pkgsrc-WIP-changes archive


bind920: update to BIND version 9.20.12.



Module Name:	pkgsrc-wip
Committed By:	Havard Eidnes <he%NetBSD.org@localhost>
Pushed By:	he
Date:		Wed Aug 20 18:27:01 2025 +0200
Changeset:	0635bf896f2b8ec0aa4c7990fd42a71b315dfa98

Modified Files:
	bind920/Makefile
	bind920/PLIST
	bind920/distinfo

Log Message:
bind920: update to BIND version 9.20.12.

Pkgsrc changes:
 * Update checksums
 * Add new file to PLIST

Upstream changes:

BIND 9.20.12
------------

New Features
~~~~~~~~~~~~

- Support for parsing the DSYNC record has been added. ``f440fe712d``

  :gl:`#5440` :gl:`!10820`

Feature Changes
~~~~~~~~~~~~~~~

- Adaptive memory allocation strategy for qp-tries. ``9a046cbed5``

  qp-tries allocate their nodes (twigs) in chunks to reduce allocator
  pressure and improve memory locality. The choice of chunk size
  presents a tradeoff: larger chunks benefit qp-tries with many values
  (as seen in large zones and resolvers) but waste memory in smaller use
  cases.

  Previously, our fixed chunk size of 2^10 twigs meant that even an
  empty qp-trie would consume 12KB of memory, while reducing this size
  would negatively impact resolver performance.

  This MR implements an adaptive chunking strategy that tracks the size
  of the most recently allocated chunk and doubles the chunk size for
  each new allocation until reaching a predefined maximum.

  This approach effectively balances memory efficiency for small tries
  while maintaining the performance benefits of larger chunk sizes for
  bigger data structures. :gl:`#5445` :gl:`!10804`

- Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest
  type 1. ``5aefaa4b97``

  RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated
  by the IETF and should no longer be used for DNSSEC. DS digest type 1
  (SHA1) has also been deprecated. Validators are now expected to treat
  these algorithms and digest as unknown, resulting in some zones being
  treated as insecure when they were previously treated as secure.
  Warnings have been added to named and tools when these algorithms and
  this digest are being used for signing.

  Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated to a
  different DNSKEY algorithm.

  Zones with DS or CDS records with digest type 1 (SHA1) should be
  updated to use a different digest type (e.g. SHA256) and the digest
  type 1 records should be removed.

  Related to #5358 :gl:`!10738`

Bug Fixes
~~~~~~~~~

- Stale RRsets in a CNAME chain were not always refreshed.
  ``ed37c7825e``

  With serve-stale enabled, when a CNAME chain contains a stale RRset,
  the refresh query doesn't always properly refresh the stale RRsets.
  This has been fixed. :gl:`#5243` :gl:`!10767`

- Add RPZ extended DNS error for zones with a CNAME override policy
  configured. ``39ad2016c1``

  When the zone is configured with a CNAME override policy, or the
  response policy zone contains a wildcard CNAME, the extended DNS error
  code was not added. This has been fixed. :gl:`#5342` :gl:`!10819`

- Fix a possible crash when adding a zone while recursing.
  ``7a3ec8dd94``

  A query for a zone that was not yet loaded may yield an unexpected
  result such as a CNAME or DNAME, triggering an assertion failure. This
  has been fixed. :gl:`#5357` :gl:`!10718`

- Fix dig issues. ``8c50819aa8``

  When used with the ``+keepopen`` option with a TCP connection,
  iscman:`dig` could terminate unexpectedly in rare situations.
  Additionally, iscman:`dig` could hang and fail to shut down properly
  when interrupted during a query. These have been fixed. :gl:`#5381`
  :gl:`!10727`

- Log dropped or slipped responses in the query-errors category.
  ``47470b586d``

  Responses which were dropped or slipped because of RRL (Response Rate
  Limiting) were logged in the ``rate-limit`` category instead of the
  ``query-errors`` category, as documented in ARM. This has been fixed.
  :gl:`#5388` :gl:`!10725`

- Separate out adbname type flags. ``fc689c6525``

  There are three adbname flags that are used to identify different
  types of adbname lookups when hashing rather than using multiple hash
  tables.  Separate these to their own structure element as these need
  to be able to be read without locking the adbname structure.
  :gl:`#5404` :gl:`!10695`

- Synth-from-dnssec was not working in some scenarios. ``bc54f059e0``

  Aggressive use of DNSSEC-Validated cache with NSEC was not working in
  scenarios when no parent NSEC was not in cache.  This has been fixed.
  :gl:`#5422` :gl:`!10754`

- Clean enough memory when adding new ADB names/entries under memory
  pressure. ``b7e7923daa``

  The ADB memory cleaning is opportunistic even when we are under memory
  pressure (in the overmem condition).  Split the opportunistic LRU
  cleaning and overmem cleaning and make the overmem cleaning always
  clean up double of the newly allocated adbname/adbentry to ensure we
  never allocate more memory than the assigned limit. :gl:`!10707`

- Prevent spurious validation failures. ``3b98c7cc9d``

  Under rare circumstances, validation could fail if multiple clients
  simultaneously iterated the same set of signatures.

  References #3014 :gl:`!10815`

- Rename variable called 'free' to prevent the clash with free()
  ``7f25d92c5d``

  :gl:`!10757`

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=0635bf896f2b8ec0aa4c7990fd42a71b315dfa98

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 bind920/Makefile | 2 +-
 bind920/PLIST    | 1 +
 bind920/distinfo | 6 +++---
 3 files changed, 5 insertions(+), 4 deletions(-)

diffs:
diff --git a/bind920/Makefile b/bind920/Makefile
index 03e05b40ac..9fb7e9a5c4 100644
--- a/bind920/Makefile
+++ b/bind920/Makefile
@@ -15,7 +15,7 @@ CONFLICTS+=	host-[0-9]*
 
 MAKE_JOBS_SAFE=	no
 
-BIND_VERSION=	9.20.11
+BIND_VERSION=	9.20.12
 
 BUILD_DEFS+=	BIND_DIR VARBASE
 
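Review bot: nothing in the visible context around `BIND_VERSION` shows a `PKGREVISION` line, so please confirm none is set elsewhere in this Makefile; if one is, it should be dropped in the same commit as the bump from 9.20.11 to 9.20.12 so the package version does not carry a stale revision suffix.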
diff --git a/bind920/PLIST b/bind920/PLIST
index 2906354598..5fb2c0cec6 100644
--- a/bind920/PLIST
+++ b/bind920/PLIST
@@ -48,6 +48,7 @@ include/dns/dnssec.h
 include/dns/dnstap.h
 include/dns/ds.h
 include/dns/dsdigest.h
+include/dns/dsync.h
 include/dns/dyndb.h
 include/dns/ecs.h
 include/dns/ede.h
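Review bot: please confirm that `include/dns/dsync.h` is the only file 9.20.12 adds to the install, since this hunk touches just that one entry. Regenerating the list with `make print-PLIST` after a clean install and comparing it with the committed PLIST would show any other new, renamed or removed files before the package fails its PLIST check.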
diff --git a/bind920/distinfo b/bind920/distinfo
index a6bdc9b750..5425004a7b 100644
--- a/bind920/distinfo
+++ b/bind920/distinfo
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.20 2024/07/23 13:50:32 taca Exp $
 
-BLAKE2s (bind-9.20.11.tar.xz) = a5b54078611d2fdbb42ceb1033707e971216a92b534cbe0deae21987de5b7762
-SHA512 (bind-9.20.11.tar.xz) = bacc19eaf37133d37202db521e2c6727fc4e494562caad68e7c22e8dad84411684ba2c7430aa3bb2d916b9078c3aab8277d35e0f9b1f9893b89071de7ad7eee4
-Size (bind-9.20.11.tar.xz) = 5674856 bytes
+BLAKE2s (bind-9.20.12.tar.xz) = 1c4de3d06cf76fa902a0a1378fc287f85d9614b8f472239fb42ec5cd66fd224d
+SHA512 (bind-9.20.12.tar.xz) = a27b8581bebc50822bfa8990323d1bbbb6081ccadf8abc9ce5a6b5945bd26612cce9480766abe127f6e9cda5917717d31a56070dc7719a7cc7495b7d116407ef
+Size (bind-9.20.12.tar.xz) = 5700944 bytes
 SHA1 (patch-configure.ac) = d3b9bb82c8e164135b93a76d5c53ad40521226e2
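Review bot: the new BLAKE2s and SHA512 values for `bind-9.20.12.tar.xz` only record what was downloaded when the checksums were regenerated, so it is worth confirming that the tarball was checked against ISC's published signature before these lines were committed. Also, `SHA1 (patch-configure.ac)` is unchanged context here, which is fine only if that patch still applies cleanly to the 9.20.12 `configure.ac`; a clean extract-and-patch run would confirm it.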

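The upstream notes above deprecate RSASHA1, RSASHA1-NSEC3-SHA1 and DS digest type 1. As an added example (not part of the commit or of BIND), the following check scans DNSSEC records in presentation format and flags those parameters. It assumes one record per line with an explicit owner name, as `dig +noall +answer` prints them; the function name and the sample records are constructed for illustration.

```python
# Added example: flag the DNSSEC parameters BIND 9.20.12 now warns about.
DEPRECATED_ALGS = {"5": "RSASHA1", "7": "RSASHA1-NSEC3-SHA1"}  # IANA algorithm numbers
MNEMONICS = {"RSASHA1": "5", "NSEC3RSASHA1": "7", "RSASHA1-NSEC3-SHA1": "7"}
KEY_TYPES, DS_TYPES = ("DNSKEY", "CDNSKEY"), ("DS", "CDS")


def find_deprecated(zone_text):
    """Return (owner, rrtype, finding) tuples for deprecated records.

    Assumes one record per line with an explicit owner name; multi-line
    (parenthesised) records are not handled.
    """
    findings = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip comments, tokenise
        # The type token follows owner and optional TTL/class; RDATA comes after it.
        idx = next((i for i, f in enumerate(fields[1:], 1)
                    if f.upper() in KEY_TYPES + DS_TYPES), None)
        if idx is None or len(fields) < idx + 4:
            continue
        owner, rrtype, rdata = fields[0], fields[idx].upper(), fields[idx + 1:]
        # DNSKEY: flags protocol algorithm key; DS: keytag algorithm digest-type digest
        alg = rdata[2] if rrtype in KEY_TYPES else rdata[1]
        alg = MNEMONICS.get(alg.upper(), alg)
        if alg in DEPRECATED_ALGS:
            findings.append((owner, rrtype, f"algorithm {alg} ({DEPRECATED_ALGS[alg]})"))
        if rrtype in DS_TYPES and rdata[2] == "1":
            findings.append((owner, rrtype, "digest type 1 (SHA-1)"))
    return findings


# Constructed sample records (keys and digests are placeholders, not real data).
SAMPLE = """\
example.test.       3600 IN DNSKEY 257 3 5 AwEAAcPLACEHOLDER
example.test.       3600 IN DNSKEY 256 3 13 cGxhY2Vob2xkZXI=
child.example.test. 3600 IN DS 12345 13 1 0123456789ABCDEF0123456789ABCDEF01234567
child.example.test. 3600 IN DS 12345 13 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
old.example.test.   3600 IN CDS 2222 NSEC3RSASHA1 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF ; constructed
"""

if __name__ == "__main__":
    for owner, rrtype, finding in find_deprecated(SAMPLE):
        print(f"{owner} {rrtype}: {finding}")
```

A DS or CDS record is reported twice when it both references a deprecated key algorithm and uses digest type 1, since each needs its own migration step.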
