bind920: update to version 9.20.9.

[Havard Eidnes (via pkgsrc-wip) <commit-notify%pkgsrc.org@localhost>]

Module Name:	pkgsrc-wip
Committed By:	Havard Eidnes <he%NetBSD.org@localhost>
Pushed By:	he
Date:		Wed May 21 20:31:07 2025 +0200
Changeset:	99c81b9b5111d8c430bedc7e3df82a36ad7e1986

Modified Files:
	bind920/Makefile
	bind920/distinfo

Log Message:
bind920: update to version 9.20.9.

Pkgsrc changes:
 * None, other than checksum changes.

Upstream changes:

BIND 9.20.9
-----------

Security Fixes
~~~~~~~~~~~~

- [CVE-2025-40775] Prevent assertion when processing TSIG algorithm.
  ``b8c198ac5ca``

  DNS messages that included a Transaction Signature (TSIG) containing
  an invalid value in the algorithm field caused :iscman:`named` to
  crash with an assertion failure. This has been fixed.
  :cve:`2025-40775` :gl:`#5300`

Feature Changes
~~~~~~~~~~~~~

- Use jinja2 templates in system tests. ``8f545784ff0``

  `python-jinja2` is now required to run system tests. :gl:`#4938`
  :gl:`!10396`

Bug Fixes
~~~~~~~

- Fix EDNS yaml output. ``8c3b226d89b``

  `dig` was producing invalid YAML when displaying some EDNS options.
  This has been corrected.

  Several other improvements have been made to the display of EDNS
  option data: - We now use the correct name for the UPDATE-LEASE
  option, which was previously displayed as "UL", and split it into
  separate LEASE and LEASE-KEY components in YAML mode. - Human-readable
  durations are now displayed as comments in YAML mode so as not to
  interfere with machine parsing. - KEY-TAG options are now displayed as
  an array of integers in YAML mode. - EDNS COOKIE options are displayed
  as separate CLIENT and SERVER components, and cookie STATUS is a
  retrievable variable in YAML mode. :gl:`#5014` :gl:`!10414`

- Return DNS COOKIE and NSID with BADVERS. ``34b7323bad6``

  This change allows the client to identify the server that returns the
  BADVERS and to provide a DNS SERVER COOKIE to be included in the
  resend of the request. :gl:`#5235` :gl:`!10392`

- Disable own memory context for libxml2 on macOS. ``51e51d5ea8f``

  Apple broke custom memory allocation functions in the system-wide
  libxml2 starting with macOS Sequoia 15.4.  Usage of the custom memory
  allocation functions has been disabled on macOS. :gl:`#5268`
  :gl:`!10411`

- `check_private` failed to account for the length byte before the OID.
  ``2b827380e75``

  In PRIVATEOID keys, the key data begins with a length byte followed
  by an ASN.1 object identifier that indicates the cryptographic
  algorithm  to use. Previously, the length byte was not accounted for
  when  checking the contents of keys and signatures, which could have
  led to interoperability problems with any zones signed using
  PRIVATEOID. This has been fixed. :gl:`#5270` :gl:`!10376`

- Fix a serve-stale issue with a delegated zone. ``d839d11bf62``

  When ``stale-answer-client-timeout 0`` option was enabled, it could be
  ignored when resolving a zone which is a delegation of an
  authoritative zone belonging to the resolver. This has been fixed.
  :gl:`#5275` :gl:`!10420`

- Fix the ksr two-tone test. ``3e2b255b5b7``

  The two-tone ksr subtest (test_ksr_twotone) depended on the
  dnssec-policy keys algorithm values in named.conf being entered in
  numerical order.  As the algorithms used in the test can be selected
  randomly this does not always happen. Sort the dnssec-policy keys by
  algorithm when adding them to the key list from named.conf.
  :gl:`#5286` :gl:`!10435`

- Revert NSEC3 closest encloser lookup improvements. ``ac41f158fad``

  The performance improvements for NSEC3 closest encloser lookups that
  were restored in BIND 9.20.8 turned out to cause incorrect NSEC3
  records to be returned in nonexistence proofs and were therefore
  reverted again. :gl:`#5292` :gl:`!10443`

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=99c81b9b5111d8c430bedc7e3df82a36ad7e1986

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 bind920/Makefile | 2 +-
 bind920/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diffs:
diff --git a/bind920/Makefile b/bind920/Makefile
index dc29bd9807..2f3346f060 100644
--- a/bind920/Makefile
+++ b/bind920/Makefile
@@ -15,7 +15,7 @@ CONFLICTS+=	host-[0-9]*
 
 MAKE_JOBS_SAFE=	no
 
-BIND_VERSION=	9.20.8
+BIND_VERSION=	9.20.9
 
 BUILD_DEFS+=	BIND_DIR VARBASE
 
diff --git a/bind920/distinfo b/bind920/distinfo
index 4f64622f42..b62c390458 100644
--- a/bind920/distinfo
+++ b/bind920/distinfo
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.20 2024/07/23 13:50:32 taca Exp $
 
-BLAKE2s (bind-9.20.8.tar.xz) = 51d9388ed09d98259ba98a33318ae82b19384f2f7b2bb0966c6bab472d4b3914
-SHA512 (bind-9.20.8.tar.xz) = daf18ff41f36ac747051b032ce4afa426882edba7d040712f3b424dfae96b9f8de3a13a1f53c061bc7be603e6db3aace83ab7c96621b790bb45f8e158b14c47b
-Size (bind-9.20.8.tar.xz) = 5661928 bytes
+BLAKE2s (bind-9.20.9.tar.xz) = 8bf82afab4fd02c2e12ac263816c419c437c283441be12c677f4b36fa11144b0
+SHA512 (bind-9.20.9.tar.xz) = 78efb4c4a5d78bd04efe222982efa1d6bb6748965e40d816d9e4329d6f2687a43d1e439bc3f98c00c85abaf8fc435063bcbe2d96a61b252fe3df0a8affa19f8f
+Size (bind-9.20.9.tar.xz) = 5668452 bytes
 SHA1 (patch-configure.ac) = d3b9bb82c8e164135b93a76d5c53ad40521226e2