update copyright notice

receiving multiple AXFR response messages that were
                        not all TSIG-signed. [RT #23254]

CHANGES

@@ -1,3 +1,12 @@
+	--- 9.4-ESV-R5 released ---
+
+3135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
+			See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
+			[RT #24950]
+
+3023.	[bug]		Named could be left in an inconsistent state when
+			receiving multiple AXFR response messages that were
+			not all TSIG-signed. [RT #23254]
 
 	--- 9.4-ESV-R5rc1 released ---
 

README

@@ -42,6 +42,11 @@ BIND 9
 		Stichting NLnet - NLnet Foundation
 		Nominum, Inc.
 
+BIND 9.4-ESV-R5 (Extended Support Version)
+
+	BIND 9.4-ESV-R5 is expected to be the last release in the 9.4
+	series.
+
 BIND 9.4-ESV (Extended Support Version)
 
 	BIND 9.4-ESV is the Extended Support Version of BIND 9.4

RELEASE-NOTES-BIND-9.4-ESV.html

@@ -1,109 +1,132 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
+<!--
+ - Copyright (C) 2010, 2011  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
 
-  <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1366823"></a>Introduction</h2></div></div></div>
+<!-- $Id: RELEASE-NOTES-BIND-9.4-ESV.html,v 1.1.2.12 2011/07/24 08:05:11 tbox Exp $ -->
+
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.71.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><hr /></div>
+
+  <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3359578"></a>Introduction</h2></div></div></div>
     
     <p>
-			BIND 9.4-ESV-R5rc1 is the first release
-			candidate of BIND 9.4-ESV-R5.
+			BIND 9.4-ESV-R5 is the current production release
+			of BIND 9.4.
 		</p>
     <p>
-			This document summarizes changes from BIND 9.4-ESV-R4 to BIND 9.4-ESV-R5rc1.
+			This document summarizes changes from BIND 9.4-ESV-R4 to BIND 9.4-ESV-R5.
 			Please see the CHANGES file in the source code release for a
 			complete list of all changes.
 		</p>
   </div>
 
-  <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1366840"></a>Download</h2></div></div></div>
+  <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3358597"></a>Download</h2></div></div></div>
     
     <p>
 			The latest release of BIND 9 software can always be found
 	 		on our web site at
-      <a class="ulink" href="http://www.isc.org/downloads/all" target="_top">http://www.isc.org/downloads/all</a>.
+      <a href="http://www.isc.org/downloads/all" target="_top">http://www.isc.org/downloads/all</a>.
   		There you will find additional information about each release,
  			source code, and some pre-compiled versions for certain operating
  			systems.
 		</p>
   </div>
 
-  <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1366780"></a>Support</h2></div></div></div>
+  <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3358630"></a>Support</h2></div></div></div>
     
     <p>Product support information is available on
-      <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
+      <a href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
       for paid support options.  Free support is provided by our user
  			community via a mailing list.  Information on all public email
  			lists is available at
-      <a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
+      <a href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
     </p>
   </div>
 
-  <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1366717"></a>New Features</h2></div></div></div>
+  <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3358679"></a>New Features</h2></div></div></div>
     
-		<div class="section" title="9.4-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1366731"></a>9.4-ESV-R5rc1</h3></div></div></div>
+		<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id3358720"></a>9.4-ESV-R5</h3></div></div></div>
 			
 			<p>None.</p>
 		</div>
   </div>
 
-  <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1366712"></a>Feature Changes</h2></div></div></div>
+  <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3358748"></a>Feature Changes</h2></div></div></div>
     
-		<div class="section" title="9.4-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1366851"></a>9.4-ESV-R5rc1</h3></div></div></div>
+		<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id3358768"></a>9.4-ESV-R5</h3></div></div></div>
 			
 			<p>None.</p>
 		</div>
   </div>
 
-  <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1366862"></a>Security Fixes</h2></div></div></div>
+  <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3358796"></a>Security Fixes</h2></div></div></div>
     
-		<div class="section" title="9.4-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1366867"></a>9.4-ESV-R5rc1</h3></div></div></div>
+		<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id3358816"></a>9.4-ESV-R5</h3></div></div></div>
 			
-			<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
+			<div class="itemizedlist"><ul type="disc"><li>
 A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows
 for a TCP DoS attack. Until there is a kernel fix, ISC is disabling
 SO_ACCEPTFILTER support in BIND. [RT #22589]
-</li><li class="listitem">
+</li><li>
 named, set up to be a caching resolver, is vulnerable to a
 user querying a domain with very large resource record sets (RRSets)
 when trying to negatively cache the response. Due to an off-by-one
 error, caching the response could cause named to crash. [RT #24650]
 [CVE-2011-1910]
+</li><li>
+Change #2912 (see CHANGES) exposed a latent bug in the DNS message
+processing code that could allow certain UPDATE requests to crash
+named. This was fixed by disambiguating internal database representation
+vs DNS wire format data. [RT #24777] [CVE-2011-2464]
 </li></ul></div>
 		</div>
   </div>
 
-  <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1366888"></a>Bug Fixes</h2></div></div></div>
+  <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3358855"></a>Bug Fixes</h2></div></div></div>
     
-		<div class="section" title="9.4-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1366894"></a>9.4-ESV-R5rc1</h3></div></div></div>
+		<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id3358861"></a>9.4-ESV-R5</h3></div></div></div>
 			
-	    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-Improved the mechanism for flagging database entries as negative
-cache records; the former method, RR type 0, could be ambiguous.
-[RT #24777]
-</li><li class="listitem">
+	    <div class="itemizedlist"><ul type="disc"><li>
 During RFC5011 processing some journal write errors were not detected.
 This could lead to managed-keys changes being committed but not 
 recorded in the journal files, causing potential inconsistencies  
 during later processing.  [RT #20256]
-</li><li class="listitem">
+<p>
 A potential NULL pointer deference in the DNS64 code could cause 
 named to terminate unexpectedly. [RT #20256]
-</li><li class="listitem">
+</p>
+<p>
 A state variable relating to DNSSEC could fail to be set during 
 some infrequently-executed code paths, allowing it to be used whilst
 in an unitialized state during cache updates, with unpredictable results.
 [RT #20256]
-</li><li class="listitem">
+</p>
+<p>
 A potential NULL pointer deference in DNSSEC signing code could 
 cause named to terminate unexpectedly  [RT #20256]
-</li><li class="listitem">
+</p>
+<p>
 Several cosmetic code changes were made to silence warnings
 generated by a static code analysis tool. [RT #20256]
-</li><li class="listitem">
+</p>
+</li><li>
 Cause named to terminate at startup or rndc reconfig
 reload to fail, if a log file specified in the
 conf file isn't a plain file. (RT #22771]
-</li><li class="listitem">
+</li><li>
 Prior to this fix, when named was was writing a zone to disk (as slave,
 when resigning, etc.), it might not correctly preserve the case of domain
 name labels within RDATA, if the RDATA was not compressible. The result
@@ -112,58 +135,69 @@ that did not match the RRSIG for that data, due to case mismatch. named
 now correctly preserves case. After upgrading to fixed code, the operator
 should either resign the data (on the master) or delete the disk file
 on the slave and reload the zone. [RT #22863]
-</li><li class="listitem">
+</li><li>
 Fix the zonechecks system test to fail on error (warning in 9.6,
 fatal in 9.7) to match behaviour for 9.4. [RT #22905]
-</li><li class="listitem">
+</li><li>
 There was a bug in how the clients-per-query code worked with some
 query patterns. This could result, in rare circumstances, in having all
 the client query slots filled with queries for the same DNS label,
 essentially ignoring the max-clients-per-query setting.
 [RT #22972]
-</li><li class="listitem">
+</li><li>
+If a slave initiates a TSIG signed AXFR from the master and the master
+fails to correctly TSIG sign the final message, the slave would be left
+with the zone in an unclean state. named detected this error too late
+and named would crash with an INSIST. The order dependancy has been
+fixed. [RT #23254]
+</li><li>
 Fixed precedence order bug with NS and DNAME records if both are present.
 (Also fixed timing of autosign test in 9.7+) [RT #23035]
-</li><li class="listitem">
+</li><li>
 Changing TTL did not cause dnssec-signzone to generate new signatures.
 [RT #23330]
-</li><li class="listitem">
+</li><li>
 If named encountered a CNAME instead of a DS record when walking
 the chain of trust down from the trust anchor, it incorrectly stopped
 validating. [RT #23338]
-</li><li class="listitem">
+</li><li>
 RRSIG records could have time stamps too far in the future.
 [RT #23356]
-</li><li class="listitem">
+</li><li>
 If running on a powerpc CPU and with atomic operations enabled,
 named could lock up. Added sync instructions to the end of atomic
 operations. [RT #23469]
-</li><li class="listitem">
+</li><li>
 ixfr-from-differences {master|slave};
 failed to select the master/slave zones, resulting in on diff/journal
 file being created.
 [RT #23580]
-</li><li class="listitem">
+</li><li>
 Remove bin/tests/system/logfileconfig/ns1/named.conf and
 add setup.sh in order to resolve changing named.conf issue. [RT #23687]
-</li><li class="listitem">
+</li><li>
 The autosign tests attempted to open ports within reserved ranges. Test
 now avoids those ports.
 [RT #23957]
-</li><li class="listitem">
+</li><li>
 Named could fail to validate zones list in a DLV that validated insecure
 without using DLV and had DS records in the parent zone. [RT #24631]
+</li><li>
+A bug in FreeBSD kernels causes IPv6 UDP responses greater than
+1280 bytes to not fragment as they should. Until there is a kernel
+fix, named will work around this by setting IPV6_USE_MIN_MTU on a
+per packet basis. [RT #24950]
 </li></ul></div>
 		</div>
   </div>
 
-  <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1366996"></a>Thank You</h2></div></div></div>
+  <div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3359002"></a>Thank You</h2></div></div></div>
     
     <p>
       Thank you to everyone who assisted us in making this release possible.
       If you would like to contribute to ISC to assist us in continuing to make
       quality open source software, please visit our donations page at
-      <a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
+      <a href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
     </p>
   </div>
 </div></body></html>

RELEASE-NOTES-BIND-9.4-ESV.txt

@@ -2,11 +2,11 @@
 
 Introduction
 
-   BIND 9.4-ESV-R5rc1 is the first release candidate of BIND 9.4-ESV-R5.
+   BIND 9.4-ESV-R5 is the current production release of BIND 9.4.
 
    This document summarizes changes from BIND 9.4-ESV-R4 to BIND
-   9.4-ESV-R5rc1. Please see the CHANGES file in the source code release
-   for a complete list of all changes.
+   9.4-ESV-R5. Please see the CHANGES file in the source code release for
+   a complete list of all changes.
 
 Download
 
@@ -25,19 +25,19 @@ Support
 
 New Features
 
-9.4-ESV-R5rc1
+9.4-ESV-R5
 
    None.
 
 Feature Changes
 
-9.4-ESV-R5rc1
+9.4-ESV-R5
 
    None.
 
 Security Fixes
 
-9.4-ESV-R5rc1
+9.4-ESV-R5
 
      * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
        allows for a TCP DoS attack. Until there is a kernel fix, ISC is
@@ -47,27 +47,28 @@ Security Fixes
        when trying to negatively cache the response. Due to an off-by-one
        error, caching the response could cause named to crash. [RT #24650]
        [CVE-2011-1910]
+     * Change #2912 (see CHANGES) exposed a latent bug in the DNS message
+       processing code that could allow certain UPDATE requests to crash
+       named. This was fixed by disambiguating internal database
+       representation vs DNS wire format data. [RT #24777] [CVE-2011-2464]
 
 Bug Fixes
 
-9.4-ESV-R5rc1
+9.4-ESV-R5
 
-     * Improved the mechanism for flagging database entries as negative
-       cache records; the former method, RR type 0, could be ambiguous.
-       [RT #24777]
      * During RFC5011 processing some journal write errors were not
        detected. This could lead to managed-keys changes being committed
        but not recorded in the journal files, causing potential
        inconsistencies during later processing. [RT #20256]
-     * A potential NULL pointer deference in the DNS64 code could cause
+       A potential NULL pointer deference in the DNS64 code could cause
        named to terminate unexpectedly. [RT #20256]
-     * A state variable relating to DNSSEC could fail to be set during
+       A state variable relating to DNSSEC could fail to be set during
        some infrequently-executed code paths, allowing it to be used
        whilst in an unitialized state during cache updates, with
        unpredictable results. [RT #20256]
-     * A potential NULL pointer deference in DNSSEC signing code could
+       A potential NULL pointer deference in DNSSEC signing code could
        cause named to terminate unexpectedly [RT #20256]
-     * Several cosmetic code changes were made to silence warnings
+       Several cosmetic code changes were made to silence warnings
        generated by a static code analysis tool. [RT #20256]
      * Cause named to terminate at startup or rndc reconfig reload to
        fail, if a log file specified in the conf file isn't a plain file.
@@ -88,6 +89,11 @@ Bug Fixes
        all the client query slots filled with queries for the same DNS
        label, essentially ignoring the max-clients-per-query setting. [RT
        #22972]
+     * If a slave initiates a TSIG signed AXFR from the master and the
+       master fails to correctly TSIG sign the final message, the slave
+       would be left with the zone in an unclean state. named detected
+       this error too late and named would crash with an INSIST. The order
+       dependancy has been fixed. [RT #23254]
      * Fixed precedence order bug with NS and DNAME records if both are
        present. (Also fixed timing of autosign test in 9.7+) [RT #23035]
      * Changing TTL did not cause dnssec-signzone to generate new
@@ -110,6 +116,10 @@ Bug Fixes
      * Named could fail to validate zones list in a DLV that validated
        insecure without using DLV and had DS records in the parent zone.
        [RT #24631]
+     * A bug in FreeBSD kernels causes IPv6 UDP responses greater than
+       1280 bytes to not fragment as they should. Until there is a kernel
+       fix, named will work around this by setting IPV6_USE_MIN_MTU on a
+       per packet basis. [RT #24950]
 
 Thank You
 

bin/tests/system/nsupdate/tests.sh

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.23.18.2 2011/06/09 07:12:57 tbox Exp $
+# $Id: tests.sh,v 1.23.18.3 2011/06/21 22:14:15 each Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -113,6 +113,18 @@ then
         status=1
 fi
 
+n=`expr $n + 1`
+echo "I:check that update to undefined class is handled ($n)"
+echo "a0e4280000010001000000000000060101c00c000000fe000000000000" |
+$PERL ../packet.pl -a 10.53.0.1 -p 5300 -t tcp > /dev/null
+$DIG +tcp version.bind txt ch @10.53.0.1 -p 5300 > dig.out.ns1.$n
+grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
+if test $ret -ne 0
+then
+	echo "I:failed"
+        status=1
+fi
+
 if $PERL -e 'use Net::DNS;' 2>/dev/null
 then
     echo "I:running update.pl test"

doc/private/SRCID

@@ -1,6 +1,6 @@
-# $Id: SRCID,v 1.17.4.165 2011/06/15 02:16:43 tbox Exp $
+# $Id: SRCID,v 1.17.4.174 2011/07/23 00:15:16 tbox Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
 #
-SRCID="( $Date: 2011/06/15 02:16:43 $ )"
+SRCID="( $Date: 2011/07/23 00:15:16 $ )"

lib/dns/api

@@ -1,3 +1,3 @@
 LIBINTERFACE = 39
-LIBREVISION = 3
+LIBREVISION = 4
 LIBAGE = 1

lib/dns/xfrin.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2011  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.c,v 1.135.18.23 2008/09/25 04:15:52 marka Exp $ */
+/* $Id: xfrin.c,v 1.135.18.24 2011/07/22 06:24:01 marka Exp $ */
 
 /*! \file */
 
@@ -83,8 +83,9 @@ typedef enum {
 	XFRST_IXFR_DEL,
 	XFRST_IXFR_ADDSOA,
 	XFRST_IXFR_ADD,
+	XFRST_IXFR_END,
 	XFRST_AXFR,
-	XFRST_END
+	XFRST_AXFR_END
 } xfrin_state_t;
 
 /*%
@@ -198,6 +199,7 @@ static isc_result_t axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
 				   dns_rdata_t *rdata);
 static isc_result_t axfr_apply(dns_xfrin_ctx_t *xfr);
 static isc_result_t axfr_commit(dns_xfrin_ctx_t *xfr);
+static isc_result_t axfr_finalize(dns_xfrin_ctx_t *xfr);
 
 static isc_result_t ixfr_init(dns_xfrin_ctx_t *xfr);
 static isc_result_t ixfr_apply(dns_xfrin_ctx_t *xfr);
@@ -313,6 +315,16 @@ axfr_commit(dns_xfrin_ctx_t *xfr) {
 
 	CHECK(axfr_apply(xfr));
 	CHECK(dns_db_endload(xfr->db, &xfr->axfr.add_private));
+
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+static isc_result_t
+axfr_finalize(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+
 	CHECK(dns_zone_replacedb(xfr->zone, xfr->db, ISC_TRUE));
 
 	result = ISC_R_SUCCESS;
@@ -534,7 +546,7 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
 			isc_uint32_t soa_serial = dns_soa_getserial(rdata);
 			if (soa_serial == xfr->end_serial) {
 				CHECK(ixfr_commit(xfr));
-				xfr->state = XFRST_END;
+				xfr->state = XFRST_IXFR_END;
 				break;
 			} else if (soa_serial != xfr->ixfr.current_serial) {
 				xfrin_log(xfr, ISC_LOG_ERROR,
@@ -565,11 +577,12 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
 		CHECK(axfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
 		if (rdata->type == dns_rdatatype_soa) {
 			CHECK(axfr_commit(xfr));
-			xfr->state = XFRST_END;
+			xfr->state = XFRST_AXFR_END;
 			break;
 		}
 		break;
-	case XFRST_END:
+	case XFRST_AXFR_END:
+	case XFRST_IXFR_END:
 		FAIL(DNS_R_EXTRADATA);
 	default:
 		INSIST(0);
@@ -908,8 +921,7 @@ static void
 xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
 	isc_socket_connev_t *cev = (isc_socket_connev_t *) event;
 	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
-	isc_result_t evresult = cev->result;
-	isc_result_t result;
+	isc_result_t result = cev->result;
 	char sourcetext[ISC_SOCKADDR_FORMATSIZE];
 	isc_sockaddr_t sockaddr;
 
@@ -926,7 +938,9 @@ xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
 		return;
 	}
 
-	CHECK(evresult);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
 	result = isc_socket_getsockname(xfr->socket, &sockaddr);
 	if (result == ISC_R_SUCCESS) {
 		isc_sockaddr_format(&sockaddr, sourcetext, sizeof(sourcetext));
@@ -1210,7 +1224,7 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 			result = DNS_R_UNEXPECTEDID;
 		if (xfr->reqtype == dns_rdatatype_axfr ||
 		    xfr->reqtype == dns_rdatatype_soa)
-			FAIL(result);
+			goto failure;
 		xfrin_log(xfr, ISC_LOG_DEBUG(3), "got %s, retrying with AXFR",
 		       isc_result_totext(result));
  try_axfr:
@@ -1246,7 +1260,7 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 	if (result != ISC_R_SUCCESS) {
 		xfrin_log(xfr, ISC_LOG_DEBUG(3), "TSIG check failed: %s",
 		       isc_result_totext(result));
-		FAIL(result);
+		goto failure;
 	}
 
 	for (result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
@@ -1294,8 +1308,9 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 
 	} else if (dns_message_gettsigkey(msg) != NULL) {
 		xfr->sincetsig++;
-		if (xfr->sincetsig > 100 ||
-		    xfr->nmsg == 0 || xfr->state == XFRST_END)
+		if (xfr->sincetsig > 100 || xfr->nmsg == 0 ||
+		    xfr->state == XFRST_AXFR_END ||
+		    xfr->state == XFRST_IXFR_END)
 		{
 			result = DNS_R_EXPECTEDTSIG;
 			goto failure;
@@ -1316,16 +1331,22 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 
 	dns_message_destroy(&msg);
 
-	if (xfr->state == XFRST_GOTSOA) {
+	switch (xfr->state) {
+	case XFRST_GOTSOA:
 		xfr->reqtype = dns_rdatatype_axfr;
 		xfr->state = XFRST_INITIALSOA;
 		CHECK(xfrin_send_request(xfr));
-	} else if (xfr->state == XFRST_END) {
+		break;
+	case XFRST_AXFR_END:
+		CHECK(axfr_finalize(xfr));
+		/* FALLTHROUGH */
+	case XFRST_IXFR_END:
 		/*
 		 * Close the journal.
 		 */
 		if (xfr->ixfr.journal != NULL)
 			dns_journal_destroy(&xfr->ixfr.journal);
+
 		/*
 		 * Inform the caller we succeeded.
 		 */
@@ -1339,7 +1360,8 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 		 */
 		xfr->shuttingdown = ISC_TRUE;
 		maybe_free(xfr);
-	} else {
+		break;
+	default:
 		/*
 		 * Read the next message.
 		 */

lib/isc/api

@@ -1,3 +1,3 @@
 LIBINTERFACE = 38
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 2

lib/isc/unix/socket.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.237.18.70 2010/12/22 23:45:17 tbox Exp $ */
+/* $Id: socket.c,v 1.237.18.72 2011/07/21 23:45:14 tbox Exp $ */
 
 /*! \file */
 
@@ -1088,6 +1088,9 @@ build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
 #if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
 	if ((sock->type == isc_sockettype_udp)
 	    && ((dev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0)) {
+#if defined(IPV6_USE_MIN_MTU)
+		int use_min_mtu = 1;	/* -1, 0, 1 */
+#endif
 		struct cmsghdr *cmsgp;
 		struct in6_pktinfo *pktinfop;
 
@@ -1106,6 +1109,22 @@ build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
 		cmsgp->cmsg_len = cmsg_len(sizeof(struct in6_pktinfo));
 		pktinfop = (struct in6_pktinfo *)CMSG_DATA(cmsgp);
 		memcpy(pktinfop, &dev->pktinfo, sizeof(struct in6_pktinfo));
+#if defined(IPV6_USE_MIN_MTU)
+		/*
+		 * Set IPV6_USE_MIN_MTU as a per packet option as FreeBSD
+		 * ignores setsockopt(IPV6_USE_MIN_MTU) when IPV6_PKTINFO
+		 * is used.
+		 */
+		cmsgp = (struct cmsghdr *)(sock->sendcmsgbuf +
+					   msg->msg_controllen);
+		msg->msg_controllen += cmsg_space(sizeof(use_min_mtu));
+		INSIST(msg->msg_controllen <= sock->sendcmsgbuflen);
+
+		cmsgp->cmsg_level = IPPROTO_IPV6;
+		cmsgp->cmsg_type = IPV6_USE_MIN_MTU;
+		cmsgp->cmsg_len = cmsg_len(sizeof(use_min_mtu));
+		memcpy(CMSG_DATA(cmsgp), &use_min_mtu, sizeof(use_min_mtu));
+#endif
 	}
 #endif /* USE_CMSG && ISC_PLATFORM_HAVEIPV6 */
 #else /* ISC_NET_BSD44MSGHDR */
@@ -1724,7 +1743,14 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 
 	cmsgbuflen = 0;
 #if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
-	cmsgbuflen = cmsg_space(sizeof(struct in6_pktinfo));
+	cmsgbuflen += cmsg_space(sizeof(struct in6_pktinfo));
+#if defined(IPV6_USE_MIN_MTU)
+	/*
+	 * Provide space for working around FreeBSD's broken IPV6_USE_MIN_MTU
+	 * support.
+	 */
+	cmsgbuflen += cmsg_space(sizeof(int));
+#endif
 #endif
 	sock->sendcmsgbuflen = cmsgbuflen;
 	if (sock->sendcmsgbuflen != 0U) {
@@ -2055,10 +2081,18 @@ opensocket(isc_socketmgr_t *manager, isc_socket_t *sock) {
 #endif /* ISC_PLATFORM_HAVEIN6PKTINFO */
 #ifdef IPV6_USE_MIN_MTU        /* RFC 3542, not too common yet*/
 		/* use minimum MTU */
-		if (sock->pf == AF_INET6) {
-			(void)setsockopt(sock->fd, IPPROTO_IPV6,
-					 IPV6_USE_MIN_MTU,
-					 (void *)&on, sizeof(on));
+		if (sock->pf == AF_INET6 &&
+		    setsockopt(sock->fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
+			       (void *)&on, sizeof(on)) < 0) {
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IPV6_USE_MIN_MTU) "
+					 "%s: %s", sock->fd,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+					 strbuf);
 		}
 #endif
 #endif /* ISC_PLATFORM_HAVEIPV6 */

util/copyrights

@@ -2069,7 +2069,7 @@
 ./lib/dns/win32/libdns.dsw			X	2001
 ./lib/dns/win32/libdns.mak			X	2001,2002,2003,2004,2005,2006
 ./lib/dns/win32/version.c			C	1998,1999,2000,2001,2004
-./lib/dns/xfrin.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008
+./lib/dns/xfrin.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2011
 ./lib/dns/zone.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011
 ./lib/dns/zonekey.c				C	2001,2003,2004,2005
 ./lib/dns/zt.c					C	1999,2000,2001,2002,2004,2005
@@ -2300,7 +2300,7 @@
 ./lib/isc/unix/net.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2008
 ./lib/isc/unix/os.c				C	2000,2001,2004,2005
 ./lib/isc/unix/resource.c			C	2000,2001,2004,2008,2009
-./lib/isc/unix/socket.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010
+./lib/isc/unix/socket.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011
 ./lib/isc/unix/socket_p.h			C	2000,2001,2004,2005,2008
 ./lib/isc/unix/stdio.c				C	2000,2001,2004,2011
 ./lib/isc/unix/stdtime.c			C	1999,2000,2001,2004,2005

version

@@ -1,4 +1,4 @@
-# $Id: version,v 1.29.134.34 2011/05/23 22:34:02 marka Exp $
+# $Id: version,v 1.29.134.35 2011/07/21 02:11:00 marka Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=4
 PATCHVER=
 RELEASETYPE=-ESV
-RELEASEVER=-R5rc1
+RELEASEVER=-R5