packages/net/bind/Makefile, branch master

bind: prevent mismatch of bind-libs version

2026-04-07T18:59:27Z

When upgrading specific packages manually, like: apk upgrade bind-dig the bind-libs package is not upgraded automatically, which results in problems when running the program, for example: root@OpenWrt:~# dig Error loading shared library libisc-9.20.10.so: No such file or directory (needed by /usr/bin/dig) Error loading shared library libdns-9.20.10.so: No such file or directory (needed by /usr/bin/dig) Error loading shared library libisccfg-9.20.10.so: No such file or directory (needed by /usr/bin/dig) Error relocating /usr/bin/dig: cfg_map_getname: symbol not found Error relocating /usr/bin/dig: irs_resconf_getndots: symbol not found Error relocating /usr/bin/dig: isc_managers_destroy: symbol not found Error relocating /usr/bin/dig: dns_fixedname_init: symbol not found Error relocating /usr/bin/dig: isc_nm_read: symbol not found Error relocating /usr/bin/dig: dns_rdata_init: symbol not found Error relocating /usr/bin/dig: isc_random_uniform: symbol not found [...] This has happened to me twice on OpenWRT 24.10. To fix this, enforce that the version of bind-libs matches the version of any dependent packages. Use the same approach as in net/knot/Makefile: make the dependency be present twice, once in the DEPENDS variable, the other one in the EXTRA_DEPENDS variable. Also, add an explicit EXTRA_DEPENDS variable to other internal dependencies. For example, versions of the bind-server-filter-aaaa and bind-server packages must match. Tested on snapshot, on x86/64. Signed-off-by: Mateusz Jończyk

bind: bump to 9.20.21

2026-03-31T11:42:09Z

Fixes several security issues: - CVE-2026-1519 Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations. - CVE-2026-3104 Fix memory leaks in code preparing DNSSEC proofs of non-existence. - CVE-2026-3119 Prevent a crash in code processing queries containing a TKEY record. - CVE-2026-3591 Fix a stack use-after-return flaw in SIG(0) handling code. Signed-off-by: Noah Meyerhans

bind: backport patch replace automatic empty zones

2026-02-01T14:01:50Z

The RFC-1918 zones are automatically synthesized locally by bind to avoid forwarding queries about them to root nameservers. As a result, we can't easily replace them with rndc addzone on the fly. We need this for DHCP integration. Signed-off-by: Philip Prindeville

bind: bump to 9.20.18

2026-01-24T08:05:56Z

Fixes security issues: - CVE-2025-13878: Malformed BRID and HHIT records could trigger an assertion failure. Signed-off-by: Noah Meyerhans

bind: manual fix for IPv6 server unreachable noise

2025-12-13T01:06:44Z

Until we have a failsafe way of detecting no IPv6 internet connectivity automatically, allow the users to set it manually for now. Signed-off-by: Philip Prindeville

bind: save out served domains on service stop

2025-12-06T21:05:05Z

If named gets stopped, then started again, but isc-dhcpd isn't also restarted, then we want named to at least have the existing content. Signed-off-by: Philip Prindeville

bind: bump to 9.20.15

2025-10-22T23:12:41Z

Fixes the following security issues: - CVE-2025-8677: DNSSEC validation fails if matching but invalid DNSKEY is found. - CVE-2025-40778 Address various spoofing attacks. - CVE-2025-40780 Cache-poisoning due to weak pseudo-random number generator. The complete list of changes from version 9.20.11 is available in the upstream changelog at https://ftp.isc.org/isc/bind9/9.20.15/doc/arm/html/changelog.html Signed-off-by: Noah Meyerhans

bind: don't break IPv6 support

2025-09-19T15:35:38Z

What started in #20183 as a attempt to clean up noise in the logfiles, turned out to be causing denial-of-service for dual-stack and especially IPv6-only environments. Breaking core network functionality cannot possibly be less important than cosmetic issues, and those affected by log spam can avoid it via other means (e.g. "query-source-v6 none;" in named.conf). There's no reliable heuristic for determining whether there's IPv6 connectivity at the time bind is started which will catch any and all corner cases, as discussed in #26327. So, remove this logic for now. If a suitable heuristic can be devised, it can always be added in a subsequent patch, but I have my doubts. (Also, quote one variable to make shellcheck happy) Closes: #26327 Closes: #20468 Signed-off-by: David Härdeman

bind: fix build and bump PKG_RELEASE

2025-09-13T20:36:41Z

bind9 builds for me on 24.10, but it doesn't build on master with or without my patches. The build already dies on the configure stage (without my patches applied), because the autoconf magic manages to mix up the host gcc and the cross-compiling gcc. Removing PKG_FIXUP:=autoreconf from the Makefile fixes that, but compilation chokes later instead on libtool magic: make[7]: Entering directory '/home/build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/bind-9.20.11/bin/rndc' ... /bin/bash ../../libtool --tag=CC --mode=link arm-openwrt-linux-muslgnueabi-gcc ... libtool: link: arm-openwrt-linux-muslgnueabi-gcc ... .../bin/ld.bfd: warning: libns-9.20.11.so, needed by ../../lib/isccfg/.libs/libisccfg.so, not found (try using -rpath or -rpath-link) ... collect2: error: ld returned 1 exit status Which I did a (compile-tested only) quick and dirty fix for. Also, BUILD_CC isn't defined anywhere in the current bind sources, so I removed that as well. Signed-off-by: David Härdeman

bind: update conffiles list

2025-09-13T20:36:41Z

The previous patches removed a number of conffiles that weren't necessary, meaning we can now assume that any changes or additional files in /etc/bind are things that the user wants to keep. Since /var/lib/bind is the standard location for longer-lived zone data (i.e. not zones that secondary servers have obtained via XFER), we symlink it to /etc/bind/zones so that it survives a sysupgrade. Temporary files (such as XFER:ed zones for secondaries) stay in /var/cache/bind. Signed-off-by: David Härdeman