Merge 9.10.4-P6 trunk
authorchristos <christos@NetBSD.org>
Thu, 09 Feb 2017 00:23:26 +0000
branchtrunk
changeset 248529 b2dde1088876
parent 248528 f5cc12b90086
child 248530 5ec4ac2a3dd2
Merge 9.10.4-P6 4558. [bug] Synthesised CNAME before matching DNAME was still being cached when it should have been. [RT #44318] 4557. [security] Combining dns64 and rpz can result in dereferencing a NULL pointer (read). (CVE-2017-3135) [RT#44434]
external/bsd/bind/dist/CHANGES
external/bsd/bind/dist/README
external/bsd/bind/dist/bin/named/query.c
external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html
external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html
external/bsd/bind/dist/doc/arm/Bv9ARM.html
external/bsd/bind/dist/doc/arm/Bv9ARM.pdf
external/bsd/bind/dist/doc/arm/man.arpaname.html
external/bsd/bind/dist/doc/arm/man.ddns-confgen.html
external/bsd/bind/dist/doc/arm/man.delv.html
external/bsd/bind/dist/doc/arm/man.dig.html
external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html
external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html
external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html
external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html
external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html
external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html
external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html
external/bsd/bind/dist/doc/arm/man.dnssec-settime.html
external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html
external/bsd/bind/dist/doc/arm/man.dnssec-verify.html
external/bsd/bind/dist/doc/arm/man.genrandom.html
external/bsd/bind/dist/doc/arm/man.host.html
external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html
external/bsd/bind/dist/doc/arm/man.named-checkconf.html
external/bsd/bind/dist/doc/arm/man.named-checkzone.html
external/bsd/bind/dist/doc/arm/man.named-journalprint.html
external/bsd/bind/dist/doc/arm/man.named-rrchecker.html
external/bsd/bind/dist/doc/arm/man.named.html
external/bsd/bind/dist/doc/arm/man.nsec3hash.html
external/bsd/bind/dist/doc/arm/man.nsupdate.html
external/bsd/bind/dist/doc/arm/man.rndc-confgen.html
external/bsd/bind/dist/doc/arm/man.rndc.conf.html
external/bsd/bind/dist/doc/arm/man.rndc.html
external/bsd/bind/dist/lib/dns/api
external/bsd/bind/dist/lib/dns/message.c
external/bsd/bind/dist/lib/dns/rdataset.c
external/bsd/bind/dist/lib/dns/resolver.c
external/bsd/bind/dist/srcid
external/bsd/bind/dist/version
--- a/external/bsd/bind/dist/CHANGES	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/CHANGES	Thu Feb 09 00:23:26 2017 +0000
@@ -1,3 +1,11 @@
+	--- 9.10.4-P6 released ---
+
+4558.	[bug]		Synthesised CNAME before matching DNAME was still
+			being cached when it should have been.  [RT #44318]
+
+4557.	[security]	Combining dns64 and rpz can result in dereferencing
+			a NULL pointer (read).  (CVE-2017-3135) [RT#44434]
+
 	--- 9.10.4-P5 released ---
 
 4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
--- a/external/bsd/bind/dist/README	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/README	Thu Feb 09 00:23:26 2017 +0000
@@ -51,6 +51,12 @@
 	For up-to-date release notes and errata, see
 	http://www.isc.org/software/bind9/releasenotes
 
+BIND 9.10.4-P6
+
+	This version contains a fix for CVE-2017-3135, and a bug fix
+	for a regression in CNAME/DNAME caching that was introduced
+	in an earlier security release.
+
 BIND 9.10.4-P5
 
 	This version contains fixes for CVE-2016-9131, CVE-2016-9147,
--- a/external/bsd/bind/dist/bin/named/query.c	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/bin/named/query.c	Thu Feb 09 00:23:26 2017 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: query.c,v 1.22 2016/05/26 16:49:56 christos Exp $	*/
+/*	$NetBSD: query.c,v 1.23 2017/02/09 00:23:26 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
@@ -6245,7 +6245,7 @@
 	dns_rpz_st_t *rpz_st;
 	isc_boolean_t resuming;
 	int line = -1;
-	isc_boolean_t dns64_exclude, dns64;
+	isc_boolean_t dns64_exclude, dns64, rpz;
 	isc_boolean_t nxrewrite = ISC_FALSE;
 	isc_boolean_t redirected = ISC_FALSE;
 	dns_clientinfomethods_t cm;
@@ -6258,6 +6258,7 @@
 	char mbuf[BUFSIZ];
 	char qbuf[DNS_NAME_FORMATSIZE];
 #endif
+	dns_name_t *rpzqname;
 
 	CTRACE(ISC_LOG_DEBUG(3), "query_find");
 
@@ -6283,7 +6284,7 @@
 	zone = NULL;
 	need_wildcardproof = ISC_FALSE;
 	empty_wild = ISC_FALSE;
-	dns64_exclude = dns64 = ISC_FALSE;
+	dns64_exclude = dns64 = rpz = ISC_FALSE;
 	options = 0;
 	resuming = ISC_FALSE;
 	is_zone = ISC_FALSE;
@@ -6473,6 +6474,7 @@
 	authoritative = ISC_FALSE;
 	version = NULL;
 	need_wildcardproof = ISC_FALSE;
+	rpz = ISC_FALSE;
 
 	if (client->view->checknames &&
 	    !dns_rdata_checkowner(client->query.qname,
@@ -6614,11 +6616,29 @@
 	}
 
 	/*
-	 * Now look for an answer in the database.
-	 */
-	result = dns_db_findext(db, client->query.qname, version, type,
+	 * Now look for an answer in the database.  If this is a dns64
+	 * AAAA lookup on a rpz database adjust the qname.
+	 */
+	if (dns64 && rpz)
+		rpzqname = client->query.rpz_st->p_name;
+	else
+		rpzqname = client->query.qname;
+
+	result = dns_db_findext(db, rpzqname, version, type,
 				client->query.dboptions, client->now,
 				&node, fname, &cm, &ci, rdataset, sigrdataset);
+	/*
+	 * Fixup fname and sigrdataset.
+	 */
+	if (dns64 && rpz) {
+		isc_result_t rresult;
+
+		rresult = dns_name_copy(client->query.qname, fname, NULL);
+		RUNTIME_CHECK(rresult == ISC_R_SUCCESS);
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
+			dns_rdataset_disassociate(sigrdataset);
+	}
 
 	if (!is_zone)
 		dns_cache_updatestats(client->view->cache, result);
@@ -6848,10 +6868,12 @@
 			case DNS_RPZ_POLICY_NXDOMAIN:
 				result = DNS_R_NXDOMAIN;
 				nxrewrite = ISC_TRUE;
+				rpz = ISC_TRUE;
 				break;
 			case DNS_RPZ_POLICY_NODATA:
 				result = DNS_R_NXRRSET;
 				nxrewrite = ISC_TRUE;
+				rpz = ISC_TRUE;
 				break;
 			case DNS_RPZ_POLICY_RECORD:
 				result = rpz_st->m.result;
@@ -6871,6 +6893,7 @@
 					rdataset->ttl = ISC_MIN(rdataset->ttl,
 								rpz_st->m.ttl);
 				}
+				rpz = ISC_TRUE;
 				break;
 			case DNS_RPZ_POLICY_WILDCNAME:
 				result = dns_rdataset_first(rdataset);
@@ -6913,7 +6936,6 @@
 						NS_CLIENTATTR_WANTAD);
 			client->message->flags &= ~DNS_MESSAGEFLAG_AD;
 			query_putrdataset(client, &sigrdataset);
-			rpz_st->q.is_zone = is_zone;
 			is_zone = ISC_TRUE;
 			rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
 					rpz_st->m.type, zone, rpz_st->p_name);
@@ -7297,15 +7319,6 @@
 			rdataset = NULL;
 			sigrdataset = NULL;
 			type = qtype = dns_rdatatype_a;
-			rpz_st = client->query.rpz_st;
-			if (rpz_st != NULL) {
-				/*
-				 * Arrange for RPZ rewriting of any A records.
-				 */
-				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
-					is_zone = rpz_st->q.is_zone;
-				rpz_st_clear(client);
-			}
 			dns64 = ISC_TRUE;
 			goto db_find;
 		}
@@ -7620,15 +7633,6 @@
 			sigrdataset = NULL;
 			fname = NULL;
 			type = qtype = dns_rdatatype_a;
-			rpz_st = client->query.rpz_st;
-			if (rpz_st != NULL) {
-				/*
-				 * Arrange for RPZ rewriting of any A records.
-				 */
-				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
-					is_zone = rpz_st->q.is_zone;
-				rpz_st_clear(client);
-			}
 			dns64 = ISC_TRUE;
 			goto db_find;
 		}
@@ -8162,15 +8166,6 @@
 			rdataset = NULL;
 			sigrdataset = NULL;
 			type = qtype = dns_rdatatype_a;
-			rpz_st = client->query.rpz_st;
-			if (rpz_st != NULL) {
-				/*
-				 * Arrange for RPZ rewriting of any A records.
-				 */
-				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
-					is_zone = rpz_st->q.is_zone;
-				rpz_st_clear(client);
-			}
 			dns64_exclude = dns64 = ISC_TRUE;
 			goto db_find;
 		}
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html	Thu Feb 09 00:23:26 2017 +0000
@@ -2326,6 +2326,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html	Thu Feb 09 00:23:26 2017 +0000
@@ -12845,6 +12845,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html	Thu Feb 09 00:23:26 2017 +0000
@@ -248,6 +248,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html	Thu Feb 09 00:23:26 2017 +0000
@@ -134,6 +134,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html	Thu Feb 09 00:23:26 2017 +0000
@@ -44,7 +44,7 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P5</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P6</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
@@ -60,7 +60,7 @@
 </div>
 <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P5</h2></div></div></div>
+<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P6</h2></div></div></div>
 <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
@@ -68,8 +68,13 @@
       This document summarizes changes since BIND 9.10.4:
     </p>
 <p>
+      BIND 9.10.4-P6 addresses the security issue described in
+      CVE-2017-3135, and fixes a regression introduced in a prior
+      security release.
+    </p>
+<p>
       BIND 9.10.4-P5 addresses the security issues described in
-      CVE-2016-9131, CVE-2016-9147 and CVE-2016-9444.
+      CVE-2016-9131, CVE-2016-9147, CVE-2016-9444 and CVE-2016-9778.
     </p>
 <p>
       BIND 9.10.4-P4 addresses the security issue described in
@@ -107,24 +112,33 @@
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem"><p>
-	  Named could mishandle authority sections that were missing
-	  RRSIGs triggering an assertion failure.  This flaw is
-	  disclosed in CVE-2016-9444. [RT # 43632]
+	  If a server is configured with a response policy zone (RPZ)
+	  that rewrites an answer with local data, and is also configured
+	  for DNS64 address mapping, a NULL pointer can be read
+	  triggering a server crash.  This flaw is disclosed in
+	  CVE-2017-3135. [RT #44434]
 	</p></li>
 <li class="listitem"><p>
-	  Named mishandled some responses where covering RRSIG
-	  records are returned without the requested data
-	  resulting in a assertion failure. This flaw is disclosed in
-	  CVE-2016-9147. [RT #43548]
+	  <span class="command"><strong>named</strong></span> could mishandle authority sections
+	  with missing RRSIGs, triggering an assertion failure. This
+	  flaw is disclosed in CVE-2016-9444. [RT #43632]
 	</p></li>
 <li class="listitem"><p>
-	  Named incorrectly tried to cache TKEY records which could
-	  trigger a assertion failure when there was a class mismatch.
-	  This flaw is disclosed in CVE-2016-9131.  [RT #43522]
+	  <span class="command"><strong>named</strong></span> mishandled some responses where
+	  covering RRSIG records were returned without the requested
+	  data, resulting in an assertion failure. This flaw is
+	  disclosed in CVE-2016-9147. [RT #43548]
+	</p></li>
+<li class="listitem"><p>
+	  <span class="command"><strong>named</strong></span> incorrectly tried to cache TKEY
+	  records which could trigger an assertion failure when there was
+	  a class mismatch. This flaw is disclosed in CVE-2016-9131.
+	  [RT #43522]
 	</p></li>
 <li class="listitem"><p>
 	  It was possible to trigger assertions when processing
-	  a response. This flaw is disclosed in CVE-2016-8864. [RT #43465]
+	  responses containing answers of type DNAME. This flaw is
+	  disclosed in CVE-2016-8864. [RT #43465]
 	</p></li>
 <li class="listitem"><p>
 	  It was possible to trigger a assertion when rendering a
@@ -132,11 +146,13 @@
 	  disclosed in CVE-2016-2776. [RT #43139]
 	</p></li>
 <li class="listitem"><p>
-	 getrrsetbyname with a non absolute name could trigger an
-	 infinite recursion bug in lwresd and named with lwres
-	 configured if when combined with a search list entry the
-	 resulting name is too long.  This flaw is disclosed in
-	 CVE-2016-2775. [RT #42694]
+	  Calling <span class="command"><strong>getrrsetbyname()</strong></span> with a non
+	  absolute name could trigger an infinite recursion bug in
+	  <span class="command"><strong>lwresd</strong></span> or <span class="command"><strong>named</strong></span> with
+	  <span class="command"><strong>lwres</strong></span> configured if, when combined with
+	  a search list entry from <code class="filename">resolv.conf</code>,
+	  the resulting name is too long.  This flaw is disclosed in
+	  CVE-2016-2775. [RT #42694]
 	</p></li>
 </ul></div>
 </div>
@@ -166,8 +182,19 @@
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem"><p>
+	  A synthesized CNAME record appearing in a response before the
+	  associated DNAME could be cached, when it should not have been.
+	  This was a regression introduced while addressing CVE-2016-8864.
+	  [RT #44318]
+	</p></li>
+<li class="listitem"><p>
+	  Fixed a crash when calling <span class="command"><strong>rndc stats</strong></span> on some
+	  Windows builds: some Visual Studio compilers generate code that
+	  crashes when the "%z" printf() format specifier is used. [RT #42380]
+	</p></li>
+<li class="listitem"><p>
 	  ECS clients with the option set to 0.0.0.0/0/0 or ::/0/0
-	  where incorrectly getting a FORMERR response.
+	  were incorrectly getting a FORMERR response.
 	</p></li>
 <li class="listitem"><p>
 	  Windows installs were failing due to triggering UAC without
@@ -218,6 +245,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/Bv9ARM.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.html	Thu Feb 09 00:23:26 2017 +0000
@@ -40,7 +40,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.10.4-P5</p></div>
+<div><p class="releaseinfo">BIND Version 9.10.4-P6</p></div>
 <div><p class="copyright">Copyright  2004-2015 Internet Systems Consortium, Inc. ("ISC")</p></div>
 <div><p class="copyright">Copyright  2000-2003 Internet Software Consortium.</p></div>
 </div>
@@ -239,7 +239,7 @@
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P5</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P6</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
@@ -385,6 +385,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
Binary file external/bsd/bind/dist/doc/arm/Bv9ARM.pdf has changed
--- a/external/bsd/bind/dist/doc/arm/man.arpaname.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.arpaname.html	Thu Feb 09 00:23:26 2017 +0000
@@ -81,6 +81,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html	Thu Feb 09 00:23:26 2017 +0000
@@ -185,6 +185,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.delv.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.delv.html	Thu Feb 09 00:23:26 2017 +0000
@@ -498,6 +498,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dig.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dig.html	Thu Feb 09 00:23:26 2017 +0000
@@ -809,6 +809,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html	Thu Feb 09 00:23:26 2017 +0000
@@ -112,6 +112,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html	Thu Feb 09 00:23:26 2017 +0000
@@ -219,6 +219,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html	Thu Feb 09 00:23:26 2017 +0000
@@ -213,6 +213,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html	Thu Feb 09 00:23:26 2017 +0000
@@ -177,6 +177,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html	Thu Feb 09 00:23:26 2017 +0000
@@ -381,6 +381,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html	Thu Feb 09 00:23:26 2017 +0000
@@ -455,6 +455,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html	Thu Feb 09 00:23:26 2017 +0000
@@ -134,6 +134,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html	Thu Feb 09 00:23:26 2017 +0000
@@ -264,6 +264,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html	Thu Feb 09 00:23:26 2017 +0000
@@ -564,6 +564,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html	Thu Feb 09 00:23:26 2017 +0000
@@ -164,6 +164,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.genrandom.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.genrandom.html	Thu Feb 09 00:23:26 2017 +0000
@@ -102,6 +102,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.host.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.host.html	Thu Feb 09 00:23:26 2017 +0000
@@ -247,6 +247,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html	Thu Feb 09 00:23:26 2017 +0000
@@ -112,6 +112,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.named-checkconf.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.named-checkconf.html	Thu Feb 09 00:23:26 2017 +0000
@@ -151,6 +151,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.named-checkzone.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.named-checkzone.html	Thu Feb 09 00:23:26 2017 +0000
@@ -338,6 +338,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.named-journalprint.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.named-journalprint.html	Thu Feb 09 00:23:26 2017 +0000
@@ -102,6 +102,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html	Thu Feb 09 00:23:26 2017 +0000
@@ -104,6 +104,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.named.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.named.html	Thu Feb 09 00:23:26 2017 +0000
@@ -369,6 +369,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.nsec3hash.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.nsec3hash.html	Thu Feb 09 00:23:26 2017 +0000
@@ -103,6 +103,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.nsupdate.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.nsupdate.html	Thu Feb 09 00:23:26 2017 +0000
@@ -663,6 +663,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html	Thu Feb 09 00:23:26 2017 +0000
@@ -223,6 +223,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.rndc.conf.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.rndc.conf.html	Thu Feb 09 00:23:26 2017 +0000
@@ -246,6 +246,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/doc/arm/man.rndc.html	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/doc/arm/man.rndc.html	Thu Feb 09 00:23:26 2017 +0000
@@ -621,6 +621,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P5</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
 </body>
 </html>
--- a/external/bsd/bind/dist/lib/dns/api	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/lib/dns/api	Thu Feb 09 00:23:26 2017 +0000
@@ -6,5 +6,5 @@
 # 9.9-sub: 130-139, 150-159
 # 9.10: 140-149, 160-169
 LIBINTERFACE = 165
-LIBREVISION = 4
+LIBREVISION = 5
 LIBAGE = 0
--- a/external/bsd/bind/dist/lib/dns/message.c	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/lib/dns/message.c	Thu Feb 09 00:23:26 2017 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: message.c,v 1.21 2017/01/12 08:21:32 spz Exp $	*/
+/*	$NetBSD: message.c,v 1.22 2017/02/09 00:23:27 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
@@ -1221,8 +1221,8 @@
 {
 	isc_region_t r;
 	unsigned int count, rdatalen;
-	dns_name_t *name;
-	dns_name_t *name2;
+	dns_name_t *name = NULL;
+	dns_name_t *name2 = NULL;
 	dns_offsets_t *offsets;
 	dns_rdataset_t *rdataset = NULL;
 	dns_rdatalist_t *rdatalist;
@@ -1232,7 +1232,7 @@
 	dns_rdata_t *rdata;
 	dns_ttl_t ttl;
 	dns_namelist_t *section;
-	isc_boolean_t free_name, free_rdataset;
+	isc_boolean_t free_name = ISC_FALSE, free_rdataset = ISC_FALSE;
 	isc_boolean_t preserve_order, best_effort, seen_problem;
 	isc_boolean_t issigzero;
 
--- a/external/bsd/bind/dist/lib/dns/rdataset.c	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/lib/dns/rdataset.c	Thu Feb 09 00:23:26 2017 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: rdataset.c,v 1.8 2015/07/08 17:28:59 christos Exp $	*/
+/*	$NetBSD: rdataset.c,v 1.9 2017/02/09 00:23:27 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
@@ -340,6 +340,7 @@
 	 */
 
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
 	REQUIRE(countp != NULL);
 	REQUIRE((order == NULL) == (order_arg == NULL));
 	REQUIRE(cctx != NULL && cctx->mctx != NULL);
--- a/external/bsd/bind/dist/lib/dns/resolver.c	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/lib/dns/resolver.c	Thu Feb 09 00:23:26 2017 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: resolver.c,v 1.28 2017/01/12 08:21:32 spz Exp $	*/
+/*	$NetBSD: resolver.c,v 1.29 2017/02/09 00:23:27 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
@@ -6101,9 +6101,13 @@
 	return (ISC_R_SUCCESS);
 }
 
+/*%
+ * Construct the synthesised CNAME from the existing QNAME and
+ * the DNAME RR and store it in 'target'.
+ */
 static inline isc_result_t
 dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
-	     unsigned int nlabels, dns_fixedname_t *fixeddname)
+	     unsigned int nlabels, dns_name_t *target)
 {
 	isc_result_t result;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
@@ -6123,14 +6127,33 @@
 
 	dns_fixedname_init(&prefix);
 	dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
-	dns_fixedname_init(fixeddname);
 	result = dns_name_concatenate(dns_fixedname_name(&prefix),
-				      &dname.dname,
-				      dns_fixedname_name(fixeddname), NULL);
+				      &dname.dname, target, NULL);
 	dns_rdata_freestruct(&dname);
 	return (result);
 }
 
+/*%
+ * Check if it was possible to construct 'qname' from 'lastcname'
+ * and 'rdataset'.
+ */
+static inline isc_result_t
+fromdname(dns_rdataset_t *rdataset, dns_name_t *lastcname,
+	  unsigned int nlabels, const dns_name_t *qname)
+{
+	dns_fixedname_t fixed;
+	isc_result_t result;
+	dns_name_t *target;
+
+	dns_fixedname_init(&fixed);
+	target = dns_fixedname_name(&fixed);
+	result = dname_target(rdataset, lastcname, nlabels, target);
+	if (result != ISC_R_SUCCESS || !dns_name_equal(qname, target))
+		return (ISC_R_NOTFOUND);
+
+	return (ISC_R_SUCCESS);
+}
+
 static isc_boolean_t
 is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
 			 dns_rdataset_t *rdataset)
@@ -6747,12 +6770,12 @@
 	isc_result_t result;
 	dns_message_t *message;
 	dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
-	dns_name_t *cname = NULL;
+	dns_name_t *cname = NULL, *lastcname = NULL;
 	dns_rdataset_t *rdataset, *ns_rdataset;
-	isc_boolean_t done, external, chaining, aa, found, want_chaining;
+	isc_boolean_t done, external, aa, found, want_chaining;
 	isc_boolean_t have_answer, found_cname, found_dname, found_type;
 	isc_boolean_t wanted_chaining;
-	unsigned int aflag;
+	unsigned int aflag, chaining;
 	dns_rdatatype_t type;
 	dns_fixedname_t fdname, fqname;
 	dns_view_t *view;
@@ -6770,9 +6793,9 @@
 	found_cname = ISC_FALSE;
 	found_dname = ISC_FALSE;
 	found_type = ISC_FALSE;
-	chaining = ISC_FALSE;
 	have_answer = ISC_FALSE;
 	want_chaining = ISC_FALSE;
+	chaining = 0;
 	POST(want_chaining);
 	if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
 		aa = ISC_TRUE;
@@ -6783,14 +6806,15 @@
 	view = fctx->res->view;
 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
 	while (!done && result == ISC_R_SUCCESS) {
-		dns_namereln_t namereln;
-		int order;
-		unsigned int nlabels;
+		dns_namereln_t namereln, lastreln;
+		int order, lastorder;
+		unsigned int nlabels, lastnlabels;
 
 		name = NULL;
 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
 		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+
 		if (namereln == dns_namereln_equal) {
 			wanted_chaining = ISC_FALSE;
 			for (rdataset = ISC_LIST_HEAD(name->list);
@@ -6896,6 +6920,7 @@
 							&fctx->domain)) {
 						return (DNS_R_SERVFAIL);
 					}
+					lastcname = name;
 				} else if (rdataset->type == dns_rdatatype_rrsig
 					   && rdataset->covers ==
 					      dns_rdatatype_cname
@@ -6919,7 +6944,7 @@
 					rdataset->attributes |=
 						DNS_RDATASETATTR_CACHE;
 					rdataset->trust = dns_trust_answer;
-					if (!chaining) {
+					if (chaining == 0) {
 						/*
 						 * This data is "the" answer
 						 * to our question only if
@@ -6996,10 +7021,21 @@
 			 * cause us to ignore the signatures of
 			 * CNAMEs.
 			 */
-			if (wanted_chaining)
-				chaining = ISC_TRUE;
+			if (wanted_chaining && chaining < 2U)
+				chaining++;
 		} else {
 			dns_rdataset_t *dnameset = NULL;
+			isc_boolean_t synthcname = ISC_FALSE;
+
+			if (lastcname != NULL) {
+				lastreln = dns_name_fullcompare(lastcname,
+								name,
+								&lastorder,
+								&lastnlabels);
+				if (lastreln == dns_namereln_subdomain &&
+				    lastnlabels == dns_name_countlabels(name))
+					synthcname = ISC_TRUE;
+			}
 
 			/*
 			 * Look for a DNAME (or its SIG).  Anything else is
@@ -7028,7 +7064,7 @@
 				 * If we're not chaining, then the DNAME and
 				 * its signature should not be external.
 				 */
-				if (!chaining && external) {
+				if (chaining == 0 && external) {
 					char qbuf[DNS_NAME_FORMATSIZE];
 					char obuf[DNS_NAME_FORMATSIZE];
 
@@ -7046,16 +7082,9 @@
 				/*
 				 * If DNAME + synthetic CNAME then the
 				 * namereln is dns_namereln_subdomain.
-				 *
-				 * If synthetic CNAME + DNAME then the
-				 * namereln is dns_namereln_commonancestor
-				 * and the number of label must match the
-				 * DNAME.  This order is not RFC compliant.
 				 */
-
 				if (namereln != dns_namereln_subdomain &&
-				    (namereln != dns_namereln_commonancestor ||
-				     nlabels != dns_name_countlabels(name)))
+				    !synthcname)
 				{
 					char qbuf[DNS_NAME_FORMATSIZE];
 					char obuf[DNS_NAME_FORMATSIZE];
@@ -7075,8 +7104,19 @@
 					want_chaining = ISC_TRUE;
 					POST(want_chaining);
 					aflag = DNS_RDATASETATTR_ANSWER;
-					result = dname_target(rdataset, qname,
-							      nlabels, &fdname);
+					dns_fixedname_init(&fdname);
+					dname = dns_fixedname_name(&fdname);
+					if (synthcname) {
+						result = fromdname(rdataset,
+								   lastcname,
+								   lastnlabels,
+								   qname);
+					} else {
+						result = dname_target(rdataset,
+								      qname,
+								      nlabels,
+								      dname);
+					}
 					if (result == ISC_R_NOSPACE) {
 						/*
 						 * We can't construct the
@@ -7090,8 +7130,8 @@
 					else
 						dnameset = rdataset;
 
-					dname = dns_fixedname_name(&fdname);
-					if (!is_answertarget_allowed(view,
+					if (!synthcname &&
+					    !is_answertarget_allowed(view,
 						     qname, rdataset->type,
 						     dname, &fctx->domain))
 					{
@@ -7112,7 +7152,13 @@
 				name->attributes |= DNS_NAMEATTR_CACHE;
 				rdataset->attributes |= DNS_RDATASETATTR_CACHE;
 				rdataset->trust = dns_trust_answer;
-				if (!chaining) {
+				/*
+				 * If we are not chaining or the first CNAME
+				 * is a synthesised CNAME before the DNAME.
+				 */
+				if ((chaining == 0) ||
+				    (chaining == 1U && synthcname))
+				{
 					/*
 					 * This data is "the" answer to
 					 * our question only if we're
@@ -7122,9 +7168,12 @@
 					if (aflag == DNS_RDATASETATTR_ANSWER) {
 						have_answer = ISC_TRUE;
 						found_dname = ISC_TRUE;
-						if (cname != NULL)
+						if (cname != NULL &&
+						    synthcname)
+						{
 							cname->attributes &=
 							   ~DNS_NAMEATTR_ANSWER;
+						}
 						name->attributes |=
 							DNS_NAMEATTR_ANSWER;
 					}
@@ -7142,26 +7191,35 @@
 			 * DNAME chaining.
 			 */
 			if (dnameset != NULL) {
-				/*
-				 * Copy the dname into the qname fixed name.
-				 *
-				 * Although we check for failure of the copy
-				 * operation, in practice it should never fail
-				 * since we already know that the  result fits
-				 * in a fixedname.
-				 */
-				dns_fixedname_init(&fqname);
-				qname = dns_fixedname_name(&fqname);
-				result = dns_name_copy(dname, qname, NULL);
-				if (result != ISC_R_SUCCESS)
-					return (result);
+				if (!synthcname) {
+					/*
+					 * Copy the dname into the qname fixed
+					 * name.
+					 *
+					 * Although we check for failure of the
+					 * copy operation, in practice it
+					 * should never fail since we already
+					 * know that the result fits in a
+					 * fixedname.
+					 */
+					dns_fixedname_init(&fqname);
+					qname = dns_fixedname_name(&fqname);
+					result = dns_name_copy(dname, qname,
+							       NULL);
+					if (result != ISC_R_SUCCESS)
+						return (result);
+				}
 				wanted_chaining = ISC_TRUE;
 				name->attributes |= DNS_NAMEATTR_CHAINING;
 				dnameset->attributes |=
 					    DNS_RDATASETATTR_CHAINING;
 			}
-			if (wanted_chaining)
-				chaining = ISC_TRUE;
+			/*
+			 * Ensure that we can't ever get chaining == 1
+			 * above if we have processed a DNAME.
+			 */
+			if (wanted_chaining && chaining < 2U)
+				chaining += 2;
 		}
 		result = dns_message_nextname(message, DNS_SECTION_ANSWER);
 	}
@@ -7186,7 +7244,7 @@
 	/*
 	 * Did chaining end before we got the final answer?
 	 */
-	if (chaining) {
+	if (chaining != 0) {
 		/*
 		 * Yes.  This may be a negative reply, so hand off
 		 * authority section processing to the noanswer code.
@@ -7235,7 +7293,7 @@
 						DNS_NAMEATTR_CACHE;
 					rdataset->attributes |=
 						DNS_RDATASETATTR_CACHE;
-					if (aa && !chaining)
+					if (aa && chaining == 0)
 						rdataset->trust =
 						    dns_trust_authauthority;
 					else
--- a/external/bsd/bind/dist/srcid	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/srcid	Thu Feb 09 00:23:26 2017 +0000
@@ -1,1 +1,1 @@
-SRCID=2b12043
+SRCID=a6837d0
--- a/external/bsd/bind/dist/version	Thu Feb 09 00:18:48 2017 +0000
+++ b/external/bsd/bind/dist/version	Thu Feb 09 00:23:26 2017 +0000
@@ -7,5 +7,5 @@
 MINORVER=10
 PATCHVER=4
 RELEASETYPE=-P
-RELEASEVER=5
+RELEASEVER=6
 EXTENSIONS=