bind920: update to BIND version 9.20.18.

[Havard Eidnes (via pkgsrc-wip) <commit-notify%pkgsrc.org@localhost>]

Module Name:	pkgsrc-wip
Committed By:	Havard Eidnes <he%NetBSD.org@localhost>
Pushed By:	he
Date:		Wed Jan 21 16:07:48 2026 +0100
Changeset:	3f19060969fa19b7ed127ab346469f3eb65cb3f1

Modified Files:
	bind920/Makefile
	bind920/distinfo

Log Message:
bind920: update to BIND version 9.20.18.

Pkgsrc changes:
 * Version bump, checksums.

Upstream changes:

BIND 9.20.18
------------

Security Fixes
~~~~~~~~~~~~~~

- [CVE-2025-13878] Fix incorrect length checks for BRID and HHIT
  records. ``d4c0d61701``

  Malformed BRID and HHIT records could trigger an assertion failure.
  This has been fixed.

  ISC would like to thank Vlatko Kosturjak from Marlink Cyber for
  bringing this vulnerability to our attention. :gl:`#5616`

Feature Changes
~~~~~~~~~~~~~~~

- Support compilation with cmocka 2.0.0+ ``bb9234c6ce``

  The `assert_in_range()` function was deprecated in favor of
  `assert_int_in_range()` and `assert_uint_in_range()`. Add
  compatibility shims for cmocka<2.0.0 and use the new functions.
  :gl:`#5699` :gl:`!11437`

- Add more information to the rndc recursing output about fetches.
  ``9766feb4df``

  This adds more information about the active fetches for debugging and
  diagnostic purposes. :gl:`!11358`

Bug Fixes
~~~~~~~~~

- Make key rollovers more robust. ``7a70d05b5d``

  A manual rollover when the zone is in an invalid DNSSEC state causes
  predecessor keys to be removed too quickly. Additional safeguards to
  prevent this have been added. DNSSEC records will not be removed from
  the zone until the underlying state machine has moved back into a
  valid DNSSEC state. :gl:`#5458` :gl:`!11329`

- Fix a catalog zones issue when a member zone could fail to load.
  ``95cbc2c327``

  A catalog zone's member zone could fail to load in some rare cases,
  when the internally generated zone configuration string was exceeding
  512 bytes. That condition only was not enough for the issue to arise,
  but it was a necessary condition. This could happen, for example, if
  the catalog zone's default primary servers list contained a large
  number of items. This has been fixed. :gl:`#5658` :gl:`!11349`

- Allow glue in delegations with QTYPE=ANY. ``441158ac18``

  When a query for type ANY triggered a delegation response, all
  additional data was omitted from the response, including mandatory
  glue. This has been corrected. :gl:`#5659` :gl:`!11283`

- Adding NSEC3 opt-out records could leave invalid records in chain.
  ``1b90296e1f``

  When creating an NSEC3 opt-out chain, a node in the chain could be
  removed too soon, causing the previous NSEC3 being unable to be found,
  resulting in invalid NSEC3 records to be left in the zone. This has
  been fixed. :gl:`#5671` :gl:`!11340`

- Fix slow speed of NSEC3 optout large delegation zone signing.
  ``88f915b77b``

  BIND 9.20 takes much more time signing a large delegation zone with
  NSEC3 optout compared to version 9.18. This has been restored.
  :gl:`#5672` :gl:`!11362`

- Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid.
  ``1d0e19c612``

  A zone that is signed with NSEC3, opt-out enabled, and then
  reconfigured to use NSEC, causes the zone to be published with missing
  NSEC records. This has been fixed. :gl:`#5679` :gl:`!11401`

- Fix a possible catalog zone issue during reconfiguration.
  ``911b45b2b3``

  The :iscman:`named` process could terminate unexpectedly during
  reconfiguration when a catalog zone update was taking place at the
  same time. This has been fixed. :gl:`!11386`

- Fix the charts in the statistics channel. ``7c7b01dd65``

  The charts in the statistics channel could sometimes fail to render in
  the browser, and were completely disabled for Mozilla-based browsers
  for historical reasons. This has been fixed. :gl:`!11364`

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=3f19060969fa19b7ed127ab346469f3eb65cb3f1

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 bind920/Makefile | 2 +-
 bind920/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diffs:
diff --git a/bind920/Makefile b/bind920/Makefile
index 83b1d2ce06..4156442c41 100644
--- a/bind920/Makefile
+++ b/bind920/Makefile
@@ -15,7 +15,7 @@ CONFLICTS+=	host-[0-9]*
 
 MAKE_JOBS_SAFE=	no
 
-BIND_VERSION=	9.20.17
+BIND_VERSION=	9.20.18
 
 BUILD_DEFS+=	BIND_DIR VARBASE
 
diff --git a/bind920/distinfo b/bind920/distinfo
index 97dafe054b..55596fae68 100644
--- a/bind920/distinfo
+++ b/bind920/distinfo
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.20 2024/07/23 13:50:32 taca Exp $
 
-BLAKE2s (bind-9.20.17.tar.xz) = 7f770fde2ce7cdfb6aaf614f1035aa787a1492f7211f694ec666e154e92a15ce
-SHA512 (bind-9.20.17.tar.xz) = bb082ce45336a190d72e9caf35fc0e4647d6cb3fb117d4b8ff6fd477157db9b3291ac652fd1faad95ac892feb722d50ef738f6d46a6cd30cf6a671f4d422330e
-Size (bind-9.20.17.tar.xz) = 5767060 bytes
+BLAKE2s (bind-9.20.18.tar.xz) = 179ade278f5ebdf44788398a187f22fddcbfbde2eb1f79f144df297e325fcd07
+SHA512 (bind-9.20.18.tar.xz) = d5b55aa40d9ed8e1744af2a64bd2ce34ea04e51f340bbee3c6149c6fe4bd9ee897902b857b3fbcfb48f7b238e439f88f5c883b54d6f8f44ff5ab3f5e4d48bd06
+Size (bind-9.20.18.tar.xz) = 5775248 bytes
 SHA1 (patch-configure.ac) = d3b9bb82c8e164135b93a76d5c53ad40521226e2