Commit Graph

830 Commits

Author SHA1 Message Date
Petr Menšík
d0d728803b Modify feature test to detect dlz support
System tests are failing for named, because it cannot detect it does not
support filesystem SDB. Move feature test to named directory, so it is
built for every variant.
2019-03-04 14:18:15 +01:00
Petr Menšík
8da0172aac Upstream tests in beakerlib
Prepare system tests from source package and start them. Check results
and report failure.
2019-03-04 14:17:25 +01:00
Petr Menšík
321554b987 Update to BIND 9.11.5-P4
Add also PGP signature as part of repository.
2019-02-22 19:40:00 +01:00
Petr Menšík
d3fe8d6248 Enable json statistics format
Statistics channel would include also json format, use URL
http://localhost:80/v3/json/. XML format is still supported.
2019-02-22 19:19:59 +01:00
Petr Menšík
ec6f94669a Enable LMDB support
Provides faster adding and removing of dynamically created zones
runtime. Useful on higher number of zones used.
2019-02-22 19:18:45 +01:00
Petr Menšík
f0b6f15ced Enable DNSTAP (#1564776)
Enable support for DNSTAP. It will introduce new linked libraries to
bind and its tools, including bind-utils.
2019-02-22 19:14:36 +01:00
Petr Menšík
bd6e8b8965 Fix spec usage of softhsm helper
Output produced by helper is multiline starting with comment. Unless it
is enclosed in quotes, it will be concatenated into single line.

Fixes commit fa1631eef7
2019-02-22 16:39:54 +01:00
Petr Menšík
ad76423202 Disable random_test in unit tests
It fails sometimes, but aborts whole build just because some fail. Keep
it disabled until fixed.
2019-02-21 22:50:12 +01:00
Petr Menšík
c2772a07e8 Disable ED448
It is breaking dnssec system test. Its implementation in BIND is broken.
2019-02-21 15:36:27 +01:00
Petr Menšík
fa1631eef7 Simplify pkcs11 token generation
Make default secure enough, no predefined pins are used. Generate pin
and save it into file protected by unix rights. HSM tools will probably
require it anyway. Use smart defaults.
2019-02-20 19:06:03 +01:00
Petr Menšík
6fee3d63e9 Remove revoked KSK 19164 from trusted root keys 2019-02-15 19:50:20 +01:00
Petr Menšík
6ecd16d458 Update project URL 2019-02-15 18:09:57 +01:00
Petr Menšík
1da60a891a More fixes to compile DLZ 2019-02-12 22:21:31 +01:00
Petr Menšík
de8fa0799a Improve descriptions for DLZ plugins 2019-02-12 20:46:17 +01:00
Petr Menšík
7a958a2a9f Disable dig IDN output into scripts
Dig could be used to receive zone via AXFR. If IDN data are inside and
are decoded, it cannot be used as named zone file. Disable +idnout if
stdin is not a tty.
2019-02-07 10:46:05 +01:00
Petr Menšík
a699858667 dig prints ASCII name instead of failure (#1647829) 2019-02-07 10:46:05 +01:00
Petr Menšík
432a81aeff Fix DLZ in oot builds
DLZ has no VPATH support. Just make duplicates in build directory
2019-02-06 22:08:27 +01:00
Fedora Release Engineering
9a4b768e18 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-01-31 14:36:55 +00:00
Igor Gnatenko
b2a708808a Remove unneeded %clean section
It is the behavior since EPEL5.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2019-01-29 05:45:26 +01:00
Petr Menšík
13f8f23ec5 Update to 9.11.5-P1 2019-01-28 00:47:11 +01:00
Petr Menšík
32d91f12ca Made RAND_status check optional (broke --disable-crypto-rand)
Unlike upstream, skip it also for DHCP.

Disable RAND_status also in non-threaded builds. DHCP is built without
threads and should not check RAND_status on dns library initialization.
Lack of entropy is possible state for dhclient, but it must not fail
even in this case. Because DHCP itself does not require custom random
generator, leave default RAND_OpenSSL configured. It should help TLS
connection to LDAP in single DHCP binary, while keeping secure random
data if needed.

Resolves: #1663318

(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
2019-01-23 21:15:03 +01:00
Petr Menšík
219b0e889f Remove conditional patch for alpha and ia64
It emits warning just because architectures no longer supported
2019-01-17 13:52:22 +01:00
Petr Menšík
2830e00b88 Move dnssec related tools to bind-dnssec-utils
Most often clients require just dig or host to lookup addresses.
Move dnssec and zone file into dedicated subpackage. For a limited time,
make bind-utils suggest bind-dnssec-utils, until all dependencies are
resolved. (#1649398)
2019-01-17 13:52:22 +01:00
Petr Menšík
685f10cbfd Reject invalid rbt file if header is corrupted
Resolves: rhbz#1666814
2019-01-16 17:43:33 +01:00
Petr Menšík
67a5cd83ff Made RAND_status check optional (broke --disable-crypto-rand)
dhclient can terminate if not enough entropy, but it never requires
random data. On a new virtual machine, lack of entropy can be common.
Ensure it does not prevent DHCP client assigning an IP address.
2019-01-16 17:43:33 +01:00
Adam Williamson
a1558710fb Correct a backport inconsistency in bind-9.11-rt46047.patch
The patch seems to have been generated from a more recent bind
tree in which `ns_g_lctx` was renamed `named_g_lctx`. So the
patch uses the `named_g_lctx` name, but the rest of server.c
in bind-9.11 still uses the name `ns_g_lctx`, so if you compile
with --disable-crypto-rand, the build actually fails with an
undeclared name error.
2019-01-11 23:35:03 -08:00
Petr Menšík
ae36af4c9f Add support for DNSTAP
Not enabled by default yet. Enables dumping of dns traffic.
Fix DNSTAP issues in build and unit tests.

Fool rpmlint to accept dnstap relative path. Rpmlint emited error
hardcoded-library-path on dnstap path. It is not system-wide library,
workaround by using variable.

Add dnstap-read utility to utils. When dnstap is enabled,
dnstap-read will be part of utils. Disadvantage is all utilities would have
dependency on protobuf library, including host and dig.

Resolves: #1564776
2018-11-05 18:28:47 +01:00
Petr Menšík
eba5779fc1 Add JSON statistics support
Optional support for HTTP statistics. For now it is still disabled.
2018-11-05 18:27:07 +01:00
Petr Menšík
ad7b3b8f12 Update to 9.11.5
Bump to higher version, update sources.

More fixes to rebased BIND. Many patches are affected by stdbool change.
Update libraries so versions.
2018-11-05 18:12:29 +01:00
Petr Menšík
c64b079c36 Add Requires to devel packages referenced by bind-devel
bind-devel requires openssl-devel to be installed for any digest
function. Prevent failures of depending packages if they do not depend
on other devel packages themselves. bind-dyndb-ldap is one such example.
2018-10-11 12:35:49 +02:00
Petr Menšík
cda9d12b65 Add test for bind-chroot
Test each build with simple request. Ensure it can start as normal
service with default configuration and also in chroot.
2018-10-11 12:25:05 +02:00
Igor Gnatenko
5efb1da1ac
fixup export-libs macro logic
1 /sbin/ldconfig: relative path `1' used to build cache
   2 warning: %postun(bind-export-libs-32:9.11.4-6.P1.fc29.x86_64) scriptlet failed, exit status 1

The reason for that is that macro defined below becomes part of
export-libs subpackage. %end will terminate post/postun immediately
without such side-effect.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-09-29 09:53:22 +02:00
Petr Menšík
e665b7deb0 Reenable IDN output but allow turning it off
Remove invalid downstream patch that disabled IDN output by default.
Dig could enable it, but it could not be enabled in nslookup and host.
Fix instead broken disable.

Resolves: #1580200
2018-09-26 20:31:46 +02:00
Petr Menšík
135784d7f2 Include /dev/urandom in chroot
Changed feature using OpenSSL RAND function requires /dev/urandom. It
was not provided in chroot and caused failure. Bug #1631515
2018-09-24 18:06:04 +02:00
Petr Menšík
e0ab89b893 Fix OpenSSL random patch
- Add new notes into notes.xml
- Initialize random provider before creation
2018-09-24 18:05:26 +02:00
Petr Menšík
fdbf64ca93 Fix changelog entry 2018-09-20 11:40:32 +02:00
Petr Menšík
0b3ef49c00 Update to bind-9.11.4-P2 2018-09-20 11:38:06 +02:00
Petr Menšík
8c65390bb6 Add versioned depends to all library subpackages 2018-09-19 21:04:52 +02:00
Petr Menšík
2ac37f7a75 Fix multilib conflict after 9.11 rebase
Conflict with devel headers reappeared after rebase to 9.11. Fix
socklen_t in a way that would generate the same types on 32 and 64 bit
architectures.
2018-09-19 21:04:52 +02:00
Petr Menšík
aeea22afaa Fix annobin failures
Replace isc_safe routines with their OpenSSL counter parts

(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)

Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp()

(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c)

Fix the isc_safe_memwipe() usage with (NULL, >0)

(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)

Resolves: rhbz#1624100
2018-09-19 21:04:52 +02:00
Petr Menšík
cc69cd1e32 Use sed to modify generated Makefile
Custom patch application is not recognized by checking tools.
Use more readable and understandable way.
2018-09-19 21:04:52 +02:00
Petr Menšík
328fbf43a1 Add manual page for new comand dnssec-importkey
Pkcs11 variant did not have it, add a symlink also to real manual.
2018-09-19 21:04:52 +02:00
Petr Menšík
595af1f3d5 [master] completed and corrected the crypto-random change
4724.	[func]		By default, BIND now uses the random number
			functions provided by the crypto library (i.e.,
			OpenSSL or a PKCS#11 provider) as a source of
			randomness rather than /dev/random.  This is
			suitable for virtual machine environments
			which have limited entropy pools and lack
			hardware random number generators.

			This can be overridden by specifying another
			entropy source via the "random-device" option
			in named.conf, or via the -r command line option;
			however, for functions requiring full cryptographic
			strength, such as DNSSEC key generation, this
			cannot be overridden. In particular, the -r
			command line option no longer has any effect on
			dnssec-keygen.

			This can be disabled by building with
			"configure --disable-crypto-rand".
			[RT #31459] [RT #46047]
2018-09-19 21:04:52 +02:00
Petr Menšík
6e9104cae5 Add support for OpenSSL provided random data
Modified pkcs11 patch, problem with openssl/pkcs11 includes and
ISC_PLATFORM_CRYPTOLIB
2018-09-19 21:04:52 +02:00
Pavel Raiskup
0ae69e04e1 BuildRequires: s/postgresql-devel/libpq-devel/
That's because we moved libpq.so.5 into libpq package, per
devel list discussion:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/U3XR5EGU2TPI2CDHBRBUD4M4LK5OHKU3/

Related: rhbz#1618698, rhbz#1623764
2018-09-05 14:55:41 +02:00
Petr Menšík
37943d075e Do not print errors on configuration failure (#1595782) 2018-08-14 22:28:45 +02:00
Petr Menšík
95d8248d50 Automatically replace obsoleted ISC DLV key with root key (#1595782) 2018-08-14 22:13:44 +02:00
Petr Menšík
e1f8ad2217 Fix sdb-chroot devices upgrade (#1592873)
Move common part to rpm define, use similar parts with different
parameter. Correct /dev/zero instead of missing /dev/dev.
2018-08-14 17:43:33 +02:00
Petr Menšík
35334375ff Update to 9.11.4-P1
- Fixes CVE-2018-5740
- Adds root key sentinel mechanism support
- incremental zone transfer limit to prevent journal corruption
- rndc reload memory leak
2018-08-09 13:13:02 +02:00
Petr Menšík
899014a8d1 Add support for disabled MD5
Do not crash named if MD5 function is not available. Instead gracefully
refuse to use such functions.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
2018-08-02 23:51:45 +02:00