<feed xmlns='http://www.w3.org/2005/Atom'>
<title>packages/net/bind, branch master</title>
<subtitle>Mirror of packages feed</subtitle>
<id>https://git-03.infra.openwrt.org/feed/packages/atom?h=master</id>
<link rel='self' href='https://git-03.infra.openwrt.org/feed/packages/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/'/>
<updated>2026-05-29T13:25:01Z</updated>
<entry>
<title>bind: add version check override</title>
<updated>2026-05-29T13:25:01Z</updated>
<author>
<name>George Sapkin</name>
</author>
<published>2026-05-28T14:06:28Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=bc295ef790eeee3ff20389604c9727217fb4d93c'/>
<id>urn:sha1:bc295ef790eeee3ff20389604c9727217fb4d93c</id>
<content type='text'>
Add version check override script.

Signed-off-by: George Sapkin &lt;george@sapk.in&gt;
</content>
</entry>
<entry>
<title>bind: bump to 9.20.23</title>
<updated>2026-05-29T13:25:01Z</updated>
<author>
<name>Noah Meyerhans</name>
</author>
<published>2026-05-25T15:09:01Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=2394fbf0608f4ce09c070d5b20c7176123871f39'/>
<id>urn:sha1:2394fbf0608f4ce09c070d5b20c7176123871f39</id>
<content type='text'>
Resolves several security issues:

- CVE-2026-3592: Limit resolver server list size.
- CVE-2026-3039: Fix GSS-API resource leak.
- CVE-2026-5950: Avoid unbounded recursion loop.
- CVE-2026-5947: Fix crash in resolver when SIG(0)-signed responses are
  received under load.
- CVE-2026-3593: Add system test for HTTP/2 SETTINGS frame flood.
- CVE-2026-5946: Disable recursion, UPDATE, and NOTIFY for non-IN views.

Complete list of changes is available upstream at
https://ftp.isc.org/isc/bind9/9.20.23/doc/arm/html/changelog.html

Signed-off-by: Noah Meyerhans &lt;frodo@morgul.net&gt;
</content>
</entry>
<entry>
<title>bind: prevent mismatch of bind-libs version</title>
<updated>2026-04-07T18:59:27Z</updated>
<author>
<name>Mateusz Jończyk</name>
</author>
<published>2026-02-01T19:00:24Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=6f6bee95f8c9c9c2e7fcaa02bfe058e2f4654121'/>
<id>urn:sha1:6f6bee95f8c9c9c2e7fcaa02bfe058e2f4654121</id>
<content type='text'>
When upgrading specific packages manually, like:

        apk upgrade bind-dig

the bind-libs package is not upgraded automatically, which results in
problems when running the program, for example:

        root@OpenWrt:~# dig
        Error loading shared library libisc-9.20.10.so: No such file or directory (needed by /usr/bin/dig)
        Error loading shared library libdns-9.20.10.so: No such file or directory (needed by /usr/bin/dig)
        Error loading shared library libisccfg-9.20.10.so: No such file or directory (needed by /usr/bin/dig)
        Error relocating /usr/bin/dig: cfg_map_getname: symbol not found
        Error relocating /usr/bin/dig: irs_resconf_getndots: symbol not found
        Error relocating /usr/bin/dig: isc_managers_destroy: symbol not found
        Error relocating /usr/bin/dig: dns_fixedname_init: symbol not found
        Error relocating /usr/bin/dig: isc_nm_read: symbol not found
        Error relocating /usr/bin/dig: dns_rdata_init: symbol not found
        Error relocating /usr/bin/dig: isc_random_uniform: symbol not found
        [...]

This has happened to me twice on OpenWRT 24.10.

To fix this, enforce that the version of bind-libs matches the version
of any dependent packages. Use the same approach as in
net/knot/Makefile: make the dependency be present twice, once in the
DEPENDS variable, the other one in the EXTRA_DEPENDS variable.

Also, add an explicit EXTRA_DEPENDS variable to other internal
dependencies. For example, versions of the bind-server-filter-aaaa and
bind-server packages must match.

Tested on snapshot, on x86/64.

Signed-off-by: Mateusz Jończyk &lt;mat.jonczyk@o2.pl&gt;
</content>
</entry>
<entry>
<title>bind: bump to 9.20.21</title>
<updated>2026-03-31T11:42:09Z</updated>
<author>
<name>Noah Meyerhans</name>
</author>
<published>2026-03-28T15:31:50Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=d6d7d2325aac8ed2680470e3b56b2dca830efb53'/>
<id>urn:sha1:d6d7d2325aac8ed2680470e3b56b2dca830efb53</id>
<content type='text'>
Fixes several security issues:

- CVE-2026-1519 Fix unbounded NSEC3 iterations when validating
  referrals to unsigned delegations.
- CVE-2026-3104 Fix memory leaks in code preparing DNSSEC proofs of
  non-existence.
- CVE-2026-3119 Prevent a crash in code processing queries containing
  a TKEY record.
- CVE-2026-3591 Fix a stack use-after-return flaw in SIG(0) handling
  code.

Signed-off-by: Noah Meyerhans &lt;frodo@morgul.net&gt;
</content>
</entry>
<entry>
<title>bind: backport patch replace automatic empty zones</title>
<updated>2026-02-01T14:01:50Z</updated>
<author>
<name>Philip Prindeville</name>
</author>
<published>2025-12-10T21:50:48Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=505ca0a0d4b6949f4ebedf0b0c31c18eeebf521c'/>
<id>urn:sha1:505ca0a0d4b6949f4ebedf0b0c31c18eeebf521c</id>
<content type='text'>
The RFC-1918 zones are automatically synthesized locally by bind
to avoid forwarding queries about them to root nameservers.  As
a result, we can't easily replace them with rndc addzone on the
fly.  We need this for DHCP integration.

Signed-off-by: Philip Prindeville &lt;philipp@redfish-solutions.com&gt;
</content>
</entry>
<entry>
<title>bind: bump to 9.20.18</title>
<updated>2026-01-24T08:05:56Z</updated>
<author>
<name>Noah Meyerhans</name>
</author>
<published>2026-01-22T21:20:11Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=11aee85513246bfe71721bb074160507eaf3a764'/>
<id>urn:sha1:11aee85513246bfe71721bb074160507eaf3a764</id>
<content type='text'>
Fixes security issues:

 - CVE-2025-13878: Malformed BRID and HHIT records could trigger an
   assertion failure.

Signed-off-by: Noah Meyerhans &lt;frodo@morgul.net&gt;
</content>
</entry>
<entry>
<title>bind: manual fix for IPv6 server unreachable noise</title>
<updated>2025-12-13T01:06:44Z</updated>
<author>
<name>Philip Prindeville</name>
</author>
<published>2025-12-12T19:43:07Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=9d751f30fd6fb665b6d25b877b362bb39002cb27'/>
<id>urn:sha1:9d751f30fd6fb665b6d25b877b362bb39002cb27</id>
<content type='text'>
Until we have a failsafe way of detecting no IPv6 internet
connectivity automatically, allow the users to set it
manually for now.

Signed-off-by: Philip Prindeville &lt;philipp@redfish-solutions.com&gt;
</content>
</entry>
<entry>
<title>bind: save out served domains on service stop</title>
<updated>2025-12-06T21:05:05Z</updated>
<author>
<name>Philip Prindeville</name>
</author>
<published>2025-12-02T04:26:23Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=605a457cacef2df88f6ac20c2533f54071ed4f7c'/>
<id>urn:sha1:605a457cacef2df88f6ac20c2533f54071ed4f7c</id>
<content type='text'>
If named gets stopped, then started again, but isc-dhcpd isn't also
restarted, then we want named to at least have the existing content.

Signed-off-by: Philip Prindeville &lt;philipp@redfish-solutions.com&gt;
</content>
</entry>
<entry>
<title>bind: bump to 9.20.15</title>
<updated>2025-10-22T23:12:41Z</updated>
<author>
<name>Noah Meyerhans</name>
</author>
<published>2025-10-22T20:29:11Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=59465b95b847c2925993b2472d08af6f7571d770'/>
<id>urn:sha1:59465b95b847c2925993b2472d08af6f7571d770</id>
<content type='text'>
Fixes the following security issues:

- CVE-2025-8677: DNSSEC validation fails if matching but invalid
  DNSKEY is found.
- CVE-2025-40778 Address various spoofing attacks.
- CVE-2025-40780 Cache-poisoning due to weak pseudo-random number
  generator.

The complete list of changes from version 9.20.11 is available in the
upstream changelog at
https://ftp.isc.org/isc/bind9/9.20.15/doc/arm/html/changelog.html

Signed-off-by: Noah Meyerhans &lt;frodo@morgul.net&gt;
</content>
</entry>
<entry>
<title>bind: don't break IPv6 support</title>
<updated>2025-09-19T15:35:38Z</updated>
<author>
<name>David Härdeman</name>
</author>
<published>2025-09-18T07:55:29Z</published>
<link rel='alternate' type='text/html' href='https://git-03.infra.openwrt.org/feed/packages/commit/?id=c3a4dc458efcbaae802e6fb91aed88f3871fe894'/>
<id>urn:sha1:c3a4dc458efcbaae802e6fb91aed88f3871fe894</id>
<content type='text'>
What started in #20183 as an attempt to clean up noise in the logfiles,
turned out to be causing denial-of-service for dual-stack and especially
IPv6-only environments.

Breaking core network functionality cannot possibly be less important
than cosmetic issues, and those affected by log spam can avoid it via
other means (e.g. "query-source-v6 none;" in named.conf).

There's no reliable heuristic for determining whether there's IPv6
connectivity at the time bind is started which will catch any and all
corner cases, as discussed in #26327.

So, remove this logic for now. If a suitable heuristic can be devised,
it can always be added in a subsequent patch, but I have my doubts.

(Also, quote one variable to make shellcheck happy)

Closes: #26327
Closes: #20468

Signed-off-by: David Härdeman &lt;david@hardeman.nu&gt;
</content>
</entry>
</feed>
