diff --git a/bind-9.16-RH-inline-signing.patch b/bind-9.16-RH-inline-signing.patch new file mode 100644 index 0000000..9c6f19e --- /dev/null +++ b/bind-9.16-RH-inline-signing.patch @@ -0,0 +1,70 @@ +From fb3761d9b1ca804fd6c2acabe42745f9ee79bac0 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Thu, 18 Jul 2024 19:36:04 +0200 +Subject: [PATCH] Do not block start if inline-signing and dyn. updates are not + set + +Attempts to modify behaviour done in 9.16.33. It requires explicit +specification of inline-signing yes for any zone, which has specified +dnssec-policy. For primary zones also when allow-update and +update-policy are disabled. Turn it into warning only on RHEL builds, +do not prevent starting of named. + +That should roughly emulate error message present on 9.16.23: +'inline-signing;' cannot be set to 'no' if dnssec-policy is also set on +a non-dynamic DNS zone. + +But point a link into upstream KB article in any case. This has appeared +only when inline-signing were specified in a zone block. For that case +make it still fatal, but with new message. + +https://downloads.isc.org/isc/bind9/9.16.50/doc/arm/html/notes.html#known-issues + +Related to upstream commit 30fceec069ae0942749e6aa783f67756e82fcaae. +--- + lib/bind9/check.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/lib/bind9/check.c b/lib/bind9/check.c +index ee64543..01c03d3 100644 +--- a/lib/bind9/check.c ++++ b/lib/bind9/check.c +@@ -2951,20 +2951,32 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, + } + + if (has_dnssecpolicy) { ++ /* Red Hat downstream change. Warn only about inline-signing ++ * if inline-signing is not present in zone definition. ++ * But fail hard if present, but disabled, like before. */ + if (!ddns && !signing) { +- cfg_obj_log(kasp, logctx, ISC_LOG_ERROR, +- "'inline-signing yes;' must also " ++ const char *verb = "should"; ++ int log_lvl = ISC_LOG_WARNING; ++ ++ if (res1 == ISC_R_SUCCESS) { ++ verb = "must"; ++ log_lvl = ISC_LOG_ERROR; ++ result = ISC_R_FAILURE; ++ } ++ ++ cfg_obj_log(kasp, logctx, log_lvl, ++ "'inline-signing yes;' %s also " + "be configured explicitly for " + "zones using dnssec-policy%s. See " + "https://kb.isc.org/docs/" + "dnssec-policy-requires-dynamic-" + "dns-or-inline-signing", ++ verb, + (ztype == CFG_ZONE_PRIMARY) + ? " without a configured " + "'allow-update' or " + "'update-policy'" + : ""); +- result = ISC_R_FAILURE; + } + } + +-- +2.45.2 + diff --git a/bind.spec b/bind.spec index b4af6a7..7ef2b5e 100644 --- a/bind.spec +++ b/bind.spec @@ -105,6 +105,8 @@ Patch137:bind-9.11-kyua-pkcs11.patch Patch157:bind-9.11-fips-tests.patch Patch164:bind-9.11-rh1666814.patch +# Downstream, make error only warning +Patch165: bind-9.16-RH-inline-signing.patch # https://gitlab.isc.org/isc-projects/bind9/commit/26c9da5f2857b72077c17e06ac79f068c63782cc # https://gitlab.isc.org/isc-projects/bind9/commit/c5ebda6deb0997dc520b26fa0639891459de5cb6 # https://gitlab.isc.org/isc-projects/bind9/commit/d56d2a32b861e81c2aaaabd309c4c58b629ede32 @@ -1219,6 +1221,7 @@ fi; %changelog * Mon Mar 16 2026 Petr Menšík - 32:9.16.50-1 - Update to 9.16.50 (RHEL-6454) +- Allow starting without inline-signing and dnssec-policy * Mon May 25 2026 Petr Menšík - 32:9.16.23-44 - Fix GSS-API resource leak (CVE-2026-3039)