From 54e84fd35b477c2f29a5800747cfc6103a3db69d Mon Sep 17 00:00:00 2001
From: delphij <delphij@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Wed, 18 Feb 2015 22:20:19 +0000
Subject: [PATCH] MFV r278971: Apply vendor fix for CVE-2015-1349.

This is a direct commit to stable/9 because BIND is removed from
HEAD.


git-svn-id: svn://svn.freebsd.org/base/stable/9@278972 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 contrib/bind9/CHANGES        | 7 +++++++
 contrib/bind9/lib/dns/zone.c | 8 +++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
index e8d75ea9d..b45be6dab 100644
--- a/contrib/bind9/CHANGES
+++ b/contrib/bind9/CHANGES
@@ -1,3 +1,10 @@
+	--- 9.9.6-P2 released ---
+
+4053.	[security]	Revoking a managed trust anchor and supplying
+			an untrusted replacement could cause named
+			to crash with an assertion failure.
+			(CVE-2015-1349) [RT #38344]
+
 	--- 9.9.6-P1 released ---
 
 4006.	[security]	A flaw in delegation handling could be exploited
diff --git a/contrib/bind9/lib/dns/zone.c b/contrib/bind9/lib/dns/zone.c
index 7a9825bd9..5db28449b 100644
--- a/contrib/bind9/lib/dns/zone.c
+++ b/contrib/bind9/lib/dns/zone.c
@@ -8508,6 +8508,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 					     namebuf, tag);
 				trustkey = ISC_TRUE;
 			}
+		} else {
+			/*
+			 * No previously known key, and the key is not
+			 * secure, so skip it.
+			 */
+			continue;
 		}
 
 		/* Delete old version */
@@ -8556,7 +8562,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 			trust_key(zone, keyname, &dnskey, mctx);
 		}
 
-		if (!deletekey) {
+		if (secure && !deletekey) {
 			INSIST(newkey || updatekey);
 			set_refreshkeytimer(zone, &keydata, now);
 		}
-- 
2.45.0