From: Tinderbox User Date: Wed, 15 Feb 2017 05:03:18 +0000 (+0000) Subject: regen v9_9_9_patch X-Git-Tag: v9.9.9-P8~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=72a0c2df21ff09ad93c42303fb2b8569a8ed83be;p=thirdparty%2Fbind9.git regen v9_9_9_patch --- diff --git a/configure b/configure index 14771f7e831..2033977fac9 100755 --- a/configure +++ b/configure @@ -1,5 +1,5 @@ #! /bin/sh -# Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1996-2003 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index f0bd9c6a904..746c0facbd5 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -555,6 +555,6 @@ -

BIND 9.9.9-P6 (Extended Support Version)

BIND 9.9.9-P7 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 975903274a2..0108d9a832d 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -153,6 +153,6 @@ -

BIND 9.9.9-P6 (Extended Support Version)

BIND 9.9.9-P7 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 3739f367879..4dea2d60b5f 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -663,6 +663,6 @@ controls { -

BIND 9.9.9-P6 (Extended Support Version)

BIND 9.9.9-P7 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 8173d030b28..f0fcb41096b 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -1960,6 +1960,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.9.9-P6 (Extended Support Version)

BIND 9.9.9-P7 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index e3ed3c7771e..dbcb33047a7 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -138,6 +138,6 @@ -

BIND 9.9.9-P6 (Extended Support Version)

BIND 9.9.9-P7 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index d8cdaeef0a5..0f4805b9ffc 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -12314,6 +12314,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.9.9-P6 (Extended Support Version)

BIND 9.9.9-P7 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index ceb5d6669e2..df2a91887f8 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -248,6 +248,6 @@ zone "example.com" { -

BIND 9.9.9-P6 (Extended Support Version)

BIND 9.9.9-P7 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 6ff615e24e1..1a580bb72e2 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -134,6 +134,6 @@ -

BIND 9.9.9-P6 (Extended Support Version)

BIND 9.9.9-P7 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index b50673a8cdb..c66334a99db 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -44,10 +44,11 @@

Table of Contents

Release Notes for BIND Version 9.9.9-P6

Release Notes for BIND Version 9.9.9-P7

Introduction
Download
New DNSSEC Root Key
Security Fixes
Feature Changes
Porting Changes

-Release Notes for BIND Version 9.9.9-P6

+Release Notes for BIND Version 9.9.9-P7

Introduction

This document summarizes changes since BIND 9.9.9:

+ BIND 9.9.9-P7 addresses the security issue described in + CVE-2017-3136, and updates the built in trusted keys for + the root zone. +

BIND 9.9.9-P6 addresses the security issue described in CVE-2017-3135, and fixes a regression introduced in a prior @@ -106,8 +112,42 @@

+New DNSSEC Root Key

+ ICANN is in the process of introducing a new Key Signing Key (KSK) for + the global root zone. BIND has multiple methods for managing DNSSEC + trust anchors, with somewhat different behaviors. If the root + key is configured using the managed-keys + statement, or if the pre-configured root key is enabled by using + dnssec-validation auto, then BIND can keep + keys up to date automatically. Servers configured in this way + will roll seamlessly to the new key when it is published in + the root zone. However, keys configured using the + trusted-keys statement are not automatically + maintained. If your server is performing DNSSEC validation + and is configured using trusted-keys, you are + advised to change your configuration before the root zone begins + signing with the new KSK. This is currently scheduled for + October 11, 2017. +

+ This release includes an updated version of the + bind.keys file containing the new root + key. This file can also be downloaded from + + https://www.isc.org/bind-keys + . +

Security Fixes

+ dns64 with break-dnssec yes; + can result in an assertion failure. This flaw is disclosed in + CVE-2017-3136.[RT #44653] +
If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured @@ -226,6 +266,6 @@

BIND 9.9.9-P6 (Extended Support Version)

BIND 9.9.9-P7 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 329b560cb16..b213f1de682 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -155,6 +155,6 @@

BIND 9.9.9-P6 (Extended Support Version)

BIND 9.9.9-P7 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index d8b34b0b302..573f2ac3f0e 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -497,6 +497,6 @@ -

BIND 9.9.9-P6 (Extended Support Version)

BIND 9.9.9-P7 (Extended Support Version)

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 5c7f1e7fee4..3be51f7b4af 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -539,6 +539,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/Bv9ARM.ch13.html b/doc/arm/Bv9ARM.ch13.html index e6b3c709bd2..c173a2ef235 100644 --- a/doc/arm/Bv9ARM.ch13.html +++ b/doc/arm/Bv9ARM.ch13.html @@ -148,6 +148,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 6405f53d5c7..cc52caac17f 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -40,7 +40,7 @@ BIND 9 Administrator Reference Manual -BIND Version 9.9.9-P6 +BIND Version 9.9.9-P7 Copyright © 2004-2015 Internet Systems Consortium, Inc. ("ISC") Copyright © 2000-2003 Internet Software Consortium. @@ -233,10 +233,11 @@ A. Release Notes -Release Notes for BIND Version 9.9.9-P6 +Release Notes for BIND Version 9.9.9-P7 Introduction Download +New DNSSEC Root Key Security Fixes Feature Changes Porting Changes @@ -372,6 +373,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 37a2c1a219e..73d74eaac91 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index d5662d5ec2b..1c1ae33350c 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -81,6 +81,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index de5792109b1..17daeda4e4b 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -170,6 +170,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 3b0074068ee..8c5191d6e73 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -746,6 +746,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 55711cddc6a..84949d8018e 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -112,6 +112,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 6f16d72200d..16bc1daf64f 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -195,6 +195,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 7521d11c930..14ebd86a465 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -213,6 +213,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index d248aacb2ae..0737fe1d309 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -177,6 +177,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index c900f9d26e7..0a4ec482288 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -346,6 +346,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 35d77d248d0..2602f71d6f7 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -448,6 +448,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 12b8a52ee04..61cfad3e9a3 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -125,6 +125,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 2d2a455f3a1..12870620309 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -255,6 +255,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 0a38717d44e..945b18db3dd 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -538,6 +538,6 @@ db.example.com.signed -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 7fcec164040..62f02710432 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -150,6 +150,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 1d2927ba27e..7175845b5a4 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -102,6 +102,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 43750dd5c19..a469720cca3 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -248,6 +248,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index da32af491e4..05199c49f54 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -112,6 +112,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.lwresd.html b/doc/arm/man.lwresd.html index f68b959ddde..e719d966741 100644 --- a/doc/arm/man.lwresd.html +++ b/doc/arm/man.lwresd.html @@ -253,6 +253,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 136705e2731..dbae6e9b523 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -151,6 +151,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 9c0e6484ea3..be53a18aee4 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -321,6 +321,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 15850302e19..d1b6eea0319 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -102,6 +102,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 68093216da9..373440879a9 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -672,6 +672,6 @@ zone -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index fe5cf3a9580..bd437c0ff65 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -351,6 +351,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 901cc006a3c..cca28cfe308 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -103,6 +103,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 9593340dafb..c187a43154c 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -639,6 +639,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 5a0abc5f512..d377eec5342 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -216,6 +216,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 472f55fcde6..20fbf441cdf 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -245,6 +245,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 3f1f2c59589..a063b7379d0 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -581,6 +581,6 @@ -BIND 9.9.9-P6 (Extended Support Version) +BIND 9.9.9-P7 (Extended Support Version) diff --git a/doc/arm/notes.html b/doc/arm/notes.html index d72c55c7b7c..a62b96ba02a 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -21,13 +21,18 @@ -Release Notes for BIND Version 9.9.9-P6 +Release Notes for BIND Version 9.9.9-P7 Introduction This document summarizes changes since BIND 9.9.9: + + BIND 9.9.9-P7 addresses the security issue described in + CVE-2017-3136, and updates the built in trusted keys for + the root zone. + BIND 9.9.9-P6 addresses the security issue described in CVE-2017-3135, and fixes a regression introduced in a prior @@ -68,8 +73,42 @@ +New DNSSEC Root Key + + ICANN is in the process of introducing a new Key Signing Key (KSK) for + the global root zone. BIND has multiple methods for managing DNSSEC + trust anchors, with somewhat different behaviors. If the root + key is configured using the managed-keys + statement, or if the pre-configured root key is enabled by using + dnssec-validation auto, then BIND can keep + keys up to date automatically. Servers configured in this way + will roll seamlessly to the new key when it is published in + the root zone. However, keys configured using the + trusted-keys statement are not automatically + maintained. If your server is performing DNSSEC validation + and is configured using trusted-keys, you are + advised to change your configuration before the root zone begins + signing with the new KSK. This is currently scheduled for + October 11, 2017. + + + This release includes an updated version of the + bind.keys file containing the new root + key. This file can also be downloaded from + + https://www.isc.org/bind-keys + . + + + + Security Fixes + + dns64 with break-dnssec yes; + can result in an assertion failure. This flaw is disclosed in + CVE-2017-3136.[RT #44653] + If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index d03b81a31af..79009b6694e 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ