![[BACK]](/icons/back.gif){kind=icon}
Up to [cvs.NetBSD.org] / pkgsrc / net / bind99
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.17, Sun Sep 23 14:31:10 2018 UTC (5 years, 2 months ago) by taca
Branch: MAIN
CVS Tags: HEAD
Changes since 1.16: +1 -1
lines
FILE REMOVED
net/bind99: remove bind99 Remove bind99 from pkgsrc since BIND 9.9 became EOL on 30 June 2018.
Revision 1.16 / (download) - annotate - [select for diffs], Sat Mar 24 15:03:54 2018 UTC (5 years, 8 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base,
pkgsrc-2018Q2,
pkgsrc-2018Q1-base,
pkgsrc-2018Q1
Changes since 1.15: +2 -1
lines
Diff to previous 1.15 (colored)
net/bind99: update to 9.9.12 New maintenance releases in the 9.9, 9.10, 9.11, and 9.12 branches of BIND are now available. Release notes can be found with the releases or in the ISC Knowledge Base: 9.9.12: https://kb.isc.org/article/AA-01596/0/9.9.12-Notes.html 9.10.7: https://kb.isc.org/article/AA-01595/0/9.10.7-Notes.html 9.11.3: https://kb.isc.org/article/AA-01597/0/9.11.3-Notes.html 9.12.1: https://kb.isc.org/article/AA-01598/0/9.12.1-Notes.html Users who are migrating an existing BIND configuration to these new versions should take special note of two changes in the behavior of the "update-policy" statement which slightly change the behavior of two update-policy options. The first such change is discussed in greater length in the BIND Operational Notification issued today: https://kb.isc.org/article/AA-01599/update-policy-local-was-named-misleadingly The second change to update-policy behavior concerns this change: "update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. Previously, if the name field was omitted from the rule declaration but a type list was present, it wouldn't be interpreted as expected." which is a correction to an ambiguous case that was previously allowed, but which was capable of causing unexpected results when accidentally applied. The new requirement eliminates is intended to eliminate the confusion, which previously caused some operators to misapply security policies. However, due to the new requirement, named configuration files that relied on the previous behavior will no longer be accepted. These changes should not affect most operators, even those using "update-policy" to define Dynamic DNS permissions, but we would like to draw your attention to them so that operators are informed about the new behaviors.
Revision 1.15 / (download) - annotate - [select for diffs], Mon Jan 1 22:29:46 2018 UTC (5 years, 11 months ago) by rillig
Branch: MAIN
Changes since 1.14: +2 -2
lines
Diff to previous 1.14 (colored)
Sort PLIST files. Unsorted entries in PLIST files have generated a pkglint warning for at least 12 years. Somewhat more recently, pkglint has learned to sort PLIST files automatically. Since pkglint 5.4.23, the sorting is only done in obvious, simple cases. These have been applied by running: pkglint -Cnone,PLIST -Wnone,plist-sort -r -F
Revision 1.14 / (download) - annotate - [select for diffs], Mon Jul 31 13:42:06 2017 UTC (6 years, 4 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base,
pkgsrc-2017Q4,
pkgsrc-2017Q3-base,
pkgsrc-2017Q3
Changes since 1.13: +2 -2
lines
Diff to previous 1.13 (colored)
Update bind99 to 9.9.11.
Here is release note except security (already fixed by bind-9.9.10pl3, BIND
9.9.10-P3).
Release Notes for BIND Version 9.9.11
Introduction
This document summarizes significant changes since the last production
release of BIND on the corresponding major release branch. Please see
the CHANGES file for a further list of bug fixes and other changes.
Download
The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
New DNSSEC Root Key
ICANN is in the process of introducing a new Key Signing Key (KSK) for
the global root zone. BIND has multiple methods for managing DNSSEC
trust anchors, with somewhat different behaviors. If the root key is
configured using the managed-keys statement, or if the pre-configured
root key is enabled by using dnssec-validation auto, then BIND can keep
keys up to date automatically. Servers configured in this way should
have begun the process of rolling to the new key when it was published
in the root zone in July 2017. However, keys configured using the
trusted-keys statement are not automatically maintained. If your server
is performing DNSSEC validation and is configured using trusted-keys,
you are advised to change your configuration before the root zone
begins signing with the new KSK. This is currently scheduled for
October 11, 2017.
This release includes an updated version of the bind.keys file
containing the new root key. This file can also be downloaded from
https://www.isc.org/bind-keys .
Windows XP No Longer Supported
As of BIND 9.9.11, Windows XP is no longer a supported platform for
BIND, and Windows XP binaries are no longer available for download from
ISC.
Feature Changes
* Threads in named are now set to human-readable names to assist
debugging on operating systems that support that. Threads will have
names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so
on. This will affect the reporting of subsidiary thread names in ps
and top, but not the main thread. [RT #43234]
* DiG now warns about .local queries which are reserved for Multicast
DNS. [RT #44783]
Bug Fixes
* Fixed a bug that was introduced in an earlier development release
which caused multi-packet AXFR and IXFR messages to fail validation
if not all packets contained TSIG records; this caused
interoperability problems with some other DNS implementations. [RT
#45509]
* Semicolons are no longer escaped when printing CAA and URI records.
This may break applications that depend on the presence of the
backslash before the semicolon. [RT #45216]
* AD could be set on truncated answer with no records present in the
answer and authority sections. [RT #45140]
End of Life
BIND 9.9 (Extended Support Version) will be supported until at least
June, 2018. https://www.isc.org/downloads/software-support-policy/
Revision 1.13 / (download) - annotate - [select for diffs], Sat Apr 22 16:07:43 2017 UTC (6 years, 7 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base,
pkgsrc-2017Q2
Changes since 1.12: +3 -2
lines
Diff to previous 1.12 (colored)
Update bind99 to 9.9.10 (BIND 9.9.10). This is maintenance release and please refer release announce in detail: https://kb.isc.org/article/AA-01489.
Revision 1.12 / (download) - annotate - [select for diffs], Fri Feb 24 15:46:14 2017 UTC (6 years, 9 months ago) by fhajny
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base,
pkgsrc-2017Q1
Changes since 1.11: +2 -1
lines
Diff to previous 1.11 (colored)
Fix bind.keys PLIST handling, thanks joerg@ for the notice.
Revision 1.11 / (download) - annotate - [select for diffs], Mon May 2 13:22:06 2016 UTC (7 years, 7 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base,
pkgsrc-2016Q4,
pkgsrc-2016Q3-base,
pkgsrc-2016Q3,
pkgsrc-2016Q2-base,
pkgsrc-2016Q2
Changes since 1.10: +4 -1
lines
Diff to previous 1.10 (colored)
Update bind99 to 9.9.9 (BIND 9.9.9).
All Security Fixes should be fixed by 9.9.8-P4.
Security Fixes
* The resolver could abort with an assertion failure due to improper
DNAME handling when parsing fetch reply messages. This flaw is
disclosed in CVE-2016-1286. [RT #41753]
* Malformed control messages can trigger assertions in named and
rndc. This flaw is disclosed in CVE-2016-1285. [RT #41666]
* Specific APL data could trigger an INSIST. This flaw is disclosed
in CVE-2015-8704. [RT #41396]
* Incorrect reference counting could result in an INSIST failure if a
socket error occurred while performing a lookup. This flaw is
disclosed in CVE-2015-8461. [RT#40945]
* Insufficient testing when parsing a message allowed records with an
incorrect class to be be accepted, triggering a REQUIRE failure
when those records were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]
New Features
* The following resource record types have been implemented: AVC,
CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK.
* Added a warning for a common misconfiguration involving forwarded
RFC 1918 and IPv6 ULA (Universal Local Address) zones.
* Contributed software from Nominum is included in the source at
contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring the
performance of authoritative DNS servers, resperf for testing the
resolution performance of a caching DNS server, resperf-report for
generating a resperf report in HTML with gnuplot graphs, and
queryparse to extract DNS queries from pcap capture files. This
software is not installed by default with BIND.
* When loading a signed zone, named will now check whether an RRSIG's
inception time is in the future, and if so, it will regenerate the
RRSIG immediately. This helps when a system's clock needs to be
reset backwards.
Feature Changes
* Updated the compiled-in addresses for H.ROOT-SERVERS.NET and
L.ROOT-SERVERS.NET.
* The default preferred glue is now the address type of the transport
the query was received over.
* On machines with 2 or more processors (CPU), the default value for
the number of UDP listeners has been changed to the number of
detected processors minus one.
* Zone transfers now use smaller message sizes to improve message
compression. This results in reduced network usage.
* named -V output now also includes operating system details.
Porting Changes
* The Microsoft Windows install tool BINDInstall.exe which requires a
non-free version of Visual Studio to be built, now uses two files
(lists of flags and files) created by the Configure perl script
with all the needed information which were previously compiled in
the binary. Read win32utils/build.txt for more details. [RT #38915]
Bug Fixes
* rndc flushtree now works even if there wasn't a cached node at the
specified name. [RT #41846]
* Don't emit records with zero TTL unless the records were received
with a zero TTL. After being returned to waiting clients, the
answer will be discarded from the cache. [RT #41687]
* When deleting records from a zone database, interior nodes could be
left empty but not deleted, damaging search performance afterward.
[RT #40997] [RT #41941]
* The server could crash due to a use-after-free if a zone transfer
timed out. [RT #41297]
* Authoritative servers that were marked as bogus (e.g. blackholed in
configuration or with invalid addresses) were being queried anyway.
[RT #41321]
Revision 1.10 / (download) - annotate - [select for diffs], Thu Feb 26 10:14:10 2015 UTC (8 years, 9 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base,
pkgsrc-2016Q1,
pkgsrc-2015Q4-base,
pkgsrc-2015Q4,
pkgsrc-2015Q3-base,
pkgsrc-2015Q3,
pkgsrc-2015Q2-base,
pkgsrc-2015Q2,
pkgsrc-2015Q1-base,
pkgsrc-2015Q1
Changes since 1.9: +5 -1
lines
Diff to previous 1.9 (colored)
Update bind99 to 9.9.7.
Security Fixes
* On servers configured to perform DNSSEC validation using managed
trust anchors (i.e., keys configured explicitly via managed-keys,
or implicitly via dnssec-validation auto; or dnssec-lookaside
auto;), revoking a trust anchor and sending a new untrusted
replacement could cause named to crash with an assertion failure.
This could occur in the event of a botched key rollover, or
potentially as a result of a deliberate attack if the attacker was
in position to monitor the victim's DNS traffic.
This flaw was discovered by Jan-Piet Mens, and is disclosed in
CVE-2015-1349. [RT #38344]
* A flaw in delegation handling could be exploited to put named into
an infinite loop, in which each lookup of a name server triggered
additional lookups of more name servers. This has been addressed by
placing limits on the number of levels of recursion named will
allow (default 7), and on the number of queries that it will send
before terminating a recursive query (default 50).
The recursion depth limit is configured via the max-recursion-depth
option, and the query limit via the max-recursion-queries option.
The flaw was discovered by Florian Maury of ANSSI, and is disclosed
in CVE-2014-8500. [RT #37580]
New Features
* None
Feature Changes
* NXDOMAIN responses to queries of type DS are now cached separately
from those for other types. This helps when using "grafted" zones
of type forward, for which the parent zone does not contain a
delegation, such as local top-level domains. Previously a query of
type DS for such a zone could cause the zone apex to be cached as
NXDOMAIN, blocking all subsequent queries. (Note: This change is
only helpful when DNSSEC validation is not enabled. "Grafted" zones
without a delegation in the parent are not a recommended
configuration.)
* NOTIFY messages that are sent because a zone has been updated are
now given priority above NOTIFY messages that were scheduled when
the server started up. This should mitigate delays in zone
propagation when servers are restarted frequently.
* Errors reported when running rndc addzone (e.g., when a zone file
cannot be loaded) have been clarified to make it easier to diagnose
problems.
* Added support for OPENPGPKEY type.
* When encountering an authoritative name server whose name is an
alias pointing to another name, the resolver treats this as an
error and skips to the next server. Previously this happened
silently; now the error will be logged to the newly-created "cname"
log category.
* If named is not configured to validate the answer then allow
fallback to plain DNS on timeout even when we know the server
supports EDNS. This will allow the server to potentially resolve
signed queries when TCP is being blocked.
Bug Fixes
* dig, host and nslookup aborted when encountering a name which,
after appending search list elements, exceeded 255 bytes. Such
names are now skipped, but processing of other names will continue.
[RT #36892]
* The error message generated when named-checkzone or named-checkconf
-z encounters a $TTL directive without a value has been clarified.
[RT #37138]
* Semicolon characters (;) included in TXT records were incorrectly
escaped with a backslash when the record was displayed as text.
This is actually only necessary when there are no quotation marks.
[RT #37159]
* When files opened for writing by named, such as zone journal files,
were referenced more than once in named.conf, it could lead to file
corruption as multiple threads wrote to the same file. This is now
detected when loading named.conf and reported as an error. [RT
#37172]
* dnssec-keygen -S failed to generate successor keys for some
algorithm types (including ECDSA and GOST) due to a difference in
the content of private key files. This has been corrected. [RT
#37183]
* UPDATE messages that arrived too soon after an rndc thaw could be
lost. [RT #37233]
* Forwarding of UPDATE messages did not work when they were signed
with SIG(0); they resulted in a BADSIG response code. [RT #37216]
* When checking for updates to trust anchors listed in managed-keys,
named now revalidates keys based on the current set of active trust
anchors, without relying on any cached record of previous
validation. [RT #37506]
* When NXDOMAIN redirection is in use, queries for a name that is
present in the redirection zone but a type that is not present will
now return NOERROR instead of NXDOMAIN.
* When a zone contained a delegation to an IPv6 name server but not
an IPv4 name server, it was possible for a memory reference to be
left un-freed. This caused an assertion failure on server shutdown,
but was otherwise harmless. [RT #37796]
* Due to an inadvertent removal of code in the previous release, when
named encountered an authoritative name server which dropped all
EDNS queries, it did not always try plain DNS. This has been
corrected. [RT #37965]
* A regression caused nsupdate to use the default recursive servers
rather than the SOA MNAME server when sending the UPDATE.
* Adjusted max-recursion-queries to better accommodate empty caches.
* Built-in "empty" zones did not correctly inherit the
"allow-transfer" ACL from the options or view. [RT #38310]
* A mutex leak was fixed that could cause named processes to grow to
very large sizes. [RT #38454]
* Fixed some bugs in RFC 5011 trust anchor management, including a
memory leak and a possible loss of state information.[RT #38458]
Revision 1.7.6.1 / (download) - annotate - [select for diffs], Wed Dec 10 09:24:28 2014 UTC (9 years ago) by tron
Branch: pkgsrc-2014Q3
Changes since 1.7: +31 -1
lines
Diff to previous 1.7 (colored) next main 1.8 (colored)
Pullup ticket #4569 - requested by taca
net/bind99: security update
Revisions pulled up:
- net/bind99/Makefile 1.39-1.40
- net/bind99/PLIST 1.8-1.9
- net/bind99/distinfo 1.25-1.26
- net/bind99/patches/patch-bin_tests_system_Makefile.in 1.5
- net/bind99/patches/patch-configure 1.9
- net/bind99/patches/patch-lib_bind9_Makefile.in deleted
- net/bind99/patches/patch-lib_dns_Makefile.in deleted
- net/bind99/patches/patch-lib_isc_Makefile.in deleted
- net/bind99/patches/patch-lib_isccc_Makefile.in deleted
- net/bind99/patches/patch-lib_isccfg_Makefile.in deleted
- net/bind99/patches/patch-lib_lwres_Makefile.in deleted
- net/bind99/patches/patch-lib_lwres_getaddrinfo.c 1.2
- net/bind99/patches/patch-lib_lwres_getnameinfo.c 1.2
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Oct 14 16:21:02 UTC 2014
Modified Files:
pkgsrc/net/bind99: Makefile PLIST distinfo
pkgsrc/net/bind99/patches: patch-bin_tests_system_Makefile.in
patch-configure patch-lib_lwres_getaddrinfo.c
patch-lib_lwres_getnameinfo.c
Removed Files:
pkgsrc/net/bind99/patches: patch-lib_bind9_Makefile.in
patch-lib_dns_Makefile.in patch-lib_isc_Makefile.in
patch-lib_isccc_Makefile.in patch-lib_isccfg_Makefile.in
patch-lib_lwres_Makefile.in
Log Message:
Update bind99 to 9.9.6.
New Features
Support for CAA record types, as described in RFC 6844 "DNS
Certification Authority Authorization (CAA) Resource Record",
was added. [RT#36625] [RT #36737]
Disallow "request-ixfr" from being specified in zone statements
where it is not valid (it is only valid for slave and redirect
zones) [RT #36608]
Support for CDS and CDNSKEY resource record types was added. For
details see the proposed Informational Internet-Draft "Automating
DNSSEC Delegation Trust Maintenance" at
http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14.
[RT #36333]
Added version printing options to various BIND utilities. [RT #26057]
[RT #10686]
On Windows, enable the Python tools "dnssec-coverage" and
"dnssec-checkds". [RT #34355]
Added a "no-case-compress" ACL, which causes named to use
case-insensitive compression (disabling change #3645) for specified
clients. (This is useful when dealing with broken client
implementations that use case-sensitive name comparisons, rejecting
responses that fail to match the capitalization of the query
that was sent.) [RT #35300]
Feature Changes
Adds RPZ SOA to the additional section of responses to clearly
indicate the use of RPZ in a manner that is intended to avoid
causing issues for downstream resolvers and forwarders [RT #36507]
rndc now gives distinct error messages when an unqualified zone
name matches multiple views vs. matching no views [RT #36691]
Improves the accuracy of dig's reported round trip times. [RT #36611]
The Windows installer now places files in the Program Files area
rather than system services. [RT #35361]
When an SPF record exists in a zone but no equivalent TXT record
does, a warning will be issued. The warning for the reverse
condition is no longer issued. See the check-spf option in the
documentation for details. [RT #36210]
"named" will now log explicitly when using rndc.key to configure
command channel. [RT #35316]
The default setting for the -U option (setting the number of UDP
listeners per interface) has been adjusted to improve performance.
[RT #35417]
Aging of smoothed round-trip time measurements is now limited
to no more than once per second, to improve accuracy in selecting
the best name server. [RT #32909]
DNSSEC keys that have been marked active but have no publication
date are no longer presumed to be publishable. [RT #35063]
Bug Fixes
The Makefile in bin/python was changed to work around a bmake
bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)
Corrected bugs in the handling of wildcard records by the DNSSEC
validator: invalid wildcard expansions could be treated as valid
if signed, and valid wildcard expansions in NSEC3 opt-out ranges
had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]
When resigning, dnssec-signzone was removing all signatures from
delegation nodes. It now retains DS and (if applicable) NSEC
signatures. [RT #36946]
The AD flag was being set inappopriately on RPZ responses. [RT #36833]
Updates the URI record type to current draft standard,
draft-faltstrom-uri-08, and allows the value field to be zero
length [RT #36642] [RT #36737]
RRSIG sets that were not loaded in a single transaction at start
up were not being correctly added to re-signing heaps. [RT #36302]
Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]
A race condition could cause a crash in isc_event_free during
shutdown. [RT #36720]
Addresses a race condition issue in dispatch. [RT #36731]
acl elements could be miscounted, causing a crash while loading
a config [RT #36675]
Corrects a deadlock between view.c and adb.c. [RT #36341]
liblwres wasn't properly handling link-local addresses in
nameserver clauses in resolv.conf. [RT #36039]
Buffers in isc_print_vsnprintf were not properly initialized
leading to potential overflows when printing out quad values.
[RT #36505]
Don't call qsort() with a null pointer, and disable the GCC 4.9
"delete null pointer check" optimizer option. This fixes problems
when using GNU GCC 4.9.0 where its compiler code optimizations
may cause crashes in BIND. For more information, see the operational
advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]
Fixed a bug that could cause repeated resigning of records in
dynamically signed zones. [RT #35273]
Fixed a bug that could cause an assertion failure after forwarding
was disabled. [RT #35979]
Fixed a bug that caused SERVFAILs when using RPZ on a system
configured as a forwarder. [RT #36060]
Worked around a limitation in Solaris's /dev/poll implementation
that could cause named to fail to start when configured to use
more sockets than the system could accomodate. [RT #35878]
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Dec 8 21:58:18 UTC 2014
Modified Files:
pkgsrc/net/bind99: Makefile PLIST distinfo
Log Message:
Update bind99 to 9.9.6p1 (BIND 9.9.6-P1).
--- 9.9.6-P1 released ---
4006. [security] A flaw in delegation handling could be exploited
to put named into an infinite loop. This has
been addressed by placing limits on the number
of levels of recursion named will allow (default 7),
and the number of iterative queries that it will
send (default 50) before terminating a recursive
query (CVE-2014-8500).
The recursion depth limit is configured via the
"max-recursion-depth" option, and the query limit
via the "max-recursion-queries" option. [RT #37580]
Revision 1.9 / (download) - annotate - [select for diffs], Mon Dec 8 21:58:18 2014 UTC (9 years ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2014Q4-base,
pkgsrc-2014Q4
Changes since 1.8: +2 -1
lines
Diff to previous 1.8 (colored)
Update bind99 to 9.9.6p1 (BIND 9.9.6-P1). --- 9.9.6-P1 released --- 4006. [security] A flaw in delegation handling could be exploited to put named into an infinite loop. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and the number of iterative queries that it will send (default 50) before terminating a recursive query (CVE-2014-8500). The recursion depth limit is configured via the "max-recursion-depth" option, and the query limit via the "max-recursion-queries" option. [RT #37580]
Revision 1.8 / (download) - annotate - [select for diffs], Tue Oct 14 16:21:02 2014 UTC (9 years, 1 month ago) by taca
Branch: MAIN
Changes since 1.7: +30 -1
lines
Diff to previous 1.7 (colored)
Update bind99 to 9.9.6. New Features Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT#36625] [RT #36737] Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones) [RT #36608] Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333] Added version printing options to various BIND utilities. [RT #26057] [RT #10686] On Windows, enable the Python tools "dnssec-coverage" and "dnssec-checkds". [RT #34355] Added a "no-case-compress" ACL, which causes named to use case-insensitive compression (disabling change #3645) for specified clients. (This is useful when dealing with broken client implementations that use case-sensitive name comparisons, rejecting responses that fail to match the capitalization of the query that was sent.) [RT #35300] Feature Changes Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders [RT #36507] rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views [RT #36691] Improves the accuracy of dig's reported round trip times. [RT #36611] The Windows installer now places files in the Program Files area rather than system services. [RT #35361] When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210] "named" will now log explicitly when using rndc.key to configure command channel. [RT #35316] The default setting for the -U option (setting the number of UDP listeners per interface) has been adjusted to improve performance. [RT #35417] Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909] DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063] Bug Fixes The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**) Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072] When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946] The AD flag was being set inappopriately on RPZ responses. [RT #36833] Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length [RT #36642] [RT #36737] RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302] Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452] A race condition could cause a crash in isc_event_free during shutdown. [RT #36720] Addresses a race condition issue in dispatch. [RT #36731] acl elements could be miscounted, causing a crash while loading a config [RT #36675] Corrects a deadlock between view.c and adb.c. [RT #36341] liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039] Buffers in isc_print_vsnprintf were not properly initialized leading to potential overflows when printing out quad values. [RT #36505] Don't call qsort() with a null pointer, and disable the GCC 4.9 "delete null pointer check" optimizer option. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968] Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273] Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979] Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060] Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accomodate. [RT #35878]
Revision 1.7 / (download) - annotate - [select for diffs], Tue Mar 11 14:05:07 2014 UTC (9 years, 9 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2014Q3-base,
pkgsrc-2014Q2-base,
pkgsrc-2014Q2,
pkgsrc-2014Q1-base,
pkgsrc-2014Q1
Branch point for: pkgsrc-2014Q3
Changes since 1.6: +1 -3
lines
Diff to previous 1.6 (colored)
Remove example rc.d scripts from PLISTs. These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or ignored otherwise.
Revision 1.6 / (download) - annotate - [select for diffs], Sun Feb 2 07:58:20 2014 UTC (9 years, 10 months ago) by taca
Branch: MAIN
Changes since 1.5: +7 -1
lines
Diff to previous 1.5 (colored)
Update bind99 to 9.9.5 (BIND 9.9.5). Security fixes were already covered by 9.9.4pl2. Some bug fixes and clean up, please refer CHANGES file in detail.
Revision 1.5 / (download) - annotate - [select for diffs], Sat Sep 21 16:00:34 2013 UTC (10 years, 2 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2013Q4-base,
pkgsrc-2013Q4,
pkgsrc-2013Q3-base,
pkgsrc-2013Q3
Changes since 1.4: +5 -1
lines
Diff to previous 1.4 (colored)
Update bind99 to 9.9.4 (BIND 9.9.4).
(CVE-2013-4854 and CVE-2013-3919 were already fixed in pkgsrc).
Security Fixes
Previously an error in bounds checking on the private type
'keydata' could be used to deny service through a deliberately
triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
Prevents exploitation of a runtime_check which can crash named
when satisfying a recursive query for particular malformed zones.
(CVE-2013-3919) [RT #33690]
New Features
Added Response Rate Limiting (RRL) functionality to reduce the
effectiveness of DNS as an amplifier for reflected denial-of-service
attacks by rate-limiting substantially-identical responses. [RT
#28130]
Feature Changes
rndc status now also shows the build-id. [RT #20422]
Improved OPT pseudo-record processing to make it easier to support
new EDNS options. [RT #34414]
"configure" now finishes by printing a summary of optional BIND
features and whether they are active or inactive. ("configure
--enable-full-report" increases the verbosity of the summary.)
[RT #31777]
Addressed compatibility issues with newer versions of Microsoft
Visual Studio. [RT #33916]
Improved the 'rndc' man page. [RT #33506]
'named -g' now no longer works with an invalid logging configuration.
[RT #33473]
The default (and minimum) value for tcp-listen-queue is now 10
instead of 3. This is a subtle control setting (not applicable
to all OS environments). When there is a high rate of inbound
TCP connections, it controls how many connections can be queued
before they are accepted by named. Once this limit is exceeded,
new TCP connections will be rejected. Note however that a value
of 10 does not imply a strict limit of 10 queued TCP connections
- the impact of changing this configuration setting will be
OS-dependent. Larger values for tcp-listen queue will permit
more pending tcp connections, which may be needed where there
is a high rate of TCP-based traffic (for example in a dynamic
environment where there are frequent zone updates and transfers).
For most production servers the new default value of 10 should
be adequate. [RT #33029]
Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e
with PKCS#11. [RT #33463]
Added logging messages on slave servers when they forward DDNS
updates to a master. [RT #33240]
Changed the logging category for RRL events from 'queries' to
'query-errors'. [RT #33540]
Bug Fixes
Fixed the "allow-query-on" option to correctly check the destination
address. [RT #34590]
Fix forwarding for forward only "zones" beneath automatic empty
zones. [RT #34583]
Fix DNSSEC auto maintenance so signatures can be removed from a
zone with only KSK keys for an algorithm. [RT #34439]
Fix DNSSEC auto maintenance so signatures from newly inactive
keys are removed (when publishing a new key while deactivating
another key at the same time). [RT #32178]
Remove bogus warning log message about missing signatures when
receiving a query for a SIG record. [RT #34600]
Fix Response Policy Zones on slave servers so new RPZ changes
take effect. [RT #34450]
Fix the "zone-statistics" option to work with the default
traditional statistics (not new "--enable-newstats" feature).
[RT #34466]
named could crash when deleting inline-signing zones with "rndc
delzone". [RT #34066]
Improved resistance to a theoretical authentication attack based
on differential timing. [RT #33939]
named was failing to answer queries during "rndc reload" [RT
#34098]
win32: Some executables had been omitted from the installer. [RT
#34116]
fixed a broken 'Invalid keyfile' error message in dnssec-keygen.
[RT #34045]
The build of BIND now installs isc/stat.h so that it's available
to /isc/file.h when building other applications that reference
these header files - for example dnsperf (see Debian bug ticket
#692467). [RT #33056]
Better handle failures building XML for stats channel responses.
[RT #33706]
Fixed a memory leak in GSS-API processing. [RT #33574]
Fixed an acache-related race condition that could cause a crash.
[RT #33602]
rndc now properly fails when given an invalid '-c' argument. [RT
#33571]
Fixed an issue with the handling of zero TTL records that could
cause improper SERVFAILs. [RT #33411]
Fixed a crash-on-shutdown race condition with DNSSEC validation.
[RT #33573]
Corrected the way that "rndc addzone" and "rndc delzone" handle
non-standard characters in zone names. [RT #33419]
Adjusted RRL behavior for recursive queries to defer rate-limiting
until after recursion is complete. Also uses correct rcode for
slipped NXDOMAIN responses. [RT #33604]
Previously, BIND could erroneously report a missing file
specification when using inline slave zones. [RT #33662]
Revision 1.4 / (download) - annotate - [select for diffs], Thu Jun 6 02:55:03 2013 UTC (10 years, 6 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2013Q2-base,
pkgsrc-2013Q2
Changes since 1.3: +2 -2
lines
Diff to previous 1.3 (colored)
Update bind99 to 9.9.3pl1 (BIND 9.9.3-P1). Please refer CHANGES file for complete changes and here is quote from release announce. Introduction BIND 9.9.3-P1 is the latest production release of BIND 9.9-ESV. Security Fixes Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690] Now supports NAPTR regular expression validation on all platforms, and avoids memory exhaustion compiling pathological regular expressions. (CVE-2013-2266) [RT #32688] Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (CVE-2012-5688) [RT #30792 / #30996] Prevents an assertion failure in named when RPZ and DNS64 are used together. (CVE-2012-5689) [RT #32141] New Features Adds a new configuration option, "check-spf"; valid values are "warn" (default) and "ignore". When set to "warn", checks SPF and TXT records in spf format, warning if either resource record type occurs without a corresponding record of the other resource record type. [RT #33355] Adds the command-line tool "dnssec-coverage" that checks to make sure that there is no scheduled lapse in key coverage. Requires python. [RT #28098] Adds support for the EUI48 and EUI64 RR types. [RT #33082] Adds support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836]
Revision 1.2.4.1 / (download) - annotate - [select for diffs], Wed Oct 10 13:48:13 2012 UTC (11 years, 2 months ago) by tron
Branch: pkgsrc-2012Q3
Changes since 1.2: +4 -1
lines
Diff to previous 1.2 (colored) next main 1.3 (colored)
Pullup ticket #3944 - requested by taca
net/bind99: security update
Revisions pulled up:
- net/bind99/Makefile 1.12-1.13
- net/bind99/PLIST 1.3
- net/bind99/distinfo 1.9
- net/bind99/patches/patch-bin_tests_system_Makefile.in 1.3
- net/bind99/patches/patch-configure 1.3
- net/bind99/patches/patch-configure.in 1.2
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Oct 3 21:59:10 UTC 2012
Modified Files:
pkgsrc/net/bind99: Makefile
Log Message:
Bump all packages that use perl, or depend on a p5-* package, or
are called p5-*.
I hope that's all of them.
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Oct 10 03:07:13 UTC 2012
Modified Files:
pkgsrc/net/bind99: Makefile PLIST distinfo
pkgsrc/net/bind99/patches: patch-bin_tests_system_Makefile.in
patch-configure patch-configure.in
Log Message:
Update bind99 to 9.9.2 (BIND 9.9.2).
Here are change changes from release note. Note security fixes except
CVE-2012-5166 should be already fixed in previous version of bind99 package.
Please refer https://kb.isc.org/article/AA-00798 for list of full bug fixes.
Security Fixes
* A deliberately constructed combination of records could cause named to hang
while populating the additional section of a response. [CVE-2012-5166] [RT
#31090]
* Prevents a named assert (crash) when queried for a record whose RDATA
exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
* Prevents a named assert (crash) when validating caused by using "Bad cache"
data before it has been initialized. [CVE-2012-3817] [RT #30025]
* A condition has been corrected where improper handling of zero-length RDATA
could cause undesirable behavior, including termination of the named
process. [CVE-2012-1667] [RT #29644]
* ISC_QUEUE handling for recursive clients was updated to address a race
condition that could cause a memory leak. This rarely occurred with UDP
clients, but could be a significant problem for a server handling a steady
rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233]
New Features
* Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are
now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-checkds" command that checks a zone to
determine which DS records should be published in the parent zone, or which
DLV records should be published in a DLV zone, and queries the DNS to ensure
that it exists. (Note: This tool depends on python; it will not be built or
installed on systems that do not have a python interpreter.) [RT #28099]
* Introduces a new tool "dnssec-verify" that validates a signed zone, checking
for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673]
* Adds configuration option "max-rsa-exponent-size <value>;" that can be used
to specify the maximum rsa exponent size that will be accepted when
validating [RT #29228]
Feature Changes
* Improves OpenSSL error logging [RT #29932]
* nslookup now returns a nonzero exit code when it is unable to get an answer.
[RT #29492]
Revision 1.3 / (download) - annotate - [select for diffs], Wed Oct 10 03:07:12 2012 UTC (11 years, 2 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2013Q1-base,
pkgsrc-2013Q1,
pkgsrc-2012Q4-base,
pkgsrc-2012Q4
Changes since 1.2: +4 -1
lines
Diff to previous 1.2 (colored)
Update bind99 to 9.9.2 (BIND 9.9.2). Here are change changes from release note. Note security fixes except CVE-2012-5166 should be already fixed in previous version of bind99 package. Please refer https://kb.isc.org/article/AA-00798 for list of full bug fixes. Security Fixes * A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090] * Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416] * Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [CVE-2012-3817] [RT #30025] * A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644] * ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 & #30233] New Features * Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918] * Introduces a new tool "dnssec-checkds" command that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.) [RT #28099] * Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673] * Adds configuration option "max-rsa-exponent-size <value>;" that can be used to specify the maximum rsa exponent size that will be accepted when validating [RT #29228] Feature Changes * Improves OpenSSL error logging [RT #29932] * nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]
Revision 1.1.1.1.2.1 / (download) - annotate - [select for diffs], Tue May 22 09:09:52 2012 UTC (11 years, 6 months ago) by tron
Branch: pkgsrc-2012Q1
Changes since 1.1.1.1: +1 -0
lines
Diff to previous 1.1.1.1 (colored) next main 1.2 (colored)
Pullup ticket #3797 - requested by taca
net/bind99/: security update
Revisions pulled up:
- net/bind99/Makefile 1.3-1.4
- net/bind99/PLIST 1.2
- net/bind99/distinfo 1.4
- net/bind99/files/named9.sh 1.2
- net/bind99/patches/patch-bin_tests_system_Makefile.in 1.2
- net/bind99/patches/patch-lib_dns_resolver.c deleted
---
Module Name: pkgsrc
Committed By: marino
Date: Sun May 20 12:00:15 UTC 2012
Modified Files:
pkgsrc/net/bind99: Makefile
pkgsrc/net/bind99/files: named9.sh
Log Message:
PR#45780 net/bind99: Fix chroot operation
DNSSEC related, bind99 needs same fix as bind98
---
Module Name: pkgsrc
Committed By: taca
Date: Tue May 22 03:31:07 UTC 2012
Modified Files:
pkgsrc/net/bind99: Makefile PLIST distinfo
pkgsrc/net/bind99/patches: patch-bin_tests_system_Makefile.in
Removed Files:
pkgsrc/net/bind99/patches: patch-lib_dns_resolver.c
Log Message:
Update biind99 package to 9.9.1.
pkgsrc change: add an comment to patches/patch-bin_tests_system_Makefile.in.
Changes from release announce:
Security Fixes
* Windows binary packages distributed by ISC are now built and linked
against OpenSSL 1.0.0i
New Features
* None
Feature Changes
* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)
[RT #28989]
* A note will be added to the README in future releases to explain
that the improved scalability provided by using multiple threads
to listen for and process queries (change 3137, RT #22992) does
not provide any performance benefit when running BIND on versions
of the linux kernel that do not include the 'lockless UDP transmit
path' changes that were incorporated in 2.6.39. (Some linux
distributors may have provided this functionality under their
own version numbering systems).
Bug Fixes
* The locking strategy around the handling of iterative queries
has been tuned to reduce unnecessary contention in a multi-threaded
environment. (Note that this may not provide a measurable
improvement over previous versions of BIND, but it corrects the
performance impact of change 3309 / RT #27995) [RT #29239]
* Addresses a race condition that can cause named to to crash when
the masters list for a zone is updated via rndc reload/reconfig
[RT #26732]
* named-checkconf now correctly validates dns64 clients acl
definitions. [RT #27631]
* Fixes a race condition in zone.c that can cause named to crash
during the processing of rndc delzone [RT #29028]
* Prevents a named segfault from resolver.c due to procedure
fctx_finddone() not being thread-safe. [RT #27995]
* Improves DNS64 reverse zone performance. [RT #28563]
* Adds wire format lookup method to sdb. [RT #28563]
* Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering
an assertion when flushing cache data. [RT #28571]
* Prevents intermittent named crashes following an rndc reload [RT
#28606]
* Resolves inconsistencies in locating DNSSEC keys where zone names
contain characters that require special mappings [RT #28600]
* A new flag -R has been added to queryperf for running tests
using non-recursive queries. It also now builds correctly on
MacOS version 10.7 (darwin) [RT #28565]
* Named no longer crashes if gssapi is enabled in named.conf but
was not compiled into the binary [RT #28338]
* SDB now handles unexpected errors from back-end database drivers
gracefully instead of exiting on an assert. [RT #28534]
* Prevents named crashes as a result of dereferencing a NULL pointer
in zmgr_start_xfrin_ifquota if the zone was being removed while
there were zone transfers still pending [RT #28419]
* Corrects a parser bug that could cause named to crash while
reading a malformed zone file. [RT #28467]
* Ensures that when a client recurses its status fields are
consistently set so that named doesn't fail on an INSIST in
client.c:exit_check. [RT #28346]
* Fixed a problem preventing proper use of 64 bit time values in
libbind. [RT # 26542]
* isccc/cc.c:table_fromwire could fail to free an allocated object
on error, leading to a possible memory leak condition. [RT #28265]
* Fixed a build error on systems without ENOTSUP. [RT #28200]
* The header file isc/hmacsha.h is now installed when building
BIND. [RT #28169]
* AAAA responses will no longer be returned in the additional
section when filter-aaaa-on-v4 is in use. (Prior to this change,
they would be returned for some query types). [RT #27292]
Revision 1.2 / (download) - annotate - [select for diffs], Tue May 22 03:31:07 2012 UTC (11 years, 6 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base,
pkgsrc-2012Q2-base,
pkgsrc-2012Q2
Branch point for: pkgsrc-2012Q3
Changes since 1.1: +2 -1
lines
Diff to previous 1.1 (colored)
Update biind99 package to 9.9.1. pkgsrc change: add an comment to patches/patch-bin_tests_system_Makefile.in. Changes from release announce: Security Fixes * Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.0i New Features * None Feature Changes * BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities) [RT #28989] * A note will be added to the README in future releases to explain that the improved scalability provided by using multiple threads to listen for and process queries (change 3137, RT #22992) does not provide any performance benefit when running BIND on versions of the linux kernel that do not include the 'lockless UDP transmit path' changes that were incorporated in 2.6.39. (Some linux distributors may have provided this functionality under their own version numbering systems). Bug Fixes * The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995) [RT #29239] * Addresses a race condition that can cause named to to crash when the masters list for a zone is updated via rndc reload/reconfig [RT #26732] * named-checkconf now correctly validates dns64 clients acl definitions. [RT #27631] * Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone [RT #29028] * Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995] * Improves DNS64 reverse zone performance. [RT #28563] * Adds wire format lookup method to sdb. [RT #28563] * Uses hmctx, not mctx when freeing rbtdb->heaps to avoid triggering an assertion when flushing cache data. [RT #28571] * Prevents intermittent named crashes following an rndc reload [RT #28606] * Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings [RT #28600] * A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin) [RT #28565] * Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary [RT #28338] * SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534] * Prevents named crashes as a result of dereferencing a NULL pointer in zmgr_start_xfrin_ifquota if the zone was being removed while there were zone transfers still pending [RT #28419] * Corrects a parser bug that could cause named to crash while reading a malformed zone file. [RT #28467] * Ensures that when a client recurses its status fields are consistently set so that named doesn't fail on an INSIST in client.c:exit_check. [RT #28346] * Fixed a problem preventing proper use of 64 bit time values in libbind. [RT # 26542] * isccc/cc.c:table_fromwire could fail to free an allocated object on error, leading to a possible memory leak condition. [RT #28265] * Fixed a build error on systems without ENOTSUP. [RT #28200] * The header file isc/hmacsha.h is now installed when building BIND. [RT #28169] * AAAA responses will no longer be returned in the additional section when filter-aaaa-on-v4 is in use. (Prior to this change, they would be returned for some query types). [RT #27292]
Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Wed Mar 7 14:25:00 2012 UTC (11 years, 9 months ago) by taca
Branch: TNF
CVS Tags: pkgsrc-base,
pkgsrc-2012Q1-base
Branch point for: pkgsrc-2012Q1
Changes since 1.1: +0 -0
lines
Diff to previous 1.1 (colored)
Importing BIND 9.9.0 as pkgsrc/net/bind99. Introduction BIND 9.9.0 is the first production release of BIND 9.9. This document summarizes changes from BIND 9.8 to BIND 9.9. Please see the CHANGES file in the source code release for a complete list of all changes. New Features * The new "inline-signing" option * NXDOMAIN redirection * "rndc flushtree <name>" command * "rndc sync" command * The new "rndc signing" command * "auto-dnssec" zones * Improves the startup time And more.
Revision 1.1 / (download) - annotate - [select for diffs], Wed Mar 7 14:25:00 2012 UTC (11 years, 9 months ago) by taca
Branch: MAIN
Initial revision