pkgsrc-WIP-changes archive


bind920: update to BIND version 9.20.24.



Module Name:	pkgsrc-wip
Committed By:	Havard Eidnes <he%NetBSD.org@localhost>
Pushed By:	he
Date:		Fri Jun 19 11:09:56 2026 +0200
Changeset:	c4f028ceffaefbd48bf68a045a0e980111751ab6

Modified Files:
	bind920/Makefile
	bind920/distinfo

Log Message:
bind920: update to BIND version 9.20.24.

Pkgsrc changes:
 * Version bump, checksums.

Upstream changes:

Removed Features
~~~~~~~~~~~~~~~~

- Remove ineffective TCP fallback after repeated UDP timeouts.

  When an authoritative server failed to respond to two consecutive UDP
  queries, :iscman:`named` marked the next retry as TCP but still sent
  it over UDP, producing misleading dnstap records. The ineffective
  retry path has been removed; a corrected TCP fallback will be restored
  in future BIND 9 versions. :gl:`#5529`

Feature Changes
~~~~~~~~~~~~~~~

- Fall back to TCP on receipt of a UDP response with a mismatched query ID.

  BIND used to wait silently for the correct DNS message ID on a UDP
  fetch, even after receiving a response from the expected server with
  the wrong ID, leaving room for off-path spoofing attempts to keep
  guessing within that window.  The resolver now retries the fetch over
  TCP on the first such response, and a new ``MismatchTCP`` statistics
  counter tracks how often the fallback fires. :gl:`#5449`

- Limit the number of glue records cached from a referral.

  When a delegation response contained many glue addresses per listed
  nameserver, all of them were cached without a per-nameserver bound,
  inflating resolver cache memory beyond what resolution could ever use.
  The cache now keeps at most 20 IPv4 and 20 IPv6 glue addresses per
  nameserver from a delegation. :gl:`#5701`

- Fix a resolver stall on a CNAME response to a DS query.

  A validating resolver could stall for about twelve seconds and then
  return SERVFAIL when an authoritative server answered a DS query with
  a CNAME. Such responses are now rejected promptly, so the query fails
  quickly instead of hanging. :gl:`#5878`

Bug Fixes
~~~~~~~~~

- The resolver now removes other RRsets at the same name when caching a
  CNAME.

  When an RRset is in stale cache and the authoritative server changes
  the record type to CNAME, the resolver fails to refresh the stale
  cache. This has been fixed. :gl:`#5302`

- Fix :any:`nxdomain-redirect` combined with :any:`dns64`.

  When a resolver was configured with both :any:`nxdomain-redirect` and
  :any:`dns64` in the same view, an AAAA query for a nonexistent name
  could abort :iscman:`named`. The combination failed whenever the
  redirect zone held A records but no AAAA records.  The server now
  serves the empty AAAA response from the redirect zone as-is, instead
  of attempting DNS64 synthesis on top of it. :gl:`#5789`

- Fix DNS64 owner case after DNAME restart.

  When BIND 9 was configured to use DNS64 and encountered a DNAME
  redirect, it could end up using freed memory for the DNS response
  owner name. This caused the response to contain corrupted data. This
  fix ensures the correct owner name is used when constructing the
  synthesized response after a DNAME redirect. :gl:`#5934`

- Clear REDIRECT flag when it isn't needed.

  When :any:`nxdomain-redirect` is in use, and a recursive query is used
  to get the redirected answer, a flag is set to distinguish it from a
  normal recursive response. Previously, that flag was left set
  afterward, which could trigger an assertion if a normal recursive
  query was sent later on behalf of the same client: for example,
  because the :any:`filter-aaaa` plugin was in use.  This has been
  fixed. :gl:`#5936`

- Disable output escaping in ``bind9.xsl``.

  The statistics charts were not displaying on some browsers. This has
  been fixed. :gl:`#5990`

- Fix crash on badly configured secondary signer.

  A badly configured secondary signer that was missing the ``file``
  entry caused the server to crash, rather than to reject the
  configuration. This has been fixed. :gl:`#5993`

- Fix a possible crash on concurrent TKEY DELETE for the same key.

  On a server configured with :any:`tkey-gssapi-keytab`, an
  authenticated peer could crash :iscman:`named` by sending two TKEY
  DELETE requests for the same dynamic key in rapid succession.  This
  has been fixed. :gl:`#6001`

- Reject RRSIG records covering meta-types.

  A recursive resolver could accept and cache an RRSIG record whose
  Type-Covered field named a meta-type (ANY, AXFR, IXFR, MAILA, MAILB),
  even though no real RRset of those types ever exists. Such records are
  now rejected by the DNS message parser. :gl:`#6002`

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=c4f028ceffaefbd48bf68a045a0e980111751ab6

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 bind920/Makefile | 2 +-
 bind920/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diffs:
diff --git a/bind920/Makefile b/bind920/Makefile
index 06164a3577..3f3068c1c4 100644
--- a/bind920/Makefile
+++ b/bind920/Makefile
@@ -15,7 +15,7 @@ CONFLICTS+=	host-[0-9]*
 
 MAKE_JOBS_SAFE=	no
 
-BIND_VERSION=	9.20.23
+BIND_VERSION=	9.20.24
 
 BUILD_DEFS+=	BIND_DIR VARBASE
 
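Review bot: `BIND_VERSION= 9.20.24` is the only Makefile line touched, so a PKGREVISION set anywhere outside the context shown here would carry over onto the new upstream version. If the Makefile has one, drop it in the same commit as the version bump.
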
diff --git a/bind920/distinfo b/bind920/distinfo
index 04d3e2e06e..8a9565f52e 100644
--- a/bind920/distinfo
+++ b/bind920/distinfo
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.20 2024/07/23 13:50:32 taca Exp $
 
-BLAKE2s (bind-9.20.23.tar.xz) = 76c1af8f6e547e8db569ab88580e4301d72300f4d93e89f3cc8703332e40e687
-SHA512 (bind-9.20.23.tar.xz) = fce8a69620c15223e54dd197c09c7b00c165e5e3a5b2f62b241f589be5675c581029cf750caa8ed1f1fcb0faf293df04e77c494c205bab89d6d01153395bf4cb
-Size (bind-9.20.23.tar.xz) = 5837532 bytes
+BLAKE2s (bind-9.20.24.tar.xz) = 0326c6add2f13058158b64de4f1dca95ef3af5545d713db72c80925cda8eb2e4
+SHA512 (bind-9.20.24.tar.xz) = 6e163d483a45a71d979c0c4fc9778e22f6fc158ab3dff460d84fa60391689c2f6e62ec179500718bcad27547728910ee17de2d10ef1936018a8958138e9c146c
+Size (bind-9.20.24.tar.xz) = 5854912 bytes
 SHA1 (patch-configure.ac) = d3b9bb82c8e164135b93a76d5c53ad40521226e2
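
Review bot: The new BLAKE2s, SHA512 and Size lines for bind-9.20.24.tar.xz only record what was fetched, and neither the hunk nor the log says the tarball was checked against upstream's release signature; confirm that before these digests become the reference every later fetch is compared to. The unchanged `SHA1 (patch-configure.ac)` context line also means the existing patch is assumed to still apply to 9.20.24, which is worth stating in the log.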


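The check described in the "Reject RRSIG records covering meta-types" entry of the log message above, as an added example (not BIND's code and not part of this commit): it walks a DNS message in wire format and reports RRSIG records whose Type Covered field is one of the five meta-types. The function names and the sample message are constructed for illustration.

```python
import struct

# Meta-types named in the log entry; type codes per the IANA DNS registry.
META_TYPES = {251: "IXFR", 252: "AXFR", 253: "MAILB", 254: "MAILA", 255: "ANY"}
RRSIG, RRSIG_FIXED = 46, 18   # type code; RDATA bytes before the signer name

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while off < len(msg):
        n = msg[off]
        if n & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        if n & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + n
        if n == 0:                    # root label ends the name
            return off
    raise ValueError("truncated name")

def meta_rrsigs(msg):
    """Return [(record_index, covered_type)] for RRSIGs covering a meta-type."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):               # questions: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    hits = []
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen             # off now points at the next record
        if off > len(msg):
            raise ValueError("truncated RDATA")
        if rtype == RRSIG:
            if rdlen < RRSIG_FIXED:
                raise ValueError("short RRSIG")
            covered = struct.unpack_from("!H", msg, off - rdlen)[0]  # Type Covered
            if covered in META_TYPES:
                hits.append((i, META_TYPES[covered]))
    return hits

# Constructed sample response: A record, RRSIG(A), RRSIG(ANY); signatures zeroed.
def make_rr(rtype, rdata):
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
def make_rrsig(covered):
    fixed = struct.pack("!HBBIIIH", covered, 13, 2, 300, 0, 0, 12345)
    return make_rr(RRSIG, fixed + b"\x07example\x00" + bytes(64))

SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 3, 0, 0)
          + b"\x03www\x07example\x00" + struct.pack("!HH", 1, 1)
          + make_rr(1, bytes([192, 0, 2, 1])) + make_rrsig(1) + make_rrsig(255))
```

`meta_rrsigs(SAMPLE)` reports only the third record; the RRSIG covering the real A RRset passes.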