author | adrianp <adrianp@pkgsrc.org> | 2007-01-28 01:31:52 +0000 |
---|---|---|
committer | adrianp <adrianp@pkgsrc.org> | 2007-01-28 01:31:52 +0000 |
commit | b4f9d6caab51bd634dc8c304b44ababc4f7a3e8b (patch) | |
tree | 76bf89e629f5712fca024ed48ac5b7780e78f247 /net/bind9/patches | |
parent | 6c4c63c757fc1bf5e3417743199329a6b491dd67 (diff) | |
download | pkgsrc-b4f9d6caab51bd634dc8c304b44ababc4f7a3e8b.tar.gz |
Update to 9.3.4
Lots of changes, see http://www.isc.org/sw/bind/view/?release=9.3.4#RELEASE
for all the details:
In brief:
2126. [security] Serialise validation of type ANY responses.
2124. [security] It was possible to dereference a freed fetch
context.
2089. [security] Raise the minimum safe OpenSSL versions to
OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions
prior to these have known security flaws which
are (potentially) exploitable in named.
2088. [security] Change the default RSA exponent from 3 to 65537.
2066. [security] Handle SIG queries gracefully.
1941. [bug] ncache_adderesult() should set eresult even if no
rdataset is passed to it.
Diffstat (limited to 'net/bind9/patches')
-rw-r--r-- | net/bind9/patches/patch-ao | 13 | ||||
-rw-r--r-- | net/bind9/patches/patch-ap | 22 | ||||
-rw-r--r-- | net/bind9/patches/patch-aq | 126 |
3 files changed, 7 insertions, 154 deletions
diff --git a/net/bind9/patches/patch-ao b/net/bind9/patches/patch-ao
index 58fc04b6328..592731b2f84 100644
--- a/net/bind9/patches/patch-ao
+++ b/net/bind9/patches/patch-ao
@@ -1,21 +1,22 @@
-$NetBSD: patch-ao,v 1.1 2006/08/28 16:00:45 seb Exp $
+$NetBSD: patch-ao,v 1.2 2007/01/28 01:31:52 adrianp Exp $
 
---- lib/bind/irs/getaddrinfo.c.orig 2005-07-28 07:43:19.000000000 +0000
+--- lib/bind/irs/getaddrinfo.c.orig 2006-11-13 05:04:49.000000000 +0000
 +++ lib/bind/irs/getaddrinfo.c
-@@ -332,7 +332,7 @@ getaddrinfo(hostname, servname, hints, r
+@@ -332,7 +332,8 @@ getaddrinfo(hostname, servname, hints, r
 pai->ai_family = PF_UNSPEC;
 pai->ai_socktype = ANY;
 pai->ai_protocol = ANY;
--#ifdef __sparcv9
+-#if defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9)
 +#if (defined(sun) && defined(_SOCKLEN_T) && defined(__sparc9)) || (defined(__NetBSD__) && (((defined(__sparc__) || defined(__i386__)) && defined(_LP64)) || defined(__alpha__)))
++
 /*
 * clear _ai_pad to preserve binary
 * compatibility with previously compiled 64-bit
-@@ -365,7 +365,7 @@ getaddrinfo(hostname, servname, hints, r
+@@ -365,7 +366,7 @@ getaddrinfo(hostname, servname, hints, r
 }
 memcpy(pai, hints, sizeof(*pai));
 
--#ifdef __sparcv9
+-#if defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9)
 +#if (defined(sun) && defined(_SOCKLEN_T) && defined(__sparc9)) || (defined(__NetBSD__) && (((defined(__sparc__) || defined(__i386__)) && defined(_LP64)) || defined(__alpha__)))
 /*
 * We need to clear _ai_pad to preserve binary
diff --git a/net/bind9/patches/patch-ap b/net/bind9/patches/patch-ap
deleted file mode 100644
index 1bd9d81ad9d..00000000000
--- a/net/bind9/patches/patch-ap
+++ /dev/null
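Review bot: In patch-ao, both replacement `+#if` lines (inner hunks at 332 and 365) test `defined(__sparc9)`, whereas the upstream condition they replace, visible in the refreshed `-#if` lines, tests `defined(__sparcv9)`. If `__sparc9` is a typo, the Solaris half of the condition can never be true, so `_ai_pad` stops being cleared on 64-bit SPARC Solaris, which the patched code's own comment says is needed for binary compatibility; the first clause should read `(defined(sun) && defined(_SOCKLEN_T) && defined(__sparcv9))` in both places. The refresh also adds an empty `+` line between the `#if` and the comment in the first inner hunk (hence `+332,8`), which looks unintentional and could be dropped. The enclosing `getaddrinfo()` body lies outside the visible context, so the effect on other platforms cannot be checked from here.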
@@ -1,22 +0,0 @@
-$NetBSD: patch-ap,v 1.1 2006/09/05 20:45:32 adrianp Exp $
-
---- bin/named/query.c.orig 2005-08-11 06:25:20.000000000 +0100
-+++ bin/named/query.c
-@@ -2393,7 +2393,7 @@ query_find(ns_client_t *client, dns_fetc
- is_zone = ISC_FALSE;
-
- qtype = event->qtype;
-- if (qtype == dns_rdatatype_rrsig)
-+ if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
- type = dns_rdatatype_any;
- else
- type = qtype;
-@@ -2434,7 +2434,7 @@ query_find(ns_client_t *client, dns_fetc
- /*
- * If it's a SIG query, we'll iterate the node.
- */
-- if (qtype == dns_rdatatype_rrsig)
-+ if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
- type = dns_rdatatype_any;
- else
- type = qtype;
diff --git a/net/bind9/patches/patch-aq b/net/bind9/patches/patch-aq
deleted file mode 100644
index 29a20832f7d..00000000000
--- a/net/bind9/patches/patch-aq
+++ /dev/null
@@ -1,126 +0,0 @@
-$NetBSD: patch-aq,v 1.1 2006/09/05 20:45:32 adrianp Exp $
-
---- lib/dns/resolver.c.orig 2005-10-14 02:38:48.000000000 +0100
-+++ lib/dns/resolver.c
-@@ -762,7 +762,8 @@ fctx_sendevents(fetchctx_t *fctx, isc_re
- INSIST(result != ISC_R_SUCCESS ||
- dns_rdataset_isassociated(event->rdataset) ||
- fctx->type == dns_rdatatype_any ||
-- fctx->type == dns_rdatatype_rrsig);
-+ fctx->type == dns_rdatatype_rrsig ||
-+ fctx->type == dns_rdatatype_sig);
-
- isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
- }
-@@ -3188,7 +3189,8 @@ validated(isc_task_t *task, isc_event_t
- if (hevent != NULL) {
- if (!negative && !chaining &&
- (fctx->type == dns_rdatatype_any ||
-- fctx->type == dns_rdatatype_rrsig)) {
-+ fctx->type == dns_rdatatype_rrsig ||
-+ fctx->type == dns_rdatatype_sig)) {
- /*
- * Don't bind rdatasets; the caller
- * will iterate the node.
-@@ -3306,7 +3308,8 @@ validated(isc_task_t *task, isc_event_t
- if (!ISC_LIST_EMPTY(fctx->validators)) {
- INSIST(!negative);
- INSIST(fctx->type == dns_rdatatype_any ||
-- fctx->type == dns_rdatatype_rrsig);
-+ fctx->type == dns_rdatatype_rrsig ||
-+ fctx->type == dns_rdatatype_sig);
- /*
- * Don't send a response yet - we have
- * more rdatasets that still need to
-@@ -3455,14 +3458,15 @@ cache_name(fetchctx_t *fctx, dns_name_t
- return (result);
- anodep = &event->node;
- /*
-- * If this is an ANY or SIG query, we're not going
-- * to return any rdatasets, unless we encountered
-+ * If this is an ANY, SIG or RRSIG query, we're not
-+ * going to return any rdatasets, unless we encountered
- * a CNAME or DNAME as "the answer". In this case,
- * we're going to return DNS_R_CNAME or DNS_R_DNAME
- * and we must set up the rdatasets.
- */
- if ((fctx->type != dns_rdatatype_any &&
-- fctx->type != dns_rdatatype_rrsig) ||
-+ fctx->type != dns_rdatatype_rrsig &&
-+ fctx->type != dns_rdatatype_sig) ||
- (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
- ardataset = event->rdataset;
- asigrdataset = event->sigrdataset;
-@@ -3521,7 +3525,7 @@ cache_name(fetchctx_t *fctx, dns_name_t
- */
- if (secure_domain && rdataset->trust != dns_trust_glue) {
- /*
-- * SIGs are validated as part of validating the
-+ * RRSIGs are validated as part of validating the
- * type they cover.
- */
- if (rdataset->type == dns_rdatatype_rrsig)
-@@ -3591,7 +3595,8 @@ cache_name(fetchctx_t *fctx, dns_name_t
-
- if (ANSWER(rdataset) && need_validation) {
- if (fctx->type != dns_rdatatype_any &&
-- fctx->type != dns_rdatatype_rrsig) {
-+ fctx->type != dns_rdatatype_rrsig &&
-+ fctx->type != dns_rdatatype_sig) {
- /*
- * This is The Answer. We will
- * validate it, but first we cache
-@@ -3763,23 +3768,28 @@ ncache_adderesult(dns_message_t *message
- isc_result_t *eresultp)
- {
- isc_result_t result;
-+ dns_rdataset_t rdataset;
-+
-+ if (ardataset == NULL) {
-+ dns_rdataset_init(&rdataset);
-+ ardataset = &rdataset;
-+ }
- result = dns_ncache_add(message, cache, node, covers, now,
- maxttl, ardataset);
-- if (result == DNS_R_UNCHANGED) {
-+ if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
- /*
-- * The data in the cache are better than the negative cache
-- * entry we're trying to add.
-+ * If the cache now contains a negative entry and we
-+ * care about whether it is DNS_R_NCACHENXDOMAIN or
-+ * DNS_R_NCACHENXRRSET then extract it.
- */
-- if (ardataset != NULL && ardataset->type == 0) {
-+ if (ardataset->type == 0) {
- /*
-- * The cache data is also a negative cache
-- * entry.
-+ * The cache data is a negative cache entry.
- */
- if (NXDOMAIN(ardataset))
- *eresultp = DNS_R_NCACHENXDOMAIN;
- else
- *eresultp = DNS_R_NCACHENXRRSET;
-- result = ISC_R_SUCCESS;
- } else {
- /*
- * Either we don't care about the nature of the
-@@ -3791,14 +3801,11 @@ ncache_adderesult(dns_message_t *message
- * XXXRTH There's a CNAME/DNAME problem here.
- */
- *eresultp = ISC_R_SUCCESS;
-- result = ISC_R_SUCCESS;
- }
-- } else if (result == ISC_R_SUCCESS) {
-- if (NXDOMAIN(ardataset))
-- *eresultp = DNS_R_NCACHENXDOMAIN;
-- else
-- *eresultp = DNS_R_NCACHENXRRSET;
-+ result = ISC_R_SUCCESS;
- }
-+ if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset))
-+ dns_rdataset_disassociate(ardataset);
-
- return (result);
- } |