Commit Graph

891 Commits

Author SHA1 Message Date
Petr Menšík
1d9c1cf435 fixup! Make spec work also on CentOS 8 2020-04-16 12:42:58 +02:00
Petr Menšík
1b133224fc Update to 9.16.2
Notes for BIND 9.16.2
Security Fixes

    DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574]

Known Issues

    We have received reports that in some circumstances, receipt of an IXFR can cause the processing of queries to slow significantly. Some of these were related to RPZ processing, which has been fixed in this release (see below). Others appear to occur where there are NSEC3-related changes (such as an operator changing the NSEC3 salt used in the hash calculation). These are being investigated. [GL #1685]

Feature Changes

    The previous DNSSEC sign statistics used lots of memory. The number of keys to track is reduced to four per zone, which should be enough for 99% of all signed zones. [GL #1179]

Bug Fixes

    When an RPZ policy zone was updated via zone transfer and a large number of records was deleted, named could become nonresponsive for a short period while deleted names were removed from the RPZ summary database. This database cleanup is now done incrementally over a longer period of time, reducing such delays. [GL #1447]

    When trying to migrate an already-signed zone from auto-dnssec maintain to one based on dnssec-policy, the existing keys were immediately deleted and replaced with new ones. As the key rollover timing constraints were not being followed, it was possible that some clients would not have been able to validate responses until all old DNSSEC information had timed out from caches. BIND now looks at the time metadata of the existing keys and incorporates it into its DNSSEC policy operation. [GL #1706]
2020-04-16 12:38:00 +02:00
Petr Menšík
5e13eb8e75 Make spec work also on CentOS 8
Move some conditional requirements to be enabled just on Fedora.
2020-04-16 11:21:47 +02:00
Petr Menšík
304cfaa8e0 Enable source verification only on Fedora builds 2020-04-08 20:50:01 +02:00
Petr Menšík
6b3788d026 Provide link to merge request for lastest patch
Document when it should be removed
2020-04-08 20:15:42 +02:00
Petr Menšík
ec5a01d972 Remove SDB sections
Since 9.12 BIND no longer ships required files to create SDB version.
Limited support should still be possible with DLZ modules.
2020-04-01 20:25:56 +02:00
Petr Menšík
74c92fb0da Enable DLZ dependencies without SDB 2020-04-01 20:17:37 +02:00
Petr Menšík
29036faad7 Link all used libraries to libisc
Library should link all required libraries. Link all used libraries
directly to libisc. Should help with dynamic linking of -lisc alone.
2020-04-01 19:56:12 +02:00
Petr Menšík
fcefdeb129 Disable SDB and its patches, enable DLZ
SDB is no longer part of bind distribution. Do not try to compile static
linked version named-sdb. But DLZ modules work, enable them without
tools.
2020-03-27 16:06:37 +01:00
Petr Menšík
15cfc8b402 Disable GEOIP and compile on s390x without SDB 2020-03-27 13:35:09 +01:00
Petr Menšík
80d0367669 Remove GEOIP and EXPORT_LIBS
Most recent release is no longer able to statisfy export libs and geoip
legacy. Remove its support from GeoIP.
2020-03-27 12:53:49 +01:00
Petr Menšík
a6f9fe005e Remove unused 9.14 patches 2020-03-27 12:39:30 +01:00
Petr Menšík
814547323e Update patches after rebase 2020-03-27 12:30:39 +01:00
Petr Menšík
78968700e2 Fix tsig system test
During rebase, custom md5 part gone missing.
2020-03-27 11:28:13 +01:00
Petr Menšík
b626a2bfa5 Compilable 9.16.1 package
Updated from 9.14 to 9.16.1.
Disabled SIGCHASE, since it no longer exists.
Disabled PKCS11 native build for now
Disabled EXPORT_LIBS

No longer ships isc-config.sh, missing it.
2020-03-27 11:28:11 +01:00
Petr Menšík
05dbc88928 Iterative update, not working properly
Fixed PKCS#11 used everywhere. Just custom system to use PKCS11 on part
of built tools.

FIXME: unit tests not passing, something broken inside.
2020-03-27 11:26:09 +01:00
Petr Menšík
b4a5bc525b Create place for documenting changes in upstream 2020-03-27 11:26:09 +01:00
Petr Menšík
6a048cc0b6 Tweaks to PKCS11 support
Current build has PKCS11 enabled for both variants, because USE_PKCS11
is configured in config.h.
2020-03-27 11:26:07 +01:00
Petr Menšík
a6454b966c Update to 9.14.7
Rebase to new sources

14.5:
A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
2020-03-27 11:25:12 +01:00
Petr Menšík
cc967eb09e Enable GeoLite2 support
Make GeoIP support controlled by bcond, defaults to off now.
Instead enable GeoLite2 support.
2020-03-27 11:23:16 +01:00
Petr Menšík
eeb7df78d9 Remove no longer distributed tools, include named plugin
Includes new functionality as separate loadable library.
Currently it uses another directory %{_libdir}/named. bind-dyndb-ldap
uses %{_libdir}/bind.
2020-03-27 11:23:13 +01:00
Petr Menšík
e34707285d Update so version, remove unused patches
Remove already deleted patches from the list. Some patches still kept
intact.
2020-03-27 11:21:35 +01:00
Petr Menšík
0990c9b32d Remove last lwres remains 2020-03-27 11:20:47 +01:00
Petr Menšík
2dbb099871 Update to 9.14.4
Current latest version fixes unit tests.
2020-03-27 11:20:45 +01:00
Petr Menšík
3c4d9d472a Update changelog 2020-03-27 11:16:50 +01:00
Petr Menšík
aaee84a4fb First version compiling up to tests
Unfortunately, test fails.
2020-03-27 11:11:55 +01:00
Petr Menšík
df81e828c7 Update patches to build on 9.14 2020-03-27 11:08:21 +01:00
Petr Menšík
0b18b1b517 Initial steps towards buildable 9.14 2020-03-27 10:56:58 +01:00
Petr Menšík
7726ce77a6 Some patches adapted to v9_14 2020-03-27 10:53:44 +01:00
Petr Menšík
c23c15d73b Remove libmaxminddb-devel from devel dependencies
Unlike other build dependencies, no public headers include from
libmaxminddb any symbols. That means no build would ever fail
if libmaxminddb-devel package is not installed. Do not require it when
installing bind-lite-devel but keep the requirement when building from
sources.
2020-01-08 16:36:11 +01:00
Petr Menšík
4fa84d9ccc Preserve symlinks to named.conf on iscdlv modification (#1786626) 2020-01-03 20:26:39 +01:00
Petr Menšík
b4802c2e65 Fix oot build
gen would not compile under oot build
2020-01-02 11:44:53 +01:00
Petr Menšík
43f4de9bf3 Include more Thread Sanitizer changes
Fix as much race conditions as possible.
2019-12-19 19:38:56 +01:00
Petr Menšík
23657868e6 Update to 9.11.14
Includes ThreadSanitizer fixes already included as downstream patches.
Adjusts serve-stale patch, one new statistics.
2019-12-19 18:43:23 +01:00
Petr Menšík
9406a85e89 Fix dnf builddep when python3-devel is not installed
Build requirements fetch fail on clean system with just basic utils.
2019-12-19 18:42:50 +01:00
Petr Menšík
d5106d287e Add one more candidate for issue fixing
Imported from upstream commit 6eed12605154b8ce10e9be0f51253e6ec318550e
2019-12-19 18:42:47 +01:00
Petr Menšík
9cfd91a473 Add ThreadSanitizer support
Has to be enabled in build by --with TSAN.
Would make build fail unit tests and print many warnings about possible
race conditions. Not useful for production build, but useful for
debugging thread related problems in system tests.
2019-12-04 17:57:12 +01:00
Petr Menšík
ccf1b03734 Disable Berkeley DB support (#1779190)
Allow enabling it by build --with BDB, but keep it disabled by default.
2019-12-03 19:05:53 +01:00
Petr Menšík
c44ebdeade Bump spec for bug #1736762 2019-12-02 20:35:43 +01:00
Petr Menšík
1a4de8b956 Backport a few upstream thread safety fixes
It might not fix all issues, but was detected by upstream using
automated tool. Should not break anything new, but might fix issue
triggered usually on ppc64le platform.
2019-12-02 20:34:08 +01:00
Petr Menšík
6f27f8e4a7 Complete explicit disabling of RSAMD5 in FIPS mode (#1709553)
Previous fix included just part inside named. However, checking part
would check algorithm support also in check library. The code is almost
the same. Permit already disabled algoritms also in libbind9.

Use the same change as RHEL.
2019-11-26 19:37:29 +01:00
Petr Menšík
adcfd20cb2 Remove tabs from spec
rpmlint complains about mixed spaces and tabs. Set vim mode and remove
tabs added by recent commit.
2019-11-25 21:32:36 +01:00
Petr Menšík
547656b469 Add source verification on build
Include verification on build time, with link to GPG keys on upstream
site.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
2019-11-25 21:06:06 +01:00
Petr Menšík
74b53c3a58 Update to 9.11.13 2019-11-25 21:06:06 +01:00
Petr Menšík
4f643ffc70 Remove reload related comments from services
Seems systemd already fixes reload return codes. Remove comment from
systemd service files.
2019-11-19 14:01:06 +01:00
Petr Menšík
b29a7e26db Report error on reload failure
Return failed status code to command. Not only report error message to
the log, but also report reload success. Must not terminate running
service on failed reload.
2019-11-19 13:37:14 +01:00
Petr Menšík
c45a218eef fixup! Remove config archive with zone files 2019-11-19 12:01:15 +01:00
Petr Menšík
9bef003ee5 Fix binary compatibility after serve-stale patch (#1770492)
Move new entry to the end. Do not break already compiled bind-dyndb-ldap
compatibility.
2019-11-12 11:17:43 +01:00
Petr Menšík
8f4225c8a7 Add helper for testing system daemons
Modifies already generated Makefiles to link against system libraries,
instead of static built artifacts.
2019-11-07 14:41:36 +01:00
Petr Menšík
8544584691 Add serve-stale feature
Backported from 9.12 version, adds support for stale-answer-enable
option, as well stale-answer-ttl and max-stale-ttl.
2019-11-07 14:36:47 +01:00