diff -pruN 1:9.11.4+dfsg-3/bin/named/server.c 1:9.11.4.P2+dfsg-1/bin/named/server.c --- 1:9.11.4+dfsg-3/bin/named/server.c 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/bin/named/server.c 2018-09-04 04:04:41.000000000 +0000 @@ -11145,7 +11145,7 @@ ns_server_freeze(ns_server_t *server, is isc_lex_t *lex, isc_buffer_t **text) { isc_result_t result, tresult; - dns_zone_t *zone = NULL, *raw = NULL; + dns_zone_t *mayberaw = NULL, *raw = NULL; dns_zonetype_t type; char classstr[DNS_RDATACLASS_FORMATSIZE]; char zonename[DNS_NAME_FORMATSIZE]; @@ -11154,11 +11154,11 @@ ns_server_freeze(ns_server_t *server, is isc_boolean_t frozen; const char *msg = NULL; - result = zone_from_args(server, lex, NULL, &zone, NULL, + result = zone_from_args(server, lex, NULL, &mayberaw, NULL, text, ISC_TRUE); if (result != ISC_R_SUCCESS) return (result); - if (zone == NULL) { + if (mayberaw == NULL) { result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); tresult = ISC_R_SUCCESS; @@ -11178,26 +11178,26 @@ ns_server_freeze(ns_server_t *server, is isc_result_totext(tresult)); return (tresult); } - dns_zone_getraw(zone, &raw); + dns_zone_getraw(mayberaw, &raw); if (raw != NULL) { - dns_zone_detach(&zone); - dns_zone_attach(raw, &zone); + dns_zone_detach(&mayberaw); + dns_zone_attach(raw, &mayberaw); dns_zone_detach(&raw); } - type = dns_zone_gettype(zone); + type = dns_zone_gettype(mayberaw); if (type != dns_zone_master) { - dns_zone_detach(&zone); + dns_zone_detach(&mayberaw); return (DNS_R_NOTMASTER); } - if (freeze && !dns_zone_isdynamic(zone, ISC_TRUE)) { - dns_zone_detach(&zone); + if (freeze && !dns_zone_isdynamic(mayberaw, ISC_TRUE)) { + dns_zone_detach(&mayberaw); return (DNS_R_NOTDYNAMIC); } result = isc_task_beginexclusive(server->task); RUNTIME_CHECK(result == ISC_R_SUCCESS); - frozen = dns_zone_getupdatedisabled(zone); + frozen = dns_zone_getupdatedisabled(mayberaw); if (freeze) { if (frozen) { msg = "WARNING: The zone was already frozen.\n" @@ -11206,16 +11206,16 @@ ns_server_freeze(ns_server_t *server, is result = DNS_R_FROZEN; } if (result == ISC_R_SUCCESS) { - result = dns_zone_flush(zone); + result = dns_zone_flush(mayberaw); if (result != ISC_R_SUCCESS) msg = "Flushing the zone updates to " "disk failed."; } if (result == ISC_R_SUCCESS) - dns_zone_setupdatedisabled(zone, freeze); + dns_zone_setupdatedisabled(mayberaw, freeze); } else { if (frozen) { - result = dns_zone_loadandthaw(zone); + result = dns_zone_loadandthaw(mayberaw); switch (result) { case ISC_R_SUCCESS: case DNS_R_UPTODATE: @@ -11238,7 +11238,7 @@ ns_server_freeze(ns_server_t *server, is (void) putnull(text); } - view = dns_zone_getview(zone); + view = dns_zone_getview(mayberaw); if (strcmp(view->name, "_default") == 0 || strcmp(view->name, "_bind") == 0) { @@ -11248,9 +11248,9 @@ ns_server_freeze(ns_server_t *server, is vname = view->name; sep = " "; } - dns_rdataclass_format(dns_zone_getclass(zone), classstr, + dns_rdataclass_format(dns_zone_getclass(mayberaw), classstr, sizeof(classstr)); - dns_name_format(dns_zone_getorigin(zone), + dns_name_format(dns_zone_getorigin(mayberaw), zonename, sizeof(zonename)); isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_INFO, @@ -11258,7 +11258,7 @@ ns_server_freeze(ns_server_t *server, is freeze ? "freezing" : "thawing", zonename, classstr, sep, vname, isc_result_totext(result)); - dns_zone_detach(&zone); + dns_zone_detach(&mayberaw); return (result); } diff -pruN 1:9.11.4+dfsg-3/bin/named/zoneconf.c 1:9.11.4.P2+dfsg-1/bin/named/zoneconf.c --- 1:9.11.4+dfsg-3/bin/named/zoneconf.c 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/bin/named/zoneconf.c 2018-09-04 04:04:41.000000000 +0000 @@ -1223,7 +1223,7 @@ ns_zone_configure(const cfg_obj_t *confi dns_zone_setoption(raw, DNS_ZONEOPT_IXFRFROMDIFFS, ISC_TRUE); dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS, - ISC_TRUE); + ISC_FALSE); } else dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS, ixfrdiff); diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/chain/ns7/named.conf.in 1:9.11.4.P2+dfsg-1/bin/tests/system/chain/ns7/named.conf.in --- 1:9.11.4+dfsg-3/bin/tests/system/chain/ns7/named.conf.in 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/bin/tests/system/chain/ns7/named.conf.in 2018-09-04 04:04:41.000000000 +0000 @@ -20,6 +20,12 @@ options { listen-on-v6 { fd92:7065:b8e:ffff::7; }; recursion yes; allow-recursion { any; }; + dnssec-validation yes; + deny-answer-aliases { + "example"; + } except-from { + "example"; + }; }; key rndc_key { diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/chain/tests.sh 1:9.11.4.P2+dfsg-1/bin/tests/system/chain/tests.sh --- 1:9.11.4+dfsg-3/bin/tests/system/chain/tests.sh 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/bin/tests/system/chain/tests.sh 2018-09-04 04:04:41.000000000 +0000 @@ -248,5 +248,22 @@ $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^ if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` +n=`expr $n + 1` +echo_i "checking explicit DNAME query ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.7 dname short-dname.example > dig.out.7.$n 2>&1 +grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo_i "checking DNAME via ANY query ($n)" +ret=0 +$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i +$DIG $DIGOPTS @10.53.0.7 any short-dname.example > dig.out.7.$n 2>&1 +grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/inline/clean.sh 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/clean.sh --- 1:9.11.4+dfsg-3/bin/tests/system/inline/clean.sh 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/clean.sh 2018-09-04 04:04:41.000000000 +0000 @@ -73,6 +73,10 @@ rm -f ns3/nsec3.db rm -f ns3/nsec3.db.jnl rm -f ns3/nsec3.db.signed rm -f ns3/nsec3.db.signed.jnl +rm -f ns3/delayedkeys.db +rm -f ns3/delayedkeys.db.jnl +rm -f ns3/delayedkeys.db.signed +rm -f ns3/delayedkeys.db.signed.jnl rm -f ns3/removedkeys-primary.db rm -f ns3/removedkeys-primary.db.jnl rm -f ns3/removedkeys-primary.db.signed diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/inline/ns3/master5.db.in 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/ns3/master5.db.in --- 1:9.11.4+dfsg-3/bin/tests/system/inline/ns3/master5.db.in 1970-01-01 00:00:00.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/ns3/master5.db.in 2018-09-04 04:04:41.000000000 +0000 @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns3 . ( + 2000042411 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns3 +ns3 A 10.53.0.3 + +c A 10.0.0.3 +e A 10.0.0.5 diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/inline/ns3/named.conf.in 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/ns3/named.conf.in --- 1:9.11.4+dfsg-3/bin/tests/system/inline/ns3/named.conf.in 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/ns3/named.conf.in 2018-09-04 04:04:41.000000000 +0000 @@ -58,6 +58,10 @@ zone "master" { inline-signing yes; auto-dnssec maintain; file "master.db"; + notify explicit; + also-notify { + 10.53.0.3; + }; }; zone "dynamic" { @@ -141,6 +145,13 @@ zone "nokeys" { file "nokeys.bk"; }; +zone "delayedkeys" { + type master; + inline-signing yes; + auto-dnssec maintain; + file "delayedkeys.db"; +}; + zone "removedkeys-primary" { type master; inline-signing yes; diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/inline/ns3/sign.sh 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/ns3/sign.sh --- 1:9.11.4+dfsg-3/bin/tests/system/inline/ns3/sign.sh 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/ns3/sign.sh 2018-09-04 04:04:41.000000000 +0000 @@ -96,6 +96,14 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAS keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone` $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db +zone=delayedkeys +rm -f K${zone}.+*+*.key +rm -f K${zone}.+*+*.private +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` +keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone` +# Keys for the "delayedkeys" zone should not be initially accessible. +mv K${zone}.+*+*.* ../ + zone=removedkeys-primary rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/inline/setup.sh 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/setup.sh --- 1:9.11.4+dfsg-3/bin/tests/system/inline/setup.sh 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/setup.sh 2018-09-04 04:04:41.000000000 +0000 @@ -33,6 +33,7 @@ cp ns3/master.db.in ns3/updated.db cp ns3/master.db.in ns3/expired.db cp ns3/master.db.in ns3/nsec3.db cp ns3/master.db.in ns3/externalkey.db +cp ns3/master.db.in ns3/delayedkeys.db cp ns3/master.db.in ns3/removedkeys-primary.db mkdir ns3/removedkeys diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/inline/tests.sh 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/tests.sh --- 1:9.11.4+dfsg-3/bin/tests/system/inline/tests.sh 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/tests.sh 2018-09-04 04:04:41.000000000 +0000 @@ -879,6 +879,31 @@ if [ $ret != 0 ]; then echo_i "failed"; status=`expr $status + $ret` n=`expr $n + 1` +echo_i "check that reloading all zones does not cause zone maintenance to cease for inline-signed zones ($n)" +ret=1 +# Ensure "rndc reload" attempts to load ns3/master.db by waiting 1 second so +# that the master file modification time has no possibility of being equal to +# the one stored during server startup. +sleep 1 +nextpart ns3/named.run > /dev/null +cp ns3/master5.db.in ns3/master.db +$RNDCCMD 10.53.0.3 reload 2>&1 | sed 's/^/ns3 /' | cat_i +for i in 1 2 3 4 5 6 7 8 9 10 +do + if nextpart ns3/named.run | grep "zone master.*sending notifies" > /dev/null; then + ret=0 + break + fi + sleep 1 +done +# Sanity check: master file updates should be reflected in the signed zone, +# i.e. SOA RNAME should no longer be set to "hostmaster". +$DIG $DIGOPTS @10.53.0.3 master SOA > dig.out.ns3.test$n || ret=1 +grep "hostmaster" dig.out.ns3.test$n > /dev/null && ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` echo_i "test add/del zone combinations ($n)" ret=0 for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z @@ -1247,7 +1272,61 @@ grep "RRSIG" dig.out.ns3.test$n > /dev/n if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` +# Check that the master file $2 for zone $1 does not contain RRSIG records +# while the journal file for that zone does contain them. +ensure_sigs_only_in_journal() { + origin="$1" + masterfile="$2" + $CHECKZONE -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null && ret=1 + $CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null || ret=1 +} + n=`expr $n + 1` +echo_i "checking that records added from a journal are scheduled to be resigned ($n)" +ret=0 +# Signing keys for the "delayedkeys" zone are not yet accessible. Thus, the +# zone file for the signed version of the zone will contain no DNSSEC records. +# Move keys into place now and load them, which will cause DNSSEC records to +# only be present in the journal for the signed version of the zone. +mv Kdelayedkeys* ns3/ +$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1 +# Wait until the zone is signed. +ans=1 +for i in 1 2 3 4 5 6 7 8 9 10 +do + $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1 + num=`grep "Done signing with" signing.out.test$n | wc -l` + if [ $num -eq 2 ]; then + ans=0 + break + fi + sleep 1 +done +if [ $ans != 0 ]; then ret=1; fi +# Halt rather than stopping the server to prevent the master file from being +# flushed upon shutdown since we specifically want to avoid it. +$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --halt --port ${CONTROLPORT} . ns3 +ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed +$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns3 +# At this point, the raw zone journal will not have a source serial set. Upon +# server startup, receive_secure_serial() will rectify that, update SOA, resign +# it, and schedule its future resign. This will cause "rndc zonestatus" to +# return delayedkeys/SOA as the next node to resign, so we restart the server +# once again; with the raw zone journal now having a source serial set, +# receive_secure_serial() should refrain from introducing any zone changes. +$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --halt --port ${CONTROLPORT} . ns3 +ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed +$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns3 +# We can now test whether the secure zone journal was correctly processed: +# unless the records contained in it were scheduled for resigning, no resigning +# event will be scheduled at all since the secure zone master file contains no +# DNSSEC records. +$RNDCCMD 10.53.0.3 zonestatus delayedkeys > rndc.out.ns3.post.test$n 2>&1 || ret=1 +grep "next resign node:" rndc.out.ns3.post.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` +n=`expr $n + 1` + echo_i "check that zonestatus reports 'type: master' for a inline master zone ($n)" ret=0 $RNDCCMD 10.53.0.3 zonestatus master > rndc.out.ns3.test$n diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/resolver/tests.sh 1:9.11.4.P2+dfsg-1/bin/tests/system/resolver/tests.sh --- 1:9.11.4+dfsg-3/bin/tests/system/resolver/tests.sh 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/bin/tests/system/resolver/tests.sh 2018-09-04 04:04:41.000000000 +0000 @@ -204,6 +204,7 @@ n=`expr $n + 1` echo_i "checking DNAME target filtering (deny) ($n)" ret=0 $DIG $DIGOPTS +tcp foo.baddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1 +grep "DNAME target foo.baddname.example.org denied for foo.baddname.example.net/IN" ns1/named.run >/dev/null || ret=1 grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/stop.pl 1:9.11.4.P2+dfsg-1/bin/tests/system/stop.pl --- 1:9.11.4+dfsg-3/bin/tests/system/stop.pl 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/bin/tests/system/stop.pl 2018-09-04 04:04:41.000000000 +0000 @@ -31,11 +31,12 @@ use Getopt::Long; # # server Name of the server directory. -my $usage = "usage: $0 [--use-rndc [--port port]] test-directory [server-directory]"; +my $usage = "usage: $0 [--use-rndc [--halt] [--port port]] test-directory [server-directory]"; my $use_rndc = 0; +my $halt = 0; my $port = 9953; -GetOptions('use-rndc' => \$use_rndc, 'port=i' => \$port) or die "$usage\n"; +GetOptions('use-rndc' => \$use_rndc, 'halt' => \$halt, 'port=i' => \$port) or die "$usage\n"; my $errors = 0; @@ -134,9 +135,10 @@ sub stop_rndc { return unless ($server =~ /^ns(\d+)$/); my $ip = "10.53.0.$1"; + my $how = $halt ? "halt" : "stop"; # Ugly, but should work. - system("$ENV{RNDC} -c ../common/rndc.conf -s $ip -p $port stop | sed 's/^/I:$server /'"); + system("$ENV{RNDC} -c ../common/rndc.conf -s $ip -p $port $how | sed 's/^/I:$server /'"); return; } diff -pruN 1:9.11.4+dfsg-3/CHANGES 1:9.11.4.P2+dfsg-1/CHANGES --- 1:9.11.4+dfsg-3/CHANGES 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/CHANGES 2018-09-04 04:04:41.000000000 +0000 @@ -1,3 +1,24 @@ + --- 9.11.4-P2 released --- + +5022. [doc] Update ms-self, ms-subdomain, krb5-self, and + krb5-subdomain documentation. [GL !708] + +5015. [bug] Reloading all zones caused zone maintenance to cease + for inline-signed zones. [GL #435] + +5014. [bug] Signatures loaded from the journal for the signed + version of an inline-signed zone were not scheduled for + refresh. [GL #482] + +5004. [bug] 'rndc reconfig' could cause inline zones to stop + re-signing. [GL #439] + + --- 9.11.4-P1 released --- + +4997. [security] named could crash during recursive processing + of DNAME records when "deny-answer-aliases" was + in use. (CVE-2018-5740) [GL #387] + --- 9.11.4 released --- --- 9.11.4rc2 released --- diff -pruN 1:9.11.4+dfsg-3/debian/bind9.preinst 1:9.11.4.P2+dfsg-1/debian/bind9.preinst --- 1:9.11.4+dfsg-3/debian/bind9.preinst 1970-01-01 00:00:00.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/debian/bind9.preinst 2018-09-10 08:36:06.000000000 +0000 @@ -0,0 +1,49 @@ +#!/bin/sh +# preinst script for bind9 +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `install' +# * `install' +# * `upgrade' +# * `abort-upgrade' +# for details, see https://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + install|upgrade) + if [ -n "$2" ] && dpkg --compare-versions "$2" lt "1:9.11.2+dfsg-6"; then + theirs=$(md5sum /etc/bind/named.conf.options | sed 's/ .*$//') + mine=56919cbc0d819c9a303a8bdeb306b5f1 + if [ "$mine" = "$theirs" ]; then + mv /etc/bind/named.conf.options /etc/bind/named.conf.options.dpkg-old + fi + fi + ;; + + abort-upgrade) + if [ ! -f "/etc/bind/named.conf.options" ] && [ -f "/etc/bind/named.conf.options.dpkg-old" ]; then + theirs=$(md5sum /etc/bind/named.conf.options.dpkg-old | sed 's/ .*$//') + mine=56919cbc0d819c9a303a8bdeb306b5f1 + if [ "$mine" = "$theirs" ]; then + mv /etc/bind/named.conf.options.dpkg-old /etc/bind/named.conf.options + fi + fi + ;; + + *) + echo "preinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff -pruN 1:9.11.4+dfsg-3/debian/bind9.service 1:9.11.4.P2+dfsg-1/debian/bind9.service --- 1:9.11.4+dfsg-3/debian/bind9.service 2018-07-29 21:26:09.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/debian/bind9.service 2018-09-10 08:36:06.000000000 +0000 @@ -7,7 +7,7 @@ Before=nss-lookup.target [Service] Type=forking -EnvironmentFile=/etc/default/bind9 +EnvironmentFile=-/etc/default/bind9 ExecStart=/usr/sbin/named $OPTIONS ExecReload=/usr/sbin/rndc reload ExecStop=/usr/sbin/rndc stop diff -pruN 1:9.11.4+dfsg-3/debian/changelog 1:9.11.4.P2+dfsg-1/debian/changelog --- 1:9.11.4+dfsg-3/debian/changelog 2018-07-29 21:26:09.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/debian/changelog 2018-09-10 08:36:06.000000000 +0000 @@ -1,3 +1,40 @@ +bind9 (1:9.11.4.P2+dfsg-1) unstable; urgency=medium + + [ Bernhard Schmidt ] + * Add a very simple autopkgtest (dig @127.0.0.1) + + [ Ondřej Surý ] + * New upstream version 9.11.4.P2+dfsg + * Rebase patches for BIND 9.11.4-P2 + + -- Ondřej Surý Mon, 10 Sep 2018 08:36:06 +0000 + +bind9 (1:9.11.4.P1+dfsg-1) unstable; urgency=medium + + [ Timo Aaltonen ] + * skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11 + crashing on startup. (LP: #1769440) + + [ Bernhard Schmidt ] + * Add gbp.conf for pristine-tar usage + * d/watch: Properly deal with -P patch releases + + [ Ondřej Surý ] + * Don't fail to start if /etc/default/bind9 doesn't exist + * New upstream version 9.11.4.P1+dfsg + * Rebase patches for BIND 9.11.4-P1 + * Add new dst__openssleddsa_init optional symbol (it depends on OpenSSL version) (Closes: #897643) + * Put aside named.conf.option from stretch when upgrading (Closes: #905177) + + -- Ondřej Surý Fri, 31 Aug 2018 09:53:27 +0000 + +bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium + + * Brown-paper-bag release :-( + * Fix missing colon in AppArmor profile (Closes: #904983) + + -- Bernhard Schmidt Mon, 30 Jul 2018 16:28:21 +0200 + bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium * Enable IDN support for dig+host using libidn2 (Closes: #459010) diff -pruN 1:9.11.4+dfsg-3/debian/extras/apparmor.d/usr.sbin.named 1:9.11.4.P2+dfsg-1/debian/extras/apparmor.d/usr.sbin.named --- 1:9.11.4+dfsg-3/debian/extras/apparmor.d/usr.sbin.named 2018-07-29 21:26:09.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/debian/extras/apparmor.d/usr.sbin.named 2018-09-10 08:36:06.000000000 +0000 @@ -30,7 +30,7 @@ /etc/ssl/openssl.cnf r, # root hints from dns-data-root - /usr/share/dns/root.* r + /usr/share/dns/root.* r, # GeoIP data files for GeoIP ACLs /usr/share/GeoIP/** r, diff -pruN 1:9.11.4+dfsg-3/debian/gbp.conf 1:9.11.4.P2+dfsg-1/debian/gbp.conf --- 1:9.11.4+dfsg-3/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/debian/gbp.conf 2018-09-10 08:36:06.000000000 +0000 @@ -0,0 +1,3 @@ +[DEFAULT] +pristine-tar = True + diff -pruN 1:9.11.4+dfsg-3/debian/libdns1102.symbols 1:9.11.4.P2+dfsg-1/debian/libdns1102.symbols --- 1:9.11.4+dfsg-3/debian/libdns1102.symbols 2018-07-29 21:26:09.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/debian/libdns1102.symbols 2018-09-10 08:36:06.000000000 +0000 @@ -3063,6 +3063,7 @@ libdns.so.1102 libdns1102 #MINVER# dst__openssldh_init@Base 1:9.11.3+dfsg dst__openssldsa_init@Base 1:9.11.3+dfsg dst__opensslecdsa_init@Base 1:9.11.3+dfsg + (optional)dst__openssleddsa_init@Base 1:9.11.4.P1+dfsg dst__opensslrsa_init@Base 1:9.11.3+dfsg dst__privstruct_free@Base 1:9.11.3+dfsg dst__privstruct_parse@Base 1:9.11.3+dfsg diff -pruN 1:9.11.4+dfsg-3/debian/patches/02_version.diff 1:9.11.4.P2+dfsg-1/debian/patches/02_version.diff --- 1:9.11.4+dfsg-3/debian/patches/02_version.diff 2018-07-29 21:26:09.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/debian/patches/02_version.diff 2018-09-10 08:36:06.000000000 +0000 @@ -8,12 +8,12 @@ Subject: _version 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version b/version -index 112781d..3a38745 100644 +index 83a92e8..7e8da78 100644 --- a/version +++ b/version @@ -8,4 +8,4 @@ MINORVER=11 PATCHVER=4 - RELEASETYPE= - RELEASEVER= + RELEASETYPE=-P + RELEASEVER=2 -EXTENSIONS= +EXTENSIONS="$(dpkg-parsechangelog --file=../debian/changelog | sed -n '/^Version/s/[^-]*//p')-$(dpkg-vendor --query Vendor)" diff -pruN 1:9.11.4+dfsg-3/debian/patches/10_min-cache-ttl.diff 1:9.11.4.P2+dfsg-1/debian/patches/10_min-cache-ttl.diff --- 1:9.11.4+dfsg-3/debian/patches/10_min-cache-ttl.diff 2018-07-29 21:26:09.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/debian/patches/10_min-cache-ttl.diff 2018-09-10 08:36:06.000000000 +0000 @@ -35,7 +35,7 @@ index 54bc37f..9efd7a5 100644 minimal-any false;\n\ minimal-responses false;\n\ diff --git a/bin/named/server.c b/bin/named/server.c -index 59a8998..ced3e9be 100644 +index 0c8939d..ad84414 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -3703,6 +3703,18 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, @@ -164,7 +164,7 @@ index 2b6d134..74c6215 100644 trust = rdataset->trust; /* diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index 8f674a2..511b34c 100644 +index 41d1385..dab2f70 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -562,7 +562,9 @@ static isc_boolean_t fctx_unlink(fetchctx_t *fctx); diff -pruN 1:9.11.4+dfsg-3/debian/patches/series 1:9.11.4.P2+dfsg-1/debian/patches/series --- 1:9.11.4+dfsg-3/debian/patches/series 2018-07-29 21:26:09.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/debian/patches/series 2018-09-10 08:36:06.000000000 +0000 @@ -8,3 +8,4 @@ 75_ctxstart_no_sighandling.diff 80_reproducible_build.diff Add_--install-layout=deb_to_setup.py_call.patch +skip-rtld-deepbind-for-dyndb.diff diff -pruN 1:9.11.4+dfsg-3/debian/patches/skip-rtld-deepbind-for-dyndb.diff 1:9.11.4.P2+dfsg-1/debian/patches/skip-rtld-deepbind-for-dyndb.diff --- 1:9.11.4+dfsg-3/debian/patches/skip-rtld-deepbind-for-dyndb.diff 1970-01-01 00:00:00.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/debian/patches/skip-rtld-deepbind-for-dyndb.diff 2018-09-10 08:36:06.000000000 +0000 @@ -0,0 +1,24 @@ +From: BIND 9 Package +Date: Fri, 31 Aug 2018 08:42:51 +0000 +Subject: skip-rtld-deepbind-for-dyndb + +https://bugzilla.redhat.com/show_bug.cgi?id=1410433 +https://bugs.launchpad.net/bugs/1769440 +--- + lib/dns/dyndb.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c +index e21a84c..ac18162 100644 +--- a/lib/dns/dyndb.c ++++ b/lib/dns/dyndb.c +@@ -133,9 +133,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname, + instname, filename); + + flags = RTLD_NOW|RTLD_LOCAL; +-#ifdef RTLD_DEEPBIND +- flags |= RTLD_DEEPBIND; +-#endif + + handle = dlopen(filename, flags); + if (handle == NULL) diff -pruN 1:9.11.4+dfsg-3/debian/tests/control 1:9.11.4.P2+dfsg-1/debian/tests/control --- 1:9.11.4+dfsg-3/debian/tests/control 1970-01-01 00:00:00.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/debian/tests/control 2018-09-10 08:36:06.000000000 +0000 @@ -0,0 +1,3 @@ +Tests: simpletest +Restrictions: needs-root, isolation-container +Depends: bind9, dnsutils diff -pruN 1:9.11.4+dfsg-3/debian/tests/simpletest 1:9.11.4.P2+dfsg-1/debian/tests/simpletest --- 1:9.11.4+dfsg-3/debian/tests/simpletest 1970-01-01 00:00:00.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/debian/tests/simpletest 2018-09-10 08:36:06.000000000 +0000 @@ -0,0 +1,21 @@ +#!/bin/sh + +set -e + +setup() { + service bind9 stop + service bind9 start +} + +run() { + dig -x 127.0.0.1 @127.0.0.1 +} + +teardown() { + service bind9 stop +} + +setup +run +teardown + diff -pruN 1:9.11.4+dfsg-3/debian/watch 1:9.11.4.P2+dfsg-1/debian/watch --- 1:9.11.4+dfsg-3/debian/watch 2018-07-29 21:26:09.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/debian/watch 2018-09-10 08:36:06.000000000 +0000 @@ -4,8 +4,8 @@ opts=\ repack,\ compression=xz,\ repacksuffix=+dfsg,\ -uversionmangle=s/((rc|b)\d+)$/~$1/,\ -dirversionmangle=s/((rc|b)\d+)$/~$1/,\ +uversionmangle=s/((rc|b)\d+)$/~$1/;s/-P(\d+)$/.P$1/,\ +dirversionmangle=s/((rc|b)\d+)$/~$1/;s/-P(\d+)$/.P$1/,\ dversionmangle=s/\.dfsg\./-/;s/[\.\+]dfsg$//,\ pgpsigurlmangle=s/$/.asc/ \ - https://ftp.isc.org/isc/bind9/(9\.11\.\d\S+)/ bind-@ANY_VERSION@\.tar\.gz + https://ftp.isc.org/isc/bind9/(9\.11\.\d+(?:(?:rc|b|-P)\d)?)/ bind-@ANY_VERSION@\.tar\.gz diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM-book.xml 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM-book.xml --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM-book.xml 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM-book.xml 2018-09-04 04:04:41.000000000 +0000 @@ -12548,7 +12548,7 @@ example.com. NS ns2.example.net. has been used to create a shared secret, the identity of the key used to authenticate the TKEY exchange will be used as the identity of the shared secret. Some rule types - use indentities matching the client's Kerberos principal + use identities matching the client's Kerberos principal (e.g, "host/machine@REALM") or Windows realm (machine$@REALM). @@ -12709,12 +12709,26 @@ example.com. NS ns2.example.net. - This rule takes a Windows machine principal - (machine$@REALM) for machine in REALM and - and converts it machine.realm allowing the machine - to update machine.realm. The REALM to be matched - is specified in the identity - field. The name field should be set to "." + When a client sends an UPDATE using a Windows + machine principal (for example, 'machine$@REALM'), + this rule allows records with the absolute name + of 'machine.REALM' to be updated. + + + The realm to be matched is specified in the + identity field. + + + The name field has + no effect on this rule; it should be set to "." + as a placeholder. + + + For example, + grant EXAMPLE.COM ms-self . A AAAA + allows any machine with a valid principal in + the realm EXAMPLE.COM to update + its own address records. @@ -12725,13 +12739,32 @@ example.com. NS ns2.example.net. - This rule takes a Windows machine principal - (machine$@REALM) for machine in REALM and - converts it to machine.realm allowing the machine - to update subdomains of machine.realm. The REALM - to be matched is specified in the + When a client sends an UPDATE using a Windows + machine principal (for example, 'machine$@REALM'), + this rule allows any machine in the specified + realm to update any record in the zone or in a + specified subdomain of the zone. + + + The realm to be matched is specified in the identity field. + + The name field + specifies the subdomain that may be updated. + If set to "." (or any other name at or above + the zone apex), any name in the zone can be + updated. + + + For example, if update-policy + for the zone "example.com" includes + grant EXAMPLE.COM ms-subdomain hosts.example.com. A AAAA, + any machine with a valid principal in + the realm EXAMPLE.COM will + be able to update address records at or below + "hosts.example.com". + @@ -12741,12 +12774,32 @@ example.com. NS ns2.example.net. - This rule takes a Kerberos machine principal - (host/machine@REALM) for machine in REALM and - and converts it machine.realm allowing the machine - to update machine.realm. The REALM to be matched - is specified in the identity - field. The name field should be set to "." + When a client sends an UPDATE using a + Kerberos machine principal (for example, + 'host/machine@REALM'), this rule allows + records with the absolute name of 'machine' + to be updated provided it has been authenticated + by REALM. This is similar but not identical + to ms-self due to the + 'machine' part of the Kerberos principal + being an absolute name instead of a unqualified + name. + + + The realm to be matched is specified in the + identity field. + + + The name field has + no effect on this rule; it should be set to "." + as a placeholder. + + + For example, + grant EXAMPLE.COM krb5-self . A AAAA + allows any machine with a valid principal in + the realm EXAMPLE.COM to update + its own address records. @@ -12757,13 +12810,11 @@ example.com. NS ns2.example.net. - This rule takes a Kerberos machine principal - (host/machine@REALM) for machine in REALM and - converts it to machine.realm allowing the machine - to update subdomains of machine.realm. The REALM - to be matched is specified in the - identity field. The - name field should be set to "." + This rule is identical to + ms-subdomain, except that it works + with Kerberos machine principals (i.e., + 'host/machine@REALM') rather than Windows machine + principals. diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch01.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch01.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch01.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch01.html 2018-09-04 04:04:41.000000000 +0000 @@ -616,6 +616,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch02.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch02.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch02.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch02.html 2018-09-04 04:04:41.000000000 +0000 @@ -151,6 +151,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch03.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch03.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch03.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch03.html 2018-09-04 04:04:41.000000000 +0000 @@ -759,6 +759,6 @@ controls { -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch04.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch04.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch04.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch04.html 2018-09-04 04:04:41.000000000 +0000 @@ -2867,6 +2867,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2. -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch05.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch05.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch05.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch05.html 2018-09-04 04:04:41.000000000 +0000 @@ -142,6 +142,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch06.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch06.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch06.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch06.html 2018-09-04 04:04:41.000000000 +0000 @@ -10397,7 +10397,7 @@ example.com. NS ns2.example.net. has been used to create a shared secret, the identity of the key used to authenticate the TKEY exchange will be used as the identity of the shared secret. Some rule types - use indentities matching the client's Kerberos principal + use identities matching the client's Kerberos principal (e.g, "host/machine@REALM") or Windows realm (machine$@REALM).

@@ -10567,12 +10567,26 @@ example.com. NS ns2.example.net.

- This rule takes a Windows machine principal - (machine$@REALM) for machine in REALM and - and converts it machine.realm allowing the machine - to update machine.realm. The REALM to be matched - is specified in the identity - field. The name field should be set to "." + When a client sends an UPDATE using a Windows + machine principal (for example, 'machine$@REALM'), + this rule allows records with the absolute name + of 'machine.REALM' to be updated. +

+

+ The realm to be matched is specified in the + identity field. +

+

+ The name field has + no effect on this rule; it should be set to "." + as a placeholder. +

+

+ For example, + grant EXAMPLE.COM ms-self . A AAAA + allows any machine with a valid principal in + the realm EXAMPLE.COM to update + its own address records.

@@ -10584,13 +10598,32 @@ example.com. NS ns2.example.net.

- This rule takes a Windows machine principal - (machine$@REALM) for machine in REALM and - converts it to machine.realm allowing the machine - to update subdomains of machine.realm. The REALM - to be matched is specified in the + When a client sends an UPDATE using a Windows + machine principal (for example, 'machine$@REALM'), + this rule allows any machine in the specified + realm to update any record in the zone or in a + specified subdomain of the zone. +

+

+ The realm to be matched is specified in the identity field.

+

+ The name field + specifies the subdomain that may be updated. + If set to "." (or any other name at or above + the zone apex), any name in the zone can be + updated. +

+

+ For example, if update-policy + for the zone "example.com" includes + grant EXAMPLE.COM ms-subdomain hosts.example.com. A AAAA, + any machine with a valid principal in + the realm EXAMPLE.COM will + be able to update address records at or below + "hosts.example.com". +

@@ -10601,12 +10634,32 @@ example.com. NS ns2.example.net.

- This rule takes a Kerberos machine principal - (host/machine@REALM) for machine in REALM and - and converts it machine.realm allowing the machine - to update machine.realm. The REALM to be matched - is specified in the identity - field. The name field should be set to "." + When a client sends an UPDATE using a + Kerberos machine principal (for example, + 'host/machine@REALM'), this rule allows + records with the absolute name of 'machine' + to be updated provided it has been authenticated + by REALM. This is similar but not identical + to ms-self due to the + 'machine' part of the Kerberos principal + being an absolute name instead of a unqualified + name. +

+

+ The realm to be matched is specified in the + identity field. +

+

+ The name field has + no effect on this rule; it should be set to "." + as a placeholder. +

+

+ For example, + grant EXAMPLE.COM krb5-self . A AAAA + allows any machine with a valid principal in + the realm EXAMPLE.COM to update + its own address records.

@@ -10618,13 +10671,11 @@ example.com. NS ns2.example.net.

- This rule takes a Kerberos machine principal - (host/machine@REALM) for machine in REALM and - converts it to machine.realm allowing the machine - to update subdomains of machine.realm. The REALM - to be matched is specified in the - identity field. The - name field should be set to "." + This rule is identical to + ms-subdomain, except that it works + with Kerberos machine principals (i.e., + 'host/machine@REALM') rather than Windows machine + principals.

@@ -14573,6 +14624,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch07.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch07.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch07.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch07.html 2018-09-04 04:04:41.000000000 +0000 @@ -399,6 +399,6 @@ allow-query { !{ !10/8; any; }; key exam -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch08.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch08.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch08.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch08.html 2018-09-04 04:04:41.000000000 +0000 @@ -136,6 +136,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch09.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch09.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch09.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch09.html 2018-09-04 04:04:41.000000000 +0000 @@ -36,7 +36,7 @@

Table of Contents

-
Release Notes for BIND Version 9.11.4
+
Release Notes for BIND Version 9.11.4-P2
Introduction
Download
@@ -44,7 +44,6 @@
Legacy Windows No Longer Supported
Security Fixes
New Features
-
Removed Features
Feature Changes
Bug Fixes
End of Life
@@ -54,7 +53,7 @@

-Release Notes for BIND Version 9.11.4

+Release Notes for BIND Version 9.11.4-P2

@@ -122,50 +121,27 @@

Security Fixes

-
  • -

    - When recursion is enabled but the allow-recursion - and allow-query-cache ACLs are not specified, they - should be limited to local networks, but they were inadvertently set - to match the default allow-query, thus allowing - remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] -

    -
-
- -
-

-New Features

  • - named now supports the "root key sentinel" - mechanism. This enables validating resolvers to indicate - which trust anchors are configured for the root, so that - information about root key rollover status can be gathered. - To disable this feature, add - root-key-sentinel no; to - named.conf. + There was a long-existing flaw in the documentation for + ms-self, krb5-self, + ms-subdomain, and krb5-subdomain + rules in update-policy statements. Though + the policies worked as intended, operators who configured their + servers according to the misleading documentation may have + thought zone updates were more restricted than they were; + users of these rule types are advised to review the documentation + and correct their configurations if necessary. New rule types + matching the previously documented behavior will be introduced + in a future maintenance release. [GL !708]

  • - Added the ability not to return a DNS COOKIE option when one - is present in the request. To prevent a cookie being returned, - add answer-cookie no; to - named.conf. [GL #173] -

    -

    - answer-cookie no is only intended as a - temporary measure, for use when named - shares an IP address with other servers that do not yet - support DNS COOKIE. A mismatch between servers on the - same address is not expected to cause operational problems, - but the option to disable COOKIE responses so that all - servers have the same behavior is provided out of an - abundance of caution. DNS COOKIE is an important security - mechanism, and should not be disabled unless absolutely - necessary. + named could crash during recursive processing + of DNAME records when deny-answer-aliases was + in use. This flaw is disclosed in CVE-2018-5740. [GL #387]

@@ -173,13 +149,10 @@

-Removed Features

+New Features

  • - named will now log a warning if the old - BIND now can be compiled against libidn2 library to add - IDNA2008 support. Previously BIND only supported IDNA2003 - using (now obsolete) idnkit-1 library. + None.

@@ -187,25 +160,11 @@

Feature Changes

-
    -
  • -

    - dig +noidnin can be used to disable IDN - processing on the input domain name, when BIND is compiled - with IDN support. -

    -
    • -
  • +

    • - Multiple cookie-secret clause are now - supported. The first cookie-secret in - named.conf is used to generate new - server cookies. Any others are used to accept old server - cookies or those generated by other servers using the - matching cookie-secret. + None.

      -
      • -
    +
@@ -214,18 +173,28 @@

  • - named now rejects excessively large - incremental (IXFR) zone transfers in order to prevent - possible corruption of journal files which could cause - named to abort when loading zones. [GL #339] -

    + Running rndc reconfig could cause + inline-signing to stop signing. [GL #439] +

  • -

    - rndc reload could cause named - to leak memory if it was invoked before the zone loading actions - from a previous rndc reload command were - completed. [RT #47076] +

    + Reloading all zones caused zone maintenance to stop for + inline-signing zones. [GL #435] +

    +
    • +
  • +

    + Signatures loaded from the journal for the signed version + inline-signing zone were not scheduled for + refresh. [GL #482] +

    +
    • +
  • +

    + A referral response with a non-empty ANSWER section was + incorrectly treated as an error; this caused certain domains + to be non-resolvable. [GL #390]

@@ -271,6 +240,6 @@
-

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch10.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch10.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch10.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch10.html 2018-09-04 04:04:41.000000000 +0000 @@ -148,6 +148,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch11.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch11.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch11.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch11.html 2018-09-04 04:04:41.000000000 +0000 @@ -914,6 +914,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch12.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch12.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch12.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch12.html 2018-09-04 04:04:41.000000000 +0000 @@ -533,6 +533,6 @@ $ sample -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch13.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch13.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch13.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch13.html 2018-09-04 04:04:41.000000000 +0000 @@ -213,6 +213,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.html --- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.html 2018-09-04 04:04:41.000000000 +0000 @@ -32,7 +32,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.11.4

+

BIND Version 9.11.4-P2

Copyright © 2000-2018 Internet Systems Consortium, Inc. ("ISC")

@@ -241,7 +241,7 @@
A. Release Notes
-
Release Notes for BIND Version 9.11.4
+
Release Notes for BIND Version 9.11.4-P2
Introduction
Download
@@ -249,7 +249,6 @@
Legacy Windows No Longer Supported
Security Fixes
New Features
-
Removed Features
Feature Changes
Bug Fixes
End of Life
@@ -443,6 +442,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.arpaname.html 1:9.11.4.P2+dfsg-1/doc/arm/man.arpaname.html --- 1:9.11.4+dfsg-3/doc/arm/man.arpaname.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.arpaname.html 2018-09-04 04:04:41.000000000 +0000 @@ -91,6 +91,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.ddns-confgen.html 1:9.11.4.P2+dfsg-1/doc/arm/man.ddns-confgen.html --- 1:9.11.4+dfsg-3/doc/arm/man.ddns-confgen.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.ddns-confgen.html 2018-09-04 04:04:41.000000000 +0000 @@ -236,6 +236,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.delv.html 1:9.11.4.P2+dfsg-1/doc/arm/man.delv.html --- 1:9.11.4+dfsg-3/doc/arm/man.delv.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.delv.html 2018-09-04 04:04:41.000000000 +0000 @@ -624,6 +624,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dig.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dig.html --- 1:9.11.4+dfsg-3/doc/arm/man.dig.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dig.html 2018-09-04 04:04:41.000000000 +0000 @@ -1108,6 +1108,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-checkds.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-checkds.html --- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-checkds.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-checkds.html 2018-09-04 04:04:41.000000000 +0000 @@ -148,6 +148,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-coverage.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-coverage.html --- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-coverage.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-coverage.html 2018-09-04 04:04:41.000000000 +0000 @@ -270,6 +270,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-dsfromkey.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-dsfromkey.html --- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-dsfromkey.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-dsfromkey.html 2018-09-04 04:04:41.000000000 +0000 @@ -289,6 +289,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-importkey.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-importkey.html --- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-importkey.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-importkey.html 2018-09-04 04:04:41.000000000 +0000 @@ -250,6 +250,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-keyfromlabel.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-keyfromlabel.html --- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-keyfromlabel.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-keyfromlabel.html 2018-09-04 04:04:41.000000000 +0000 @@ -492,6 +492,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-keygen.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-keygen.html --- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-keygen.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-keygen.html 2018-09-04 04:04:41.000000000 +0000 @@ -579,6 +579,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-keymgr.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-keymgr.html --- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-keymgr.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-keymgr.html 2018-09-04 04:04:41.000000000 +0000 @@ -398,6 +398,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-revoke.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-revoke.html --- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-revoke.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-revoke.html 2018-09-04 04:04:41.000000000 +0000 @@ -171,6 +171,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-settime.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-settime.html --- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-settime.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-settime.html 2018-09-04 04:04:41.000000000 +0000 @@ -349,6 +349,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-signzone.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-signzone.html --- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-signzone.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-signzone.html 2018-09-04 04:04:41.000000000 +0000 @@ -708,6 +708,6 @@ db.example.com.signed -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-verify.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-verify.html --- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-verify.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-verify.html 2018-09-04 04:04:41.000000000 +0000 @@ -202,6 +202,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnstap-read.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnstap-read.html --- 1:9.11.4+dfsg-3/doc/arm/man.dnstap-read.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnstap-read.html 2018-09-04 04:04:41.000000000 +0000 @@ -134,6 +134,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.genrandom.html 1:9.11.4.P2+dfsg-1/doc/arm/man.genrandom.html --- 1:9.11.4+dfsg-3/doc/arm/man.genrandom.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.genrandom.html 2018-09-04 04:04:41.000000000 +0000 @@ -127,6 +127,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.host.html 1:9.11.4.P2+dfsg-1/doc/arm/man.host.html --- 1:9.11.4+dfsg-3/doc/arm/man.host.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.host.html 2018-09-04 04:04:41.000000000 +0000 @@ -366,6 +366,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.isc-hmac-fixup.html 1:9.11.4.P2+dfsg-1/doc/arm/man.isc-hmac-fixup.html --- 1:9.11.4+dfsg-3/doc/arm/man.isc-hmac-fixup.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.isc-hmac-fixup.html 2018-09-04 04:04:41.000000000 +0000 @@ -126,6 +126,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.lwresd.html 1:9.11.4.P2+dfsg-1/doc/arm/man.lwresd.html --- 1:9.11.4+dfsg-3/doc/arm/man.lwresd.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.lwresd.html 2018-09-04 04:04:41.000000000 +0000 @@ -329,6 +329,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.mdig.html 1:9.11.4.P2+dfsg-1/doc/arm/man.mdig.html --- 1:9.11.4+dfsg-3/doc/arm/man.mdig.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.mdig.html 2018-09-04 04:04:41.000000000 +0000 @@ -609,6 +609,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named-checkconf.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named-checkconf.html --- 1:9.11.4+dfsg-3/doc/arm/man.named-checkconf.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named-checkconf.html 2018-09-04 04:04:41.000000000 +0000 @@ -192,6 +192,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named-checkzone.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named-checkzone.html --- 1:9.11.4+dfsg-3/doc/arm/man.named-checkzone.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named-checkzone.html 2018-09-04 04:04:41.000000000 +0000 @@ -463,6 +463,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named.conf.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named.conf.html --- 1:9.11.4+dfsg-3/doc/arm/man.named.conf.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named.conf.html 2018-09-04 04:04:41.000000000 +0000 @@ -1035,6 +1035,6 @@ zone strin -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named.html --- 1:9.11.4+dfsg-3/doc/arm/man.named.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named.html 2018-09-04 04:04:41.000000000 +0000 @@ -490,6 +490,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named-journalprint.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named-journalprint.html --- 1:9.11.4+dfsg-3/doc/arm/man.named-journalprint.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named-journalprint.html 2018-09-04 04:04:41.000000000 +0000 @@ -117,6 +117,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named-nzd2nzf.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named-nzd2nzf.html --- 1:9.11.4+dfsg-3/doc/arm/man.named-nzd2nzf.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named-nzd2nzf.html 2018-09-04 04:04:41.000000000 +0000 @@ -119,6 +119,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named-rrchecker.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named-rrchecker.html --- 1:9.11.4+dfsg-3/doc/arm/man.named-rrchecker.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named-rrchecker.html 2018-09-04 04:04:41.000000000 +0000 @@ -121,6 +121,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.nsec3hash.html 1:9.11.4.P2+dfsg-1/doc/arm/man.nsec3hash.html --- 1:9.11.4+dfsg-3/doc/arm/man.nsec3hash.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.nsec3hash.html 2018-09-04 04:04:41.000000000 +0000 @@ -131,6 +131,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.nslookup.html 1:9.11.4.P2+dfsg-1/doc/arm/man.nslookup.html --- 1:9.11.4+dfsg-3/doc/arm/man.nslookup.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.nslookup.html 2018-09-04 04:04:41.000000000 +0000 @@ -419,6 +419,6 @@ nslookup -query=hinfo -timeout=10 -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.nsupdate.html 1:9.11.4.P2+dfsg-1/doc/arm/man.nsupdate.html --- 1:9.11.4+dfsg-3/doc/arm/man.nsupdate.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.nsupdate.html 2018-09-04 04:04:41.000000000 +0000 @@ -817,6 +817,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-destroy.html 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-destroy.html --- 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-destroy.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-destroy.html 2018-09-04 04:04:41.000000000 +0000 @@ -162,6 +162,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-keygen.html 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-keygen.html --- 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-keygen.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-keygen.html 2018-09-04 04:04:41.000000000 +0000 @@ -200,6 +200,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-list.html 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-list.html --- 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-list.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-list.html 2018-09-04 04:04:41.000000000 +0000 @@ -158,6 +158,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-tokens.html 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-tokens.html --- 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-tokens.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-tokens.html 2018-09-04 04:04:41.000000000 +0000 @@ -119,6 +119,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.rndc-confgen.html 1:9.11.4.P2+dfsg-1/doc/arm/man.rndc-confgen.html --- 1:9.11.4+dfsg-3/doc/arm/man.rndc-confgen.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.rndc-confgen.html 2018-09-04 04:04:41.000000000 +0000 @@ -277,6 +277,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.rndc.conf.html 1:9.11.4.P2+dfsg-1/doc/arm/man.rndc.conf.html --- 1:9.11.4+dfsg-3/doc/arm/man.rndc.conf.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.rndc.conf.html 2018-09-04 04:04:41.000000000 +0000 @@ -268,6 +268,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.rndc.html 1:9.11.4.P2+dfsg-1/doc/arm/man.rndc.html --- 1:9.11.4+dfsg-3/doc/arm/man.rndc.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/man.rndc.html 2018-09-04 04:04:41.000000000 +0000 @@ -889,6 +889,6 @@ -

BIND 9.11.4 (Extended Support Version)

+

BIND 9.11.4-P2 (Extended Support Version)

diff -pruN 1:9.11.4+dfsg-3/doc/arm/notes.html 1:9.11.4.P2+dfsg-1/doc/arm/notes.html --- 1:9.11.4+dfsg-3/doc/arm/notes.html 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/notes.html 2018-09-04 04:04:41.000000000 +0000 @@ -15,7 +15,7 @@

-Release Notes for BIND Version 9.11.4

+Release Notes for BIND Version 9.11.4-P2

@@ -83,50 +83,27 @@

Security Fixes

-
  • -

    - When recursion is enabled but the allow-recursion - and allow-query-cache ACLs are not specified, they - should be limited to local networks, but they were inadvertently set - to match the default allow-query, thus allowing - remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] -

    -
-
- -
-

-New Features

  • - named now supports the "root key sentinel" - mechanism. This enables validating resolvers to indicate - which trust anchors are configured for the root, so that - information about root key rollover status can be gathered. - To disable this feature, add - root-key-sentinel no; to - named.conf. + There was a long-existing flaw in the documentation for + ms-self, krb5-self, + ms-subdomain, and krb5-subdomain + rules in update-policy statements. Though + the policies worked as intended, operators who configured their + servers according to the misleading documentation may have + thought zone updates were more restricted than they were; + users of these rule types are advised to review the documentation + and correct their configurations if necessary. New rule types + matching the previously documented behavior will be introduced + in a future maintenance release. [GL !708]

  • - Added the ability not to return a DNS COOKIE option when one - is present in the request. To prevent a cookie being returned, - add answer-cookie no; to - named.conf. [GL #173] -

    -

    - answer-cookie no is only intended as a - temporary measure, for use when named - shares an IP address with other servers that do not yet - support DNS COOKIE. A mismatch between servers on the - same address is not expected to cause operational problems, - but the option to disable COOKIE responses so that all - servers have the same behavior is provided out of an - abundance of caution. DNS COOKIE is an important security - mechanism, and should not be disabled unless absolutely - necessary. + named could crash during recursive processing + of DNAME records when deny-answer-aliases was + in use. This flaw is disclosed in CVE-2018-5740. [GL #387]

@@ -134,13 +111,10 @@

-Removed Features

+New Features

  • - named will now log a warning if the old - BIND now can be compiled against libidn2 library to add - IDNA2008 support. Previously BIND only supported IDNA2003 - using (now obsolete) idnkit-1 library. + None.

@@ -148,25 +122,11 @@

Feature Changes

-
    -
  • -

    - dig +noidnin can be used to disable IDN - processing on the input domain name, when BIND is compiled - with IDN support. -

    -
    • -
  • +

    • - Multiple cookie-secret clause are now - supported. The first cookie-secret in - named.conf is used to generate new - server cookies. Any others are used to accept old server - cookies or those generated by other servers using the - matching cookie-secret. + None.

      -
      • -
    +
@@ -175,18 +135,28 @@

  • - named now rejects excessively large - incremental (IXFR) zone transfers in order to prevent - possible corruption of journal files which could cause - named to abort when loading zones. [GL #339] -

    + Running rndc reconfig could cause + inline-signing to stop signing. [GL #439] +

  • -

    - rndc reload could cause named - to leak memory if it was invoked before the zone loading actions - from a previous rndc reload command were - completed. [RT #47076] +

    + Reloading all zones caused zone maintenance to stop for + inline-signing zones. [GL #435] +

    +
    • +
  • +

    + Signatures loaded from the journal for the signed version + inline-signing zone were not scheduled for + refresh. [GL #482] +

    +
    • +
  • +

    + A referral response with a non-empty ANSWER section was + incorrectly treated as an error; this caused certain domains + to be non-resolvable. [GL #390]

Binary files 1:9.11.4+dfsg-3/doc/arm/notes.pdf and 1:9.11.4.P2+dfsg-1/doc/arm/notes.pdf differ diff -pruN 1:9.11.4+dfsg-3/doc/arm/notes.txt 1:9.11.4.P2+dfsg-1/doc/arm/notes.txt --- 1:9.11.4+dfsg-3/doc/arm/notes.txt 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/notes.txt 2018-09-04 04:04:41.000000000 +0000 @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.11.4 +Release Notes for BIND Version 9.11.4-P2 Introduction @@ -41,58 +41,42 @@ from ISC. Security Fixes - * When recursion is enabled but the allow-recursion and - allow-query-cache ACLs are not specified, they should be limited to - local networks, but they were inadvertently set to match the default - allow-query, thus allowing remote queries. This flaw is disclosed in - CVE-2018-5738. [GL #309] + * There was a long-existing flaw in the documentation for ms-self, + krb5-self, ms-subdomain, and krb5-subdomain rules in update-policy + statements. Though the policies worked as intended, operators who + configured their servers according to the misleading documentation may + have thought zone updates were more restricted than they were; users + of these rule types are advised to review the documentation and + correct their configurations if necessary. New rule types matching the + previously documented behavior will be introduced in a future + maintenance release. [GL !708] + + * named could crash during recursive processing of DNAME records when + deny-answer-aliases was in use. This flaw is disclosed in + CVE-2018-5740. [GL #387] New Features - * named now supports the "root key sentinel" mechanism. This enables - validating resolvers to indicate which trust anchors are configured - for the root, so that information about root key rollover status can - be gathered. To disable this feature, add root-key-sentinel no; to - named.conf. - - * Added the ability not to return a DNS COOKIE option when one is - present in the request. To prevent a cookie being returned, add - answer-cookie no; to named.conf. [GL #173] - - answer-cookie no is only intended as a temporary measure, for use when - named shares an IP address with other servers that do not yet support - DNS COOKIE. A mismatch between servers on the same address is not - expected to cause operational problems, but the option to disable - COOKIE responses so that all servers have the same behavior is - provided out of an abundance of caution. DNS COOKIE is an important - security mechanism, and should not be disabled unless absolutely - necessary. - -Removed Features - - * named will now log a warning if the old BIND now can be compiled - against libidn2 library to add IDNA2008 support. Previously BIND only - supported IDNA2003 using (now obsolete) idnkit-1 library. + * None. Feature Changes - * dig +noidnin can be used to disable IDN processing on the input domain - name, when BIND is compiled with IDN support. - - * Multiple cookie-secret clause are now supported. The first - cookie-secret in named.conf is used to generate new server cookies. - Any others are used to accept old server cookies or those generated by - other servers using the matching cookie-secret. + * None. Bug Fixes - * named now rejects excessively large incremental (IXFR) zone transfers - in order to prevent possible corruption of journal files which could - cause named to abort when loading zones. [GL #339] - - * rndc reload could cause named to leak memory if it was invoked before - the zone loading actions from a previous rndc reload command were - completed. [RT #47076] + * Running rndc reconfig could cause inline-signing to stop signing. [GL + #439] + + * Reloading all zones caused zone maintenance to stop for inline-signing + zones. [GL #435] + + * Signatures loaded from the journal for the signed version + inline-signing zone were not scheduled for refresh. [GL #482] + + * A referral response with a non-empty ANSWER section was incorrectly + treated as an error; this caused certain domains to be non-resolvable. + [GL #390] End of Life diff -pruN 1:9.11.4+dfsg-3/doc/arm/notes.xml 1:9.11.4.P2+dfsg-1/doc/arm/notes.xml --- 1:9.11.4+dfsg-3/doc/arm/notes.xml 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/doc/arm/notes.xml 2018-09-04 04:04:41.000000000 +0000 @@ -78,60 +78,34 @@ - When recursion is enabled but the allow-recursion - and allow-query-cache ACLs are not specified, they - should be limited to local networks, but they were inadvertently set - to match the default allow-query, thus allowing - remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] + There was a long-existing flaw in the documentation for + ms-self, krb5-self, + ms-subdomain, and krb5-subdomain + rules in update-policy statements. Though + the policies worked as intended, operators who configured their + servers according to the misleading documentation may have + thought zone updates were more restricted than they were; + users of these rule types are advised to review the documentation + and correct their configurations if necessary. New rule types + matching the previously documented behavior will be introduced + in a future maintenance release. [GL !708] - - - -
New Features - - named now supports the "root key sentinel" - mechanism. This enables validating resolvers to indicate - which trust anchors are configured for the root, so that - information about root key rollover status can be gathered. - To disable this feature, add - root-key-sentinel no; to - named.conf. - - - - - Added the ability not to return a DNS COOKIE option when one - is present in the request. To prevent a cookie being returned, - add answer-cookie no; to - named.conf. [GL #173] - - - answer-cookie no is only intended as a - temporary measure, for use when named - shares an IP address with other servers that do not yet - support DNS COOKIE. A mismatch between servers on the - same address is not expected to cause operational problems, - but the option to disable COOKIE responses so that all - servers have the same behavior is provided out of an - abundance of caution. DNS COOKIE is an important security - mechanism, and should not be disabled unless absolutely - necessary. + named could crash during recursive processing + of DNAME records when deny-answer-aliases was + in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
-
Removed Features +
New Features - named will now log a warning if the old - BIND now can be compiled against libidn2 library to add - IDNA2008 support. Previously BIND only supported IDNA2003 - using (now obsolete) idnkit-1 library. + None. @@ -141,19 +115,7 @@ - dig +noidnin can be used to disable IDN - processing on the input domain name, when BIND is compiled - with IDN support. - - - - - Multiple cookie-secret clause are now - supported. The first cookie-secret in - named.conf is used to generate new - server cookies. Any others are used to accept old server - cookies or those generated by other servers using the - matching cookie-secret. + None. @@ -163,18 +125,28 @@ - named now rejects excessively large - incremental (IXFR) zone transfers in order to prevent - possible corruption of journal files which could cause - named to abort when loading zones. [GL #339] - + Running rndc reconfig could cause + inline-signing to stop signing. [GL #439] + - - rndc reload could cause named - to leak memory if it was invoked before the zone loading actions - from a previous rndc reload command were - completed. [RT #47076] + + Reloading all zones caused zone maintenance to stop for + inline-signing zones. [GL #435] + + + + + Signatures loaded from the journal for the signed version + inline-signing zone were not scheduled for + refresh. [GL #482] + + + + + A referral response with a non-empty ANSWER section was + incorrectly treated as an error; this caused certain domains + to be non-resolvable. [GL #390] diff -pruN 1:9.11.4+dfsg-3/lib/dns/api 1:9.11.4.P2+dfsg-1/lib/dns/api --- 1:9.11.4+dfsg-3/lib/dns/api 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/lib/dns/api 2018-09-04 04:04:41.000000000 +0000 @@ -9,5 +9,5 @@ # 9.11: 160-169,1100-1199 # 9.12: 1200-1299 LIBINTERFACE = 1103 -LIBREVISION = 0 +LIBREVISION = 2 LIBAGE = 1 diff -pruN 1:9.11.4+dfsg-3/lib/dns/resolver.c 1:9.11.4.P2+dfsg-1/lib/dns/resolver.c --- 1:9.11.4+dfsg-3/lib/dns/resolver.c 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/lib/dns/resolver.c 2018-09-04 04:04:41.000000000 +0000 @@ -6318,6 +6318,7 @@ is_answertarget_allowed(fetchctx_t *fctx unsigned int nlabels; dns_fixedname_t fixed; dns_name_t prefix; + int order; REQUIRE(rdataset != NULL); REQUIRE(rdataset->type == dns_rdatatype_cname || @@ -6340,17 +6341,25 @@ is_answertarget_allowed(fetchctx_t *fctx tname = &cname.cname; break; case dns_rdatatype_dname: + if (dns_name_fullcompare(qname, rname, &order, &nlabels) != + dns_namereln_subdomain) + { + return (ISC_TRUE); + } result = dns_rdata_tostruct(&rdata, &dname, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_name_init(&prefix, NULL); tname = dns_fixedname_initname(&fixed); - nlabels = dns_name_countlabels(qname) - - dns_name_countlabels(rname); + nlabels = dns_name_countlabels(rname); dns_name_split(qname, nlabels, &prefix, NULL); result = dns_name_concatenate(&prefix, &dname.dname, tname, NULL); - if (result == DNS_R_NAMETOOLONG) + if (result == DNS_R_NAMETOOLONG) { + if (chainingp != NULL) { + *chainingp = ISC_TRUE; + } return (ISC_TRUE); + } RUNTIME_CHECK(result == ISC_R_SUCCESS); break; default: @@ -7071,7 +7080,9 @@ answer_response(fetchctx_t *fctx) { } if ((ardataset->type == dns_rdatatype_cname || ardataset->type == dns_rdatatype_dname) && - !is_answertarget_allowed(fctx, qname, aname, ardataset, + type != ardataset->type && + type != dns_rdatatype_any && + !is_answertarget_allowed(fctx, qname, aname, ardataset, NULL)) { return (DNS_R_SERVFAIL); diff -pruN 1:9.11.4+dfsg-3/lib/dns/zone.c 1:9.11.4.P2+dfsg-1/lib/dns/zone.c --- 1:9.11.4+dfsg-3/lib/dns/zone.c 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/lib/dns/zone.c 2018-09-04 04:04:41.000000000 +0000 @@ -1774,6 +1774,10 @@ dns_zone_isdynamic(dns_zone_t *zone, isc (zone->type == dns_zone_redirect && zone->masters != NULL)) return (ISC_TRUE); + /* Inline zones are always dynamic. */ + if (zone->type == dns_zone_master && zone->raw != NULL) + return (ISC_TRUE); + /* If !ignore_freeze, we need check whether updates are disabled. */ if (zone->type == dns_zone_master && (!zone->update_disabled || ignore_freeze) && @@ -1910,6 +1914,11 @@ zone_touched(dns_zone_t *zone) { return (ISC_FALSE); } +/* + * Note: when dealing with inline-signed zones, external callers will always + * call zone_load() for the secure zone; zone_load() calls itself recursively + * in order to load the raw zone. + */ static isc_result_t zone_load(dns_zone_t *zone, unsigned int flags, isc_boolean_t locked) { isc_result_t result; @@ -1926,6 +1935,28 @@ zone_load(dns_zone_t *zone, unsigned int INSIST(zone != zone->raw); hasraw = inline_secure(zone); if (hasraw) { + /* + * We are trying to load an inline-signed zone. First call + * self recursively to try loading the raw version of the zone. + * Assuming the raw zone file is readable, there are two + * possibilities: + * + * a) the raw zone was not yet loaded and thus it will be + * loaded now, synchronously; if this succeeds, a + * subsequent attempt to load the signed zone file will + * take place and thus zone_postload() will be called + * twice: first for the raw zone and then for the secure + * zone; the latter call will take care of syncing the raw + * version with the secure version, + * + * b) the raw zone was already loaded and we are trying to + * reload it, which will happen asynchronously; this means + * zone_postload() will only be called for the raw zone + * because "result" returned by the zone_load() call below + * will not be ISC_R_SUCCESS but rather DNS_R_CONTINUE; + * zone_postload() called for the raw zone will take care + * of syncing the raw version with the secure version. + */ result = zone_load(zone->raw, flags, ISC_FALSE); if (result != ISC_R_SUCCESS) { if (!locked) @@ -1965,7 +1996,7 @@ zone_load(dns_zone_t *zone, unsigned int * zone being reloaded. Do nothing - the database * we already have is guaranteed to be up-to-date. */ - if (zone->type == dns_zone_master) + if (zone->type == dns_zone_master && !hasraw) result = DNS_R_DYNAMIC; else result = ISC_R_SUCCESS; @@ -2008,7 +2039,6 @@ zone_load(dns_zone_t *zone, unsigned int goto cleanup; } - /* * If the file modification time is in the past * set loadtime to that value. @@ -4496,11 +4526,13 @@ zone_postload(dns_zone_t *zone, dns_db_t ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) && ! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) { - if (zone->type == dns_zone_master && - (zone->update_acl != NULL || zone->ssutable != NULL)) + if (zone->type == dns_zone_master && (inline_secure(zone) || + (zone->update_acl != NULL || zone->ssutable != NULL))) + { options = DNS_JOURNALOPT_RESIGN; - else + } else { options = 0; + } result = dns_journal_rollforward(zone->mctx, db, options, zone->journal); if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND && @@ -4643,13 +4675,14 @@ zone_postload(dns_zone_t *zone, dns_db_t isc_uint32_t serialmin, serialmax; INSIST(zone->type == dns_zone_master); + INSIST(zone->raw == NULL); if (serial == oldserial && zone_unchanged(zone->db, db, zone->mctx)) { dns_zone_log(zone, ISC_LOG_INFO, "ixfr-from-differences: " "unchanged"); - return(ISC_R_SUCCESS); + goto done; } serialmin = (oldserial + 1) & 0xffffffffU; @@ -4872,8 +4905,7 @@ zone_postload(dns_zone_t *zone, dns_db_t dns_db_issecure(db) ? " (DNSSEC signed)" : ""); zone->loadtime = loadtime; - DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING); - return (result); + goto done; cleanup: for (inc = ISC_LIST_HEAD(zone->newincludes); @@ -4910,6 +4942,23 @@ zone_postload(dns_zone_t *zone, dns_db_t result = ISC_R_SUCCESS; } + done: + DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING); + /* + * If this is an inline-signed zone and we were called for the raw + * zone, we need to clear DNS_ZONEFLG_LOADPENDING for the secure zone + * as well, but only if this is a reload, not an initial zone load: in + * the former case, zone_postload() will not be run for the secure + * zone; in the latter case, it will be. Check which case we are + * dealing with by consulting the DNS_ZONEFLG_LOADED flag for the + * secure zone: if it is set, this must be a reload. + */ + if (inline_raw(zone) && + DNS_ZONE_FLAG(zone->secure, DNS_ZONEFLG_LOADED)) + { + DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING); + } + return (result); } diff -pruN 1:9.11.4+dfsg-3/README 1:9.11.4.P2+dfsg-1/README --- 1:9.11.4+dfsg-3/README 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/README 2018-09-04 04:04:41.000000000 +0000 @@ -250,6 +250,15 @@ BIND 9.11.4 BIND 9.11.4 is a maintenance release, and addresses the security flaw disclosed in CVE-2018-5738. +BIND 9.11.4-P1 + +BIND 9.11.4-P1 addresses the security flaw disclosed in CVE-2018-5740. + +BIND 9.11.4-P2 + +BIND 9.11.4-P2 fixes several operationally significant bugs with +inline-signing zones. + Building BIND BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX diff -pruN 1:9.11.4+dfsg-3/README.md 1:9.11.4.P2+dfsg-1/README.md --- 1:9.11.4+dfsg-3/README.md 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/README.md 2018-09-04 04:04:41.000000000 +0000 @@ -266,6 +266,15 @@ disclosed in CVE-2017-3145. BIND 9.11.4 is a maintenance release, and addresses the security flaw disclosed in CVE-2018-5738. +#### BIND 9.11.4-P1 + +BIND 9.11.4-P1 addresses the security flaw disclosed in CVE-2018-5740. + +#### BIND 9.11.4-P2 + +BIND 9.11.4-P2 fixes several operationally significant bugs with +inline-signing zones. + ### Building BIND BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX diff -pruN 1:9.11.4+dfsg-3/srcid 1:9.11.4.P2+dfsg-1/srcid --- 1:9.11.4+dfsg-3/srcid 2018-07-03 18:41:50.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/srcid 2018-09-04 17:05:19.000000000 +0000 @@ -1 +1 @@ -SRCID=2fe4344 +SRCID=7107deb diff -pruN 1:9.11.4+dfsg-3/version 1:9.11.4.P2+dfsg-1/version --- 1:9.11.4+dfsg-3/version 2018-07-03 06:56:55.000000000 +0000 +++ 1:9.11.4.P2+dfsg-1/version 2018-09-04 04:04:41.000000000 +0000 @@ -6,6 +6,6 @@ DESCRIPTION="(Extended Support Version)" MAJORVER=9 MINORVER=11 PATCHVER=4 -RELEASETYPE= -RELEASEVER= +RELEASETYPE=-P +RELEASEVER=2 EXTENSIONS=