Drop original user creation in favor of sysusers file definition.
(cherry picked from commit 071ec07d27989a8d548834292fa46ca2312b4862)
(cherry picked from commit efb20ad8e740aafb410c0609fe94551135f2054b)
Resolves: RHEL-132054
(cherry picked from commit 4f18fb958fc3108bdca4c8192f7872db02c49673)
Image mode might have a separate /var partition not properly initialized by
package installation. Add creation of compat files to the tmpfiles.d
definition.
Make copies of those files from /var/named to /usr/share/named, so we
even have some place to symlink them from. Originally it had only a copy
in the sample documentation, which may not be installed.
These source files should be read-only for named and not modified
anyway. Copy them to /usr/share/named as read-only, always present
sources. Make symlinks in /var/named to point to them only when files
are missing.
To maximize backward compatibility, make copies and avoid replacing
those files with symlinks.
Resolves: RHEL-122168
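As an added illustration of what the two commits above describe, not the package's own files: the named user is declared through sysusers.d instead of a useradd call, the directories are created by tmpfiles.d so an uninitialized /var on image mode still gets them, and the compat files are copied from their read-only sources under /usr/share/named only when the destination is missing. The file names named.ca, named.localhost, named.loopback and named.empty, the fragment paths, the mode bits and the GECOS/shell values are assumptions for the example.

```conf
# /usr/lib/sysusers.d/named.conf (assumed path): Type Name ID GECOS Home Shell
# Replaces the useradd in %pre; systemd-sysusers creates the account if absent.
u named - "Named" /var/named /sbin/nologin

# /usr/lib/tmpfiles.d/named.conf (assumed path)
# Directories are created at boot even when /var came up empty (image mode).
# Modes below are assumptions; 1770 keeps the sticky bit on the data root.
d /var/named 1770 root named -
d /var/named/data 0770 named named -
d /var/named/dynamic 0770 named named -

# 'C' copies the source only if the destination does not exist yet, so an
# administrator's edited copy is never replaced and the file stays a real
# file rather than a symlink (the commits prefer copies for compatibility).
# Mode/user/group are left as '-' so the copied file keeps the source's.
C /var/named/named.ca - - - - /usr/share/named/named.ca
C /var/named/named.localhost - - - - /usr/share/named/named.localhost
C /var/named/named.loopback - - - - /usr/share/named/named.loopback
C /var/named/named.empty - - - - /usr/share/named/named.empty
```

Both fragments are applied at boot; to check them by hand run `systemd-sysusers` and `systemd-tmpfiles --create` (optionally with the fragment path as an argument) and confirm that an existing, locally modified /var/named/named.ca is left untouched while a missing one is recreated from /usr/share/named.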
Many variants are not built anymore. Clean up actions to just those still
shipped. But do not trigger a named reload when the named.run file is empty.
That is common on FreeIPA installations, where the configuration changes
logging to put it elsewhere. A named reload is disruptive because of how
bind-dyndb-ldap behaves during reloads. Avoid unnecessary reloads with
visible service disruption.
Keep named-pkcs11 reload variant.
Resolves: RHEL-113968
resume_qmin did not handle the special case of a recursing query hitting an
unexpected DNS_R_CNAME result. Change the result to SERVFAIL in the case
of a zone loaded after the recursion started. That prevents a crash
later in query_setorder, where an uninitialized foundname is compared
with absolute order names.
https://gitlab.isc.org/isc-projects/bind9/-/issues/5357
Resolves: RHEL-96648
Fix DNS-over-HTTP(S) implementation issues that arise under heavy
query load. Optimize resource usage for :iscman:`named` instances
that accept queries over DNS-over-HTTP(S).
Previously, :iscman:`named` would process all incoming HTTP/2 data
at once, which could overwhelm the server, especially when dealing
with clients that send requests but don't wait for responses. That
has been fixed. Now, :iscman:`named` handles HTTP/2 data in smaller
chunks and throttles reading until the remote side reads the
response data. It also throttles clients that send too many requests
at once.
Additionally, :iscman:`named` now carefully processes data sent by
some clients, which can be considered "flooding." It logs these
clients and drops connections from them.
:gl:`#4795`
In some cases, :iscman:`named` could leave DNS-over-HTTP(S)
connections in the `CLOSE_WAIT` state indefinitely. That also has
been fixed. ISC would like to thank JF Billaud for thoroughly
investigating the issue and verifying the fix.
:gl:`#5083`
Vulnerability: CVE-2024-12705
Resolves: RHEL-76868
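As an added example, not BIND's code, the following Python models the per-connection policy the CVE-2024-12705 note describes: requests are parsed in small chunks rather than all at once, reading stops until the remote side has drained the responses already sent, and a client that keeps queueing requests while never reading responses is logged and dropped. The chunk size, the unread-response window, the response size and the flooding threshold are assumptions chosen for the demonstration, and the request queue is constructed inline.

```python
# Added example, not BIND's code: a small model of the DNS-over-HTTP(S)
# connection policy from the CVE-2024-12705 note. Every limit below is an
# assumption chosen for the demo, not a value taken from named.

CHUNK_REQUESTS = 4        # requests parsed per read instead of all at once
MAX_UNREAD_BYTES = 4096   # response bytes the peer must read before we read again
RESPONSE_BYTES = 1024     # constructed size of one answered request
FLOOD_LIMIT = 16          # requests still queued while we are paused -> flooding


class Http2Conn:
    def __init__(self, peer):
        self.peer = peer
        self.unread = 0       # response bytes the peer has not consumed yet
        self.answered = 0
        self.closed = False
        self.log = []

    def paused(self):
        """Reading is throttled until the remote side reads our responses."""
        return self.unread >= MAX_UNREAD_BYTES

    def read_chunk(self, backlog):
        """Take at most CHUNK_REQUESTS from the socket, answer them, return the rest."""
        if self.closed or self.paused():
            return backlog
        take = backlog[:CHUNK_REQUESTS]
        for _ in take:
            self.answered += 1
            self.unread += RESPONSE_BYTES
        return backlog[len(take):]

    def peer_drained(self, nbytes):
        """The peer read nbytes of response data; this may unpause reading."""
        self.unread = max(0, self.unread - nbytes)

    def drop(self, reason):
        self.log.append(f"dropping connection from {self.peer}: {reason}")
        self.closed = True


def serve(peer, total_requests, peer_reads_responses):
    """Drive one connection over a constructed queue of requests.

    Returns a summary: how many requests were answered, whether the
    connection was dropped, and how many requests were left unread.
    """
    conn = Http2Conn(peer)
    backlog = list(range(total_requests))   # constructed: pending requests
    while backlog and not conn.closed:
        backlog = conn.read_chunk(backlog)
        if peer_reads_responses:
            conn.peer_drained(conn.unread)   # a well-behaved client drains everything
        if conn.paused():
            if len(backlog) > FLOOD_LIMIT:
                # Many requests queued, none of our responses read: treat as flooding.
                conn.drop("keeps sending requests without reading responses")
            else:
                # Slow but legitimate client: keep the connection, just stop reading.
                break
    return {
        "answered": conn.answered,
        "dropped": conn.closed,
        "queued": len(backlog),
        "log": conn.log,
    }


if __name__ == "__main__":
    print(serve("203.0.113.5", 10, True))    # normal client: all answered
    print(serve("203.0.113.5", 10, False))   # slow client: paused, not dropped
    print(serve("203.0.113.6", 30, False))   # flooder: paused, then dropped
```

The three cases in the usage block are the ones the note distinguishes: a client that reads its responses is served in chunks to completion, a slow client that stops reading is simply not read from any further, and a client that has piled up far more requests than the window allows while reading nothing is logged and disconnected instead of being allowed to exhaust server resources.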
When answering queries, don't add data to the additional section if the answer has more
than 13 names in the RDATA. This limits the number of lookups into the database(s) during
a single client query, reducing query processing load.
Vulnerability: CVE-2024-11187
Resolves: RHEL-76889
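The following Python is an added example, not BIND's code, showing the shape of the CVE-2024-11187 mitigation on a constructed zone: additional-section processing looks up an address for every name referenced by the answer's RDATA, so an answer carrying many NS (or MX) names turns one query into many database lookups. Counting the distinct RDATA names first and skipping the additional section once there are more than 13 bounds that work. The zone contents, names and addresses are made up; the threshold of 13 is the one the note states, and the lookup counter is there only to make the cost visible.

```python
# Added example, not BIND's code: models the additional-section limit from the
# CVE-2024-11187 note. Zone data below is constructed for the demo.

from dataclasses import dataclass

MAX_ADDITIONAL_NAMES = 13   # from the note: more than 13 names -> no additional data


@dataclass
class RR:
    name: str
    rtype: str
    rdata: str   # target host name for NS/MX, address text for A/AAAA


class Zone:
    def __init__(self, records):
        self.records = records
        self.lookups = 0   # database lookups performed for one client query

    def find(self, name, rtype):
        self.lookups += 1
        return [r for r in self.records if r.name == name and r.rtype == rtype]


def rdata_names(answer):
    """Distinct target names referenced by NS/MX RDATA in the answer section."""
    names = []
    for rr in answer:
        if rr.rtype in ("NS", "MX") and rr.rdata not in names:
            names.append(rr.rdata)
    return names


def build_additional(zone, answer):
    """Return (additional_rrs, skipped); skip entirely above the name limit."""
    targets = rdata_names(answer)
    if len(targets) > MAX_ADDITIONAL_NAMES:
        return [], True
    extra = []
    for target in targets:
        for rtype in ("A", "AAAA"):   # one lookup per name and address type
            extra.extend(zone.find(target, rtype))
    return extra, False


def answer_query(zone, qname, qtype):
    """Answer one query and report how many lookups it cost."""
    answer = zone.find(qname, qtype)
    additional, skipped = build_additional(zone, answer)
    return {
        "answer": answer,
        "additional": additional,
        "skipped": skipped,
        "lookups": zone.lookups,
    }


def make_zone(n_ns):
    """Constructed zone: example.test. with n_ns NS records and one A each."""
    records = []
    for i in range(n_ns):
        host = f"ns{i}.example.test."
        records.append(RR("example.test.", "NS", host))
        records.append(RR(host, "A", f"192.0.2.{i + 1}"))
    return Zone(records)


if __name__ == "__main__":
    for n in (2, 13, 14, 40):
        r = answer_query(make_zone(n), "example.test.", "NS")
        print(n, "NS names ->", "skipped" if r["skipped"] else "filled",
              "additional =", len(r["additional"]), "lookups =", r["lookups"])
```

With the limit in place the lookup count stays at 1 + 2 * names for up to 13 names and collapses to a single lookup beyond that, which is the point of the fix: a zone an attacker controls cannot make a single query cost a lookup per name it chooses to list.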
component is used in tests/bind tests to choose the correct requirements for
otherwise shared tests. Try to pass the context propagated from the original
package to those tests.
Do not use the public repo import, but (re)define it manually to keep the
context propagated.
Move the license to the libs subpackage; it is required for everything except
documentation. Include the license file in docs and bind-libs, avoiding an extra
package just for a single file.
Resolves: RHEL-14898
New Features
- A new option signatures-jitter has been added to dnssec-policy to allow
signature expirations to be spread out over a period of time. [GL #4554]
Feature Changes
- DNSSEC signatures that are not valid because the current time falls
outside the signature inception and expiration dates are skipped
instead of causing an immediate validation failure. [GL #4586]
https://downloads.isc.org/isc/bind9/9.18.27/doc/arm/html/notes.html#notes-for-bind-9-18-27