Few configuration and zone files were moved into tarball by commit
55b04de09a. It makes tracking of changes difficult, hardens rebases,
makes difficult building without proper lookaside cache. Those files are
tiny, no need to hold them inside compressed binary archive. Move them
out.
Replaces also few places with proper directory macros.
- Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
cause unexpected results; this has been fixed. [GL #1106]
- named-checkconf now checks DNS64 prefixes
to ensure bits 64-71 are zero. [GL #1159]
- named-checkconf could crash during configuration
if configured to use "geoip continent" ACLs with
legacy GeoIP. [GL #1163]
- named-checkconf now correctly reports missing
dnstap-output option when
dnstap is set. [GL #1136
- Handle ETIMEDOUT error on connect() with a non-blocking
socket. [GL #1133]
Testing takes quite long. For now, use by default only normal variant.
SDB variant is not much used and pkcs11 variant is failing now. Keep
ability to enable variants by parameter:
TEST_VARIANTS="normal sdb pkcs11"
bind-devel should now provide all dependencies required. Omit explicitl
requirements for building. Drop atf building support, since upstream
moved to cmocka.
Make it possible to skip some test using parameter. In some cases, just
single pass is required.
Also fix case when no known defects are specified for a variant.
Previous build recommended bind-dnssec-utils just to provide manual for
pkcs11 variants. Instead, share the same files between pkcs11-utils and
dnssec-utils. Skip unnecessary manual of non-existent dnssec-coverage-pkcs11 tool.
Manual pages are just links to pages in bind-dnssec-utils. Do not copy
them, but suggest them for installation is possible. It would be handy
to have them available, but are not required for any function.
named can use ACLs defined by GeoIP of request. Such information is not
available by default under named-chroot service. Enable GeoIP databases
under chroot without explicit configuration.
Make it easier to manage list of used directories in chroot. Use
appropriate macros for system directories everywhere in chroot package.
Share common variable with -sdb-chroot and -chroot packages.
Some utilities are not related DNSSEC at all, but are just bind related
tools. Because they do not require additional dependencies, they do not
save any space in containers.
When MD5 is disabled in library, it behaved like RSAMD5 were unknown.
But security-policy disables it explicitly. It failed to even start in
FIPS mode, because such algorithm were unknown. Fix disabled algorithm
to return disabled result code. Accept such algorithm only when
disabling it.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Contains:
5244. [security] Fixed a race condition in dns_dispatch_getnext()
that could cause an assertion failure if a
significant number of incoming packets were
rejected. (CVE-2019-6471) [GL #942]
5241. [bug] Fix Ed448 private and public key ASN.1 prefix blobs.
[GL #225]
5237. [bug] Recurse to find the root server list with 'dig +trace'.
[GL #1028]