Still start if inline-signing and dyn. updates are not set
Attempts to modify behaviour done in 9.16.33. It requires explicit specification of inline-signing yes for any zone, which has specified dnssec-policy. For primary zones also when allow-update and update-policy are disabled. Turn it into warning only on RHEL builds, do not prevent starting of named. That should roughly emulate error message present on 9.16.23: 'inline-signing;' cannot be set to 'no' if dnssec-policy is also set on a non-dynamic DNS zone. But point a link into upstream KB article in any case. This has appeared only when inline-signing were specified in a zone block. For that case make it still fatal, but with new message. https://downloads.isc.org/isc/bind9/9.16.50/doc/arm/html/notes.html#known-issues Related to upstream commit 30fceec069ae0942749e6aa783f67756e82fcaae. Resolves: RHEL-6454
This commit is contained in:
parent
852e1cb6c3
commit
fa95441ced
70
bind-9.16-RH-inline-signing.patch
Normal file
70
bind-9.16-RH-inline-signing.patch
Normal file
@ -0,0 +1,70 @@
|
||||
From fb3761d9b1ca804fd6c2acabe42745f9ee79bac0 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Thu, 18 Jul 2024 19:36:04 +0200
|
||||
Subject: [PATCH] Do not block start if inline-signing and dyn. updates are not
|
||||
set
|
||||
|
||||
Attempts to modify behaviour done in 9.16.33. It requires explicit
|
||||
specification of inline-signing yes for any zone, which has specified
|
||||
dnssec-policy. For primary zones also when allow-update and
|
||||
update-policy are disabled. Turn it into warning only on RHEL builds,
|
||||
do not prevent starting of named.
|
||||
|
||||
That should roughly emulate error message present on 9.16.23:
|
||||
'inline-signing;' cannot be set to 'no' if dnssec-policy is also set on
|
||||
a non-dynamic DNS zone.
|
||||
|
||||
But point a link into upstream KB article in any case. This has appeared
|
||||
only when inline-signing were specified in a zone block. For that case
|
||||
make it still fatal, but with new message.
|
||||
|
||||
https://downloads.isc.org/isc/bind9/9.16.50/doc/arm/html/notes.html#known-issues
|
||||
|
||||
Related to upstream commit 30fceec069ae0942749e6aa783f67756e82fcaae.
|
||||
---
|
||||
lib/bind9/check.c | 18 +++++++++++++++---
|
||||
1 file changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
|
||||
index ee64543..01c03d3 100644
|
||||
--- a/lib/bind9/check.c
|
||||
+++ b/lib/bind9/check.c
|
||||
@@ -2951,20 +2951,32 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
|
||||
}
|
||||
|
||||
if (has_dnssecpolicy) {
|
||||
+ /* Red Hat downstream change. Warn only about inline-signing
|
||||
+ * if inline-signing is not present in zone definition.
|
||||
+ * But fail hard if present, but disabled, like before. */
|
||||
if (!ddns && !signing) {
|
||||
- cfg_obj_log(kasp, logctx, ISC_LOG_ERROR,
|
||||
- "'inline-signing yes;' must also "
|
||||
+ const char *verb = "should";
|
||||
+ int log_lvl = ISC_LOG_WARNING;
|
||||
+
|
||||
+ if (res1 == ISC_R_SUCCESS) {
|
||||
+ verb = "must";
|
||||
+ log_lvl = ISC_LOG_ERROR;
|
||||
+ result = ISC_R_FAILURE;
|
||||
+ }
|
||||
+
|
||||
+ cfg_obj_log(kasp, logctx, log_lvl,
|
||||
+ "'inline-signing yes;' %s also "
|
||||
"be configured explicitly for "
|
||||
"zones using dnssec-policy%s. See "
|
||||
"https://kb.isc.org/docs/"
|
||||
"dnssec-policy-requires-dynamic-"
|
||||
"dns-or-inline-signing",
|
||||
+ verb,
|
||||
(ztype == CFG_ZONE_PRIMARY)
|
||||
? " without a configured "
|
||||
"'allow-update' or "
|
||||
"'update-policy'"
|
||||
: "");
|
||||
- result = ISC_R_FAILURE;
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.45.2
|
||||
|
||||
@ -105,6 +105,8 @@ Patch137:bind-9.11-kyua-pkcs11.patch
|
||||
|
||||
Patch157:bind-9.11-fips-tests.patch
|
||||
Patch164:bind-9.11-rh1666814.patch
|
||||
# Downstream, make error only warning
|
||||
Patch165: bind-9.16-RH-inline-signing.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/26c9da5f2857b72077c17e06ac79f068c63782cc
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/c5ebda6deb0997dc520b26fa0639891459de5cb6
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/d56d2a32b861e81c2aaaabd309c4c58b629ede32
|
||||
@ -1219,6 +1221,7 @@ fi;
|
||||
%changelog
|
||||
* Mon Mar 16 2026 Petr Menšík <pemensik@redhat.com> - 32:9.16.50-1
|
||||
- Update to 9.16.50 (RHEL-6454)
|
||||
- Allow starting without inline-signing and dnssec-policy
|
||||
|
||||
* Mon May 25 2026 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-44
|
||||
- Fix GSS-API resource leak (CVE-2026-3039)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user