From patchwork Sat Sep 13 12:53:48 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Matthias Fischer <matthias.fischer@ipfire.org>
X-Patchwork-Id: 9070
Return-Path: <development+bounces-975-patchwork=ipfire.org@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519)
	(Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4cPB7t1Dvjz3whk
	for <patchwork@web04.haj.ipfire.org>; Sat, 13 Sep 2025 12:54:18 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org
 [IPv6:2001:678:b28::201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519)
	(Client CN "mail02.haj.ipfire.org", Issuer "E8" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4cPB7t0220z3sf
	for <patchwork@ipfire.org>; Sat, 13 Sep 2025 12:54:18 +0000 (UTC)
Authentication-Results: mail01.ipfire.org;
	dkim=pass header.d=ipfire.org header.s=202003ed25519 header.b=kPytQs2s;
	dkim=pass header.d=ipfire.org header.s=202003rsa header.b=UAWsU1Q+;
	spf=softfail (mail01.ipfire.org: 2001:678:b28::201 is neither permitted nor
 denied by domain of
 "development+bounces-975-patchwork=ipfire.org@lists.ipfire.org")
 smtp.mailfrom="development+bounces-975-patchwork=ipfire.org@lists.ipfire.org";
	dmarc=pass (policy=reject) header.from=ipfire.org
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003rsa; t=1757768058;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=E+/J/QTvjkg4r/6BFFT5txhZ8jcYNYllf5lTldQ6Qa4=;
	b=ojKc+UZO5df/E9x58+H0fRoO85xniJ40e4CYq7Ma10CPxu0j63y/1w3RPrKMte9P3R3+0J
	1+8jjVmunbZc01ndIvAAfg5L9SP0ef3ZPWtqBNgJCqwV3BDNiIsTy0NZFQAt/76rPK68/5
	yVZ+4dbDAXd2LQKZHqTlB6E+axnlJfspG4O29z1IyukzjX5BxYbRGQKDLqHiE5U3JJPB3w
	+3cDfTEfIdr2YOhRouxqeaGktwLIsmyYnhM1RLRgq+3nCKAQFNAjsAoddt2k+6frlWOEC6
	eIMaJvL7z7vA7mRYniRumRrb+FstdyxVKSnqvCw7TUxzo/mKjlLyez2UCRlIRA==
ARC-Authentication-Results: i=1;
	mail01.ipfire.org;
	dkim=pass header.d=ipfire.org header.s=202003ed25519 header.b=kPytQs2s;
	dkim=pass header.d=ipfire.org header.s=202003rsa header.b=UAWsU1Q+;
	spf=softfail (mail01.ipfire.org: 2001:678:b28::201 is neither permitted nor
 denied by domain of
 "development+bounces-975-patchwork=ipfire.org@lists.ipfire.org")
 smtp.mailfrom="development+bounces-975-patchwork=ipfire.org@lists.ipfire.org";
	dmarc=pass (policy=reject) header.from=ipfire.org
ARC-Seal: i=1; s=202003rsa; d=ipfire.org; t=1757768058; a=rsa-sha256;
	cv=none;
	b=s/lkl5S4LB5Kimfw8zNQZzXaM4BpFoycu1D9sc2ME1kehLK9tad6HAp7hAwVVKHezKghyd
	GiwzYqGNgof2wtcM1gdyc19WD4yJv/lHCva0xhuKwCuTK6B+vcgdo6B93x6nLPDYnP/z7J
	ajQhLNPf5iPMeNWqlVG2KIzwWpW0fsOCqWDnlf+DLC2HcZFXgOLRLBgJj2jDTG95wGSV2T
	QT1F6ibjKhosmMRqWIEDRJoxKZa40lb+IChGxlMmv1JsLbc3PGCIxn626ior3DRXoufs5g
	2+7z77tEOP39Whv2sPxW6Y6ZGFZXTtJ1btI95+6HLfAdBXnQxIMY8Tr/VejfqA==
Received: from mail02.haj.ipfire.org (localhost [IPv6:::1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4cPB7s6RNwz32Kf
	for <patchwork@ipfire.org>; Sat, 13 Sep 2025 12:54:17 +0000 (UTC)
X-Original-To: development@lists.ipfire.org
Received: from mail01.ipfire.org (mail01.haj.ipfire.org
 [IPv6:2001:678:b28::25])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4cPB7q292mz2xWj
	for <development@lists.ipfire.org>; Sat, 13 Sep 2025 12:54:15 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4cPB7p4zp9z3M3;
	Sat, 13 Sep 2025 12:54:14 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003ed25519; t=1757768054;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=E+/J/QTvjkg4r/6BFFT5txhZ8jcYNYllf5lTldQ6Qa4=;
	b=kPytQs2s1Cues0sfUqsuPYNmH0ioC2GK0FbwArfwVRhVzYjtvlWj5VFz06udYUR/UM2F8x
	WhCkQF4r1WfUUUBQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
	t=1757768054;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=E+/J/QTvjkg4r/6BFFT5txhZ8jcYNYllf5lTldQ6Qa4=;
	b=UAWsU1Q+ZI3IytjTMW8mzswMKF5doc/n8Ygk0vZk9h04NnYtZpvpF92GwQKg2+qv9fuvA+
	UAZWezTA4u7x+jNj2fiwlhm6xUtGoe4BKwlaUoib7rwUkKoKYwGhFARpBkRqavYutB39IO
	GNvSxvFXKFAXfsqKgXBwqLBnQx2Q7ZevyLmUONAq6i0+1BKjdaDrTotGq5JV1XLxCV/28m
	fbvhgkJrDpnPfdkssRYoDXsmQIIlcOsgtMP+kMH5XWNB0o0Qv1ZjeoqCDK4YkMjq4/BlLW
	4PtPMwUq/HOWF3Dv1iyzuPws8EAl135ateK0Bjzq3g9gslq+vrMBHtddBAY2wQ==
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Cc: Matthias Fischer <matthias.fischer@ipfire.org>
Subject: [PATCH] bind: Update ot 9.20.13
Date: Sat, 13 Sep 2025 14:53:48 +0200
Message-ID: <20250913125405.2642510-1-matthias.fischer@ipfire.org>
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0
X-Spamd-Result: default: False [-11.21 / 11.00];
	BAYES_HAM(-3.00)[99.99%];
	DWL_DNSWL_MED(-2.00)[ipfire.org:dkim];
	FROM_INTERNAL_BULK_SENDERS(-2.00)[2001:678:b28::201];
	R_DKIM_ALLOW(-1.68)[ipfire.org:s=202003ed25519,ipfire.org:s=202003rsa];
	NEURAL_HAM(-1.00)[-1.000];
	MID_CONTAINS_FROM(1.00)[];
	DKIM_REPUTATION(-0.95)[-0.95142617534898];
	IP_REPUTATION_HAM(-0.79)[asn: 204867(-0.22), country: DE(-0.00),
 ip: 2001:678:b28::(-0.56)];
	DMARC_POLICY_ALLOW_WITH_FAILURES(-0.50)[];
	MAILLIST(-0.18)[generic];
	MIME_GOOD(-0.10)[text/plain];
	HAS_LIST_UNSUB(-0.01)[];
	MX_GOOD(-0.01)[];
	RECEIVED_HELO_LOCALHOST(0.00)[];
	FUZZY_RATELIMITED(0.00)[rspamd.com];
	ARC_NA(0.00)[];
	MIME_TRACE(0.00)[0:+];
	RCPT_COUNT_TWO(0.00)[2];
	FROM_HAS_DN(0.00)[];
	TO_DN_SOME(0.00)[];
	RCVD_COUNT_THREE(0.00)[3];
	RCVD_TLS_LAST(0.00)[];
	TAGGED_FROM(0.00)[bounces-975-patchwork=ipfire.org];
	MISSING_XM_UA(0.00)[];
	ASN(0.00)[asn:204867, ipnet:2001:678:b28::/48, country:DE];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	FROM_NEQ_ENVFROM(0.00)[matthias.fischer@ipfire.org,development@lists.ipfire.org];
	DKIM_TRACE(0.00)[ipfire.org:+];
	ARC_SIGNED(0.00)[ipfire.org:s=202003rsa:i=1];
	DMARC_POLICY_ALLOW(0.00)[ipfire.org,reject];
	R_SPF_SOFTFAIL(0.00)[~all:c];
	FORGED_SENDER_MAILLIST(0.00)[]
X-Rspamd-Action: no action
X-Rspamd-Server: mail01.haj.ipfire.org
X-Rspamd-Queue-Id: 4cPB7t0220z3sf

For details see:

https://downloads.isc.org/isc/bind9/9.20.13/doc/arm/html/notes.html#notes-for-bind-9-20-13

"Notes for BIND 9.20.13
New Features

    Add a new option manual-mode to dnssec-policy.

    When enabled, named will not modify DNSSEC keys or key states
    automatically. The proposed change will be logged and only after manual
    confirmation with rndc dnssec -step will the modification be made. [GL
    #4606]

    Add a new option servfail-until-ready to response-policy zones.

    By default, when named is started, it starts answering queries before
    all response policy zones are completely loaded and processed. This new
    option instructs named to respond with SERVFAIL until all the response
    policy zones are processed and ready. Note that if one or more response
    policy zones fail to load, named starts responding to queries according
    to those zones that did load.

    Note, that enabling this option has no effect when a DNS Response
    Policy Service (DNSRPS) interface is used. [GL #5222]

    Support for parsing HHIT and BRID records has been added.

    [GL #5444]

Removed Features

    Deprecate the tkey-gssapi-credential statement.

    The tkey-gssapi-keytab statement allows GSS-TSIG to be set up in a
    simpler and more reliable way than using the tkey-gssapi-credential
    statement and setting environment variables (e.g. KRB5_KTNAME).
    Therefore, the tkey-gssapi-credential statement has been deprecated;
    tkey-gssapi-keytab should be used instead.

    For configurations currently using a combination of both
    tkey-gssapi-keytab and tkey-gssapi-credential, the latter should be
    dropped and the keytab pointed to by tkey-gssapi-keytab should now only
    contain the credential previously specified by tkey-gssapi-credential.
    [GL #4204]

    Obsolete the “tkey-domain” statement.

    Mark the tkey-domain statement as obsolete because it has not had any
    effect on server behavior since support for TKEY Mode 2
    (Diffie-Hellman) was removed (in BIND 9.20.0). [GL #4204]

Bug Fixes

    Prevent spurious SERVFAILs for certain 0-TTL resource records.

    Under certain circumstances, BIND 9 can return SERVFAIL when updating
    existing entries in the cache with new NS, A, AAAA, or DS records that
    have a TTL of zero. [GL #5294]

    Fix unexpected termination if catalog-zones had undefined
    default-primaries.

    The issue manifested only if the server was reloaded or reconfigured
    twice. [GL #5494]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 config/rootfiles/common/bind | 10 +++++-----
 lfs/bind                     |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
index 538f4a6dd..db57a9d40 100644
--- a/config/rootfiles/common/bind
+++ b/config/rootfiles/common/bind
@@ -241,18 +241,18 @@ usr/bin/nsupdate
 #usr/include/ns/types.h
 #usr/include/ns/update.h
 #usr/include/ns/xfrout.h
-usr/lib/libdns-9.20.12.so
+usr/lib/libdns-9.20.13.so
 #usr/lib/libdns.la
 #usr/lib/libdns.so
-usr/lib/libisc-9.20.12.so
+usr/lib/libisc-9.20.13.so
 #usr/lib/libisc.la
 #usr/lib/libisc.so
-usr/lib/libisccc-9.20.12.so
+usr/lib/libisccc-9.20.13.so
 #usr/lib/libisccc.la
 #usr/lib/libisccc.so
-usr/lib/libisccfg-9.20.12.so
+usr/lib/libisccfg-9.20.13.so
 #usr/lib/libisccfg.la
 #usr/lib/libisccfg.so
-usr/lib/libns-9.20.12.so
+usr/lib/libns-9.20.13.so
 #usr/lib/libns.la
 #usr/lib/libns.so
diff --git a/lfs/bind b/lfs/bind
index d62846f58..9befe9bfc 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -25,7 +25,7 @@
 
 include Config
 
-VER        = 9.20.12
+VER        = 9.20.13
 
 THISAPP    = bind-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = f2135301ab04121c1ae82fc9283f0f03b0d11b634aaee49c072bb9a2a0f7e643a8f6c1f3890648e5d008a7d2c84953617b330241e3f856e33b56e64fb0312f0a
+$(DL_FILE)_BLAKE2 = c3738ebe468849293bec3d89499d7607b76fb636c7d21833dd56414fb569c1edfaa84d152ff9febfe0ebd5c65fa351423fbfbeaaee294d57949eb45631fd5623
 
 install : $(TARGET)