• https://downloads.isc.org/isc/bind9/9.16.7/ (Download)
• https://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/9.16.7/ (Download)
• http://ftp.iij.ad.jp/pub/network/isc/bind9/9.16.7/ (Download)
• ftp://ftp.nominum.com/pub/isc/bind9/9.16.7/ (Download)

• geoip

• (2020-09-17) Updated to version: isc-bind-9.16.7
• (2020-08-21) Updated to version: isc-bind-9.16.6
• (2020-07-16) Updated to version: isc-bind-9.16.5
• (2020-06-18) Updated to version: isc-bind-9.16.4
• (2020-05-19) Updated to version: isc-bind-9.16.3
• (2020-04-16) Updated to version: isc-bind-9.16.2
• (2020-03-20) Updated to version: isc-bind-9.16.1
• (2020-02-20) Updated to version: isc-bind-9.16.0
• (2020-01-24) Updated to version: isc-bind-9.14.10
• (2019-12-19) Updated to version: isc-bind-9.14.9

Log message:
update to BIND-9.16.7

Log message:
update to BIND 9.16.6, fixes various assertion failures. https://downloads.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6

Log message:
update to BIND 9.16.6, fixes various assertion failures. https://downloads.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6

Log message:
update to BIND 9.16.5

Log message:
switch my maintainer email addresses to my own domain

Log message:
bump; plist changed but no forced python dep

Log message:
update to BIND 9.16.4
- It was possible to trigger an assertion when attempting to fill an
oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]
- It was possible to trigger an INSIST failure when a zone with an
interior wildcard label was queried in a certain pattern. This was
disclosed in CVE-2020-8619. [GL #1111] [GL #1718]

Log message:
update to BIND 9.16.4
- It was possible to trigger an assertion when attempting to fill an
oversized TCP buffer. This was disclosed in CVE-2020-8618. [GL #1850]
- It was possible to trigger an INSIST failure when a zone with an
interior wildcard label was queried in a certain pattern. This was
disclosed in CVE-2020-8619. [GL #1111] [GL #1718]

Log message:
isc-bind (6.7-stable): use absolute not relative paths in sample config,
relative paths have $directory prepended. drop root.hint from sample config
as a clue not to use it. update root.hint file for people who are using
it anyway. handled differently in -current (by removing most of the sample
config instead).

Log message:
isc-bind: drop most of the outdated sample config files (including a very
old root.hint, the compiled-in defaults are better). there isn't really a
"one size fits all" configuration, these files gave bad examples (combined
recursive+auth hasn't been recommended in years), and as this is not the
default nameserver on the OS any more hand-holding isn't really needed.
by way of compensation: install the docs.

Log message:
isc-bind 6.7-stable: fix plist, from Ian McWilliam

Log message:
update 6.6-stable to BIND 9.11.19
CVE-2020-8616: BIND does not sufficiently limit the number of fetches
performed when processing referrals
CVE-2020-8617: A logic error in code which checks TSIG validity can be
used to trigger an assertion failure in tsig.c

Log message:
update 6.7-stable to BIND 9.16.3
CVE-2020-8616: BIND does not sufficiently limit the number of fetches
performed when processing referrals
CVE-2020-8617: A logic error in code which checks TSIG validity can be
used to trigger an assertion failure in tsig.c

Log message:
update to BIND 9.16.3
CVE-2020-8616: BIND does not sufficiently limit the number of fetches
performed when processing referrals
CVE-2020-8617: A logic error in code which checks TSIG validity can be
used to trigger an assertion failure in tsig.c
More info on the referral problem in http://www.nxnsattack.com/dns-ns-paper.pdf

Log message:
isc-bind: remove obsolote CONFIGURE_ARGS (noop; they were ignored anyway).
From Claus Assmann.

Log message:
update -stable to BIND 9.11.18, various fixes including "Fix ineffective DNS
rebinding protection when BIND is configured as a forwarding DNS server."

Log message:
update to BIND 9.16.2, various fixes including "Fix ineffective DNS
rebinding protection when BIND is configured as a forwarding DNS server."

Log message:
fix atomic for macppc base-clang

Log message:
isc-bind: don't pick up cmocka if present at autoconf time

Log message:
update net/isc-bind to 9.16.1

Log message:
net/isc-bind: apply upstream patch for problem with TCP client quota limits
https://kb.isc.org/docs/operational-notification-an-error-in-handling-tcp-client-quota-limits-can-exhaust-tcp-connections-in-bind-9160

Log message:
update -stable to BIND 9.11.16

Log message:
update to BIND 9.16.0 (new stable/ESV release)

Log message:
get rid of some of bind's "|| defined(LIBRESSL_VERSION_NUMBER)" for things
that libressl now has

Log message:
update to BIND 9.14.10

Log message:
garbage-collect DIG_SIGCHASE, no longer used upstream
(use delv if you want to do full validation)

Log message:
struct stat definition is in sys/stat.h, not sys/fcntl.h. fix so that
libisc knows that we do have nsec timestamps. spotted by florian@ in
src/usr.sbin/bind.

Log message:
use COMPILER="base-clang ports-gcc" for all flavours, not just geoip.
fixes build error relating to atomics on e.g. sparc64.
(ports BIND in -current is built using this already).
problem reported by solene@

Log message:
remove SEPARATE_BUILD=Yes from -stable too, unbreak build on clean system

Log message:
disable SEPARATE_BUILD, fixes build failure (on a system which doesn't
already have bind installed) reported by naddy

Log message:
update to bind 9.14.9 (released today)
remove the no_openssl flavour, openssl/libressl is required in the
current versions

Log message:
update -stable to bind 9.11.14 and merge the pledge improvements from -current

Log message:
major version update to BIND 9.14.8

Log message:
update HOMEPAGE

Log message:
add edig/ehost/enslookup symlinks
move another pledge to a better place, drop some rpath

Log message:
move down the second ratchetted pledge in the ports-BIND version of dig,
it should have been done after loading a tsig keyfile.
drop rpath from that pledge, it used to be needed for charset conversion
with idn names, but this just prints "Cannot represent '%s' in the current
locale" now for !utf8 locales (maybe as a result of dropping the !utf8
ctype files?)

Log message:
update to bind-9.11.13
CVE-2019-6477, TCP-pipelined queries can bypass tcp-clients limit

Log message:
update to bind-9.11.13
CVE-2019-6477, TCP-pipelined queries can bypass tcp-clients limit

Log message:
update to isc-bind-9.11.12

Log message:
update to isc-bind-9.11.11

Log message:
update to bind-9.11.10

Log message:
the geoip flavour requires COMPILER=base-clang ports-gcc / COMPILER_LANGS=c

Log message:
update to isc-bind-9.11.9, staying with old geoip for -stable
CVE-2019-6471

Log message:
update to isc-bind 9.11.9, switch the geoip support to newly added geoip2/libmaxminddb
CVE-2019-6471

Log message:
update to BIND 9.11.8
CVE-2019-6471:  A race condition when discarding malformed
packets can cause BIND to exit with an assertion failure
https://kb.isc.org/docs/cve-2019-6471

Log message:
update to BIND 9.11.8
CVE-2019-6471:  A race condition when discarding malformed
packets can cause BIND to exit with an assertion failure
https://kb.isc.org/docs/cve-2019-6471

Log message:
s/PERMIT_PACKAGE_CDROM/PERMIT_PACKAGE/ and some light whitespace tidying
in ports which I maintain

Log message:
update to BIND 9.11.7

Log message:
Security update to bind 9.11.6-P1, plus patches ("Replace atomic
operations in bin/named/client.c with isc_refcount reference counting")
from https://gitlab.isc.org/isc-projects/bind9/merge_requests/1864.patch
for wider arch support.
Fixes:
CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
https://kb.isc.org/docs/cve-2018-5743

Log message:
update to BIND 9.11.6

Log message:
MFC security update to isc-bind 9.11.5-P4

Log message:
security update to isc-bind 9.11.5-P4
CVE-2018-5744: A specially crafted packet can cause named to leak memory
...
A failure to free memory can occur when processing messages
having a specific combination of EDNS options.
By exploiting this condition, an attacker can potentially cause
named's memory use to grow without bounds until all memory
available to the process is exhausted. Typically a server process
is limited as to the amount of memory it can use but if the named
process is not limited by the operating system all free memory
on the server could be exhausted.
...
CVE-2018-5745: An assertion failure can occur if a trust anchor
rolls over to an unsupported key algorithm when using managed-keys
(there is also CVE-2019-6465 but we don't build dlz)

Log message:
update to BIND 9.11.5-P1
5108.   [bug]           Named could fail to determine bottom of zone when
removing out of date keys leading to invalid NSEC
and NSEC3 records being added to the zone. [GL #771]

Log message:
drop back to isc-bind 9.11.x pending investigation into how to fix the
named's requirement that cwd is writable.
install bind.keys to the right path (it used the compiled-in default
anyway but this gives the wrong cue to anyone wanting to update dnssec
root zone trust anchors).
problems reported by Mikolaj Kucharski

Log message:
update to BIND 9.12.3, switching to 9.12.x branch

Log message:
update to bind-9.11.5
enable idn in utilities (dig/etc)

Log message:
update to isc-bind 9.11.4-P2, fixing dnssec inline signing
https://kb.isc.org/docs/change-4892-exposed-multiple-problems-affecting-dnssec-inline-signing

Log message:
update to BIND 9.11.4-P1
4997.   [security]      named could crash during recursive processing
of DNAME records when "deny-answer-aliases" was
in use. (CVE-2018-5740) [GL #387]

Log message:
update to isc-bind-9.11.4

Log message:
drop hidden dep on lmdb responsible for zkt build failures, reported by
naddy@ landry@, thanks landry for testing which led to the cause

Log message:
fix; we now have ECDSA_SIG accessors

Log message:
add a comment re upstream supported version policy

Log message:
update to bind-9.11.3

Log message:
typo in ifdef, thanks patrick keshishian for noticing.

Log message:
fix, we have all the DH_ DSA_ RSA_ needed

Log message:
fix; we now have DSA_set0_key DH_set0_key

Log message:
handle next round of libressl changes

Log message:
fix: various get0_key/pqg functions, ok jsing

Log message:
update BIND in -stable to 9.10.6-P1
* Addresses could be referenced after being freed during resolver
processing, causing an assertion failure. The chances of this happening
were remote, but the introduction of a delay in resolution increased
them. (The delay will be addressed in an upcoming maintenance release.)
This bug is disclosed in CVE-2017-3145. [RT #46839]

Log message:
security update to BIND 9.11.2-P1
* Addresses could be referenced after being freed during resolver
processing, causing an assertion failure. The chances of this happening
were remote, but the introduction of a delay in resolution increased
them. (The delay will be addressed in an upcoming maintenance release.)
This bug is disclosed in CVE-2017-3145. [RT #46839]

Log message:
update BIND to 9.11.2, switching from 9.10 to 9.11 branch (which is a long
term support branch).
note, the license changed to MPL.

Log message:
Change the shebang line from /bin/sh to /bin/ksh in all ports rc.d
daemon scripts and bump subpackages that contain the *.rc scripts.
discussed with and OK aja@
OK tb

Log message:
update to bind 9.10.6

Log message:
let it build with clang, just grab the unwinder from c++abi

Log message:
update to BIND-9.10.5-P3
9.10.5-P2 broke verification of TSIG signed TCP message sequences where
not all the messages contain TSIG records. These may be used in AXFR and
IXFR responses. [RT #45509]

Log message:
update to BIND-9.10.5-P3
9.10.5-P2 broke verification of TSIG signed TCP message sequences where
not all the messages contain TSIG records. These may be used in AXFR and
IXFR responses. [RT #45509]

Log message:
Update to BIND 9.10.5-P2
An error in TSIG handling could permit unauthorized zone transfers
or zone updates. CVE-2017-3142, CVE-2017-3143.
Also updates the address of b.root in hints.

Log message:
Update to BIND 9.10.5-P2
An error in TSIG handling could permit unauthorized zone transfers
or zone updates. CVE-2017-3142, CVE-2017-3143.
Also updates the address of b.root in hints.

Log message:
update to BIND 9.10.5-P1
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140. [RT #45181]
A server is potentially vulnerable to degradation of service if
1. the server is configured to use RPZ,
2. the server uses NSDNAME or NSIP policy rules, and
3. an attacker can cause the server to process a specific query

Log message:
update to BIND 9.10.5-P1
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140. [RT #45181]
A server is potentially vulnerable to degradation of service if
1. the server is configured to use RPZ,
2. the server uses NSDNAME or NSIP policy rules, and
3. an attacker can cause the server to process a specific query

Log message:
update to BIND 9.10.5

Log message:
MFC update to BIND 9.10.4-P8 (-P7 was withdrawn)
CVE-2017-3136: An error handling synthesized records could cause an
assertion failure when using DNS64 with "break-dnssec yes;"
CVE-2017-3137: A response packet can cause a resolver to terminate when
processing an answer containing a CNAME or DNAME
CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives
a null command string on its control channel

Log message:
update to BIND 9.10.4-P8 (-P7 was withdrawn)
CVE-2017-3136: An error handling synthesized records could cause an
assertion failure when using DNS64 with "break-dnssec yes;"
CVE-2017-3137: A response packet can cause a resolver to terminate when
processing an answer containing a CNAME or DNAME
CVE-2017-3138: named exits with a REQUIRE assertion failure if it receives
a null command string on its control channel

Log message:
update to BIND 9.10.4-P6
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for DNS64
address mapping, a NULL pointer can be read triggering a server crash.
This flaw is disclosed in CVE-2017-3135. [RT #44434]
* A synthesized CNAME record appearing in a response before the associated
DNAME could be cached, when it should not have been. This was a
regression introduced while addressing CVE-2016-8864. [RT #44318]

Log message:
update to BIND 9.10.4-P6
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for DNS64
address mapping, a NULL pointer can be read triggering a server crash.
This flaw is disclosed in CVE-2017-3135. [RT #44434]
* A synthesized CNAME record appearing in a response before the associated
DNAME could be cached, when it should not have been. This was a
regression introduced while addressing CVE-2016-8864. [RT #44318]

Log message:
add pledges for dig/host/nslookup in the ports version of BIND. initial
pledge is "stdio rpath inet unix dns", dropping to "stdio inet dns"
after argument parsing.
access to resolv.conf is required late; the dns pledge is used for this
rather than requiring full rpath; however contrary to the version in
base, inet is allowed as well, so that it can be used as a debug tool
for servers on alternate ports.
works fine for me; no feedback after posting yet so committing to get
real-world testing. please report any issues.

Log message:
MFC: SECURITY update to BIND 9.10.4-P5
Named could mishandle authority sections that were missing RRSIGs triggering
an assertion failure.  CVE-2016-9444
Named mishandled some responses where covering RRSIG records are returned
without the requested data resulting in a assertion failure.  CVE-2016-9147
Named incorrectly tried to cache TKEY records which could trigger an
assertion failure when there was a class mismatch.  CVE-2016-9131

Log message:
SECURITY update to BIND 9.10.4-P5
Named could mishandle authority sections that were missing RRSIGs triggering
an assertion failure.  CVE-2016-9444
Named mishandled some responses where covering RRSIG records are returned
without the requested data resulting in a assertion failure.  CVE-2016-9147
Named incorrectly tried to cache TKEY records which could trigger an
assertion failure when there was a class mismatch.  CVE-2016-9131

Log message:
update to BIND 9.10.4-P1, fixing a resolver DoS in DNAME handling. CVE-2016-8864

Log message:
update to BIND 9.10.4-P1, fixing a resolver DoS in DNAME handling. CVE-2016-8864

Log message:
-stable update to BIND 9.10.4-P3, fixing
https://kb.isc.org/article/AA-01393/74/CVE-2016-2775 (lwres only)
https://kb.isc.org/article/AA-01419/74/CVE-2016-2776 ("all servers if
they can receive request packets from any source")

Log message:
update to BIND 9.10.4-P3, fixing
https://kb.isc.org/article/AA-01393/74/CVE-2016-2775 (lwres only)
https://kb.isc.org/article/AA-01419/74/CVE-2016-2776 ("all servers if
they can receive request packets from any source")

Log message:
replace libiconv module

Log message:
Update to BIND 9.10.4-P2, fixes CVE-2016-2775 ("getrrsetbyname with a non
absolute name could trigger an infinite recursion bug in lwres[..]"; affects
users of lwresd and users with "lwres" enabled in their configuration).
ok sthen@

Log message:
Update to BIND 9.10.4-P2, fixes CVE-2016-2775 ("getrrsetbyname with a non
absolute name could trigger an infinite recursion bug in lwres[..]"; affects
users of lwresd and users with "lwres" enabled in their configuration).
Also has a couple of regression fixes. OK naddy@

Log message:
update to BIND 9.10.4-P1, fixing a problem where adjacent bitfields
were protected by different locks.
See http://fanf.livejournal.com/144615.html for an informative write-up
on the issue: "Even the Deathstation 9000 can't screw up the BIND 9.10.4
fix".

Log message:
update to bind-9.10.4

Log message:
garbage collect CONFIGURE_SHARED

Log message:
update to BIND 9.10.3-P4
https://kb.isc.org/article/AA-01363/81/BIND-9.10.3-P4-Release-Notes.html

Log message:
update to BIND 9.10.3-P4, fixes crashes (assertion failures), one present
since 9.0.0.  CVE-2016-1285 CVE-2016-1286 CVE-2016-2088

Log message:
bump (GeoIP pkgpath change)

Log message:
- security update to BIND 9.10.3P3
https://kb.isc.org/article/AA-01346/0/BIND-9.10.3-P3-Release-Notes.html

Log message:
update to BIND 9.10.3P3
- Fixed a regression in resolver.c:possibly_mark() which caused
known-bogus servers to be queried anyway. [RT #41321]
- render_ecs errors were mishandled when printing out a OPT record
resulting in a assertion failure. (CVE-2015-8705) [RT #41397]
- Specific APL data could trigger a INSIST. (CVE-2015-8704) [RT #41396]

Log message:
bump isc-bind REVISION to avoid warnings with updates (different deps
between 5.8-stable and -current)

Log message:
MFC update to bind-9.10.3-P2
4260.   [security]      Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]
4253.   [security]      Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT#40945]

Log message:
update to bind-9.10.3-P2
4260.   [security]      Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]
4253.   [security]      Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT#40945]

Log message:
oops, forgot to re-add json-c to WANTLIB/LIB_DEPENDS in previous commit.
spotted by nigel@

Log message:
reenable json stats in BIND, there used to be a problem with build on arch
without sync_val_compare_and_swap_4 but this was worked around in json-c.
reminded by jca.

Log message:
build dig with SIGCHASE support

Log message:
update to BIND 9.10.3. add a bunch of patches because they now support
OpenSSL 1.1 api (OPENSSL_VERSION_NUMBER < / >= 0x10100000L checks).

Log message:
SECURITY update to bind-9.10.2-P4: CVE-2015-5722, CVE-2015-5986

Log message:
SECURITY update to bind-9.10.2-P4: CVE-2015-5722, CVE-2015-5986

Log message:
SECURITY update to bind-9.10.2-P4: CVE-2015-5722, CVE-2015-5986

Log message:
Add a no_ssl flavour to BIND.
Expand the comment about json-c as that's broken on mips64 as well as hppa.

Log message:
Apply BIND security update to OPENBSD_5_6 as well
Security update to BIND 9.10.2p3 - a failure to reset a value to NULL in tkey.c
could result in an assertion failure. (CVE-2015-5477)

Log message:
Security update to BIND 9.10.2p3 - a failure to reset a value to NULL in tkey.c
could result in an assertion failure. (CVE-2015-5477)

Log message:
Security update to BIND 9.10.2p3 - a failure to reset a value to NULL in tkey.c
could result in an assertion failure. (CVE-2015-5477)

Log message:
Build BIND with --enable-filter-aaaa, no change by default, but this allows
use of the filter-aaaa-on-v4 config option. Req'd by Marcus Andree.

Log message:
MFC update to BIND 9.10.2-P2, fixes CVE-2015-4620 - querying a malicious zone
can trigger a "REQUIRE" assertion failure in the resolver if DNSSEC validation
is enabled.

Log message:
update to BIND 9.10.2-P2, fixes CVE-2015-4620 - querying a malicious zone can
trigger a "REQUIRE" assertion failure in the resolver if DNSSEC validation
is enabled.

Log message:
MFC: SECURITY update to BIND 9.10.2-P1, various problems with RPZ (policy zones),
and a possible crash with async zone loads. https://kb.isc.org/article/AA-01266
"If you are using RPZ in BIND 9.10 in a production environment, and
particularly if you have multiple policy zones, you should upgrade to
BIND 9.10.2-P1. Otherwise, this upgrade is not urgent."

Log message:
SECURITY update to BIND 9.10.2-P1, various problems with RPZ (policy zones),
and a possible crash with async zone loads. https://kb.isc.org/article/AA-01266
"If you are using RPZ in BIND 9.10 in a production environment, and
particularly if you have multiple policy zones, you should upgrade to
BIND 9.10.2-P1. Otherwise, this upgrade is not urgent."

Log message:
Use $CC to link shared library to make sure crtbeginS.o gets linked in.
Switches CONFIGURE_STYLE to autoconf to make sure configure gets regenerated.
ok (and help from) sthen@

Log message:
take MAINTAINER

Log message:
update to BIND 9.10.2

Log message:
Update to BIND 9.10.1P2
On servers configured to perform DNSSEC validation using managed
trust anchors (i.e., keys configured explicitly via managed-keys, or
implicitly via dnssec-validation auto; or dnssec-lookaside auto;),
revoking a trust anchor and sending a new untrusted replacement could
cause named to crash with an assertion failure.  This could occur in
the event of a botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to monitor the
victim's DNS traffic.  This flaw was discovered by Jan-Piet Mens, and
is disclosed in [CVE-2015-1349] [RT #38344] (**)

Log message:
update to BIND 9.10.2P2
On servers configured to perform DNSSEC validation using managed
trust anchors (i.e., keys configured explicitly via managed-keys, or
implicitly via dnssec-validation auto; or dnssec-lookaside auto;),
revoking a trust anchor and sending a new untrusted replacement could
cause named to crash with an assertion failure.  This could occur in
the event of a botched key rollover, or potentially as a result of a
deliberate attack if the attacker was in position to monitor the
victim's DNS traffic.  This flaw was discovered by Jan-Piet Mens, and
is disclosed in [CVE-2015-1349] [RT #38344] (**)

Log message:
previous change ("Disable json stats in bind") resulted in losing a couple
of symbols from libdns; bump SHARED_LIBS version and REVISION.

Log message:
Disable json stats in bind and zap BROKEN-hppa.

Log message:
BROKEN-hppa =   uses json-c which requires atomic ops

Log message:
Revert previous BIND workaround for query failures when coming up cold.
Instead, cherrypick a fix from git at source.isc.org; this exempts TLD and
root zone lookups from max-recursion-queries and changes the default to 75.

Log message:
MFC BIND update:
Update to BIND 9.10.1-P1, including query limits for recursion (DoS avoidance,
CVE-2014-8500), assertion DoS (recursive only, only with prefetch enabled,
CVE-2014-3214), assertion DoS (EDNS option processing, CVE-2014-3859) and
fixes to GeoIP (CVE-2014-8680 and another unclassified).
https://kb.isc.org/article/AA-01223/81/BIND-9.10.1-P1-Release-Notes.html
Add a local patch to increase the default query limit, during testing it
appears that the standard defaults can be easily falsely triggered during
priming at startup.

Log message:
Update to BIND 9.10.1-P1, including query limits for recursion (DoS avoidance,
CVE-2014-8500), assertion DoS (recursive only, only with prefetch enabled,
CVE-2014-3214), assertion DoS (EDNS option processing, CVE-2014-3859) and
fixes to GeoIP (CVE-2014-8680 and another unclassified).
https://kb.isc.org/article/AA-01223/81/BIND-9.10.1-P1-Release-Notes.html
Add a local patch to increase the default query limit, during testing it
appears that the standard defaults can be easily falsely triggered during
priming at startup.