pkgsrc-WIP-changes archive


bind920: update to version 9.20.5.



Module Name:	pkgsrc-wip
Committed By:	Havard Eidnes <he%osl-res.uninett.no@localhost>
Pushed By:	he
Date:		Wed Jan 29 19:39:09 2025 +0100
Changeset:	ec196ce5bac69b835c79a82a41a3c5afed371a94

Modified Files:
	bind920/Makefile
	bind920/distinfo

Log Message:
bind920: update to version 9.20.5.

Pkgsrc changes:
 * Basically only version + checksum changes.

Upstream changes:

BIND 9.20.5
-----------

Security Fixes
~~~~~~~~~~~~~~

- [CVE-2024-12705] DNS-over-HTTP(s) flooding fixes. ``51900adf29c``

  Fix DNS-over-HTTP(S) implementation issues that arise under heavy
  query load. Optimize resource usage for :iscman:`named` instances that
  accept queries over DNS-over-HTTP(S).

  Previously, :iscman:`named` would process all incoming HTTP/2 data at
  once, which could overwhelm the server, especially when dealing with
  clients that send requests but don't wait for responses. That has been
  fixed. Now, :iscman:`named` handles HTTP/2 data in smaller chunks and
  throttles reading until the remote side reads the response data. It
  also throttles clients that send too many requests at once.

  Additionally, :iscman:`named` now carefully processes data sent by
  some clients, which can be considered "flooding." It logs these
  clients and drops connections from them. :gl:`#4795`

  In some cases, :iscman:`named` could leave DNS-over-HTTP(S)
  connections in the `CLOSE_WAIT` state indefinitely. That also has been
  fixed. ISC would like to thank JF Billaud for thoroughly investigating
  the issue and verifying the fix. :gl:`#5083` :gl:`#4795` :gl:`#5083`

- [CVE-2024-11187] Limit the additional processing for large RDATA sets.
  ``4d3d17c344f``

  When answering queries, don't add data to the additional section if
  the answer has more than 13 names in the RDATA. This limits the number
  of lookups into the database(s) during a single client query, reducing
  query processing load. :gl:`#5034`

New Features
~~~~~~~~~~~~

- Add Extended DNS Error Code 22 - No Reachable Authority.
  ``ee77a192091``

  When the resolver is trying to query an authority server and
  eventually timed out, a SERVFAIL answer is given to the client. Add
  the Extended DNS Error Code 22 - No Reachable Authority to the
  response. :gl:`#2268` :gl:`!9814`

- Add a new option to configure the maximum number of outgoing queries
  per client request. ``844a5310532``

  The configuration option 'max-query-count' sets how many outgoing
  queries per client request are allowed. The existing
  'max-recursion-queries' is the number of permissible queries for a
  single name and is reset on every CNAME redirection. This new option
  is a global limit on the client request. The default is 200.

  This allows us to send a few more queries while looking up a single
  name. The default for 'max-recursion-queries' is changed from 32 to
  50. :gl:`#4980`  :gl:`#4921` :gl:`!9832`

Removed Features
~~~~~~~~~~~~~~~~

- Drop single-use RETERR macro. ``87f70696c87``

  If the RETERR define is only used once in a file, just drop the macro.
  :gl:`!9885`

Feature Changes
~~~~~~~~~~~~~~~

- Update picohttpparser.{c,h} with upstream repository. ``3c9657a3f48``

  :gl:`#4485` :gl:`!9863`

- The configuration clauses parental-agents and primaries are renamed to
  remote-servers. ``b483cd4638c``

  The top blocks 'primaries' and 'parental-agents' are no longer
  preferred and should be renamed to 'remote-servers'. The zone
  statements 'parental-agents' and 'primaries' are still used, and may
  refer to any 'remote-servers' top block. :gl:`#4544` :gl:`!9911`

- Add none parameter to query-source and query-source-v6 to disable IPv4
  or IPv6 upstream queries. ``e260eb39c56``

  Add a none parameter to named configuration option `query-source`
  (respectively `query-source-v6`) which forbids usage of IPv4
  (respectively IPv6) addresses when named is doing an upstream query.
  :gl:`#4981` Turning off upstream IPv6 queries while still listening to
  downstream queries on IPv6. :gl:`!9727` :gl:`!9775`

- Optimize memory layout of core structs. ``67fa22a7746``

  Reduce memory footprint by:

  - Reordering struct fields to minimize padding.
  - Using exact-sized atomic types instead of `*_least`/`*_fast` variants.
  - Downsizing integer fields where possible.

  Affected structs:

  - dns_name_t
  - dns_slabheader_t
  - dns_rdata_t
  - qpcnode_t
  - qpznode_t

  :gl:`#5022` :gl:`!9793`

- Revert "Fix NSEC3 closest encloser lookup for names with empty
  non-terminals" ``993cb761489``

  Revert the fix for #4950 for 9.20.

  This reverts MR !9438.

  History: A performance improvement for NSEC3 closest encloser lookups
  (#4460) was introduced (in MR !9436) and backported to 9.20 (MR !9438)
  and to 9.18 in (MR !9439). It was released in 9.18.30 (and 9.20.2 and
  9.21.1).

  There was a bug in the code (#4950), so we reverted the change in
  !9611, !9613 and !9614.

  Then a new attempt was merged in main (MR !9610) and backported to
  9.20 (MR !9631) and 9.18 (MR !9632). The latter should not have been
  backported and was reverted in !9689.

  We now also revert the fix for 9.20 :gl:`#5108` :gl:`!9947`

- Add TLS SNI extension to all outgoing TLS connections. ``b14148ac897``

  :gl:`!9933`

- Remove unused maxquerycount. ``d61bfeb91e0``

  Related to #4980 :gl:`!9853`

- Use query counters in validator code. ``d91835160a2``

  Commit af7db8951364a89c468eda1535efb3f53adc2c1f as part of #4141 was
  supposed to apply the 'max-recursion-queries' quota to validator
  queries, but the counter was never actually passed on to
  'dns_resolver_createfetch()'. This has been fixed, and the global
  query counter ('max-query-count', per client request) is now also
  added.

  Related to #4980 :gl:`!9866`

Bug Fixes
~~~~~~~~~

- Fix nsupdate hang when processing a large update. ``4ca7a5d6011``

  To mitigate DNS flood attacks over a single TCP connection, we
  throttle the connection when the other side does not read the data.
  Throttling should only occur on server-side sockets, but erroneously
  also happened for nsupdate, which acts as a client. When nsupdate
  started throttling the connection, it never attempted to read again.
  This has been fixed. :gl:`#4910` :gl:`!9834`

- Lock and attach when returning zone stats. ``79e6519168e``

  When returning zone statistics counters, the statistics sets are now
  attached while the zone is locked.  This addresses Coverity warnings
  CID 468720, 468728 and 468729. :gl:`#4934` :gl:`!9843`

- Fix possible assertion failure when reloading server while processing
  updates. ``41af766cd08``

  :gl:`#5006` :gl:`!9820`

- Preserve cache across reconfig when using attach-cache.
  ``826dfa006e2``

  When the `attach-cache` option is used in the `options` block with an
  arbitrary name, it causes all views to use the same cache. Previously,
  this configuration caused the cache to be deleted and a new cache
  created every time the server was reconfigured. This has been fixed.
  :gl:`#5061` :gl:`!9862`

- Resolve the spurious drops in performance due to the GLUE cache.
  ``eb3c66304f3``

  For performance reasons, the returned GLUE records are cached on the
  first use.  The current implementation could randomly cause a
  performance drop and increased memory use.  This has been fixed.
  :gl:`#5064` :gl:`!9918`

- Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys.
  ``c577c3b544d``

  `dnssec-signzone` was using revoked keys for signing RRsets other than
  DNSKEY.  This has been corrected. :gl:`#5070` :gl:`!9840`

- Revert "Lock and attach when returning zone stats" ``d954d9c20b9``

  :gl:`#5082` :gl:`!9860`

- Unknown directive in resolv.conf not handled properly. ``7738fd28c91``

  The line after an unknown directive in resolv.conf could accidentally
  be skipped, potentially affecting dig, host, nslookup, nsupdate, or
  delv. This has been fixed. :gl:`#5084` :gl:`!9877`

- Fix response policy zones and catalog zones with an $INCLUDE statement
  defined. ``cc0cbbe697c``

  Response policy zones (RPZ) and catalog zones were not working
  correctly if they had an $INCLUDE statement defined. This has been
  fixed. :gl:`#5111` :gl:`!9941`

- Finalize removal of memory debug flags size and mctx. ``31918336e8a``

  Commit 4b3d0c66009d30f5c0bc12ee128fc59f1d853f44 has removed them, but
  did not remove a few traces in documentation and help. Remove them from
  remaining places. :gl:`!9842`

- Fix m4 macro in configure.ac. ``ae739c80ccb``

  :gl:`!9813`

- Mark loop as shuttingdown earlier in shutdown_cb. ``fed5e55e339``

  :gl:`!9891`

- Use CMM_{STORE,LOAD}_SHARED to store/load glue in gluelist.
  ``fa7443d3fd2``

  ThreadSanitizer has trouble understanding that gluelist->glue is
  constant after it is assigned to the slabheader with cmpxchg.  Help
  ThreadSanitizer to understand the code by using CMM_STORE_SHARED and
  CMM_LOAD_SHARED on gluelist->glue. :gl:`!9936`

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=ec196ce5bac69b835c79a82a41a3c5afed371a94

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 bind920/Makefile | 5 ++++-
 bind920/distinfo | 6 +++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diffs:
diff --git a/bind920/Makefile b/bind920/Makefile
index f53b47e48f..0d82a4d20e 100644
--- a/bind920/Makefile
+++ b/bind920/Makefile
@@ -15,7 +15,7 @@ CONFLICTS+=	host-[0-9]*
 
 MAKE_JOBS_SAFE=	no
 
-BIND_VERSION=	9.20.4
+BIND_VERSION=	9.20.5
 
 BUILD_DEFS+=	BIND_DIR VARBASE
 
@@ -33,6 +33,9 @@ MAKE_ENV+=		WRKDIR=${WRKDIR} PREFIX=${PREFIX}
 CONFIGURE_ARGS+=		--disable-linux-caps
 .endif
 
+# Compile with debug info
+CFLAGS+=	-g
+
 CONFIGURE_ARGS+=		--sysconfdir=${PKG_SYSCONFDIR}
 CONFIGURE_ARGS+=		--localstatedir=${VARBASE}
 CONFIGURE_ARGS+=		--with-openssl=${SSLBASE:Q}
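Review bot: the unconditional `CFLAGS+= -g` added in this hunk is not covered by the log message, which says the commit is "basically only version + checksum changes"; it also applies to every build of the package, not only debugging builds, so installed binaries carry debug info unless the build strips them. Either drop the two lines (`# Compile with debug info` / `CFLAGS+= -g`) before committing, put them behind a package option that is off by default, or at least state the intent in the log message.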
diff --git a/bind920/distinfo b/bind920/distinfo
index a95f69016e..4be765f7a6 100644
--- a/bind920/distinfo
+++ b/bind920/distinfo
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.20 2024/07/23 13:50:32 taca Exp $
 
-BLAKE2s (bind-9.20.4.tar.xz) = 45674779108e70f399bed788d2a03c712455529b3622ab2f7236bc0f37be55de
-SHA512 (bind-9.20.4.tar.xz) = a6cf91df7ef10d4a1746ff682686eeb482199a3a2e49dfa5723bc28a5d56b08d3fb762efd6b08d56d1177292bd5fa2e0b39054536c071c91265c9d4913782e1e
-Size (bind-9.20.4.tar.xz) = 5620536 bytes
+BLAKE2s (bind-9.20.5.tar.xz) = 424246855e2a4912581d1efbfec32f939804119f4729c6a423a1c6cc6b96be7d
+SHA512 (bind-9.20.5.tar.xz) = 893b2bcfe9227917970ad72d7aa5818f920c03bd42152f43c6f02a76a56b3b6893eba9200d92e1236c4ac28933c653134c8f5209cc7c3777ef9853b3129ba1b0
+Size (bind-9.20.5.tar.xz) = 5634832 bytes
 SHA1 (patch-configure.ac) = f1f672271aa38c10b12d12d48455eb0af82d270c
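Review bot: upstream 9.20.5 includes "Fix m4 macro in configure.ac" (commit ae739c80ccb in the log above), yet this hunk leaves the SHA1 for patch-configure.ac unchanged; confirm that the local patch still applies cleanly against the new configure.ac and regenerate the patch and its checksum if the upstream fix overlaps it. It would also help to record in the log message that the new BLAKE2s and SHA512 values were checked against ISC's detached signature for bind-9.20.5.tar.xz rather than only recomputed from the downloaded file.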

