in BIND9
High numbers of queries with DNSSEC validation enabled can cause an
assertion failure in named, caused by using a "bad cache" data structure
before it has been initialized.
CVE: CVE-2012-3817
Posting date: 24 July, 2012
BUG FIXES:
- Fix for VU#624931 CVE-2012-2978: NSD denial of service
vulnerability from non-standard DNS packet from any host
on the internet.
PR: ports/170001
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Security: CVE-2012-2978
This module allows you to get the public suffix of a domain name using
the Public Suffix List from http://publicsuffix.org
A public suffix is one under which Internet users can directly register names.
Some examples of public suffixes are .com, .co.uk and pvt.k12.wy.us.
Accurately knowing the public suffix of a domain is useful when handling web
browser cookies, highlighting the most important part of a domain name in a
user interface or sorting URLs by web site.
WWW: http://pypi.python.org/pypi/publicsuffix/
PR: ports/169326
Submitted by: d.pryadko@rambler-co.ru
The initial g stands for Geographic, as gdnsd offers a plugin system for
geographic (or other sorts of) balancing, redirection, and service-state-conscious
failover. If you don't care about that feature, it's still quite good at being
a very fast, lean, and resilient authoritative-only server for static DNS data.
gdnsd is written in C using libev and pthreads with a focus on high performance,
low latency service. It does not offer any form of caching or recursive service,
and does not support DNSSEC.
WWW: http://code.google.com/p/gdnsd/
PR: ports/167946
Submitted by: Stefan Caunter <stef@scaleengine.com>
from ISC. These patched versions contain a critical bugfix:
Processing of DNS resource records where the rdata field is zero length
may cause various issues for the servers handling them.
Processing of these records may lead to unexpected outcomes. Recursive
servers may crash or disclose some portion of memory to the client.
Secondary servers may crash on restart after transferring a zone
containing these records. Master servers may corrupt zone data if the
zone option "auto-dnssec" is set to "maintain". Other unexpected
problems that are not listed here may also be encountered.
All BIND users are strongly encouraged to upgrade.
This is mostly a bugfix release. Most notable new features are ECDSA
support (RFC 6605) and command-line options for ldns-verify-zone for
validating against given keys and for safety margins on signatures
inception and expiration times.
- The examples and drill programs will now be built by default.
PR: ports/168296
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Approved by: itetcu (mentor)
the latest from ISC. These versions all contain the following:
Feature Change
* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)
[RT #28989]
Bug Fix
* The locking strategy around the handling of iterative queries
has been tuned to reduce unnecessary contention in a multi-
threaded environment.
Each version also contains other critical bug fixes.
All BIND users are encouraged to upgrade to these latest versions.
- set NO_LATEST_LINK
- while I'm here, add LICENSE (GPL2) and remove mention of it from pkg-descr
PR: 168192
Submitted by: Ralf van der Enden <tremere at cainites dot net> (maintainer)