Few configuration and zone files were moved into tarball by commit
55b04de09a. It makes tracking of changes difficult, hardens rebases,
makes difficult building without proper lookaside cache. Those files are
tiny, no need to hold them inside compressed binary archive. Move them
out.
Replaces also few places with proper directory macros.
Previous build recommended bind-dnssec-utils just to provide manual for
pkcs11 variants. Instead, share the same files between pkcs11-utils and
dnssec-utils. Skip unnecessary manual of non-existent dnssec-coverage-pkcs11 tool.
Manual pages are just links to pages in bind-dnssec-utils. Do not copy
them, but suggest them for installation is possible. It would be handy
to have them available, but are not required for any function.
named can use ACLs defined by GeoIP of request. Such information is not
available by default under named-chroot service. Enable GeoIP databases
under chroot without explicit configuration.
Make it easier to manage list of used directories in chroot. Use
appropriate macros for system directories everywhere in chroot package.
Share common variable with -sdb-chroot and -chroot packages.
Some utilities are not related DNSSEC at all, but are just bind related
tools. Because they do not require additional dependencies, they do not
save any space in containers.
When MD5 is disabled in library, it behaved like RSAMD5 were unknown.
But security-policy disables it explicitly. It failed to even start in
FIPS mode, because such algorithm were unknown. Fix disabled algorithm
to return disabled result code. Accept such algorithm only when
disabling it.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Contains:
5244. [security] Fixed a race condition in dns_dispatch_getnext()
that could cause an assertion failure if a
significant number of incoming packets were
rejected. (CVE-2019-6471) [GL #942]
5241. [bug] Fix Ed448 private and public key ASN.1 prefix blobs.
[GL #225]
5237. [bug] Recurse to find the root server list with 'dig +trace'.
[GL #1028]
Upstream no longer ships bundled libatf library and no longer uses ATF
in sources. kyua and cmocka are mandatory for unit tests now. Removes
--with KYUA, use --with UNITTEST on different builds when cmocka and
kyua are available.
Red Hat has alternative variant builds of named, which are not ever
tested by system tests. New variables make it relatively easy to test
alternative variants.
For sdb variant use:
export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
For pkcs variant use:
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
followed by make test in build directory.
Note: PKCS11 tests are still skipped, it requires SLOT variable
exported. Fails in some cases.
System tests are failing for named, because it cannot detect it does not
support filesystem SDB. Move feature test to named directory, so it is
built for every variant.
Output produced by helper is multiline starting with comment. Unless it
is enclosed in quotes, it will be concatenated into single line.
Fixes commit fa1631eef7
Make default secure enough, no predefined pins are used. Generate pin
and save it into file protected by unix rights. HSM tools will probably
require it anyway. Use smart defaults.
Dig could be used to receive zone via AXFR. If IDN data are inside and
are decoded, it cannot be used as named zone file. Disable +idnout if
stdin is not a tty.
Unlike upstream, skip it also for DHCP.
Disable RAND_status also in non-threaded builds. DHCP is built without
threads and should not check RAND_status on dns library initialization.
Lack of entropy is possible state for dhclient, but it must not fail
even in this case. Because DHCP itself does not require custom random
generator, leave default RAND_OpenSSL configured. It should help TLS
connection to LDAP in single DHCP binary, while keeping secure random
data if needed.
Resolves: #1663318
(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
Most often clients require just dig or host to lookup addresses.
Move dnssec and zone file into dedicated subpackage. For a limited time,
make bind-utils suggest bind-dnssec-utils, until all dependencies are
resolved. (#1649398)
dhclient can terminate if not enough entropy, but it never requires
random data. On a new virtual machine, lack of entropy can be common.
Ensure it does not prevent DHCP client assigning an IP address.
Not enabled by default yet. Enables dumping of dns traffic.
Fix DNSTAP issues in build and unit tests.
Fool rpmlint to accept dnstap relative path. Rpmlint emited error
hardcoded-library-path on dnstap path. It is not system-wide library,
workaround by using variable.
Add dnstap-read utility to utils. When dnstap is enabled,
dnstap-read will be part of utils. Disadvantage is all utilities would have
dependency on protobuf library, including host and dig.
Resolves: #1564776
bind-devel requires openssl-devel to be installed for any digest
function. Prevent failures of depending packages if they do not depend
on other devel packages themselves. bind-dyndb-ldap is one such example.
1 /sbin/ldconfig: relative path `1' used to build cache
2 warning: %postun(bind-export-libs-32:9.11.4-6.P1.fc29.x86_64) scriptlet failed, exit status 1
The reason for that is that macro defined below becomes part of
export-libs subpackage. %end will terminate post/postun immediately
without such side-effect.
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
Remove invalid downstream patch that disabled IDN output by default.
Dig could enable it, but it could not be enabled in nslookup and host.
Fix instead broken disable.
Resolves: #1580200
Replace isc_safe routines with their OpenSSL counter parts
(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)
Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp()
(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c)
Fix the isc_safe_memwipe() usage with (NULL, >0)
(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
Resolves: rhbz#1624100
4724. [func] By default, BIND now uses the random number
functions provided by the crypto library (i.e.,
OpenSSL or a PKCS#11 provider) as a source of
randomness rather than /dev/random. This is
suitable for virtual machine environments
which have limited entropy pools and lack
hardware random number generators.
This can be overridden by specifying another
entropy source via the "random-device" option
in named.conf, or via the -r command line option;
however, for functions requiring full cryptographic
strength, such as DNSSEC key generation, this
cannot be overridden. In particular, the -r
command line option no longer has any effect on
dnssec-keygen.
This can be disabled by building with
"configure --disable-crypto-rand".
[RT #31459] [RT #46047]
Upstream code will always install manual pages of upstream.
Manuals generated on build will be again installed. Broken by
out-of-tree build to support export-lib.
- Use more recent kyua, upstream bind now requires parallelism.
- Make global so version variables for libraries with multiple builds.
Signed-off-by: Petr Menšík <pemensik@redhat.com>