Commit Graph

911 Commits

Author SHA1 Message Date
Petr Menšík
b8ccda0801 Update to 9.16.4
Documentation changed and requires another commit.
2020-06-18 04:30:24 +02:00
Petr Menšík
f82859a3a0 Update to 9.11.20
Fixes CVE-2020-8619 and few more issues
2020-06-17 22:53:13 +02:00
Miro Hrončok
8aa5837978 Rebuilt for Python 3.9 2020-05-26 02:41:36 +02:00
Petr Menšík
674cbdbb3e Make usage of initscripts optional
Do not depend hard on initscript just to provide fancy colored status.
When started from systemd, it does not really matter.

Return exactly the same return code as returned by the original tool.
2020-05-25 22:52:44 +02:00
Petr Menšík
f9201b844d Update to 9.11.19
Includes new CVE fixes
2020-05-25 12:15:44 +02:00
Petr Menšík
23458b3db1 Make usage of initscripts optional
Do not depend hard on initscript just to provide fancy colored status.
When started from systemd, it does not really matter.

Return exactly the same return code as returned by the original tool.
2020-05-22 12:18:30 +02:00
Petr Menšík
7fe31e1892 Update to 9.16.3
Changes some solib versions and fixes two important CVEs:
CVE-2020-8616 CVE-2020-8617
2020-05-20 13:25:26 +02:00
Petr Menšík
775befed48 Try successful build on epel8
softhsm is not provided on RHEL 8 as normal package. It is distributed
only in idm:DL1 module. If unittest or systemtest is not enabled, skip
configuring softhsm. It would not be used anyway.
2020-04-28 10:18:03 +02:00
Petr Menšík
40861268f3 Enable native PKCS11 build again
It was disabled because patches were not fixed. It compiles now, try it.
2020-04-27 22:22:47 +02:00
Petr Menšík
afbbd0be52 Add support to native PKCS11
Set of patches and changes, that fixes compilation of native PKCS11
support as subpackage. Moves definition of USE_PKCS11 from config.h to
Makefiles. Defaults to off and only PKCS11 subdirectories set it to
true.
2020-04-27 21:59:25 +02:00
Petr Menšík
8b8d05ffc0 Update sample config to match current version 2020-04-27 12:01:53 +02:00
Petr Menšík
aaa1cdaabf Update configuration to 9.16
Fixes warnings in default configuration file. Skip always enabled DNSSEC
and use more recent trust anchor format.
2020-04-24 15:21:33 +02:00
Björn Esser
b72488cc24 Rebuild (json-c) 2020-04-22 00:01:59 +02:00
Petr Menšík
076f5f80bc fixup! Make spec work also on CentOS 8 2020-04-16 12:46:45 +02:00
Petr Menšík
1d9c1cf435 fixup! Make spec work also on CentOS 8 2020-04-16 12:42:58 +02:00
Petr Menšík
1b133224fc Update to 9.16.2
Notes for BIND 9.16.2
Security Fixes

    DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574]

Known Issues

    We have received reports that in some circumstances, receipt of an IXFR can cause the processing of queries to slow significantly. Some of these were related to RPZ processing, which has been fixed in this release (see below). Others appear to occur where there are NSEC3-related changes (such as an operator changing the NSEC3 salt used in the hash calculation). These are being investigated. [GL #1685]

Feature Changes

    The previous DNSSEC sign statistics used lots of memory. The number of keys to track is reduced to four per zone, which should be enough for 99% of all signed zones. [GL #1179]

Bug Fixes

    When an RPZ policy zone was updated via zone transfer and a large number of records was deleted, named could become nonresponsive for a short period while deleted names were removed from the RPZ summary database. This database cleanup is now done incrementally over a longer period of time, reducing such delays. [GL #1447]

    When trying to migrate an already-signed zone from auto-dnssec maintain to one based on dnssec-policy, the existing keys were immediately deleted and replaced with new ones. As the key rollover timing constraints were not being followed, it was possible that some clients would not have been able to validate responses until all old DNSSEC information had timed out from caches. BIND now looks at the time metadata of the existing keys and incorporates it into its DNSSEC policy operation. [GL #1706]
2020-04-16 12:38:00 +02:00
Petr Menšík
5e13eb8e75 Make spec work also on CentOS 8
Move some conditional requirements to be enabled just on Fedora.
2020-04-16 11:21:47 +02:00
Petr Menšík
96e1d963a4 Make spec work also on CentOS 8
Move some conditional requirements to be enabled just on Fedora.
2020-04-16 11:10:15 +02:00
Petr Menšík
6e3b160e37 Update to BIND 9.11.18
From Upstream Release notes:

Security Fixes

    DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574]

Known Issues

    We have received reports that in some circumstances, receipt of an IXFR can cause the processing of queries to slow significantly. Some of these were related to RPZ processing, which has been fixed in this release (see below). Others appear to occur where there are NSEC3-related changes (such as an operator changing the NSEC3 salt used in the hash calculation). These are being investigated. [GL #1685]
2020-04-16 10:53:28 +02:00
Petr Menšík
304cfaa8e0 Enable source verification only on Fedora builds 2020-04-08 20:50:01 +02:00
Petr Menšík
6b3788d026 Provide link to merge request for lastest patch
Document when it should be removed
2020-04-08 20:15:42 +02:00
Petr Menšík
ec5a01d972 Remove SDB sections
Since 9.12 BIND no longer ships required files to create SDB version.
Limited support should still be possible with DLZ modules.
2020-04-01 20:25:56 +02:00
Petr Menšík
74c92fb0da Enable DLZ dependencies without SDB 2020-04-01 20:17:37 +02:00
Petr Menšík
29036faad7 Link all used libraries to libisc
Library should link all required libraries. Link all used libraries
directly to libisc. Should help with dynamic linking of -lisc alone.
2020-04-01 19:56:12 +02:00
Petr Menšík
5c15ad824e Remove unused patches 2020-03-31 20:50:35 +02:00
Petr Menšík
c223e3e275 Update to 9.11.17
Updated a bit SDB related patches.
2020-03-31 20:37:08 +02:00
Petr Menšík
fcefdeb129 Disable SDB and its patches, enable DLZ
SDB is no longer part of bind distribution. Do not try to compile static
linked version named-sdb. But DLZ modules work, enable them without
tools.
2020-03-27 16:06:37 +01:00
Petr Menšík
15cfc8b402 Disable GEOIP and compile on s390x without SDB 2020-03-27 13:35:09 +01:00
Petr Menšík
80d0367669 Remove GEOIP and EXPORT_LIBS
Most recent release is no longer able to statisfy export libs and geoip
legacy. Remove its support from GeoIP.
2020-03-27 12:53:49 +01:00
Petr Menšík
a6f9fe005e Remove unused 9.14 patches 2020-03-27 12:39:30 +01:00
Petr Menšík
814547323e Update patches after rebase 2020-03-27 12:30:39 +01:00
Petr Menšík
b626a2bfa5 Compilable 9.16.1 package
Updated from 9.14 to 9.16.1.
Disabled SIGCHASE, since it no longer exists.
Disabled PKCS11 native build for now
Disabled EXPORT_LIBS

No longer ships isc-config.sh, missing it.
2020-03-27 11:28:11 +01:00
Petr Menšík
05dbc88928 Iterative update, not working properly
Fixed PKCS#11 used everywhere. Just custom system to use PKCS11 on part
of built tools.

FIXME: unit tests not passing, something broken inside.
2020-03-27 11:26:09 +01:00
Petr Menšík
6a048cc0b6 Tweaks to PKCS11 support
Current build has PKCS11 enabled for both variants, because USE_PKCS11
is configured in config.h.
2020-03-27 11:26:07 +01:00
Petr Menšík
a6454b966c Update to 9.14.7
Rebase to new sources

14.5:
A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added.
2020-03-27 11:25:12 +01:00
Petr Menšík
cc967eb09e Enable GeoLite2 support
Make GeoIP support controlled by bcond, defaults to off now.
Instead enable GeoLite2 support.
2020-03-27 11:23:16 +01:00
Petr Menšík
eeb7df78d9 Remove no longer distributed tools, include named plugin
Includes new functionality as separate loadable library.
Currently it uses another directory %{_libdir}/named. bind-dyndb-ldap
uses %{_libdir}/bind.
2020-03-27 11:23:13 +01:00
Petr Menšík
e34707285d Update so version, remove unused patches
Remove already deleted patches from the list. Some patches still kept
intact.
2020-03-27 11:21:35 +01:00
Petr Menšík
0990c9b32d Remove last lwres remains 2020-03-27 11:20:47 +01:00
Petr Menšík
2dbb099871 Update to 9.14.4
Current latest version fixes unit tests.
2020-03-27 11:20:45 +01:00
Petr Menšík
3c4d9d472a Update changelog 2020-03-27 11:16:50 +01:00
Petr Menšík
aaee84a4fb First version compiling up to tests
Unfortunately, test fails.
2020-03-27 11:11:55 +01:00
Petr Menšík
df81e828c7 Update patches to build on 9.14 2020-03-27 11:08:21 +01:00
Petr Menšík
0b18b1b517 Initial steps towards buildable 9.14 2020-03-27 10:56:58 +01:00
Petr Menšík
7726ce77a6 Some patches adapted to v9_14 2020-03-27 10:53:44 +01:00
Fedora Release Engineering
a1d448dbef - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-28 12:57:50 +00:00
Petr Menšík
c23c15d73b Remove libmaxminddb-devel from devel dependencies
Unlike other build dependencies, no public headers include from
libmaxminddb any symbols. That means no build would ever fail
if libmaxminddb-devel package is not installed. Do not require it when
installing bind-lite-devel but keep the requirement when building from
sources.
2020-01-08 16:36:11 +01:00
Petr Menšík
4fa84d9ccc Preserve symlinks to named.conf on iscdlv modification (#1786626) 2020-01-03 20:26:39 +01:00
Petr Menšík
b4802c2e65 Fix oot build
gen would not compile under oot build
2020-01-02 11:44:53 +01:00
Petr Menšík
43f4de9bf3 Include more Thread Sanitizer changes
Fix as much race conditions as possible.
2019-12-19 19:38:56 +01:00
Petr Menšík
23657868e6 Update to 9.11.14
Includes ThreadSanitizer fixes already included as downstream patches.
Adjusts serve-stale patch, one new statistics.
2019-12-19 18:43:23 +01:00
Petr Menšík
9406a85e89 Fix dnf builddep when python3-devel is not installed
Build requirements fetch fail on clean system with just basic utils.
2019-12-19 18:42:50 +01:00
Petr Menšík
d5106d287e Add one more candidate for issue fixing
Imported from upstream commit 6eed12605154b8ce10e9be0f51253e6ec318550e
2019-12-19 18:42:47 +01:00
Petr Menšík
9cfd91a473 Add ThreadSanitizer support
Has to be enabled in build by --with TSAN.
Would make build fail unit tests and print many warnings about possible
race conditions. Not useful for production build, but useful for
debugging thread related problems in system tests.
2019-12-04 17:57:12 +01:00
Petr Menšík
ccf1b03734 Disable Berkeley DB support (#1779190)
Allow enabling it by build --with BDB, but keep it disabled by default.
2019-12-03 19:05:53 +01:00
Petr Menšík
c44ebdeade Bump spec for bug #1736762 2019-12-02 20:35:43 +01:00
Petr Menšík
1a4de8b956 Backport a few upstream thread safety fixes
It might not fix all issues, but was detected by upstream using
automated tool. Should not break anything new, but might fix issue
triggered usually on ppc64le platform.
2019-12-02 20:34:08 +01:00
Petr Menšík
6f27f8e4a7 Complete explicit disabling of RSAMD5 in FIPS mode (#1709553)
Previous fix included just part inside named. However, checking part
would check algorithm support also in check library. The code is almost
the same. Permit already disabled algoritms also in libbind9.

Use the same change as RHEL.
2019-11-26 19:37:29 +01:00
Petr Menšík
adcfd20cb2 Remove tabs from spec
rpmlint complains about mixed spaces and tabs. Set vim mode and remove
tabs added by recent commit.
2019-11-25 21:32:36 +01:00
Petr Menšík
547656b469 Add source verification on build
Include verification on build time, with link to GPG keys on upstream
site.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
2019-11-25 21:06:06 +01:00
Petr Menšík
74b53c3a58 Update to 9.11.13 2019-11-25 21:06:06 +01:00
Petr Menšík
b29a7e26db Report error on reload failure
Return failed status code to command. Not only report error message to
the log, but also report reload success. Must not terminate running
service on failed reload.
2019-11-19 13:37:14 +01:00
Petr Menšík
c45a218eef fixup! Remove config archive with zone files 2019-11-19 12:01:15 +01:00
Petr Menšík
9bef003ee5 Fix binary compatibility after serve-stale patch (#1770492)
Move new entry to the end. Do not break already compiled bind-dyndb-ldap
compatibility.
2019-11-12 11:17:43 +01:00
Petr Menšík
8544584691 Add serve-stale feature
Backported from 9.12 version, adds support for stale-answer-enable
option, as well stale-answer-ttl and max-stale-ttl.
2019-11-07 14:36:47 +01:00
Petr Menšík
dff9083e8c Fix wrong default GeoIP directory (#1768258) 2019-11-06 21:31:14 +01:00
Petr Menšík
cba49a643a Improve SYSTEMTEST running on build time
Use parallel execution on test run. Support already configured
interfaces without special permissions on build. It can either use
already present addresses or configure it on build time. If it has no
rights to configure it, just skip the test and continue.
2019-11-05 13:03:34 +01:00
Petr Menšík
63bb1cf127 Add GeoIP configuration into config file
Upstream has wrong default path of GeoIP2. Use it explicitly.
2019-11-04 21:48:36 +01:00
Petr Menšík
ed8f6043d7 Bump version 2019-11-04 21:45:08 +01:00
Petr Menšík
86712fc834 Remove config archive with zone files
Few configuration and zone files were moved into tarball by commit
55b04de09a. It makes tracking of changes difficult, hardens rebases,
makes difficult building without proper lookaside cache. Those files are
tiny, no need to hold them inside compressed binary archive. Move them
out.

Replaces also few places with proper directory macros.
2019-11-04 21:45:08 +01:00
Petr Menšík
176d144f32 Adjust patches to 9.11.12
Few changes occured, remove one upstream applied patch.
2019-10-21 14:40:42 +02:00
Petr Menšík
d0053ae530 Update to 9.11.12 (#1557762) 2019-10-21 14:26:32 +02:00
Petr Menšík
833ef7b7b4 Adjust downstream patches to 9.11.11 2019-09-25 21:30:47 +02:00
Petr Menšík
d568c54c25 Share pkcs11-utils and dnssec-utils manuals
Previous build recommended bind-dnssec-utils just to provide manual for
pkcs11 variants. Instead, share the same files between pkcs11-utils and
dnssec-utils. Skip unnecessary manual of non-existent dnssec-coverage-pkcs11 tool.
2019-09-05 21:18:52 +02:00
Petr Menšík
9d1aaa502b Recommend bind-dnssec-utils from bind-pkcs11-utils
Manual pages are just links to pages in bind-dnssec-utils. Do not copy
them, but suggest them for installation is possible. It would be handy
to have them available, but are not required for any function.
2019-09-03 18:34:04 +02:00
Petr Menšík
bf5bc99f81 Add GeoIP to bind-chroot (#1497646)
named can use ACLs defined by GeoIP of request. Such information is not
available by default under named-chroot service. Enable GeoIP databases
under chroot without explicit configuration.
2019-09-03 13:58:49 +02:00
Petr Menšík
0fa39c28ad Move created empty directories to single define
Make it easier to manage list of used directories in chroot. Use
appropriate macros for system directories everywhere in chroot package.
Share common variable with -sdb-chroot and -chroot packages.
2019-09-03 13:58:31 +02:00
Petr Menšík
8cd5c11f0d Move some administration utilities back to utils (#1720380)
Some utilities are not related DNSSEC at all, but are just bind related
tools. Because they do not require additional dependencies, they do not
save any space in containers.
2019-09-03 11:37:26 +02:00
Petr Menšík
c5d9a5c66a Avoid conflicts between OpenSSL and native PKCS#11
Do not set default engine when native module should be used.
2019-08-27 21:39:46 +02:00
Petr Menšík
72f1dad845 Update to BIND 9.11.10 2019-08-27 21:39:46 +02:00
Miro Hrončok
c92fe260ae Rebuilt for Python 3.8 2019-08-19 10:10:45 +02:00
Petr Menšík
b75571c4df Add changelog and bump spec 2019-08-09 12:39:58 +02:00
Petr Menšík
963c4b916b Fix rpmlint warnings
Clean whitespace to satisfy rpmlint
2019-08-08 15:08:53 +02:00
Petr Menšík
dab22dd2c2 Permit explicit disabling of RSAMD5 in FIPS mode (#1709553)
When MD5 is disabled in library, it behaved like RSAMD5 were unknown.
But security-policy disables it explicitly. It failed to even start in
FIPS mode, because such algorithm were unknown. Fix disabled algorithm
to return disabled result code. Accept such algorithm only when
disabling it.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
2019-08-08 14:19:59 +02:00
Petr Menšík
fac5ed036c Disable building of export-libs
DHCP no longer needs export libs, stop building them.
2019-08-08 14:19:59 +02:00
Petr Menšík
b4e74efbf2 Enable GeoLite2 support
Make GeoIP support controlled by bcond, defaults to off now.
Instead enable GeoLite2 support.
2019-08-08 12:16:51 +02:00
Petr Menšík
448b6647dc Solve conflicting jsoncpp-devel and json-c-devel 2019-08-08 12:16:51 +02:00
Petr Menšík
afa1fa2af7 Update to 9.11.9 2019-08-08 12:16:51 +02:00
Petr Menšík
1050b1aed6 Use monotonic time in export library (#1732883)
Signed-off-by: Petr Menšík <pemensik@redhat.com>
2019-08-08 12:16:51 +02:00
Fedora Release Engineering
3a67af20ad - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-24 19:16:14 +00:00
Petr Menšík
16ecf0736f Update to 9.11.8
Contains:
5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
			that could cause an assertion failure if a
			significant number of incoming packets were
			rejected. (CVE-2019-6471) [GL #942]

5241.	[bug]		Fix Ed448 private and public key ASN.1 prefix blobs.
			[GL #225]

5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
			[GL #1028]
2019-07-02 11:10:03 +02:00
Petr Menšík
564c143a1b Fix OpenSSL random generator initialization
Also fix warning in test.
2019-06-17 13:56:47 +02:00
Petr Menšík
ecef966359 Fix libisc so version 2019-06-11 14:56:08 +02:00
Petr Menšík
2a466330c5 Update patches to new sources
Modify current and remove already merged patches.
Adjust versions of so libs.
2019-06-11 12:08:54 +02:00
Petr Menšík
625ca235be Update to BIND 9.11.7
Fixes trusted-keys and managed-keys using the same filename.

https://downloads.isc.org/isc/bind9/9.11.7/RELEASE-NOTES-bind-9.11.7.html
2019-06-10 10:41:28 +02:00
Petr Menšík
e97d036624 Fix also postun script 2019-05-06 14:04:12 +02:00
Petr Menšík
926c8e07af Fix error in scriptlet condition
Selinux boolean is not correctly set, correct syntax of bash condition.
2019-05-06 13:05:44 +02:00
Petr Menšík
4b42a5c162 5200. [security] tcp-clients settings could be exceeded in some cases,
which could lead to exhaustion of file descriptors.
                        (CVE-2018-5743) [GL #615]
2019-05-02 14:49:56 +02:00
Petr Menšík
7232bc0a99 Attempt to use rich dependencies
Selinux boolean should be set only in case given selinux policy is
installed. Do not require it inside containers.
2019-04-09 22:18:22 +02:00
Petr Menšík
e2a32c8eca Revert shell change to /bin/false 2019-04-09 20:27:00 +02:00
Petr Menšík
ae423dfbeb Enable optional features by default 2019-03-15 17:48:06 +01:00
Petr Menšík
16bdca79ba Workaround to broken kyua handling of empty test
Also filter used subdirectories, run tests only for compiled libraries
for export-libs.
2019-03-15 15:46:04 +01:00
Petr Menšík
812f6fb336 Fix dnstap unit test issue with pkcs11 2019-03-14 15:59:22 +01:00
Petr Menšík
395fbedb17 Use libcmocka instead of libatf
Upstream no longer ships bundled libatf library and no longer uses ATF
in sources. kyua and cmocka are mandatory for unit tests now. Removes
--with KYUA, use --with UNITTEST on different builds when cmocka and
kyua are available.
2019-03-14 11:41:44 +01:00
Petr Menšík
bcfdb893b9 So versions change
Requires rebuild of all dependent packages.
2019-03-05 21:50:48 +01:00
Petr Menšík
7bc8b1b992 Atf support was removed
cmocka is used instead. Unfortunately it is not packaged in Fedora yet.
2019-03-05 21:50:22 +01:00
Petr Menšík
1e4169114f Adapted patches for new version
Removed merged upstream.
2019-03-05 21:49:26 +01:00
Petr Menšík
2aa49f0cec Update to 9.11.6
Update lastest release, patches not yet adepted for it.
2019-03-05 14:35:50 +01:00
Petr Menšík
25e332108e Make alternative named builds testable in system tests
Red Hat has alternative variant builds of named, which are not ever
tested by system tests. New variables make it relatively easy to test
alternative variants.

For sdb variant use:
export NAMED_VARIANT=-sdb DNSSEC_VARIANT=

For pkcs variant use:
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11

followed by make test in build directory.

Note: PKCS11 tests are still skipped, it requires SLOT variable
exported. Fails in some cases.
2019-03-04 14:18:15 +01:00
Petr Menšík
d0d728803b Modify feature test to detect dlz support
System tests are failing for named, because it cannot detect it does not
support filesystem SDB. Move feature test to named directory, so it is
built for every variant.
2019-03-04 14:18:15 +01:00
Petr Menšík
321554b987 Update to BIND 9.11.5-P4
Add also PGP signature as part of repository.
2019-02-22 19:40:00 +01:00
Petr Menšík
d3fe8d6248 Enable json statistics format
Statistics channel would include also json format, use URL
http://localhost:80/v3/json/. XML format is still supported.
2019-02-22 19:19:59 +01:00
Petr Menšík
ec6f94669a Enable LMDB support
Provides faster adding and removing of dynamically created zones
runtime. Useful on higher number of zones used.
2019-02-22 19:18:45 +01:00
Petr Menšík
f0b6f15ced Enable DNSTAP (#1564776)
Enable support for DNSTAP. It will introduce new linked libraries to
bind and its tools, including bind-utils.
2019-02-22 19:14:36 +01:00
Petr Menšík
bd6e8b8965 Fix spec usage of softhsm helper
Output produced by helper is multiline starting with comment. Unless it
is enclosed in quotes, it will be concatenated into single line.

Fixes commit fa1631eef7
2019-02-22 16:39:54 +01:00
Petr Menšík
ad76423202 Disable random_test in unit tests
It fails sometimes, but aborts whole build just because some fail. Keep
it disabled until fixed.
2019-02-21 22:50:12 +01:00
Petr Menšík
c2772a07e8 Disable ED448
It is breaking dnssec system test. Its implementation in BIND is broken.
2019-02-21 15:36:27 +01:00
Petr Menšík
fa1631eef7 Simplify pkcs11 token generation
Make default secure enough, no predefined pins are used. Generate pin
and save it into file protected by unix rights. HSM tools will probably
require it anyway. Use smart defaults.
2019-02-20 19:06:03 +01:00
Petr Menšík
6fee3d63e9 Remove revoked KSK 19164 from trusted root keys 2019-02-15 19:50:20 +01:00
Petr Menšík
6ecd16d458 Update project URL 2019-02-15 18:09:57 +01:00
Petr Menšík
1da60a891a More fixes to compile DLZ 2019-02-12 22:21:31 +01:00
Petr Menšík
de8fa0799a Improve descriptions for DLZ plugins 2019-02-12 20:46:17 +01:00
Petr Menšík
7a958a2a9f Disable dig IDN output into scripts
Dig could be used to receive zone via AXFR. If IDN data are inside and
are decoded, it cannot be used as named zone file. Disable +idnout if
stdin is not a tty.
2019-02-07 10:46:05 +01:00
Petr Menšík
a699858667 dig prints ASCII name instead of failure (#1647829) 2019-02-07 10:46:05 +01:00
Petr Menšík
432a81aeff Fix DLZ in oot builds
DLZ has no VPATH support. Just make duplicates in build directory
2019-02-06 22:08:27 +01:00
Fedora Release Engineering
9a4b768e18 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-01-31 14:36:55 +00:00
Igor Gnatenko
b2a708808a Remove unneeded %clean section
It is the behavior since EPEL5.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2019-01-29 05:45:26 +01:00
Petr Menšík
13f8f23ec5 Update to 9.11.5-P1 2019-01-28 00:47:11 +01:00
Petr Menšík
32d91f12ca Made RAND_status check optional (broke --disable-crypto-rand)
Unlike upstream, skip it also for DHCP.

Disable RAND_status also in non-threaded builds. DHCP is built without
threads and should not check RAND_status on dns library initialization.
Lack of entropy is possible state for dhclient, but it must not fail
even in this case. Because DHCP itself does not require custom random
generator, leave default RAND_OpenSSL configured. It should help TLS
connection to LDAP in single DHCP binary, while keeping secure random
data if needed.

Resolves: #1663318

(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
2019-01-23 21:15:03 +01:00
Petr Menšík
219b0e889f Remove conditional patch for alpha and ia64
It emits warning just because architectures no longer supported
2019-01-17 13:52:22 +01:00
Petr Menšík
2830e00b88 Move dnssec related tools to bind-dnssec-utils
Most often clients require just dig or host to lookup addresses.
Move dnssec and zone file into dedicated subpackage. For a limited time,
make bind-utils suggest bind-dnssec-utils, until all dependencies are
resolved. (#1649398)
2019-01-17 13:52:22 +01:00
Petr Menšík
685f10cbfd Reject invalid rbt file if header is corrupted
Resolves: rhbz#1666814
2019-01-16 17:43:33 +01:00
Petr Menšík
67a5cd83ff Made RAND_status check optional (broke --disable-crypto-rand)
dhclient can terminate if not enough entropy, but it never requires
random data. On a new virtual machine, lack of entropy can be common.
Ensure it does not prevent DHCP client assigning an IP address.
2019-01-16 17:43:33 +01:00
Petr Menšík
ae36af4c9f Add support for DNSTAP
Not enabled by default yet. Enables dumping of dns traffic.
Fix DNSTAP issues in build and unit tests.

Fool rpmlint to accept dnstap relative path. Rpmlint emited error
hardcoded-library-path on dnstap path. It is not system-wide library,
workaround by using variable.

Add dnstap-read utility to utils. When dnstap is enabled,
dnstap-read will be part of utils. Disadvantage is all utilities would have
dependency on protobuf library, including host and dig.

Resolves: #1564776
2018-11-05 18:28:47 +01:00
Petr Menšík
eba5779fc1 Add JSON statistics support
Optional support for HTTP statistics. For now it is still disabled.
2018-11-05 18:27:07 +01:00
Petr Menšík
ad7b3b8f12 Update to 9.11.5
Bump to higher version, update sources.

More fixes to rebased BIND. Many patches are affected by stdbool change.
Update libraries so versions.
2018-11-05 18:12:29 +01:00
Petr Menšík
c64b079c36 Add Requires to devel packages referenced by bind-devel
bind-devel requires openssl-devel to be installed for any digest
function. Prevent failures of depending packages if they do not depend
on other devel packages themselves. bind-dyndb-ldap is one such example.
2018-10-11 12:35:49 +02:00
Igor Gnatenko
5efb1da1ac
fixup export-libs macro logic
1 /sbin/ldconfig: relative path `1' used to build cache
   2 warning: %postun(bind-export-libs-32:9.11.4-6.P1.fc29.x86_64) scriptlet failed, exit status 1

The reason for that is that macro defined below becomes part of
export-libs subpackage. %end will terminate post/postun immediately
without such side-effect.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-09-29 09:53:22 +02:00
Petr Menšík
e665b7deb0 Reenable IDN output but allow turning it off
Remove invalid downstream patch that disabled IDN output by default.
Dig could enable it, but it could not be enabled in nslookup and host.
Fix instead broken disable.

Resolves: #1580200
2018-09-26 20:31:46 +02:00
Petr Menšík
135784d7f2 Include /dev/urandom in chroot
Changed feature using OpenSSL RAND function requires /dev/urandom. It
was not provided in chroot and caused failure. Bug #1631515
2018-09-24 18:06:04 +02:00
Petr Menšík
fdbf64ca93 Fix changelog entry 2018-09-20 11:40:32 +02:00
Petr Menšík
0b3ef49c00 Update to bind-9.11.4-P2 2018-09-20 11:38:06 +02:00
Petr Menšík
8c65390bb6 Add versioned depends to all library subpackages 2018-09-19 21:04:52 +02:00
Petr Menšík
2ac37f7a75 Fix multilib conflict after 9.11 rebase
Conflict with devel headers reappeared after rebase to 9.11. Fix
socklen_t in a way that would generate the same types on 32 and 64 bit
architectures.
2018-09-19 21:04:52 +02:00
Petr Menšík
aeea22afaa Fix annobin failures
Replace isc_safe routines with their OpenSSL counter parts

(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)

Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp()

(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c)

Fix the isc_safe_memwipe() usage with (NULL, >0)

(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)

Resolves: rhbz#1624100
2018-09-19 21:04:52 +02:00
Petr Menšík
cc69cd1e32 Use sed to modify generated Makefile
Custom patch application is not recognized by checking tools.
Use more readable and understandable way.
2018-09-19 21:04:52 +02:00
Petr Menšík
328fbf43a1 Add manual page for new comand dnssec-importkey
Pkcs11 variant did not have it, add a symlink also to real manual.
2018-09-19 21:04:52 +02:00
Petr Menšík
595af1f3d5 [master] completed and corrected the crypto-random change
4724.	[func]		By default, BIND now uses the random number
			functions provided by the crypto library (i.e.,
			OpenSSL or a PKCS#11 provider) as a source of
			randomness rather than /dev/random.  This is
			suitable for virtual machine environments
			which have limited entropy pools and lack
			hardware random number generators.

			This can be overridden by specifying another
			entropy source via the "random-device" option
			in named.conf, or via the -r command line option;
			however, for functions requiring full cryptographic
			strength, such as DNSSEC key generation, this
			cannot be overridden. In particular, the -r
			command line option no longer has any effect on
			dnssec-keygen.

			This can be disabled by building with
			"configure --disable-crypto-rand".
			[RT #31459] [RT #46047]
2018-09-19 21:04:52 +02:00
Petr Menšík
6e9104cae5 Add support for OpenSSL provided random data
Modified pkcs11 patch, problem with openssl/pkcs11 includes and
ISC_PLATFORM_CRYPTOLIB
2018-09-19 21:04:52 +02:00
Pavel Raiskup
0ae69e04e1 BuildRequires: s/postgresql-devel/libpq-devel/
That's because we moved libpq.so.5 into libpq package, per
devel list discussion:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/U3XR5EGU2TPI2CDHBRBUD4M4LK5OHKU3/

Related: rhbz#1618698, rhbz#1623764
2018-09-05 14:55:41 +02:00