- Update to release 9.18.10
  Feature Changes:
  * To reduce unnecessary memory consumption in the cache, NXDOMAIN
    records are no longer retained past the normal negative cache
    TTL, even if stale-cache-enable is set to yes.
  * The auto-dnssec option has been deprecated and will be removed
    in a future BIND 9.19.x release. Please migrate to
    dnssec-policy.
  * The coresize, datasize, files, and stacksize options have been
    deprecated. The limits these options set should be enforced
    externally, either by manual configuration (e.g. using ulimit)
    or via the process supervisor (e.g. systemd).
  * Setting alternate local addresses for inbound zone transfers
    has been deprecated. The relevant options (alt-transfer-source,
    alt-transfer-source-v6, and use-alt-transfer-source) will be
    removed in a future BIND 9.19.x release.
  * The number of HTTP headers allowed in requests sent to named’s
    statistics channel has been increased from 10 to 100, to
    accommodate some browsers that send more than 10 headers by
    default.
  Bug Fixes:
  * named could crash due to an assertion failure when an HTTP
    connection to the statistics channel was closed prematurely
    (due to a connection error, shutdown, etc.).
  * When a catalog zone was removed from the configuration, in some
    cases a dangling pointer could cause the named process to
    crash.
  * When a zone was deleted from a server, a key management object
    related to that zone was inadvertently kept in memory and only
    released upon shutdown. This could lead to constantly

• Files Changed
• Browse Source

Accidentally added back a obsolete patch

• Files Changed
• Browse Source

- Update to bind release 9.18.9
  Bug Fixes:
  * A crash was fixed that happened when a dnssec-policy zone that
    used NSEC3 was reconfigured to enable inline-signing.
  * In certain resolution scenarios, quotas could be erroneously
    reached for servers, including any configured forwarders,
    resulting in SERVFAIL answers being sent to clients.
  * rpz-ip rules in response-policy zones could be ineffective in
    some cases if a query had the CD (Checking Disabled) bit set to
    1.
  * Previously, if Internet connectivity issues were experienced
    during the initial startup of named, a BIND resolver with
    dnssec-validation set to auto could enter into a state where it
    would not recover without stopping named, manually deleting the
    managed-keys.bind and managed-keys.bind.jnl files, and starting
    named again.
  * The statistics counter representing the current number of
    clients awaiting recursive resolution results (RecursClients)
    could overflow in certain resolution scenarios.
  * Previously, the port in remote servers such as in primaries and
    parental-agents could be wrongly configured because of an
    inheritance bug.
  * Previously, BIND failed to start on Solaris-based systems with
    hundreds of CPUs.
  * When a DNS resource record’s TTL value was equal to the
    resolver’s configured prefetch “eligibility” value, the record
    was erroneously not treated as eligible for prefetching.

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Update to bind release 9.18.8
  New Features:
  * Support for parsing and validating the dohpath service
    parameter in SVCB records was added.
  * named now logs the supported cryptographic algorithms during
    startup and in the output of named -V.
  * The recursion not available and query (cache) '...' denied log
    messages were extended to include the name of the ACL that
    caused a given query to be denied.
  Bug Fixes:
  * An assertion failure was fixed in named that was caused by
    aborting the statistics channel connection while sending
    statistics data to the client.
  * Changing just the TSIG key names for primaries in catalog
    zones’ member zones was not effective. This has been fixed.
  Known Issues:
  * Upgrading from BIND 9.16.32, 9.18.6, or any older version may
    require a manual configuration change. The following
    configurations are affected:
    - type primary zones configured with dnssec-policy but without
      either allow-update or update-policy,
    - type secondary zones configured with dnssec-policy.
    In these cases please add inline-signing yes; to the individual
    zone configuration(s). Without applying this change, named will
    fail to start. For more details, see
    https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
  * BIND 9.18 does not support dynamic update forwarding (see
    allow-update-forwarding) in conjuction with zone transfers over
    TLS (XoT).

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Add fix_documentation-Sphinx.patch to fix building with the
  current Sphinx
  (https://gitlab.isc.org/isc-projects/bind9/-/issues/3572).
- Reapply bind-ldapdump-use-valid-host.patch

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Update to bind release 9.18.7
  Security Fixes:
  * Previously, there was no limit to the number of database lookups
    performed while processing large delegations, which could be
    abused to severely impact the performance of named running as a
    recursive resolver. This has been fixed. (CVE-2022-2795)
  * When an HTTP connection was reused to request statistics from the
    stats channel, the content length of successive responses could
    grow in size past the end of the allocated buffer.
    This has been fixed. (CVE-2022-2881)
  * Memory leaks in code handling Diffie-Hellman (DH) keys were fixed
    that could be externally triggered, when using TKEY records in DH
    mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906)
  * named running as a resolver with the stale-answer-client-timeout
    option set to 0 could crash with an assertion failure, when there
    was a stale CNAME in the cache for the incoming query.
    This has been fixed. (CVE-2022-3080)
  * Memory leaks were fixed that could be externally triggered in the
    DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
  Feature Changes:
  * Response Rate Limiting (RRL) code now treats all QNAMEs that are
    subject to wildcard processing within a given zone as the same
    name, to prevent circumventing the limits enforced by RRL.
  * Zones using dnssec-policy now require dynamic DNS or
    inline-signing to be configured explicitly.
  * When reconfiguring dnssec-policy from using NSEC with an NSEC-only
    DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3,
    BIND 9 no longer fails to sign the zone; instead, it keeps using
    NSEC until the offending DNSKEY records have been removed from the
    zone, then switches to using NSEC3.

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

- Fix typo in contrib/dlz/modules/{mysql,mysqldyn} that references
  LDAP_LIBS instead of MYSQL_LIBS.
  [bsc#1202149, bind.spec, bind-fix-mysql-bindings.patch]

• Files Changed
• Browse Source

- Update to bind release 9.18.6
  Bug Fixes:
  * When running as a validating resolver forwarding all queries
    to another resolver, named could crash with an assertion failure.
    These crashes occurred when the configured forwarder sent
    a broken DS response and named failed its attempts to find
    a proper one instead. This has been fixed.
  * Non-dynamic zones that inherit dnssec-policy from the view
    or options blocks were not marked as inline-signed
    and therefore never scheduled to be re-signed. This has been fixed.
  * The old max-zone-ttl zone option was meant to be superseded
    by the max-zone-ttl option in dnssec-policy; however,
    the latter option was not fully effective. This has been corrected:
    zones no longer load if they contain TTLs greater than the limit
    configured in dnssec-policy. For zones with both the old
    max-zone-ttl option and dnssec-policy configured,
    the old option is ignored, and a warning is generated.
  * rndc dumpdb -expired was fixed to include expired RRsets,
    even if stale-cache-enable is set to no and the cache-cleaning
    time window has passed.
  For a complete list of changes, see
  * Bind Release Notes
    https://downloads.isc.org/isc/bind9/9.18.6/doc/arm/html/notes.html
  * The CHANGES file in the source RPM
  [bind.spec bind-9.18.6.tar.xz bind-9.18.6.tar.xz.sha512.asc]

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

• Files Changed
• Browse Source

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- When enabling query_logging by un-commenting an example in
  bind.conf, named attempts to create a file in /var/log which
  fails due to missing credentials. This also applies to the
  "dump-file" and the "statistics-file".
  This is solved by having systemd-tmpfiles create a subdirectory
  "/var/log/named" owned by named:named and changing the file
  paths accordingly:
  /var/log/named_querylog -> /var/log/named/querylog
  /var/log/named_dump.db -> /var/log/named/dump.db
  /var/log/named.stats -> /var/log/named/stats
  Also, in "named.service", the ReadWritePath was changed to
  include "/var/log/named" rather than just "var/log".
  [bsc#1200685, bind.spec, vendor-files/config/named.conf,
   vendor-files/system/named.service]

• Files Changed
• Browse Source

• Browse Source