pkgsrc-WIP-changes archive


bind920: update to BIND version 9.20.20:



Module Name:	pkgsrc-wip
Committed By:	Havard Eidnes <he%NetBSD.org@localhost>
Pushed By:	he
Date:		Sat Feb 28 21:34:52 2026 +0000
Changeset:	c454d2fea5923160529b6e95d7b42fe63e3193f4

Modified Files:
	bind920/Makefile
	bind920/distinfo

Log Message:
bind920: update to BIND version 9.20.20:

Pkgsrc changes:
 * Version bump + checksums.

Upstream changes:

Notes for BIND 9.20.20
----------------------

Security Fixes
~~~~~~~~~~~~~~

- Fix a use-after-free error in ``dns_client_resolve()`` triggered by a
  DNAME response.

  This issue only affected the :iscman:`delv` tool and it has now been
  fixed.

  ISC would like to thank Vitaly Simonovich for bringing this
  vulnerability to our attention. :gl:`#5728`

Feature Changes
~~~~~~~~~~~~~~~

- Record query time for all dnstap responses.

  Not all DNS responses had the query time set in their corresponding
  dnstap messages. This has been fixed. :gl:`#3695`

- Optimize TCP source port selection on Linux.

  Enable the ``IP_LOCAL_PORT_RANGE`` socket option on the outgoing TCP
  sockets to allow faster selection of the source <address,port> tuple
  for different destination <address,port> tuples, when nearing over
  70-80% of the source port utilization. :gl:`!11569`

Bug Fixes
~~~~~~~~~

- Fix an assertion failure triggered by non-minimal IXFRs.

  Processing an IXFR that included an RRset whose contents were not
  changed by the transfer triggered an assertion failure. This has been
  fixed. :gl:`#5759`

- Fix a crash when retrying a NOTIFY over TCP.

  Furthermore, do not attempt to retry over TCP at all if the source
  address is not available. :gl:`#5457`

- Fetch loop detection improvements.

  Fix a case where an in-domain nameserver with expired glue would fail
  to resolve. :gl:`#5588`

- Randomize nameserver selection.

  Since BIND 9.20.17, when selecting nameserver addresses to be looked
  up, :iscman:`named` selected them in DNSSEC order from the start of
  the NS RRset. This could lead to a resolution failure despite there
  being an address that could be resolved using the other nameserver
  names. :iscman:`named` now randomizes the order in which nameserver
  addresses are looked up. :gl:`#5695` :gl:`#5745`

- Fix dnstap logging of forwarded queries. :gl:`#5724`

- A stale answer could have been served in case of multiple upstream
  failures when following CNAME chains. This has been fixed. :gl:`#5751`

- Fail DNSKEY validation when supported but invalid DS is found.

  A regression was introduced in BIND 9.20.6 when adding the EDE code
  for unsupported DNSKEY and DS algorithms. When the parent had both
  supported and unsupported algorithms in the DS record, the validator
  would treat the supported DS algorithm as insecure instead of bogus
  when validating DNSKEY records. This has no security impact, as the
  rest of the child zone correctly ends with bogus status, but it is
  incorrect and thus the regression has been fixed. :gl:`#5757`

- Importing an invalid SKR file might corrupt stack memory.

  If an administrator imported an invalid SKR file, the local stack in
  the import function might overflow. This could lead to a memory
  corruption on the stack and ultimately a server crash. This has been
  fixed. :gl:`#5758`

- Return FORMERR for queries with the EDNS Client Subnet FAMILY field
  set to 0.

  :rfc:`7871` only defines families 1 (IPv4) and 2 (IPv6), and requires
  FORMERR to be returned for all unknown families. Queries with the EDNS
  Client Subnet FAMILY field set to 0 now elicit responses with
  RCODE=FORMERR. :gl:`!11565`

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=c454d2fea5923160529b6e95d7b42fe63e3193f4

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 bind920/Makefile | 2 +-
 bind920/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diffs:
diff --git a/bind920/Makefile b/bind920/Makefile
index 4156442c41..8671a6bc66 100644
--- a/bind920/Makefile
+++ b/bind920/Makefile
@@ -15,7 +15,7 @@ CONFLICTS+=	host-[0-9]*
 
 MAKE_JOBS_SAFE=	no
 
-BIND_VERSION=	9.20.18
+BIND_VERSION=	9.20.20
 
 BUILD_DEFS+=	BIND_DIR VARBASE
 
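Review bot: BIND_VERSION goes from 9.20.18 straight to 9.20.20, but the log message carries only the "Notes for BIND 9.20.20" section. Either add the 9.20.19 notes or say in the log why there are none, so that anyone auditing which fixes this package picked up can tell what the skipped version contained.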
diff --git a/bind920/distinfo b/bind920/distinfo
index 55596fae68..d7aa48e7c4 100644
--- a/bind920/distinfo
+++ b/bind920/distinfo
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.20 2024/07/23 13:50:32 taca Exp $
 
-BLAKE2s (bind-9.20.18.tar.xz) = 179ade278f5ebdf44788398a187f22fddcbfbde2eb1f79f144df297e325fcd07
-SHA512 (bind-9.20.18.tar.xz) = d5b55aa40d9ed8e1744af2a64bd2ce34ea04e51f340bbee3c6149c6fe4bd9ee897902b857b3fbcfb48f7b238e439f88f5c883b54d6f8f44ff5ab3f5e4d48bd06
-Size (bind-9.20.18.tar.xz) = 5775248 bytes
+BLAKE2s (bind-9.20.20.tar.xz) = 82ffd9cd57b3ea8f04b48f778e95f6c87609a5bef0f5ee37f4fcb39f85dc74ca
+SHA512 (bind-9.20.20.tar.xz) = 46cd2983bdf45f65e3f134c5ae13b04b574836839dc6efac701146cf6a216a42ffa84b6f7267596b6b92b391e7845aa055031417053a3ebaa718cfc51db1ada7
+Size (bind-9.20.20.tar.xz) = 5802548 bytes
 SHA1 (patch-configure.ac) = d3b9bb82c8e164135b93a76d5c53ad40521226e2
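Review bot: the new BLAKE2s and SHA512 lines for bind-9.20.20.tar.xz pin whatever tarball was fetched when the checksums were regenerated, and the log message does not say that it was checked against ISC's release signature; worth stating, since this update carries a security fix. The SHA1 for patch-configure.ac stays unchanged as context, so also confirm that the patch still applies cleanly to the 9.20.20 configure.ac.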


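The FORMERR rule for the EDNS Client Subnet FAMILY field described in the release notes above, as an added example that is not part of the commit message and not BIND's code. `ecs_query_rcode()` is a hypothetical helper; it also checks the ADDRESS length and padding bits from the RFC 7871 option layout, and rejecting a nonzero SCOPE in a query is this example's own choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { RCODE_NOERROR = 0, RCODE_FORMERR = 1 };   /* RFC 1035 RCODE values */

/*
 * Check the payload of an EDNS Client Subnet option (RFC 7871, section 6)
 * as received in a query and return the RCODE to answer with.
 * Layout: FAMILY (2 octets) | SOURCE PREFIX-LENGTH (1) |
 *         SCOPE PREFIX-LENGTH (1) | ADDRESS (variable).
 * ecs_query_rcode() is a hypothetical helper, not BIND's implementation.
 */
int ecs_query_rcode(const uint8_t *opt, size_t len)
{
    unsigned family, source, scope, maxbits;
    size_t addrlen;

    if (opt == NULL || len < 4)
        return RCODE_FORMERR;            /* fixed header truncated */
    family = ((unsigned)opt[0] << 8) | opt[1];
    source = opt[2];
    scope = opt[3];

    switch (family) {
    case 1:  maxbits = 32;  break;       /* IPv4 */
    case 2:  maxbits = 128; break;       /* IPv6 */
    default: return RCODE_FORMERR;       /* FAMILY 0 and any other unknown family */
    }
    if (source > maxbits)
        return RCODE_FORMERR;            /* prefix longer than the family allows */
    if (scope != 0)
        return RCODE_FORMERR;            /* assumption: nonzero SCOPE in a query is rejected */

    addrlen = (source + 7) / 8;          /* ADDRESS is truncated to the prefix */
    if (len - 4 != addrlen)
        return RCODE_FORMERR;            /* too few or too many ADDRESS octets */
    if (source % 8 != 0 && (opt[4 + addrlen - 1] & (0xFFu >> (source % 8))) != 0)
        return RCODE_FORMERR;            /* nonzero bits beyond the prefix */
    return RCODE_NOERROR;
}

int main(void)
{
    /* Constructed sample payloads, not captured traffic. */
    const uint8_t family0[] = { 0x00, 0x00, 0, 0 };
    const uint8_t v4_24[]   = { 0x00, 0x01, 24, 0, 192, 0, 2 };

    printf("FAMILY=0 -> rcode %d\n", ecs_query_rcode(family0, sizeof family0));
    printf("IPv4 /24 -> rcode %d\n", ecs_query_rcode(v4_24, sizeof v4_24));
    return 0;
}
```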