Look for inappropriate options for the given zone type.
* Check that ACLs expand correctly.
*/
@@ -1760,10 +1787,16 @@ check_viewconf(const cfg_obj_t *config,
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult = ISC_R_SUCCESS;
cfg_aclconfctx_t actx;
+ const cfg_obj_t *options = NULL;
const cfg_obj_t *obj;
isc_boolean_t enablednssec, enablevalidation;
/*
+ * Get global options block.
+ */
+ (void)cfg_map_get(config, "options", &options);
+
+ /*
* Check that all zone statements are syntactically correct and
* there are no duplicate zones.
*/
@@ -1798,8 +1831,6 @@ check_viewconf(const cfg_obj_t *config,
* Check that forwarding is reasonable.
*/
if (voptions == NULL) {
- const cfg_obj_t *options = NULL;
- (void)cfg_map_get(config, "options", &options);
if (options != NULL)
if (check_forward(options, NULL,
logctx) != ISC_R_SUCCESS)
@@ -1810,11 +1841,17 @@ check_viewconf(const cfg_obj_t *config,
}
/*
+ * Check non-zero options at the global and view levels.
+ */
+ if (options != NULL && check_nonzero(options, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ if (voptions != NULL &&check_nonzero(voptions, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+
+ /*
* Check that dual-stack-servers is reasonable.
*/
if (voptions == NULL) {
- const cfg_obj_t *options = NULL;
- (void)cfg_map_get(config, "options", &options);
if (options != NULL)
if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
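Review bot: The global `options` block is passed to check_nonzero() on every call, unlike check_forward() and check_dual_stack() around it, which only look at `options` when `voptions == NULL`. If check_viewconf() runs once per view (its caller is not in this diff), a zero value in the global block is logged once for each view. Either do the global check once in the caller or state the behaviour in the comment, e.g. `/* Global options are re-checked on every call, so an error there repeats per view. */`. The second condition is also missing a space after `&&`: `if (voptions != NULL && check_nonzero(voptions, logctx) != ISC_R_SUCCESS)`.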
@@ -1838,15 +1875,15 @@ check_viewconf(const cfg_obj_t *config,
tresult = isc_symtab_create(mctx, 1000, freekey, mctx,
ISC_FALSE, &symtab);
if (tresult != ISC_R_SUCCESS)
- return (ISC_R_NOMEMORY);
+ goto cleanup;
(void)cfg_map_get(config, "key", &keys);
tresult = check_keylist(keys, symtab, mctx, logctx);
if (tresult == ISC_R_EXISTS)
result = ISC_R_FAILURE;
else if (tresult != ISC_R_SUCCESS) {
- isc_symtab_destroy(&symtab);
- return (tresult);
+ result = tresult;
+ goto cleanup;
}
if (voptions != NULL) {
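Review bot: The first `goto cleanup;` in this hunk, taken when isc_symtab_create() fails, does not store the failure in `result`, so the function returns whatever `result` held at that point, which can still be ISC_R_SUCCESS; the line it replaces returned ISC_R_NOMEMORY. A configuration check could then report success although the key checks never ran. The other converted paths (the second one here and the one in the `@@ -1856,8 +1893,8 @@` hunk) assign `result = tresult;` first, and this one should as well: `if (tresult != ISC_R_SUCCESS) { result = tresult; goto cleanup; }`. The `cleanup:` label and the initialisation of `symtab` lie outside this hunk.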
@@ -1856,8 +1893,8 @@ check_viewconf(const cfg_obj_t *config,
if (tresult == ISC_R_EXISTS)
result = ISC_R_FAILURE;
else if (tresult != ISC_R_SUCCESS) {
- isc_symtab_destroy(&symtab);
- return (tresult);
+ result = tresult;
+ goto cleanup;
}
}
@@ -1939,6 +1976,9 @@ check_viewconf(const cfg_obj_t *config,
if (tresult != ISC_R_SUCCESS)
result = tresult;
+ cleanup:
+ if (symtab != NULL)
+ isc_symtab_destroy(&symtab);
cfg_aclconfctx_destroy(&actx);
return (result);
Modified: stable/8/contrib/bind9/lib/bind9/include/Makefile.in
==============================================================================
--- stable/8/contrib/bind9/lib/bind9/include/Makefile.in Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/lib/bind9/include/Makefile.in Fri Jan 4 13:36:31 2013 (r245039)
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
Modified: stable/8/contrib/bind9/lib/bind9/include/bind9/Makefile.in
==============================================================================
--- stable/8/contrib/bind9/lib/bind9/include/bind9/Makefile.in Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/lib/bind9/include/bind9/Makefile.in Fri Jan 4 13:36:31 2013 (r245039)
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
Modified: stable/8/contrib/bind9/lib/dns/adb.c
==============================================================================
--- stable/8/contrib/bind9/lib/dns/adb.c Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/lib/dns/adb.c Fri Jan 4 13:36:31 2013 (r245039)
@@ -3430,8 +3430,10 @@ dns_adb_adjustsrtt(dns_adb_t *adb, dns_a
addr->entry->srtt = new_srtt;
addr->srtt = new_srtt;
- isc_stdtime_get(&now);
- addr->entry->expires = now + ADB_ENTRY_WINDOW;
+ if (addr->entry->expires == 0) {
+ isc_stdtime_get(&now);
+ addr->entry->expires = now + ADB_ENTRY_WINDOW;
+ }
UNLOCK(&adb->entrylocks[bucket]);
}
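Review bot: The same four-line `if (…->expires == 0) { isc_stdtime_get(&now); … }` block is pasted here and again in the dns_adb_changeflags and dns_adb_freeaddrinfo hunks, and none of the three copies says what an `expires` of 0 stands for. A single static helper with one comment would keep the three sites from drifting apart and would remove the extra `now` local added to dns_adb_changeflags. The comment should state that 0 is treated as "no expiry set yet", which is inferred from the guard and should be confirmed against the rest of adb.c. All three call sites run with the entry's bucket lock held, and the helper below assumes that. The enclosing functions start outside their hunks.

```c
/* Start the expiry window only if none is running; caller holds the entry's bucket lock. */
static inline void
start_entry_window(dns_adbentry_t *entry) {
	isc_stdtime_t now;

	if (entry->expires == 0) {
		isc_stdtime_get(&now);
		entry->expires = now + ADB_ENTRY_WINDOW;
	}
}

/* … unchanged: srtt update in dns_adb_adjustsrtt … */
	start_entry_window(addr->entry);
	UNLOCK(&adb->entrylocks[bucket]);
```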
@@ -3441,6 +3443,7 @@ dns_adb_changeflags(dns_adb_t *adb, dns_
unsigned int bits, unsigned int mask)
{
int bucket;
+ isc_stdtime_t now;
REQUIRE(DNS_ADB_VALID(adb));
REQUIRE(DNS_ADBADDRINFO_VALID(addr));
@@ -3449,6 +3452,11 @@ dns_adb_changeflags(dns_adb_t *adb, dns_
LOCK(&adb->entrylocks[bucket]);
addr->entry->flags = (addr->entry->flags & ~mask) | (bits & mask);
+ if (addr->entry->expires == 0) {
+ isc_stdtime_get(&now);
+ addr->entry->expires = now + ADB_ENTRY_WINDOW;
+ }
+
/*
* Note that we do not update the other bits in addr->flags with
* the most recent values from addr->entry->flags.
@@ -3527,15 +3535,16 @@ dns_adb_freeaddrinfo(dns_adb_t *adb, dns
entry = addr->entry;
REQUIRE(DNS_ADBENTRY_VALID(entry));
- isc_stdtime_get(&now);
-
*addrp = NULL;
overmem = isc_mem_isovermem(adb->mctx);
bucket = addr->entry->lock_bucket;
LOCK(&adb->entrylocks[bucket]);
- entry->expires = now + ADB_ENTRY_WINDOW;
+ if (entry->expires == 0) {
+ isc_stdtime_get(&now);
+ entry->expires = now + ADB_ENTRY_WINDOW;
+ }
want_check_exit = dec_entry_refcnt(adb, overmem, entry, ISC_FALSE);
Modified: stable/8/contrib/bind9/lib/dns/api
==============================================================================
--- stable/8/contrib/bind9/lib/dns/api Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/lib/dns/api Fri Jan 4 13:36:31 2013 (r245039)
@@ -3,6 +3,6 @@
# 9.7: 60-79
# 9.8: 80-89
# 9.9: 90-109
-LIBINTERFACE = 110
+LIBINTERFACE = 111
LIBREVISION = 2
-LIBAGE = 0
+LIBAGE = 1
Modified: stable/8/contrib/bind9/lib/dns/dnssec.c
==============================================================================
--- stable/8/contrib/bind9/lib/dns/dnssec.c Fri Jan 4 12:06:59 2013 (r245038)
+++ stable/8/contrib/bind9/lib/dns/dnssec.c Fri Jan 4 13:36:31 2013 (r245039)
@@ -35,16 +35,20 @@
#include
#include
#include
+#include
#include
#include
#include
#include
#include
#include
+#include
#include /* for DNS_TSIG_FUDGE */
#include
+LIBDNS_EXTERNAL_DATA isc_stats_t *dns_dnssec_stats;
+
#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
#define RETERR(x) do { \
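Review bot: `dns_dnssec_stats` is introduced as an exported, writable global with no comment on who assigns it or when, and inc_stat() in the next hunk reads it without any lock. If the pointer can be attached or detached while signing or verification is running on another thread, that read races with the update; nothing in the visible hunks shows whether that can happen. At minimum the declaration should carry the contract, for example `/* Set once before any DNSSEC operation starts and cleared only after they have all stopped; NULL disables counting. */`, with the wording adjusted to whatever the setter outside this diff really guarantees.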
@@ -74,6 +78,12 @@ digest_callback(void *arg, isc_region_t
return (dst_context_adddata(ctx, data));
}
+static inline void
+inc_stat(isc_statscounter_t counter) {
+ if (dns_dnssec_stats != NULL)
+ isc_stats_increment(dns_dnssec_stats, counter);
+}
+
/*
* Make qsort happy.
*/
@@ -150,7 +160,9 @@ dns_dnssec_keyfromrdata(dns_name_t *name
}
static isc_result_t
-digest_sig(dst_context_t *ctx, dns_rdata_t *sigrdata, dns_rdata_rrsig_t *sig) {
+digest_sig(dst_context_t *ctx, isc_boolean_t downcase, dns_rdata_t *sigrdata,
+ dns_rdata_rrsig_t *rrsig)
+{
isc_region_t r;
isc_result_t ret;
dns_fixedname_t fname;
@@ -162,11 +174,16 @@ digest_sig(dst_context_t *ctx, dns_rdata
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
return (ret);
- dns_fixedname_init(&fname);
- RUNTIME_CHECK(dns_name_downcase(&sig->signer,
- dns_fixedname_name(&fname), NULL)
- == ISC_R_SUCCESS);
- dns_name_toregion(dns_fixedname_name(&fname), &r);
+ if (downcase) {
+ dns_fixedname_init(&fname);
+
+ RUNTIME_CHECK(dns_name_downcase(&rrsig->signer,
+ dns_fixedname_name(&fname),
+ NULL) == ISC_R_SUCCESS);
+ dns_name_toregion(dns_fixedname_name(&fname), &r);
+ } else
+ dns_name_toregion(&rrsig->signer, &r);
+
return (dst_context_adddata(ctx, &r));
}
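Review bot: digest_sig() gains a `downcase` flag that decides which form of the signer name goes into the digest, but nothing documents when a caller may pass ISC_FALSE. The signing path in the `@@ -256,7 +280,7 @@` hunk passes ISC_FALSE and is only correct because the `@@ -215,8 +233,14 @@` hunk lowercases `sig.signer` beforehand, a dependency that is easy to break later. I would add above the function `/* If 'downcase' is true the signer name is lowercased before it is digested; otherwise rrsig->signer is digested exactly as given, so the caller must already hold it in the form to be hashed. */`. The new `else` branch is also unbraced while its `if` is braced; `} else {` with a closing brace would match.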
@@ -188,6 +205,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rd
isc_uint32_t flags;
unsigned int sigsize;
dns_fixedname_t fnewname;
+ dns_fixedname_t fsigner;
REQUIRE(name != NULL);
REQUIRE(dns_name_countlabels(name) <= 255);
@@ -215,8 +233,14 @@ dns_dnssec_sign(dns_name_t *name, dns_rd
sig.common.rdtype = dns_rdatatype_rrsig;
ISC_LINK_INIT(&sig.common, link);
+ /*
+ * Downcase signer.
+ */
dns_name_init(&sig.signer, NULL);
- dns_name_clone(dst_key_name(key), &sig.signer);
+ dns_fixedname_init(&fsigner);
+ RUNTIME_CHECK(dns_name_downcase(dst_key_name(key),
+ dns_fixedname_name(&fsigner), NULL) == ISC_R_SUCCESS);
+ dns_name_clone(dns_fixedname_name(&fsigner), &sig.signer);
sig.covered = set->type;
sig.algorithm = dst_key_alg(key);
@@ -256,7 +280,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rd
/*
* Digest the SIG rdata.
*/
- ret = digest_sig(ctx, &tmpsigrdata, &sig);
+ ret = digest_sig(ctx, ISC_FALSE, &tmpsigrdata, &sig);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***