Petr Menšík
01dd585828
Fix broken pkcs11 initialization
Broken by commit 2a466330c5
2019-08-27 21:39:46 +02:00
Petr Menšík
1b89e61546
Fix broken system/tsig test
On rebases, md5 keys were accidentally dropped. Put them back.
2019-08-27 21:39:46 +02:00
Petr Menšík
843e5f5094
Update patches to 9.11.10
2019-08-27 21:39:46 +02:00
Petr Menšík
72f1dad845
Update to BIND 9.11.10
2019-08-27 21:39:46 +02:00
Miro Hrončok
c92fe260ae
Rebuilt for Python 3.8
2019-08-19 10:10:45 +02:00
Petr Menšík
b75571c4df
Add changelog and bump spec
2019-08-09 12:39:58 +02:00
Petr Menšík
23eefd9798
Report errors from rndc reload (#1739441)
Success status has to be ignored until systemd is fixed. Now it would
kill service on reload failure, which is far worse than reload error.
2019-08-09 12:32:48 +02:00
Petr Menšík
963c4b916b
Fix rpmlint warnings
Clean whitespace to satisfy rpmlint
2019-08-08 15:08:53 +02:00
Petr Menšík
dab22dd2c2
Permit explicit disabling of RSAMD5 in FIPS mode (#1709553)
When MD5 is disabled in the library, it behaved as if RSAMD5 were unknown.
But security-policy disables it explicitly. It failed to even start in
FIPS mode, because such an algorithm was unknown. Fix disabled algorithm
to return disabled result code. Accept such an algorithm only when
disabling it.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
2019-08-08 14:19:59 +02:00
Petr Menšík
fac5ed036c
Disable building of export-libs
DHCP no longer needs export libs, stop building them.
2019-08-08 14:19:59 +02:00
Petr Menšík
b4e74efbf2
Enable GeoLite2 support
Make GeoIP support controlled by bcond, defaults to off now.
Instead enable GeoLite2 support.
2019-08-08 12:16:51 +02:00
Petr Menšík
448b6647dc
Solve conflicting jsoncpp-devel and json-c-devel
2019-08-08 12:16:51 +02:00
Petr Menšík
371a1e3b7d
Update patches to 9.11.9
Maxmind library and defines modifies many patches changing flags.
Conflicts a lot especially with PKCS11 build.
2019-08-08 12:16:51 +02:00
Petr Menšík
afa1fa2af7
Update to 9.11.9
2019-08-08 12:16:51 +02:00
Petr Menšík
1050b1aed6
Use monotonic time in export library (#1732883)
Signed-off-by: Petr Menšík <pemensik@redhat.com>
2019-08-08 12:16:51 +02:00
Fedora Release Engineering
3a67af20ad
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-24 19:16:14 +00:00
Petr Menšík
16ecf0736f
Update to 9.11.8
Contains:
5244. [security] Fixed a race condition in dns_dispatch_getnext()
that could cause an assertion failure if a
significant number of incoming packets were
rejected. (CVE-2019-6471) [GL #942]
5241. [bug] Fix Ed448 private and public key ASN.1 prefix blobs.
[GL #225]
5237. [bug] Recurse to find the root server list with 'dig +trace'.
[GL #1028]
2019-07-02 11:10:03 +02:00
Petr Menšík
564c143a1b
Fix OpenSSL random generator initialization
Also fix warning in test.
2019-06-17 13:56:47 +02:00
Petr Menšík
ecef966359
Fix libisc so version
2019-06-11 14:56:08 +02:00
Petr Menšík
2a466330c5
Update patches to new sources
Modify current and remove already merged patches.
Adjust versions of so libs.
2019-06-11 12:08:54 +02:00
Petr Menšík
625ca235be
Update to BIND 9.11.7
Fixes trusted-keys and managed-keys using the same filename.
https://downloads.isc.org/isc/bind9/9.11.7/RELEASE-NOTES-bind-9.11.7.html
2019-06-10 10:41:28 +02:00
Petr Menšík
e97d036624
Fix also postun script
2019-05-06 14:04:12 +02:00
Petr Menšík
926c8e07af
Fix error in scriptlet condition
Selinux boolean is not correctly set, correct syntax of bash condition.
2019-05-06 13:05:44 +02:00
Petr Menšík
4b42a5c162
5200. [security] tcp-clients settings could be exceeded in some cases,
which could lead to exhaustion of file descriptors.
(CVE-2018-5743) [GL #615]
2019-05-02 14:49:56 +02:00
Petr Menšík
7232bc0a99
Attempt to use rich dependencies
Selinux boolean should be set only in case given selinux policy is
installed. Do not require it inside containers.
2019-04-09 22:18:22 +02:00
Petr Menšík
e2a32c8eca
Revert shell change to /bin/false
2019-04-09 20:27:00 +02:00
Petr Menšík
ae423dfbeb
Enable optional features by default
2019-03-15 17:48:06 +01:00
Petr Menšík
16bdca79ba
Workaround to broken kyua handling of empty test
Also filter used subdirectories, run tests only for compiled libraries
for export-libs.
2019-03-15 15:46:04 +01:00
Petr Menšík
812f6fb336
Fix dnstap unit test issue with pkcs11
2019-03-14 15:59:22 +01:00
Petr Menšík
395fbedb17
Use libcmocka instead of libatf
Upstream no longer ships bundled libatf library and no longer uses ATF
in sources. kyua and cmocka are mandatory for unit tests now. Removes
--with KYUA, use --with UNITTEST on different builds when cmocka and
kyua are available.
2019-03-14 11:41:44 +01:00
Petr Menšík
bcfdb893b9
So versions change
Requires rebuild of all dependent packages.
2019-03-05 21:50:48 +01:00
Petr Menšík
7bc8b1b992
Atf support was removed
cmocka is used instead. Unfortunately it is not packaged in Fedora yet.
2019-03-05 21:50:22 +01:00
Petr Menšík
1e4169114f
Adapted patches for new version
Removed merged upstream.
2019-03-05 21:49:26 +01:00
Petr Menšík
2aa49f0cec
Update to 9.11.6
Update latest release, patches not yet adapted for it.
2019-03-05 14:35:50 +01:00
Petr Menšík
25e332108e
Make alternative named builds testable in system tests
Red Hat has alternative variant builds of named, which are not ever
tested by system tests. New variables make it relatively easy to test
alternative variants.
For sdb variant use:
export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
For pkcs variant use:
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
followed by make test in build directory.
Note: PKCS11 tests are still skipped, it requires SLOT variable
exported. Fails in some cases.
2019-03-04 14:18:15 +01:00
Petr Menšík
d0d728803b
Modify feature test to detect dlz support
System tests are failing for named, because it cannot detect it does not
support filesystem SDB. Move feature test to named directory, so it is
built for every variant.
2019-03-04 14:18:15 +01:00
Petr Menšík
8da0172aac
Upstream tests in beakerlib
Prepare system tests from source package and start them. Check results
and report failure.
2019-03-04 14:17:25 +01:00
Petr Menšík
321554b987
Update to BIND 9.11.5-P4
Add also PGP signature as part of repository.
2019-02-22 19:40:00 +01:00
Petr Menšík
d3fe8d6248
Enable json statistics format
Statistics channel would include also json format, use URL
http://localhost:80/v3/json/ . XML format is still supported.
2019-02-22 19:19:59 +01:00
Petr Menšík
ec6f94669a
Enable LMDB support
Provides faster adding and removing of dynamically created zones
runtime. Useful on higher number of zones used.
2019-02-22 19:18:45 +01:00
Petr Menšík
f0b6f15ced
Enable DNSTAP (#1564776)
Enable support for DNSTAP. It will introduce new linked libraries to
bind and its tools, including bind-utils.
2019-02-22 19:14:36 +01:00
Petr Menšík
bd6e8b8965
Fix spec usage of softhsm helper
Output produced by helper is multiline starting with comment. Unless it
is enclosed in quotes, it will be concatenated into single line.
Fixes commit fa1631eef7
2019-02-22 16:39:54 +01:00
Petr Menšík
ad76423202
Disable random_test in unit tests
It fails sometimes, but aborts whole build just because some fail. Keep
it disabled until fixed.
2019-02-21 22:50:12 +01:00
Petr Menšík
c2772a07e8
Disable ED448
It is breaking dnssec system test. Its implementation in BIND is broken.
2019-02-21 15:36:27 +01:00
Petr Menšík
fa1631eef7
Simplify pkcs11 token generation
Make default secure enough, no predefined pins are used. Generate pin
and save it into file protected by unix rights. HSM tools will probably
require it anyway. Use smart defaults.
2019-02-20 19:06:03 +01:00
Petr Menšík
6fee3d63e9
Remove revoked KSK 19164 from trusted root keys
2019-02-15 19:50:20 +01:00
Petr Menšík
6ecd16d458
Update project URL
2019-02-15 18:09:57 +01:00
Petr Menšík
1da60a891a
More fixes to compile DLZ
2019-02-12 22:21:31 +01:00
Petr Menšík
de8fa0799a
Improve descriptions for DLZ plugins
2019-02-12 20:46:17 +01:00
Petr Menšík
7a958a2a9f
Disable dig IDN output into scripts
Dig could be used to receive zone via AXFR. If IDN data are inside and
are decoded, it cannot be used as named zone file. Disable +idnout if
stdin is not a tty.
2019-02-07 10:46:05 +01:00