net/bind911: update to 9.11.5

	--- 9.11.5 released ---

	--- 9.11.5rc1 released ---

5038.	[bug]		Chaosnet addresses were compared incorrectly.
			[GL #562]

5034.	[bug]		A race between threads could prevent zone maintenance
			scheduled immediately after zone load from being
			performed. [GL #542]

5033.	[bug]		When adding NTAs to multiple views using "rndc nta",
			the text returned via rndc was incorrectly terminated
			after the first line, making it look as if only one
			NTA had been added. Also, it was not possible to
			differentiate between views with the same name but
			different classes; this has been corrected with the
			addition of a "-class" option. [GL #105]

5032.	[func]		Add krb5-selfsub and ms-selfsub update policy rules.
			[GL #511]

5030.	[bug]		Align CMSG buffers to a 64-bit boundary, fixes crash
			on architectures with strict alignment. [GL #521]

5028.	[bug]		Spread the initial RRSIG expiration times over the
			entire working sig-validity-interval when signing a
			zone in named to even out re-signing and transfer
			loads. [GL #418]

5026.	[bug]		rndc reconfig should not touch already loaded zones.
			[GL #276]

5022.	[doc]		Update ms-self, ms-subdomain, krb5-self, and
			krb5-subdomain documentation. [GL !708]

5021.	[bug]		dig returned a non-zero exit code when it received a
			reply over TCP after a retry. [GL #487]

5019.	[cleanup]	A message is now logged when ixfr-from-differences is
			set at zone level for an inline-signed zone. [GL #470]

5018.	[bug]		Fix incorrect sizeof arguments in lib/isc/pk11.c.
			[GL !588]

5017.	[bug]		lib/isc/pk11.c failed to unlink the session before
			releasing the lock which is unsafe. [GL !589]

5016.	[bug]		Named could assert with overlapping filter-aaaa and
			dns64 acls. [GL #445]

5015.	[bug]		Reloading all zones caused zone maintenance to cease
			for inline-signed zones. [GL #435]

5014.	[bug]		Signatures loaded from the journal for the signed
			version of an inline-signed zone were not scheduled for
			refresh. [GL #482]

5012.	[bug]		Fix lock order reversal in pk11_initialize. [GL !590]

5009.	[bug]		Upon an OpenSSL failure, the first error in the OpenSSL
			error queue was not logged. [GL #476]

5008.	[bug]		"rndc signing -nsec3param ..." requests were silently
			ignored for zones which were not yet loaded or
			transferred. [GL #468]

5007.	[cleanup]	Replace custom ISC boolean and integer data types
			with C99 stdint.h and stdbool.h types. [GL #9]

5005.	[bug]		dnssec-verify, and dnssec-signzone at the verification
			step, failed on some validly signed zones. [GL #442]

5004.	[bug]		'rndc reconfig' could cause inline zones to stop
			re-signing. [GL #439]

5003.	[bug]		dns_acl_isinsecure did not handle geoip elements.
			[GL #406]

5002.	[bug]		mdig: Handle malformed +ednsopt option, support 100
			+ednsopt options per query rather than 100 total and
			address memory leaks if +ednsopt was specified.
			[GL #410]

5001.	[bug]		Fix refcount errors on error paths. [GL !563]

4996.	[bug]		dig: Handle malformed +ednsopt option. [GL #403]

4995.	[test]		Add tests for "tcp-self" update policy. [GL !282]

4994.	[bug]		Trust anchor telemetry queries were not being sent
			upstream for locally served zones. [GL #392]

4992.	[bug]		The wrong address was being logged for trust anchor
			telemetry queries. [GL #379]

4990.	[bug]		Prevent a possible NULL reference in pkcs11-keygen.
			[GL #401]

5 files changed, 27 insertions, 189 deletions

diff --git a/net/bind911/Makefile b/net/bind911/Makefile
index a62c8ac10af..a974df5be78 100644
--- a/net/bind911/Makefile
+++ b/net/bind911/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.4 2018/09/27 04:24:18 wiz Exp $
+# $NetBSD: Makefile,v 1.5 2018/10/21 15:51:14 taca Exp $
 
 DISTNAME=	bind-${BIND_VERSION}
 PKGNAME=	${DISTNAME:S/-P/pl/}
@@ -14,7 +14,7 @@ CONFLICTS+=	host-[0-9]*
 
 MAKE_JOBS_SAFE=	no
 
-BIND_VERSION=	9.11.4-P2
+BIND_VERSION=	9.11.5
 
 .include "../../mk/bsd.prefs.mk"
 
diff --git a/net/bind911/distinfo b/net/bind911/distinfo
index 8080a49ce25..19e59a7dcb7 100644
--- a/net/bind911/distinfo
+++ b/net/bind911/distinfo
@@ -1,15 +1,14 @@
-$NetBSD: distinfo,v 1.2 2018/09/20 10:01:36 taca Exp $
+$NetBSD: distinfo,v 1.3 2018/10/21 15:51:14 taca Exp $
 
-SHA1 (bind-9.11.4-P2.tar.gz) = f01eada382fb2bd4d1fcab3f6f83bd3ebc35a9ab
-RMD160 (bind-9.11.4-P2.tar.gz) = 152448ebda7d9824f6035a35466ee29ed0391ab3
-SHA512 (bind-9.11.4-P2.tar.gz) = 6c01810526fc40485a6c0403d1ddc3b76d2e59b3426b5789436bd671f158d2fa0ea7c0aef2de81998ec715dabd06683fed7b17224d5c794c61e7100a69d4cb60
-Size (bind-9.11.4-P2.tar.gz) = 9617963 bytes
-SHA1 (patch-bin_dig_dighost.c) = c87f145a0e78df5d1b834bfec90ab3b4523ee915
+SHA1 (bind-9.11.5.tar.gz) = a87a1d6a94be03110ea4776001a75d29a3634cbc
+RMD160 (bind-9.11.5.tar.gz) = 7ac8f391f875d2eba07a1a31495ba1e1209a118a
+SHA512 (bind-9.11.5.tar.gz) = 7e34c8033dabaed232479b1dc2849d1247c0137bcb2b63f08f8f72ff2cca0f73e0f05d0b9b8959f8c4db8ee36a700af30fe869be186c7bab7c81a25843384b8d
+Size (bind-9.11.5.tar.gz) = 8810710 bytes
 SHA1 (patch-bin_tests_system_metadata_tests.sh) = d01a492d0b7738760bdbff714248e279a78fef28
 SHA1 (patch-config.threads.in) = 8341bdb11888d3efdde5f115de91b1f46aa40bd0
 SHA1 (patch-configure) = 9e488b315253dd9cf84e6658468e26399798b0e6
 SHA1 (patch-contrib_dlz_config.dlz.in) = 6c53d61aaaf1a952a867e4c4da0194db94f511d7
 SHA1 (patch-lib_dns_rbt.c) = 8af91b6d40b591d28d15f7f98c9b7a82df234381
-SHA1 (patch-lib_isc_unix_socket.c) = 73cbf20f8a1e4714450d291332ee928b1eb2898a
-SHA1 (patch-lib_lwres_getaddrinfo.c) = 656109a2c1583b38ed8a8e0cda6a95f71e4771a0
+SHA1 (patch-lib_isc_unix_socket.c) = dff0163246985d0750b2c99ce7673b257df3e5bf
+SHA1 (patch-lib_lwres_getaddrinfo.c) = 1956a857c1b158dbe95c46d90ab406e0030e321e
 SHA1 (patch-lib_lwres_getnameinfo.c) = 366100a25064f43bd938e9acf31188c917b45cbe
diff --git a/net/bind911/patches/patch-bin_dig_dighost.c b/net/bind911/patches/patch-bin_dig_dighost.c
deleted file mode 100644
index 0022aad0b23..00000000000
--- a/net/bind911/patches/patch-bin_dig_dighost.c
+++ /dev/null
@@ -1,128 +0,0 @@
-$NetBSD: patch-bin_dig_dighost.c,v 1.1 2018/09/09 13:11:38 taca Exp $
-
-* Avoid to use true as variable name.
-
---- bin/dig/dighost.c.orig	2018-07-03 06:56:55.000000000 +0000
-+++ bin/dig/dighost.c
-@@ -5215,7 +5215,7 @@ prepare_lookup(dns_name_t *name)
- 		isc_buffer_t *b = NULL;
- 		isc_region_t r;
- 		dns_rdataset_t *rdataset = NULL;
--		isc_boolean_t true = ISC_TRUE;
-+		isc_boolean_t isc_true = ISC_TRUE;
- #endif
- 
- 		memset(namestr, 0, DNS_NAME_FORMATSIZE);
-@@ -5229,7 +5229,7 @@ prepare_lookup(dns_name_t *name)
- 
- 		result = advanced_rrsearch(&rdataset, &ns.name,
- 					   dns_rdatatype_aaaa,
--					   dns_rdatatype_any, &true);
-+					   dns_rdatatype_any, &isc_true);
- 		if (result == ISC_R_SUCCESS) {
- 			for (result = dns_rdataset_first(rdataset);
- 			     result == ISC_R_SUCCESS;
-@@ -5258,7 +5258,7 @@ prepare_lookup(dns_name_t *name)
- 
- 		rdataset = NULL;
- 		result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a,
--					   dns_rdatatype_any, &true);
-+					   dns_rdatatype_any, &isc_true);
- 		if (result == ISC_R_SUCCESS) {
- 			for (result = dns_rdataset_first(rdataset);
- 			     result == ISC_R_SUCCESS;
-@@ -5377,11 +5377,11 @@ isc_result_t
- initialization(dns_name_t *name)
- {
- 	isc_result_t   result;
--	isc_boolean_t  true = ISC_TRUE;
-+	isc_boolean_t  isc_true = ISC_TRUE;
- 
- 	chase_nsrdataset = NULL;
- 	result = advanced_rrsearch(&chase_nsrdataset, name, dns_rdatatype_ns,
--				   dns_rdatatype_any, &true);
-+				   dns_rdatatype_any, &isc_true);
- 	if (result != ISC_R_SUCCESS) {
- 		printf("\n;; NS RRset is missing to continue validation:"
- 		       " FAILED\n\n");
-@@ -5736,7 +5736,7 @@ sigchase_td(dns_message_t *msg)
- 	isc_result_t result;
- 	dns_name_t *name = NULL;
- 	isc_boolean_t have_answer = ISC_FALSE;
--	isc_boolean_t true = ISC_TRUE;
-+	isc_boolean_t isc_true = ISC_TRUE;
- 
- 	if (msg->rcode != dns_rcode_noerror &&
- 	    msg->rcode != dns_rcode_nxdomain) {
-@@ -5759,7 +5759,7 @@ sigchase_td(dns_message_t *msg)
- 			initialization(name);
- 			return;
- 		}
--		have_answer = true;
-+		have_answer = isc_true;
- 	} else {
- 		if (!current_lookup->trace_root_sigchase) {
- 			result = dns_message_firstname(msg,
-@@ -5878,7 +5878,7 @@ sigchase_td(dns_message_t *msg)
- 						   dns_rdatatype_rrsig,
- 						   current_lookup
- 						   ->rdtype_sigchase,
--						   &true);
-+						   &isc_true);
- 			if (result == ISC_R_FAILURE) {
- 				printf("\n;; RRset is missing to continue"
- 				       " validation SHOULD NOT APPEND:"
-@@ -5891,7 +5891,7 @@ sigchase_td(dns_message_t *msg)
- 						   &chase_authority_name,
- 						   dns_rdatatype_rrsig,
- 						   dns_rdatatype_any,
--						   &true);
-+						   &isc_true);
- 			if (result == ISC_R_FAILURE) {
- 				printf("\n;; RRSIG is missing  to continue"
- 				       " validation SHOULD NOT APPEND:"
-@@ -5967,7 +5967,7 @@ sigchase_td(dns_message_t *msg)
- 					   &chase_authority_name,
- 					   dns_rdatatype_rrsig,
- 					   dns_rdatatype_ds,
--					   &true);
-+					   &isc_true);
- 		if (result != ISC_R_SUCCESS) {
- 			printf("\n;; DSset is missing to continue validation:"
- 			       " FAILED\n\n");
-@@ -6054,7 +6054,7 @@ sigchase_td(dns_message_t *msg)
- 		result = advanced_rrsearch(&chase_rdataset, &chase_name,
- 					   current_lookup->rdtype_sigchase,
- 					   dns_rdatatype_any ,
--					   &true);
-+					   &isc_true);
- 	if (result == ISC_R_FAILURE) {
- 		printf("\n;; RRsig of RRset is missing to continue validation"
- 		       " SHOULD NOT APPEND: FAILED\n\n");
-@@ -6097,7 +6097,7 @@ getneededrr(dns_message_t *msg)
- 	dns_name_t *name = NULL;
- 	dns_rdata_t sigrdata = DNS_RDATA_INIT;
- 	dns_rdata_sig_t siginfo;
--	isc_boolean_t   true = ISC_TRUE;
-+	isc_boolean_t   isc_true = ISC_TRUE;
- 
- 	if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
- 	    != ISC_R_SUCCESS) {
-@@ -6113,7 +6113,7 @@ getneededrr(dns_message_t *msg)
- 	if (chase_rdataset == NULL) {
- 		result = advanced_rrsearch(&chase_rdataset, name,
- 					   dns_rdatatype_any,
--					   dns_rdatatype_any, &true);
-+					   dns_rdatatype_any, &isc_true);
- 		if (result != ISC_R_SUCCESS) {
- 			printf("\n;; No Answers: Validation FAILED\n\n");
- 			return (ISC_R_NOTFOUND);
-@@ -6232,7 +6232,7 @@ getneededrr(dns_message_t *msg)
- 		result = advanced_rrsearch(&chase_sigdsrdataset,
- 					   &chase_signame,
- 					   dns_rdatatype_rrsig,
--					   dns_rdatatype_ds, &true);
-+					   dns_rdatatype_ds, &isc_true);
- 		if (result == ISC_R_FAILURE) {
- 			printf(";; WARNING : NO RRSIG DS : RRSIG DS"
- 			       " should come with DS\n");
diff --git a/net/bind911/patches/patch-lib_isc_unix_socket.c b/net/bind911/patches/patch-lib_isc_unix_socket.c
index 3494acba07d..4a2cf9614be 100644
--- a/net/bind911/patches/patch-lib_isc_unix_socket.c
+++ b/net/bind911/patches/patch-lib_isc_unix_socket.c
@@ -1,33 +1,24 @@
-$NetBSD: patch-lib_isc_unix_socket.c,v 1.1 2018/09/09 13:11:38 taca Exp $
+$NetBSD: patch-lib_isc_unix_socket.c,v 1.2 2018/10/21 15:51:14 taca Exp $
 
-Make ENOBUFS a soft error
-https://gitlab.isc.org/isc-projects/bind9/issues/462
+Apply fix from NetBSD revision 1.24.
 
---- lib/isc/unix/socket.c.orig	2018-07-24 17:24:11.000000000 +0000
+--- lib/isc/unix/socket.c.orig	2018-10-06 01:36:17.000000000 +0000
 +++ lib/isc/unix/socket.c
-@@ -257,6 +257,7 @@ typedef enum { poll_idle, poll_active, p
- #define SOFT_ERROR(e)	((e) == EAGAIN || \
+@@ -258,6 +258,7 @@ typedef enum { poll_idle, poll_active, p
  			 (e) == EWOULDBLOCK || \
+ 			 (e) == ENOBUFS || \
  			 (e) == EINTR || \
 +			 (e) == ENOBUFS || \
  			 (e) == 0)
  
  #define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
-@@ -1952,7 +1953,7 @@ doio_recv(isc__socket_t *sock, isc_socke
- 		SOFT_OR_HARD(EHOSTDOWN, ISC_R_HOSTDOWN);
- 		/* HPUX 11.11 can return EADDRNOTAVAIL. */
- 		SOFT_OR_HARD(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
--		ALWAYS_HARD(ENOBUFS, ISC_R_NORESOURCES);
-+		SOFT_OR_HARD(ENOBUFS, ISC_R_NORESOURCES);
- 		/* Should never get this one but it was seen. */
- #ifdef ENOPROTOOPT
- 		SOFT_OR_HARD(ENOPROTOOPT, ISC_R_HOSTUNREACH);
-@@ -2149,7 +2150,7 @@ doio_send(isc__socket_t *sock, isc_socke
- 		ALWAYS_HARD(EHOSTDOWN, ISC_R_HOSTUNREACH);
- #endif
- 		ALWAYS_HARD(ENETUNREACH, ISC_R_NETUNREACH);
--		ALWAYS_HARD(ENOBUFS, ISC_R_NORESOURCES);
-+		SOFT_OR_HARD(ENOBUFS, ISC_R_NORESOURCES);
- 		ALWAYS_HARD(EPERM, ISC_R_HOSTUNREACH);
- 		ALWAYS_HARD(EPIPE, ISC_R_NOTCONNECTED);
- 		ALWAYS_HARD(ECONNRESET, ISC_R_CONNECTIONRESET);
+@@ -1575,7 +1576,8 @@ build_msghdr_send(isc__socket_t *sock, c
+ 
+ #if defined(IPV6_USE_MIN_MTU)
+ 	if ((sock->type == isc_sockettype_udp) &&
+-	    ((dev->attributes & ISC_SOCKEVENTATTR_USEMINMTU) != 0))
++	    ((dev->attributes & ISC_SOCKEVENTATTR_USEMINMTU) != 0) &&
++	    (sock->pf == AF_INET6))
+ 	{
+ 		int use_min_mtu = 1;	/* -1, 0, 1 */
+ 
diff --git a/net/bind911/patches/patch-lib_lwres_getaddrinfo.c b/net/bind911/patches/patch-lib_lwres_getaddrinfo.c
index cf48c8c38a9..951fc5c0dc5 100644
--- a/net/bind911/patches/patch-lib_lwres_getaddrinfo.c
+++ b/net/bind911/patches/patch-lib_lwres_getaddrinfo.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-lib_lwres_getaddrinfo.c,v 1.1 2018/09/09 13:11:38 taca Exp $
+$NetBSD: patch-lib_lwres_getaddrinfo.c,v 1.2 2018/10/21 15:51:14 taca Exp $
 
 * Add fix for KAME based implementation.
 
---- lib/lwres/getaddrinfo.c.orig	2018-07-03 06:56:55.000000000 +0000
+--- lib/lwres/getaddrinfo.c.orig	2018-10-06 01:36:17.000000000 +0000
 +++ lib/lwres/getaddrinfo.c
-@@ -148,6 +148,10 @@
+@@ -149,6 +149,10 @@
  #include <lwres/stdlib.h>
  #include <lwres/string.h>
  
@@ -15,27 +15,3 @@ $NetBSD: patch-lib_lwres_getaddrinfo.c,v 1.1 2018/09/09 13:11:38 taca Exp $
  #define SA(addr)	((struct sockaddr *)(addr))
  #define SIN(addr)	((struct sockaddr_in *)(addr))
  #define SIN6(addr)	((struct sockaddr_in6 *)(addr))
-@@ -372,14 +376,22 @@ lwres_getaddrinfo(const char *hostname, 
- 			p = strchr(ntmp, '%');
- 			ep = NULL;
- 
-+#ifdef __KAME__
-+			if (p != NULL) {
-+				scopeid = if_nametoindex(p + 1);
-+				if (scopeid)
-+					p = NULL;
-+			}
-+#endif
- 			/*
- 			 * Vendors may want to support non-numeric
- 			 * scopeid around here.
- 			 */
- 
--			if (p != NULL)
-+			if (p != NULL) {
- 				scopeid = (lwres_uint32_t)strtoul(p + 1,
- 								  &ep, 10);
-+			}
- 			if (p != NULL && ep != NULL && ep[0] == '\0')
- 				*p = '\0';
- 			else {