All DLZ modules were installed by mistake in main bind package.
Remove them from there, they should be offered only by each dlz
subpackage.
Move modules to upstream used directory %{_libdir}/named.
I find no reason to turn off devel package creation. It can be ignored
if required, but is mandatory due to Fedora packaging guidelines.
Simplify it a bit.
Those packages were very similar in BIND 9.11. Since there is no
isc-config.sh, no significant or required reason to have them separated
exist. Keep separated libraries, but only one devel package.
DLZ modules turned built-in support into named, just like former
named-sdb package had. That was non-intentional and is disabled now.
Instead, build only dynamically loaded modules with support for various
database access.
Because pending issues with PDF regeneration, disable PDF for now.
Allow turning it on with --with DOCPDF.
It prevents building successfully on Rawhide/f33 for some reason.
Subpackage is there just as shared documentation for main package.
I want to stay in original directory, files should not move since they
were in bind package.
Documentation is not regenerated, but used as shipped by upstream.
Subpackage is there just as shared documentation for main package.
I want to stay in original directory, even most of paths have changed
since move to sphinx generated documentation.
Do not depend hard on initscript just to provide fancy colored status.
When started from systemd, it does not really matter.
Return exactly the same return code as returned by the original tool.
Do not depend hard on initscript just to provide fancy colored status.
When started from systemd, it does not really matter.
Return exactly the same return code as returned by the original tool.
softhsm is not provided on RHEL 8 as normal package. It is distributed
only in idm:DL1 module. If unittest or systemtest is not enabled, skip
configuring softhsm. It would not be used anyway.
Set of patches and changes, that fixes compilation of native PKCS11
support as subpackage. Moves definition of USE_PKCS11 from config.h to
Makefiles. Defaults to off and only PKCS11 subdirectories set it to
true.
Notes for BIND 9.16.2
Security Fixes
DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574]
Known Issues
We have received reports that in some circumstances, receipt of an IXFR can cause the processing of queries to slow significantly. Some of these were related to RPZ processing, which has been fixed in this release (see below). Others appear to occur where there are NSEC3-related changes (such as an operator changing the NSEC3 salt used in the hash calculation). These are being investigated. [GL #1685]
Feature Changes
The previous DNSSEC sign statistics used lots of memory. The number of keys to track is reduced to four per zone, which should be enough for 99% of all signed zones. [GL #1179]
Bug Fixes
When an RPZ policy zone was updated via zone transfer and a large number of records was deleted, named could become nonresponsive for a short period while deleted names were removed from the RPZ summary database. This database cleanup is now done incrementally over a longer period of time, reducing such delays. [GL #1447]
When trying to migrate an already-signed zone from auto-dnssec maintain to one based on dnssec-policy, the existing keys were immediately deleted and replaced with new ones. As the key rollover timing constraints were not being followed, it was possible that some clients would not have been able to validate responses until all old DNSSEC information had timed out from caches. BIND now looks at the time metadata of the existing keys and incorporates it into its DNSSEC policy operation. [GL #1706]
From Upstream Release notes:
Security Fixes
DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574]
Known Issues
We have received reports that in some circumstances, receipt of an IXFR can cause the processing of queries to slow significantly. Some of these were related to RPZ processing, which has been fixed in this release (see below). Others appear to occur where there are NSEC3-related changes (such as an operator changing the NSEC3 salt used in the hash calculation). These are being investigated. [GL #1685]
Updated from 9.14 to 9.16.1.
Disabled SIGCHASE, since it no longer exists.
Disabled PKCS11 native build for now
Disabled EXPORT_LIBS
No longer ships isc-config.sh, missing it.
Unlike other build dependencies, no public headers include from
libmaxminddb any symbols. That means no build would ever fail
if libmaxminddb-devel package is not installed. Do not require it when
installing bind-lite-devel but keep the requirement when building from
sources.
Has to be enabled in build by --with TSAN.
Would make build fail unit tests and print many warnings about possible
race conditions. Not useful for production build, but useful for
debugging thread related problems in system tests.
It might not fix all issues, but was detected by upstream using
automated tool. Should not break anything new, but might fix issue
triggered usually on ppc64le platform.
Previous fix included just part inside named. However, checking part
would check algorithm support also in check library. The code is almost
the same. Permit already disabled algoritms also in libbind9.
Use the same change as RHEL.
Return failed status code to command. Not only report error message to
the log, but also report reload success. Must not terminate running
service on failed reload.
Use parallel execution on test run. Support already configured
interfaces without special permissions on build. It can either use
already present addresses or configure it on build time. If it has no
rights to configure it, just skip the test and continue.
Few configuration and zone files were moved into tarball by commit
55b04de09a. It makes tracking of changes difficult, hardens rebases,
makes difficult building without proper lookaside cache. Those files are
tiny, no need to hold them inside compressed binary archive. Move them
out.
Replaces also few places with proper directory macros.
Previous build recommended bind-dnssec-utils just to provide manual for
pkcs11 variants. Instead, share the same files between pkcs11-utils and
dnssec-utils. Skip unnecessary manual of non-existent dnssec-coverage-pkcs11 tool.
Manual pages are just links to pages in bind-dnssec-utils. Do not copy
them, but suggest them for installation is possible. It would be handy
to have them available, but are not required for any function.
named can use ACLs defined by GeoIP of request. Such information is not
available by default under named-chroot service. Enable GeoIP databases
under chroot without explicit configuration.
Make it easier to manage list of used directories in chroot. Use
appropriate macros for system directories everywhere in chroot package.
Share common variable with -sdb-chroot and -chroot packages.
Some utilities are not related DNSSEC at all, but are just bind related
tools. Because they do not require additional dependencies, they do not
save any space in containers.
When MD5 is disabled in library, it behaved like RSAMD5 were unknown.
But security-policy disables it explicitly. It failed to even start in
FIPS mode, because such algorithm were unknown. Fix disabled algorithm
to return disabled result code. Accept such algorithm only when
disabling it.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Contains:
5244. [security] Fixed a race condition in dns_dispatch_getnext()
that could cause an assertion failure if a
significant number of incoming packets were
rejected. (CVE-2019-6471) [GL #942]
5241. [bug] Fix Ed448 private and public key ASN.1 prefix blobs.
[GL #225]
5237. [bug] Recurse to find the root server list with 'dig +trace'.
[GL #1028]
Upstream no longer ships bundled libatf library and no longer uses ATF
in sources. kyua and cmocka are mandatory for unit tests now. Removes
--with KYUA, use --with UNITTEST on different builds when cmocka and
kyua are available.
Red Hat has alternative variant builds of named, which are not ever
tested by system tests. New variables make it relatively easy to test
alternative variants.
For sdb variant use:
export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
For pkcs variant use:
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
followed by make test in build directory.
Note: PKCS11 tests are still skipped, it requires SLOT variable
exported. Fails in some cases.
System tests are failing for named, because it cannot detect it does not
support filesystem SDB. Move feature test to named directory, so it is
built for every variant.
Output produced by helper is multiline starting with comment. Unless it
is enclosed in quotes, it will be concatenated into single line.
Fixes commit fa1631eef7
Make default secure enough, no predefined pins are used. Generate pin
and save it into file protected by unix rights. HSM tools will probably
require it anyway. Use smart defaults.
Dig could be used to receive zone via AXFR. If IDN data are inside and
are decoded, it cannot be used as named zone file. Disable +idnout if
stdin is not a tty.