Commit Graph

193 Commits

Author SHA1 Message Date
Petr Menšík
9c54517d6f Update to 9.16.16 (#1954827)
https://downloads.isc.org/isc/bind9/9.16.16/doc/arm/html/notes.html#notes-for-bind-9-16-16
2021-05-21 10:39:29 +02:00
Petr Menšík
f8cb93d57c Update to 9.16.15
Resolves CVE-2021-25215 and CVE-2021-25214.
Removes disable-isc-spnego flag, because custom isc spnego code were
removed with also this flag. It is default (and the only) option now.
2021-04-29 18:13:33 +02:00
Petr Menšík
76074cd59a Update to 9.16.13
Reworked custom redhat version. Complete version is now part of library
names. Libraries are not recommended for any third party application.
They are still required for bind-dyndb-ldap only.

Version of named changed, only suffix -RH is appended to upstream
version. Therefore dig would not contain version
9.6.11-RedHat-9.6.11-1.fc34, but only 9.6.13-RH. Version of fedora build
have to be obtained from rpm -q bind.

Version is now part of library names, bind-libs-lite was merged to
bind-libs. bind-dyndb-ldap needs whole bind, no point to offer smaller
library set just for its dependencies.

Updated also named(8) manual page to match current state of SELinux.
2021-03-25 22:23:27 +01:00
Petr Menšík
f3d54bbf18 Update to 9.16.11 (#1827602)
https://downloads.isc.org/isc/bind9/9.16.11/RELEASE-NOTES-bind-9.16.11.html
2021-01-21 11:34:02 +01:00
Petr Menšík
ddf24a90e3 Update to 9.16.10
Enhancement and bugfix update.

Changes documented at upstream release note:
https://downloads.isc.org/isc/bind9/9.16.10/doc/arm/html/notes.html#notes-for-bind-9-16-10
2021-01-05 15:16:21 +01:00
Petr Menšík
1f381a9469 Update to 9.16.9
Changes solib version, requires rebuild of dependent packages.

Upstream release notes:
https://downloads.isc.org/isc/bind9/9.16.9/doc/arm/html/notes.html#notes-for-bind-9-16-9
2020-11-26 15:17:59 +01:00
Petr Menšík
b4711541c2 Update to 9.16.8
DNS Flag Day 2020 - reduced default EDNS buffer to 1232.
New rndc dnssec -rollover command.

https://downloads.isc.org/isc/bind9/9.16.8/doc/arm/html/notes.html#notes-for-bind-9-16-8
2020-10-23 20:30:49 +02:00
Petr Menšík
9e7477b3c4 Update to 9.16.7
Bugfix release.

https://downloads.isc.org/isc/bind9/9.16.7/doc/arm/html/notes.html#notes-for-bind-9-16-7
2020-09-17 12:11:10 +02:00
Petr Menšík
cb3f3691e4 Update to 9.16.6
Release notes:
https://downloads.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6
2020-08-22 11:44:09 +02:00
Petr Menšík
23ca292909 Update to 9.16.5
Modifies API of libraries, needs rebuild of dependent packages.
2020-07-15 22:39:37 +02:00
Petr Menšík
2a2d2faeae fixup! Update to 9.16.4 2020-06-18 14:07:00 +02:00
Petr Menšík
1b133224fc Update to 9.16.2
Notes for BIND 9.16.2
Security Fixes

    DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574]

Known Issues

    We have received reports that in some circumstances, receipt of an IXFR can cause the processing of queries to slow significantly. Some of these were related to RPZ processing, which has been fixed in this release (see below). Others appear to occur where there are NSEC3-related changes (such as an operator changing the NSEC3 salt used in the hash calculation). These are being investigated. [GL #1685]

Feature Changes

    The previous DNSSEC sign statistics used lots of memory. The number of keys to track is reduced to four per zone, which should be enough for 99% of all signed zones. [GL #1179]

Bug Fixes

    When an RPZ policy zone was updated via zone transfer and a large number of records was deleted, named could become nonresponsive for a short period while deleted names were removed from the RPZ summary database. This database cleanup is now done incrementally over a longer period of time, reducing such delays. [GL #1447]

    When trying to migrate an already-signed zone from auto-dnssec maintain to one based on dnssec-policy, the existing keys were immediately deleted and replaced with new ones. As the key rollover timing constraints were not being followed, it was possible that some clients would not have been able to validate responses until all old DNSSEC information had timed out from caches. BIND now looks at the time metadata of the existing keys and incorporates it into its DNSSEC policy operation. [GL #1706]
2020-04-16 12:38:00 +02:00
Petr Menšík
b626a2bfa5 Compilable 9.16.1 package
Updated from 9.14 to 9.16.1.
Disabled SIGCHASE, since it no longer exists.
Disabled PKCS11 native build for now
Disabled EXPORT_LIBS

No longer ships isc-config.sh, missing it.
2020-03-27 11:28:11 +01:00
Petr Menšík
2dbb099871 Update to 9.14.4
Current latest version fixes unit tests.
2020-03-27 11:20:45 +01:00
Petr Menšík
23657868e6 Update to 9.11.14
Includes ThreadSanitizer fixes already included as downstream patches.
Adjusts serve-stale patch, one new statistics.
2019-12-19 18:43:23 +01:00
Petr Menšík
74b53c3a58 Update to 9.11.13 2019-11-25 21:06:06 +01:00
Petr Menšík
86712fc834 Remove config archive with zone files
Few configuration and zone files were moved into tarball by commit
55b04de09a. It makes tracking of changes difficult, hardens rebases,
makes difficult building without proper lookaside cache. Those files are
tiny, no need to hold them inside compressed binary archive. Move them
out.

Replaces also few places with proper directory macros.
2019-11-04 21:45:08 +01:00
Petr Menšík
d0053ae530 Update to 9.11.12 (#1557762) 2019-10-21 14:26:32 +02:00
Petr Menšík
69b861316f Update to 9.11.11
- Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
  cause unexpected results; this has been fixed. [GL #1106]

- named-checkconf now checks DNS64 prefixes
  to ensure bits 64-71 are zero. [GL #1159]

- named-checkconf could crash during configuration
  if configured to use "geoip continent" ACLs with
  legacy GeoIP. [GL #1163]

- named-checkconf now correctly reports missing
  dnstap-output option when
  dnstap is set. [GL #1136

- Handle ETIMEDOUT error on connect() with a non-blocking
  socket. [GL #1133]
2019-09-25 21:24:23 +02:00
Petr Menšík
72f1dad845 Update to BIND 9.11.10 2019-08-27 21:39:46 +02:00
Petr Menšík
afa1fa2af7 Update to 9.11.9 2019-08-08 12:16:51 +02:00
Petr Menšík
16ecf0736f Update to 9.11.8
Contains:
5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
			that could cause an assertion failure if a
			significant number of incoming packets were
			rejected. (CVE-2019-6471) [GL #942]

5241.	[bug]		Fix Ed448 private and public key ASN.1 prefix blobs.
			[GL #225]

5237.	[bug]		Recurse to find the root server list with 'dig +trace'.
			[GL #1028]
2019-07-02 11:10:03 +02:00
Petr Menšík
625ca235be Update to BIND 9.11.7
Fixes trusted-keys and managed-keys using the same filename.

https://downloads.isc.org/isc/bind9/9.11.7/RELEASE-NOTES-bind-9.11.7.html
2019-06-10 10:41:28 +02:00
Petr Menšík
4b42a5c162 5200. [security] tcp-clients settings could be exceeded in some cases,
which could lead to exhaustion of file descriptors.
                        (CVE-2018-5743) [GL #615]
2019-05-02 14:49:56 +02:00
Petr Menšík
2aa49f0cec Update to 9.11.6
Update lastest release, patches not yet adepted for it.
2019-03-05 14:35:50 +01:00
Petr Menšík
321554b987 Update to BIND 9.11.5-P4
Add also PGP signature as part of repository.
2019-02-22 19:40:00 +01:00
Petr Menšík
6fee3d63e9 Remove revoked KSK 19164 from trusted root keys 2019-02-15 19:50:20 +01:00
Petr Menšík
13f8f23ec5 Update to 9.11.5-P1 2019-01-28 00:47:11 +01:00
Petr Menšík
ad7b3b8f12 Update to 9.11.5
Bump to higher version, update sources.

More fixes to rebased BIND. Many patches are affected by stdbool change.
Update libraries so versions.
2018-11-05 18:12:29 +01:00
Petr Menšík
0b3ef49c00 Update to bind-9.11.4-P2 2018-09-20 11:38:06 +02:00
Petr Menšík
35334375ff Update to 9.11.4-P1
- Fixes CVE-2018-5740
- Adds root key sentinel mechanism support
- incremental zone transfer limit to prevent journal corruption
- rndc reload memory leak
2018-08-09 13:13:02 +02:00
Petr Menšík
a38c250807 Update to 9.11.4
- Use more recent kyua, upstream bind now requires parallelism.
- Make global so version variables for libraries with multiple builds.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
2018-07-13 14:14:38 +02:00
Petr Menšík
b8176e5eb4 Update named.ca 2018-04-05 16:38:16 +02:00
Petr Menšík
86ff90b834 Rebase to 9.11.3
Signed-off-by: Petr Menšík <pemensik@redhat.com>
2018-03-21 17:59:41 +01:00
Petr Menšík
cb2172301b Rebase to 9.11.3b1
Remove merged upstream patches

Signed-off-by: Petr Menšík <pemensik@redhat.com>

Update new so names
2018-02-17 09:29:59 +01:00
Petr Menšík
7556fb076a Fix CVE-2017-3145, rebase to 9.11.2-P1
Signed-off-by: Petr Menšík <pemensik@redhat.com>
2018-01-16 23:38:29 +01:00
Petr Menšík
5d8eb8cf1d Update named.ca, move named.conf out of config archive 2017-08-16 22:47:09 +02:00
Petr Menšík
7584e54e6c Update to 9.11.2 2017-08-14 12:17:30 +02:00
Petr Menšík
79d28ed32a Update to 9.11.2b1 2017-08-08 17:14:41 +02:00
Petr Menšík
e42c700db9 Update to 9.11.1-P3 2017-07-10 10:21:43 +02:00
Petr Menšík
85d0fb613e Update to 9.11.1-P2 2017-06-30 16:06:24 +02:00
Petr Menšík
08bdf0ebe6 Update to 9.11.1-P1 2017-06-15 17:19:36 +02:00
Petr Menšík
09e4b5788e - Update to 9.11.0-P5
- Use BINDVERSION for upstream version

Signed-off-by: Petr Menšík <pemensik@redhat.com>
2017-04-18 10:51:38 +02:00
Petr Menšík
bbe4229562 Update to 9.11.0-P3 2017-02-10 09:20:33 +01:00
Petr Menšík
f696d69809 Update to 9.11.0-P2
Signed-off-by: Petr Menšík <pemensik@redhat.com>
2017-01-12 16:09:05 +01:00
Michal Ruprich
d886cd072d Update to 9.11.0-P1 2016-11-16 08:46:09 +01:00
Petr Menšík
e94c66494e Update to 9.10.4-P4 2016-11-08 16:31:48 +01:00
Tomas Hozza
27a8e54aa7 Update to 9.10.4-P3
Signed-off-by: Tomas Hozza <thozza@redhat.com>
2016-09-29 10:23:55 +02:00
Michal Ruprich
02e0755d17 Update to 9.10.4-P2
Signed-off-by: Michal Ruprich <mruprich@redhat.com>
2016-07-20 13:51:14 +02:00
Tomas Hozza
3fed71e579 Update to 9.10.4-P1 2016-05-26 17:23:15 +02:00