authorInternet Software Consortium, Inc <@isc.org>2007-09-07 14:15:11 -0600
committerLaMont Jones <lamont@debian.org>2007-09-07 14:15:11 -0600
commitf5edcd9d28faab1b3c1c2ade1ec84be1401dcc01 (patch)
tree604a17532f6242d19ce3aee73b81aec36e0c8ec9
parentfa5013622ab385a0c8761998ebc3f3896a381cf0 (diff)
downloadbind9-f5edcd9d28faab1b3c1c2ade1ec84be1401dcc01.tar.gz
9.2.8
-rw-r--r--CHANGES4
-rw-r--r--FAQ43
-rw-r--r--FAQ.xml83
-rw-r--r--README7
-rw-r--r--lib/dns/api6
-rw-r--r--lib/dns/include/dns/validator.h16
-rw-r--r--lib/dns/resolver.c30
-rw-r--r--lib/dns/validator.c27
-rw-r--r--version4
9 files changed, 204 insertions, 16 deletions
diff --git a/CHANGES b/CHANGES
index fa7f182f..780a46e7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
+ --- 9.2.8 released ---
+
+2126. [securityt] Serialise validation of type ANY responses. [RT #16555]
+
--- 9.2.7 released ---
2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
diff --git a/FAQ b/FAQ
index 5c6a2a73..ba87de21 100644
--- a/FAQ
+++ b/FAQ
@@ -1,5 +1,9 @@
Frequently Asked Questions about BIND 9
+Copyright © 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+
+Copyright © 2000-2003 Internet Software Consortium.
+
-------------------------------------------------------------------------------
Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
@@ -630,3 +634,42 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
See these man-pages for more information : selinux(8), named_selinux(8), chcon
(1), setsebool(8)
+Q: I want to forward all DNS queries from my caching nameserver to another server.
+ But there are some domains which have to be served locally, via rbldnsd.
+
+ How do I achieve this ?
+
+A: options {
+ forward only;
+ forwarders { <ip.of.primary.nameserver>; };
+ };
+
+ zone "sbl-xbl.spamhaus.org" {
+ type forward; forward only;
+ forwarders { <ip.of.rbldns.server> port 530; };
+ };
+
+ zone "list.dsbl.org" {
+ type forward; forward only;
+ forwarders { <ip.of.rbldns.server> port 530; };
+ };
+
+
+Q: Will named be affected by the 2007 changes to daylight savings rules in the US.
+
+A: No, so long as the machines internal clock (as reported by "date -u") remains
+ at UTC. The only visible change if you fail to upgrade your OS, if you are in a
+ affected area, will be that log messages will be a hour out during the period
+ where the old rules do not match the new rules.
+
+ For most OS's this change just means that you need to update the conversion
+ rules from UTC to local time. Normally this involves updating a file in /etc
+ (which sets the default timezone for the machine) and possibly a directory
+ which has all the conversion rules for the world (e.g. /usr/share/zoneinfo).
+ When updating the OS do not forget to update any chroot areas as well. See your
+ OS's documetation for more details.
+
+ The local timezone conversion rules can also be done on a individual basis by
+ setting the TZ envirionment variable appropriately. See your OS's documentation
+ for more details.
+
diff --git a/FAQ.xml b/FAQ.xml
index d6196185..7d73fa1a 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -1,7 +1,7 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -17,10 +17,26 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: FAQ.xml,v 1.4.8.5 2006/02/27 21:11:57 marka Exp $ -->
+<!-- $Id: FAQ.xml,v 1.4.8.5.6.1 2007/01/12 02:28:15 marka Exp $ -->
<article class="faq">
<title>Frequently Asked Questions about BIND 9</title>
+ <articleinfo>
+ <copyright>
+ <year>2004</year>
+ <year>2005</year>
+ <year>2006</year>
+ <year>2007</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ <copyright>
+ <year>2000</year>
+ <year>2001</year>
+ <year>2002</year>
+ <year>2003</year>
+ <holder>Internet Software Consortium.</holder>
+ </copyright>
+ </articleinfo>
<qandaset defaultlabel='qanda'>
<qandaentry>
<question>
@@ -1193,5 +1209,68 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d
</para>
</answer>
</qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ I want to forward all DNS queries from my caching nameserver to
+ another server. But there are some domains which have to be
+ served locally, via rbldnsd.
+ </para>
+ <para>
+ How do I achieve this ?
+ </para>
+ </question>
+ <answer>
+ <programlisting>
+options {
+ forward only;
+ forwarders { &lt;ip.of.primary.nameserver&gt;; };
+};
+
+zone "sbl-xbl.spamhaus.org" {
+ type forward; forward only;
+ forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
+};
+
+zone "list.dsbl.org" {
+ type forward; forward only;
+ forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
+};
+ </programlisting>
+ </answer>
+ </qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ Will named be affected by the 2007 changes to daylight savings
+ rules in the US.
+ </para>
+ </question>
+ <answer>
+ <para>
+ No, so long as the machines internal clock (as reported
+ by "date -u") remains at UTC. The only visible change
+ if you fail to upgrade your OS, if you are in a affected
+ area, will be that log messages will be a hour out during
+ the period where the old rules do not match the new rules.
+ </para>
+ <para>
+ For most OS's this change just means that you need to
+ update the conversion rules from UTC to local time.
+ Normally this involves updating a file in /etc (which
+ sets the default timezone for the machine) and possibly
+ a directory which has all the conversion rules for the
+ world (e.g. /usr/share/zoneinfo). When updating the OS
+ do not forget to update any chroot areas as well.
+ See your OS's documetation for more details.
+ </para>
+ <para>
+ The local timezone conversion rules can also be done on
+ a individual basis by setting the TZ envirionment variable
+ appropriately. See your OS's documentation for more
+ details.
+ </para>
+ </answer>
+ </qandaentry>
</qandaset>
</article>
diff --git a/README b/README
index 12dbd6e2..efdfceca 100644
--- a/README
+++ b/README
@@ -43,6 +43,13 @@ BIND 9
Nominum, Inc.
+BIND 9.2.8
+ BIND 9.2.8 is a security release.
+
+BIND 9.2.7
+ BIND 9.2.7 is a maintenance release, containing fixes for
+ a number of bugs in 9.2.6.
+
BIND 9.2.6
BIND 9.2.6 is a maintenance release, containing fixes for
diff --git a/lib/dns/api b/lib/dns/api
index 47628bd0..f2bcfbf5 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 18
-LIBREVISION = 3
-LIBAGE = 2
+LIBINTERFACE = 19
+LIBREVISION = 0
+LIBAGE = 3
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index 8b44f274..5e173f1a 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.h,v 1.18.2.1 2004/03/09 06:11:24 marka Exp $ */
+/* $Id: validator.h,v 1.18.2.1.24.1 2007/01/11 04:58:37 marka Exp $ */
#ifndef DNS_VALIDATOR_H
#define DNS_VALIDATOR_H 1
@@ -111,6 +111,11 @@ struct dns_validator {
ISC_LINK(dns_validator_t) link;
};
+/*%
+ * dns_validator_create() options.
+ */
+#define DNS_VALIDATOR_DEFER 2U
+
ISC_LANG_BEGINDECLS
isc_result_t
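Review bot: The new `DNS_VALIDATOR_DEFER` option has no description of its own; the added comment only says these are dns_validator_create() options. From validator.c in this commit, a validator created with the flag is not started until dns_validator_send() is called, and that belongs next to the define, e.g. `/* DNS_VALIDATOR_DEFER: create the validator but do not start it; the caller starts it later with dns_validator_send(). */`. It would also help to say why the value is 2U, since whether 1U is already taken is not visible in this hunk.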
@@ -154,6 +159,15 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
*/
void
+dns_validator_send(dns_validator_t *validator);
+/*%<
+ * Send a deferred validation request
+ *
+ * Requires:
+ * 'validator' to points to a valid DNSSEC validator.
+ */
+
+void
dns_validator_cancel(dns_validator_t *validator);
/*
* Cancel a DNSSEC validation in progress.
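Review bot: The Requires section for dns_validator_send() is incomplete: the implementation in validator.c also asserts, with INSIST, that DNS_VALIDATOR_DEFER is still set, so calling it on a validator that was not deferred or was already sent aborts the process. That precondition belongs in the contract, for example `* 'validator' was created with DNS_VALIDATOR_DEFER and has not yet been sent.`. The existing line also reads "to points to"; `* 'validator' points to a valid DNSSEC validator.` is the intended wording.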
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 421375b9..b87d3183 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.218.2.46 2006/07/28 04:51:18 marka Exp $ */
+/* $Id: resolver.c,v 1.218.2.46.6.1 2007/01/11 04:58:37 marka Exp $ */
#include <config.h>
@@ -837,6 +837,8 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
if (result != ISC_R_SUCCESS)
return (result);
+ INSIST(ISC_LIST_EMPTY(fctx->validators));
+
dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
query = isc_mem_get(res->mctx, sizeof *query);
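Review bot: The new `INSIST(ISC_LIST_EMPTY(fctx->validators))` turns any leftover validator into a process abort on the query path, and nothing in the hunk says why the list must be empty here. The reason appears to be that cache_name() hands `fctx->rmessage` to each validator and the next line resets that message, so a comment such as `/* Validators hold fctx->rmessage, which is reset below; none may be outstanding. */` would record the invariant. Since named is a network-facing daemon, it is worth confirming that no retry or timeout path can reach fctx_query() while deferred validators are still queued, because that would take the server down rather than fail one fetch. fctx_query() starts and ends outside this hunk.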
@@ -2622,12 +2624,21 @@ maybe_destroy(fetchctx_t *fctx) {
unsigned int bucketnum;
isc_boolean_t bucket_empty = ISC_FALSE;
dns_resolver_t *res = fctx->res;
+ dns_validator_t *validator;
REQUIRE(SHUTTINGDOWN(fctx));
- if (fctx->pending != 0 || !ISC_LIST_EMPTY(fctx->validators))
+ if (fctx->pending != 0)
return;
+ for (validator = ISC_LIST_HEAD(fctx->validators);
+ validator != NULL;
+ validator = ISC_LIST_HEAD(fctx->validators)) {
+ ISC_LIST_UNLINK(fctx->validators, validator, link);
+ dns_validator_cancel(validator);
+ dns_validator_destroy(&validator);
+ }
+
bucketnum = fctx->bucketnum;
LOCK(&res->buckets[bucketnum].lock);
if (fctx->references == 0)
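Review bot: The new loop calls dns_validator_destroy() immediately after dns_validator_cancel() on every validator left on the list, but only the deferred case is visibly safe: the cancel hunk in validator.c frees the event itself when DNS_VALIDATOR_DEFER is set. For a validator that has already been started, whether it can be destroyed straight after cancel, and whether its completion event can still reach validated() with this fctx, depends on code outside the commit; the old code avoided the question by returning while the list was non-empty. If the invariant is that only deferred validators can remain once `fctx->pending` is 0, state it, e.g. `/* Only deferred (never started) validators can remain here. */`. The loop also edits fctx->validators before `LOCK(&res->buckets[bucketnum].lock)`, while cache_name() appends to the same list under a comment that the bucket lock must be held; either move the loop under the lock or note why it is not needed during shutdown. maybe_destroy() continues past the end of the hunk.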
@@ -2810,7 +2821,9 @@ validated(isc_task_t *task, isc_event_t *event) {
goto noanswer_response;
}
- if (sentresponse) {
+ if (!ISC_LIST_EMPTY(fctx->validators))
+ dns_validator_send(ISC_LIST_HEAD(fctx->validators));
+ else if (sentresponse) {
/*
* If we only deferred the destroy because we wanted to cache
* the data, destroy now.
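Review bot: `dns_validator_send(ISC_LIST_HEAD(fctx->validators))` is called on whatever validator heads the list, yet dns_validator_send() asserts with INSIST that DNS_VALIDATOR_DEFER is still set, so an already started validator at the head would abort named. In cache_name() `valoptions` is a local that starts at 0 on every call, and the second dns_validator_create() call site passes it without a visible `valoptions |= DNS_VALIDATOR_DEFER` afterwards, so the diff alone does not show that at most one validator per fetch is ever running. Either check the flag before sending or document the invariant at the call, e.g. `/* Every validator still on the list was created with DNS_VALIDATOR_DEFER; start the next one. */`. The same applies to the second dns_validator_send() call added in the next hunk of validated().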
@@ -2830,6 +2843,7 @@ validated(isc_task_t *task, isc_event_t *event) {
* more rdatasets that still need to
* be validated.
*/
+ dns_validator_send(ISC_LIST_HEAD(fctx->validators));
goto cleanup_event;
}
@@ -2878,6 +2892,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
unsigned int options;
isc_task_t *task;
dns_validator_t *validator;
+ unsigned int valoptions = 0;
/*
* The appropriate bucket lock must be held.
@@ -3065,15 +3080,18 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
rdataset,
sigrdataset,
fctx->rmessage,
- 0,
+ valoptions,
task,
validated,
fctx,
&validator);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
ISC_LIST_APPEND(
fctx->validators,
validator, link);
+ valoptions |=
+ DNS_VALIDATOR_DEFER;
+ }
}
}
} else if (!EXTERNAL(rdataset)) {
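Review bot: There is no comment explaining the `valoptions` handling, and the serialisation it implements is easy to miss: the first successfully created validator is started at once, and every later one is created with DNS_VALIDATOR_DEFER and started from validated(). A comment above the assignment such as `/* Start only the first validator; the rest are deferred and sent one at a time from validated(). */` would make that clear. The flag is only set when creation succeeds, so if the first dns_validator_create() fails the next rdataset's validator is the one started immediately; that looks intended but is worth saying. cache_name() starts and ends outside this hunk.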
@@ -3148,7 +3166,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
valrdataset,
valsigrdataset,
fctx->rmessage,
- 0,
+ valoptions,
task,
validated,
fctx,
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 1e4f108c..508da312 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.91.2.12 2006/01/06 02:55:16 marka Exp $ */
+/* $Id: validator.c,v 1.91.2.12.6.1 2007/01/11 04:58:37 marka Exp $ */
#include <config.h>
@@ -1546,7 +1546,8 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
ISC_LINK_INIT(val, link);
val->magic = VALIDATOR_MAGIC;
- isc_task_send(task, ISC_EVENT_PTR(&event));
+ if ((options & DNS_VALIDATOR_DEFER) == 0)
+ isc_task_send(task, ISC_EVENT_PTR(&event));
*validatorp = val;
@@ -1564,6 +1565,21 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
}
void
+dns_validator_send(dns_validator_t *validator) {
+ isc_event_t *event;
+ REQUIRE(VALID_VALIDATOR(validator));
+
+ LOCK(&validator->lock);
+
+ INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
+ event = (isc_event_t *)validator->event;
+ validator->options &= ~DNS_VALIDATOR_DEFER;
+ UNLOCK(&validator->lock);
+
+ isc_task_send(validator->task, ISC_EVENT_PTR(&event));
+}
+
+void
dns_validator_cancel(dns_validator_t *validator) {
REQUIRE(VALID_VALIDATOR(validator));
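Review bot: dns_validator_send() has no comment on why DNS_VALIDATOR_DEFER is cleared under the lock before the event is sent, and the ordering matters: dns_validator_cancel() in this commit frees `validator->event` itself while the flag is set. Something like `/* Clear DEFER before sending so that dns_validator_cancel() no longer frees the event itself. */` would record that. The once-only precondition is enforced with INSIST but is not listed in the header's Requires, so a caller only learns of it from the abort.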
@@ -1582,6 +1598,13 @@ dns_validator_cancel(dns_validator_t *validator) {
if (validator->authvalidator != NULL)
dns_validator_cancel(validator->authvalidator);
+
+ if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
+ isc_task_t *task = validator->event->ev_sender;
+ validator->options &= ~DNS_VALIDATOR_DEFER;
+ isc_event_free((isc_event_t **)&validator->event);
+ isc_task_detach(&task);
+ }
}
UNLOCK(&validator->lock);
}
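Review bot: Cancelling a deferred validator frees its event instead of delivering it, so the caller's completion action never runs for that validator and the caller must unlink and destroy it itself, as maybe_destroy() in resolver.c does in this commit. The header only says dns_validator_cancel() cancels a validation in progress; a line there such as `* A validator created with DNS_VALIDATOR_DEFER and not yet sent is cancelled without posting a completion event.` would document the difference. The task reference is taken from `validator->event->ev_sender` here while dns_validator_send() uses `validator->task`; if these are the same attached task, a short comment saying so would help. dns_validator_cancel() begins outside this hunk.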
diff --git a/version b/version
index 41822481..d15aeb45 100644
--- a/version
+++ b/version
@@ -1,10 +1,10 @@
-# $Id: version,v 1.26.2.47 2006/11/28 01:57:58 marka Exp $
+# $Id: version,v 1.26.2.47.4.1 2007/01/11 04:59:36 marka Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
#
MAJORVER=9
MINORVER=2
-PATCHVER=7
+PATCHVER=8
RELEASETYPE=
RELEASEVER=