The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
5573a679ad
Be more strict when encountering DNSSEC validation failures - fail on the first failure.

This will break domains that have DNSSEC signing keys with duplicate key ids, but this is something that's much easier to fix on the authoritative side, so we are just going to be strict on the resolver side where it is causing performance problems.

(cherry picked from commit 8b7ecba9885e163c07c2dd3e1ceab79b2ba89e34)

Add normal and slow task queues

Split the task manager queues into normal and slow task queues, so we can move the tasks that block processing for a long time (like DNSSEC validation) into the slow queue which doesn't block fast operations (like responding from the cache). This mitigates the whole class of KeyTrap-like issues.

(cherry picked from commit db083a21726300916fa0b9fd8a433a796fedf636)

Don't iterate from start every time we select new signing key

Improve the selecting of the new signing key by remembering where we stopped the iteration and just continue from that place instead of iterating from the start over and over again each time.

(cherry picked from commit 75faeefcab47e4f1e12b358525190b4be90f97de)

Optimize selecting the signing key

Don't parse the crypto data before parsing and matching the id and the algorithm.

(cherry picked from commit b38552cca7200a72658e482f8407f57516efc5db)

6322. [security] Specific DNS answers could cause a denial-of-service condition due to DNS validation taking a long time. (CVE-2023-50387) [GL #4424]

The same code change also addresses another problem: preparing NSEC3 closest encloser proofs could exhaust available CPU resources. (CVE-2023-50868) [GL #4459]

Resolves: CVE-2023-50387 CVE-2023-50868
Resolves: RHEL-25681 RHEL-25649
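The commit message above describes three resolver-side changes without showing them: match a DNSKEY's tag and algorithm before touching any key material, resume the key scan where it stopped, and stop at the first failed verification instead of trying every colliding key. The following added example (not BIND code, and not taken from this repository) models those policies with a toy HMAC "signature" so that every verification attempt can be counted; the key tags, algorithm numbers, secrets and RRset bytes are constructed stand-ins, not real DNSSEC data.

```python
"""Model of a validator's key-selection and failure policy for one RRSIG.

Added example, not BIND code: it models the behaviours named in the commit
message (match key tag and algorithm before using any key material; resume
the key scan where it stopped; lenient vs. strict handling of a failed
verification) with a toy HMAC "signature" so every verification attempt can be
counted. Key tags, algorithm numbers and secrets are constructed stand-ins,
not real DNSSEC data.
"""
import hashlib
import hmac
from collections import namedtuple

DNSKey = namedtuple("DNSKey", "keytag algorithm secret")
RRSIG = namedtuple("RRSIG", "keytag algorithm signature")


def toy_sign(secret, rrset):
    """Stand-in for a real DNSSEC signature: HMAC-SHA256 over the RRset bytes."""
    return hmac.new(secret, rrset, hashlib.sha256).digest()


def candidate_keys(keys, sig):
    """Yield DNSKEYs whose tag and algorithm match the RRSIG.

    The cheap integer comparison happens before any key material is used, and
    because this is a generator the scan resumes after the last candidate
    instead of restarting from the first key after every failed attempt.
    """
    for key in keys:
        if key.keytag == sig.keytag and key.algorithm == sig.algorithm:
            yield key


def validate(rrset, rrsigs, keys, strict):
    """Return (accepted, verifications_attempted).

    strict=False keeps trying further candidate keys after a failed
    verification; strict=True treats the first failure as final.
    """
    attempts = 0
    for sig in rrsigs:
        for key in candidate_keys(keys, sig):
            attempts += 1
            if hmac.compare_digest(toy_sign(key.secret, rrset), sig.signature):
                return True, attempts
            if strict:
                return False, attempts
    return False, attempts


def compare_policies(n_colliding):
    """Validate one RRSIG against a DNSKEY RRset in which n_colliding extra
    keys share the signing key's tag and algorithm; return the
    (accepted, attempts) outcome for the lenient and the strict policy."""
    rrset = b"www.example. 3600 IN A 192.0.2.1"   # constructed RRset bytes
    signer = DNSKey(keytag=12345, algorithm=13, secret=b"signing-key")
    others = [DNSKey(12345, 13, b"other-key-%d" % i) for i in range(n_colliding)]
    keys = others + [signer]                       # real signer listed last
    sig = RRSIG(12345, 13, toy_sign(signer.secret, rrset))
    return (validate(rrset, [sig], keys, strict=False),
            validate(rrset, [sig], keys, strict=True))


if __name__ == "__main__":
    for n in (0, 1, 10):
        lenient, strict = compare_policies(n)
        print("%2d colliding keys: lenient=%s strict=%s" % (n, lenient, strict))
```

With no colliding keys both policies accept after one verification. With ten colliding keys the lenient policy still accepts, but only after eleven verifications, while the strict policy stops after the first failure and rejects the zone. That is exactly the trade-off the commit message states: work per RRSIG is bounded on the resolver, and a zone whose DNSKEY RRset carries duplicate key ids has to be corrected on the authoritative side. The task-queue split is not modelled here.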
| File |
|---|
| .gitignore |
| bind93-rh490837.patch |
| bind97-rh478718.patch |
| bind97-rh645544.patch |
| bind97-rh669163.patch |
| bind99-rh640538.patch |
| bind-9.3.1rc1-sdb_tools-Makefile.in |
| bind-9.3.2-redhat_doc.patch |
| bind-9.3.2b1-fix_sdb_ldap.patch |
| bind-9.3.2b2-sdbsrc.patch |
| bind-9.5-dlz-64bit.patch |
| bind-9.5-PIE.patch |
| bind-9.9.1-P2-dlz-libdb.patch |
| bind-9.9.1-P2-multlib-conflict.patch |
| bind-9.10-dist-native-pkcs11.patch |
| bind-9.10-sdb.patch |
| bind-9.10-use-of-strlcat.patch |
| bind-9.11-CVE-2021-25220-test.patch |
| bind-9.11-CVE-2021-25220.patch |
| bind-9.11-CVE-2022-2795.patch |
| bind-9.11-CVE-2023-2828.patch |
| bind-9.11-CVE-2023-4408.patch |
| bind-9.11-CVE-2023-50387.patch |
| bind-9.11-dhcp-time-monotonic.patch |
| bind-9.11-engine-pkcs11.patch |
| bind-9.11-export-suffix.patch |
| bind-9.11-fips-code-includes.patch |
| bind-9.11-fips-code.patch |
| bind-9.11-fips-disable.patch |
| bind-9.11-fips-tests.patch |
| bind-9.11-host-idn-disable.patch |
| bind-9.11-json-c.patch |
| bind-9.11-kyua-pkcs11.patch |
| bind-9.11-oot-manual.patch |
| bind-9.11-pk11.patch |
| bind-9.11-rh1205168.patch |
| bind-9.11-rh1410433.patch |
| bind-9.11-rh1668682.patch |
| bind-9.11-rh1980757.patch |
| bind-9.11-rh2101712.patch |
| bind-9.11-rh2133889.patch |
| bind-9.11-rt31459.patch |
| bind-9.11-rt46047.patch |
| bind-9.11-serve-stale.patch |
| bind-9.11-stale-cache.patch |
| bind-9.11-unit-disable-random.patch |
| bind-9.11-zone2ldap.patch |
| bind-9.15-resolver-ntasks.patch |
| bind-9.16-CVE-2022-3094-1.patch |
| bind-9.16-CVE-2022-3094-2.patch |
| bind-9.16-CVE-2022-3094-3.patch |
| bind-9.16-CVE-2022-3094-test.patch |
| bind-9.16-CVE-2022-38177.patch |
| bind-9.16-CVE-2022-38178.patch |
| bind-9.16-CVE-2023-3341.patch |
| bind-9.16-update-b.root-servers.net.patch |
| bind-95-rh452060.patch |
| bind-96-old-api.patch |
| bind.spec |
| bind.tmpfiles.d |
| dnszone.schema |
| gating.yaml |
| generate-rndc-key.sh |
| ldap2zone.1 |
| ldap2zone.c |
| named-chroot-setup.service |
| named-chroot.files |
| named-chroot.service |
| named-pkcs11.service |
| named-sdb-chroot-setup.service |
| named-sdb-chroot.service |
| named-sdb.8 |
| named-sdb.service |
| named-setup-rndc.service |
| named.conf |
| named.conf.sample |
| named.empty |
| named.localhost |
| named.logrotate |
| named.loopback |
| named.rfc1912.zones |
| named.root |
| named.root.key |
| named.rwtab |
| named.service |
| named.sysconfig |
| README.sdb_pgsql |
| setup-named-chroot.sh |
| setup-named-softhsm.sh |
| sources |
| trusted-key.key |
| zone2sqlite.1 |
| zonetodb.1 |
PGSQL BIND SDB driver

The postgresql BIND SDB driver is of experimental status and should not be used for production systems.

Usage:

o Use the named_sdb process (put ENABLE_SDB=yes in /etc/sysconfig/named)

o Edit your named.conf to contain a database zone, e.g.:

```
zone "pgdb.net." IN {
    type master;
    database "pgsql bind pgdb localhost pguser pgpasswd";
    #               ^- DB name ^-Table ^-host ^-user ^-password
};
```

o Create the database zone table

  The table must contain the columns "name", "rdtype", and "rdata", and is expected to contain a properly constructed zone. The program "zonetodb" creates such a table.

  zonetodb usage:

```
zonetodb origin file dbname dbtable
```

  where

    origin : zone origin, e.g. "pgdb.net."
    file   : master zone database file, e.g. pgdb.net.db
    dbname : name of postgresql database
    dbtable: name of table in database

E.g., to import this zone in the file 'pgdb.net.db' into the 'bind' database 'pgdb' table:

```
#pgdb.net.db:
$TTL 1H
@       SOA localhost. root.localhost. ( 1 3H 1H 1W 1H )
        NS  localhost.
host1   A   192.168.2.1
host2   A   192.168.2.2
host3   A   192.168.2.3
host4   A   192.168.2.4
host5   A   192.168.2.5
host6   A   192.168.2.6
host7   A   192.168.2.7
```

Issue this command as the pgsql user authorized to update the bind database:

```
# zonetodb pgdb.net. pgdb.net.db bind pgdb
```

This will create / update the pgdb table in the 'bind' db:

```
$ psql -dbind -c 'select * from pgdb;'
      name      | ttl  | rdtype |                        rdata
----------------+------+--------+-----------------------------------------------------
 pgdb.net       | 3600 | SOA    | localhost. root.localhost. 1 10800 3600 604800 3600
 pgdb.net       | 3600 | NS     | localhost.
 host1.pgdb.net | 3600 | A      | 192.168.2.1
 host2.pgdb.net | 3600 | A      | 192.168.2.2
 host3.pgdb.net | 3600 | A      | 192.168.2.3
 host4.pgdb.net | 3600 | A      | 192.168.2.4
 host5.pgdb.net | 3600 | A      | 192.168.2.5
 host6.pgdb.net | 3600 | A      | 192.168.2.6
 host7.pgdb.net | 3600 | A      | 192.168.2.7
(9 rows)
```

I've tested exactly the above configuration with bind-sdb-9.3.1+ and it works OK.

NOTE: If you use pgsqldb SDB, ensure the postgresql service is started before the named service. USE AT YOUR OWN RISK!
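The README states the table layout zonetodb produces (name, ttl, rdtype, rdata) and shows the rows it expects for the sample zone, but not how a master file maps onto those rows. The following added example is not the package's zonetodb program; it is an independent, minimal re-implementation of that mapping in Python so the result can be checked against the psql output above. The function names (`parse_ttl`, `zone_to_rows`) and the sample zone are constructed for this example, and only the syntax the README's zone uses is supported ($TTL/$ORIGIN, parenthesised continuation lines, ; comments, an optional per-record TTL and IN class, SOA/NS/CNAME name expansion).

```python
"""Convert a small BIND master-file zone into (name, ttl, rdtype, rdata) rows.

Added example, not the package's zonetodb program: an independent, minimal
re-implementation of the mapping the README describes, so the rows can be
compared against the psql output shown there. It supports only what that
example needs, not the whole master-file syntax.
"""
import re

# BIND TTL unit suffixes (assumption: the subset needed here).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TTL_RE = r"\d+|(\d+[smhdwSMHDW])+"


def parse_ttl(text):
    """Turn '3600', '1H' or '1W2D' into seconds."""
    if text.isdigit():
        return int(text)
    if not re.fullmatch(r"(\d+[smhdwSMHDW])+", text):
        raise ValueError("bad TTL: %r" % text)
    return sum(int(n) * _UNITS[u.lower()]
               for n, u in re.findall(r"(\d+)([A-Za-z])", text))


def _entries(zone_text):
    """Yield (owner_inherited, tokens) per master-file entry.

    Comments are stripped, '(' ... ')' groups are joined across lines, and a
    leading blank on the first line means 'same owner as the previous record'.
    """
    buf, depth, inherited = [], 0, False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]          # drop comment
        if depth == 0:
            if not line.strip():
                continue
            inherited = line[0].isspace()
        for tok in line.replace("(", " ( ").replace(")", " ) ").split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                buf.append(tok)
        if depth == 0 and buf:
            yield inherited, buf
            buf = []


def _qualify(name, origin):
    """Make a relative name absolute under origin ('@' is the origin itself)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def zone_to_rows(zone_text, origin):
    """Return [(name, ttl_seconds, rdtype, rdata), ...] in the table's layout."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, owner, rows = None, origin, []
    for inherited, toks in _entries(zone_text):
        if toks[0].upper() == "$TTL":
            default_ttl = parse_ttl(toks[1])
            continue
        if toks[0].upper() == "$ORIGIN":
            origin = _qualify(toks[1], origin)
            continue
        if toks[0].startswith("$"):
            raise ValueError("unsupported directive %s" % toks[0])
        if not inherited:
            owner, toks = _qualify(toks[0], origin), toks[1:]
        ttl = default_ttl
        if re.fullmatch(_TTL_RE, toks[0]):      # optional per-record TTL
            ttl, toks = parse_ttl(toks[0]), toks[1:]
        if toks[0].upper() == "IN":            # optional class
            toks = toks[1:]
        if ttl is None:
            raise ValueError("no TTL known for %s" % owner)
        rdtype, rdata = toks[0].upper(), toks[1:]
        if rdtype == "SOA":
            # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM, times in seconds
            rdata = ([_qualify(rdata[0], origin), _qualify(rdata[1], origin), rdata[2]]
                     + [str(parse_ttl(t)) for t in rdata[3:7]])
        elif rdtype in ("NS", "CNAME"):
            rdata = [_qualify(rdata[0], origin)]
        rows.append((owner.rstrip("."), ttl, rdtype, " ".join(rdata)))
    return rows


# Constructed sample: the pgdb.net.db zone from the README, with the SOA
# written across several lines to exercise the ( ) handling.
SAMPLE_ZONE = """\
$TTL 1H
@       SOA localhost. root.localhost. (
                1       ; serial
                3H      ; refresh
                1H      ; retry
                1W      ; expire
                1H )    ; minimum
        NS  localhost.
host1   A   192.168.2.1
host2   A   192.168.2.2
host3   A   192.168.2.3
host4   A   192.168.2.4
host5   A   192.168.2.5
host6   A   192.168.2.6
host7   A   192.168.2.7
"""

if __name__ == "__main__":
    for row in zone_to_rows(SAMPLE_ZONE, "pgdb.net."):
        print("%-15s | %4d | %-6s | %s" % row)
```

Running it prints the same nine rows the psql query shows: the `$TTL 1H` default becomes 3600, the SOA's `3H 1H 1W 1H` become `10800 3600 604800 3600`, and relative owner names are expanded under `pgdb.net.` with the trailing dot removed. Anything a real zone uses beyond this subset (other directives, quoted strings, other record types with domain-name fields) is rejected or passed through untouched, so this is a checking aid for the README's example rather than a replacement for zonetodb.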