From owner-cvs-src@FreeBSD.ORG Sat Jul 12 10:07:48 2008
Message-Id: <200807121007.m6CA7mNR050345@repoman.freebsd.org>
From: Doug Barton
Date: Sat, 12 Jul 2008 10:07:33 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: RELENG_6
Subject: cvs commit: src/contrib/bind9 CHANGES version src/contrib/bind9/bin/named client.c server.c src/contrib/bind9/doc/arm Bv9ARM-book.xml Bv9ARM.ch06.html Bv9ARM.pdf src/contrib/bind9/lib/dns api dispatch.c resolver.c ...
dougb       2008-07-12 10:07:33 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_6)
    contrib/bind9                    CHANGES version
    contrib/bind9/bin/named          client.c server.c
    contrib/bind9/doc/arm            Bv9ARM-book.xml Bv9ARM.ch06.html Bv9ARM.pdf
    contrib/bind9/lib/dns            api dispatch.c resolver.c
    contrib/bind9/lib/dns/include/dns  dispatch.h
  Log:
  SVN rev 180479 on 2008-07-12 10:07:33Z by dougb

  Merge from vendor/bind9/dist-9.3 as of the 9.3.5-P1 import.

  This version will by default randomize the UDP query source port (and
  sequence number of course) for every query. In order to take advantage
  of this randomization users MUST have an appropriate firewall
  configuration to allow UDP queries to be sent and answers to be received
  on random ports; and users MUST NOT specify a port number using the
  query-source[-v6] options.

  The avoid-v[46]-udp-ports options exist for users who wish to eliminate
  certain port numbers from being chosen by named for this purpose. See
  the ARM Chapter 6 for more information.

  Also please note, this issue applies only to UDP query ports. A random
  ephemeral port is always chosen for TCP queries.

  This issue applies primarily to name servers whose main purpose is to
  resolve random queries (sometimes referred to as "caching" servers, or
  more properly as "resolving" servers), although even an "authoritative"
  name server will make some queries, primarily at startup time.

  All users of BIND are strongly encouraged to upgrade to the latest
  version, and to utilize the source port randomization feature.
  This update addresses issues raised in:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
  http://www.kb.cert.org/vuls/id/800113
  http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience

  Revision      Changes    Path
  1.1.1.3.2.8   +5 -0      src/contrib/bind9/CHANGES
  1.1.1.2.2.5   +1 -9      src/contrib/bind9/bin/named/client.c
  1.1.1.2.2.4   +27 -7     src/contrib/bind9/bin/named/server.c
  1.1.1.2.2.4   +10 -2     src/contrib/bind9/doc/arm/Bv9ARM-book.xml
  1.1.1.2.2.4   +10 -2     src/contrib/bind9/doc/arm/Bv9ARM.ch06.html
  1.1.1.1.2.4   +840 -860  src/contrib/bind9/doc/arm/Bv9ARM.pdf
  1.1.1.2.2.5   +3 -3      src/contrib/bind9/lib/dns/api
  1.1.1.1.4.4   +234 -473  src/contrib/bind9/lib/dns/dispatch.c
  1.1.1.1.4.3   +5 -8      src/contrib/bind9/lib/dns/include/dns/dispatch.h
  1.1.1.2.2.8   +38 -5     src/contrib/bind9/lib/dns/resolver.c
  1.1.1.3.2.8   +3 -3      src/contrib/bind9/version
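As an added example, not part of this commit or of BIND itself, a small audit script that flags a named.conf which pins the UDP query source port (the setting the log says users MUST NOT use) and shows the corrected form beside it. The two configurations, the function names and the avoided port numbers are constructed for illustration.

```python
import re

# Constructed sample configs (not from the commit). The first pins the UDP
# query source port, which defeats the per-query randomization named does
# by default; the second leaves the port unspecified and only excludes a
# few ports via avoid-v[46]-udp-ports.
WEAK_CONF = """
options {
    directory "/etc/namedb";
    // Fixed source port: every outgoing query leaves from UDP 53.
    query-source address * port 53;
    query-source-v6 address * port 53;
};
"""

FIXED_CONF = """
options {
    directory "/etc/namedb";
    /* No port clause: named picks a random port for each query. */
    query-source address *;
    query-source-v6 address *;
    // Keep named away from ports another local service uses (example values).
    avoid-v4-udp-ports { 4000; 4001; };
    avoid-v6-udp-ports { 4000; };
};
"""

def strip_comments(text):
    """Drop the /* */, // and # comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def fixed_query_source_ports(conf):
    """Return {statement: port} for each query-source[-v6] statement that
    pins a numeric port. An empty dict means the resolver can randomize."""
    found = {}
    for m in re.finditer(r"\b(query-source(?:-v6)?)\b([^;]*);", strip_comments(conf)):
        stmt, body = m.group(1), m.group(2)
        port = re.search(r"\bport\s+(\d+|\*)", body)
        if port and port.group(1) != "*":
            found[stmt] = int(port.group(1))
    return found

def avoided_udp_ports(conf):
    """Return {statement: sorted ports} for avoid-v[46]-udp-ports lists."""
    out = {}
    for m in re.finditer(r"\b(avoid-v[46]-udp-ports)\s*\{([^}]*)\}", strip_comments(conf)):
        out[m.group(1)] = sorted(int(p) for p in re.findall(r"\d+", m.group(2)))
    return out

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, "pinned:", fixed_query_source_ports(conf) or "none",
              "avoid:", avoided_udp_ports(conf) or "none")
```

The script only inspects the configuration; whether the firewall in front of the resolver actually passes replies to the random ports still has to be checked separately, as the log notes.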