import bind-9.11.36-3.el8

c8 imports/c8/bind-9.11.36-3.el8
CentOS Sources 9 months ago committed by Stepan Oksanichenko
parent 0f18d3fb97
commit d8d371d1e8
  1. 2
      .bind.metadata
  2. 2
      .gitignore
  3. 46
      SOURCES/bind-9.10-dist-native-pkcs11.patch
  4. 27
      SOURCES/bind-9.11-CVE-2020-8625.patch
  5. 44
      SOURCES/bind-9.11-CVE-2021-25214.patch
  6. 40
      SOURCES/bind-9.11-CVE-2021-25215.patch
  7. 64
      SOURCES/bind-9.11-fips-tests.patch
  8. 38
      SOURCES/bind-9.11-rh1935152.patch
  9. 140
      SOURCES/bind-9.11-rt31459.patch
  10. 58
      SOURCES/bind-9.15-resolver-ntasks.patch
  11. 1
      SOURCES/named-chroot.files
  12. 50
      SPECS/bind.spec

@ -1,2 +1,2 @@
14064c865920842e48f444be2bda9dc91770e439 SOURCES/bind-9.11.26.tar.gz
4b45d15edc1e3b7902129ce27baec58a50d76b5c SOURCES/bind-9.11.36.tar.gz
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data

2
.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/bind-9.11.26.tar.gz
SOURCES/bind-9.11.36.tar.gz
SOURCES/random.data

@ -143,7 +143,7 @@ index 390aa0c..851a008 100644
CWARNINGS =
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
index 3166368..a403941 100644
index 277a0f5..52a6375 100644
--- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in
@@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
@ -260,7 +260,7 @@ index 3166368..a403941 100644
@DLZ_DRIVER_RULES@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 3166368..890574f 100644
index 277a0f5..0e00885 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
@ -294,10 +294,10 @@ index 2c19e7e..8223d5e 100644
DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.ac b/configure.ac
index c6715b4..8144268 100644
index 83cad4a..e1e1a32 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1176,12 +1176,14 @@ AC_SUBST(USE_GSSAPI)
@@ -1178,12 +1178,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
@ -312,7 +312,7 @@ index c6715b4..8144268 100644
#
# was --with-randomdev specified?
@@ -1554,12 +1556,12 @@ AC_ARG_ENABLE(openssl-hash,
@@ -1556,12 +1558,12 @@ AC_ARG_ENABLE(openssl-hash,
AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
@ -331,7 +331,7 @@ index c6715b4..8144268 100644
if test "auto" = "$use_openssl"
then
@@ -1572,6 +1574,7 @@ then
@@ -1574,6 +1576,7 @@ then
fi
done
fi
@ -339,7 +339,7 @@ index c6715b4..8144268 100644
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
@@ -1593,11 +1596,10 @@ case "$with_gost" in
@@ -1595,11 +1598,10 @@ case "$with_gost" in
;;
esac
@ -354,7 +354,7 @@ index c6715b4..8144268 100644
CRYPTOLIB="pkcs11"
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
@@ -1607,7 +1609,9 @@ case "$use_openssl" in
@@ -1609,7 +1611,9 @@ case "$use_openssl" in
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
@ -365,7 +365,7 @@ index c6715b4..8144268 100644
no)
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
@@ -1639,7 +1643,7 @@ case "$use_openssl" in
@@ -1641,7 +1645,7 @@ case "$use_openssl" in
If you do not want OpenSSL, use --without-openssl])
;;
*)
@ -374,7 +374,7 @@ index c6715b4..8144268 100644
then
AC_MSG_RESULT()
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
@@ -2067,6 +2071,7 @@ AC_SUBST(OPENSSL_ED25519)
@@ -2077,6 +2081,7 @@ AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@ -382,7 +382,7 @@ index c6715b4..8144268 100644
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
@@ -2353,6 +2358,7 @@ esac
@@ -2363,6 +2368,7 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
@ -390,7 +390,7 @@ index c6715b4..8144268 100644
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
@@ -5501,8 +5507,11 @@ AC_CONFIG_FILES([
@@ -5491,8 +5497,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
@ -402,7 +402,7 @@ index c6715b4..8144268 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5575,6 +5584,10 @@ AC_CONFIG_FILES([
@@ -5565,6 +5574,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
@ -413,7 +413,7 @@ index c6715b4..8144268 100644
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
@@ -5599,6 +5612,24 @@ AC_CONFIG_FILES([
@@ -5589,6 +5602,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile
@ -452,21 +452,21 @@ index f089bea..3ed939b 100644
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 8fc4e94..5eefb14 100644
index 1d0f5df..98c9ba0 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@
@@ -24,17 +24,17 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
- ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
- @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
+ ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+ ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@
CWARNINGS =
@ -478,7 +478,7 @@ index 8fc4e94..5eefb14 100644
LIBS = ${MAXMINDDB_LIBS} @LIBS@
@@ -150,15 +149,15 @@ version.@O@: version.c
@@ -148,15 +148,15 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
@ -498,7 +498,7 @@ index 8fc4e94..5eefb14 100644
include: gen
${MAKE} include/dns/enumtype.h
@@ -189,22 +188,22 @@ gen: gen.c
@@ -187,22 +187,22 @@ gen: gen.c
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
${BUILD_LIBS} ${LFS_LIBS}

@ -1,27 +0,0 @@
From 9f331a945071365ccc0cfba24241c4af6919af30 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 15 Feb 2021 12:18:14 +0100
Subject: [PATCH] CVE-2020-8625
5562. [security] Fix off-by-one bug in ISC SPNEGO implementation.
(CVE-2020-8625) [GL #2354]
---
lib/dns/spnego.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
index dea108b..13cf15d 100644
--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
@@ -877,7 +877,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
return (ASN1_OVERRUN);
}
- data->components = malloc(len * sizeof(*data->components));
+ data->components = malloc((len + 1) * sizeof(*data->components));
if (data->components == NULL) {
return (ENOMEM);
}
--
2.26.2

@ -1,44 +0,0 @@
From 4eff09c6b1e524b0efc393ee948b5c4cdf16ccb8 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 3 Feb 2021 11:10:20 +1100
Subject: [PATCH] Check SOA owner names in zone transfers
An IXFR containing SOA records with owner names different than the
transferred zone's origin can result in named serving a version of that
zone without an SOA record at the apex. This causes a RUNTIME_CHECK
assertion failure the next time such a zone is refreshed. Fix by
immediately rejecting a zone transfer (either an incremental or
non-incremental one) upon detecting an SOA record not placed at the apex
of the transferred zone.
---
lib/dns/xfrin.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 3a3f407289..0ba82e4974 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
dns_rdatatype_ismeta(rdata->type))
FAIL(DNS_R_FORMERR);
+ /*
+ * Immediately reject the entire transfer if the RR that is currently
+ * being processed is an SOA record that is not placed at the zone
+ * apex.
+ */
+ if (rdata->type == dns_rdatatype_soa &&
+ !dns_name_equal(&xfr->name, name)) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
+ namebuf);
+ FAIL(DNS_R_NOTZONETOP);
+ }
+
redo:
switch (xfr->state) {
case XFRST_SOAQUERY:
--
2.26.3

@ -1,40 +0,0 @@
From 6fc38d1c75ce5a6172267e6ca162c4fdc09657ad Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 27 Apr 2021 10:56:12 +0200
Subject: [PATCH 2/2] CVE-2021-25215
5616. [security] named crashed when a DNAME record placed in the ANSWER
section during DNAME chasing turned out to be the final
answer to a client query. (CVE-2021-25215) [GL #2540]
---
bin/named/query.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/bin/named/query.c b/bin/named/query.c
index a95f5ad..11a888e 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -9301,10 +9301,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
if (noqname != NULL)
query_addnoqnameproof(client, noqname);
/*
- * We shouldn't ever fail to add 'rdataset'
- * because it's already in the answer.
+ * 'rdataset' will only be non-NULL here if the ANSWER section
+ * of the message to be sent to the client already contains an
+ * RRset with the same owner name and the same type as
+ * 'rdataset'. This should never happen, with one exception:
+ * when chasing DNAME records, one of the DNAME records placed
+ * in the ANSWER section may turn out to be the final answer to
+ * the client's query, but we have no way of knowing that until
+ * now. In such a case, 'rdataset' will be freed later, so we
+ * do not need to free it here.
*/
- INSIST(rdataset == NULL);
+ INSIST(rdataset == NULL || qtype == dns_rdatatype_dname);
}
addauth:
--
2.26.3

@ -1,4 +1,4 @@
From 14ad3e0b42bc999072d30268396412bec158a22d Mon Sep 17 00:00:00 2001
From 1dc81c51cd5c70b783aab8b6156aec4cfedd6fe3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 2 Aug 2018 23:46:45 +0200
Subject: [PATCH] FIPS tests changes
@ -96,12 +96,14 @@ Date: Wed Mar 7 10:44:23 2018 +0100
bin/tests/system/rndc/setup.sh | 2 +-
bin/tests/system/rndc/tests.sh | 23 ++++---
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
bin/tests/system/tsig/setup.sh | 5 ++
bin/tests/system/tsig/tests.sh | 65 +++++++++++-------
bin/tests/system/tsiggss/setup.sh | 2 +-
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
bin/tests/system/upforwd/tests.sh | 2 +-
43 files changed, 220 insertions(+), 170 deletions(-)
44 files changed, 230 insertions(+), 170 deletions(-)
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
index 9999ada..e3f8d0e 100644
@ -598,10 +600,10 @@ index b66207a..359b220 100644
; TTL of 3 weeks
weeks 1814400 A 10.53.0.2
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index 2109001..ded5557 100644
index a3ebc31..0d9b9b8 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -155,7 +155,7 @@ if [ -x "$DIG" ] ; then
@@ -173,7 +173,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +rrcomments works for DNSKEY($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -610,7 +612,7 @@ index 2109001..ded5557 100644
check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -164,7 +164,7 @@ if [ -x "$DIG" ] ; then
@@ -182,7 +182,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -619,7 +621,7 @@ index 2109001..ded5557 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -172,7 +172,7 @@ if [ -x "$DIG" ] ; then
@@ -190,7 +190,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +nosplit works($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -628,7 +630,7 @@ index 2109001..ded5557 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -180,7 +180,7 @@ if [ -x "$DIG" ] ; then
@@ -198,7 +198,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +rrcomments works($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -637,7 +639,7 @@ index 2109001..ded5557 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -197,7 +197,7 @@ if [ -x "$DIG" ] ; then
@@ -215,7 +215,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +rrcomments works($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -646,7 +648,7 @@ index 2109001..ded5557 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -827,7 +827,7 @@ if [ -x ${DELV} ] ; then
@@ -846,7 +846,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +rrcomments works for DNSKEY($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -655,7 +657,7 @@ index 2109001..ded5557 100644
check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -836,7 +836,7 @@ if [ -x ${DELV} ] ; then
@@ -855,7 +855,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -664,7 +666,7 @@ index 2109001..ded5557 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -844,7 +844,7 @@ if [ -x ${DELV} ] ; then
@@ -863,7 +863,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +rrcomments works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -673,7 +675,7 @@ index 2109001..ded5557 100644
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -852,7 +852,7 @@ if [ -x ${DELV} ] ; then
@@ -871,7 +871,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +nosplit works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -682,7 +684,7 @@ index 2109001..ded5557 100644
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
f=`awk '{print NF}' < delv.out.test$n`
test "${f:-0}" -eq 14 || ret=1
@@ -863,7 +863,7 @@ if [ -x ${DELV} ] ; then
@@ -882,7 +882,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +nosplit +norrcomments works ($n)"
ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -909,7 +911,7 @@ index ba39f90..f20a2dd 100755
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index e28b3f1..29c169b 100644
index d401823..139c7ad 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -126,8 +126,8 @@ zone=in-addr.arpa.
@ -953,10 +955,10 @@ index 75cf699..b4d848c 100644
+ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
};
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 3e8e4d5..da692f9 100644
index 30f7fc5..2f34b6d 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3257,8 +3257,8 @@ do
@@ -3281,8 +3281,8 @@ do
alg=`expr $alg + 1`
continue;;
3) size="-b 512";;
@ -1112,10 +1114,10 @@ index e6e2382..b0a94e0 100644
};
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 6fbf1d7..a712b17 100644
index 2b3b154..8240c42 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -53,7 +53,12 @@ EOF
@@ -68,7 +68,12 @@ EOF
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
@ -1130,10 +1132,10 @@ index 6fbf1d7..a712b17 100644
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 6b2c8f6..96ad95e 100755
index 60cf7ee..f8994ff 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -788,7 +788,14 @@ fi
@@ -804,7 +804,14 @@ fi
n=`expr $n + 1`
ret=0
echo_i "check TSIG key algorithms ($n)"
@ -1149,7 +1151,7 @@ index 6b2c8f6..96ad95e 100755
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add ${alg}.keytests.nil. 600 A 10.10.10.3
@@ -796,7 +803,7 @@ send
@@ -812,7 +819,7 @@ send
END
done
sleep 2
@ -1233,6 +1235,22 @@ index 4905ffd..958d9fb 100644
key "sha1-trunc" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
new file mode 100644
index 0000000..0682194
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
@@ -0,0 +1,10 @@
+# Conditionally included when support for MD5 is available
+key "md5" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5;
+};
+
+key "md5-trunc" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5-80;
+};
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
index f42aa79..bfcf4a6 100644
--- a/bin/tests/system/tsig/setup.sh
@ -1247,7 +1265,7 @@ index f42aa79..bfcf4a6 100644
+ cat ns1/rndc5.conf.in >> ns1/named.conf
+fi
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index ed41e1d..98c542e 100644
index e0c2903..327fa50 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
@ -1375,5 +1393,5 @@ index 1cf8d3b..f4c3216 100644
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
--
2.26.2
2.31.1

@ -1,38 +0,0 @@
From 4757898440d52b0adbf7ec7ee7f0f89b61aac0fb Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 18 Dec 2020 13:31:07 +1100
Subject: [PATCH] Inactive incorrectly incremented
It is possible to have two threads destroying an rbtdb at the same
time when detachnode() executes and removes the last reference to
a node between exiting being set to true for the node and testing
if the references are zero in maybe_free_rbtdb(). Move NODE_UNLOCK()
to after checking if references is zero to prevent detachnode()
changing the reference count too early.
(cherry picked from commit 859d2fdad6d1c6ff20083a4c463a929cbeb26438)
(cherry picked from commit 25150c15e7cfa73289f04470e2e699ebb7c28fef)
---
lib/dns/rbtdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 8ea4d47..77ef7a4 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -1460,11 +1460,11 @@ maybe_free_rbtdb(dns_rbtdb_t *rbtdb) {
for (i = 0; i < rbtdb->node_lock_count; i++) {
NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
rbtdb->node_locks[i].exiting = true;
- NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
if (isc_refcount_current(&rbtdb->node_locks[i].references)
== 0) {
inactive++;
}
+ NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
}
if (inactive != 0) {
--
2.26.3

@ -1,4 +1,4 @@
From 63d1fe9e1ac0db37f89cf31b40c35d6d22578ded Mon Sep 17 00:00:00 2001
From 346683631ae0f83ad4f09a69cfa5e5c6ea49e5d9 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 12 Sep 2017 19:05:46 -0700
Subject: [PATCH] rebased rt31459c
@ -199,10 +199,10 @@ index f017895..2c568fc 100644
if (verbose > 10)
isc_mem_stats(mctx, stdout);
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index dde1b2f..7308fc6 100644
index a097ac8..6567421 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -3465,14 +3465,15 @@ main(int argc, char *argv[]) {
@@ -3472,14 +3472,15 @@ main(int argc, char *argv[]) {
if (!pseudorandom)
eflags |= ISC_ENTROPY_GOODONLY;
@ -222,7 +222,7 @@ index dde1b2f..7308fc6 100644
isc_stdtime_get(&now);
if (startstr != NULL) {
@@ -3884,8 +3885,8 @@ main(int argc, char *argv[]) {
@@ -3896,8 +3897,8 @@ main(int argc, char *argv[]) {
dns_master_styledestroy(&dsstyle, mctx);
cleanup_logging(&log);
@ -293,7 +293,7 @@ index 7f045e8..2a0f9c6 100644
usekeyboard);
diff --git a/bin/named/server.c b/bin/named/server.c
index 30d38be..b2ae57c 100644
index 9826588..b3e3fc3 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -36,6 +36,7 @@
@ -304,7 +304,7 @@ index 30d38be..b2ae57c 100644
#include <isc/portset.h>
#include <isc/print.h>
#include <isc/random.h>
@@ -8286,6 +8287,10 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8291,6 +8292,10 @@ load_configuration(const char *filename, ns_server_t *server,
"no source of entropy found");
} else {
const char *randomdev = cfg_obj_asstring(obj);
@ -315,7 +315,7 @@ index 30d38be..b2ae57c 100644
int level = ISC_LOG_ERROR;
result = isc_entropy_createfilesource(ns_g_entropy,
randomdev);
@@ -8320,6 +8325,7 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8325,6 +8330,7 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
@ -324,10 +324,10 @@ index 30d38be..b2ae57c 100644
}
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 5a2c660..7f15cbc 100644
index 52b0274..23b69c9 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -278,7 +278,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
@@ -279,7 +279,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
if (*ectx == NULL) {
result = isc_entropy_create(mctx, ectx);
if (result != ISC_R_SUCCESS)
@ -337,7 +337,7 @@ index 5a2c660..7f15cbc 100644
ISC_LIST_INIT(sources);
}
@@ -287,6 +288,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
@@ -288,6 +289,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
randomfile = NULL;
}
@ -351,7 +351,7 @@ index 5a2c660..7f15cbc 100644
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);
@@ -989,11 +997,11 @@ setup_system(void) {
@@ -990,11 +998,11 @@ setup_system(void) {
}
}
@ -561,10 +561,10 @@ index 34360aa..3236968 100644
isc_mem_destroy(&mctx);
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 4b5b901..43fb6b0 100644
index a3dd450..350723f 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
@@ -137,6 +137,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
int
main(int argc, char **argv) {
char *keyname;
@ -572,7 +572,7 @@ index 4b5b901..43fb6b0 100644
isc_taskmgr_t *taskmgr;
isc_timermgr_t *timermgr;
isc_socketmgr_t *socketmgr;
@@ -156,10 +157,21 @@ main(int argc, char **argv) {
@@ -157,10 +158,21 @@ main(int argc, char **argv) {
RUNCHECK(isc_app_start());
@ -594,7 +594,7 @@ index 4b5b901..43fb6b0 100644
keyname = argv[1];
dns_result_register();
@@ -169,14 +181,22 @@ main(int argc, char **argv) {
@@ -170,14 +182,22 @@ main(int argc, char **argv) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
@ -619,7 +619,7 @@ index 4b5b901..43fb6b0 100644
taskmgr = NULL;
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
@@ -264,8 +284,8 @@ main(int argc, char **argv) {
@@ -265,8 +285,8 @@ main(int argc, char **argv) {
isc_log_destroy(&log);
@ -688,7 +688,7 @@ index 26fa609..fb34aa0 100644
parse_args(false, argc, argv);
if (server == NULL)
diff --git a/configure b/configure
index 0faca65..d5ffc87 100755
index 368112f..e060e9d 100755
--- a/configure
+++ b/configure
@@ -640,6 +640,7 @@ ac_includes_default="\
@ -699,7 +699,7 @@ index 0faca65..d5ffc87 100755
BUILD_LIBS
BUILD_LDFLAGS
BUILD_CPPFLAGS
@@ -823,6 +824,7 @@ LIBXML2_CFLAGS
@@ -822,6 +823,7 @@ LIBXML2_CFLAGS
NZDTARGETS
NZDSRCS
NZD_TOOLS
@ -707,7 +707,7 @@ index 0faca65..d5ffc87 100755
PKCS11_TEST
PKCS11_ED25519
PKCS11_GOST
@@ -1047,6 +1049,7 @@ with_eddsa
@@ -1046,6 +1048,7 @@ with_eddsa
with_aes
enable_openssl_hash
with_cc_alg
@ -715,7 +715,7 @@ index 0faca65..d5ffc87 100755
with_lmdb
with_libxml2
with_libjson
@@ -1749,6 +1752,7 @@ Optional Features:
@@ -1747,6 +1750,7 @@ Optional Features:
--enable-threads enable multithreading
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
--enable-openssl-hash use OpenSSL for hash functions [default=no]
@ -723,7 +723,7 @@ index 0faca65..d5ffc87 100755
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
@@ -17205,6 +17209,7 @@ case "$use_openssl" in
@@ -17204,6 +17208,7 @@ case "$use_openssl" in
$as_echo "disabled because of native PKCS11" >&6; }
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
@ -731,7 +731,7 @@ index 0faca65..d5ffc87 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -17219,6 +17224,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
@@ -17218,6 +17223,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
$as_echo "no" >&6; }
DST_OPENSSL_INC=""
CRYPTO=""
@ -739,7 +739,7 @@ index 0faca65..d5ffc87 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -17231,6 +17237,7 @@ $as_echo "no" >&6; }
@@ -17230,6 +17236,7 @@ $as_echo "no" >&6; }
auto)
DST_OPENSSL_INC=""
CRYPTO=""
@ -747,7 +747,7 @@ index 0faca65..d5ffc87 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -17240,7 +17247,7 @@ $as_echo "no" >&6; }
@@ -17239,7 +17246,7 @@ $as_echo "no" >&6; }
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@ -756,7 +756,7 @@ index 0faca65..d5ffc87 100755
;;
*)
if test "yes" = "$want_native_pkcs11"
@@ -17271,6 +17278,7 @@ $as_echo "not found" >&6; }
@@ -17270,6 +17277,7 @@ $as_echo "not found" >&6; }
as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
fi
CRYPTO='-DOPENSSL'
@ -764,7 +764,7 @@ index 0faca65..d5ffc87 100755
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
@@ -17897,8 +17905,6 @@ fi
@@ -17904,8 +17912,6 @@ fi
# Use OpenSSL for hash functions
#
@ -773,7 +773,7 @@ index 0faca65..d5ffc87 100755
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in
yes)
@@ -18273,6 +18279,86 @@ if test "rt" = "$have_clock_gt"; then
@@ -18280,6 +18286,86 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
@ -860,7 +860,7 @@ index 0faca65..d5ffc87 100755
#
# was --with-lmdb specified?
#
@@ -20549,9 +20635,12 @@ _ACEOF
@@ -20556,9 +20642,12 @@ _ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
$as_echo "size_t for buflen; int for flags" >&6; }
@ -875,7 +875,7 @@ index 0faca65..d5ffc87 100755
$as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
@@ -21877,12 +21966,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
@@ -21856,12 +21945,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
@ -889,7 +889,7 @@ index 0faca65..d5ffc87 100755
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
# This bug is HP SR number 8606223364.
@@ -21915,6 +21999,11 @@ cat >>confdefs.h <<_ACEOF
@@ -21894,6 +21978,11 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
@ -901,7 +901,7 @@ index 0faca65..d5ffc87 100755
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@@ -21923,39 +22012,6 @@ _ACEOF
@@ -21902,39 +21991,6 @@ _ACEOF
fi
;;
x86_64-*|amd64-*)
@ -941,7 +941,7 @@ index 0faca65..d5ffc87 100755
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@@ -21986,6 +22042,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
@@ -21965,6 +22021,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
$as_echo "$arch" >&6; }
fi
@ -952,7 +952,7 @@ index 0faca65..d5ffc87 100755
if test "yes" = "$have_atomic"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
$as_echo_n "checking compiler support for inline assembly code... " >&6; }
@@ -24567,6 +24627,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
@@ -24547,6 +24607,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
#
dlzdir='${DLZ_DRIVER_DIR}'
@ -983,7 +983,7 @@ index 0faca65..d5ffc87 100755
#
# Private autoconf macro to simplify configuring drivers:
#
@@ -24897,11 +24981,11 @@ $as_echo "no" >&6; }
@@ -24877,11 +24961,11 @@ $as_echo "no" >&6; }
$as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
;;
*)
@ -998,7 +998,7 @@ index 0faca65..d5ffc87 100755
fi
CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
@@ -24986,7 +25070,7 @@ $as_echo "" >&6; }
@@ -24966,7 +25050,7 @@ $as_echo "" >&6; }
# Check other locations for includes.
# Order is important (sigh).
@ -1007,7 +1007,7 @@ index 0faca65..d5ffc87 100755
# include a blank element first
for d in "" $bdb_incdirs
do
@@ -25011,57 +25095,9 @@ $as_echo "" >&6; }
@@ -24991,57 +25075,9 @@ $as_echo "" >&6; }
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
for d in $bdb_libnames
do
@ -1067,7 +1067,7 @@ index 0faca65..d5ffc87 100755
break
fi
done
@@ -25220,10 +25256,10 @@ $as_echo "no" >&6; }
@@ -25200,10 +25236,10 @@ $as_echo "no" >&6; }
DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
fi
@ -1081,7 +1081,7 @@ index 0faca65..d5ffc87 100755
fi
@@ -25309,11 +25345,11 @@ fi
@@ -25289,11 +25325,11 @@ fi
odbcdirs="/usr /usr/local /usr/pkg"
for d in $odbcdirs
do
@ -1095,7 +1095,7 @@ index 0faca65..d5ffc87 100755
break
fi
done
@@ -25588,6 +25624,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
@@ -25568,6 +25604,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
@ -1104,7 +1104,7 @@ index 0faca65..d5ffc87 100755
#
# Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody
@@ -27966,6 +28004,8 @@ report() {
@@ -27946,6 +27984,8 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
@ -1113,7 +1113,7 @@ index 0faca65..d5ffc87 100755
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
@@ -28006,6 +28046,8 @@ report() {
@@ -27986,6 +28026,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
@ -1122,7 +1122,7 @@ index 0faca65..d5ffc87 100755
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
@@ -28053,6 +28095,8 @@ report() {
@@ -28033,6 +28075,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
@ -1132,10 +1132,10 @@ index 0faca65..d5ffc87 100755
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
diff --git a/configure.ac b/configure.ac
index 78535bd..faef2e8 100644
index 11f41e8..fdcfc62 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1598,6 +1598,7 @@ case "$use_openssl" in
@@ -1600,6 +1600,7 @@ case "$use_openssl" in
AC_MSG_RESULT(disabled because of native PKCS11)
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
@ -1143,7 +1143,7 @@ index 78535bd..faef2e8 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -1611,6 +1612,7 @@ case "$use_openssl" in
@@ -1613,6 +1614,7 @@ case "$use_openssl" in
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
CRYPTO=""
@ -1151,7 +1151,7 @@ index 78535bd..faef2e8 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -1623,6 +1625,7 @@ case "$use_openssl" in
@@ -1625,6 +1627,7 @@ case "$use_openssl" in
auto)
DST_OPENSSL_INC=""
CRYPTO=""
@ -1159,7 +1159,7 @@ index 78535bd..faef2e8 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -1633,7 +1636,7 @@ case "$use_openssl" in
@@ -1635,7 +1638,7 @@ case "$use_openssl" in
OPENSSLLINKSRCS=""
AC_MSG_ERROR(
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@ -1168,7 +1168,7 @@ index 78535bd..faef2e8 100644
;;
*)
if test "yes" = "$want_native_pkcs11"
@@ -1663,6 +1666,7 @@ If you don't want OpenSSL, use --without-openssl])
@@ -1665,6 +1668,7 @@ If you don't want OpenSSL, use --without-openssl])
AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
fi
CRYPTO='-DOPENSSL'
@ -1176,7 +1176,7 @@ index 78535bd..faef2e8 100644
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
@@ -2099,7 +2103,6 @@ fi
@@ -2109,7 +2113,6 @@ fi
# Use OpenSSL for hash functions
#
@ -1184,7 +1184,7 @@ index 78535bd..faef2e8 100644
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in
yes)
@@ -2371,6 +2374,67 @@ if test "rt" = "$have_clock_gt"; then
@@ -2381,6 +2384,67 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
@ -1252,7 +1252,7 @@ index 78535bd..faef2e8 100644
#
# was --with-lmdb specified?
#
@@ -4188,12 +4252,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
@@ -4174,12 +4238,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
@ -1266,7 +1266,7 @@ index 78535bd..faef2e8 100644
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@@ -4202,7 +4266,6 @@ if test "yes" = "$use_atomic"; then
@@ -4188,7 +4252,6 @@ if test "yes" = "$use_atomic"; then
fi
;;
x86_64-*|amd64-*)
@ -1274,7 +1274,7 @@ index 78535bd..faef2e8 100644
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@@ -5635,6 +5698,8 @@ report() {
@@ -5622,6 +5685,8 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
@ -1283,7 +1283,7 @@ index 78535bd..faef2e8 100644
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
@@ -5675,6 +5740,8 @@ report() {
@@ -5662,6 +5727,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
@ -1292,7 +1292,7 @@ index 78535bd..faef2e8 100644
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
@@ -5722,6 +5789,8 @@ report() {
@@ -5709,6 +5776,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
@ -2015,7 +2015,7 @@ index 1f785e0..f9051c3 100644
* Define if the hash functions must be provided by OpenSSL.
*/
diff --git a/win32utils/Configure b/win32utils/Configure
index 5f66a82..ff39910 100644
index 7ac30fb..55b6c23 100644
--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
@ -2026,7 +2026,7 @@ index 5f66a82..ff39910 100644
"ISC_PLATFORM_HAVEATOMICSTORE",
"ISC_PLATFORM_HAVEATOMICSTOREQ",
"ISC_PLATFORM_HAVECMPXCHG",
@@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
@@ -516,7 +517,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
# enable-xxx/disable-xxx
@ -2035,16 +2035,16 @@ index 5f66a82..ff39910 100644
+ "developer",
"fixed-rrset",
"intrinsics",
"isc-spnego",
@@ -580,6 +582,7 @@ my @help = (
"native-pkcs11",
@@ -578,6 +580,7 @@ my @help = (
"\nOptional Features:\n",
" enable-intrinsics enable intrinsic/atomic functions [default=yes]\n",
" enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n",
+" enable-crypto-rand use crypto provider for random [default=yes]\n",
" enable-openssl-hash use OpenSSL for hash functions [default=yes]\n",
" enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n",
" enable-filter-aaaa enable filtering of AAAA records [default=yes]\n",
@@ -628,7 +631,9 @@ my $want_clean = "no";
" enable-fixed-rrset enable fixed rrset ordering [default=no]\n",
@@ -625,7 +628,9 @@ my $want_clean = "no";
my $want_unknown = "no";
my $unknown_value;
my $enable_intrinsics = "yes";
@ -2053,8 +2053,8 @@ index 5f66a82..ff39910 100644
+my $enable_crypto_rand = "yes";
my $enable_openssl_hash = "auto";
my $enable_filter_aaaa = "yes";
my $enable_isc_spnego = "yes";
@@ -848,6 +853,10 @@ sub myenable {
my $enable_fixed_rrset = "no";
@@ -844,6 +849,10 @@ sub myenable {
if ($val =~ /^yes$/i) {
$enable_native_pkcs11 = "yes";
}
@ -2065,7 +2065,7 @@ index 5f66a82..ff39910 100644
} elsif ($key =~ /^openssl-hash$/i) {
if ($val =~ /^yes$/i) {
$enable_openssl_hash = "yes";
@@ -1154,6 +1163,11 @@ if ($verbose) {
@@ -1146,6 +1155,11 @@ if ($verbose) {
} else {
print "native-pkcs11: disabled\n";
}
@ -2077,7 +2077,7 @@ index 5f66a82..ff39910 100644
if ($enable_openssl_hash eq "yes") {
print "openssl-hash: enabled\n";
} else {
@@ -1511,6 +1525,7 @@ if ($enable_intrinsics eq "yes") {
@@ -1498,6 +1512,7 @@ if ($enable_intrinsics eq "yes") {
# enable-native-pkcs11
if ($enable_native_pkcs11 eq "yes") {
@ -2085,15 +2085,15 @@ index 5f66a82..ff39910 100644
if ($use_openssl eq "auto") {
$use_openssl = "no";
}
@@ -1720,6 +1735,7 @@ if ($use_openssl eq "yes") {
@@ -1707,6 +1722,7 @@ if ($use_openssl eq "yes") {
$openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
}
}
+ $cryptolib = "openssl";
$configcond{"OPENSSL"} = 1;
$configdefd{"CRYPTO"} = "OPENSSL";
$configvar{"OPENSSL_PATH"} = "$openssl_path";
@@ -2291,6 +2307,15 @@ if ($use_aes eq "yes") {
@@ -2278,6 +2294,15 @@ if ($use_aes eq "yes") {
}
@ -2109,7 +2109,7 @@ index 5f66a82..ff39910 100644
# enable-openssl-hash
if ($enable_openssl_hash eq "yes") {
if ($use_openssl eq "no") {
@@ -3673,6 +3698,7 @@ exit 0;
@@ -3650,6 +3675,7 @@ exit 0;
# --enable-developer partially supported
# --enable-newstats (9.9/9.9sub only)
# --enable-native-pkcs11 supported
@ -2118,5 +2118,5 @@ index 5f66a82..ff39910 100644
# --enable-openssl-hash supported
# --enable-threads included without a way to disable it
--
2.26.2
2.31.1

@ -0,0 +1,58 @@
From 6d6acf236841da5c2511f8afcd3e4a89af4c5658 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
Date: Fri, 14 Feb 2020 09:18:48 +0100
Subject: [PATCH] Use RESOLVER_NTASKS_PERCPU - 32 for regular tuning, 8 for
small
Modify original upstream commit 0d80266f7e3, add high limit of used
tasks. Minimum would be lower on machines with few cpus, but maximum
would stay unchanged. Should prevent negatives of this change.
Signed-off-by: Petr Mensik <pemensik@redhat.com>
---
bin/named/server.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 39b1124..94b4daa 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -148,11 +148,13 @@
#endif
#ifdef TUNE_LARGE
-#define RESOLVER_NTASKS 523
+#define RESOLVER_NTASKS_MAX 523
+#define RESOLVER_NTASKS_PERCPU 32
#define UDPBUFFERS 32768
#define EXCLBUFFERS 32768
#else
-#define RESOLVER_NTASKS 31
+#define RESOLVER_NTASKS_MAX 31
+#define RESOLVER_NTASKS_PERCPU 8
#define UDPBUFFERS 1000
#define EXCLBUFFERS 4096
#endif /* TUNE_LARGE */
@@ -3318,7 +3320,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
ns_cache_t *nsc;
bool zero_no_soattl;
dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
- unsigned int query_timeout, ndisp;
+ unsigned int query_timeout, ndisp, ntasks;
bool old_rpz_ok = false;
isc_dscp_t dscp4 = -1, dscp6 = -1;
dns_dyndbctx_t *dctx = NULL;
@@ -3926,7 +3928,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
dns_view_setresquerystats(view, resquerystats);
ndisp = 4 * ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH);
- CHECK(dns_view_createresolver(view, ns_g_taskmgr, RESOLVER_NTASKS,
+ ntasks = ISC_MIN(RESOLVER_NTASKS_PERCPU * ns_g_cpus,
+ RESOLVER_NTASKS_MAX);
+ CHECK(dns_view_createresolver(view, ns_g_taskmgr, ntasks,
ndisp, ns_g_socketmgr, ns_g_timermgr,
resopts, ns_g_dispatchmgr,
dispatch4, dispatch6));
--
2.34.1

@ -18,6 +18,7 @@
/usr/lib/bind
/usr/share/GeoIP
/run/named
/proc/sys/net/ipv4/ip_local_port_range
# Warning: the order is important
# If a directory containing $ROOTDIR is listed here,
# it MUST be listed last. (/var/named contains /var/named/chroot)

@ -47,7 +47,7 @@
%endif
%global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\
%{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\
%{_libdir}/bind %{_datadir}/GeoIP
%{_libdir}/bind %{_datadir}/GeoIP %{_datadir}/GeoIP /proc/sys/net/ipv4
## The order of libs is important. See lib/Makefile.in for details
%define bind_export_libs isc dns isccfg irs
@ -59,7 +59,7 @@
#
# lib*.so.X versions of selected libraries
%global sover_dns 1112
%global sover_dns 1115
%global sover_isc 1107
%global sover_irs 161
%global sover_isccfg 163
@ -67,12 +67,12 @@
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name: bind
License: MPLv2.0
Version: 9.11.26
Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Version: 9.11.36
Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
Source: https://ftp.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz
Source: https://downloads.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz
Source1: named.sysconfig
Source3: named.logrotate
Source7: bind-9.3.1rc1-sdb_tools-Makefile.in
@ -154,14 +154,10 @@ Patch174:bind-9.11-fips-disable.patch
Patch175:bind-9.11-json-c.patch
Patch177:bind-9.11-serve-stale.patch
Patch178:bind-9.11-dhcp-time-monotonic.patch
Patch179:bind-9.11-CVE-2020-8625.patch
Patch180:bind-9.11-CVE-2021-25215.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/dfadbc9d7b485b1af62d77ad6c309792bbaabfdf
Patch181:bind-9.11-CVE-2021-25214.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4533/diffs?commit_id=25150c15e7cfa73289f04470e2e699ebb7c28fef
Patch182:bind-9.11-rh1935152.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5253
Patch183:bind-9.11-rh1980757.patch
# modified, https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3067
Patch184: bind-9.15-resolver-ntasks.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@ -205,7 +201,7 @@ BuildRequires: libdb-devel
# make unit dependencies
BuildRequires: libcmocka-devel kyua
%endif
%if %{with PKCS11}
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
BuildRequires: softhsm
%endif
%if %{with SYSTEMTEST}
@ -253,7 +249,6 @@ Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Recommends: softhsm
%description pkcs11
This is a version of BIND server built with native PKCS#11 functionality.
@ -556,11 +551,8 @@ are used for building ISC DHCP.
%patch175 -p1 -b .json-c
%patch177 -p1 -b .serve-stale
%patch178 -p1 -b .time-monotonic
%patch179 -p1 -b .CVE-2020-8625
%patch180 -p1 -b .CVE-2021-25215
%patch181 -p1 -b .CVE-2021-25214
%patch182 -p1 -b .rh1935152
%patch183 -p1 -b .rh1980757
%patch184 -p1 -b .rh2030239
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -576,13 +568,13 @@ find bin lib/lwres/man -name '*.docbook' -exec \
-i '{}' ';'
%if %{with PKCS11}
%patch150 -p1 -b .engine-pkcs11
cp -r bin/named{,-pkcs11}
cp -r bin/dnssec{,-pkcs11}
cp -r lib/isc{,-pkcs11}
cp -r lib/dns{,-pkcs11}
%patch136 -p1 -b .dist_pkcs11
%patch149 -p1 -b .kyua-pkcs11
%patch150 -p1 -b .engine-pkcs11
%endif
%if %{with SDB}
@ -849,7 +841,7 @@ sed -e "/^\s*include(/ d" -e 's/^-- use //' \
%endif
%check
%if %{with PKCS11}
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
# Tests require initialization of pkcs11 token
export SOFTHSM2_CONF="`pwd`/softhsm2.conf"
sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
@ -1459,6 +1451,7 @@ rm -rf ${RPM_BUILD_ROOT}
%dir %{chroot_prefix}/%{_libdir}
%dir %{chroot_prefix}/%{_libdir}/bind
%dir %{chroot_prefix}/%{_datadir}/GeoIP
%{chroot_prefix}/proc
%defattr(0660,root,named,01770)
%dir %{chroot_prefix}%{_localstatedir}/named
%defattr(0660,named,named,0770)
@ -1612,6 +1605,25 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
* Thu Feb 10 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2
- Reduce memory used per-view on machine with few processors (#2030239)
* Tue Dec 21 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2
- Rebuilt on a new side-tag (#2013993)
* Mon Nov 01 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-1
- Update to 9.11.36
* Mon Nov 01 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-9
- Correct tsig system test
* Wed Oct 13 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-8
- Propagate ephemeral port ranges to chroot (#1950714)
* Tue Aug 24 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-7
- Do not request softhsm from bind-pkcs11, it is only in modular build
(#1934035)
* Fri Jul 09 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-6
- Use random entropy to generate unique TKEY identifiers (#1980916)

Loading…
Cancel
Save