svn commit: r281273 - in stable/9: contrib/bind9 contrib/bind9/bin/check contrib/bind9/bin/dig contrib/bind9/bin/dig/include/dig contrib/bind9/bin/dnssec contrib/bind9/bin/named contrib/bind9/bin/n...
Xin LI
delphij at FreeBSD.org
Wed Apr 8 19:49:43 UTC 2015
Author: delphij
Date: Wed Apr 8 19:49:38 2015
New Revision: 281273
URL: https://svnweb.freebsd.org/changeset/base/281273
Log:
Update BIND to 9.9.7.
This is a direct commit to stable/9 because BIND is no longer in -HEAD.
Added:
stable/9/contrib/bind9/doc/arm/Bv9ARM.ch11.html
- copied unchanged from r281268, vendor/bind9/dist/doc/arm/Bv9ARM.ch11.html
stable/9/contrib/bind9/doc/arm/Bv9ARM.ch12.html
- copied unchanged from r281268, vendor/bind9/dist/doc/arm/Bv9ARM.ch12.html
stable/9/contrib/bind9/doc/arm/Bv9ARM.ch13.html
- copied unchanged from r281268, vendor/bind9/dist/doc/arm/Bv9ARM.ch13.html
stable/9/contrib/bind9/doc/arm/notes-wrapper.xml
- copied unchanged from r281268, vendor/bind9/dist/doc/arm/notes-wrapper.xml
stable/9/contrib/bind9/doc/arm/notes.html
- copied unchanged from r281268, vendor/bind9/dist/doc/arm/notes.html
stable/9/contrib/bind9/doc/arm/notes.pdf
- copied unchanged from r281268, vendor/bind9/dist/doc/arm/notes.pdf
stable/9/contrib/bind9/doc/arm/notes.xml
- copied unchanged from r281268, vendor/bind9/dist/doc/arm/notes.xml
stable/9/contrib/bind9/lib/dns/rdata/generic/openpgpkey_61.c
- copied unchanged from r281268, vendor/bind9/dist/lib/dns/rdata/generic/openpgpkey_61.c
stable/9/contrib/bind9/lib/dns/rdata/generic/openpgpkey_61.h
- copied unchanged from r281268, vendor/bind9/dist/lib/dns/rdata/generic/openpgpkey_61.h
Modified:
stable/9/contrib/bind9/CHANGES
stable/9/contrib/bind9/COPYRIGHT
stable/9/contrib/bind9/FAQ.xml
stable/9/contrib/bind9/README
stable/9/contrib/bind9/bin/check/named-checkconf.c
stable/9/contrib/bind9/bin/dig/dig.1
stable/9/contrib/bind9/bin/dig/dig.docbook
stable/9/contrib/bind9/bin/dig/dig.html
stable/9/contrib/bind9/bin/dig/dighost.c
stable/9/contrib/bind9/bin/dig/host.c
stable/9/contrib/bind9/bin/dig/include/dig/dig.h
stable/9/contrib/bind9/bin/dig/nslookup.c
stable/9/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
stable/9/contrib/bind9/bin/dnssec/dnssec-importkey.c
stable/9/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c
stable/9/contrib/bind9/bin/dnssec/dnssec-keygen.8
stable/9/contrib/bind9/bin/dnssec/dnssec-keygen.c
stable/9/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
stable/9/contrib/bind9/bin/dnssec/dnssec-keygen.html
stable/9/contrib/bind9/bin/dnssec/dnssec-settime.8
stable/9/contrib/bind9/bin/dnssec/dnssec-settime.c
stable/9/contrib/bind9/bin/dnssec/dnssec-settime.docbook
stable/9/contrib/bind9/bin/dnssec/dnssec-settime.html
stable/9/contrib/bind9/bin/dnssec/dnssec-signzone.c
stable/9/contrib/bind9/bin/dnssec/dnssec-verify.c
stable/9/contrib/bind9/bin/dnssec/dnssectool.c
stable/9/contrib/bind9/bin/dnssec/dnssectool.h
stable/9/contrib/bind9/bin/named/client.c
stable/9/contrib/bind9/bin/named/config.c
stable/9/contrib/bind9/bin/named/include/named/globals.h
stable/9/contrib/bind9/bin/named/interfacemgr.c
stable/9/contrib/bind9/bin/named/main.c
stable/9/contrib/bind9/bin/named/named.html
stable/9/contrib/bind9/bin/named/query.c
stable/9/contrib/bind9/bin/named/server.c
stable/9/contrib/bind9/bin/named/update.c
stable/9/contrib/bind9/bin/named/zoneconf.c
stable/9/contrib/bind9/bin/nsupdate/nsupdate.c
stable/9/contrib/bind9/bin/rndc/rndc.c
stable/9/contrib/bind9/config.h.in
stable/9/contrib/bind9/configure.in
stable/9/contrib/bind9/doc/arm/Bv9ARM-book.xml
stable/9/contrib/bind9/doc/arm/Bv9ARM.ch01.html
stable/9/contrib/bind9/doc/arm/Bv9ARM.ch02.html
stable/9/contrib/bind9/doc/arm/Bv9ARM.ch03.html
stable/9/contrib/bind9/doc/arm/Bv9ARM.ch04.html
stable/9/contrib/bind9/doc/arm/Bv9ARM.ch05.html
stable/9/contrib/bind9/doc/arm/Bv9ARM.ch06.html
stable/9/contrib/bind9/doc/arm/Bv9ARM.ch07.html
stable/9/contrib/bind9/doc/arm/Bv9ARM.ch08.html
stable/9/contrib/bind9/doc/arm/Bv9ARM.ch09.html
stable/9/contrib/bind9/doc/arm/Bv9ARM.ch10.html
stable/9/contrib/bind9/doc/arm/Bv9ARM.html
stable/9/contrib/bind9/doc/arm/Bv9ARM.pdf
stable/9/contrib/bind9/doc/arm/Makefile.in
stable/9/contrib/bind9/doc/arm/dnssec.xml
stable/9/contrib/bind9/doc/arm/man.arpaname.html
stable/9/contrib/bind9/doc/arm/man.ddns-confgen.html
stable/9/contrib/bind9/doc/arm/man.dig.html
stable/9/contrib/bind9/doc/arm/man.dnssec-checkds.html
stable/9/contrib/bind9/doc/arm/man.dnssec-coverage.html
stable/9/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
stable/9/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
stable/9/contrib/bind9/doc/arm/man.dnssec-keygen.html
stable/9/contrib/bind9/doc/arm/man.dnssec-revoke.html
stable/9/contrib/bind9/doc/arm/man.dnssec-settime.html
stable/9/contrib/bind9/doc/arm/man.dnssec-signzone.html
stable/9/contrib/bind9/doc/arm/man.dnssec-verify.html
stable/9/contrib/bind9/doc/arm/man.genrandom.html
stable/9/contrib/bind9/doc/arm/man.host.html
stable/9/contrib/bind9/doc/arm/man.isc-hmac-fixup.html
stable/9/contrib/bind9/doc/arm/man.named-checkconf.html
stable/9/contrib/bind9/doc/arm/man.named-checkzone.html
stable/9/contrib/bind9/doc/arm/man.named-journalprint.html
stable/9/contrib/bind9/doc/arm/man.named.html
stable/9/contrib/bind9/doc/arm/man.nsec3hash.html
stable/9/contrib/bind9/doc/arm/man.nsupdate.html
stable/9/contrib/bind9/doc/arm/man.rndc-confgen.html
stable/9/contrib/bind9/doc/arm/man.rndc.conf.html
stable/9/contrib/bind9/doc/arm/man.rndc.html
stable/9/contrib/bind9/lib/bind9/api
stable/9/contrib/bind9/lib/bind9/check.c
stable/9/contrib/bind9/lib/bind9/getaddresses.c
stable/9/contrib/bind9/lib/dns/adb.c
stable/9/contrib/bind9/lib/dns/api
stable/9/contrib/bind9/lib/dns/diff.c
stable/9/contrib/bind9/lib/dns/dispatch.c
stable/9/contrib/bind9/lib/dns/gen.c
stable/9/contrib/bind9/lib/dns/include/dns/dispatch.h
stable/9/contrib/bind9/lib/dns/include/dns/log.h
stable/9/contrib/bind9/lib/dns/include/dns/rbt.h
stable/9/contrib/bind9/lib/dns/include/dns/request.h
stable/9/contrib/bind9/lib/dns/journal.c
stable/9/contrib/bind9/lib/dns/keytable.c
stable/9/contrib/bind9/lib/dns/log.c
stable/9/contrib/bind9/lib/dns/master.c
stable/9/contrib/bind9/lib/dns/masterdump.c
stable/9/contrib/bind9/lib/dns/message.c
stable/9/contrib/bind9/lib/dns/name.c
stable/9/contrib/bind9/lib/dns/nsec3.c
stable/9/contrib/bind9/lib/dns/openssldh_link.c
stable/9/contrib/bind9/lib/dns/opensslecdsa_link.c
stable/9/contrib/bind9/lib/dns/opensslgost_link.c
stable/9/contrib/bind9/lib/dns/private.c
stable/9/contrib/bind9/lib/dns/rbt.c
stable/9/contrib/bind9/lib/dns/rbtdb.c
stable/9/contrib/bind9/lib/dns/rdata.c
stable/9/contrib/bind9/lib/dns/rdata/generic/cdnskey_60.c
stable/9/contrib/bind9/lib/dns/rdata/generic/cds_59.c
stable/9/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c
stable/9/contrib/bind9/lib/dns/rdata/generic/nsec3_50.c
stable/9/contrib/bind9/lib/dns/rdata/generic/opt_41.c
stable/9/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
stable/9/contrib/bind9/lib/dns/rdata/generic/sig_24.c
stable/9/contrib/bind9/lib/dns/rdata/generic/spf_99.h
stable/9/contrib/bind9/lib/dns/rdata/generic/txt_16.c
stable/9/contrib/bind9/lib/dns/rdataset.c
stable/9/contrib/bind9/lib/dns/request.c
stable/9/contrib/bind9/lib/dns/resolver.c
stable/9/contrib/bind9/lib/dns/rootns.c
stable/9/contrib/bind9/lib/dns/spnego_asn1.c
stable/9/contrib/bind9/lib/dns/tkey.c
stable/9/contrib/bind9/lib/dns/tsig.c
stable/9/contrib/bind9/lib/dns/validator.c
stable/9/contrib/bind9/lib/dns/zone.c
stable/9/contrib/bind9/lib/dns/zt.c
stable/9/contrib/bind9/lib/export/isc/Makefile.in
stable/9/contrib/bind9/lib/export/isc/unix/Makefile.in
stable/9/contrib/bind9/lib/export/samples/nsprobe.c
stable/9/contrib/bind9/lib/export/samples/sample-request.c
stable/9/contrib/bind9/lib/export/samples/sample-update.c
stable/9/contrib/bind9/lib/irs/getnameinfo.c
stable/9/contrib/bind9/lib/isc/api
stable/9/contrib/bind9/lib/isc/hash.c
stable/9/contrib/bind9/lib/isc/hmacmd5.c
stable/9/contrib/bind9/lib/isc/hmacsha.c
stable/9/contrib/bind9/lib/isc/httpd.c
stable/9/contrib/bind9/lib/isc/include/isc/platform.h.in
stable/9/contrib/bind9/lib/isc/include/isc/radix.h
stable/9/contrib/bind9/lib/isc/include/isc/ratelimiter.h
stable/9/contrib/bind9/lib/isc/md5.c
stable/9/contrib/bind9/lib/isc/mem.c
stable/9/contrib/bind9/lib/isc/radix.c
stable/9/contrib/bind9/lib/isc/ratelimiter.c
stable/9/contrib/bind9/lib/isc/result.c
stable/9/contrib/bind9/lib/isc/sha1.c
stable/9/contrib/bind9/lib/isc/sha2.c
stable/9/contrib/bind9/lib/isc/unix/app.c
stable/9/contrib/bind9/lib/isc/unix/include/isc/net.h
stable/9/contrib/bind9/lib/isc/unix/include/isc/time.h
stable/9/contrib/bind9/lib/isc/unix/net.c
stable/9/contrib/bind9/lib/isc/unix/socket.c
stable/9/contrib/bind9/lib/isc/unix/stdio.c
stable/9/contrib/bind9/lib/isc/unix/time.c
stable/9/contrib/bind9/lib/isccfg/api
stable/9/contrib/bind9/lib/isccfg/parser.c
stable/9/contrib/bind9/lib/lwres/api
stable/9/contrib/bind9/lib/lwres/compat.c
stable/9/contrib/bind9/lib/lwres/gethost.c
stable/9/contrib/bind9/lib/lwres/man/lwres.html
stable/9/contrib/bind9/lib/lwres/man/lwres_buffer.html
stable/9/contrib/bind9/lib/lwres/man/lwres_config.html
stable/9/contrib/bind9/lib/lwres/man/lwres_context.html
stable/9/contrib/bind9/lib/lwres/man/lwres_gabn.html
stable/9/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
stable/9/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
stable/9/contrib/bind9/lib/lwres/man/lwres_gethostent.html
stable/9/contrib/bind9/lib/lwres/man/lwres_getipnode.html
stable/9/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
stable/9/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
stable/9/contrib/bind9/lib/lwres/man/lwres_gnba.html
stable/9/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
stable/9/contrib/bind9/lib/lwres/man/lwres_inetntop.html
stable/9/contrib/bind9/lib/lwres/man/lwres_noop.html
stable/9/contrib/bind9/lib/lwres/man/lwres_packet.html
stable/9/contrib/bind9/lib/lwres/man/lwres_resutil.html
stable/9/contrib/bind9/version
stable/9/lib/bind/config.h
stable/9/lib/bind/dns/code.h
stable/9/lib/bind/dns/dns/enumclass.h
stable/9/lib/bind/dns/dns/enumtype.h
stable/9/lib/bind/dns/dns/rdatastruct.h
stable/9/lib/bind/isc/isc/platform.h
Directory Properties:
stable/9/contrib/bind9/ (props changed)
Modified: stable/9/contrib/bind9/CHANGES
==============================================================================
--- stable/9/contrib/bind9/CHANGES Wed Apr 8 19:46:13 2015 (r281272)
+++ stable/9/contrib/bind9/CHANGES Wed Apr 8 19:49:38 2015 (r281273)
@@ -1,11 +1,145 @@
- --- 9.9.6-P2 released ---
+ --- 9.9.7 released ---
+
+ --- 9.9.7rc2 released ---
+
+4061. [bug] Handle timeout in legacy system test. [RT #38573]
+
+4060. [bug] dns_rdata_freestruct could be called on a
+ uninitialised structure when handling a error.
+ [RT #38568]
+
+4059. [bug] Addressed valgrind warnings. [RT #38549]
+
+4058. [bug] UDP dispatches could use the wrong pseudorandom
+ number generator context. [RT #38578]
+
+4056. [bug] Fixed several small bugs in automatic trust anchor
+ management, including a memory leak and a possible
+ loss of key state information. [RT #38458]
+
+4057. [bug] 'dnssec-dsfromkey -T 0' failed to add ttl field.
+ [RT #38565]
4053. [security] Revoking a managed trust anchor and supplying
an untrusted replacement could cause named
to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
- --- 9.9.6-P1 released ---
+4052. [bug] Fix a leak of query fetchlock. [RT #38454]
+
+4050. [bug] RPZ could send spurious SERVFAILs in response
+ to duplicate queries. [RT #38510]
+
+4049. [bug] CDS and CDNSKEY had the wrong attributes. [RT #38491]
+
+4048. [bug] adb hash table was not being grown. [RT #38470]
+
+ --- 9.9.7rc1 released ---
+
+4047. [cleanup] "named -V" now reports the current running versions
+ of OpenSSL and the libxml2 libraries, in addition to
+ the versions that were in use at build time.
+
+4046. [bug] Accounting of "total use" in memory context
+ statistics was not correct. [RT #38370]
+
+4045. [bug] Skip to next master on dns_request_createvia4 failure.
+ [RT #25185]
+
+4044. [bug] Change 3955 was not complete, resulting in an assertion
+ failure if the timing was just right. [RT #38352]
+
+4039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381]
+
+4038. [bug] Add 'rpz' flag to node and use it to determine whether
+ to call dns_rpz_delete. This should prevent unbalanced
+ add / delete calls. [RT #36888]
+
+4037. [bug] also-notify was ignoring the tsig key when checking
+ for duplicates resulting in some expected notify
+ messages not being sent. [RT #38369]
+
+4035. [bug] Close temporary and NZF FILE pointers before moving
+ the former into the latter's place, as required on
+ Windows. [RT #38332]
+
+4032. [bug] Built-in "empty" zones did not correctly inherit the
+ "allow-transfer" ACL from the options or view.
+ [RT #38310]
+
+4031. [bug] named-checkconf -z failed to report a missing file
+ with a hint zone. [RT #38294]
+
+4028. [bug] $GENERATE with a zero step was not being caught as a
+ error. A $GENERATE with a / but no step was not being
+ caught as a error. [RT #38262]
+
+3973. [test] Added hooks for Google Performance Tools CPU profiler,
+ including real-time/wall-clock profiling. Use
+ "configure --with-gperftools-profiler" to enable.
+ [RT #37339]
+
+ --- 9.9.7b1 released ---
+
+4027. [port] Net::DNS 0.81 compatibility. [RT #38165]
+
+4026. [bug] Fix RFC 3658 reference in dig +sigchase. [RT #38173]
+
+4025. [port] bsdi: failed to build. [RT #38047]
+
+4024. [bug] dns_rdata_opt_first, dns_rdata_opt_next,
+ dns_rdata_opt_current, dns_rdata_txt_first,
+ dns_rdata_txt_next and dns_rdata_txt_current were
+ documented but not implemented. These have now been
+ implemented.
+
+ dns_rdata_spf_first, dns_rdata_spf_next and
+ dns_rdata_spf_current were documented but not
+ implemented. The prototypes for these
+ functions have been removed. [RT #38068]
+
+4023. [bug] win32: socket handling with explicit ports and
+ invoking named with -4 was broken for some
+ configurations. [RT #38068]
+
+4021. [bug] Adjust max-recursion-queries to accommodate
+ the need for more queries when the cache is
+ empty. [RT #38104]
+
+4020. [bug] Change 3736 broke nsupdate's SOA MNAME discovery
+ resulting in updates being sent to the wrong server.
+ [RT #37925]
+
+4019. [func] If named is not configured to validate the answer
+ then allow fallback to plain DNS on timeout even
+ when we know the server supports EDNS. [RT #37978]
+
+4018. [bug] Fall back to plain DNS when EDNS queries are being
+ dropped was failing. [RT #37965]
+
+4017. [test] Add system test to check lookups to legacy servers
+ with broken DNS behavior. [RT #37965]
+
+4016. [bug] Fix a dig segfault due to bad linked list usage.
+ [RT #37591]
+
+4015. [bug] Nameservers that are skipped due to them being
+ CNAMEs were not being logged. They are now logged
+ to category 'cname' as per BIND 8. [RT #37935]
+
+4014. [bug] When including a master file origin_changed was
+ not being properly set leading to a potentially
+ spurious 'inherited owner' warning. [RT #37919]
+
+4012. [bug] Check returned status of OpenSSL digest and HMAC
+ functions when they return one. Note this applies
+ only to FIPS capable OpenSSL libraries put in
+ FIPS mode and MD5. [RT #37944]
+
+4011. [bug] master's list port inheritance was not properly
+ implemented. [RT #37792]
+
+4007. [doc] Remove acl forward reference restriction. [RT #37772]
4006. [security] A flaw in delegation handling could be exploited
to put named into an infinite loop. This has
@@ -19,6 +153,99 @@
"max-recursion-depth" option, and the query limit
via the "max-recursion-queries" option. [RT #37580]
+4004. [bug] When delegations had AAAA glue but not A, a
+ reference could be leaked causing an assertion
+ failure on shutdown. [RT #37796]
+
+4000. [bug] NXDOMAIN redirection incorrectly handled NXRRSET
+ from the redirect zone. [RT #37722]
+
+3998. [bug] isc_radix_search was returning matches that were
+ too precise. [RT #37680]
+
+3997. [protocol] Add OPENGPGKEY record. [RT# 37671]
+
+3996. [bug] Address use after free on out of memory error in
+ keyring_add. [RT #37639]
+
+3995. [bug] receive_secure_serial holds the zone lock for too
+ long. [RT #37626]
+
+3990. [testing] Add tests for unknown DNSSEC algorithm handling.
+ [RT #37541]
+
+3989. [cleanup] Remove redundant dns_db_resigned calls. [RT #35748]
+
+3987. [func] Handle future Visual Studio 14 incompatible changes.
+ [RT #37380]
+
+3986. [doc] Add the BIND version number to page footers
+ in the ARM. [RT #37398]
+
+3985. [doc] Describe how +ndots and +search interact in dig.
+ [RT #37529]
+
+3982. [doc] Include release notes in product documentation.
+ [RT #37272]
+
+3981. [bug] Cache DS/NXDOMAIN independently of other query types.
+ [RT #37467]
+
+3978. [test] Added a unit test for Diffie-Hellman key
+ computation, completing change #3974. [RT #37477]
+
+3976. [bug] When refreshing managed-key trust anchors, clear
+ any cached trust so that they will always be
+ revalidated with the current set of secure
+ roots. [RT #37506]
+
+3974. [bug] Handle DH_compute_key() failure correctly in
+ openssldh_link.c. [RT #37477]
+
+3972. [bug] Fix host's usage statement. [RT #37397]
+
+3971. [bug] Reduce the cascading failures due to a bad $TTL line
+ in named-checkconf / named-checkzone. [RT #37138]
+
+3970. [contrib] Fixed a use after free bug in the SDB LDAP driver.
+ [RT #37237]
+
+3968. [bug] Silence spurious log messages when using 'named -[46]'.
+ [RT #37308]
+
+3967. [test] Add test for inlined signed zone in multiple views
+ with different DNSKEY sets. [RT #35759]
+
+3966. [bug] Missing dns_db_closeversion call in receive_secure_db.
+ [RT #35746]
+
+3962. [bug] 'dig +topdown +trace +sigchase' address unhandled error
+ conditions. [RT #34663]
+
+3961. [bug] Forwarding of SIG(0) signed UPDATE messages failed with
+ BADSIG. [RT #37216]
+
+3960. [bug] 'dig +sigchase' could loop forever. [RT #37220]
+
+3959. [bug] Updates could be lost if they arrived immediately
+ after a rndc thaw. [RT #37233]
+
+3958. [bug] Detect when writeable files have multiple references
+ in named.conf. [RT #37172]
+
+3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
+ and ECDSAP384SHA384. [RT #37183]
+
+3955. [bug] Notify messages due to changes are no longer queued
+ behind startup notify messages. [RT #24454]
+
+3954. [bug] Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
+
+3953. [bug] Don't escape semi-colon in TXT fields. [RT #37159]
+
+3952. [bug] dns_name_fullcompare failed to set *nlabelsp when the
+ two name pointers were the same. [RT #37176]
+
--- 9.9.6 released ---
3950. [port] Changed the bin/python Makefile to work around a
@@ -63,7 +290,7 @@
3922. [bug] When resigning, dnssec-signzone was removing
all signatures from delegation nodes. It now
- retains DS and (if applicable) NSEC signatures.
+ retains DS and (if applicable) NSEC signatures.
[RT #36946]
3921. [bug] AD was inappropriately set on RPZ responses. [RT #36833]
Modified: stable/9/contrib/bind9/COPYRIGHT
==============================================================================
--- stable/9/contrib/bind9/COPYRIGHT Wed Apr 8 19:46:13 2015 (r281272)
+++ stable/9/contrib/bind9/COPYRIGHT Wed Apr 8 19:49:38 2015 (r281273)
@@ -1,4 +1,4 @@
-Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2003 Internet Software Consortium.
Permission to use, copy, modify, and/or distribute this software for any
Modified: stable/9/contrib/bind9/FAQ.xml
==============================================================================
--- stable/9/contrib/bind9/FAQ.xml Wed Apr 8 19:46:13 2015 (r281272)
+++ stable/9/contrib/bind9/FAQ.xml Wed Apr 8 19:49:38 2015 (r281273)
@@ -1,7 +1,7 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
- - Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -31,6 +31,7 @@
<year>2009</year>
<year>2010</year>
<year>2013</year>
+ <year>2014</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
Modified: stable/9/contrib/bind9/README
==============================================================================
--- stable/9/contrib/bind9/README Wed Apr 8 19:46:13 2015 (r281272)
+++ stable/9/contrib/bind9/README Wed Apr 8 19:49:38 2015 (r281273)
@@ -51,14 +51,21 @@ BIND 9
For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
+
+BIND 9.9.7
+
+ BIND 9.9.7 is a maintenance release and addresses bugs
+ found in BIND 9.9.6 and earlier, as well as the security
+ flaws described in CVE-2014-8500 and CVE-2015-1349.
+
BIND 9.9.6
BIND 9.9.6 is a maintenance release, and also includes
- the following new functionality.
+ the following new functionality.
- The former behavior with respect to capitalization of names
- (prior to BIND 9.9.5) can be restored for specific clients via
- the new "no-case-compress" ACL.
+ (prior to BIND 9.9.5) can be restored for specific clients via
+ the new "no-case-compress" ACL.
BIND 9.9.5
@@ -219,7 +226,7 @@ Building
-DDIG_SIGCHASE_BU=1)
Disable dropping queries from particular well known ports.
-DNS_CLIENT_DROPPORT=0
- Sibling glue checking in named-checkzone is enabled by default.
+ Sibling glue checking in named-checkzone is enabled by default.
To disable the default check set. -DCHECK_SIBLING=0
named-checkzone checks out-of-zone addresses by default.
To disable this default set. -DCHECK_LOCAL=0
@@ -358,7 +365,7 @@ Change Log
[security] Fix for a significant security flaw
[experimental] Used for new features when the syntax
- or other aspects of the design are still
+ or other aspects of the design are still
in flux and may change
[port] Portability enhancement
@@ -367,7 +374,7 @@ Change Log
server addresses and keys
[tuning] Changes to built-in configuration defaults
- and constants to improve performanceo
+ and constants to improve performanceo
[protocol] Updates to the DNS protocol such as new
RR types
Modified: stable/9/contrib/bind9/bin/check/named-checkconf.c
==============================================================================
--- stable/9/contrib/bind9/bin/check/named-checkconf.c Wed Apr 8 19:46:13 2015 (r281272)
+++ stable/9/contrib/bind9/bin/check/named-checkconf.c Wed Apr 8 19:49:38 2015 (r281273)
@@ -488,7 +488,33 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
- while ((c = isc_commandline_parse(argc, argv, "dhjt:pvxz")) != EOF) {
+ /*
+ * Process memory debugging argument first.
+ */
+#define CMDLINE_FLAGS "dhjm:t:pvxz"
+ while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+ switch (c) {
+ case 'm':
+ if (strcasecmp(isc_commandline_argument, "record") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+ if (strcasecmp(isc_commandline_argument, "trace") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+ if (strcasecmp(isc_commandline_argument, "usage") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+ if (strcasecmp(isc_commandline_argument, "size") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+ if (strcasecmp(isc_commandline_argument, "mctx") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+ break;
+ default:
+ break;
+ }
+ }
+ isc_commandline_reset = ISC_TRUE;
+
+ RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+
+ while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
switch (c) {
case 'd':
debug++;
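Review bot: In the new first-pass loop, a `-m` value that matches none of the five keywords is silently accepted, so a mistyped mode leaves `isc_mem_debugging` unchanged and the operator gets no sign that memory debugging is off. I would chain the tests with `else if` and end with an `else` that reports the value and exits, as sketched below. The two loops also compare against different sentinels (`!= -1` in the first pass, `!= EOF` in the second); using one spelling for both would be clearer. The bare `case 'm': break;` added to the second loop in the next hunk deserves `/* already handled in the first pass */`. main() starts and ends outside this hunk.

```c
		case 'm':
			if (strcasecmp(isc_commandline_argument, "record") == 0)
				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
			/* … unchanged: "trace", "usage", "size", "mctx" tests, each now `else if` … */
			else {
				fprintf(stderr, "unknown -m value '%s'\n",
					isc_commandline_argument);
				exit(1);
			}
			break;
```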
@@ -498,6 +524,9 @@ main(int argc, char **argv) {
nomerge = ISC_FALSE;
break;
+ case 'm':
+ break;
+
case 't':
result = isc_dir_chroot(isc_commandline_argument);
if (result != ISC_R_SUCCESS) {
@@ -557,8 +586,6 @@ main(int argc, char **argv) {
InitSockets();
#endif
- RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
Modified: stable/9/contrib/bind9/bin/dig/dig.1
==============================================================================
--- stable/9/contrib/bind9/bin/dig/dig.1 Wed Apr 8 19:46:13 2015 (r281272)
+++ stable/9/contrib/bind9/bin/dig/dig.1 Wed Apr 8 19:49:38 2015 (r281273)
@@ -388,7 +388,10 @@ for it to be considered absolute. The de
or
\fBdomain\fR
directive in
-\fI/etc/resolv.conf\fR.
+\fI/etc/resolv.conf\fR
+if
+\fB+search\fR
+is set.
.RE
.PP
\fB+[no]nsid\fR
@@ -447,6 +450,12 @@ Toggle the display of per\-record commen
Use [do not use] the search list defined by the searchlist or domain directive in
\fIresolv.conf\fR
(if any). The search list is not used by default.
+.sp
+\'ndots' from
+\fIresolv.conf\fR
+(default 1) which may be overridden by
+\fI+ndots\fR
+determines if the name will be treated as relative or not and hence whether a search is eventually performed or not.
.RE
.PP
\fB+[no]short\fR
Modified: stable/9/contrib/bind9/bin/dig/dig.docbook
==============================================================================
--- stable/9/contrib/bind9/bin/dig/dig.docbook Wed Apr 8 19:46:13 2015 (r281272)
+++ stable/9/contrib/bind9/bin/dig/dig.docbook Wed Apr 8 19:49:38 2015 (r281273)
@@ -624,7 +624,8 @@
are interpreted as relative names and will be searched
for in the domains listed in the <option>search</option>
or <option>domain</option> directive in
- <filename>/etc/resolv.conf</filename>.
+ <filename>/etc/resolv.conf</filename> if
+ <option>+search</option> is set.
</para>
</listitem>
</varlistentry>
@@ -731,6 +732,13 @@
<filename>resolv.conf</filename> (if any). The search
list is not used by default.
</para>
+ <para>
+ 'ndots' from <filename>resolv.conf</filename> (default 1)
+ which may be overridden by <parameter>+ndots</parameter>
+ determines if the name will be treated as relative
+ or not and hence whether a search is eventually
+ performed or not.
+ </para>
</listitem>
</varlistentry>
Modified: stable/9/contrib/bind9/bin/dig/dig.html
==============================================================================
--- stable/9/contrib/bind9/bin/dig/dig.html Wed Apr 8 19:46:13 2015 (r281272)
+++ stable/9/contrib/bind9/bin/dig/dig.html Wed Apr 8 19:49:38 2015 (r281273)
@@ -412,7 +412,8 @@
are interpreted as relative names and will be searched
for in the domains listed in the <code class="option">search</code>
or <code class="option">domain</code> directive in
- <code class="filename">/etc/resolv.conf</code>.
+ <code class="filename">/etc/resolv.conf</code> if
+ <code class="option">+search</code> is set.
</p></dd>
<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
<dd><p>
@@ -468,12 +469,21 @@
record comments unless multiline mode is active.
</p></dd>
<dt><span class="term"><code class="option">+[no]search</code></span></dt>
-<dd><p>
+<dd>
+<p>
Use [do not use] the search list defined by the
searchlist or domain directive in
<code class="filename">resolv.conf</code> (if any). The search
list is not used by default.
- </p></dd>
+ </p>
+<p>
+ 'ndots' from <code class="filename">resolv.conf</code> (default 1)
+ which may be overridden by <em class="parameter"><code>+ndots</code></em>
+ determines if the name will be treated as relative
+ or not and hence whether a search is eventually
+ performed or not.
+ </p>
+</dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd><p>
Provide a terse answer. The default is to print the
@@ -590,7 +600,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545168"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2545181"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@@ -636,7 +646,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545229"></a><h2>IDN SUPPORT</h2>
+<a name="id2545243"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -650,14 +660,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545252"></a><h2>FILES</h2>
+<a name="id2545266"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545269"></a><h2>SEE ALSO</h2>
+<a name="id2545283"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -665,7 +675,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545306"></a><h2>BUGS</h2>
+<a name="id2545320"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
Modified: stable/9/contrib/bind9/bin/dig/dighost.c
==============================================================================
--- stable/9/contrib/bind9/bin/dig/dighost.c Wed Apr 8 19:46:13 2015 (r281272)
+++ stable/9/contrib/bind9/bin/dig/dighost.c Wed Apr 8 19:49:38 2015 (r281273)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -58,6 +58,7 @@
#include <dns/log.h>
#include <dns/message.h>
#include <dns/name.h>
+#include <dns/rcode.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdatalist.h>
@@ -1070,10 +1071,9 @@ parse_hmac(const char *hmac) {
*/
static isc_result_t
read_confkey(void) {
- isc_log_t *lctx = NULL;
cfg_parser_t *pctx = NULL;
cfg_obj_t *file = NULL;
- const cfg_obj_t *key = NULL;
+ const cfg_obj_t *keyobj = NULL;
const cfg_obj_t *secretobj = NULL;
const cfg_obj_t *algorithmobj = NULL;
const char *keyname;
@@ -1084,7 +1084,7 @@ read_confkey(void) {
if (! isc_file_exists(keyfile))
return (ISC_R_FILENOTFOUND);
- result = cfg_parser_create(mctx, lctx, &pctx);
+ result = cfg_parser_create(mctx, NULL, &pctx);
if (result != ISC_R_SUCCESS)
goto cleanup;
@@ -1093,16 +1093,16 @@ read_confkey(void) {
if (result != ISC_R_SUCCESS)
goto cleanup;
- result = cfg_map_get(file, "key", &key);
+ result = cfg_map_get(file, "key", &keyobj);
if (result != ISC_R_SUCCESS)
goto cleanup;
- (void) cfg_map_get(key, "secret", &secretobj);
- (void) cfg_map_get(key, "algorithm", &algorithmobj);
+ (void) cfg_map_get(keyobj, "secret", &secretobj);
+ (void) cfg_map_get(keyobj, "algorithm", &algorithmobj);
if (secretobj == NULL || algorithmobj == NULL)
fatal("key must have algorithm and secret");
- keyname = cfg_obj_asstring(cfg_map_getname(key));
+ keyname = cfg_obj_asstring(cfg_map_getname(keyobj));
secretstr = cfg_obj_asstring(secretobj);
algorithm = cfg_obj_asstring(algorithmobj);
@@ -2216,7 +2216,6 @@ setup_lookup(dig_lookup_t *lookup) {
if (result != ISC_R_SUCCESS) {
dns_message_puttempname(lookup->sendmsg,
&lookup->name);
- isc_buffer_init(&b, store, MXNAME);
fatal("'%s' is not a legal name "
"(%s)", lookup->textname,
isc_result_totext(result));
@@ -2976,7 +2975,8 @@ connect_done(isc_task_t *task, isc_event
query->waiting_connect = ISC_FALSE;
isc_event_free(&event);
l = query->lookup;
- if (l->current_query != NULL)
+ if ((l->current_query != NULL) &&
+ (ISC_LINK_LINKED(l->current_query, link)))
next = ISC_LIST_NEXT(l->current_query, link);
else
next = NULL;
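Review bot: The new `ISC_LINK_LINKED(l->current_query, link)` guard in connect_done() has no comment explaining why `current_query` can be non-NULL yet no longer on the list, which is the only reason the check exists. I would add something like `/* current_query may already have been unlinked; ISC_LIST_NEXT() on an unlinked element does not yield a usable pointer */` above the `if`. With the guard, `next` becomes NULL in that case, which presumably means no further query is attempted for this lookup. Whether that is intended, and whether other readers of `l->current_query` need the same guard, cannot be seen from this hunk. connect_done() starts and ends outside the hunk.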
@@ -3518,7 +3518,7 @@ recv_done(isc_task_t *task, isc_event_t
#endif
printmessage(query, msg, ISC_TRUE);
} else if (l->trace) {
- int n = 0;
+ int nl = 0;
int count = msg->counts[DNS_SECTION_ANSWER];
debug("in TRACE code");
@@ -3529,13 +3529,13 @@ recv_done(isc_task_t *task, isc_event_t
if (l->trace_root || (l->ns_search_only && count > 0)) {
if (!l->trace_root)
l->rdtype = dns_rdatatype_soa;
- n = followup_lookup(msg, query,
- DNS_SECTION_ANSWER);
+ nl = followup_lookup(msg, query,
+ DNS_SECTION_ANSWER);
l->trace_root = ISC_FALSE;
} else if (count == 0)
- n = followup_lookup(msg, query,
- DNS_SECTION_AUTHORITY);
- if (n == 0)
+ nl = followup_lookup(msg, query,
+ DNS_SECTION_AUTHORITY);
+ if (nl == 0)
docancel = ISC_TRUE;
} else {
debug("in NSSEARCH code");
@@ -3544,12 +3544,12 @@ recv_done(isc_task_t *task, isc_event_t
/*
* This is the initial NS query.
*/
- int n;
+ int nl;
l->rdtype = dns_rdatatype_soa;
- n = followup_lookup(msg, query,
- DNS_SECTION_ANSWER);
- if (n == 0)
+ nl = followup_lookup(msg, query,
+ DNS_SECTION_ANSWER);
+ if (nl == 0)
docancel = ISC_TRUE;
l->trace_root = ISC_FALSE;
usesearch = ISC_FALSE;
@@ -3679,12 +3679,12 @@ recv_done(isc_task_t *task, isc_event_t
* routines, since they may be using a non-DNS system for these lookups.
*/
isc_result_t
-get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
+get_address(char *host, in_port_t myport, isc_sockaddr_t *sockaddr) {
int count;
isc_result_t result;
isc_app_block();
- result = bind9_getaddresses(host, port, sockaddr, 1, &count);
+ result = bind9_getaddresses(host, myport, sockaddr, 1, &count);
isc_app_unblock();
if (result != ISC_R_SUCCESS)
return (result);
@@ -4151,6 +4151,9 @@ chase_scanname_section(dns_message_t *ms
dns_rdataset_t *rdataset;
dns_name_t *msg_name = NULL;
+ if (msg->counts[section] == 0)
+ return (NULL);
+
do {
dns_message_currentname(msg, section, &msg_name);
if (dns_name_compare(msg_name, name) == 0) {
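Review bot: The early `return (NULL)` added before the `do` loop in chase_scanname_section needs a comment, because nothing here says why an empty section must not reach `dns_message_currentname()`. The loop body calls it unconditionally on the first pass, so the guard is presumably what keeps a response with an empty section from tripping an assertion there. Suggested: `/* An empty section has no current name to read; bail out before the do-loop touches it. */`. The function's signature and the tail of the loop are outside the hunk, so whether `section` is range-checked before it indexes `msg->counts[]` cannot be seen from here.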
@@ -4357,8 +4360,8 @@ get_trusted_key(isc_mem_t *mctx)
dns_rdatacallbacks_init_stdio(&callbacks);
callbacks.add = insert_trustedkey;
return (dns_master_loadfile(filename, dns_rootname, dns_rootname,
- current_lookup->rdclass, 0, &callbacks,
- mctx));
+ current_lookup->rdclass, DNS_MASTER_NOTTL,
+ &callbacks, mctx));
}
@@ -4558,36 +4561,36 @@ child_of_zone(dns_name_t * name, dns_nam
}
isc_result_t
-grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset)
-{
- isc_result_t result;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
+grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset) {
dns_rdata_sig_t siginfo;
+ dns_rdataset_t mysigrdataset;
+ isc_result_t result;
- result = dns_rdataset_first(sigrdataset);
+ dns_rdataset_init(&mysigrdataset);
+ dns_rdataset_clone(sigrdataset, &mysigrdataset);
+
+ result = dns_rdataset_first(&mysigrdataset);
check_result(result, "empty RRSIG dataset");
- dns_rdata_init(&sigrdata);
do {
- dns_rdataset_current(sigrdataset, &sigrdata);
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&mysigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
check_result(result, "sigrdata tostruct siginfo");
if (dns_name_compare(&siginfo.signer, zone_name) == 0) {
- dns_rdata_freestruct(&siginfo);
- dns_rdata_reset(&sigrdata);
- return (ISC_R_SUCCESS);
+ result = ISC_R_SUCCESS;
+ goto cleanup;
}
+ } while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS);
- dns_rdata_freestruct(&siginfo);
- dns_rdata_reset(&sigrdata);
+ result = ISC_R_FAILURE;
+cleanup:
+ dns_rdataset_disassociate(&mysigrdataset);
- } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
-
- dns_rdata_reset(&sigrdata);
-
- return (ISC_R_FAILURE);
+ return (result);
}
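Review bot: Both `dns_rdata_freestruct(&siginfo)` calls disappear from grandfather_pb_test with no comment on why that is safe. As far as the hunk shows, it is because `dns_rdata_tostruct(&sigrdata, &siginfo, NULL)` is called with a NULL memory context, so siginfo only borrows from sigrdata. A later change that passes a real mctx would then leak on every iteration. A comment next to the call, such as `/* NULL mctx: siginfo borrows from sigrdata, nothing to free */`, would record that. The same applies to the identical pattern in sigchase_verify_sig_key further down.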
@@ -4667,26 +4670,30 @@ contains_trusted_key(dns_name_t *name, d
dns_rdataset_t *sigrdataset,
isc_mem_t *mctx)
{
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_t myrdataset;
dst_key_t *dnsseckey = NULL;
int i;
+ isc_result_t result;
if (name == NULL || rdataset == NULL)
return (ISC_R_FAILURE);
- result = dns_rdataset_first(rdataset);
+ dns_rdataset_init(&myrdataset);
+ dns_rdataset_clone(rdataset, &myrdataset);
+
+ result = dns_rdataset_first(&myrdataset);
check_result(result, "empty rdataset");
do {
- dns_rdataset_current(rdataset, &rdata);
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&myrdataset, &rdata);
INSIST(rdata.type == dns_rdatatype_dnskey);
result = dns_dnssec_keyfromrdata(name, &rdata,
mctx, &dnsseckey);
check_result(result, "dns_dnssec_keyfromrdata");
-
for (i = 0; i < tk_list.nb_tk; i++) {
if (dst_key_compare(tk_list.key[i], dnsseckey)
== ISC_TRUE) {
@@ -4695,22 +4702,21 @@ contains_trusted_key(dns_name_t *name, d
printf(";; Ok, find a Trusted Key in the "
"DNSKEY RRset: %d\n",
dst_key_id(dnsseckey));
- if (sigchase_verify_sig_key(name, rdataset,
- dnsseckey,
- sigrdataset,
- mctx)
- == ISC_R_SUCCESS) {
- dst_key_free(&dnsseckey);
- dnsseckey = NULL;
- return (ISC_R_SUCCESS);
- }
+ result = sigchase_verify_sig_key(name, rdataset,
+ dnsseckey,
+ sigrdataset,
+ mctx);
+ if (result == ISC_R_SUCCESS)
+ goto cleanup;
}
}
+ dst_key_free(&dnsseckey);
+ } while (dns_rdataset_next(&myrdataset) == ISC_R_SUCCESS);
- dns_rdata_reset(&rdata);
- if (dnsseckey != NULL)
- dst_key_free(&dnsseckey);
- } while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
+cleanup:
+ if (dnsseckey != NULL)
+ dst_key_free(&dnsseckey);
+ dns_rdataset_disassociate(&myrdataset);
return (ISC_R_NOTFOUND);
}
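Review bot: The success path in contains_trusted_key now reports failure. `if (result == ISC_R_SUCCESS) goto cleanup;` jumps to the new `cleanup:` label, but the unchanged last line is still `return (ISC_R_NOTFOUND);`, so a DNSKEY that matches a trusted key and verifies is never reported as found. This fails closed, so no bad data is accepted, but any caller that tests for ISC_R_SUCCESS would treat every chain as unanchored. sigchase_verify_sig in this same commit has the intended shape: add `result = ISC_R_NOTFOUND;` just before `cleanup:` and end with `return (result);`.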
@@ -4721,16 +4727,20 @@ sigchase_verify_sig(dns_name_t *name, dn
dns_rdataset_t *sigrdataset,
isc_mem_t *mctx)
{
- isc_result_t result;
- dns_rdata_t keyrdata = DNS_RDATA_INIT;
+ dns_rdataset_t mykeyrdataset;
dst_key_t *dnsseckey = NULL;
+ isc_result_t result;
- result = dns_rdataset_first(keyrdataset);
+ dns_rdataset_init(&mykeyrdataset);
+ dns_rdataset_clone(keyrdataset, &mykeyrdataset);
+
+ result = dns_rdataset_first(&mykeyrdataset);
check_result(result, "empty DNSKEY dataset");
- dns_rdata_init(&keyrdata);
do {
- dns_rdataset_current(keyrdataset, &keyrdata);
+ dns_rdata_t keyrdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&mykeyrdataset, &keyrdata);
INSIST(keyrdata.type == dns_rdatatype_dnskey);
result = dns_dnssec_keyfromrdata(name, &keyrdata,
@@ -4739,18 +4749,19 @@ sigchase_verify_sig(dns_name_t *name, dn
result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
sigrdataset, mctx);
- if (result == ISC_R_SUCCESS) {
- dns_rdata_reset(&keyrdata);
- dst_key_free(&dnsseckey);
- return (ISC_R_SUCCESS);
- }
+ if (result == ISC_R_SUCCESS)
+ goto cleanup;
dst_key_free(&dnsseckey);
- dns_rdata_reset(&keyrdata);
- } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
+ } while (dns_rdataset_next(&mykeyrdataset) == ISC_R_SUCCESS);
- dns_rdata_reset(&keyrdata);
+ result = ISC_R_NOTFOUND;
- return (ISC_R_NOTFOUND);
+ cleanup:
+ if (dnsseckey != NULL)
+ dst_key_free(&dnsseckey);
+ dns_rdataset_disassociate(&mykeyrdataset);
+
+ return (result);
}
isc_result_t
@@ -4758,16 +4769,23 @@ sigchase_verify_sig_key(dns_name_t *name
dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset,
isc_mem_t *mctx)
{
- isc_result_t result;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdata_sig_t siginfo;
+ dns_rdataset_t myrdataset;
+ dns_rdataset_t mysigrdataset;
+ isc_result_t result;
- result = dns_rdataset_first(sigrdataset);
+ dns_rdataset_init(&myrdataset);
+ dns_rdataset_clone(rdataset, &myrdataset);
+ dns_rdataset_init(&mysigrdataset);
+ dns_rdataset_clone(sigrdataset, &mysigrdataset);
+
+ result = dns_rdataset_first(&mysigrdataset);
check_result(result, "empty RRSIG dataset");
- dns_rdata_init(&sigrdata);
do {
- dns_rdataset_current(sigrdataset, &sigrdata);
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&mysigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
check_result(result, "sigrdata tostruct siginfo");
@@ -4778,10 +4796,10 @@ sigchase_verify_sig_key(dns_name_t *name
*/
if (siginfo.keyid == dst_key_id(dnsseckey)) {
- result = dns_rdataset_first(rdataset);
+ result = dns_rdataset_first(&myrdataset);
check_result(result, "empty DS dataset");
- result = dns_dnssec_verify(name, rdataset, dnsseckey,
+ result = dns_dnssec_verify(name, &myrdataset, dnsseckey,
ISC_FALSE, mctx, &sigrdata);
printf(";; VERIFYING ");
@@ -4791,19 +4809,18 @@ sigchase_verify_sig_key(dns_name_t *name
printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey),
isc_result_totext(result));
- if (result == ISC_R_SUCCESS) {
- dns_rdata_reset(&sigrdata);
- return (result);
- }
+ if (result == ISC_R_SUCCESS)
+ goto cleanup;
}
- dns_rdata_freestruct(&siginfo);
- dns_rdata_reset(&sigrdata);
+ } while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS);
- } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
+ result = ISC_R_NOTFOUND;
- dns_rdata_reset(&sigrdata);
+ cleanup:
+ dns_rdataset_disassociate(&myrdataset);
+ dns_rdataset_disassociate(&mysigrdataset);
- return (ISC_R_NOTFOUND);
+ return (result);
}
@@ -4811,27 +4828,35 @@ isc_result_t
sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
{
- isc_result_t result;
- dns_rdata_t keyrdata = DNS_RDATA_INIT;
- dns_rdata_t newdsrdata = DNS_RDATA_INIT;
- dns_rdata_t dsrdata = DNS_RDATA_INIT;
dns_rdata_ds_t dsinfo;
+ dns_rdataset_t mydsrdataset;
+ dns_rdataset_t mykeyrdataset;
dst_key_t *dnsseckey = NULL;
+ isc_result_t result;
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
- result = dns_rdataset_first(dsrdataset);
+ dns_rdataset_init(&mydsrdataset);
+ dns_rdataset_clone(dsrdataset, &mydsrdataset);
+ dns_rdataset_init(&mykeyrdataset);
+ dns_rdataset_clone(keyrdataset, &mykeyrdataset);
+
+ result = dns_rdataset_first(&mydsrdataset);
check_result(result, "empty DSset dataset");
do {
- dns_rdataset_current(dsrdataset, &dsrdata);
+ dns_rdata_t dsrdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&mydsrdataset, &dsrdata);
result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
check_result(result, "dns_rdata_tostruct for DS");
- result = dns_rdataset_first(keyrdataset);
+ result = dns_rdataset_first(&mykeyrdataset);
check_result(result, "empty KEY dataset");
do {
- dns_rdataset_current(keyrdataset, &keyrdata);
+ dns_rdata_t keyrdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&mykeyrdataset, &keyrdata);
INSIST(keyrdata.type == dns_rdatatype_dnskey);
result = dns_dnssec_keyfromrdata(name, &keyrdata,
@@ -4843,6 +4868,7 @@ sigchase_verify_ds(dns_name_t *name, dns
* id of DNSKEY referenced by the DS
*/
if (dsinfo.key_tag == dst_key_id(dnsseckey)) {
+ dns_rdata_t newdsrdata = DNS_RDATA_INIT;
result = dns_ds_buildrdata(name, &keyrdata,
dsinfo.digest_type,
@@ -4850,14 +4876,9 @@ sigchase_verify_ds(dns_name_t *name, dns
dns_rdata_freestruct(&dsinfo);
if (result != ISC_R_SUCCESS) {
- dns_rdata_reset(&keyrdata);
- dns_rdata_reset(&newdsrdata);
- dns_rdata_reset(&dsrdata);
- dst_key_free(&dnsseckey);
- dns_rdata_freestruct(&dsinfo);
printf("Oops: impossible to build"
" new DS rdata\n");
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***