The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
1d416c2d77
6064. [security] An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new "update-quota" statement that controls the number of simultaneous UPDATE messages that can be processed or forwarded. The default is 100. A stats counter has been added to record events when the update quota is exceeded, and the XML and JSON statistics version numbers have been updated. (CVE-2022-3094) [GL #3523] Resolves: CVE-2022-3094 |
||
---|---|---|
.gitignore | ||
bind93-rh490837.patch | ||
bind97-rh478718.patch | ||
bind97-rh645544.patch | ||
bind97-rh669163.patch | ||
bind99-rh640538.patch | ||
bind-9.3.1rc1-sdb_tools-Makefile.in | ||
bind-9.3.2-redhat_doc.patch | ||
bind-9.3.2b1-fix_sdb_ldap.patch | ||
bind-9.3.2b2-sdbsrc.patch | ||
bind-9.5-dlz-64bit.patch | ||
bind-9.5-PIE.patch | ||
bind-9.9.1-P2-dlz-libdb.patch | ||
bind-9.9.1-P2-multlib-conflict.patch | ||
bind-9.10-dist-native-pkcs11.patch | ||
bind-9.10-sdb.patch | ||
bind-9.10-use-of-strlcat.patch | ||
bind-9.11-CVE-2021-25220-test.patch | ||
bind-9.11-CVE-2021-25220.patch | ||
bind-9.11-CVE-2022-2795.patch | ||
bind-9.11-dhcp-time-monotonic.patch | ||
bind-9.11-engine-pkcs11.patch | ||
bind-9.11-export-suffix.patch | ||
bind-9.11-fips-code-includes.patch | ||
bind-9.11-fips-code.patch | ||
bind-9.11-fips-disable.patch | ||
bind-9.11-fips-tests.patch | ||
bind-9.11-host-idn-disable.patch | ||
bind-9.11-json-c.patch | ||
bind-9.11-kyua-pkcs11.patch | ||
bind-9.11-oot-manual.patch | ||
bind-9.11-pk11.patch | ||
bind-9.11-rh1205168.patch | ||
bind-9.11-rh1410433.patch | ||
bind-9.11-rh1668682.patch | ||
bind-9.11-rh1980757.patch | ||
bind-9.11-rh2101712.patch | ||
bind-9.11-rh2133889.patch | ||
bind-9.11-rt31459.patch | ||
bind-9.11-rt46047.patch | ||
bind-9.11-serve-stale.patch | ||
bind-9.11-unit-disable-random.patch | ||
bind-9.11-zone2ldap.patch | ||
bind-9.15-resolver-ntasks.patch | ||
bind-9.16-CVE-2022-3094-1.patch | ||
bind-9.16-CVE-2022-3094-2.patch | ||
bind-9.16-CVE-2022-3094-3.patch | ||
bind-9.16-CVE-2022-38177.patch | ||
bind-9.16-CVE-2022-38178.patch | ||
bind-95-rh452060.patch | ||
bind-96-old-api.patch | ||
bind.spec | ||
bind.tmpfiles.d | ||
dnszone.schema | ||
gating.yaml | ||
generate-rndc-key.sh | ||
ldap2zone.1 | ||
ldap2zone.c | ||
named-chroot-setup.service | ||
named-chroot.files | ||
named-chroot.service | ||
named-pkcs11.service | ||
named-sdb-chroot-setup.service | ||
named-sdb-chroot.service | ||
named-sdb.8 | ||
named-sdb.service | ||
named-setup-rndc.service | ||
named.conf | ||
named.conf.sample | ||
named.empty | ||
named.localhost | ||
named.logrotate | ||
named.loopback | ||
named.rfc1912.zones | ||
named.root | ||
named.root.key | ||
named.rwtab | ||
named.service | ||
named.sysconfig | ||
README.sdb_pgsql | ||
setup-named-chroot.sh | ||
setup-named-softhsm.sh | ||
sources | ||
trusted-key.key | ||
zone2sqlite.1 | ||
zonetodb.1 |
PGSQL BIND SDB driver The postgresql BIND SDB driver is of experimental status and should not be used for production systems. Usage: o Use the named_sdb process ( put ENABLE_SDB=yes in /etc/sysconfig/named ) o Edit your named.conf to contain a database zone, eg. : zone "pgdb.net." IN { type master; database "pgsql bind pgdb localhost pguser pgpasswd"; # ^- DB name ^-Table ^-host ^-user ^-password }; o Create the database zone table The table must contain the columns "name", "rdtype", and "rdata", and is expected to contain a properly constructed zone. The program "zonetodb" creates such a table. zonetodb usage: zonetodb origin file dbname dbtable where origin : zone origin, eg "pgdb.net." file : master zone database file, eg. pgdb.net.db dbname : name of postgresql database dbtable: name of table in database Eg. to import this zone in the file 'pgdb.net.db' into the 'bind' database 'pgdb' table: --- #pgdb.net.db: $TTL 1H @ SOA localhost. root.localhost. ( 1 3H 1H 1W 1H ) NS localhost. host1 A 192.168.2.1 host2 A 192.168.2.2 host3 A 192.168.2.3 host4 A 192.168.2.4 host5 A 192.168.2.5 host6 A 192.168.2.6 host7 A 192.168.2.7 --- Issue this command as the pgsql user authorized to update the bind database: # zonetodb pgdb.net. pgdb.net.db bind pgdb will create / update the pgdb table in the 'bind' db: $ psql -dbind -c 'select * from pgdb;' name | ttl | rdtype | rdata ----------------+------+--------+----------------------------------------------------- pgdb.net | 3600 | SOA | localhost. root.localhost. 1 10800 3600 604800 3600 pgdb.net | 3600 | NS | localhost. host1.pgdb.net | 3600 | A | 192.168.2.1 host2.pgdb.net | 3600 | A | 192.168.2.2 host3.pgdb.net | 3600 | A | 192.168.2.3 host4.pgdb.net | 3600 | A | 192.168.2.4 host5.pgdb.net | 3600 | A | 192.168.2.5 host6.pgdb.net | 3600 | A | 192.168.2.6 host7.pgdb.net | 3600 | A | 192.168.2.7 (9 rows) I've tested exactly the above configuration with bind-sdb-9.3.1+ and it works OK. NOTE: If you use pgsqldb SDB, ensure the postgresql service is started before the named service . USE AT YOUR OWN RISK!