prep 9.11.6-P1

CHANGES

+	--- 9.11.6-P1 released ---
+
 5200.	[security]	tcp-clients settings could be exceeded in some cases,
 			which could lead to exhaustion of file descriptors.
 			(CVE-2018-5743) [GL #615]

README.md

@@ -282,6 +282,11 @@ feature:
 BIND 9.11.6 is a maintenance release, and also addresses the security
 flaws disclosed in CVE-2018-5744, CVE-2018-5745, and CVE-2019-6465.
 
+#### BIND 9.11.6-P1
+
+BIND 9.11.6-P1 addresses the security vulnerability disclosed in
+CVE-2018-5743.
+
 ### <a name="build"/> Building BIND
 
 BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX

doc/arm/notes.xml

@@ -76,66 +76,12 @@
 
   <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
     <itemizedlist>
-      <listitem>
-	<para>
-	  <command>named</command> could crash during recursive processing
-	  of DNAME records when <command>deny-answer-aliases</command> was
-	  in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  When recursion is enabled but the <command>allow-recursion</command>
-	  and <command>allow-query-cache</command> ACLs are not specified, they
-	  should be limited to local networks, but they were inadvertently set
-	  to match the default <command>allow-query</command>, thus allowing
-	  remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  Code change #4964, intended to prevent double signatures
-	  when deleting an inactive zone DNSKEY in some situations,
-	  introduced a new problem during zone processing in which
-	  some delegation glue RRsets are incorrectly identified
-	  as needing RRSIGs, which are then created for them using
-	  the current active ZSK for the zone. In some, but not all
-	  cases, the newly-signed RRsets are added to the zone's
-	  NSEC/NSEC3 chain, but incompletely -- this can result in
-	  a broken chain, affecting validation of proof of nonexistence
-	  for records in the zone. [GL #771]
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  <command>named</command> could crash if it managed a DNSSEC
-	  security root with <command>managed-keys</command> and the
-	  authoritative zone rolled the key to an algorithm not supported
-	  by BIND 9.  This flaw is disclosed in CVE-2018-5745. [GL #780]
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  <command>named</command> leaked memory when processing a
-	  request with multiple Key Tag EDNS options present. ISC
-	  would like to thank Toshifumi Sakaguchi for bringing this
-	  to our attention.  This flaw is disclosed in CVE-2018-5744.
-	  [GL #772]
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  Zone transfer controls for writable DLZ zones were not
-	  effective as the <command>allowzonexfr</command> method was
-	  not being called for such zones. This flaw is disclosed in
-	  CVE-2019-6465. [GL #790]
-	</para>
-      </listitem>
       <listitem>
 	<para>
 	  The TCP client quota set using the <command>tcp-clients</command>
 	  option could be exceeded in some cases. This could lead to
-	  exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
+	  exhaustion of file descriptors. This flaw is disclosed in
+	  CVE-2018-5743. [GL #615]
 	</para>
       </listitem>
     </itemizedlist>
@@ -145,55 +91,7 @@
     <itemizedlist>
       <listitem>
 	<para>
-	  <command>named</command> now supports the "root key sentinel"
-	  mechanism. This enables validating resolvers to indicate
-	  which trust anchors are configured for the root, so that
-	  information about root key rollover status can be gathered.
-	  To disable this feature, add
-	  <command>root-key-sentinel no;</command> to
-	  <filename>named.conf</filename>.
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  Added the ability not to return a DNS COOKIE option when one
-	  is present in the request.  To prevent a cookie being returned,
-	  add <command>answer-cookie no;</command> to
-	  <filename>named.conf</filename>. [GL #173]
-	</para>
-	<para>
-	  <command>answer-cookie no</command> is only intended as a
-	  temporary measure, for use when <command>named</command>
-	  shares an IP address with other servers that do not yet
-	  support DNS COOKIE.  A mismatch between servers on the
-	  same address is not expected to cause operational problems,
-	  but the option to disable COOKIE responses so that all
-	  servers have the same behavior is provided out of an
-	  abundance of caution. DNS COOKIE is an important security
-	  mechanism, and should not be disabled unless absolutely
-	  necessary.
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  Two new update policy rule types have been added
-	  <command>krb5-selfsub</command> and <command>ms-selfsub</command>
-	  which allow machines with Kerberos principals to update
-	  the name space at or below the machine names identified
-	  in the respective principals.
-	</para>
-      </listitem>
-    </itemizedlist>
-  </section>
-
-  <section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
-    <itemizedlist>
-      <listitem>
-	<para>
-	  <command>named</command> will now log a warning if the old
-	  BIND now can be compiled against libidn2 library to add
-	  IDNA2008 support.  Previously BIND only supported IDNA2003
-	  using (now obsolete) idnkit-1 library.
+	  None.
 	</para>
       </listitem>
     </itemizedlist>
@@ -203,37 +101,7 @@
     <itemizedlist>
       <listitem>
 	<para>
-	  <command>dig +noidnin</command> can be used to disable IDN
-	  processing on the input domain name, when BIND is compiled
-	  with IDN support.
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  Multiple <command>cookie-secret</command> clause are now
-	  supported.  The first <command>cookie-secret</command> in
-	  <filename>named.conf</filename> is used to generate new
-	  server cookies.  Any others are used to accept old server
-	  cookies or those generated by other servers using the
-	  matching <command>cookie-secret</command>.
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  The <command>rndc nta</command> command could not differentiate
-	  between views of the same name but different class; this
-	  has been corrected with the addition of a <command>-class</command>
-	  option. [GL #105]
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  When compiled with IDN support, the <command>dig</command> and the
-	  <command>nslookup</command> commands now disable IDN processing when
-	  the standard output is not a tty (e.g. not used by human).  The command
-	  line options +idnin and +idnout need to be used to enable IDN
-	  processing when <command>dig</command> or <command>nslookup</command>
-	  is used from the shell scripts.
+	  None.
 	</para>
       </listitem>
     </itemizedlist>
@@ -243,27 +111,7 @@
     <itemizedlist>
       <listitem>
 	<para>
-	  When a negative trust anchor was added to multiple views
-	  using <command>rndc nta</command>, the text returned via
-	  <command>rndc</command> was incorrectly truncated after the
-	  first line, making it appear that only one NTA had been
-	  added. This has been fixed. [GL #105]
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  <command>named</command> now rejects excessively large
-	  incremental (IXFR) zone transfers in order to prevent
-	  possible corruption of journal files which could cause
-	  <command>named</command> to abort when loading zones. [GL #339]
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  <command>rndc reload</command> could cause <command>named</command>
-	  to leak memory if it was invoked before the zone loading actions
-	  from a previous <command>rndc reload</command> command were
-	  completed. [RT #47076]
+	  None.
 	</para>
       </listitem>
     </itemizedlist>

lib/isc/api

@@ -8,6 +8,6 @@
 # 9.10-sub: 180-189
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
-LIBINTERFACE = 1100
-LIBREVISION = 1
-LIBAGE = 0
+LIBINTERFACE = 1101
+LIBREVISION = 0
+LIBAGE = 1

version

@@ -6,6 +6,6 @@ DESCRIPTION="(Extended Support Version)"
 MAJORVER=9
 MINORVER=11
 PATCHVER=6
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=-P
+RELEASEVER=1
 EXTENSIONS=