Now
MAIN commitmail json YAML
pkgsrc/net/bind98/DESCR@1.1.1.1
/
diff
pkgsrc/net/bind98/MESSAGE@1.1.1.1 / diff
pkgsrc/net/bind98/Makefile@1.1.1.1 / diff
pkgsrc/net/bind98/PLIST@1.1.1.1 / diff
pkgsrc/net/bind98/buildlink3.mk@1.1.1.1 / diff
pkgsrc/net/bind98/builtin.mk@1.1.1.1 / diff
pkgsrc/net/bind98/distinfo@1.1.1.1 / diff
pkgsrc/net/bind98/files/lwresd.sh@1.1.1.1 / diff
pkgsrc/net/bind98/files/named9.sh@1.1.1.1 / diff
pkgsrc/net/bind98/options.mk@1.1.1.1 / diff
pkgsrc/net/bind98/patches/patch-config.threads.in@1.1.1.1 / diff
pkgsrc/net/bind98/patches/patch-configure@1.1.1.1 / diff
pkgsrc/net/bind98/patches/patch-lib_dns_rbt.c@1.1.1.1 / diff
pkgsrc/net/bind98/patches/patch-lib_lwres_getaddrinfo.c@1.1.1.1 / diff
pkgsrc/net/bind98/patches/patch-lib_lwres_getnameinfo.c@1.1.1.1 / diff
pkgsrc/net/bind98/MESSAGE@1.1.1.1 / diff
pkgsrc/net/bind98/Makefile@1.1.1.1 / diff
pkgsrc/net/bind98/PLIST@1.1.1.1 / diff
pkgsrc/net/bind98/buildlink3.mk@1.1.1.1 / diff
pkgsrc/net/bind98/builtin.mk@1.1.1.1 / diff
pkgsrc/net/bind98/distinfo@1.1.1.1 / diff
pkgsrc/net/bind98/files/lwresd.sh@1.1.1.1 / diff
pkgsrc/net/bind98/files/named9.sh@1.1.1.1 / diff
pkgsrc/net/bind98/options.mk@1.1.1.1 / diff
pkgsrc/net/bind98/patches/patch-config.threads.in@1.1.1.1 / diff
pkgsrc/net/bind98/patches/patch-configure@1.1.1.1 / diff
pkgsrc/net/bind98/patches/patch-lib_dns_rbt.c@1.1.1.1 / diff
pkgsrc/net/bind98/patches/patch-lib_lwres_getaddrinfo.c@1.1.1.1 / diff
pkgsrc/net/bind98/patches/patch-lib_lwres_getnameinfo.c@1.1.1.1 / diff
Importing BIND 9.8.0 as net/bind98.
Full release note:
http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html
New Features
9.8.0
* The ADB hash table stores informations about which authoritative
servers to query about particular domains. Previous versions of
BIND had the hash table size as a fixed value. On a busy recursive
server, this could lead to hash table collisions in the ADB cache,
resulting in degraded response time to queries. Bind 9.8 now has a
dynamically scalable ADB hash table, which helps a busy server to
avoid hash table collisions and maintain a consistent query
response time. [RT #21186]
* BIND now supports a new zone type, static-stub. This allows the
administrator of a recursive nameserver to force queries for a
particular zone to go to IP addresses of the administrator's
choosing, on a per zone basis, both globally or per view. I.e. if
the administrator wishes to have their recursive server query
192.0.2.1 and 192.0.2.2 for zone example.com rather than the
servers listed by the .com gTLDs, they would configure example.com
as a static-stub zone in their recursive server. [RT #21474]
* BIND now supports Response Policy Zones, a way of expressing
"reputation" in real time via specially constructed DNS zones. See
the draft specification here:
http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726]
* BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records
from specified A records if no AAAA record exists. IP6.ARPA CNAME
records will be synthesized from corresponding IN-ADDR.ARPA. [RT
#21991/22769]
* Dynamically Loadable Zones (DLZ) now support dynamic updates.
Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
* Added a "dlopen" DLZ driver, allowing the creation of external DLZ
drivers that can be loaded as shared objects at runtime rather than
having to be linked with named at compile time. Currently this is
switched on via a compile-time option, "configure
--with-dlz-dlopen". Note: the syntax for configuring DLZ zones is
likely to be refined in future releases. Contributed by Andrew
Tridgell of the Samba Project. [RT #22629]
* named now retains GSS-TSIG keys across restarts. This is for
compatibility with Microsoft DHCP servers doing dynamic DNS updates
for clients, which don't know to renegotiate the GSS-TSIG session
key when named restarts. [RT #22639]
* There is a new update-policy match type "external". This allows
named to decide whether to allow a dynamic update by checking with
an external daemon. Contributed by Andrew Tridgell of the Samba
Project. [RT #22758]
* There have been a number of bug fixes and ease of use enhancements
for configuring BIND to support GSS-TSIG [RT #22629/22795]. These
include:
+ Added a "tkey-gssapi-keytab" option. If set, dynamic updates
will be allowed for any key matching a Kerberos principal in
the specified keytab file. "tkey-gssapi-credential" is no
longer required and is expected to be deprecated. Contributed
by Andrew Tridgell of the Samba Project. [RT #22629]
+ It is no longer necessary to have a valid /etc/krb5.conf file.
Using the syntax DNS/hostname@REALM in nsupdate is sufficient
for to correctly set the default realm. [RT #22795]
+ Documentation updated new gssapi configuration options (new
option tkey-gssapi-keytab and changes in
tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
+ DLZ correctly deals with NULL zone in a query. [RT 22795]
+ TSIG correctly deals with a NULL tkey->creator. [RT 22795]
* A new test has been added to check the apex NSEC3 records after
DNSKEY records have been added via dynamic update. [RT #23229]
* RTT banding (randomized server selection on queries) was introduced
in BIND releases in 2008, due to the Kaminsky cache poisoning bug.
Instead of always picking the authoritative server with the lowest
RTT to the caching resolver, all the authoritative servers within
an RTT range were randomly used by the recursive server.
While this did add an extra bit of randomness that an attacker had
to overcome to poison a recursive server's cache, it also impacts
the resolver's speed in answering end customer queries, since it's
no longer the fastest auth server that gets asked. This means that
performance optimizations, such using topologically close
authoritative servers, are rendered ineffective.
ISC has evaluated the amount of security added versus the
performance hit to end users and has decided that RTT banding is
causing more harm than good. Therefore, with this release, BIND is
going back to the server selection used prior to adding RTT
banding. [RT #23310]
Feature Changes
9.8.0
* There is a new option in dig, +onesoa, that allows the final SOA
record in an AXFR response to be suppressed. [RT #20929
* There is additional information displayed in the recursing log
(qtype, qclass, qid and whether we are following the original
name). [RT #22043]
* Added option 'resolver-query-timeout' in named.conf (max query
timeout in seconds) to set a different value than the default (30
seconds). A value of 0 means 'use the compiled in default';
anything longer than 30 will be silently set to 30. [RT #22852]
* For Mac OS X, you can now have the test interfaces used during
"make test" stay beyond reboot. See bin/tests/system/README for
details.
Status:
Vendor Tag: TNF
Release Tags: pkgsrc-base
Full release note:
http://ftp.isc.org/isc/bind9/9.8.0/RELEASE-NOTES-BIND-9.8.html
New Features
9.8.0
* The ADB hash table stores informations about which authoritative
servers to query about particular domains. Previous versions of
BIND had the hash table size as a fixed value. On a busy recursive
server, this could lead to hash table collisions in the ADB cache,
resulting in degraded response time to queries. Bind 9.8 now has a
dynamically scalable ADB hash table, which helps a busy server to
avoid hash table collisions and maintain a consistent query
response time. [RT #21186]
* BIND now supports a new zone type, static-stub. This allows the
administrator of a recursive nameserver to force queries for a
particular zone to go to IP addresses of the administrator's
choosing, on a per zone basis, both globally or per view. I.e. if
the administrator wishes to have their recursive server query
192.0.2.1 and 192.0.2.2 for zone example.com rather than the
servers listed by the .com gTLDs, they would configure example.com
as a static-stub zone in their recursive server. [RT #21474]
* BIND now supports Response Policy Zones, a way of expressing
"reputation" in real time via specially constructed DNS zones. See
the draft specification here:
http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726]
* BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records
from specified A records if no AAAA record exists. IP6.ARPA CNAME
records will be synthesized from corresponding IN-ADDR.ARPA. [RT
#21991/22769]
* Dynamically Loadable Zones (DLZ) now support dynamic updates.
Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
* Added a "dlopen" DLZ driver, allowing the creation of external DLZ
drivers that can be loaded as shared objects at runtime rather than
having to be linked with named at compile time. Currently this is
switched on via a compile-time option, "configure
--with-dlz-dlopen". Note: the syntax for configuring DLZ zones is
likely to be refined in future releases. Contributed by Andrew
Tridgell of the Samba Project. [RT #22629]
* named now retains GSS-TSIG keys across restarts. This is for
compatibility with Microsoft DHCP servers doing dynamic DNS updates
for clients, which don't know to renegotiate the GSS-TSIG session
key when named restarts. [RT #22639]
* There is a new update-policy match type "external". This allows
named to decide whether to allow a dynamic update by checking with
an external daemon. Contributed by Andrew Tridgell of the Samba
Project. [RT #22758]
* There have been a number of bug fixes and ease of use enhancements
for configuring BIND to support GSS-TSIG [RT #22629/22795]. These
include:
+ Added a "tkey-gssapi-keytab" option. If set, dynamic updates
will be allowed for any key matching a Kerberos principal in
the specified keytab file. "tkey-gssapi-credential" is no
longer required and is expected to be deprecated. Contributed
by Andrew Tridgell of the Samba Project. [RT #22629]
+ It is no longer necessary to have a valid /etc/krb5.conf file.
Using the syntax DNS/hostname@REALM in nsupdate is sufficient
for to correctly set the default realm. [RT #22795]
+ Documentation updated new gssapi configuration options (new
option tkey-gssapi-keytab and changes in
tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
+ DLZ correctly deals with NULL zone in a query. [RT 22795]
+ TSIG correctly deals with a NULL tkey->creator. [RT 22795]
* A new test has been added to check the apex NSEC3 records after
DNSKEY records have been added via dynamic update. [RT #23229]
* RTT banding (randomized server selection on queries) was introduced
in BIND releases in 2008, due to the Kaminsky cache poisoning bug.
Instead of always picking the authoritative server with the lowest
RTT to the caching resolver, all the authoritative servers within
an RTT range were randomly used by the recursive server.
While this did add an extra bit of randomness that an attacker had
to overcome to poison a recursive server's cache, it also impacts
the resolver's speed in answering end customer queries, since it's
no longer the fastest auth server that gets asked. This means that
performance optimizations, such using topologically close
authoritative servers, are rendered ineffective.
ISC has evaluated the amount of security added versus the
performance hit to end users and has decided that RTT banding is
causing more harm than good. Therefore, with this release, BIND is
going back to the server selection used prior to adding RTT
banding. [RT #23310]
Feature Changes
9.8.0
* There is a new option in dig, +onesoa, that allows the final SOA
record in an AXFR response to be suppressed. [RT #20929
* There is additional information displayed in the recursing log
(qtype, qclass, qid and whether we are following the original
name). [RT #22043]
* Added option 'resolver-query-timeout' in named.conf (max query
timeout in seconds) to set a different value than the default (30
seconds). A value of 0 means 'use the compiled in default';
anything longer than 30 will be silently set to 30. [RT #22852]
* For Mac OS X, you can now have the test interfaces used during
"make test" stay beyond reboot. See bin/tests/system/README for
details.
Status:
Vendor Tag: TNF
Release Tags: pkgsrc-base