Compare commits

...

26 Commits

Author SHA1 Message Date
cvs2git
18f7c6fcac This commit was manufactured by cvs2git to create branch 'sp4560'. 2011-07-24 08:07:31 +00:00
Mark Andrews
3987bc43d9 remove RELEASE-NOTES-BIND-9.6-ESV.xml 2011-07-24 08:07:30 +00:00
Automatic Updater
249100742c update copyright notice 2011-07-24 08:05:48 +00:00
Mark Andrews
b742c87a08 9.6-ESV-R5 2011-07-24 07:58:31 +00:00
Automatic Updater
39bd472355 update 2011-07-22 00:15:49 +00:00
Automatic Updater
df4d76e4af update copyright notice 2011-07-21 23:46:12 +00:00
Automatic Updater
0af3ddd7aa newcopyrights 2011-07-21 23:30:14 +00:00
Automatic Updater
cb1750eeba update 2011-07-21 07:15:48 +00:00
Mark Andrews
2343159252 s/fallbackas/fallback as/ 2011-07-21 06:23:20 +00:00
Mark Andrews
4516da053b 9.6-ESV-R5 2011-07-21 06:16:58 +00:00
Automatic Updater
1e2061295a update 2011-07-21 03:15:47 +00:00
Mark Andrews
5a6573cac1 9.6-ESV-R5 2011-07-21 02:48:13 +00:00
Mark Andrews
4c6a741bf8 update changes note 2011-07-21 02:36:13 +00:00
Automatic Updater
2d60879034 update 2011-07-21 02:15:57 +00:00
Mark Andrews
de13ce5a11 3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
                        [RT #24950]
2011-07-21 01:48:05 +00:00
Automatic Updater
6ff1fd74b2 update 2011-07-21 00:15:47 +00:00
Automatic Updater
cd80d14af5 update copyright notice 2011-07-20 23:46:20 +00:00
Automatic Updater
4653bb36ff update 2011-07-20 15:15:39 +00:00
Curtis Blackburn
c7ad49649e added #include <stdlib.h> to lib/dns/zone.c 2011-07-20 14:32:53 +00:00
Automatic Updater
6e6410e0bf update 2011-07-20 01:15:48 +00:00
Curtis Blackburn
6a2e1ce0d7 3132.[bug]Workaround for excessive startup time with
large number of zones;
 allow setting of an environment variable to tune
 the number of tasks. default is 8, reccommend
 200 zones per task. If you have 200000 zones:
 csh: setenv BIND9_ZONE_TASKS_HINT 1000
 sh:  BIND9_ZONE_TASKS_HINT=1000;
      export BIND9_ZONE_TASKS_HINT
 Applicable to 9.7, 9.6, auto-tuned in 9.8 and up.
2011-07-20 00:33:35 +00:00
Automatic Updater
0a8e2b14aa update 2011-06-21 22:15:44 +00:00
Evan Hunt
5d2c608d5a Add the newly discovered PoD to the nsupdate test. (No CHANGES note.) 2011-06-21 22:14:29 +00:00
Automatic Updater
47a8e740a0 update 2011-06-17 00:15:56 +00:00
Automatic Updater
8547ac2268 update copyright notice 2011-06-16 23:46:05 +00:00
Automatic Updater
5499083f12 update 2011-06-16 02:15:46 +00:00
17 changed files with 321 additions and 418 deletions

22
CHANGES
View File

@@ -1,5 +1,27 @@
--- 9.6-ESV-R5 released ---
3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
[RT #24950]
3132. [bug] Workaround for excessive startup time with large
number of zones; allow setting of an environment
variable to tune the number of tasks, default is 8,
recommends 200 zones per task. If you have 200000
zones set the BIND9_ZONE_TASKS_HINT environment
variable to 1000 before starting named:
csh: setenv BIND9_ZONE_TASKS_HINT 1000
sh: BIND9_ZONE_TASKS_HINT=1000;
export BIND9_ZONE_TASKS_HINT
Applicable to 9.7, 9.6, auto-tuned in 9.8 and up.
[RT #25084]
--- 9.6-ESV-R5rc1 released ---
3124. [bug] Use an rdataset attribute flag to indicate
3124. [bug] Use an rdataset attribute flag to indicate
negative-cache records rather than using rrtype 0;
this will prevent problems when that rrtype is

10
README
View File

@@ -42,9 +42,15 @@ BIND 9
Stichting NLnet - NLnet Foundation
Nominum, Inc.
BIND 9.6.3
BIND 9.6-ESV-R5 (Extended Support Version)
BIND 9.6.3 is a maintenance release, fixing bugs in 9.6.2.
BIND 9.4-ESV-R5 is a maintenance release, fixing bugs in BIND
9.6-ESV-R4.
BIND 9.6.3/BIND 9.6-ESV-R4
BIND 9.6.3/BIND 9.6-ESV-R4 is a maintenance release, fixing bugs
in 9.6.2.
BIND 9.6.2

View File

@@ -1,48 +1,66 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
<!--
- Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397648"></a>Introduction</h2></div></div></div>
<!-- $Id: RELEASE-NOTES-BIND-9.6-ESV.html,v 1.1.24.9 2011/07/24 08:05:48 tbox Exp $ -->
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.71.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><hr /></div>
<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3359830"></a>Introduction</h2></div></div></div>
<p>
BIND 9.6-ESV-R5rc1 is the first release
candidate of BIND 9.6-ESV-R5.
BIND 9.6-ESV-R5 is the current production release
of BIND 9.6.
</p>
<p>
This document summarizes changes from BIND 9.6-ESV-R4 to BIND 9.6-ESV-R5rc1.
This document summarizes changes from BIND 9.6-ESV-R4 to BIND 9.6-ESV-R5.
Please see the CHANGES file in the source code release for a
complete list of all changes.
</p>
</div>
<div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397612"></a>Download</h2></div></div></div>
<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3359873"></a>Download</h2></div></div></div>
<p>
The latest release of BIND 9 software can always be found
on our web site at
<a class="ulink" href="http://www.isc.org/downloads/all" target="_top">http://www.isc.org/downloads/all</a>.
<a href="http://www.isc.org/downloads/all" target="_top">http://www.isc.org/downloads/all</a>.
There you will find additional information about each release,
source code, and some pre-compiled versions for certain operating
systems.
</p>
</div>
<div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397703"></a>Support</h2></div></div></div>
<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3358813"></a>Support</h2></div></div></div>
<p>Product support information is available on
<a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
<a href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
for paid support options. Free support is provided by our user
community via a mailing list. Information on all public email
lists is available at
<a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
<a href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
</p>
</div>
<div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397838"></a>New Features</h2></div></div></div>
<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3358862"></a>New Features</h2></div></div></div>
<div class="section" title="9.6-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1397843"></a>9.6-ESV-R5rc1</h3></div></div></div>
<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id3358903"></a>9.6-ESV-R5</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
<div class="itemizedlist"><ul type="disc"><li>
Added a tool able to generate malformed packets to allow testing
of how named handles them.
[RT #24096]
@@ -50,122 +68,146 @@ of how named handles them.
</div>
</div>
<div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397763"></a>Security Fixes</h2></div></div></div>
<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3358941"></a>Security Fixes</h2></div></div></div>
<div class="section" title="9.6-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1397821"></a>9.6-ESV-R5rc1</h3></div></div></div>
<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id3358961"></a>9.6-ESV-R5</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
Change #2912 (see CHANGES) exposed a latent bug in the DNS message
processing code that could allow certain UPDATE requests to crash named.
[RT #24777] [CVE-2011-2464]
</li><li class="listitem">
<div class="itemizedlist"><ul type="disc"><li>
named, set up to be a caching resolver, is vulnerable to a
user querying a domain with very large resource record sets (RRSets)
when trying to negatively cache the response. Due to an off-by-one
error, caching the response could cause named to crash. [RT #24650]
[CVE-2011-1910]
</li><li>
Change #2912 populated the message section in replies to UPDATE requests,
which some Windows clients wanted. This exposed a latent bug that allowed
the response message to crash named. With this fix, change 2912 has been
reduced to copy only the zone section to the reply. A more complete fix
for the latent bug will be released later.
[RT #24777]
</li></ul></div>
</div>
</div>
<div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397866"></a>Feature Changes</h2></div></div></div>
<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3359009"></a>Feature Changes</h2></div></div></div>
<div class="section" title="9.6-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1397871"></a>9.6-ESV-R5rc1</h3></div></div></div>
<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id3359028"></a>9.6-ESV-R5</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
<div class="itemizedlist"><ul type="disc"><li>
Merged in the NetBSD ATF test framework (currently
version 0.12) for development of future unit tests.
Use configure --with-atf to build ATF internally
or configure --with-atf=prefix to use an external
copy. [RT #23209]
</li><li class="listitem">
</li><li>
Added more verbose error reporting from DLZ LDAP. [RT #23402]
</li><li class="listitem">
</li><li>
Replaced compile time constant with STDTIME_ON_32BITS.
[RT #23587]
</li></ul></div>
</div>
</div>
<div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1397893"></a>Bug Fixes</h2></div></div></div>
<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3359049"></a>Bug Fixes</h2></div></div></div>
<div class="section" title="9.6-ESV-R5rc1"><div class="titlepage"><div><div><h3 class="title"><a id="id1397899"></a>9.6-ESV-R5rc1</h3></div></div></div>
<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id3359056"></a>9.6-ESV-R5</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
Improved the mechanism for flagging database entries as negative
cache records; the former method, RR type 0, could be ambiguous.
[RT #24777]
</li><li class="listitem">
<div class="itemizedlist"><ul type="disc"><li>
<p>
During RFC5011 processing some journal write errors were not detected.
This could lead to managed-keys changes being committed but not
recorded in the journal files, causing potential inconsistencies
during later processing. [RT #20256]
</li><li class="listitem">
</p>
<p>
A potential NULL pointer deference in the DNS64 code could cause
named to terminate unexpectedly. [RT #20256]
</li><li class="listitem">
</p>
<p>
A state variable relating to DNSSEC could fail to be set during
some infrequently-executed code paths, allowing it to be used whilst
in an unitialized state during cache updates, with unpredictable results.
[RT #20256]
</li><li class="listitem">
</p>
<p>
A potential NULL pointer deference in DNSSEC signing code could
cause named to terminate unexpectedly [RT #20256]
</li><li class="listitem">
</p>
<p>
Several cosmetic code changes were made to silence warnings
generated by a static code analysis tool. [RT #20256]
</li><li class="listitem">
</p>
</li><li>
When using _builtin in named.conf, named.conf changes were not found
when reloading the config file. Now checks _builtin zone arguments
to see if the zone is re-usable or not. [RT #21914]
</li><li>
After an external code review, a code cleanup was done. [RT #22521]
</li><li>
When signing records, named didn't filter out any TTL changes
to DNSKEY records. This resulted in an incomplete key set. TTL
changes are now dealt with before signing. [RT #22590]
</li><li>
The IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL macros in win32 were
updated/corrected per current Windows OS. [RT #22724]
</li><li>
Cause named to terminate at startup or rndc reconfig
reload to fail, if a log file specified in the
conf file isn't a plain file. (RT #22771]
</li><li class="listitem">
After an external code review, a code cleanup was done. [RT #22521]
</li><li class="listitem">
</li><li>
named now forces the ADB cache time for glue related data to zero
instead of relying on TTL. This corrects problematic behavior in cases
where a server was authoritative for the A record of a nameserver for a
delegated zone and was queried to recursively resolve records within
that zone. [RT #22842]
</li><li class="listitem">
</li><li>
Fix the zonechecks system test to fail on error (warning in 9.6,
fatal in 9.7) to match behaviour for 9.4. [RT #22905]
</li><li class="listitem">
Fixed precedence order bug with NS and DNAME records if both are
present. (Also fixed timing of autosign test in 9.7+) [RT #23035]
</li><li class="listitem">
</li><li>
The "rndc" command usage statement was missing the "-b" option.
[RT #22937]
</li><li>
Fixed a possible deadlock due to zone re-signing. [RT #22964]
</li><li>
Fixed precedence order bug with NS and DNAME records if both are present.
(Also fixed timing of autosign test in 9.7+) [RT #23035]
</li><li>
The secure zone update feature in named is based on the zone being
signed and configured for dynamic updates. A bug in the ACL processing
for "allow-update { none; };" resulted in a zone that is supposed to
be static being treated as a dynamic zone. Thus, named would try to
sign/re-sign that zone erroneously. [RT #23120]
</li><li class="listitem">
</li><li>
A new test has been added to check the apex NSEC3 records after DNSKEY
records have been added via dynamic update. [RT #23229]
</li><li>
If a slave initiates a TSIG signed AXFR from the master and the master
fails to correctly TSIG sign the final message, the slave would be left
with the zone in an unclean state. named detected this error too late
and named would crash with an INSIST. The order dependancy has been
fixed. [RT #23254]
</li><li class="listitem">
</li><li>
If the server has an IPv6 address but does not have IPv6 connectivity
to the internet, dig +trace could fail attempting to use IPv6
addresses. [RT #23297]
</li><li class="listitem">
</li><li>
Changing TTL did not cause dnssec-signzone to generate new signatures.
[RT #23330]
</li><li class="listitem">
</li><li>
Have the validating resolver use RRSIG original TTL to compute
validated RRset and RRSIG TTL. [RT #23332]
</li><li class="listitem">
</li><li>
In "make test" bin/tests/resolver, hold the socket manager lock
while freeing the socket.
[RT #23333]
</li><li class="listitem">
</li><li>
If named encountered a CNAME instead of a DS record when walking
the chain of trust down from the trust anchor, it incorrectly stopped
validating. [RT #23338]
</li><li class="listitem">
</li><li>
RRSIG records could have time stamps too far in the future.
[RT #23356]
</li><li class="listitem">
</li><li>
named stores cached data in an in-memory database and keeps track of
how recently the data is used with a heap. The heap is stored within the
cache's memory space. Under a sustained high query load and with a small
@@ -176,61 +218,77 @@ the cache memory the heap used up and never recovering.
This fix removes the heap into its own memory space, preventing the heap
from exhausting the cache space and allowing named to recover gracefully
when the high query load abates. [RT #23371]
</li><li class="listitem">
</li><li>
If running on a powerpc CPU and with atomic operations enabled,
named could lock up. Added sync instructions to the end of atomic
operations. [RT #23469]
</li><li class="listitem">
</li><li>
If OpenSSL was built without engine support, named would have
compile errors and fail to build.
[RT #23473]
</li><li class="listitem">
</li><li>
Handle isc_event_allocate failures in t_tasks test.
[RT #23572]
</li><li class="listitem">
</li><li>
ixfr-from-differences {master|slave};
failed to select the master/slave zones, resulting in on diff/journal
file being created.
[RT #23580]
</li><li class="listitem">
</li><li>
If a DNAME substitution failed, named returned NOERROR. The correct
response should be YXDOMAIN.
[RT #23591]
</li><li class="listitem">
</li><li>
Remove bin/tests/system/logfileconfig/ns1/named.conf and
add setup.sh in order to resolve changing named.conf issue. [RT #23687]
</li><li class="listitem">
</li><li>
NOTIFY messages were not being sent when generating
a NSEC3 chain incrementally. [RT #23702]
</li><li class="listitem">
</li><li>
Signatures for records at the zone apex could go
stale due to an incorrect timer setting. [RT #23769]
</li><li class="listitem">
</li><li>
The autosign tests attempted to open ports within reserved ranges. Test
now avoids those ports.
[RT #23957]
</li><li class="listitem">
</li><li>
named, acting as authoritative server for DLZ zones, was not correctly
setting the authoritative (AA) bit.
[RT #24146]
</li><li>
Clean up some cross-compiling issues and added two undocumented
configure options, --with-gost and --with-rlimtype, to allow over-riding
default settings (gost=no and rlimtype="long int") when cross-compiling.
[RT #24367]
</li><li class="listitem">
</li><li>
When trying sign with NSEC3, if dnssec-signzone couldn't find the
KSK, it would give an incorrect error "NSEC3 iterations too big for
weakest DNSKEY strength" rather than the correct "failed to find
keys at the zone apex: not found" [RT #24369]
</li><li class="listitem">
</li><li>
nsupdate could dump core on shutdown when using SIG(0) keys. [RT #24604]
</li><li class="listitem">
</li><li>
Named could fail to validate zones list in a DLV that validated insecure
without using DLV and had DS records in the parent zone. [RT #24631]
</li><li>
A bug in FreeBSD kernels causes IPv6 UDP responses greater than
1280 bytes to not fragment as they should. Until there is a kernel
fix, named will work around this by setting IPV6_USE_MIN_MTU on a
per packet basis. [RT #24950]
</li><li>
To avoid excessive startup time for configurations with large numbers
of zones, an environment variable, BIND9_ZONE_TASKS_HINTS, may now
be set prior to starting named. Divide your number of zones by 200
to find the recommended setting for this environment variable (i.e.,
if you have 200000 zones, set BIND9_ZONE_TASKS_HINTS to 1000 before
starting named). [RT #25084]
</li></ul></div>
</div>
</div>
<div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1398060"></a>Known issues in this release</h2></div></div></div>
<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3359404"></a>Known issues in this release</h2></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
<div class="itemizedlist"><ul type="disc"><li>
<p>
"make test" will fail on OSX and possibly other operating systems.
The failure occurs in a new test to check for allow-query ACLs.
@@ -249,13 +307,13 @@ without using DLV and had DS records in the parent zone. [RT #24631]
</li></ul></div>
</div>
<div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id1398098"></a>Thank You</h2></div></div></div>
<div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3359438"></a>Thank You</h2></div></div></div>
<p>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to make
quality open source software, please visit our donations page at
<a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
<a href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
</p>
</div>
</div></body></html>

Binary file not shown.

View File

@@ -2,11 +2,11 @@
Introduction
BIND 9.6-ESV-R5rc1 is the first release candidate of BIND 9.6-ESV-R5.
BIND 9.6-ESV-R5 is the current production release of BIND 9.6.
This document summarizes changes from BIND 9.6-ESV-R4 to BIND
9.6-ESV-R5rc1. Please see the CHANGES file in the source code release
for a complete list of all changes.
9.6-ESV-R5. Please see the CHANGES file in the source code release for
a complete list of all changes.
Download
@@ -25,27 +25,30 @@ Support
New Features
9.6-ESV-R5rc1
9.6-ESV-R5
* Added a tool able to generate malformed packets to allow testing of
how named handles them. [RT #24096]
Security Fixes
9.6-ESV-R5rc1
9.6-ESV-R5
* Change #2912 (see CHANGES) exposed a latent bug in the DNS message
processing code that could allow certain UPDATE requests to crash
named. [RT #24777] [CVE-2011-2464]
* named, set up to be a caching resolver, is vulnerable to a user
querying a domain with very large resource record sets (RRSets)
when trying to negatively cache the response. Due to an off-by-one
error, caching the response could cause named to crash. [RT #24650]
[CVE-2011-1910]
* Change #2912 populated the message section in replies to UPDATE
requests, which some Windows clients wanted. This exposed a latent
bug that allowed the response message to crash named. With this
fix, change 2912 has been reduced to copy only the zone section to
the reply. A more complete fix for the latent bug will be released
later. [RT #24777]
Feature Changes
9.6-ESV-R5rc1
9.6-ESV-R5
* Merged in the NetBSD ATF test framework (currently version 0.12)
for development of future unit tests. Use configure --with-atf to
@@ -56,29 +59,34 @@ Feature Changes
Bug Fixes
9.6-ESV-R5rc1
9.6-ESV-R5
* Improved the mechanism for flagging database entries as negative
cache records; the former method, RR type 0, could be ambiguous.
[RT #24777]
* During RFC5011 processing some journal write errors were not
detected. This could lead to managed-keys changes being committed
but not recorded in the journal files, causing potential
inconsistencies during later processing. [RT #20256]
* A potential NULL pointer deference in the DNS64 code could cause
A potential NULL pointer deference in the DNS64 code could cause
named to terminate unexpectedly. [RT #20256]
* A state variable relating to DNSSEC could fail to be set during
A state variable relating to DNSSEC could fail to be set during
some infrequently-executed code paths, allowing it to be used
whilst in an unitialized state during cache updates, with
unpredictable results. [RT #20256]
* A potential NULL pointer deference in DNSSEC signing code could
A potential NULL pointer deference in DNSSEC signing code could
cause named to terminate unexpectedly [RT #20256]
* Several cosmetic code changes were made to silence warnings
Several cosmetic code changes were made to silence warnings
generated by a static code analysis tool. [RT #20256]
* When using _builtin in named.conf, named.conf changes were not
found when reloading the config file. Now checks _builtin zone
arguments to see if the zone is re-usable or not. [RT #21914]
* After an external code review, a code cleanup was done. [RT #22521]
* When signing records, named didn't filter out any TTL changes to
DNSKEY records. This resulted in an incomplete key set. TTL changes
are now dealt with before signing. [RT #22590]
* The IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL macros in win32
were updated/corrected per current Windows OS. [RT #22724]
* Cause named to terminate at startup or rndc reconfig reload to
fail, if a log file specified in the conf file isn't a plain file.
(RT #22771]
* After an external code review, a code cleanup was done. [RT #22521]
* named now forces the ADB cache time for glue related data to zero
instead of relying on TTL. This corrects problematic behavior in
cases where a server was authoritative for the A record of a
@@ -86,6 +94,9 @@ Bug Fixes
resolve records within that zone. [RT #22842]
* Fix the zonechecks system test to fail on error (warning in 9.6,
fatal in 9.7) to match behaviour for 9.4. [RT #22905]
* The "rndc" command usage statement was missing the "-b" option. [RT
#22937]
* Fixed a possible deadlock due to zone re-signing. [RT #22964]
* Fixed precedence order bug with NS and DNAME records if both are
present. (Also fixed timing of autosign test in 9.7+) [RT #23035]
* The secure zone update feature in named is based on the zone being
@@ -93,6 +104,8 @@ Bug Fixes
processing for "allow-update { none; };" resulted in a zone that is
supposed to be static being treated as a dynamic zone. Thus, named
would try to sign/re-sign that zone erroneously. [RT #23120]
* A new test has been added to check the apex NSEC3 records after
DNSKEY records have been added via dynamic update. [RT #23229]
* If a slave initiates a TSIG signed AXFR from the master and the
master fails to correctly TSIG sign the final message, the slave
would be left with the zone in an unclean state. named detected
@@ -141,6 +154,8 @@ Bug Fixes
incorrect timer setting. [RT #23769]
* The autosign tests attempted to open ports within reserved ranges.
Test now avoids those ports. [RT #23957]
* named, acting as authoritative server for DLZ zones, was not
correctly setting the authoritative (AA) bit. [RT #24146]
* Clean up some cross-compiling issues and added two undocumented
configure options, --with-gost and --with-rlimtype, to allow
over-riding default settings (gost=no and rlimtype="long int") when
@@ -154,6 +169,16 @@ Bug Fixes
* Named could fail to validate zones list in a DLV that validated
insecure without using DLV and had DS records in the parent zone.
[RT #24631]
* A bug in FreeBSD kernels causes IPv6 UDP responses greater than
1280 bytes to not fragment as they should. Until there is a kernel
fix, named will work around this by setting IPV6_USE_MIN_MTU on a
per packet basis. [RT #24950]
* To avoid excessive startup time for configurations with large
numbers of zones, an environment variable, BIND9_ZONE_TASKS_HINTS,
may now be set prior to starting named. Divide your number of zones
by 200 to find the recommended setting for this environment
variable (i.e., if you have 200000 zones, set
BIND9_ZONE_TASKS_HINTS to 1000 before starting named). [RT #25084]
Known issues in this release

View File

@@ -1,306 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<article xmlns="http://docbook.org/ns/docbook"
xmlns:xl="http://www.w3.org/1999/xlink" version="5.0">
<section>
<title>Introduction</title>
<para>
BIND 9.6-ESV-R5rc1 is the first release
candidate of BIND 9.6-ESV-R5.
</para>
<para>
This document summarizes changes from BIND 9.6-ESV-R4 to BIND 9.6-ESV-R5rc1.
Please see the CHANGES file in the source code release for a
complete list of all changes.
</para>
</section>
<section>
<title>Download</title>
<para>
The latest release of BIND 9 software can always be found
on our web site at
<link xl:href="http://www.isc.org/downloads/all">http://www.isc.org/downloads/all</link>.
There you will find additional information about each release,
source code, and some pre-compiled versions for certain operating
systems.
</para>
</section>
<section>
<title>Support</title>
<para>Product support information is available on
<link xl:href="http://www.isc.org/services/support">http://www.isc.org/services/support</link>
for paid support options. Free support is provided by our user
community via a mailing list. Information on all public email
lists is available at
<link xl:href="https://lists.isc.org/mailman/listinfo">https://lists.isc.org/mailman/listinfo</link>.
</para>
</section>
<section>
<title>New Features</title>
<section>
<title>9.6-ESV-R5rc1</title>
<itemizedlist>
<listitem>
Added a tool able to generate malformed packets to allow testing
of how named handles them.
[RT #24096]
</listitem>
</itemizedlist>
</section>
</section>
<section>
<title>Security Fixes</title>
<section>
<title>9.6-ESV-R5rc1</title>
<itemizedlist>
<listitem>
Change #2912 (see CHANGES) exposed a latent bug in the DNS message
processing code that could allow certain UPDATE requests to crash named.
[RT #24777] [CVE-2011-2464]
</listitem>
<listitem>
named, set up to be a caching resolver, is vulnerable to a
user querying a domain with very large resource record sets (RRSets)
when trying to negatively cache the response. Due to an off-by-one
error, caching the response could cause named to crash. [RT #24650]
[CVE-2011-1910]
</listitem>
</itemizedlist>
</section>
</section>
<section>
<title>Feature Changes</title>
<section>
<title>9.6-ESV-R5rc1</title>
<itemizedlist>
<listitem>
Merged in the NetBSD ATF test framework (currently
version 0.12) for development of future unit tests.
Use configure --with-atf to build ATF internally
or configure --with-atf=prefix to use an external
copy. [RT #23209]
</listitem>
<listitem>
Added more verbose error reporting from DLZ LDAP. [RT #23402]
</listitem>
<listitem>
Replaced compile time constant with STDTIME_ON_32BITS.
[RT #23587]
</listitem>
</itemizedlist>
</section>
</section>
<section>
<title>Bug Fixes</title>
<section>
<title>9.6-ESV-R5rc1</title>
<itemizedlist>
<listitem>
Improved the mechanism for flagging database entries as negative
cache records; the former method, RR type 0, could be ambiguous.
[RT #24777]
</listitem>
<listitem>
During RFC5011 processing some journal write errors were not detected.
This could lead to managed-keys changes being committed but not
recorded in the journal files, causing potential inconsistencies
during later processing. [RT #20256]
</listitem>
<listitem>
A potential NULL pointer deference in the DNS64 code could cause
named to terminate unexpectedly. [RT #20256]
</listitem>
<listitem>
A state variable relating to DNSSEC could fail to be set during
some infrequently-executed code paths, allowing it to be used whilst
in an unitialized state during cache updates, with unpredictable results.
[RT #20256]
</listitem>
<listitem>
A potential NULL pointer deference in DNSSEC signing code could
cause named to terminate unexpectedly [RT #20256]
</listitem>
<listitem>
Several cosmetic code changes were made to silence warnings
generated by a static code analysis tool. [RT #20256]
</listitem>
<listitem>
Cause named to terminate at startup or rndc reconfig
reload to fail, if a log file specified in the
conf file isn't a plain file. (RT #22771]
</listitem>
<listitem>
After an external code review, a code cleanup was done. [RT #22521]
</listitem>
<listitem>
named now forces the ADB cache time for glue related data to zero
instead of relying on TTL. This corrects problematic behavior in cases
where a server was authoritative for the A record of a nameserver for a
delegated zone and was queried to recursively resolve records within
that zone. [RT #22842]
</listitem>
<listitem>
Fix the zonechecks system test to fail on error (warning in 9.6,
fatal in 9.7) to match behaviour for 9.4. [RT #22905]
</listitem>
<listitem>
Fixed precedence order bug with NS and DNAME records if both are
present. (Also fixed timing of autosign test in 9.7+) [RT #23035]
</listitem>
<listitem>
The secure zone update feature in named is based on the zone being
signed and configured for dynamic updates. A bug in the ACL processing
for "allow-update { none; };" resulted in a zone that is supposed to
be static being treated as a dynamic zone. Thus, named would try to
sign/re-sign that zone erroneously. [RT #23120]
</listitem>
<listitem>
If a slave initiates a TSIG signed AXFR from the master and the master
fails to correctly TSIG sign the final message, the slave would be left
with the zone in an unclean state. named detected this error too late
and named would crash with an INSIST. The order dependancy has been
fixed. [RT #23254]
</listitem>
<listitem>
If the server has an IPv6 address but does not have IPv6 connectivity
to the internet, dig +trace could fail attempting to use IPv6
addresses. [RT #23297]
</listitem>
<listitem>
Changing TTL did not cause dnssec-signzone to generate new signatures.
[RT #23330]
</listitem>
<listitem>
Have the validating resolver use RRSIG original TTL to compute
validated RRset and RRSIG TTL. [RT #23332]
</listitem>
<listitem>
In "make test" bin/tests/resolver, hold the socket manager lock
while freeing the socket.
[RT #23333]
</listitem>
<listitem>
If named encountered a CNAME instead of a DS record when walking
the chain of trust down from the trust anchor, it incorrectly stopped
validating. [RT #23338]
</listitem>
<listitem>
RRSIG records could have time stamps too far in the future.
[RT #23356]
</listitem>
<listitem>
named stores cached data in an in-memory database and keeps track of
how recently the data is used with a heap. The heap is stored within the
cache's memory space. Under a sustained high query load and with a small
cache size, this could lead to the heap exhausting the cache space. This
would result in cache misses and SERVFAILs, with named never releasing
the cache memory the heap used up and never recovering.
This fix removes the heap into its own memory space, preventing the heap
from exhausting the cache space and allowing named to recover gracefully
when the high query load abates. [RT #23371]
</listitem>
<listitem>
If running on a powerpc CPU and with atomic operations enabled,
named could lock up. Added sync instructions to the end of atomic
operations. [RT #23469]
</listitem>
<listitem>
If OpenSSL was built without engine support, named would have
compile errors and fail to build.
[RT #23473]
</listitem>
<listitem>
Handle isc_event_allocate failures in t_tasks test.
[RT #23572]
</listitem>
<listitem>
ixfr-from-differences {master|slave};
failed to select the master/slave zones, resulting in on diff/journal
file being created.
[RT #23580]
</listitem>
<listitem>
If a DNAME substitution failed, named returned NOERROR. The correct
response should be YXDOMAIN.
[RT #23591]
</listitem>
<listitem>
Remove bin/tests/system/logfileconfig/ns1/named.conf and
add setup.sh in order to resolve changing named.conf issue. [RT #23687]
</listitem>
<listitem>
NOTIFY messages were not being sent when generating
a NSEC3 chain incrementally. [RT #23702]
</listitem>
<listitem>
Signatures for records at the zone apex could go
stale due to an incorrect timer setting. [RT #23769]
</listitem>
<listitem>
The autosign tests attempted to open ports within reserved ranges. Test
now avoids those ports.
[RT #23957]
</listitem>
<listitem>
Clean up some cross-compiling issues and added two undocumented
configure options, --with-gost and --with-rlimtype, to allow over-riding
default settings (gost=no and rlimtype="long int") when cross-compiling.
[RT #24367]
</listitem>
<listitem>
When trying sign with NSEC3, if dnssec-signzone couldn't find the
KSK, it would give an incorrect error "NSEC3 iterations too big for
weakest DNSKEY strength" rather than the correct "failed to find
keys at the zone apex: not found" [RT #24369]
</listitem>
<listitem>
nsupdate could dump core on shutdown when using SIG(0) keys. [RT #24604]
</listitem>
<listitem>
Named could fail to validate zones list in a DLV that validated insecure
without using DLV and had DS records in the parent zone. [RT #24631]
</listitem>
</itemizedlist>
</section>
</section>
<section>
<title>Known issues in this release</title>
<itemizedlist>
<listitem>
<para>
"make test" will fail on OSX and possibly other operating systems.
The failure occurs in a new test to check for allow-query ACLs.
The failure is caused because the source address is not specified on
the dig commands issued in the test.
</para>
<para>
If running "make test" is part of your usual acceptance process,
please edit the file <code>bin/tests/system/allow_query/test.sh</code>
and add
<para>
<code>-b 10.53.0.2</code>
</para>
to the <code>DIGOPTS</code> line.
</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Thank You</title>
<para>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to make
quality open source software, please visit our donations page at
<link xl:href="http://www.isc.org/supportisc">http://www.isc.org/supportisc</link>.
</para>
</section>
</article>

View File

@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.25.332.4 2011/06/09 00:16:33 each Exp $
# $Id: tests.sh,v 1.25.332.5 2011/06/21 22:14:29 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -124,6 +124,18 @@ then
status=1
fi
n=`expr $n + 1`
echo "I:check that update to undefined class is handled ($n)"
echo "a0e4280000010001000000000000060101c00c000000fe000000000000" |
$PERL ../packet.pl -a 10.53.0.1 -p 5300 -t tcp > /dev/null
$DIG +tcp version.bind txt ch @10.53.0.1 -p 5300 > dig.out.ns1.$n
grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
if test $ret -ne 0
then
echo "I:failed"
status=1
fi
if $PERL -e 'use Net::DNS;' 2>/dev/null
then
echo "I:running update.pl test"

View File

@@ -16,7 +16,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.h.in,v 1.106.40.25 2011/02/27 06:27:31 marka Exp $ */
/* $Id: config.h.in,v 1.106.40.26 2011/07/20 00:33:29 ckb Exp $ */
/*! \file */
@@ -190,6 +190,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <fcntl.h> header file. */
#undef HAVE_FCNTL_H
/* Define to 1 if you have the `getenv' function. */
#undef HAVE_GETENV
/* Define to 1 if you have the <gssapi/gssapi.h> header file. */
#undef HAVE_GSSAPI_GSSAPI_H
@@ -336,6 +339,9 @@ int sigwait(const unsigned int *set, int *sig);
(O_NDELAY/O_NONBLOCK). */
#undef PORT_NONBLOCK
/* The size of `void *', as computed by sizeof. */
#undef SIZEOF_VOID_P
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS

19
configure vendored
View File

@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
#
# $Id: configure,v 1.443.26.29 2011/05/05 19:23:28 tbox Exp $
# $Id: configure,v 1.443.26.30 2011/07/20 00:33:29 ckb Exp $
#
# Portions of this code release fall under one or more of the
# following Copyright notices. Please see individual source
@@ -517,7 +517,7 @@
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
# OF THE POSSIBILITY OF SUCH DAMAGE.
#
# From configure.in Revision.
# From configure.in Revision: 1.457.26.34 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.67.
#
@@ -20580,6 +20580,21 @@ $as_echo "#define FLEXIBLE_ARRAY_MEMBER /**/" >>confdefs.h
fi
#
# Check for getenv()
#
for ac_func in getenv
do :
ac_fn_c_check_func "$LINENO" "getenv" "ac_cv_func_getenv"
if test "x$ac_cv_func_getenv" = x""yes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_GETENV 1
_ACEOF
fi
done
#
# UnixWare 7.1.1 with the feature supplement to the UDK compiler
# is reported to not support "static inline" (RT #1212).

View File

@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
AC_REVISION($Revision: 1.457.26.34 $)
AC_REVISION($Revision: 1.457.26.35 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.59)
@@ -282,6 +282,11 @@ AC_C_VOLATILE
AC_CHECK_FUNC(sysctlbyname, AC_DEFINE(HAVE_SYSCTLBYNAME))
AC_C_FLEXIBLE_ARRAY_MEMBER
#
# Check for getenv()
#
AC_CHECK_FUNCS(getenv)
#
# UnixWare 7.1.1 with the feature supplement to the UDK compiler
# is reported to not support "static inline" (RT #1212).

View File

@@ -1,6 +1,6 @@
# $Id: SRCID,v 1.1.4.409 2011/06/15 04:16:12 tbox Exp $
# $Id: SRCID,v 1.1.4.419 2011/07/22 00:15:49 tbox Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
#
SRCID="( $Date: 2011/06/15 04:16:12 $ )"
SRCID="( $Date: 2011/07/22 00:15:49 $ )"

View File

@@ -1,3 +1,3 @@
LIBINTERFACE = 59
LIBREVISION = 4
LIBREVISION = 5
LIBAGE = 1

View File

@@ -15,12 +15,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.c,v 1.483.36.29 2011/03/21 01:17:14 marka Exp $ */
/* $Id: zone.c,v 1.483.36.33 2011/07/21 06:23:20 marka Exp $ */
/*! \file */
#include <config.h>
#include <errno.h>
#include <stdlib.h>
#include <isc/file.h>
#include <isc/mutex.h>
@@ -7524,7 +7525,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
goto tcp_transfer;
}
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"refresh: skipped tcp fallback"
"refresh: skipped tcp fallback "
"as master %s (source %s) is "
"unreachable (cached)",
master, source);
@@ -10476,6 +10477,28 @@ dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first) {
return (ISC_R_SUCCESS);
}
/*
* Size of the zone task table. For best results, this should be a
* prime number, approximately 1% of the maximum number of authoritative
* zones expected to be served by this server.
*/
#define DEFAULT_ZONE_TASKS 101
static int
calculate_zone_tasks(void) {
int ntasks = DEFAULT_ZONE_TASKS;
#ifdef HAVE_GETENV
char *env = getenv("BIND9_ZONE_TASKS_HINT");
if (env != NULL)
ntasks = atoi(env);
if (ntasks < DEFAULT_ZONE_TASKS)
ntasks = DEFAULT_ZONE_TASKS;
#endif
return (ntasks);
}
/***
*** Zone manager.
***/
@@ -10488,6 +10511,7 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
dns_zonemgr_t *zmgr;
isc_result_t result;
isc_interval_t interval;
int zone_tasks = calculate_zone_tasks();
zmgr = isc_mem_get(mctx, sizeof(*zmgr));
if (zmgr == NULL)
@@ -10513,11 +10537,14 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
zmgr->transfersperns = 2;
/* Create the zone task pool. */
result = isc_taskpool_create(taskmgr, mctx,
8 /* XXX */, 2, &zmgr->zonetasks);
result = isc_taskpool_create(taskmgr, mctx, zone_tasks, 2,
&zmgr->zonetasks);
if (result != ISC_R_SUCCESS)
goto free_rwlock;
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
ISC_LOG_NOTICE, "Using %d tasks for zone loading", zone_tasks);
/* Create a single task for queueing of SOA queries. */
result = isc_task_create(taskmgr, 1, &zmgr->task);
if (result != ISC_R_SUCCESS)

View File

@@ -1,3 +1,3 @@
LIBINTERFACE = 55
LIBREVISION = 0
LIBREVISION = 1
LIBAGE = 5

View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: socket.c,v 1.308.12.20 2011/03/11 10:49:59 marka Exp $ */
/* $Id: socket.c,v 1.308.12.22 2011/07/21 23:46:12 tbox Exp $ */
/*! \file */
@@ -1206,6 +1206,9 @@ build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
if ((sock->type == isc_sockettype_udp)
&& ((dev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0)) {
#if defined(IPV6_USE_MIN_MTU)
int use_min_mtu = 1; /* -1, 0, 1 */
#endif
struct cmsghdr *cmsgp;
struct in6_pktinfo *pktinfop;
@@ -1224,6 +1227,22 @@ build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
cmsgp->cmsg_len = cmsg_len(sizeof(struct in6_pktinfo));
pktinfop = (struct in6_pktinfo *)CMSG_DATA(cmsgp);
memcpy(pktinfop, &dev->pktinfo, sizeof(struct in6_pktinfo));
#if defined(IPV6_USE_MIN_MTU)
/*
* Set IPV6_USE_MIN_MTU as a per packet option as FreeBSD
* ignores setsockopt(IPV6_USE_MIN_MTU) when IPV6_PKTINFO
* is used.
*/
cmsgp = (struct cmsghdr *)(sock->sendcmsgbuf +
msg->msg_controllen);
msg->msg_controllen += cmsg_space(sizeof(use_min_mtu));
INSIST(msg->msg_controllen <= sock->sendcmsgbuflen);
cmsgp->cmsg_level = IPPROTO_IPV6;
cmsgp->cmsg_type = IPV6_USE_MIN_MTU;
cmsgp->cmsg_len = cmsg_len(sizeof(use_min_mtu));
memcpy(CMSG_DATA(cmsgp), &use_min_mtu, sizeof(use_min_mtu));
#endif
}
#endif /* USE_CMSG && ISC_PLATFORM_HAVEIPV6 */
#else /* ISC_NET_BSD44MSGHDR */
@@ -1888,6 +1907,13 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
cmsgbuflen = 0;
#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
cmsgbuflen += cmsg_space(sizeof(struct in6_pktinfo));
#if defined(IPV6_USE_MIN_MTU)
/*
* Provide space for working around FreeBSD's broken IPV6_USE_MIN_MTU
* support.
*/
cmsgbuflen += cmsg_space(sizeof(int));
#endif
#endif
sock->sendcmsgbuflen = cmsgbuflen;
if (sock->sendcmsgbuflen != 0U) {
@@ -2234,10 +2260,18 @@ opensocket(isc_socketmgr_t *manager, isc_socket_t *sock) {
#endif /* ISC_PLATFORM_HAVEIN6PKTINFO */
#ifdef IPV6_USE_MIN_MTU /* RFC 3542, not too common yet*/
/* use minimum MTU */
if (sock->pf == AF_INET6) {
(void)setsockopt(sock->fd, IPPROTO_IPV6,
IPV6_USE_MIN_MTU,
(void *)&on, sizeof(on));
if (sock->pf == AF_INET6 &&
setsockopt(sock->fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
(void *)&on, sizeof(on)) < 0) {
isc__strerror(errno, strbuf, sizeof(strbuf));
UNEXPECTED_ERROR(__FILE__, __LINE__,
"setsockopt(%d, IPV6_USE_MIN_MTU) "
"%s: %s", sock->fd,
isc_msgcat_get(isc_msgcat,
ISC_MSGSET_GENERAL,
ISC_MSG_FAILED,
"failed"),
strbuf);
}
#endif
#if defined(IPV6_MTU)

View File

@@ -8,13 +8,12 @@
./KNOWN-DEFECTS X 2009
./Makefile.in MAKE 1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011
./NSEC3-NOTES X 2008,2009
./README X 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010
./README X 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011
./README.idnkit X 2005,2009
./README.pkcs11 X 2008
./RELEASE-NOTES-BIND-9.6-ESV.html HTML 2011
./RELEASE-NOTES-BIND-9.6-ESV.pdf X 2011
./RELEASE-NOTES-BIND-9.6-ESV.txt X 2011
./RELEASE-NOTES-BIND-9.6-ESV.xml SGML 2011
./acconfig.h C 1999,2000,2001,2002,2003,2004,2005,2007,2009
./aclocal.m4 X 1999,2000,2001
./bin/.cvsignore X 1998,1999,2000,2001

View File

@@ -1,4 +1,4 @@
# $Id: version,v 1.43.12.13 2011/05/23 23:19:09 marka Exp $
# $Id: version,v 1.43.12.14 2011/07/21 02:48:13 marka Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
@@ -7,4 +7,4 @@ MAJORVER=9
MINORVER=6
PATCHVER=
RELEASETYPE=-ESV
RELEASEVER=-R5rc1
RELEASEVER=-R5