authorChristian Ruppert <idl0r@gentoo.org>2010-05-12 23:34:43 +0000
committerChristian Ruppert <idl0r@gentoo.org>2010-05-12 23:34:43 +0000
commita64e1c2162ab74696747f940a423adf8630f29fe (patch)
tree92cc2057b073e227629a7062692f47e7c24334ef /net-dns/bind/files
parentVersion bump to 9.7.0_p1. Remove bind-tools-9.6.1_p2. Use EAPI 3 and src_prep... (diff)
Add two patches for dlz/ldap in bind-9.6.1_p3-r1, bug 238681. Remove "dig" from make, it's installed by bind-tools. Remove bind-9.6.1_p3. Version bump to 9.7.0_p1, bug 302361. Disable geoip support for now, since it's not yet ready for 9.7.x. Some clean up. Fix permissions, bug 174084 and bug 301275. Don't add a syslog rule automatically to the syslog-ng.conf, use elog now. Add a new named.conf-r4 which contains a lot of new stuff and improvements, but see for yourself.
(Portage version: 2.2_rc67/cvs/Linux x86_64)
Diffstat (limited to 'net-dns/bind/files')
-rw-r--r--net-dns/bind/files/bind-9.6.1-dlz-patch-dollar2.patch104
-rw-r--r--net-dns/bind/files/bind-9.6.1-dlz-patch-ldap-url.patch17
-rw-r--r--net-dns/bind/files/named.conf-r4188
3 files changed, 309 insertions, 0 deletions
diff --git a/net-dns/bind/files/bind-9.6.1-dlz-patch-dollar2.patch b/net-dns/bind/files/bind-9.6.1-dlz-patch-dollar2.patch
new file mode 100644
index 000000000000..94d294bace36
--- /dev/null
+++ b/net-dns/bind/files/bind-9.6.1-dlz-patch-dollar2.patch
@@ -0,0 +1,104 @@
+*** bind-9.6.1/contrib/dlz/drivers/sdlz_helper.c.realorig 2008-01-27 15:46:49.000000000 +0100
+--- bind-9.6.1/contrib/dlz/drivers/sdlz_helper.c 2008-01-27 15:46:49.000000000 +0100
+***************
+*** 181,187 ****
+ tseg->direct = isc_boolean_true;
+ tseg->strlen = strlen(tseg->sql);
+
+! /* check if we encountered "%zone%" token */
+ if (strcasecmp(tseg->sql, "zone") == 0) {
+ /*
+ * we don't really need, or want the "zone"
+--- 181,187 ----
+ tseg->direct = isc_boolean_true;
+ tseg->strlen = strlen(tseg->sql);
+
+! /* check if we encountered "$zone$" token */
+ if (strcasecmp(tseg->sql, "zone") == 0) {
+ /*
+ * we don't really need, or want the "zone"
+***************
+*** 194,200 ****
+ /* tseg->sql points in-directly to a string */
+ tseg->direct = isc_boolean_false;
+ foundzone = isc_boolean_true;
+! /* check if we encountered "%record%" token */
+ } else if (strcasecmp(tseg->sql, "record") == 0) {
+ /*
+ * we don't really need, or want the "record"
+--- 194,200 ----
+ /* tseg->sql points in-directly to a string */
+ tseg->direct = isc_boolean_false;
+ foundzone = isc_boolean_true;
+! /* check if we encountered "$record$" token */
+ } else if (strcasecmp(tseg->sql, "record") == 0) {
+ /*
+ * we don't really need, or want the "record"
+***************
+*** 207,213 ****
+ /* tseg->sql points in-directly poinsts to a string */
+ tseg->direct = isc_boolean_false;
+ foundrecord = isc_boolean_true;
+! /* check if we encountered "%client%" token */
+ } else if (strcasecmp(tseg->sql, "client") == 0) {
+ /*
+ * we don't really need, or want the "client"
+--- 207,213 ----
+ /* tseg->sql points in-directly poinsts to a string */
+ tseg->direct = isc_boolean_false;
+ foundrecord = isc_boolean_true;
+! /* check if we encountered "$client$" token */
+ } else if (strcasecmp(tseg->sql, "client") == 0) {
+ /*
+ * we don't really need, or want the "client"
+***************
+*** 235,241 ****
+ /* Write error message to log */
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+! "Required token %%client%% not found.");
+ result = ISC_R_FAILURE;
+ goto flag_fail;
+ }
+--- 235,241 ----
+ /* Write error message to log */
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+! "Required token $client$ not found.");
+ result = ISC_R_FAILURE;
+ goto flag_fail;
+ }
+***************
+*** 245,251 ****
+ /* Write error message to log */
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+! "Required token %%record%% not found.");
+ result = ISC_R_FAILURE;
+ goto flag_fail;
+ }
+--- 245,251 ----
+ /* Write error message to log */
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+! "Required token $record$ not found.");
+ result = ISC_R_FAILURE;
+ goto flag_fail;
+ }
+***************
+*** 255,261 ****
+ /* Write error message to log */
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+! "Required token %%zone%% not found.");
+ result = ISC_R_FAILURE;
+ goto flag_fail;
+ }
+--- 255,261 ----
+ /* Write error message to log */
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+! "Required token $zone$ not found.");
+ result = ISC_R_FAILURE;
+ goto flag_fail;
+ }
diff --git a/net-dns/bind/files/bind-9.6.1-dlz-patch-ldap-url.patch b/net-dns/bind/files/bind-9.6.1-dlz-patch-ldap-url.patch
new file mode 100644
index 000000000000..d67ca1150827
--- /dev/null
+++ b/net-dns/bind/files/bind-9.6.1-dlz-patch-ldap-url.patch
@@ -0,0 +1,17 @@
+--- bind-9.6.1/contrib/dlz/drivers/sdlz_helper.c.orig
++++ bind-9.6.1/contrib/dlz/drivers/sdlz_helper.c
+@@ -166,12 +166,12 @@
+ ISC_LIST_APPEND(*tql, tseg, link);
+
+ /*
+- * split string at the first "%". set query segment to
++ * split string at the first "$". set query segment to
+ * left portion
+ */
+ tseg->sql = isc_mem_strdup(mctx,
+ isc_string_separate(&right_str,
+- "%"));
++ "$"));
+ if (tseg->sql == NULL) {
+ /* no memory, clean everything up. */
+ result = ISC_R_NOMEMORY;
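Review bot: The separator passed to `isc_string_separate(&right_str, "$")` sits in sdlz_helper.c, which as far as I know is the helper shared by the SDLZ drivers in general, so this swap is probably not limited to LDAP: an existing DLZ query written with `%zone%`, `%record%` or `%client%` tokens would presumably stop being tokenised after the upgrade. The patch carries no header saying why the delimiter changes, nor that the companion bind-9.6.1-dlz-patch-dollar2.patch (which only updates comments and log strings) has to be applied with it. I would add a header line such as `Switch the DLZ token delimiter from % to $ (bug 238681); affects every driver using sdlz_helper.c; apply together with dlz-patch-dollar2.` and have the ebuild tell users to update their configured queries. The enclosing function starts and ends outside the hunk.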
diff --git a/net-dns/bind/files/named.conf-r4 b/net-dns/bind/files/named.conf-r4
new file mode 100644
index 000000000000..58df93945a4c
--- /dev/null
+++ b/net-dns/bind/files/named.conf-r4
@@ -0,0 +1,188 @@
+/*
+ * Refer to the named.conf(5) and named(8) man pages, and the documentation
+ * in /usr/share/doc/bind-9 for more details.
+ * Online versions of the documentation can be found here:
+ * http://www.isc.org/software/bind/documentation
+ *
+ * If you are going to set up an authoritative server, make sure you
+ * understand the hairy details of how DNS works. Even with simple mistakes,
+ * you can break connectivity for affected parties, or cause huge amounts of
+ * useless Internet traffic.
+ */
+
+acl "xfer" {
+ /* Allow no transfers. If we have other name servers, place them here. */
+ //127.0.0.1/32;
+ //::1/128;
+ "none";
+};
+
+/*
+ * You might put in here some ips which are allowed to use the cache or
+ * recursive queries
+ */
+acl "trusted" {
+ 127.0.0.0/8;
+ ::1/128;
+};
+
+options {
+ directory "/var/bind";
+ pid-file "/var/run/named/named.pid";
+
+ /* https://www.isc.org/solutions/dlv */
+ bindkeys-file "/etc/bind/bind.keys";
+
+ listen-on-v6 { none; };
+ listen-on { 127.0.0.1; };
+
+ allow-query {
+ /*
+ * Accept queries from our "trusted" ACL. We will
+ * allow anyone to query our master zones below.
+ * This prevents us from becoming a free DNS server
+ * to the masses.
+ */
+ trusted;
+ };
+
+ allow-query-cache {
+ /* Use the cache for the "trusted" ACL. */
+ trusted;
+ };
+
+ allow-transfer {
+ /*
+ * Zone tranfers limited to members of the
+ * "xfer" ACL (e.g. secondary nameserver).
+ */
+ xfer;
+ };
+
+/*
+ * If you've got a DNS server around at your upstream provider, enter its
+ * IP address here, and enable the line below. This will make you benefit
+ * from its cache, thus reduce overall DNS traffic in the Internet.
+ *
+ * Uncomment the following lines to turn on DNS forwarding, and change
+ * and/or update the forwarding ip address(es):
+ */
+/*
+ forward first;
+ forwarders {
+ // 123.123.123.123; // Your ISP NS
+ // 124.124.124.124; // Your ISP NS
+ 4.2.2.1; // Level3 Public DNS
+ 4.2.2.2; // Level3 Public DNS
+ 8.8.8.8; // Google Open DNS
+ 8.8.4.4; // Google Open DNS
+ };
+
+*/
+
+ //dnssec-enable yes;
+
+ /* if you have problems and are behind a firewall: */
+ //query-source address * port 53;
+};
+
+logging {
+ channel default_log {
+ file "/var/log/named/named.log" versions 5 size 50M;
+ print-time yes;
+ print-severity yes;
+ print-category yes;
+ };
+
+ category default { default_log; };
+ category general { default_log; };
+};
+
+include "/etc/bind/rndc.key";
+controls {
+ inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
+};
+
+
+view "internal" in {
+ /*
+ * Our internal (trusted) view. We permit the internal networks
+ * to freely access this view. We perform recursion for our
+ * internal hosts, and retrieve data from the cache for them.
+ */
+
+ match-clients { trusted; };
+ recursion yes;
+ additional-from-auth yes;
+ additional-from-cache yes;
+
+ zone "." in {
+ type hint;
+ file "/var/bind/root.cache";
+ };
+
+ zone "localhost" IN {
+ type master;
+ file "pri/localhost.zone";
+ allow-update { none; };
+ notify no;
+ };
+
+ zone "127.in-addr.arpa" IN {
+ type master;
+ file "pri/127.zone";
+ allow-update { none; };
+ notify no;
+ };
+};
+
+view "public" in {
+ /*
+ * Our external (untrusted) view. We permit any client to access
+ * portions of this view. We do not perform recursion or cache
+ * access for hosts using this view.
+ */
+
+ match-clients { any; };
+ recursion no;
+ additional-from-auth no;
+ additional-from-cache no;
+
+ zone "." in {
+ type hint;
+ file "/var/bind/root.cache";
+ };
+
+ //zone "YOUR-DOMAIN.TLD" {
+ // type master;
+ // file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
+ // allow-query { any; };
+ //};
+
+ //zone "YOUR-SLAVE.TLD" {
+ // type slave;
+ // file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
+ // masters { <MASTER>; };
+
+ // /* Anybody is allowed to query but transfer should be controlled by the master. */
+ // allow-query { any; };
+ // allow-transfer { none; };
+
+ // /* The master should be the only one who notifies the slaves, shouldn't it? */
+ // allow-notify { <MASTER>; };
+ // notify no;
+ //};
+
+ /*
+ * Briefly, a zone which has been declared delegation-only will be effectively
+ * limited to containing NS RRs for subdomains, but no actual data beyond its
+ * own apex (for example, its SOA RR and apex NS RRset). This can be used to
+ * filter out "wildcard" or "synthesized" data from NAT boxes or from
+ * authoritative name servers whose undelegated (in-zone) data is of no
+ * interest.
+ * See http://www.isc.org/products/BIND/delegation-only.html for more info
+ */
+
+ //zone "COM" { type delegation-only; };
+ //zone "NET" { type delegation-only; };
+};
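Review bot: The commented-out hint `//query-source address * port 53;` under "if you have problems and are behind a firewall" offers a fixed source port with no caveat. An admin who enables it gives up source-port randomization for outgoing queries, one of the resolver's main defences against cache poisoning, and the "internal" view in this file does recurse. I would reword the comment to something like `/* behind a restrictive firewall? prefer fixing the firewall; pinning the port with query-source weakens cache-poisoning protection */`, or offer `query-source address * port *;` instead. Separately, the forwarders example labels 8.8.8.8 and 8.8.4.4 as "Google Open DNS", which looks like a mix-up of two different services; `// Google Public DNS` would be accurate.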