Update to BIND 9.10.1-P1, including query limits for recursion (DoS avoidance,

CVE-2014-8500), assertion DoS (recursive only, only with prefetch enabled,
CVE-2014-3214), assertion DoS (EDNS option processing, CVE-2014-3859) and
fixes to GeoIP (CVE-2014-8680 and another unclassified).

https://kb.isc.org/article/AA-01223/81/BIND-9.10.1-P1-Release-Notes.html

Add a local patch to increase the default query limit, during testing it
appears that the standard defaults can be easily falsely triggered during
priming at startup.

net/isc-bind/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.31 2014/09/23 09:42:41 sthen Exp $
+# $OpenBSD: Makefile,v 1.32 2014/12/09 17:21:36 sthen Exp $
 
 # XXX should we rename the rc script to either named.rc or isc_bind.rc ?
 # XXX how about also the package now we don't need to distinguish from the
@@ -6,20 +6,20 @@
 
 COMMENT=	Berkeley Internet Name Daemon: DNS server and tools
 
-V=		9.10.1
+V=		9.10.1-P1
 DISTNAME=	bind-$V
 PKGNAME=	isc-bind-${V:S/-P/pl/}
 
-SHARED_LIBS +=	isc                  1.1      # 145.0
+SHARED_LIBS +=	isc                  2.0      # 146.0
 SHARED_LIBS +=	isccc                0.0      # 140.1
-SHARED_LIBS +=	dns                  2.0      # 146.2
-SHARED_LIBS +=	isccfg               0.2      # 142.2
-SHARED_LIBS +=	bind9                0.0      # 140.6
+SHARED_LIBS +=	dns                  3.0      # 147.0
+SHARED_LIBS +=	isccfg               0.3      # 142.3
+SHARED_LIBS +=	bind9                0.1      # 140.7
 SHARED_LIBS +=	lwres                0.1      # 141.0
 SHARED_LIBS +=	irs                  0.0      # 141.2
 
 # not installed:
-#SHARED_LIBS +=	isc-nosymtbl         0.0      # 145.0
+#SHARED_LIBS +=	isc-nosymtbl         0.0      # 146.0
 #SHARED_LIBS +=	t_api                0.0      # unknown
 
 CATEGORIES=	net
@@ -29,7 +29,7 @@ HOMEPAGE=	http://www.isc.org/software/bind
 # ISC
 PERMIT_PACKAGE_CDROM=	Yes
 
-WANTLIB=	c crypto json-c m pthread xml2 z
+WANTLIB=	c crypto json-c lzma m pthread xml2 z
 
 MASTER_SITES=	${MASTER_SITE_ISC:=bind9/$V/}
 

net/isc-bind/distinfo

@@ -1,2 +1,2 @@
-SHA256 (bind-9.10.1.tar.gz) = U2Hsori2vAsTkEsPlkM2pHjfvBZXEVR/bMP4dSrGAYE=
-SIZE (bind-9.10.1.tar.gz) = 8353313
+SHA256 (bind-9.10.1-P1.tar.gz) = l0NDEI0y8lOhMDg9C6USkPt783IJLxRR8mSp46wJiY0=
+SIZE (bind-9.10.1-P1.tar.gz) = 8356463

net/isc-bind/patches/patch-bin_named_config_c

@@ -0,0 +1,18 @@
+$OpenBSD: patch-bin_named_config_c,v 1.1 2014/12/09 17:21:36 sthen Exp $
+
+Increase query limit until a level at which a query with "dig @::1
+www.ibm.com a" succeeds at startup. 150 was not enough.
+
+https://lists.isc.org/pipermail/bind-users/2014-December/094240.html
+
+--- bin/named/config.c.orig	Tue Dec  9 17:03:45 2014
++++ bin/named/config.c	Tue Dec  9 17:04:17 2014
+@@ -169,7 +169,7 @@ options {\n\
+ 	clients-per-query 10;\n\
+ 	max-clients-per-query 100;\n\
+ 	max-recursion-depth 7;\n\
+-	max-recursion-queries 50;\n\
++	max-recursion-queries 200;\n\
+ 	zero-no-soa-ttl-cache no;\n\
+ 	nsec3-test-zone no;\n\
+ 	allow-new-zones no;\n\

net/isc-bind/pkg/PLIST

@@ -1,4 +1,4 @@
-@comment $OpenBSD: PLIST,v 1.9 2014/09/23 09:42:41 sthen Exp $
+@comment $OpenBSD: PLIST,v 1.10 2014/12/09 17:21:36 sthen Exp $
 @pkgpath net/isc-bind,ratelimit
 @newgroup _bind:741
 @newuser _bind:741:_bind:daemon:bind user:/nonexistent:/sbin/nologin
@@ -133,6 +133,7 @@ include/isc/buffer.h
 include/isc/bufferlist.h
 include/isc/commandline.h
 include/isc/condition.h
+include/isc/counter.h
 include/isc/crc64.h
 include/isc/dir.h
 include/isc/entropy.h
@@ -252,6 +253,7 @@ include/lwres/netdb.h
 include/lwres/platform.h
 include/lwres/result.h
 include/lwres/stdlib.h
+include/lwres/string.h
 include/lwres/version.h
 include/pk11/
 include/pk11/constants.h