Pull up following revision(s) (requested by snj in ticket #1348):

doc/3RDPARTY: 1.1397 via patch
	external/bsd/bind/Makefile.inc: up to 1.24 via patch
	external/bsd/bind/dist/CHANGES: up to 1.24
	external/bsd/bind/dist/README: up to 1.12
	external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.3
	external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.4
	external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/zkt-ls delete
	external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/zkt-signer delete
	external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/zkt-ls delete
	external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/zkt-signer delete
	external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.22
	external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.19
	external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.24
	external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.12
	external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.25
	external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.12
	external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.12
	external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.12
	external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.12
	external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.21
	external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.10
	external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.10
	external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.10
	external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.host.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.4
	external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.4
	external/bsd/bind/dist/doc/arm/man.named.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.12
	external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.12
	external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.10
	external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.10
	external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.10
	external/bsd/bind/dist/lib/dns/api: up to 1.12
	external/bsd/bind/dist/lib/dns/message.c: up to 1.21
	external/bsd/bind/dist/lib/dns/resolver.c: up to 1.28
	external/bsd/bind/dist/lib/isc/api: up to 1.1.1.21
	external/bsd/bind/dist/lib/isc/unix/socket.c: up to 1.20
	external/bsd/bind/dist/lib/isc/win32/socket.c: up to 1.12
	external/bsd/bind/dist/srcid: up to 1.18
	external/bsd/bind/dist/version: up to 1.22
	external/bsd/bind/include/isc/platform.h: up to 1.22 via patch
Update BIND to 9.10.4-P5, fixing CVE-2016-9131, CVE-2016-9147,
and CVE-2016-9444.

doc/3RDPARTY

@@ -1,4 +1,4 @@
-#	$NetBSD: 3RDPARTY,v 1.1145.2.18.2.11 2016/12/14 08:21:38 snj Exp $
+#	$NetBSD: 3RDPARTY,v 1.1145.2.18.2.12 2017/01/16 11:56:45 martin Exp $
 #
 # This file contains a list of the software that has been integrated into
 # NetBSD where we are not the primary maintainer.
@@ -113,8 +113,8 @@ Notes:
 bc includes dc, both of which are in the NetBSD tree.
 
 Package:	bind [named and utils]
-Version:	9.10.4-P4
-Current Vers:	9.10.4-P4
+Version:	9.10.4-P5
+Current Vers:	9.10.4-P5
 Maintainer:	Paul Vixie <vixie@vix.com>
 Archive Site:	ftp://ftp.isc.org/isc/bind9/
 Home Page:	http://www.isc.org/software/bind/

external/bsd/bind/Makefile.inc

@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.inc,v 1.21.2.1.2.2 2016/11/05 17:47:30 martin Exp $
+#	$NetBSD: Makefile.inc,v 1.21.2.1.2.3 2017/01/16 11:56:42 martin Exp $
 
 .if !defined(BIND9_MAKEFILE_INC)
 BIND9_MAKEFILE_INC=yes

external/bsd/bind/dist/CHANGES

@@ -1,3 +1,27 @@
+	--- 9.10.4-P5 released ---
+
+4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
+			in responses resulting in SERVFAIL being returned.
+			[RT #43779]
+
+4528.	[bug]		Only set the flag bits for the i/o we are waiting
+			for on EPOLLERR or EPOLLHUP. [RT #43617]
+
+4519.	[port]		win32: handle ERROR_MORE_DATA. [RT #43534]
+
+4517.	[security]	Named could mishandle authority sections that were
+			missing RRSIGs triggering an assertion failure.
+			(CVE-2016-9444) [RT # 43632]
+
+4510.	[security]	Named mishandled some responses where covering RRSIG
+			records are returned without the requested data
+			resulting in a assertion failure. (CVE-2016-9147)
+			[RT #43548]
+
+4508.	[security]	Named incorrectly tried to cache TKEY records which
+			could trigger a assertion failure when there was
+			a class mismatch. (CVE-2016-9131) [RT #43522]
+
 	--- 9.10.4-P4 released ---
 
 4489.	[security]	It was possible to trigger assertions when processing

external/bsd/bind/dist/README

@@ -51,6 +51,11 @@ BIND 9
 	For up-to-date release notes and errata, see
 	http://www.isc.org/software/bind9/releasenotes
 
+BIND 9.10.4-P5
+
+	This version contains fixes for CVE-2016-9131, CVE-2016-9147,
+	CVE-2016-9444 and CVE-2016-9778.
+
 BIND 9.10.4-P4
 
 	This version contains a fix for CVE-2016-8864.

external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db

@@ -29,4 +29,6 @@ a.short			A	10.0.0.1
 short-dname		DNAME	short
 a.longlonglonglonglonglonglonglonglonglonglonglonglong	A 10.0.0.2
 long-dname		DNAME	longlonglonglonglonglonglonglonglonglonglonglonglong
-;
+cname			CNAME	a.cnamedname
+cnamedname		DNAME	target
+a.target		A	10.0.0.3

external/bsd/bind/dist/bin/tests/system/dname/tests.sh

@@ -63,6 +63,24 @@ grep "status: YXDOMAIN" dig.out.ns4.toolong > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking cname to dname from authoritative"
+ret=0
+$DIG cname.example @10.53.0.2 a -p 5300 > dig.out.ns2.cname
+grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking cname to dname from recursive"
+ret=0
+$DIG cname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cname
+grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
+grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 
 exit $status

external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/zkt-ls

@@ -1,12 +0,0 @@
-#!/bin/sh
-#
-#	Shell script to start the zkt-ls command
-#	out of the example directory
-#
-
-if test ! -f dnssec.conf
-then
-	echo Please start this skript out of the flat or hierarchical sub directory
-	exit 1
-fi
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-ls "$@"

external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/zkt-signer

@@ -1,12 +0,0 @@
-#!/bin/sh
-#
-#	Shell script to start the zkt-signer
-#	command out of the example directory
-#
-
-if test ! -f dnssec.conf
-then
-	echo Please start this skript out of the flat or hierarchical sub directory
-	exit 1
-fi
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-signer "$@"

external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/zkt-ls

@@ -1,12 +0,0 @@
-#!/bin/sh
-#
-#	Shell script to start the zkt-ls command
-#	out of the example directory
-#
-
-if test ! -f dnssec.conf
-then
-	echo Please start this skript out of the flat or hierarchical sub directory
-	exit 1
-fi
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-ls "$@"

external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/zkt-signer

@@ -1,12 +0,0 @@
-#!/bin/sh
-#
-#	Shell script to start the zkt-signer
-#	command out of the example directory
-#
-
-if test ! -f dnssec.conf
-then
-	echo Please start this skript out of the flat or hierarchical sub directory
-	exit 1
-fi
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-signer "$@"

external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html

@@ -555,6 +555,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html

@@ -153,6 +153,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html

@@ -669,6 +669,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html

@@ -2326,6 +2326,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html

@@ -138,6 +138,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html

@@ -12845,6 +12845,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html

@@ -248,6 +248,6 @@ zone "example.com" {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html

@@ -134,6 +134,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html

@@ -44,7 +44,7 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P5</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
@@ -60,13 +60,17 @@
 </div>
 <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P4</h2></div></div></div>
+<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P5</h2></div></div></div>
 <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
 <p>
       This document summarizes changes since BIND 9.10.4:
     </p>
+<p>
+      BIND 9.10.4-P5 addresses the security issues described in
+      CVE-2016-9131, CVE-2016-9147 and CVE-2016-9444.
+    </p>
 <p>
       BIND 9.10.4-P4 addresses the security issue described in
       CVE-2016-8864.
@@ -102,6 +106,22 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+	  Named could mishandle authority sections that were missing
+	  RRSIGs triggering an assertion failure.  This flaw is
+	  disclosed in CVE-2016-9444. [RT # 43632]
+	</p></li>
+<li class="listitem"><p>
+	  Named mishandled some responses where covering RRSIG
+	  records are returned without the requested data
+	  resulting in a assertion failure. This flaw is disclosed in
+	  CVE-2016-9147. [RT #43548]
+	</p></li>
+<li class="listitem"><p>
+	  Named incorrectly tried to cache TKEY records which could
+	  trigger a assertion failure when there was a class mismatch.
+	  This flaw is disclosed in CVE-2016-9131.  [RT #43522]
+	</p></li>
 <li class="listitem"><p>
 	  It was possible to trigger assertions when processing
 	  a response. This flaw is disclosed in CVE-2016-8864. [RT #43465]
@@ -198,6 +218,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html

@@ -155,6 +155,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html

@@ -497,6 +497,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html

@@ -543,6 +543,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html

@@ -154,6 +154,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/Bv9ARM.html

@@ -40,7 +40,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.10.4-P4</p></div>
+<div><p class="releaseinfo">BIND Version 9.10.4-P5</p></div>
 <div><p class="copyright">Copyright © 2004-2015 Internet Systems Consortium, Inc. ("ISC")</p></div>
 <div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
 </div>
@@ -239,7 +239,7 @@
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P5</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
@@ -385,6 +385,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.arpaname.html

@@ -81,6 +81,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.ddns-confgen.html

@@ -185,6 +185,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.delv.html

@@ -498,6 +498,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.dig.html

@@ -809,6 +809,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html

@@ -112,6 +112,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html

@@ -219,6 +219,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html

@@ -213,6 +213,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html

@@ -177,6 +177,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html

@@ -381,6 +381,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html

@@ -455,6 +455,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html

@@ -134,6 +134,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.dnssec-settime.html

@@ -264,6 +264,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html

@@ -564,6 +564,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.dnssec-verify.html

@@ -164,6 +164,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.genrandom.html

@@ -102,6 +102,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.host.html

@@ -247,6 +247,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html

@@ -112,6 +112,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.lwresd.html

@@ -253,6 +253,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.named-checkconf.html

@@ -151,6 +151,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.named-checkzone.html

@@ -338,6 +338,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.named-journalprint.html

@@ -102,6 +102,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.named-rrchecker.html

@@ -104,6 +104,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.named.conf.html

@@ -676,6 +676,6 @@ zone
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.named.html

@@ -369,6 +369,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.nsec3hash.html

@@ -103,6 +103,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.nsupdate.html

@@ -663,6 +663,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.rndc-confgen.html

@@ -223,6 +223,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.rndc.conf.html

@@ -246,6 +246,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/man.rndc.html

@@ -621,6 +621,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P4</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
 </body>
 </html>

external/bsd/bind/dist/doc/arm/notes.html

@@ -21,13 +21,17 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.10.4-P4</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.10.4-P5</h2></div></div></div>
 <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
 <p>
       This document summarizes changes since BIND 9.10.4:
     </p>
+<p>
+      BIND 9.10.4-P5 addresses the security issues described in
+      CVE-2016-9131, CVE-2016-9147 and CVE-2016-9444.
+    </p>
 <p>
       BIND 9.10.4-P4 addresses the security issue described in
       CVE-2016-8864.
@@ -63,6 +67,22 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem"><p>
+	  Named could mishandle authority sections that were missing
+	  RRSIGs triggering an assertion failure.  This flaw is
+	  disclosed in CVE-2016-9444. [RT # 43632]
+	</p></li>
+<li class="listitem"><p>
+	  Named mishandled some responses where covering RRSIG
+	  records are returned without the requested data
+	  resulting in a assertion failure. This flaw is disclosed in
+	  CVE-2016-9147. [RT #43548]
+	</p></li>
+<li class="listitem"><p>
+	  Named incorrectly tried to cache TKEY records which could
+	  trigger a assertion failure when there was a class mismatch.
+	  This flaw is disclosed in CVE-2016-9131.  [RT #43522]
+	</p></li>
 <li class="listitem"><p>
 	  It was possible to trigger assertions when processing
 	  a response. This flaw is disclosed in CVE-2016-8864. [RT #43465]

external/bsd/bind/dist/doc/arm/notes.xml

@@ -23,6 +23,10 @@
     <para>
       This document summarizes changes since BIND 9.10.4:
     </para>
+    <para>
+      BIND 9.10.4-P5 addresses the security issues described in
+      CVE-2016-9131, CVE-2016-9147, CVE-2016-9444 and CVE-2016-9778.
+    </para>
     <para>
       BIND 9.10.4-P4 addresses the security issue described in
       CVE-2016-8864.
@@ -57,6 +61,37 @@
 
   <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
     <itemizedlist>
+      <listitem>
+	<para>
+	  A coding error in the <option>nxdomain-redirect</option>
+	  feature could lead to an assertion failure if the redirection
+	  namespace was served from a local authoritative data source
+	  such as a local zone or a DLZ instead of via recursive
+	  lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
+	</para>
+      </listitem>
+      <listitem>
+	<para>
+	  Named could mishandle authority sections that were missing
+	  RRSIGs triggering an assertion failure.  This flaw is
+	  disclosed in CVE-2016-9444. [RT # 43632]
+	</para>
+      </listitem>
+      <listitem>
+	<para>
+	  Named mishandled some responses where covering RRSIG
+	  records are returned without the requested data
+	  resulting in a assertion failure. This flaw is disclosed in
+	  CVE-2016-9147. [RT #43548]
+	</para>
+      </listitem>
+      <listitem>
+	<para>
+	  Named incorrectly tried to cache TKEY records which could
+	  trigger a assertion failure when there was a class mismatch.
+	  This flaw is disclosed in CVE-2016-9131.  [RT #43522]
+	</para>
+      </listitem>
       <listitem>
 	<para>
 	  It was possible to trigger assertions when processing

external/bsd/bind/dist/lib/dns/api

@@ -6,5 +6,5 @@
 # 9.9-sub: 130-139, 150-159
 # 9.10: 140-149, 160-169
 LIBINTERFACE = 165
-LIBREVISION = 3
+LIBREVISION = 4
 LIBAGE = 0

external/bsd/bind/dist/lib/dns/message.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: message.c,v 1.13.2.2.2.2 2016/10/14 11:42:46 martin Exp $	*/
+/*	$NetBSD: message.c,v 1.13.2.2.2.3 2017/01/16 11:56:44 martin Exp $	*/
 
 /*
  * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
@@ -1158,6 +1158,63 @@ update(dns_section_t section, dns_rdataclass_t rdclass) {
 	return (ISC_FALSE);
 }
 
+/*
+ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
+ * covering RRSIGs.
+ */
+static isc_boolean_t
+auth_signed(dns_namelist_t *section) {
+	dns_name_t *name;
+
+	for (name = ISC_LIST_HEAD(*section);
+	     name != NULL;
+	     name = ISC_LIST_NEXT(name, link))
+	{
+		int auth_dnssec = 0, auth_rrsig = 0;
+		dns_rdataset_t *rds;
+
+		for (rds = ISC_LIST_HEAD(name->list);
+		     rds != NULL;
+		     rds = ISC_LIST_NEXT(rds, link))
+		{
+			switch (rds->type) {
+			case dns_rdatatype_ds:
+				auth_dnssec |= 0x1;
+				break;
+			case dns_rdatatype_nsec:
+				auth_dnssec |= 0x2;
+				break;
+			case dns_rdatatype_nsec3:
+				auth_dnssec |= 0x4;
+				break;
+			case dns_rdatatype_rrsig:
+				break;
+			default:
+				continue;
+			}
+
+			switch (rds->covers) {
+			case dns_rdatatype_ds:
+				auth_rrsig |= 0x1;
+				break;
+			case dns_rdatatype_nsec:
+				auth_rrsig |= 0x2;
+				break;
+			case dns_rdatatype_nsec3:
+				auth_rrsig |= 0x4;
+				break;
+			default:
+				break;
+			}
+		}
+
+		if (auth_dnssec != auth_rrsig)
+			return (ISC_FALSE);
+	}
+
+	return (ISC_TRUE);
+}
+
 static isc_result_t
 getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 	   dns_section_t sectionid, unsigned int options)
@@ -1183,12 +1240,12 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 	best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
 	seen_problem = ISC_FALSE;
 
+	section = &msg->sections[sectionid];
+
 	for (count = 0; count < msg->counts[sectionid]; count++) {
 		int recstart = source->current;
 		isc_boolean_t skip_name_search, skip_type_search;
 
-		section = &msg->sections[sectionid];
-
 		skip_name_search = ISC_FALSE;
 		skip_type_search = ISC_FALSE;
 		free_rdataset = ISC_FALSE;
@@ -1362,7 +1419,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 			goto cleanup;
 		rdata->rdclass = rdclass;
 		issigzero = ISC_FALSE;
-		if (rdtype == dns_rdatatype_rrsig  &&
+		if (rdtype == dns_rdatatype_rrsig &&
 		    rdata->flags == 0) {
 			covers = dns_rdata_covers(rdata);
 			if (covers == 0)
@@ -1573,6 +1630,19 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		INSIST(free_rdataset == ISC_FALSE);
 	}
 
+	/*
+	 * If any of DS, NSEC or NSEC3 appeared in the
+	 * authority section of a query response without
+	 * a covering RRSIG, FORMERR
+	 */
+	if (sectionid == DNS_SECTION_AUTHORITY &&
+	    msg->opcode == dns_opcode_query &&
+	    ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
+	    ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
+	    !preserve_order &&
+	    !auth_signed(section))
+		DO_FORMERR;
+
 	if (seen_problem)
 		return (DNS_R_RECOVERABLE);
 	return (ISC_R_SUCCESS);

external/bsd/bind/dist/lib/dns/resolver.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: resolver.c,v 1.19.2.3.2.3 2016/11/05 17:47:33 martin Exp $	*/
+/*	$NetBSD: resolver.c,v 1.19.2.3.2.4 2017/01/16 11:56:44 martin Exp $	*/
 
 /*
  * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
@@ -5467,16 +5467,13 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 							      rdataset->type,
 							      &noqname);
 					if (tresult == ISC_R_SUCCESS &&
-					    noqname != NULL) {
-						tresult =
-						     dns_rdataset_addnoqname(
+					    noqname != NULL)
+						(void) dns_rdataset_addnoqname(
 							    rdataset, noqname);
-						RUNTIME_CHECK(tresult ==
-							      ISC_R_SUCCESS);
-					}
 				}
-				if ((fctx->options & DNS_FETCHOPT_PREFETCH) != 0)
-						options = DNS_DBADD_PREFETCH;
+				if ((fctx->options &
+				     DNS_FETCHOPT_PREFETCH) != 0)
+					options = DNS_DBADD_PREFETCH;
 				addedrdataset = ardataset;
 				result = dns_db_addrdataset(fctx->cache, node,
 							    NULL, now, rdataset,
@@ -5609,11 +5606,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 				tresult = findnoqname(fctx, name,
 						      rdataset->type, &noqname);
 				if (tresult == ISC_R_SUCCESS &&
-				    noqname != NULL) {
-					tresult = dns_rdataset_addnoqname(
-							    rdataset, noqname);
-					RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
-				}
+				    noqname != NULL)
+					(void) dns_rdataset_addnoqname(
+						       rdataset, noqname);
 			}
 
 			/*
@@ -6751,7 +6746,7 @@ static isc_result_t
 answer_response(fetchctx_t *fctx) {
 	isc_result_t result;
 	dns_message_t *message;
-	dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
+	dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
 	dns_name_t *cname = NULL;
 	dns_rdataset_t *rdataset, *ns_rdataset;
 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
@@ -6759,7 +6754,7 @@ answer_response(fetchctx_t *fctx) {
 	isc_boolean_t wanted_chaining;
 	unsigned int aflag;
 	dns_rdatatype_t type;
-	dns_fixedname_t fdname, fqname, fqdname;
+	dns_fixedname_t fdname, fqname;
 	dns_view_t *view;
 
 	FCTXTRACE("answer_response");
@@ -6783,13 +6778,12 @@ answer_response(fetchctx_t *fctx) {
 		aa = ISC_TRUE;
 	else
 		aa = ISC_FALSE;
-	dqname = qname = &fctx->name;
+	qname = &fctx->name;
 	type = fctx->type;
 	view = fctx->res->view;
-	dns_fixedname_init(&fqdname);
 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
 	while (!done && result == ISC_R_SUCCESS) {
-		dns_namereln_t namereln, dnamereln;
+		dns_namereln_t namereln;
 		int order;
 		unsigned int nlabels;
 
@@ -6797,8 +6791,6 @@ answer_response(fetchctx_t *fctx) {
 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
 		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
-		dnamereln = dns_name_fullcompare(dqname, name, &order,
-						 &nlabels);
 		if (namereln == dns_namereln_equal) {
 			wanted_chaining = ISC_FALSE;
 			for (rdataset = ISC_LIST_HEAD(name->list);
@@ -6815,6 +6807,19 @@ answer_response(fetchctx_t *fctx) {
 					log_formerr(fctx, "NSEC3 in answer");
 					return (DNS_R_FORMERR);
 				}
+				if (rdataset->type == dns_rdatatype_tkey) {
+					/*
+					 * TKEY is not a valid record in a
+					 * response to any query we can make.
+					 */
+					log_formerr(fctx, "TKEY in answer");
+					return (DNS_R_FORMERR);
+				}
+				if (rdataset->rdclass != fctx->res->rdclass) {
+					log_formerr(fctx, "Mismatched class "
+						    "in answer");
+					return (DNS_R_FORMERR);
+				}
 
 				/*
 				 * Apply filters, if given, on answers to reject
@@ -6923,15 +6928,19 @@ answer_response(fetchctx_t *fctx) {
 						 * a CNAME or DNAME).
 						 */
 						INSIST(!external);
-						if ((rdataset->type !=
-						     dns_rdatatype_cname) ||
-						    !found_dname ||
-						    (aflag ==
-						     DNS_RDATASETATTR_ANSWER))
+						/*
+						 * Don't use found_cname here
+						 * as we have just set it
+						 * above.
+						 */
+						if (cname == NULL &&
+						    !found_dname &&
+						    aflag ==
+						     DNS_RDATASETATTR_ANSWER)
 						{
 							have_answer = ISC_TRUE;
-							if (rdataset->type ==
-							    dns_rdatatype_cname)
+							if (found_cname &&
+							    cname == NULL)
 								cname = name;
 							name->attributes |=
 							    DNS_NAMEATTR_ANSWER;
@@ -7001,6 +7010,12 @@ answer_response(fetchctx_t *fctx) {
 			     rdataset != NULL;
 			     rdataset = ISC_LIST_NEXT(rdataset, link))
 			{
+				if (rdataset->rdclass != fctx->res->rdclass) {
+					log_formerr(fctx, "Mismatched class "
+						    "in answer");
+					return (DNS_R_FORMERR);
+				}
+
 				/*
 				 * Only pass DNAME or RRSIG(DNAME).
 				 */
@@ -7028,11 +7043,24 @@ answer_response(fetchctx_t *fctx) {
 					return (DNS_R_FORMERR);
 				}
 
-				if (dnamereln != dns_namereln_subdomain) {
+				/*
+				 * If DNAME + synthetic CNAME then the
+				 * namereln is dns_namereln_subdomain.
+				 *
+				 * If synthetic CNAME + DNAME then the
+				 * namereln is dns_namereln_commonancestor
+				 * and the number of label must match the
+				 * DNAME.  This order is not RFC compliant.
+				 */
+
+				if (namereln != dns_namereln_subdomain &&
+				    (namereln != dns_namereln_commonancestor ||
+				     nlabels != dns_name_countlabels(name)))
+				{
 					char qbuf[DNS_NAME_FORMATSIZE];
 					char obuf[DNS_NAME_FORMATSIZE];
 
-					dns_name_format(dqname, qbuf,
+					dns_name_format(qname, qbuf,
 							sizeof(qbuf));
 					dns_name_format(name, obuf,
 							sizeof(obuf));
@@ -7047,7 +7075,7 @@ answer_response(fetchctx_t *fctx) {
 					want_chaining = ISC_TRUE;
 					POST(want_chaining);
 					aflag = DNS_RDATASETATTR_ANSWER;
-					result = dname_target(rdataset, dqname,
+					result = dname_target(rdataset, qname,
 							      nlabels, &fdname);
 					if (result == ISC_R_NOSPACE) {
 						/*
@@ -7064,13 +7092,11 @@ answer_response(fetchctx_t *fctx) {
 
 					dname = dns_fixedname_name(&fdname);
 					if (!is_answertarget_allowed(view,
-						     dqname, rdataset->type,
+						     qname, rdataset->type,
 						     dname, &fctx->domain))
 					{
 						return (DNS_R_SERVFAIL);
 					}
-					dqname = dns_fixedname_name(&fqdname);
-					dns_name_copy(dname, dqname, NULL);
 				} else {
 					/*
 					 * We've found a signature that
@@ -7216,7 +7242,8 @@ answer_response(fetchctx_t *fctx) {
 						rdataset->trust =
 						    dns_trust_additional;
 
-					if (rdataset->type == dns_rdatatype_ns) {
+					if (rdataset->type == dns_rdatatype_ns)
+					{
 						ns_name = name;
 						ns_rdataset = rdataset;
 					}

external/bsd/bind/dist/lib/isc/api

@@ -6,5 +6,5 @@
 # 9.9-sub: 130-139
 # 9.10: 140-149, 160-169
 LIBINTERFACE = 161
-LIBREVISION = 1
+LIBREVISION = 2
 LIBAGE = 1

external/bsd/bind/dist/lib/isc/unix/socket.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: socket.c,v 1.15.2.2.2.2 2016/10/14 11:42:50 martin Exp $	*/
+/*	$NetBSD: socket.c,v 1.15.2.2.2.3 2017/01/16 11:56:44 martin Exp $	*/
 
 /*
  * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
@@ -4077,7 +4077,8 @@ process_fds(isc__socketmgr_t *manager, struct epoll_event *events, int nevents)
 			 * events.  Note also that the read or write attempt
 			 * won't block because we use non-blocking sockets.
 			 */
-			events[i].events |= (EPOLLIN | EPOLLOUT);
+			int fd = events[i].data.fd;
+			events[i].events |= manager->epoll_events[fd];
 		}
 		process_fd(manager, events[i].data.fd,
 			   (events[i].events & EPOLLIN) != 0,

external/bsd/bind/dist/lib/isc/win32/socket.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: socket.c,v 1.8.2.2.2.1 2016/10/14 11:42:50 martin Exp $	*/
+/*	$NetBSD: socket.c,v 1.8.2.2.2.2 2017/01/16 11:56:45 martin Exp $	*/
 
 /*
  * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
@@ -2490,15 +2490,18 @@ SocketIoThread(LPVOID ThreadContext) {
 
 		request = lpo->request_type;
 
-		errstatus = 0;
-		if (!bSuccess) {
+		if (!bSuccess)
+			errstatus = GetLastError();
+		else
+			errstatus = 0;
+		if (!bSuccess && errstatus != ERROR_MORE_DATA) {
 			isc_result_t isc_result;
 
 			/*
 			 * Did the I/O operation complete?
 			 */
-			errstatus = GetLastError();
-			isc_result = isc__errno2resultx(errstatus, __FILE__, __LINE__);
+			isc_result = isc__errno2resultx(errstatus,
+							__FILE__, __LINE__);
 
 			LOCK(&sock->lock);
 			CONSISTENT(sock);

external/bsd/bind/dist/srcid

@@ -1 +1 @@
-SRCID=853aa4b
+SRCID=2b12043

external/bsd/bind/dist/version

@@ -7,5 +7,5 @@ MAJORVER=9
 MINORVER=10
 PATCHVER=4
 RELEASETYPE=-P
-RELEASEVER=4
+RELEASEVER=5
 EXTENSIONS=