Revisions of bind
Jorik Cronenberg (jcronenberg)
committed
(revision 20)
- Update to release 9.18.10 Feature Changes: * To reduce unnecessary memory consumption in the cache, NXDOMAIN records are no longer retained past the normal negative cache TTL, even if stale-cache-enable is set to yes. * The auto-dnssec option has been deprecated and will be removed in a future BIND 9.19.x release. Please migrate to dnssec-policy. * The coresize, datasize, files, and stacksize options have been deprecated. The limits these options set should be enforced externally, either by manual configuration (e.g. using ulimit) or via the process supervisor (e.g. systemd). * Setting alternate local addresses for inbound zone transfers has been deprecated. The relevant options (alt-transfer-source, alt-transfer-source-v6, and use-alt-transfer-source) will be removed in a future BIND 9.19.x release. * The number of HTTP headers allowed in requests sent to named’s statistics channel has been increased from 10 to 100, to accommodate some browsers that send more than 10 headers by default. Bug Fixes: * named could crash due to an assertion failure when an HTTP connection to the statistics channel was closed prematurely (due to a connection error, shutdown, etc.). * When a catalog zone was removed from the configuration, in some cases a dangling pointer could cause the named process to crash. * When a zone was deleted from a server, a key management object related to that zone was inadvertently kept in memory and only released upon shutdown. This could lead to constantly
Jorik Cronenberg (jcronenberg)
committed
(revision 19)
Accidentally added back a obsolete patch
Jorik Cronenberg (jcronenberg)
committed
(revision 18)
- Update to bind release 9.18.9 Bug Fixes: * A crash was fixed that happened when a dnssec-policy zone that used NSEC3 was reconfigured to enable inline-signing. * In certain resolution scenarios, quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients. * rpz-ip rules in response-policy zones could be ineffective in some cases if a query had the CD (Checking Disabled) bit set to 1. * Previously, if Internet connectivity issues were experienced during the initial startup of named, a BIND resolver with dnssec-validation set to auto could enter into a state where it would not recover without stopping named, manually deleting the managed-keys.bind and managed-keys.bind.jnl files, and starting named again. * The statistics counter representing the current number of clients awaiting recursive resolution results (RecursClients) could overflow in certain resolution scenarios. * Previously, the port in remote servers such as in primaries and parental-agents could be wrongly configured because of an inheritance bug. * Previously, BIND failed to start on Solaris-based systems with hundreds of CPUs. * When a DNS resource record’s TTL value was equal to the resolver’s configured prefetch “eligibility” value, the record was erroneously not treated as eligible for prefetching.
Jorik Cronenberg (jcronenberg)
committed
(revision 17)
Jorik Cronenberg (jcronenberg)
committed
(revision 16)
- Update to bind release 9.18.8 New Features: * Support for parsing and validating the dohpath service parameter in SVCB records was added. * named now logs the supported cryptographic algorithms during startup and in the output of named -V. * The recursion not available and query (cache) '...' denied log messages were extended to include the name of the ACL that caused a given query to be denied. Bug Fixes: * An assertion failure was fixed in named that was caused by aborting the statistics channel connection while sending statistics data to the client. * Changing just the TSIG key names for primaries in catalog zones’ member zones was not effective. This has been fixed. Known Issues: * Upgrading from BIND 9.16.32, 9.18.6, or any older version may require a manual configuration change. The following configurations are affected: - type primary zones configured with dnssec-policy but without either allow-update or update-policy, - type secondary zones configured with dnssec-policy. In these cases please add inline-signing yes; to the individual zone configuration(s). Without applying this change, named will fail to start. For more details, see https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing * BIND 9.18 does not support dynamic update forwarding (see allow-update-forwarding) in conjuction with zone transfers over TLS (XoT).
Jorik Cronenberg (jcronenberg)
committed
(revision 15)
Jorik Cronenberg (jcronenberg)
committed
(revision 14)
- Add fix_documentation-Sphinx.patch to fix building with the current Sphinx (https://gitlab.isc.org/isc-projects/bind9/-/issues/3572). - Reapply bind-ldapdump-use-valid-host.patch
buildservice-autocommit
accepted
request 1005206
from
Jorik Cronenberg (jcronenberg)
(revision 13)
baserev update by copy to link target
Jorik Cronenberg (jcronenberg)
committed
(revision 12)
Jorik Cronenberg (jcronenberg)
committed
(revision 11)
Jorik Cronenberg (jcronenberg)
committed
(revision 10)
- Update to bind release 9.18.7 Security Fixes: * Previously, there was no limit to the number of database lookups performed while processing large delegations, which could be abused to severely impact the performance of named running as a recursive resolver. This has been fixed. (CVE-2022-2795) * When an HTTP connection was reused to request statistics from the stats channel, the content length of successive responses could grow in size past the end of the allocated buffer. This has been fixed. (CVE-2022-2881) * Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that could be externally triggered, when using TKEY records in DH mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906) * named running as a resolver with the stale-answer-client-timeout option set to 0 could crash with an assertion failure, when there was a stale CNAME in the cache for the incoming query. This has been fixed. (CVE-2022-3080) * Memory leaks were fixed that could be externally triggered in the DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) Feature Changes: * Response Rate Limiting (RRL) code now treats all QNAMEs that are subject to wildcard processing within a given zone as the same name, to prevent circumventing the limits enforced by RRL. * Zones using dnssec-policy now require dynamic DNS or inline-signing to be configured explicitly. * When reconfiguring dnssec-policy from using NSEC with an NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC until the offending DNSKEY records have been removed from the zone, then switches to using NSEC3.
buildservice-autocommit
accepted
request 998005
from
Jorik Cronenberg (jcronenberg)
(revision 9)
baserev update by copy to link target
Jorik Cronenberg (jcronenberg)
committed
(revision 8)
- Fix typo in contrib/dlz/modules/{mysql,mysqldyn} that references LDAP_LIBS instead of MYSQL_LIBS. [bsc#1202149, bind.spec, bind-fix-mysql-bindings.patch]
Jorik Cronenberg (jcronenberg)
committed
(revision 7)
- Update to bind release 9.18.6 Bug Fixes: * When running as a validating resolver forwarding all queries to another resolver, named could crash with an assertion failure. These crashes occurred when the configured forwarder sent a broken DS response and named failed its attempts to find a proper one instead. This has been fixed. * Non-dynamic zones that inherit dnssec-policy from the view or options blocks were not marked as inline-signed and therefore never scheduled to be re-signed. This has been fixed. * The old max-zone-ttl zone option was meant to be superseded by the max-zone-ttl option in dnssec-policy; however, the latter option was not fully effective. This has been corrected: zones no longer load if they contain TTLs greater than the limit configured in dnssec-policy. For zones with both the old max-zone-ttl option and dnssec-policy configured, the old option is ignored, and a warning is generated. * rndc dumpdb -expired was fixed to include expired RRsets, even if stale-cache-enable is set to no and the cache-cleaning time window has passed. For a complete list of changes, see * Bind Release Notes https://downloads.isc.org/isc/bind9/9.18.6/doc/arm/html/notes.html * The CHANGES file in the source RPM [bind.spec bind-9.18.6.tar.xz bind-9.18.6.tar.xz.sha512.asc]
buildservice-autocommit
accepted
request 992780
from
Jorik Cronenberg (jcronenberg)
(revision 6)
baserev update by copy to link target
Jorik Cronenberg (jcronenberg)
committed
(revision 5)
Jorik Cronenberg (jcronenberg)
committed
(revision 4)
Jorik Cronenberg (jcronenberg)
committed
(revision 3)
Jorik Cronenberg (jcronenberg)
committed
(revision 2)
- When enabling query_logging by un-commenting an example in bind.conf, named attempts to create a file in /var/log which fails due to missing credentials. This also applies to the "dump-file" and the "statistics-file". This is solved by having systemd-tmpfiles create a subdirectory "/var/log/named" owned by named:named and changing the file paths accordingly: /var/log/named_querylog -> /var/log/named/querylog /var/log/named_dump.db -> /var/log/named/dump.db /var/log/named.stats -> /var/log/named/stats Also, in "named.service", the ReadWritePath was changed to include "/var/log/named" rather than just "var/log". [bsc#1200685, bind.spec, vendor-files/config/named.conf, vendor-files/system/named.service]
Jorik Cronenberg (jcronenberg)
committed
(revision 1)
Displaying revisions 21 - 40 of 40