Index: head/dns/bind9-devel/Makefile
===================================================================
--- head/dns/bind9-devel/Makefile (revision 472674)
+++ head/dns/bind9-devel/Makefile (revision 472675)
@@ -1,304 +1,304 @@ # $FreeBSD$ # pkg-help formatted with fmt 59 63 PORTNAME= bind PORTVERSION= ${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/} .if defined(BIND_TOOLS_SLAVE) # dns/bind-tools here PORTREVISION= 0 .else # XXX: correct version # dns/bind9xx here -PORTREVISION= 1 +PORTREVISION= 0 .endif CATEGORIES= dns net ipv6 # XXX: put the ISC master_site #MASTER_SITES= ISC/bind9/${ISCVERSION} MASTER_SITES= LOCAL/mat/bind .if defined(BIND_TOOLS_SLAVE) PKGNAMESUFFIX= -tools .else PKGNAMESUFFIX= 9-devel .endif # XXX: correct DISTNAME. #DISTNAME= ${PORTNAME}-${ISCVERSION} MAINTAINER= mat@FreeBSD.org .if defined(BIND_TOOLS_SLAVE) COMMENT= Command line tools from BIND: delv, dig, host, nslookup... .else COMMENT= BIND DNS suite with updated DNSSEC and DNS64 .endif LICENSE= MPL20 LICENSE_FILE= ${WRKSRC}/COPYRIGHT BROKEN_powerpc64= fails to link: /usr/bin/ld: cannot find -latomic LIB_DEPENDS= libxml2.so:textproc/libxml2 # XXX: remove tar:bz2 USES= cpe libedit ssl tar:bz2 # ISC releases things like 9.8.0-P1, which our versioning doesn't like -ISCVERSION= 9.13.0a0.2018.06.08 +ISCVERSION= 9.13.0a0.2018.06.15 # XXX: Remove gitlab USE_GITLAB= yes GL_SITE= https://gitlab.isc.org GL_ACCOUNT= isc-projects GL_PROJECT= bind9 -GL_COMMIT= b8fbe4aab40f5a41b9b0f00586c972d5afdba05f +GL_COMMIT= e495999c621a481db1ae2a5d189c416238a82980 CPE_VENDOR= isc CPE_VERSION= ${ISCVERSION:C/-.*//} .if ${ISCVERSION:M*-*} CPE_UPDATE= ${ISCVERSION:C/.*-//:tl} .endif GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \ --disable-symtable \ --with-randomdev=/dev/random \ --with-libxml2=${LOCALBASE} \ --with-readline="-L${LOCALBASE}/lib -ledit" \ --with-dlopen=yes \ --with-openssl=${OPENSSLBASE} \ --sysconfdir=${ETCDIR} ETCDIR= ${PREFIX}/etc/namedb # XXX: Add -devel CONFLICTS= bind99 bind910 bind911 bind912 bind913 .if defined(BIND_TOOLS_SLAVE) CONFIGURE_ARGS+= --disable-shared # XXX: Change to the correct version CONFLICTS+= bind9-devel .else USE_RC_SUBR= named SUB_FILES= 
pkg-message named.conf CONFLICTS+= bind-tools .endif # BIND_TOOLS_SLAVE MAKE_JOBS_UNSAFE= yes PORTDOCS= * OPTIONS_DEFAULT= THREADS SIGCHASE IDN GSSAPI_NONE JSON PYTHON OPTIONS_DEFINE= IDN LARGE_FILE PYTHON JSON \ FIXED_RRSET SIGCHASE IPV6 THREADS OPTIONS_RADIO= CRYPTO GOSTDEF OPTIONS_RADIO_CRYPTO= NATIVE_PKCS11 OPTIONS_RADIO_GOSTDEF= GOST GOST_ASN1 .if !defined(BIND_TOOLS_SLAVE) OPTIONS_DEFAULT+= DLZ_FILESYSTEM LMDB RPZ_NSDNAME RPZ_NSIP TCP_FASTOPEN OPTIONS_DEFINE+= RPZ_NSIP RPZ_NSDNAME DOCS GEOIP \ MINCACHE PORTREVISION QUERYTRACE LMDB DNSTAP \ START_LATE TUNING_LARGE TCP_FASTOPEN OPTIONS_GROUP= DLZ OPTIONS_GROUP_DLZ= DLZ_POSTGRESQL DLZ_MYSQL DLZ_BDB \ DLZ_LDAP DLZ_FILESYSTEM DLZ_STUB .endif # BIND_TOOLS_SLAVE OPTIONS_SINGLE= GSSAPI OPTIONS_SINGLE_GSSAPI= GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE OPTIONS_SUB= yes CRYPTO_DESC= Choose which crypto engine to use DLZ_BDB_DESC= DLZ BDB driver DLZ_DESC= Dynamically Loadable Zones DLZ_FILESYSTEM_DESC= DLZ filesystem driver DLZ_LDAP_DESC= DLZ LDAP driver DLZ_MYSQL_DESC= DLZ MySQL driver (no threading) DLZ_POSTGRESQL_DESC= DLZ Postgres driver DLZ_STUB_DESC= DLZ stub driver DNSTAP_DESC= Provides fast passive logging of DNS messages FIXED_RRSET_DESC= Enable fixed rrset ordering GEOIP_DESC= Allow geographically based ACL. 
GOSTDEF_DESC= Enable GOST ciphers GOST_ASN1_DESC= GOST using ASN.1 GOST_DESC= GOST raw keys (new default) GSSAPI_BASE_DESC= Using Heimdal in base GSSAPI_HEIMDAL_DESC= Using security/heimdal GSSAPI_MIT_DESC= Using security/krb5 GSSAPI_NONE_DESC= Disable LARGE_FILE_DESC= 64-bit file support LMDB_DESC= Use LMDB for zone management MINCACHE_DESC= Use the mincachettl patch NATIVE_PKCS11_DESC= Use PKCS\#11 native API (**READ HELP**) PORTREVISION_DESC= Show PORTREVISION in the version string PYTHON_DESC= Build with Python utilities QUERYTRACE_DESC= Enable the very verbose query tracelogging RPZ_NSDNAME_DESC= Enable RPZ NSDNAME policy records RPZ_NSIP_DESC= Enable RPZ NSIP trigger rules SIGCHASE_DESC= dig/host/nslookup will do DNSSEC validation START_LATE_DESC= Start BIND late in the boot process (see help) TCP_FASTOPEN_DESC= RFC 7413 support TUNING_LARGE_DESC= Tune named for large systems (**READ HELP**) DLZ_BDB_CONFIGURE_ON= --with-dlz-bdb=yes DLZ_BDB_USES= bdb DLZ_FILESYSTEM_CONFIGURE_ON= --with-dlz-filesystem=yes DLZ_LDAP_CONFIGURE_ON= --with-dlz-ldap=yes DLZ_LDAP_USE= openldap=yes DLZ_MYSQL_CONFIGURE_ON= --with-dlz-mysql=yes DLZ_MYSQL_PREVENTS= THREADS DLZ_MYSQL_USES= mysql DLZ_POSTGRESQL_CONFIGURE_ON= --with-dlz-postgres=yes DLZ_POSTGRESQL_USES= pgsql DLZ_STUB_CONFIGURE_ON= --with-dlz-stub=yes DNSTAP_CONFIGURE_ENABLE= dnstap DNSTAP_IMPLIES= THREADS DNSTAP_LIB_DEPENDS= libfstrm.so:devel/fstrm \ libprotobuf-c.so:devel/protobuf-c FIXED_RRSET_CONFIGURE_ENABLE= fixed-rrset GEOIP_CONFIGURE_WITH= geoip GEOIP_LIB_DEPENDS= libGeoIP.so:net/GeoIP GOST_ASN1_CONFIGURE_ON= --with-gost=asn1 GOST_CONFIGURE_ON= --with-gost GSSAPI_BASE_CONFIGURE_ON=\ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}" GSSAPI_BASE_USES= gssapi GSSAPI_HEIMDAL_CONFIGURE_ON=\ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}" GSSAPI_HEIMDAL_USES= gssapi:heimdal GSSAPI_MIT_CONFIGURE_ON=\ --with-gssapi=${GSSAPIBASEDIR} KRB5CONFIG="${KRB5CONFIG}" GSSAPI_MIT_USES= gssapi:mit 
GSSAPI_NONE_CONFIGURE_ON= --without-gssapi IDN_CONFIGURE_OFF= --without-libidn2 IDN_CONFIGURE_ON= --with-libidn2=${LOCALBASE} ${ICONV_CONFIGURE_BASE} IDN_LIB_DEPENDS= libidn2.so:dns/libidn2 IDN_USES= iconv IPV6_CONFIGURE_ENABLE= ipv6 JSON_CONFIGURE_WITH= libjson=${LOCALBASE} JSON_LIB_DEPENDS= libjson-c.so:devel/json-c LARGE_FILE_CONFIGURE_ENABLE= largefile LMDB_CONFIGURE_WITH= lmdb=${LOCALBASE} LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb MINCACHE_EXTRA_PATCHES= ${FILESDIR}/extrapatch-bind-min-override-ttl NATIVE_PKCS11_CONFIGURE_ENABLE= native-pkcs11 NATIVE_PKCS11_IMPLIES= THREADS PYTHON_BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}ply>=0:devel/py-ply@${PY_FLAVOR} PYTHON_CONFIGURE_WITH= python=${PYTHON_CMD} PYTHON_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}ply>=0:devel/py-ply@${PY_FLAVOR} PYTHON_USES= python QUERYTRACE_CONFIGURE_ENABLE= querytrace RPZ_NSDNAME_CONFIGURE_ENABLE= rpz-nsdname RPZ_NSIP_CONFIGURE_ENABLE= rpz-nsip SIGCHASE_CONFIGURE_ON= STD_CDEFINES="-DDIG_SIGCHASE=1" START_LATE_SUB_LIST= NAMED_REQUIRE="SERVERS cleanvar" \ NAMED_BEFORE="LOGIN" START_LATE_SUB_LIST_OFF=NAMED_REQUIRE="NETWORKING ldconfig syslogd" \ NAMED_BEFORE="SERVERS" TCP_FASTOPEN_CONFIGURE_ENABLE= tcp-fastopen THREADS_CONFIGURE_ENABLE= threads TUNING_LARGE_IMPLIES= THREADS TUNING_LARGE_CONFIGURE_ON= --with-tuning=large TUNING_LARGE_CONFIGURE_OFF= --with-tuning=default .include .if !${PORT_OPTIONS:MGOST} && !${PORT_OPTIONS:MGOST_ASN1} CONFIGURE_ARGS+= --without-gost .endif .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base BROKEN= OpenSSL from the base system does not support GOST, add \ DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \ that needs SSL. 
.endif # XXX: Remove post-extract: echo "SRCID=${GL_COMMIT}" > ${WRKSRC}/srcid # XXX: Remove first REINPLACE_CMD post-patch: @${REINPLACE_CMD} -e '/RELEASETYPE=/s#$$#-${GL_COMMIT}#' \ ${WRKSRC}/version .if defined(BIND_TOOLS_SLAVE) @${REINPLACE_CMD} -e 's#^SUBDIRS.*#SUBDIRS = lib bin#' \ -e 's#isc-config.sh installdirs#installdirs#' \ -e 's#.*INSTALL.*isc-config.*##' \ -e 's#.*INSTALL.*bind.keys.*##' \ ${WRKSRC}/Makefile.in @${REINPLACE_CMD} -e 's#^SUBDIRS.*#SUBDIRS = delv dig dnssec tools nsupdate \\#' \ -e 's#^ .*check confgen ##' \ ${WRKSRC}/bin/Makefile.in .else . for FILE in check/named-checkconf.8 named/named.8 nsupdate/nsupdate.1 \ rndc/rndc.8 @${REINPLACE_CMD} -e 's#/etc/named.conf#${ETCDIR}/named.conf#g' \ -e 's#/etc/rndc.conf#${ETCDIR}/rndc.conf#g' \ -e "s#/var\/run\/named\/named.pid#/var/run/named/pid#" \ ${WRKSRC}/bin/${FILE} . endfor .endif .if !defined(BIND_TOOLS_SLAVE) . if ${PORTREVISION:N0} post-patch-PORTREVISION-on: @${REINPLACE_CMD} -e '/EXTENSIONS/s#=$$#=_${PORTREVISION}#' \ ${WRKSRC}/version . endif post-install: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/mtree ${MKDIR} ${STAGEDIR}${ETCDIR} . for i in dynamic master slave working @${MKDIR} ${STAGEDIR}${ETCDIR}/$i . 
endfor ${INSTALL_DATA} ${WRKDIR}/named.conf ${STAGEDIR}${ETCDIR}/named.conf.sample ${INSTALL_DATA} ${FILESDIR}/named.root ${STAGEDIR}${ETCDIR} ${INSTALL_DATA} ${FILESDIR}/empty.db ${STAGEDIR}${ETCDIR}/master ${INSTALL_DATA} ${FILESDIR}/localhost-forward.db ${STAGEDIR}${ETCDIR}/master ${INSTALL_DATA} ${FILESDIR}/localhost-reverse.db ${STAGEDIR}${ETCDIR}/master ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.dist.sample ${INSTALL_DATA} ${FILESDIR}/BIND.chroot.local.dist ${STAGEDIR}${PREFIX}/etc/mtree/BIND.chroot.local.dist.sample ${INSTALL_DATA} ${WRKSRC}/bin/rndc/rndc.conf \ ${STAGEDIR}${ETCDIR}/rndc.conf.sample post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/arm ${INSTALL_DATA} ${WRKSRC}/doc/arm/*.html ${STAGEDIR}${DOCSDIR}/arm ${INSTALL_DATA} ${WRKSRC}/doc/arm/Bv9ARM.pdf ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/CHANGES* ${WRKSRC}/HISTORY.md \ ${WRKSRC}/README.md ${STAGEDIR}${DOCSDIR} .endif # BIND_TOOLS_SLAVE # Can't use USE_PYTHON=autoplist post-install-PYTHON-on: @${FIND} ${STAGEDIR}${PYTHON_SITELIBDIR} -type f | ${SED} -e 's|${STAGEDIR}||' >> ${TMPPLIST} .include Index: head/dns/bind9-devel/distinfo =================================================================== --- head/dns/bind9-devel/distinfo (revision 472674) +++ head/dns/bind9-devel/distinfo (revision 472675) 
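Review bot: The GL_COMMIT/ISCVERSION bump to e495999c621a481db1ae2a5d189c416238a82980 lands in the same commit that deletes files/patch-CVE-2018-5738 (the backported allow-recursion/allow-query-cache ACL fix, CHANGES entry 4960), yet nothing in the Makefile records that the new snapshot carries that fix upstream, so a later reader cannot tell whether the local patch was dropped as redundant or simply lost. The commit message is not visible here and may already say so; if it does not, a one-line comment next to the bumped line, `# snapshot includes the CVE-2018-5738 (allow-recursion ACL) fix; files/patch-CVE-2018-5738 dropped`, would keep the rationale with the version it applies to. Confirming the 4960 entry is present in the extracted distfile's CHANGES before the bump is the cheap check that makes the deletion safe.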
@@ -1,3 +1,3 @@
-TIMESTAMP = 1528712121
-SHA256 (isc-projects-bind9-b8fbe4aab40f5a41b9b0f00586c972d5afdba05f_GL0.tar.gz) = a1b32af9f19a77b73661ef6690603bb9b011591f700f6e64819fa04e6399cd59
-SIZE (isc-projects-bind9-b8fbe4aab40f5a41b9b0f00586c972d5afdba05f_GL0.tar.gz) = 8925777
+TIMESTAMP = 1529305510
+SHA256 (isc-projects-bind9-e495999c621a481db1ae2a5d189c416238a82980_GL0.tar.gz) = d9b3559bc9a4d35bbe61d5e2316d3c1f97eac9b21e0f36502fc3839d8c7646c0
+SIZE (isc-projects-bind9-e495999c621a481db1ae2a5d189c416238a82980_GL0.tar.gz) = 8534156
Index: head/dns/bind9-devel/files/patch-CVE-2018-5738
===================================================================
--- head/dns/bind9-devel/files/patch-CVE-2018-5738 (revision 472674)
+++ head/dns/bind9-devel/files/patch-CVE-2018-5738 (nonexistent)
@@ -1,115 +0,0 @@ -commit 03ecba2cdc8d9a6cb6bdf863ffa1e230cb4ff223 -Author: Evan Hunt -Date: 2018-06-04 15:57:58 -0700 - - allow-recursion could incorrectly inherit from the default allow-query - ---- CHANGES.orig 2018-06-08 18:48:01 UTC -+++ CHANGES -@@ -22,7 +22,12 @@ - 4961. [protocol] Remove support for ECC-GOST (GOST R 34.11-94). - [GL #295] - --4960. [placeholder] -+4960. [security] When recursion is enabled, but the "allow-recursion" -+ and "allow-query-cache" ACLs are not specified, -+ they should be limited to local networks, -+ but were inadvertently set to match the default -+ "allow-query", thus allowing remote queries. -+ (CVE-2018-5738) [GL #309] - - 4959. [func] NSID logging (enabled by the "request-nsid" option) - now has its own "nsid" category, instead of using the ---- bin/named/server.c.orig 2018-06-08 18:48:01 UTC -+++ bin/named/server.c -@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_vie - CHECKM(named_config_getport(config, &port), "port"); - dns_view_setdstport(view, port); - -- CHECK(configure_view_acl(vconfig, config, named_g_config, -- "allow-query", NULL, actx, -- named_g_mctx, &view->queryacl)); -- - /* - * Make the list of response policy zone names for a view that - * is used for real lookups and so cares about hints. -@@ -4697,21 +4693,35 @@ configure_view(dns_view_t *view, dns_vie - "allow-query-cache-on", NULL, actx, - named_g_mctx, &view->cacheonacl)); - /* -- * Set "allow-query-cache", "allow-recursion", and -- * "allow-recursion-on" acls if configured in named.conf. -- * (Ignore the global defaults for now, because these ACLs -- * can inherit from each other when only some of them set at -- * the options/view level.) -+ * Set the "allow-query", "allow-query-cache", "allow-recursion", -+ * and "allow-recursion-on" ACLs if configured in named.conf, but -+ * NOT from the global defaults. This is done by leaving the third -+ * argument to configure_view_acl() NULL. 
-+ * -+ * We ignore the global defaults here because these ACLs -+ * can inherit from each other. If any are still unset after -+ * applying the inheritance rules, we'll look up the defaults at -+ * that time. - */ -- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache", -- NULL, actx, named_g_mctx, &view->cacheacl)); -+ -+ /* named.conf only */ -+ CHECK(configure_view_acl(vconfig, config, NULL, -+ "allow-query", NULL, actx, -+ named_g_mctx, &view->queryacl)); -+ -+ /* named.conf only */ -+ CHECK(configure_view_acl(vconfig, config, NULL, -+ "allow-query-cache", NULL, actx, -+ named_g_mctx, &view->cacheacl)); - - if (strcmp(view->name, "_bind") != 0 && - view->rdclass != dns_rdataclass_chaos) - { -+ /* named.conf only */ - CHECK(configure_view_acl(vconfig, config, NULL, - "allow-recursion", NULL, actx, - named_g_mctx, &view->recursionacl)); -+ /* named.conf only */ - CHECK(configure_view_acl(vconfig, config, NULL, - "allow-recursion-on", NULL, actx, - named_g_mctx, &view->recursiononacl)); -@@ -4749,18 +4759,21 @@ configure_view(dns_view_t *view, dns_vie - * the global config. 
- */ - if (view->recursionacl == NULL) { -+ /* global default only */ - CHECK(configure_view_acl(NULL, NULL, named_g_config, - "allow-recursion", NULL, - actx, named_g_mctx, - &view->recursionacl)); - } - if (view->recursiononacl == NULL) { -+ /* global default only */ - CHECK(configure_view_acl(NULL, NULL, named_g_config, - "allow-recursion-on", NULL, - actx, named_g_mctx, - &view->recursiononacl)); - } - if (view->cacheacl == NULL) { -+ /* global default only */ - CHECK(configure_view_acl(NULL, NULL, named_g_config, - "allow-query-cache", NULL, - actx, named_g_mctx, -@@ -4774,6 +4787,14 @@ configure_view(dns_view_t *view, dns_vie - CHECK(dns_acl_none(mctx, &view->cacheacl)); - } - -+ if (view->queryacl == NULL) { -+ /* global default only */ -+ CHECK(configure_view_acl(NULL, NULL, named_g_config, -+ "allow-query", NULL, -+ actx, named_g_mctx, -+ &view->queryacl)); -+ } -+ - /* - * Ignore case when compressing responses to the specified - * clients. This causes case not always to be preserved, Property changes on: head/dns/bind9-devel/files/patch-CVE-2018-5738 ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/dns/bind9-devel/files/extrapatch-bind-min-override-ttl =================================================================== --- head/dns/bind9-devel/files/extrapatch-bind-min-override-ttl (revision 472674) +++ head/dns/bind9-devel/files/extrapatch-bind-min-override-ttl (revision 472675) @@ -1,79 +1,79 @@ ---- bin/named/config.c.orig 2018-06-08 18:48:01 UTC +--- bin/named/config.c.orig 2018-06-15 08:58:30 UTC +++ bin/named/config.c 
@@ -176,12 +176,14 @@ options {\n\ max-recursion-queries 75;\n\ max-stale-ttl 604800; /* 1 week */\n\ message-compression yes;\n\ + min-cache-ttl 0; /* no minimal, zero is allowed */\n\ # min-roots ;\n\ minimal-any false;\n\ minimal-responses no-auth-recursive;\n\ notify-source *;\n\ notify-source-v6 *;\n\ nsec3-test-zone no;\n\ + override-cache-ttl 0; /* do not override */\n\ provide-ixfr true;\n\ + qname-minimization relaxed;\n\ query-source address *;\n\ - query-source-v6 address *;\n\ ---- bin/named/server.c.orig 2018-06-08 18:48:01 UTC +--- bin/named/server.c.orig 2018-06-15 08:58:30 UTC +++ bin/named/server.c -@@ -4074,6 +4074,16 @@ configure_view(dns_view_t *view, dns_vie +@@ -4071,6 +4071,16 @@ configure_view(dns_view_t *view, dns_vie } obj = NULL; + result = named_config_get(maps, "override-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->overridecachettl = cfg_obj_asuint32(obj); + + obj = NULL; + result = named_config_get(maps, "min-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->mincachettl = cfg_obj_asuint32(obj); + + obj = NULL; result = named_config_get(maps, "max-cache-ttl", &obj); INSIST(result == ISC_R_SUCCESS); view->maxcachettl = cfg_obj_asuint32(obj); ---- lib/dns/include/dns/view.h.orig 2018-06-08 18:48:01 UTC +--- lib/dns/include/dns/view.h.orig 2018-06-15 08:58:30 UTC +++ lib/dns/include/dns/view.h -@@ -149,6 +149,8 @@ struct dns_view { +@@ -151,6 +151,8 @@ struct dns_view { isc_boolean_t requestnsid; isc_boolean_t sendcookie; dns_ttl_t maxcachettl; + dns_ttl_t mincachettl; + dns_ttl_t overridecachettl; dns_ttl_t maxncachettl; isc_uint32_t nta_lifetime; isc_uint32_t nta_recheck; ---- lib/dns/resolver.c.orig 2018-06-08 18:48:01 UTC +--- lib/dns/resolver.c.orig 2018-06-15 08:58:30 UTC +++ lib/dns/resolver.c -@@ -5748,6 +5748,18 @@ cache_name(fetchctx_t *fctx, dns_name_t +@@ -5799,6 +5799,18 @@ cache_name(fetchctx_t *fctx, dns_name_t } /* + * Enforce the configure cache TTL override. 
+ */ + if (res->view->overridecachettl) + rdataset->ttl = res->view->overridecachettl; + + /* + * Enforce the configure minimum cache TTL. + */ + if (rdataset->ttl < res->view->mincachettl) + rdataset->ttl = res->view->mincachettl; + + /* * Enforce the configure maximum cache TTL. */ if (rdataset->ttl > res->view->maxcachettl) { ---- lib/isccfg/namedconf.c.orig 2018-06-08 18:48:01 UTC +--- lib/isccfg/namedconf.c.orig 2018-06-15 08:58:30 UTC +++ lib/isccfg/namedconf.c -@@ -1916,6 +1916,8 @@ view_clauses[] = { +@@ -1917,6 +1917,8 @@ view_clauses[] = { { "max-acache-size", &cfg_type_sizenodefault, CFG_CLAUSEFLAG_OBSOLETE }, { "max-cache-size", &cfg_type_sizeorpercent, 0 }, + { "override-cache-ttl", &cfg_type_ttlval, 0 }, + { "min-cache-ttl", &cfg_type_ttlval, 0 }, { "max-cache-ttl", &cfg_type_ttlval, 0 }, { "max-clients-per-query", &cfg_type_uint32, 0 }, { "max-ncache-ttl", &cfg_type_ttlval, 0 }, Index: head/dns/bind9-devel/files/patch-configure =================================================================== --- head/dns/bind9-devel/files/patch-configure (revision 472674) +++ head/dns/bind9-devel/files/patch-configure (revision 472675) 
@@ -1,90 +1,90 @@ ---- configure.orig 2018-06-08 18:48:01 UTC +--- configure.orig 2018-06-15 08:58:30 UTC +++ configure -@@ -14848,27 +14848,9 @@ done +@@ -14856,27 +14856,9 @@ done # problems start to show up. saved_libs="$LIBS" for TRY_LIBS in \ - "-lgssapi_krb5" \ - "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \ - "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \ - "-lgssapi" \ - "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lhx509 -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgss -lkrb5" + "$($KRB5CONFIG gssapi --libs)"; \ do - # Note that this does not include $saved_libs, because - # on FreeBSD machines this configure script has added - # -L/usr/local/lib to LIBS, which can make the - # -lgssapi_krb5 test succeed with shared libraries even - # when you are trying to build with KTH in /usr/lib. - if test "/usr" = "$use_gssapi" - then - LIBS="$TRY_LIBS $ISC_OPENSSL_LIBS" - else - LIBS="-L$use_gssapi/lib $TRY_LIBS $ISC_OPENSSL_LIBS" - fi + LIBS="$TRY_LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5 $as_echo_n "checking linking as $TRY_LIBS... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext -@@ -14911,47 +14893,7 @@ $as_echo "no" >&6; } ;; +@@ -14919,47 +14901,7 @@ $as_echo "no" >&6; } ;; no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;; esac - # - # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib - # but MIT in /usr/local/lib and trying to build with KTH. - # /usr/local/lib can end up earlier on the link lines. - # Like most kludges, this one is not only inelegant it - # is also likely to be the wrong thing to do at least as - # many times as it is the right thing. Something better - # needs to be done. 
- # - if test "/usr" = "$use_gssapi" -a \ - -f /usr/local/lib/libkrb5.a; then - FIX_KTH_VS_MIT=yes - fi - - case "$FIX_KTH_VS_MIT" in - yes) - case "$enable_static_linking" in - yes) gssapi_lib_suffix=".a" ;; - *) gssapi_lib_suffix=".so" ;; - esac - - for lib in $LIBS; do - case $lib in - -L*) - ;; - -l*) - new_lib=`echo $lib | - sed -e s%^-l%$use_gssapi/lib/lib% \ - -e s%$%$gssapi_lib_suffix%` - NEW_LIBS="$NEW_LIBS $new_lib" - ;; - *) - as_fn_error $? "KTH vs MIT Kerberos confusion!" "$LINENO" 5 - ;; - esac - done - LIBS="$NEW_LIBS" - ;; - esac - - DST_GSSAPI_INC="-I$use_gssapi/include" + DST_GSSAPI_INC="$($KRB5CONFIG gssapi --cflags)" DNS_GSSAPI_LIBS="$LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5 -@@ -23303,7 +23245,7 @@ $as_echo "" >&6; } +@@ -23311,7 +23253,7 @@ $as_echo "" >&6; } # Check other locations for includes. # Order is important (sigh). - bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db" + bdb_incdirs="/db6 /db5 /db48" # include a blank element first for d in "" $bdb_incdirs do Index: head/dns/bind9-devel/pkg-plist =================================================================== --- head/dns/bind9-devel/pkg-plist (revision 472674) +++ head/dns/bind9-devel/pkg-plist (revision 472675) 
@@ -1,357 +1,358 @@ bin/arpaname bin/bind9-config bin/delv bin/dig %%DNSTAP%%bin/dnstap-read bin/host bin/isc-config.sh bin/mdig bin/named-rrchecker bin/nslookup bin/nsupdate @sample etc/mtree/BIND.chroot.dist.sample @sample etc/mtree/BIND.chroot.local.dist.sample %%ETCDIR%%/bind.keys %%ETCDIR%%/master/empty.db %%ETCDIR%%/master/localhost-forward.db %%ETCDIR%%/master/localhost-reverse.db @sample %%ETCDIR%%/named.conf.sample %%ETCDIR%%/named.root %%ETCDIR%%/rndc.conf.sample include/bind9/check.h include/bind9/getaddresses.h include/bind9/version.h include/dns/acl.h include/dns/adb.h include/dns/badcache.h include/dns/bit.h include/dns/byaddr.h include/dns/cache.h include/dns/callbacks.h include/dns/catz.h include/dns/cert.h include/dns/client.h include/dns/clientinfo.h include/dns/compress.h include/dns/db.h include/dns/dbiterator.h include/dns/dbtable.h include/dns/diff.h include/dns/dispatch.h include/dns/dlz.h include/dns/dlz_dlopen.h include/dns/dns64.h include/dns/dnsrps.h include/dns/dnssec.h include/dns/dnstap.h %%DNSTAP%%include/dns/dnstap.pb-c.h include/dns/ds.h include/dns/dsdigest.h include/dns/dyndb.h include/dns/ecdb.h include/dns/ecs.h include/dns/edns.h include/dns/enumclass.h include/dns/enumtype.h include/dns/events.h include/dns/fixedname.h include/dns/forward.h include/dns/geoip.h include/dns/ipkeylist.h include/dns/iptable.h include/dns/journal.h include/dns/keydata.h include/dns/keyflags.h include/dns/keytable.h include/dns/keyvalues.h include/dns/lib.h include/dns/librpz.h include/dns/log.h include/dns/lookup.h include/dns/master.h include/dns/masterdump.h include/dns/message.h include/dns/name.h include/dns/ncache.h include/dns/nsec.h include/dns/nsec3.h include/dns/nta.h include/dns/opcode.h include/dns/order.h include/dns/peer.h include/dns/portlist.h include/dns/private.h include/dns/rbt.h include/dns/rcode.h include/dns/rdata.h include/dns/rdataclass.h include/dns/rdatalist.h include/dns/rdataset.h include/dns/rdatasetiter.h 
include/dns/rdataslab.h include/dns/rdatastruct.h include/dns/rdatatype.h include/dns/request.h include/dns/resolver.h include/dns/result.h include/dns/rootns.h include/dns/rpz.h include/dns/rriterator.h include/dns/rrl.h include/dns/sdb.h include/dns/sdlz.h include/dns/secalg.h include/dns/secproto.h include/dns/soa.h include/dns/ssu.h include/dns/stats.h include/dns/tcpmsg.h include/dns/time.h include/dns/timer.h include/dns/tkey.h include/dns/tsec.h include/dns/tsig.h include/dns/ttl.h include/dns/types.h include/dns/update.h include/dns/validator.h include/dns/version.h include/dns/view.h include/dns/xfrin.h include/dns/zone.h include/dns/zonekey.h +include/dns/zoneverify.h include/dns/zt.h include/dst/dst.h include/dst/gssapi.h include/dst/lib.h include/dst/result.h include/irs/context.h include/irs/dnsconf.h include/irs/netdb.h include/irs/platform.h include/irs/resconf.h include/irs/types.h include/irs/version.h include/isc/aes.h include/isc/app.h include/isc/assertions.h include/isc/atomic.h include/isc/backtrace.h include/isc/base32.h include/isc/base64.h include/isc/bind9.h include/isc/boolean.h include/isc/buffer.h include/isc/bufferlist.h include/isc/commandline.h include/isc/condition.h include/isc/counter.h include/isc/crc64.h include/isc/deprecated.h include/isc/dir.h include/isc/errno.h include/isc/error.h include/isc/event.h include/isc/eventclass.h include/isc/file.h include/isc/formatcheck.h include/isc/fsaccess.h include/isc/fuzz.h include/isc/hash.h include/isc/heap.h include/isc/hex.h include/isc/hmacmd5.h include/isc/hmacsha.h include/isc/ht.h include/isc/httpd.h include/isc/int.h include/isc/interfaceiter.h include/isc/iterated_hash.h include/isc/json.h include/isc/keyboard.h include/isc/lang.h include/isc/lex.h include/isc/lfsr.h include/isc/lib.h include/isc/likely.h include/isc/list.h include/isc/log.h include/isc/magic.h include/isc/md5.h include/isc/mem.h include/isc/meminfo.h include/isc/msgcat.h include/isc/msgs.h include/isc/mutex.h 
include/isc/mutexblock.h include/isc/net.h include/isc/netaddr.h include/isc/netdb.h include/isc/netscope.h include/isc/nonce.h include/isc/offset.h include/isc/once.h include/isc/os.h include/isc/parseint.h include/isc/platform.h include/isc/pool.h include/isc/portset.h include/isc/print.h include/isc/queue.h include/isc/quota.h include/isc/radix.h include/isc/random.h include/isc/ratelimiter.h include/isc/refcount.h include/isc/regex.h include/isc/region.h include/isc/resource.h include/isc/result.h include/isc/resultclass.h include/isc/rwlock.h include/isc/safe.h include/isc/serial.h include/isc/sha1.h include/isc/sha2.h include/isc/sockaddr.h include/isc/socket.h include/isc/stat.h include/isc/stats.h include/isc/stdio.h include/isc/stdlib.h include/isc/stdtime.h include/isc/strerror.h include/isc/string.h include/isc/symtab.h include/isc/syslog.h include/isc/task.h include/isc/taskpool.h include/isc/thread.h include/isc/time.h include/isc/timer.h include/isc/tm.h include/isc/types.h include/isc/util.h include/isc/version.h include/isc/xml.h include/isccc/alist.h include/isccc/base64.h include/isccc/cc.h include/isccc/ccmsg.h include/isccc/events.h include/isccc/lib.h include/isccc/result.h include/isccc/sexpr.h include/isccc/symtab.h include/isccc/symtype.h include/isccc/types.h include/isccc/util.h include/isccc/version.h include/isccfg/aclconf.h include/isccfg/cfg.h include/isccfg/dnsconf.h include/isccfg/grammar.h include/isccfg/log.h include/isccfg/namedconf.h include/isccfg/version.h include/ns/client.h include/ns/interfacemgr.h include/ns/lib.h include/ns/listenlist.h include/ns/log.h include/ns/notify.h include/ns/query.h include/ns/server.h include/ns/sortlist.h include/ns/stats.h include/ns/types.h include/ns/update.h include/ns/version.h include/ns/xfrout.h include/pk11/constants.h include/pk11/internal.h include/pk11/pk11.h include/pk11/result.h include/pk11/site.h include/pkcs11/cryptoki.h include/pkcs11/eddsa.h include/pkcs11/pkcs11.h 
include/pkcs11/pkcs11f.h include/pkcs11/pkcs11t.h lib/libbind9.a lib/libdns.a lib/libirs.a lib/libisc.a lib/libisccc.a lib/libisccfg.a lib/libns.a man/man1/arpaname.1.gz man/man1/bind9-config.1.gz man/man1/delv.1.gz man/man1/dig.1.gz %%DNSTAP%%man/man1/dnstap-read.1.gz man/man1/host.1.gz man/man1/isc-config.sh.1.gz man/man1/mdig.1.gz man/man1/named-rrchecker.1.gz man/man1/nslookup.1.gz man/man1/nsupdate.1.gz man/man5/named.conf.5.gz man/man5/rndc.conf.5.gz man/man8/ddns-confgen.8.gz man/man8/dnssec-cds.8.gz %%PYTHON%%man/man8/dnssec-checkds.8.gz %%PYTHON%%man/man8/dnssec-coverage.8.gz man/man8/dnssec-dsfromkey.8.gz man/man8/dnssec-importkey.8.gz man/man8/dnssec-keyfromlabel.8.gz man/man8/dnssec-keygen.8.gz %%PYTHON%%man/man8/dnssec-keymgr.8.gz man/man8/dnssec-revoke.8.gz man/man8/dnssec-settime.8.gz man/man8/dnssec-signzone.8.gz man/man8/dnssec-verify.8.gz man/man8/named-checkconf.8.gz man/man8/named-checkzone.8.gz man/man8/named-compilezone.8.gz man/man8/named-journalprint.8.gz %%LMDB%%man/man8/named-nzd2nzf.8.gz man/man8/named.8.gz man/man8/nsec3hash.8.gz %%NATIVE_PKCS11%%man/man8/pkcs11-destroy.8.gz %%NATIVE_PKCS11%%man/man8/pkcs11-keygen.8.gz %%NATIVE_PKCS11%%man/man8/pkcs11-list.8.gz %%NATIVE_PKCS11%%man/man8/pkcs11-tokens.8.gz man/man8/rndc-confgen.8.gz man/man8/rndc.8.gz man/man8/tsig-keygen.8.gz sbin/ddns-confgen sbin/dnssec-cds %%PYTHON%%sbin/dnssec-checkds %%PYTHON%%sbin/dnssec-coverage sbin/dnssec-dsfromkey sbin/dnssec-importkey sbin/dnssec-keyfromlabel sbin/dnssec-keygen %%PYTHON%%sbin/dnssec-keymgr sbin/dnssec-revoke sbin/dnssec-settime sbin/dnssec-signzone sbin/dnssec-verify sbin/named sbin/named-checkconf sbin/named-checkzone sbin/named-compilezone sbin/named-journalprint %%LMDB%%sbin/named-nzd2nzf sbin/nsec3hash %%NATIVE_PKCS11%%sbin/pkcs11-destroy %%NATIVE_PKCS11%%sbin/pkcs11-keygen %%NATIVE_PKCS11%%sbin/pkcs11-list %%NATIVE_PKCS11%%sbin/pkcs11-tokens sbin/rndc sbin/rndc-confgen sbin/tsig-keygen @dir(bind,bind,) %%ETCDIR%%/dynamic @dir(bind,bind,) 
%%ETCDIR%%/slave @dir(bind,bind,) %%ETCDIR%%/working