named contains high number of assertions checking expected state of the
daemon. That is part of defensive code style to prevent many attacks.
The most common failure is failing some assertion check in rare
circumstances. Even when this should not happen, try keeping the service
running. If such failed assertion produces coredump just from time to
time, avoid failing hard the whole service. coredumpctl will keep track
of all crashes anyway.
Last version installed can be 9.18.4-1, which still provides dnssec-doc
subpackage. Make it more specific to obsolete even that version and
allow smooth upgrade.
Set CI=true only when --with UNITTEST_ALL is not used, which is a
default. Should skip problematic and often failing test in netmgr:
- tcp_recv_two_quota
- tcp_noresponse
Engine interface were deprecated in OpenSSL and therefore removed from
normal compilation. But it is possible to compile on OpenSSL with compat
define. That disables deprecation warnings and use functions same as for
OpenSSL 1.1. That is required to keep working engine pkcs11 support.
Otherwise loading keys via ENGINE_load_private_key would always fail.
Resolves: rhbz:#2122010
Previous change did not do anything, because rpm will terminate the
recipe on the first failed command. Make make check not failing
directly, but fail it later explicitly. Show details in the mean time.
Recent freeipa uses openssl backend pkcs11 to offload keys to secure
storage. Remove duplicate native builds of pkcs11 tools and daemon. Do
not build tools like pkcs11-tokens, rely or more advanced tools p11tool
and pkcs11-tool. Keep setup-named-softhsm as part of named package.
SELinux booleans system pushes enablement into a stack. It saves
previous values and restores them on removal. But the default for
boolean named_write_master_zones has changed to true. Update it just
single time on upgrade from previous bind versions. Then rely on
previous version being a permanent value.
bind-dyndb-ldap requires sending from custom spawned thread to main
named threads. Change queue type to locked variant, which would not
crash when isc_send_task() is called from dyndb worker thread.
Related: rhbz#2048235
Those errors can be dropped by simple configuration:
logging {
category lame_servers { null; };
};
Do not hide them into debug log on all servers. Expect lame servers are
not so common to drop it always.
Allow all subsequent patches with higher number to be added to normal
common list of patches. Make just initial patches special.
Ensure all patch chunks use -p1 prefix.
bind-dyndb-ldap started crashing after memory optimization made in
9.16.25 release. It attempts to use now uninitialized memory part. Work
around this problem by extra command line parameters, which would
request additional threads. Those threads then would be safely used by
bind-dyndb-ldap. Requires change to bind-dyndb-ldap and freeipa
packages.
Needs freeipa to add OPTIONS+="-H 200" to /etc/sysconfig/named
Related: rhbz#2048235
Use more friendly value for primary and secondary zones. It used master
for ages, but that might have wrong connotation to someone. Use
something without problematic history.
Thread removal were incomplete, it has broken some dlz modules
compilation. Ensure threaded variant is always used, remove
remains of single-thread variant.
Rename internal function to not start with just ldap_ prefix. OpenLDAP
library provides such function with different parameters and compiler
cannot pass it.
BIND reads default system port ranges from /proc file. Propagate just
that single file to bind chroot. Defaults should be therefore the same
as on named.service.
Resolves: rhbz#2013597