authorDoug Barton <dougb@FreeBSD.org>2010-12-04 05:58:56 +0000
committerDoug Barton <dougb@FreeBSD.org>2010-12-04 05:58:56 +0000
commitc3c441cd465bac8445ac300e23175c4241a23231 (patch)
treef01f0fcdfd363df827bfbc878514d9fc94ccdca9 /contrib/bind9/bin/named/server.c
parentbef5da7f9807b61ba1878f9308ec51e7b52bf719 (diff)
parentf805c4c11684ad447d955512cb705ebc2aba9ef3 (diff)
Update to version 9.6-ESV-R3, the latest from ISC, which addresses
the following security vulnerabilities. For more information regarding these issues please see: http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories 1. Cache incorrectly allows ncache and rrsig for the same type http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613 Affects resolver operators whose servers are open to potential attackers. Triggering the bug will cause the server to crash. This bug applies even if you do not have DNSSEC enabled. 2. Key algorithm rollover http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614 Affects resolver operators who are validating with DNSSEC, and querying zones which are in a key rollover period. The bug will cause answers to incorrectly be marked as insecure.
Notes
Notes: svn path=/head/; revision=216175
Diffstat (limited to 'contrib/bind9/bin/named/server.c')
-rw-r--r--contrib/bind9/bin/named/server.c41
1 files changed, 23 insertions, 18 deletions
diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c
index 8f6778666a07..5fbe043e644a 100644
--- a/contrib/bind9/bin/named/server.c
+++ b/contrib/bind9/bin/named/server.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.520.12.11.10.1 2010/03/03 22:06:36 marka Exp $ */
+/* $Id: server.c,v 1.520.12.11.10.4 2010/11/16 22:42:03 marka Exp $ */
/*! \file */
@@ -1132,6 +1132,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
dns_acache_setcachesize(view->acache, max_acache_size);
}
+ CHECK(configure_view_acl(vconfig, config, "allow-query", actx,
+ ns_g_mctx, &view->queryacl));
+
+ if (view->queryacl == NULL) {
+ CHECK(configure_view_acl(NULL, ns_g_config, "allow-query", actx,
+ ns_g_mctx, &view->queryacl));
+ }
+
/*
* Configure the zones.
*/
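Review bot: The new `allow-query` block at the top of this hunk has no comment, unlike the cache and recursion ACL sections further down in configure_view, so the lookup order and its placement ahead of zone configuration are left for the reader to reconstruct. I would add above the first CHECK: `/* "allow-query": take the view/options setting, else the built-in default from ns_g_config. */`. If the position before "Configure the zones" is required (presumably so the view ACL exists when zones are set up), the comment should say so, otherwise a later reorder could silently change which ACL applies. configure_view starts and ends outside the hunk.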
@@ -1606,13 +1614,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
* configured in named.conf.
*/
CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
- actx, ns_g_mctx, &view->queryacl));
+ actx, ns_g_mctx, &view->cacheacl));
CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on",
- actx, ns_g_mctx, &view->queryonacl));
- if (view->queryonacl == NULL)
+ actx, ns_g_mctx, &view->cacheonacl));
+ if (view->cacheonacl == NULL)
CHECK(configure_view_acl(NULL, ns_g_config,
"allow-query-cache-on", actx,
- ns_g_mctx, &view->queryonacl));
+ ns_g_mctx, &view->cacheonacl));
if (strcmp(view->name, "_bind") != 0) {
CHECK(configure_view_acl(vconfig, config, "allow-recursion",
actx, ns_g_mctx,
@@ -1628,14 +1636,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
* "allow-recursion" inherits from "allow-query-cache" if set,
* otherwise from "allow-query" if set.
*/
- if (view->queryacl == NULL && view->recursionacl != NULL)
- dns_acl_attach(view->recursionacl, &view->queryacl);
- if (view->queryacl == NULL && view->recursion)
+ if (view->cacheacl == NULL && view->recursionacl != NULL)
+ dns_acl_attach(view->recursionacl, &view->cacheacl);
+ if (view->cacheacl == NULL && view->recursion)
CHECK(configure_view_acl(vconfig, config, "allow-query",
- actx, ns_g_mctx, &view->queryacl));
+ actx, ns_g_mctx, &view->cacheacl));
if (view->recursion &&
- view->recursionacl == NULL && view->queryacl != NULL)
- dns_acl_attach(view->queryacl, &view->recursionacl);
+ view->recursionacl == NULL && view->cacheacl != NULL)
+ dns_acl_attach(view->cacheacl, &view->recursionacl);
/*
* Set default "allow-recursion", "allow-recursion-on" and
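Review bot: The `allow-query` fallback for `view->cacheacl` parses the option again from `vconfig`/`config` instead of attaching `view->queryacl`, and nothing in the hunk says why. Going by the earlier hunk that fills `view->queryacl` from `ns_g_config` when the user set nothing, that field may already hold the built-in default by this point, so attaching it would let the default stand in for an explicit `allow-query` and bypass the `allow-query-cache` default; the re-parse looks deliberate. A comment before the second `if` would protect it from a well-meant simplification: `/* Re-read "allow-query" from the user's config; view->queryacl may already carry the built-in default. */`. The surrounding comment and the function continue outside the hunk.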
@@ -1651,16 +1659,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
"allow-recursion-on",
actx, ns_g_mctx,
&view->recursiononacl));
- if (view->queryacl == NULL) {
+ if (view->cacheacl == NULL) {
if (view->recursion)
CHECK(configure_view_acl(NULL, ns_g_config,
"allow-query-cache", actx,
- ns_g_mctx, &view->queryacl));
- else {
- if (view->queryacl != NULL)
- dns_acl_detach(&view->queryacl);
- CHECK(dns_acl_none(ns_g_mctx, &view->queryacl));
- }
+ ns_g_mctx, &view->cacheacl));
+ else
+ CHECK(dns_acl_none(ns_g_mctx, &view->cacheacl));
}
/*
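Review bot: The `else` arm that installs `dns_acl_none` into `view->cacheacl` is the deny-by-default path for views with recursion off, and it now sits unbraced under an unbraced `if` whose body is a three-line `CHECK(...)` macro call. I would brace both arms and label the intent, e.g. `} else { /* recursion off: deny all cache queries */`, so a statement added later cannot fall outside the branch. How `CHECK` expands is not visible here, which is one more reason not to rely on the bare form. The enclosing block opens above the hunk.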