Update to BIND 9.11.18

From Upstream Release notes:

Security Fixes

    DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574]

Known Issues

    We have received reports that in some circumstances, receipt of an IXFR can cause the processing of queries to slow significantly. Some of these were related to RPZ processing, which has been fixed in this release (see below). Others appear to occur where there are NSEC3-related changes (such as an operator changing the NSEC3 salt used in the hash calculation). These are being investigated. [GL #1685]
Petr Menšík 2020-04-16 10:53:28 +02:00
parent 485d16a77e
commit 6e3b160e37
5 changed files with 35 additions and 30 deletions

2
.gitignore vendored

@ -104,3 +104,5 @@ bind-9.7.2b1.tar.gz
/bind-9.11.14.tar.gz.asc
/bind-9.11.17.tar.gz
/bind-9.11.17.tar.gz.asc
/bind-9.11.18.tar.gz
/bind-9.11.18.tar.gz.asc


@ -1,4 +1,4 @@
From eb38d2278937ec3fe45d0af30cd080953bbb5b54 Mon Sep 17 00:00:00 2001
From a9b5785f174cf7fd74891fa64f6b69b9a9b55466 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests
@ -16,10 +16,10 @@ Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
6 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0532feb..a83ddd5 100644
index 62ecf56..0940a7d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5578,6 +5578,7 @@ AC_CONFIG_FILES([
@@ -5476,6 +5476,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile
@ -43,13 +43,13 @@ index 7c8bab0..eec9564 100644
include('isccfg/Kyuafile')
include('lwres/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
index 7671e1d..e237d5c 100644
index 22a06a8..5df5b15 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
@DST_OPENSSL_INC@
@DST_OPENSSL_INC@ ${MAXMINDDB_CFLAGS}
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
@ -65,10 +65,10 @@ index 7671e1d..e237d5c 100644
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
index 4dbfd82..a383b8e 100644
index a5bf46c..9ff2b76 100644
--- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c
@@ -86,7 +86,8 @@ dh_computesecret(void **state) {
@@ -88,7 +88,8 @@ dh_computesecret(void **state) {
result = dst_key_computesecret(key, key, &buf);
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
result = key->func->computesecret(key, key, &buf);
@ -79,7 +79,7 @@ index 4dbfd82..a383b8e 100644
dst_key_free(&key);
}
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
index 2fdee0b..a263b35 100644
index 36d2207..00dfbc9 100644
--- a/lib/isc-pkcs11/tests/Makefile.in
+++ b/lib/isc-pkcs11/tests/Makefile.in
@@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@
@ -97,10 +97,10 @@ index 2fdee0b..a263b35 100644
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
index 9c4d299..d9deba2 100644
index 4fafc38..5eb2be2 100644
--- a/lib/isc-pkcs11/tests/hash_test.c
+++ b/lib/isc-pkcs11/tests/hash_test.c
@@ -85,7 +85,7 @@ typedef struct hash_testcase {
@@ -84,7 +84,7 @@ typedef struct hash_testcase {
typedef struct hash_test_key {
const char *key;
@ -109,7 +109,7 @@ index 9c4d299..d9deba2 100644
} hash_test_key_t;
/* non-hmac tests */
@@ -956,8 +956,11 @@ isc_hmacsha1_test(void **state) {
@@ -955,8 +955,11 @@ isc_hmacsha1_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -122,7 +122,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha1_update(&hmacsha1,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1116,8 +1119,11 @@ isc_hmacsha224_test(void **state) {
@@ -1115,8 +1118,11 @@ isc_hmacsha224_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -135,7 +135,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha224_update(&hmacsha224,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1277,8 +1283,11 @@ isc_hmacsha256_test(void **state) {
@@ -1276,8 +1282,11 @@ isc_hmacsha256_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -148,7 +148,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha256_update(&hmacsha256,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1444,8 +1453,11 @@ isc_hmacsha384_test(void **state) {
@@ -1443,8 +1452,11 @@ isc_hmacsha384_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -161,7 +161,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha384_update(&hmacsha384,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1611,8 +1623,11 @@ isc_hmacsha512_test(void **state) {
@@ -1610,8 +1622,11 @@ isc_hmacsha512_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -174,7 +174,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha512_update(&hmacsha512,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1755,8 +1770,11 @@ isc_hmacmd5_test(void **state) {
@@ -1754,8 +1769,11 @@ isc_hmacmd5_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -188,5 +188,5 @@ index 9c4d299..d9deba2 100644
(const uint8_t *) testcase->input,
testcase->input_len);
--
2.20.1
2.21.1


@ -1,4 +1,4 @@
From 06a22ff20ac3d68fa1f995c91068b43392425e43 Mon Sep 17 00:00:00 2001
From 9576e960ad3719aa9c1707734ad7ba0eccf16e5f Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 1 Mar 2019 15:48:20 +0100
Subject: [PATCH] Make alternative named builds testable in system tests
@ -13,14 +13,14 @@ export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
For pkcs variant use:
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
---
bin/tests/system/conf.sh.in | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
bin/tests/system/conf.sh.in | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 4b0fe39..f135af6 100644
index 6f2dbcd..05605ae 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -34,7 +34,7 @@ DISABLED_ALGORITHM=ECDSAP384SHA384
@@ -37,7 +37,7 @@ DISABLED_ALGORITHM=ECDSAP384SHA384
DISABLED_ALGORITHM_NUMBER=14
DISABLED_BITS=384
@ -29,7 +29,7 @@ index 4b0fe39..f135af6 100644
# We must use "named -l" instead of "lwresd" because argv[0] is lost
# if the program is libtoolized.
LWRESD="$TOP/bin/named/named -l"
@@ -45,13 +45,14 @@ NSUPDATE=$TOP/bin/nsupdate/nsupdate
@@ -48,14 +48,14 @@ NSUPDATE=$TOP/bin/nsupdate/nsupdate
DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
@ -39,19 +39,19 @@ index 4b0fe39..f135af6 100644
-REVOKE=$TOP/bin/dnssec/dnssec-revoke
-SETTIME=$TOP/bin/dnssec/dnssec-settime
-DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
+KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT}
+KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT}
+SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT}
+REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT}
+SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT}
+DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT}
HOST=$TOP/bin/dig/host
-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
+IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT}
+CHECKDS=$TOP/bin/python/dnssec-checkds
CHECKDS=$TOP/bin/python/dnssec-checkds
COVERAGE=$TOP/bin/python/dnssec-coverage
KEYMGR=$TOP/bin/python/dnssec-keymgr
@@ -71,7 +72,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
@@ -75,7 +75,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
MDIG=$TOP/bin/tools/mdig
NZD2NZF=$TOP/bin/tools/named-nzd2nzf
FSTRM_CAPTURE=@FSTRM_CAPTURE@
@ -61,5 +61,5 @@ index 4b0fe39..f135af6 100644
RANDFILE=$TOP/bin/tests/system/random.data
--
2.20.1
2.21.1


@ -63,7 +63,7 @@
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name: bind
License: MPLv2.0
Version: 9.11.17
Version: 9.11.18
Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
@ -1600,6 +1600,9 @@ fi;
%changelog
* Thu Apr 16 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.18-1
- Update to 9.11.18
* Tue Mar 31 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.17-1
- Update to 9.11.17


@ -1,2 +1,2 @@
SHA512 (bind-9.11.17.tar.gz) = 0c5aebd9763fdf61709d347abc79c898f62bcc6bc19bcae0e355804cfee3fd24d7054ebb574dce1987138e4a755c4bc963afb92f920ac15223c1a738d831b652
SHA512 (bind-9.11.17.tar.gz.asc) = fb5c03facaf8530bf4168be6a106bc75517bb4b45e164fbadd20ce9968098e43badff854ca735b14cddbeb76f8cc10cfaf7cad760b7b630639a1c9243dd7c422
SHA512 (bind-9.11.18.tar.gz) = 947a7f9f58ac40744c541b2c23ef3eb9d8b6ecc8e3bb4f4b102ba5aafcc20c58ad5e8bacdd338821369c1f7de9d1073c264208e45f054ff7e3a9391894b424ab
SHA512 (bind-9.11.18.tar.gz.asc) = aeeef8b211199a5d2715b63da9d648322241726e60b8cffae883bcec0e6335fd6c5ee431755a0bcb5b2a39ce540986edb0c9f51c6365aa226cff83ba358bac1a