Update to 9.16.2
Notes for BIND 9.16.2. Security Fixes: DNS rebinding protection was ineffective when BIND 9 was configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574] Known Issues: We have received reports that in some circumstances, receipt of an IXFR can cause the processing of queries to slow significantly. Some of these were related to RPZ processing, which has been fixed in this release (see below). Others appear to occur where there are NSEC3-related changes (such as an operator changing the NSEC3 salt used in the hash calculation). These are being investigated. [GL #1685] Feature Changes: The previous DNSSEC sign statistics used lots of memory. The number of keys to track is reduced to four per zone, which should be enough for 99% of all signed zones. [GL #1179] Bug Fixes: When an RPZ policy zone was updated via zone transfer and a large number of records was deleted, named could become nonresponsive for a short period while deleted names were removed from the RPZ summary database. This database cleanup is now done incrementally over a longer period of time, reducing such delays. [GL #1447] When trying to migrate an already-signed zone from auto-dnssec maintain to one based on dnssec-policy, the existing keys were immediately deleted and replaced with new ones. As the key rollover timing constraints were not being followed, it was possible that some clients would not have been able to validate responses until all old DNSSEC information had timed out from caches. BIND now looks at the time metadata of the existing keys and incorporates it into its DNSSEC policy operation. [GL #1706]
parent
5e13eb8e75
commit
1b133224fc
4
.gitignore
vendored
4
.gitignore
vendored
@ -104,4 +104,6 @@ bind-9.7.2b1.tar.gz
|
||||
/bind-9.11.14.tar.gz
|
||||
/bind-9.11.14.tar.gz.asc
|
||||
/bind-9.16.1.tar.xz
|
||||
/bind-9.16.1.tar.xz.asc
|
||||
/bind-9.16.1.tar.xz.asc
|
||||
/bind-9.16.2.tar.xz
|
||||
/bind-9.16.2.tar.xz.asc
|
||||
|
@ -1,4 +1,4 @@
|
||||
From df27b2a23a195f844687c424a9117d4da14bc6dd Mon Sep 17 00:00:00 2001
|
||||
From 64f29512679fd00c89473d93d8b22017b018dd8f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Wed, 30 Jan 2019 14:37:17 +0100
|
||||
Subject: [PATCH] Create feature-test in source directory
|
||||
@ -41,7 +41,7 @@ index dd25774..cb187e5 100644
|
||||
|
||||
docclean manclean maintainer-clean::
|
||||
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
|
||||
index 0d83fdf..be4123b 100644
|
||||
index 2317bd8..5015d5c 100644
|
||||
--- a/bin/tests/system/conf.sh.in
|
||||
+++ b/bin/tests/system/conf.sh.in
|
||||
@@ -37,7 +37,7 @@ DELV=$TOP/bin/delv/delv
|
||||
@ -51,8 +51,8 @@ index 0d83fdf..be4123b 100644
|
||||
-FEATURETEST=$TOP/bin/tests/system/feature-test
|
||||
+FEATURETEST=$TOP/bin/named/feature-test
|
||||
FSTRM_CAPTURE=@FSTRM_CAPTURE@
|
||||
HOST=$TOP/bin/dig/host
|
||||
IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
|
||||
JOURNALPRINT=$TOP/bin/tools/named-journalprint
|
||||
--
|
||||
2.21.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From e706bb1dccf0b3492664c591f99f698a2a40fce7 Mon Sep 17 00:00:00 2001
|
||||
From 2faaad96a86614f2df13e65f3d3a31cc2d4155c0 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Fri, 1 Mar 2019 15:48:20 +0100
|
||||
Subject: [PATCH] Make alternative named builds testable in system tests
|
||||
@ -17,10 +17,10 @@ export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
|
||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
|
||||
index 0f4ead0..e7831d8 100644
|
||||
index 5015d5c..331b728 100644
|
||||
--- a/bin/tests/system/conf.sh.in
|
||||
+++ b/bin/tests/system/conf.sh.in
|
||||
@@ -37,16 +37,16 @@ DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
|
||||
@@ -36,17 +36,17 @@ DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
|
||||
DELV=$TOP/bin/delv/delv
|
||||
DIG=$TOP/bin/dig/dig
|
||||
DNSTAPREAD=$TOP/bin/tools/dnstap-read
|
||||
@ -29,6 +29,7 @@ index 0f4ead0..e7831d8 100644
|
||||
+DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT}
|
||||
+FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT}
|
||||
FSTRM_CAPTURE=@FSTRM_CAPTURE@
|
||||
HOST=$TOP/bin/dig/host
|
||||
-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
|
||||
+IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT}
|
||||
JOURNALPRINT=$TOP/bin/tools/named-journalprint
|
||||
@ -60,5 +61,5 @@ index 0f4ead0..e7831d8 100644
|
||||
VERIFY=$TOP/bin/dnssec/dnssec-verify
|
||||
WIRETEST=$TOP/bin/tests/wire_test
|
||||
--
|
||||
2.20.1
|
||||
2.21.1
|
||||
|
||||
|
@ -1,27 +0,0 @@
|
||||
From 5ee0a7ace7588b986f41ac68f51b315fece69094 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Wed, 1 Apr 2020 14:28:42 +0200
|
||||
Subject: [PATCH] Link all required libraries to libisc
|
||||
|
||||
It would fail to link -lisc without additional libraries, which should
|
||||
not be required.
|
||||
---
|
||||
lib/isc/Makefile.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
|
||||
index 1b6b4466cd..e9df8d1e17 100644
|
||||
--- a/lib/isc/Makefile.in
|
||||
+++ b/lib/isc/Makefile.in
|
||||
@@ -81,7 +81,7 @@ SRCS = pk11.c pk11_result.c \
|
||||
symtab.c task.c taskpool.c timer.c \
|
||||
tm.c version.c
|
||||
|
||||
-LIBS = ${OPENSSL_LIBS} @LIBS@
|
||||
+LIBS = ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS} ${ZLIB_LIBS} @LIBS@
|
||||
|
||||
# Note: the order of SUBDIRS is important.
|
||||
# Attempt to disable parallel processing.
|
||||
--
|
||||
2.21.1
|
||||
|
16
bind.spec
16
bind.spec
@ -52,8 +52,8 @@
|
||||
# no more isc-config.sh and bind9-config
|
||||
|
||||
# lib*.so.X versions of selected libraries
|
||||
%global sover_dns 1601
|
||||
%global sover_isc 1601
|
||||
%global sover_dns 1602
|
||||
%global sover_isc 1602
|
||||
%global sover_irs 1600
|
||||
%global sover_isccfg 1600
|
||||
|
||||
@ -61,8 +61,8 @@
|
||||
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
|
||||
Name: bind
|
||||
License: MPLv2.0
|
||||
Version: 9.16.1
|
||||
Release: 2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
|
||||
Version: 9.16.2
|
||||
Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
|
||||
Epoch: 32
|
||||
Url: https://www.isc.org/downloads/bind/
|
||||
#
|
||||
@ -121,8 +121,6 @@ Patch164:bind-9.11-rh1666814.patch
|
||||
Patch170:bind-9.11-feature-test-named.patch
|
||||
Patch171:bind-9.11-tests-variants.patch
|
||||
Patch172:bind-9.11-tests-pkcs11.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3323
|
||||
Patch173:bind-9.16-libisc-link.patch
|
||||
|
||||
Requires(post): systemd
|
||||
Requires(preun): systemd
|
||||
@ -437,7 +435,6 @@ This package provides a module which allows commands to be sent to rndc directly
|
||||
%patch170 -p1 -b .featuretest-named
|
||||
%patch171 -p1 -b .test-variant
|
||||
%patch172 -p1 -b .test-pkcs11
|
||||
%patch173 -p1 -b .link-isc
|
||||
|
||||
%if %{with PKCS11}
|
||||
%patch135 -p1 -b .config-pkcs11
|
||||
@ -980,7 +977,7 @@ fi;
|
||||
%files libs
|
||||
%{_libdir}/libbind9.so.1600*
|
||||
%{_libdir}/libisccc.so.1600*
|
||||
%{_libdir}/libns.so.1601*
|
||||
%{_libdir}/libns.so.1602*
|
||||
|
||||
%files libs-lite
|
||||
%{_libdir}/libdns.so.%{sover_dns}*
|
||||
@ -1162,6 +1159,9 @@ fi;
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Apr 16 2020 Petr Menšík <pemensik@redhat.com> - 32:9.16.2-1
|
||||
- Update to 9.16.2
|
||||
|
||||
* Wed Apr 01 2020 Petr Menšík <pemensik@redhat.com> - 32:9.16.1-2
|
||||
- Link all used libraries to libisc
|
||||
|
||||
|
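Review bot: The new %changelog entry says only `- Update to 9.16.2`, although the commit description states that this release fixes ineffective DNS rebinding protection on forwarding servers [GL #1574]. A second entry line such as `- Fix ineffective DNS rebinding protection on forwarding servers (GL #1574)` would let anyone reading `rpm -q --changelog bind` see that the update is security-relevant. Separately, the `%files libs` hunk bumps the soname by hand in `%{_libdir}/libns.so.1602*`, while `libdns` a few lines later uses `%{sover_dns}`. A `%global sover_ns 1602` beside the other `sover_*` macros, used as `%{_libdir}/libns.so.%{sover_ns}*`, would keep the next bump in one place. The `%files` lists continue outside the hunks shown.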
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (bind-9.16.1.tar.xz) = 9a1e8987f312b09a16c2ee0fd1d1eb8e4951b8dbcf3c0d51a1a1fb179a261028239ab2bebc3e559592cc766de57a26ba37b27621a0c5e1711d36c2416f0a0c26
|
||||
SHA512 (bind-9.16.1.tar.xz.asc) = fb9967033a0f8efbc05537ce4f3b315607ff06805b415303cf338afab303ca0f146a4d8049e7166971969b87064aa480a72c41d2c0ab1a8f3165e2049ccc4cb0
|
||||
SHA512 (bind-9.16.2.tar.xz) = fec47a0df6f91318504d57730148816ee19d7d14769d9c6f84ecd2ced9f575ea86bac2eac65886835aae99f7120495150a40923ee06a7755c6118ffb1f7f166f
|
||||
SHA512 (bind-9.16.2.tar.xz.asc) = 854a5f2e82e491e74cfafb874f5cd614c9cb289e1c1bfae66ba37a881d7f8ee0acca99ff9aaddc118e8d52474121a81b627c475e432536cd99411c084479b69b
|
||||
|