pkgsrc-WIP-changes archive


bind920: update to BIND version 9.20.15:

Module Name:	pkgsrc-wip
Committed By:	Havard Eidnes <he%NetBSD.org@localhost>
Pushed By:	he
Date:		Thu Oct 23 15:51:06 2025 +0000
Changeset:	ec03b0530015afa7fc6a6117d2c8de036387f006

Modified Files:
	bind920/Makefile
	bind920/PLIST
	bind920/distinfo

Log Message:
bind920: update to BIND version 9.20.15:

Pkgsrc changes:
 * Version bump, PLIST fix + checksums.

Upstream changes:

BIND 9.20.15
------------

Security Fixes
~~~~~~~~~~~~~~

- [CVE-2025-8677] DNSSEC validation fails if matching but invalid DNSKEY
  is found. ``0d676bf9f23``

  Previously, if a matching but cryptographically invalid key was
  encountered during DNSSEC validation, the key was skipped and not
  counted towards validation failures. :iscman:`named` now treats such
  DNSSEC keys as hard failures and the DNSSEC validation fails
  immediately, instead of continuing with the next DNSKEYs in the RRset.

  ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One
  Security and Privacy Laboratory at Nankai University for bringing this
  vulnerability to our attention. :gl:`#5343`

- [CVE-2025-40778] Address various spoofing attacks. ``23de94fd236``

  Previously, several issues could be exploited to poison a DNS cache
  with spoofed records for zones which were not DNSSEC-signed or if the
  resolver was configured to not do DNSSEC validation. These issues were
  assigned CVE-2025-40778 and have now been fixed.

  As an additional layer of protection, :iscman:`named` no longer
  accepts DNAME records or extraneous NS records in the AUTHORITY
  section unless these are received via spoofing-resistant transport
  (TCP, UDP with DNS cookies, TSIG, or SIG(0)).

  ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
  Duan from Tsinghua University for bringing this vulnerability to our
  attention. :gl:`#5414`

- [CVE-2025-40780] Cache-poisoning due to weak pseudo-random number
  generator. ``34af35c2df8``

  It was discovered during research for an upcoming academic paper that
  a xoshiro128\*\* internal state can be recovered by an external 3rd
  party, allowing the prediction of UDP ports and DNS IDs in outgoing
  queries. This could lead to an attacker spoofing the DNS answers with
  great efficiency and poisoning the DNS cache.

  The internal random generator has been changed to a cryptographically
  secure pseudo-random generator.

  ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from
  Hebrew University of Jerusalem for bringing this vulnerability to our
  attention. :gl:`#5484`

New Features
~~~~~~~~~~~~

- Add dnssec-policy keys configuration check to named-checkconf.
  ``1f5a0405f72``

  A new option `-k` is added to `named-checkconf` that allows checking
  the `dnssec-policy` `keys` configuration against the configured key
  stores. If the found key files are not in sync with the given
  `dnssec-policy`, the check will fail.

  This is useful to run before migrating to `dnssec-policy`. :gl:`#5486`
  :gl:`!11011`

Feature Changes
~~~~~~~~~~~~~~~

- Minor refactor of dst code. ``c6acbaa020b``

  Convert the defines to enums. Initialize the tags more explicitly and
  in a less ugly way. :gl:`!11038`

Bug Fixes
~~~~~~~~~

- Use signer name when disabling DNSSEC algorithms. ``986816baa74``

  ``disable-algorithms`` could cause DNSSEC validation failures when the
  parent zone was signed with the algorithms that were being disabled
  for the child zone. This has been fixed; `disable-algorithms` now
  works on a whole-of-zone basis.

  If the zone's name is at or below the ``disable-algorithms`` name the
  algorithm is disabled for that zone, using deepest match when there
  are multiple ``disable-algorithms`` clauses.  :gl:`#5165` :gl:`!11014`

- Rndc sign during ZSK rollover will now replace signatures.
  ``d2f551140cd``

  When performing a ZSK rollover, if the new DNSKEY is omnipresent, the
  :option:`rndc sign` command now signs the zone completely with the
  successor key, replacing all zone signatures from the predecessor key
  with new ones. :gl:`#5483` :gl:`!11017`

- Missing DNSSEC information when CD bit is set in query.
  ``968a6be41fb``

  The RRSIGs for glue records were not being cached correctly for CD=1
  queries.  This has been fixed. :gl:`#5502` :gl:`!10956`

- Preserve cache when reload fails and reload the server again.
  ``975aeda10b4``

  Fixes an issue where failing to reconfigure/reload the server would
  prevent the views' caches from being preserved on the subsequent server
  reconfiguration/reload. :gl:`#5523` :gl:`!10988`

- Check plugin config before registering. ``e2260b80702``

  In `named_config_parsefile()`, when checking the validity of
  `named.conf`, the checking of plugin correctness was deliberately
  postponed until the plugin is loaded and registered. However, the
  checking was never actually done: the `plugin_register()`
  implementation was called, but `plugin_check()` was not.

  `ns_plugin_register()` (used by `named`) now calls the check function
  before the register function, and aborts if either one fails.
  `ns_plugin_check()` (used by `named-checkconf`) calls only the check
  function. :gl:`!11032`

BIND 9.20.14
------------

.. note::

   The BIND 9.20.14 release was withdrawn after the discovery of a
   regression in a security fix in it during pre-release testing.

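The ``disable-algorithms`` fix above (match on the RRSIG signer name, deepest clause wins) as an added model, not code from BIND or from this commit. It assumes clauses are given as a mapping from a DNS name to the set of algorithm numbers disabled at and below it, and that only the deepest matching clause applies; the ``rrsig_usable`` helper and the example zone names are constructed for illustration.

```python
from typing import Optional

# Added illustration of BIND's disable-algorithms matching; the clause
# layout and the owner-vs-signer switch are assumptions made for this model.


def _labels(name: str) -> list:
    """Split a DNS name into lowercased labels; "." and "" give an empty list."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def is_at_or_below(name: str, ancestor: str) -> bool:
    """True if ``name`` equals ``ancestor`` or lies beneath it, compared label-wise
    (so "notexample.com." is NOT below "example.com.")."""
    n, a = _labels(name), _labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


def deepest_clause(name: str, clauses: dict) -> Optional[str]:
    """Return the covering clause with the most labels, or None if none covers ``name``."""
    matches = [c for c in clauses if is_at_or_below(name, c)]
    return max(matches, key=lambda c: len(_labels(c)), default=None)


def algorithm_disabled(name: str, algorithm: int, clauses: dict) -> bool:
    """Only the deepest matching clause decides; shallower clauses are not unioned in."""
    clause = deepest_clause(name, clauses)
    return clause is not None and algorithm in clauses[clause]


# Constructed configuration: algorithm 5 (RSASHA1) disabled at and below
# example.com., algorithm 13 additionally at and below sub.example.com.
CLAUSES = {"example.com.": {5}, "sub.example.com.": {13}}


def rrsig_usable(owner: str, signer: str, algorithm: int, use_signer: bool) -> bool:
    """Decide whether an RRSIG may be used for validation.

    use_signer=False models the pre-fix behaviour (the owner name of the
    signed RRset is matched), use_signer=True the fixed behaviour (the
    RRSIG signer name is matched). The DS record for example.com. is owned
    by example.com. but signed by the parent com., which is where the two
    behaviours diverge.
    """
    return not algorithm_disabled(signer if use_signer else owner, algorithm, CLAUSES)
```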
To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=ec03b0530015afa7fc6a6117d2c8de036387f006

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 bind920/Makefile | 2 +-
 bind920/PLIST    | 1 -
 bind920/distinfo | 6 +++---
 3 files changed, 4 insertions(+), 5 deletions(-)

diffs:
diff --git a/bind920/Makefile b/bind920/Makefile
index dc3b6bcfbf..db82059545 100644
--- a/bind920/Makefile
+++ b/bind920/Makefile
@@ -15,7 +15,7 @@ CONFLICTS+=	host-[0-9]*
 
 MAKE_JOBS_SAFE=	no
 
-BIND_VERSION=	9.20.13
+BIND_VERSION=	9.20.15
 
 BUILD_DEFS+=	BIND_DIR VARBASE
 
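Review bot: BIND_VERSION jumps from 9.20.13 straight to 9.20.15, which is consistent with the log message's note that 9.20.14 was withdrawn, but the "Pkgsrc changes" line should say so explicitly so the skipped version does not read as an oversight. Since this is a new upstream version, any PKGREVISION set elsewhere in the Makefile (not visible in this hunk) should be dropped in the same commit.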
diff --git a/bind920/PLIST b/bind920/PLIST
index 5fb2c0cec6..2ac9d95d0d 100644
--- a/bind920/PLIST
+++ b/bind920/PLIST
@@ -144,7 +144,6 @@ include/isc/crc64.h
 include/isc/dir.h
 include/isc/dnsstream.h
 include/isc/endian.h
-include/isc/entropy.h
 include/isc/errno.h
 include/isc/error.h
 include/isc/file.h
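Review bot: the PLIST change removes the installed public header include/isc/entropy.h, yet the log message only says "PLIST fix"; name the dropped header in the commit message, and check packages that build against the bind920 headers before this lands, since anything that includes isc/entropy.h will no longer compile against 9.20.15.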
diff --git a/bind920/distinfo b/bind920/distinfo
index 9bf445a7d3..bde31ec23e 100644
--- a/bind920/distinfo
+++ b/bind920/distinfo
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.20 2024/07/23 13:50:32 taca Exp $
 
-BLAKE2s (bind-9.20.13.tar.xz) = d91eff7a1c1527df32852b3f6daabb85e25d17eb322e5470ebc43b37c98ea28b
-SHA512 (bind-9.20.13.tar.xz) = 2e4be2153f80f60b97c0854ce69e5eb5c343713f5544ef6b9b9229d1ba65ba13e092c17170ae5ae328a97d0ccd8cb7c8cc8259baea70827a841d251423bc0a1c
-Size (bind-9.20.13.tar.xz) = 5762540 bytes
+BLAKE2s (bind-9.20.15.tar.xz) = a9f184b388370068ddb2317417750e5261af5ff0c311ad528c0e9648cd308447
+SHA512 (bind-9.20.15.tar.xz) = 087d7114279274898fdc846d50216167e0895d83c3fa01372cd5f1b9a106a1ed1b4ca588d86543da8c299577f4a6762713680b8e114514badb43b03d2a0fac82
+Size (bind-9.20.15.tar.xz) = 5765964 bytes
 SHA1 (patch-configure.ac) = d3b9bb82c8e164135b93a76d5c53ad40521226e2
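Review bot: the new BLAKE2s, SHA512 and Size entries for bind-9.20.15.tar.xz should be confirmed against ISC's published release signature rather than only regenerated with `make distinfo`, because this tarball carries three CVE fixes and these checksums are what every downstream build will trust. The unchanged SHA1 for patch-configure.ac implies the local patch still applies; a short note in the log that it applied cleanly to 9.20.15 would make that explicit.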

