./net/bind918, Berkeley Internet Name Daemon implementation of DNS, version 9.18


Branch: CURRENT, Version: 9.18.43nb2, Package name: bind-9.18.43nb2, Maintainer: pkgsrc-users

BIND, the Berkeley Internet Name Daemon.

Release notes are available via https://bind9.readthedocs.io/en/

This package contains the BIND 9.18 release. Upstream labels it
as supported.

Package options: readline, threads

Filesize: 5297.715 KB

CVS history:

   2026-01-14 13:57:37 by Thomas Klausner | Files touched by this commit (66)
Log message:
*: recursive bump for abseil-20260107.0 shlib version bump
   2026-01-09 15:35:00 by Thomas Klausner | Files touched by this commit (1)
Log message:
bind918: use SED instead of HEAD, since SED is defined earlier
   2026-01-07 09:49:50 by Thomas Klausner | Files touched by this commit (2525)
Log message:
*: recursive bump for icu 78.1
   2025-12-18 11:35:13 by Havard Eidnes | Files touched by this commit (3) | Package updated
Log message:
net/bind918: update to version 9.18.43.

Pkgsrc changes:
 * Bump version & re-compute checksums.
 * Adapt one of the patches.

Upstream changes:

Notes for BIND 9.18.43
----------------------

Bug Fixes
~~~~~~~~~

- Adding NSEC3 opt-out records could leave invalid records in chain.

  When creating an NSEC3 opt-out chain, a node in the chain could be
  removed too soon. The previous NSEC3 would therefore not be found,
  resulting in invalid NSEC3 records being left in the zone. This has
  been fixed. :gl:`#5671`

- ``AMTRELAY`` type 0 presentation format handling was wrong.

  :rfc:`8777` specifies a placeholder value of ``.`` for the gateway field
  when the gateway type is 0 (no gateway). This was not being checked
  for, nor was it emitted when displaying the record. This has been corrected.

  Instances of this record will need the placeholder period added to
  them when upgrading. :gl:`#5639`

OKed by maya@ and wiz@.
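
For the ``AMTRELAY`` upgrade note in the 9.18.43 entry above, a pre-upgrade zone-file check, given here as an added example that is not part of the commit log or of BIND. It assumes single-line records in the RFC 8777 field order (precedence, D-bit, type, relay); the sample zone and the function names are constructed for illustration.

```python
"""Flag AMTRELAY type 0 records that lack the '.' relay placeholder."""

# Constructed sample zone (not from the page); all names are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
e      IN AMTRELAY 10 0 0
a  300 IN AMTRELAY 10 0 0 .      ; already has the placeholder
b      IN AMTRELAY 10 0 1 203.0.113.15
c         AMTRELAY 128 1 3 amtrelays.example.com.
d      IN AMTRELAY 20 1 0 ; comment after a type 0 record
"""


def needs_placeholder(line):
    """True if the line is a type 0 AMTRELAY record with an empty relay field."""
    tokens = line.split(";", 1)[0].split()      # drop the comment, then tokenize
    upper = [t.upper() for t in tokens]
    if "AMTRELAY" not in upper:
        return False
    rdata = tokens[upper.index("AMTRELAY") + 1:]
    if rdata[:1] == ["\\#"]:
        return False                            # RFC 3597 generic form, not handled
    # rdata is: precedence, D-bit, type[, relay]
    return len(rdata) == 3 and rdata[2] == "0"


def fix_zone(text):
    """Return (fixed_text, changed_line_numbers) with '.' appended where missing."""
    fixed, changed = [], []
    for num, line in enumerate(text.splitlines(), start=1):
        if needs_placeholder(line):
            code, sep, comment = line.partition(";")
            line = code.rstrip() + " ." + (" " + sep + comment if sep else "")
            changed.append(num)
        fixed.append(line)
    return "\n".join(fixed) + "\n", changed


if __name__ == "__main__":
    new_text, lines = fix_zone(SAMPLE_ZONE)
    print("lines changed:", lines)
    print(new_text, end="")
```

Records wrapped across lines with parentheses are not handled; validate the rewritten zone with ``named-checkzone`` from the new BIND version before loading it.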
   2025-11-20 11:17:19 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
net/bind918: update BIND to version 9.18.42.

Pkgsrc changes:
 * version bump, checksum updates.

Upstream changes:

BIND 9.18.42
------------

Bug Fixes
~~~~~~~~~

- Skip unsupported algorithms when looking for signing key.
  ``2882dbfc803``

  A mix of supported and unsupported DNSSEC algorithms in the same zone
  could have caused validation failures. Ignore the DNSSEC keys with
  unsupported algorithm when looking for the signing keys. :gl:`#5622`
  :gl:`!11211`
   2025-10-22 16:32:26 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
net/bind918: update to 9.18.41

BIND 9.18.41 (2025-10-22)

Security Fixes

* DNSSEC validation fails if matching but invalid DNSKEY is
  found. (CVE-2025-8677)

  Previously, if a matching but cryptographically invalid key was
  encountered during DNSSEC validation, the key was skipped and not counted
  towards validation failures.  named now treats such DNSSEC keys as hard
  failures and the DNSSEC validation fails immediately, instead of
  continuing with the next DNSKEYs in the RRset.

  ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One Security
  and Privacy Laboratory at Nankai University for bringing this
  vulnerability to our attention.  [GL #5343]

* Address various spoofing attacks. (CVE-2025-40778)

  Previously, several issues could be exploited to poison a DNS cache with
  spoofed records for zones which were not DNSSEC-signed or if the resolver
  was configured to not do DNSSEC validation.  These issues were assigned
  CVE-2025-40778 and have now been fixed.

  As an additional layer of protection, named no longer accepts DNAME
  records or extraneous NS records in the AUTHORITY section unless these are
  received via spoofing-resistant transport (TCP, UDP with DNS cookies,
  TSIG, or SIG(0)).

  ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
  Duan from Tsinghua University for bringing this vulnerability to our
  attention.  [GL #5414]

* Cache-poisoning due to weak pseudo-random number
  generator. (CVE-2025-40780)

  It was discovered during research for an upcoming academic paper that a
  xoshiro128** internal state can be recovered by an external 3rd party,
  allowing the prediction of UDP ports and DNS IDs in outgoing queries.
  This could lead to an attacker spoofing the DNS answers with great
  efficiency and poisoning the DNS cache.

  The internal random generator has been changed to a cryptographically
  secure pseudo-random generator.

  ISC would like to thank Prof.  Amit Klein and Omer Ben Simhon from Hebrew
  University of Jerusalem for bringing this vulnerability to our attention.
  [GL #5484]

New Features

* Support for parsing HHIT and BRID records has been added.

  [GL #5444]

Removed Features

* Deprecate the "tkey-domain" statement.

  Mark the tkey-domain statement as deprecated since it is only used by code
  implementing TKEY Mode 2 (Diffie-Hellman), which was removed from newer
  BIND 9 branches.  [GL #4204]

* Deprecate the "tkey-gssapi-credential" statement.

  The tkey-gssapi-keytab statement allows GSS-TSIG to be set up in a simpler
  and more reliable way than using the tkey-gssapi-credential statement and
  setting environment variables (e.g. KRB5_KTNAME).  Therefore, the
  tkey-gssapi-credential statement has been deprecated; tkey-gssapi-keytab
  should be used instead.

  For configurations currently using a combination of both
  tkey-gssapi-keytab and tkey-gssapi-credential, the latter should be
  dropped and the keytab pointed to by tkey-gssapi-keytab should now only
  contain the credential previously specified by tkey-gssapi-credential.
  [GL #4204]

Bug Fixes

* Prevent spurious SERVFAILs for certain 0-TTL resource records.

  Under certain circumstances, BIND 9 can return SERVFAIL when updating
  existing entries in the cache with new NS, A, AAAA, or DS records that
  have a TTL of zero.  [GL #5294]

* Missing DNSSEC information when CD bit is set in query.

  The RRSIGs for glue records were not being cached correctly for CD=1
  queries.  This has been fixed. [GL #5502]
   2025-09-21 23:37:07 by Thomas Klausner | Files touched by this commit (3)
Log message:
*: reset maintainer
   2025-08-24 18:36:20 by Thomas Klausner | Files touched by this commit (65)
Log message:
*: recursive bump for abseil 20250814.0