pkgsrc-WIP-changes archive


bind920: update to version 9.20.2.



Module Name:	pkgsrc-wip
Committed By:	Havard Eidnes <he%NetBSD.org@localhost>
Pushed By:	he
Date:		Wed Sep 18 22:09:47 2024 +0200
Changeset:	59117fccf83a8a3c83c019d9268247ddf1e9ea03

Modified Files:
	bind920/Makefile
	bind920/PLIST
	bind920/distinfo
	bind920/patches/patch-configure.ac
Removed Files:
	bind920/patches/patch-bin_named_include_named_os.h
	bind920/patches/patch-bin_named_os.c
	bind920/patches/patch-bin_named_server.c

Log Message:
bind920: update to version 9.20.2.

Pkgsrc changes:
 * Remove patches now integrated upstream.
 * Checksum changes.

Upstream changes:

Notes for BIND 9.20.2
---------------------

New Features
~~~~~~~~~~~~

- Support for Offline KSK implemented.

  Add a new configuration option :any:`offline-ksk` to enable Offline
  KSK key management. Signed Key Response (SKR) files created with
  :iscman:`dnssec-ksr` (or other programs) can now be imported into
  :iscman:`named` with the new :option:`rndc skr -import <rndc skr>`
  command. Rather than creating new DNSKEY, CDS, and CDNSKEY records and
  generating signatures covering these types, these records are loaded
  from the currently active bundle from the imported SKR.

  The implementation is loosely based on
  `draft-icann-dnssec-keymgmt-01.txt
  <https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt>`_.
  :gl:`#1128`

- Print the full path of the working directory in startup log messages.

  :iscman:`named` now prints its initial working directory during
  startup, and the changed working directory when loading or reloading
  its configuration file, if it has a valid :any:`directory` option
  defined. :gl:`#4731`

- Support a restricted key tag range when generating new keys.

  When multiple signers are being used to sign a zone, it is useful to
  be able to specify a restricted range of key tags to be used by an
  operator to sign the zone. The range can be specified with
  ``tag-range`` in :any:`dnssec-policy`'s :ref:`keys
  <dnssec-policy-keys>` (for :iscman:`named` and :iscman:`dnssec-ksr`)
  and with the new options :option:`dnssec-keyfromlabel -M` and
  :option:`dnssec-keygen -M`. :gl:`#4830`

Feature Changes
~~~~~~~~~~~~~~~

- Exempt prefetches from the :any:`fetches-per-zone` and
  :any:`fetches-per-server` quotas.

  Fetches generated automatically as a result of :any:`prefetch` are now
  exempt from the :any:`fetches-per-zone` and :any:`fetches-per-server`
  quotas. This should help in maintaining the cache from which query
  responses can be given. :gl:`#4219`

- Follow the number of CPUs set by ``taskset``/``cpuset``.

  Administrators may wish to constrain the set of cores that
  :iscman:`named` runs on via the ``taskset``, ``cpuset``, or ``numactl``
  programs (or equivalents on other OSes).

  If the admin has used ``taskset``, :iscman:`named` now automatically
  uses the given number of CPUs rather than the system-wide count.
  :gl:`#4884`

Bug Fixes
~~~~~~~~~

- Delay the release of root privileges until after configuring controls.

  Delay relinquishing root privileges until the control channel has been
  configured, for the benefit of systems that require root to use
  privileged port numbers.  This mostly affects systems without fine-
  grained privilege systems (i.e., other than Linux). :gl:`#4793`

- Fix a rare assertion failure when shutting down incoming transfer.

  A very rare assertion failure could be triggered when the incoming
  transfer was either forcefully shut down, or it finished during the
  printing of the details about the statistics channel.  This has been
  fixed. :gl:`#4860`

- Fix algorithm rollover bug when there are two keys with the same
  keytag.

  If there was an algorithm rollover and two keys of different
  algorithms shared the same keytags, there was the possibility that the
  check of whether the key matched a specific state could be performed
  against the wrong key. This has been fixed by not only checking for
  the matching key tag but also the key algorithm. :gl:`#4878`

- Fix an assertion failure in ``validate_dnskey_dsset_done()``.

  Under rare circumstances, :iscman:`named` could terminate unexpectedly
  when validating a DNSKEY resource record if the validation had been
  canceled in the meantime. This has been fixed. :gl:`#4911`

Known Issues
~~~~~~~~~~~~

- Long-running tasks in offloaded threads (e.g. the loading of RPZ zones
  or processing zone transfers) may block the resolution of queries
  during these operations and cause the queries to time out.

  To work around the issue, the ``UV_THREADPOOL_SIZE`` environment
  variable can be set to a larger value before starting :iscman:`named`.
  The recommended value is the number of RPZ zones (or number of
  transfers) plus the number of threads BIND should use, which is
  typically the number of CPUs. :gl:`#4898`

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=59117fccf83a8a3c83c019d9268247ddf1e9ea03

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 bind920/Makefile                                   |   3 +-
 bind920/PLIST                                      |   1 +
 bind920/distinfo                                   |  11 +-
 bind920/patches/patch-bin_named_include_named_os.h |  22 ---
 bind920/patches/patch-bin_named_os.c               | 188 ---------------------
 bind920/patches/patch-bin_named_server.c           |  52 ------
 bind920/patches/patch-configure.ac                 |  22 ---
 7 files changed, 6 insertions(+), 293 deletions(-)

diffs:
diff --git a/bind920/Makefile b/bind920/Makefile
index f711ac9f19..72f60de4f7 100644
--- a/bind920/Makefile
+++ b/bind920/Makefile
@@ -2,7 +2,6 @@
 
 DISTNAME=	bind-${BIND_VERSION}
 PKGNAME=	${DISTNAME:S/-P/pl/}
-PKGREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	https://downloads.isc.org/isc/bind9/${BIND_VERSION}/
 EXTRACT_SUFX=	.tar.xz
@@ -16,7 +15,7 @@ CONFLICTS+=	host-[0-9]*
 
 MAKE_JOBS_SAFE=	no
 
-BIND_VERSION=	9.20.1
+BIND_VERSION=	9.20.2
 
 BUILD_DEFS+=	BIND_DIR VARBASE
 
diff --git a/bind920/PLIST b/bind920/PLIST
index 131a340254..d0615f43d8 100644
--- a/bind920/PLIST
+++ b/bind920/PLIST
@@ -103,6 +103,7 @@ include/dns/rrl.h
 include/dns/sdlz.h
 include/dns/secalg.h
 include/dns/secproto.h
+include/dns/skr.h
 include/dns/soa.h
 include/dns/ssu.h
 include/dns/stats.h
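Review bot: include/dns/skr.h is the only new installed file recorded here, while the 9.20.2 notes quoted in the log message also add the rndc skr subcommand and the offline-ksk handling; run make print-PLIST against the installed tree and diff it with this PLIST to confirm that no other new header or man page arrived with 9.20.2 before this goes in.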
diff --git a/bind920/distinfo b/bind920/distinfo
index 3397b69927..20df4e108f 100644
--- a/bind920/distinfo
+++ b/bind920/distinfo
@@ -1,10 +1,7 @@
 $NetBSD: distinfo,v 1.20 2024/07/23 13:50:32 taca Exp $
 
-BLAKE2s (bind-9.20.1.tar.xz) = 1fd3ee4303f45f6ec89c9a6e4f5057f2a703e56d8ab33c78af6fd8fdfdced403
-SHA512 (bind-9.20.1.tar.xz) = 4d410da58bd4e4b7c17961fd026014c330811e4a906e9d6db63419c7347815c6634ffc4ef97513a361add13419ee70ba814c97b583e85d2df89438b9d937d657
-Size (bind-9.20.1.tar.xz) = 5789604 bytes
-SHA1 (patch-bin_named_include_named_os.h) = d14f7e2e6c45c6a6879a9b7900a9f0348975bbe7
-SHA1 (patch-bin_named_os.c) = 9496ffdb0cbc225222161f41e6fcb7d494d430cc
-SHA1 (patch-bin_named_server.c) = 7fa9617cbeb6eaa85a73422311319fdb62c18fe6
-SHA1 (patch-configure.ac) = 0cfceff37b5a1900a85e0e23b80270eb005134e6
+BLAKE2s (bind-9.20.2.tar.xz) = 7cee1649ea07555289430f3b8b7e0655f268ec66066689db0dabeaf7e3d3f956
+SHA512 (bind-9.20.2.tar.xz) = da5c9ca3cedf8e28ccf85f886772a306eccf95c10883eff42e6d34694d650cdbd00b3e5fe30cc9fb012029c1a5e8e829ebd6ce2ffefa323d7057e8915badf90c
+Size (bind-9.20.2.tar.xz) = 5865060 bytes
+SHA1 (patch-configure.ac) = f1f672271aa38c10b12d12d48455eb0af82d270c
 SHA1 (patch-lib_dns_acl.c) = 731f99ad448717aa642c6c1b2f4c0ef0b002cc07
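Review bot: The BLAKE2s/SHA512/Size lines for bind-9.20.2.tar.xz are the only integrity anchor pkgsrc users get for this tarball, so they should be confirmed against ISC's signature for the 9.20.2 release rather than only against a fresh download from MASTER_SITES. The SHA1 for patch-configure.ac moves in step with the change to that file further down, and leaving the patch-lib_dns_acl.c line untouched is right since that patch is not part of this change.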
diff --git a/bind920/patches/patch-bin_named_include_named_os.h b/bind920/patches/patch-bin_named_include_named_os.h
deleted file mode 100644
index 4e65f62618..0000000000
--- a/bind920/patches/patch-bin_named_include_named_os.h
+++ /dev/null
@@ -1,22 +0,0 @@
-$NetBSD$
-
-Part of fix to
-https://gitlab.isc.org/isc-projects/bind9/-/issues/4793
-pulled from
-https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9123
-
---- bin/named/include/named/os.h.orig	2024-07-08 13:09:16.770267986 +0000
-+++ bin/named/include/named/os.h
-@@ -41,8 +41,11 @@ named_os_inituserinfo(const char *userna
- void
- named_os_changeuser(void);
- 
-+void
-+named_os_tempuser(uid_t uid);
-+
- uid_t
--ns_os_uid(void);
-+named_os_uid(void);
- 
- void
- named_os_adjustnofile(void);
diff --git a/bind920/patches/patch-bin_named_os.c b/bind920/patches/patch-bin_named_os.c
deleted file mode 100644
index d6dc01cacf..0000000000
--- a/bind920/patches/patch-bin_named_os.c
+++ /dev/null
@@ -1,188 +0,0 @@
-$NetBSD$
-
-Part of fix to ("BIND relinquishes privileges too early")
-
-https://gitlab.isc.org/isc-projects/bind9/-/issues/4793
-pulled from
-https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9123
-
-Also fix to (compat setresuid() is mis-implemented)
-and follow-up fixes to get rid of setresuid() usage:
-
-https://gitlab.isc.org/isc-projects/bind9/-/issues/4862
-pulled from
-https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9363
-
---- bin/named/os.c.orig	2024-07-08 13:09:16.774268226 +0000
-+++ bin/named/os.c
-@@ -249,115 +249,6 @@ linux_keepcaps(void) {
- 
- #endif /* HAVE_LIBCAP */
- 
--/*
-- * First define compatibility shims if {set,get}res{uid,gid} are not available
-- */
--
--#if !HAVE_GETRESGID
--static int
--getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid) {
--	*rgid = -1;
--	*egid = getegid();
--	*sgid = -1;
--
--	return (0);
--}
--#endif /* !HAVE_GETRESGID */
--
--#if !HAVE_SETRESGID
--static int
--setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
--	REQUIRE(rgid == (gid_t)-1);
--	REQUIRE(sgid == (gid_t)-1);
--
--#if HAVE_SETREGID
--	return (setregid(rgid, egid));
--#else  /* HAVE_SETREGID */
--	return (setegid(egid));
--#endif /* HAVE_SETREGID */
--}
--#endif /* !HAVE_SETRESGID */
--
--#if !HAVE_GETRESUID
--static int
--getresuid(uid_t *ruid, uid_t *euid, uid_t *suid) {
--	*ruid = -1;
--	*euid = geteuid();
--	*suid = -1;
--
--	return (0);
--}
--#endif /* !HAVE_GETRESUID */
--
--#if !HAVE_SETRESUID
--static int
--setresuid(uid_t ruid, uid_t euid, uid_t suid) {
--	REQUIRE(ruid == (uid_t)-1);
--	REQUIRE(suid == (uid_t)-1);
--
--#if HAVE_SETREGID
--	return (setregid(ruid, euid));
--#else  /* HAVE_SETREGID */
--	return (setegid(euid));
--#endif /* HAVE_SETREGID */
--}
--#endif /* !HAVE_SETRESUID */
--
--static int
--set_effective_gid(gid_t gid) {
--	gid_t oldgid;
--
--	if (getresgid(&(gid_t){ 0 }, &oldgid, &(gid_t){ 0 }) == -1) {
--		return (-1);
--	}
--
--	if (oldgid == gid) {
--		return (0);
--	}
--
--	if (setresgid(-1, gid, -1) == -1) {
--		return (-1);
--	}
--
--	if (getresgid(&(gid_t){ 0 }, &oldgid, &(gid_t){ 0 }) == -1) {
--		return (-1);
--	}
--
--	if (oldgid != gid) {
--		return (-1);
--	}
--
--	return (0);
--}
--
--static int
--set_effective_uid(uid_t uid) {
--	uid_t olduid;
--
--	if (getresuid(&(uid_t){ 0 }, &olduid, &(uid_t){ 0 }) == -1) {
--		return (-1);
--	}
--
--	if (olduid == uid) {
--		return (0);
--	}
--
--	if (setresuid(-1, uid, -1) == -1) {
--		return (-1);
--	}
--
--	if (getresuid(&(uid_t){ 0 }, &olduid, &(uid_t){ 0 }) == -1) {
--		return (-1);
--	}
--
--	if (olduid != uid) {
--		return (-1);
--	}
--
--	/* Success */
--	return (0);
--}
--
- static void
- setperms(uid_t uid, gid_t gid) {
- 	char strbuf[ISC_STRERRORSIZE];
-@@ -366,13 +257,13 @@ setperms(uid_t uid, gid_t gid) {
- 	 * Drop the gid privilege first, because in some cases the gid privilege
- 	 * cannot be dropped after the uid privilege has been dropped.
- 	 */
--	if (set_effective_gid(gid) == -1) {
-+	if (setegid(gid) == -1) {
- 		strerror_r(errno, strbuf, sizeof(strbuf));
- 		named_main_earlywarning("unable to set effective gid to %d: %s",
- 					gid, strbuf);
- 	}
- 
--	if (set_effective_uid(uid) == -1) {
-+	if (seteuid(uid) == -1) {
- 		strerror_r(errno, strbuf, sizeof(strbuf));
- 		named_main_earlywarning("unable to set effective uid to %d: %s",
- 					uid, strbuf);
-@@ -578,12 +469,12 @@ named_os_changeuser(void) {
- 
- 	done_setuid = true;
- 
--	if (setgid(runas_pw->pw_gid) < 0) {
-+	if (setgid(runas_pw->pw_gid) == -1) {
- 		strerror_r(errno, strbuf, sizeof(strbuf));
- 		named_main_earlyfatal("setgid(): %s", strbuf);
- 	}
- 
--	if (setuid(runas_pw->pw_uid) < 0) {
-+	if (setuid(runas_pw->pw_uid) == -1) {
- 		strerror_r(errno, strbuf, sizeof(strbuf));
- 		named_main_earlyfatal("setuid(): %s", strbuf);
- 	}
-@@ -603,8 +494,22 @@ named_os_changeuser(void) {
- #endif /* HAVE_LIBCAP */
- }
- 
-+void
-+named_os_tempuser(uid_t uid) {
-+	char strbuf[ISC_STRERRORSIZE];
-+
-+	if (done_setuid) {
-+		return;
-+	}
-+
-+	if (getuid() == 0 && seteuid(uid) < 0) {
-+		strerror_r(errno, strbuf, sizeof(strbuf));
-+		named_main_earlyfatal("setuid(): %s", strbuf);
-+	}
-+}
-+
- uid_t
--ns_os_uid(void) {
-+named_os_uid(void) {
- 	if (runas_pw == NULL) {
- 		return (0);
- 	}
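Review bot: The log message says these patches are now integrated upstream, but the quoted 9.20.2 notes list only #4793; #4862, which this hunk's header also cites and whose symptom is visible in the removed compat shim (the fallback setresuid() calls setregid()/setegid(), the gid functions, on systems without a native setresuid()), is not mentioned in those notes, so confirm in the 9.20.2 tree that the shim and the matching AC_CHECK_FUNCS for setresuid/setresgid are really gone rather than relying on the release notes alone. Two details of the local named_os_tempuser() are also worth comparing against what upstream shipped: it swaps only the effective uid with seteuid() and never the effective gid, although setperms() just above drops the gid first for the reason its comment gives, and its error message reads "setuid()" for a failed seteuid().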
diff --git a/bind920/patches/patch-bin_named_server.c b/bind920/patches/patch-bin_named_server.c
deleted file mode 100644
index 9c06704668..0000000000
--- a/bind920/patches/patch-bin_named_server.c
+++ /dev/null
@@ -1,52 +0,0 @@
-$NetBSD$
-
-Part of fix to ("BIND relinquishes privileges too early")
-
-https://gitlab.isc.org/isc-projects/bind9/-/issues/4793
-pulled from
-https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9123
-
---- bin/named/server.c.orig	2024-07-08 13:09:16.774268226 +0000
-+++ bin/named/server.c
-@@ -9281,7 +9281,7 @@ load_configuration(const char *filename,
- 	 * Relinquish root privileges.
- 	 */
- 	if (first_time) {
--		named_os_changeuser();
-+		named_os_tempuser(named_os_uid());
- 	}
- 
- 	/*
-@@ -9628,6 +9628,9 @@ load_configuration(const char *filename,
- 	isc_loopmgr_resume(named_g_loopmgr);
- 	exclusive = false;
- 
-+	/* Take back root privileges temporarily */
-+	named_os_tempuser(0);
-+
- 	/* Configure the statistics channel(s) */
- 	result = named_statschannels_configure(named_g_server, config,
- 					       named_g_aclconfctx);
-@@ -9655,6 +9658,13 @@ load_configuration(const char *filename,
- 	(void)ns_interfacemgr_scan(server->interfacemgr, true, true);
- 
- 	/*
-+	 * Permanently drop root privileges now.
-+	 */
-+	if (first_time) {
-+		named_os_changeuser();
-+	}
-+
-+	/*
- 	 * These cleans up either the old production view list
- 	 * or our temporary list depending on whether they
- 	 * were swapped above or not.
-@@ -13175,7 +13185,7 @@ nzd_env_close(dns_view_t *view) {
- 	/*
- 	 * Database files must be owned by the eventual user, not by root.
- 	 */
--	ret = chown(dbpath_copy, ns_os_uid(), -1);
-+	ret = chown(dbpath_copy, named_os_uid(), -1);
- 	UNUSED(ret);
- 
- 	/*
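Review bot: Removal matches #4793 being listed under Bug Fixes in the quoted notes. The removed hunk shows the local shape of the fix: euid 0 is regained with named_os_tempuser(0) before named_statschannels_configure() and kept until after ns_interfacemgr_scan(), so everything in between ran as root. After this update that window is whatever 9.20.2 implements, which the note describes only as lasting until the control channel is configured, so on NetBSD (the non-Linux case the note calls out) confirm that an rndc control channel and a statistics channel on ports below 1024 still bind at startup, since that was the reason for carrying the patch.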
diff --git a/bind920/patches/patch-configure.ac b/bind920/patches/patch-configure.ac
index e11cf0f1da..ba9ac81d45 100644
--- a/bind920/patches/patch-configure.ac
+++ b/bind920/patches/patch-configure.ac
@@ -1,14 +1,5 @@
 $NetBSD$
 
-Fix to (compat setresuid() is mis-implemented)
-and follow-up fixes to get rid of setresuid() usage:
- 
-https://gitlab.isc.org/isc-projects/bind9/-/issues/4862
-pulled from
-https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9363
-
-And ...
-
 support removal of WRKDIR references from config.h
 
 --- configure.ac.orig	2024-07-08 13:09:17.034283885 +0000
@@ -25,16 +16,3 @@ support removal of WRKDIR references from config.h
  
  AC_DEFINE([PACKAGE_BUILDER], ["make"], [make or Visual Studio])
  
-@@ -426,12 +429,6 @@ AS_CASE([$host],
- 
- AC_CHECK_FUNCS([sysctlbyname])
- 
--#
--# Check for uid/gid setting variants
--#
--AC_CHECK_FUNCS([setresuid setreuid getresuid])
--AC_CHECK_FUNCS([setresgid setregid getresgid])
--
- AC_TYPE_SIZE_T
- AC_TYPE_SSIZE_T
- AC_TYPE_UINTPTR_T
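The distinction the "Delay the release of root privileges" bug-fix note draws, between giving up root for a while and giving it up for good, as an added example in C that is not part of this commit or of BIND's own code. It uses the plain setegid()/seteuid() and setgid()/setuid() calls and the gid-before-uid order; the function names, the drop_report struct and the choice of uid/gid 65534 as the unprivileged target are the example's own assumptions:

```c
/*
 * Added example, not BIND code.  Shows the two ways of giving up root that
 * the "delay the release of root privileges" note distinguishes: a temporary
 * drop with setegid()/seteuid() keeps the saved uid at 0, so root can be
 * regained later to bind a privileged port; a permanent drop with
 * setgid()/setuid() made as root rewrites real, effective and saved ids, after
 * which regaining root must fail.  gid is changed before uid because the gid
 * cannot be changed any more once the uid is not 0.  The target ids (65534
 * when started as root, our own ids otherwise) are the example's own choice.
 */
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

struct drop_report {
	int started_as_root;  /* real uid was 0 at the start */
	int temp_drop_ok;     /* setegid()/seteuid() to the target worked */
	int restore_ok;       /* root came back after the temporary drop */
	int perm_drop_ok;     /* setgid()/setuid() to the target worked */
	int root_regainable;  /* seteuid(0) still works after the permanent drop */
};

/* Reversible: only effective ids change, saved ids stay. */
static int
temp_drop(uid_t uid, gid_t gid) {
	return (setegid(gid) == -1 || seteuid(uid) == -1) ? -1 : 0;
}

/* Undo temp_drop(); only possible while the saved uid is still 0. */
static int
temp_restore(void) {
	return (seteuid(0) == -1 || setegid(0) == -1) ? -1 : 0;
}

/* Irreversible: as root, setgid()/setuid() rewrite all three ids.
 * Supplementary groups can only be cleared while still root. */
static int
perm_drop(uid_t uid, gid_t gid) {
	if (geteuid() == 0 && setgroups(0, NULL) == -1) {
		return -1;
	}
	return (setgid(gid) == -1 || setuid(uid) == -1) ? -1 : 0;
}

/* The check to run after the permanent drop: 1 means root can be regained. */
static int
root_regainable(void) {
	return seteuid(0) == 0;
}

/* A target that is unprivileged whether or not we started as root. */
static uid_t
unprivileged_uid(void) {
	return getuid() == 0 ? (uid_t)65534 : getuid();
}

static gid_t
unprivileged_gid(void) {
	return getuid() == 0 ? (gid_t)65534 : getgid();
}

static struct drop_report
run_drop_sequence(uid_t uid, gid_t gid) {
	struct drop_report r = { 0 };
	r.started_as_root = (getuid() == 0);
	r.temp_drop_ok = (temp_drop(uid, gid) == 0);
	/* A real daemon would bind its privileged ports here. */
	r.restore_ok = (temp_restore() == 0);
	r.perm_drop_ok = (perm_drop(uid, gid) == 0);
	r.root_regainable = root_regainable();
	return r;
}

/* Invariants: temporary drop reversible iff started as root; permanent drop
 * never reversible. */
static int
report_ok(const struct drop_report *r) {
	return r->temp_drop_ok && r->perm_drop_ok &&
	       r->restore_ok == r->started_as_root && !r->root_regainable;
}

static int
drop_sequence_ok(void) {
	struct drop_report r = run_drop_sequence(unprivileged_uid(), unprivileged_gid());
	return report_ok(&r);
}

int
main(void) {
	struct drop_report r = run_drop_sequence(unprivileged_uid(), unprivileged_gid());
	printf("root at start %d, temp drop %d, restore %d, perm drop %d, "
	       "root regainable %d\n", r.started_as_root, r.temp_drop_ok,
	       r.restore_ok, r.perm_drop_ok, r.root_regainable);
	return report_ok(&r) ? 0 : 1;
}
```

Run it as root to see the temporary drop reversed and the permanent one hold; run it as an ordinary user and only the restore step fails, which is the same outcome the final root_regainable() check is there to confirm after a daemon's permanent drop. That check is the part worth copying: a privilege drop verified only by the setuid()/setgid() return values does not tell you that the saved uid went with them.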

