Revisions of bind

Jorik Cronenberg (jcronenberg) committed (revision 367)
- Update to release 9.18.11
  Security Fixes:
  * An UPDATE message flood could cause named to exhaust all
    available memory. This flaw was addressed by adding a new
    update-quota option that controls the maximum number of
    outstanding DNS UPDATE messages that named can hold in a queue
    at any given time (default: 100). (CVE-2022-3094)
  * named could crash with an assertion failure when an RRSIG query
    was received and stale-answer-client-timeout was set to a
    non-zero value. This has been fixed. (CVE-2022-3736)
  * named running as a resolver with the
    stale-answer-client-timeout option set to any value greater
    than 0 could crash with an assertion failure, when the
    recursive-clients soft quota was reached. This has been fixed.
    (CVE-2022-3924)
  New Features:
  * The new update-quota option can be used to control the number
    of simultaneous DNS UPDATE messages that can be processed to
    update an authoritative zone on a primary server, or forwarded
    to the primary server by a secondary server. The default is
    100. A new statistics counter has also been added to record
    events when this quota is exceeded, and the version numbers for
    the XML and JSON statistics schemas have been updated.
  Removed Features:
  * The Differentiated Services Code Point (DSCP) feature in BIND
    has been non-operational since the new Network Manager was
    introduced in BIND 9.16. It is now marked as obsolete, and
    vestigial code implementing it has been removed. Configuring
    DSCP values in named.conf now causes a warning to be logged.
  Feature Changes:
Jorik Cronenberg (jcronenberg) accepted request 1055962 from Thiago Macieira (thiagomacieira) (revision 366)
- Declare that named.service depends on network-online.target, otherwise named
  may start too early and thus fail (time out) when resolving some
  domains. This happens easily in containers.
Jorik Cronenberg (jcronenberg) committed (revision 365)
- Update to release 9.18.10
  Feature Changes:
  * To reduce unnecessary memory consumption in the cache, NXDOMAIN
    records are no longer retained past the normal negative cache
    TTL, even if stale-cache-enable is set to yes.
  * The auto-dnssec option has been deprecated and will be removed
    in a future BIND 9.19.x release. Please migrate to
    dnssec-policy.
  * The coresize, datasize, files, and stacksize options have been
    deprecated. The limits these options set should be enforced
    externally, either by manual configuration (e.g. using ulimit)
    or via the process supervisor (e.g. systemd).
  * Setting alternate local addresses for inbound zone transfers
    has been deprecated. The relevant options (alt-transfer-source,
    alt-transfer-source-v6, and use-alt-transfer-source) will be
    removed in a future BIND 9.19.x release.
  * The number of HTTP headers allowed in requests sent to named’s
    statistics channel has been increased from 10 to 100, to
    accommodate some browsers that send more than 10 headers by
    default.
  Bug Fixes:
  * named could crash due to an assertion failure when an HTTP
    connection to the statistics channel was closed prematurely
    (due to a connection error, shutdown, etc.).
  * When a catalog zone was removed from the configuration, in some
    cases a dangling pointer could cause the named process to
    crash.
  * When a zone was deleted from a server, a key management object
    related to that zone was inadvertently kept in memory and only
    released upon shutdown. This could lead to constantly
Jorik Cronenberg (jcronenberg) accepted request 1037145 from Jorik Cronenberg (jcronenberg) (revision 364)
- Update to bind release 9.18.9
  Bug Fixes:
  * A crash was fixed that happened when a dnssec-policy zone that
    used NSEC3 was reconfigured to enable inline-signing.
  * In certain resolution scenarios, quotas could be erroneously
    reached for servers, including any configured forwarders,
    resulting in SERVFAIL answers being sent to clients.
  * rpz-ip rules in response-policy zones could be ineffective in
    some cases if a query had the CD (Checking Disabled) bit set to
    1.
  * Previously, if Internet connectivity issues were experienced
    during the initial startup of named, a BIND resolver with
    dnssec-validation set to auto could enter into a state where it
    would not recover without stopping named, manually deleting the
    managed-keys.bind and managed-keys.bind.jnl files, and starting
    named again.
  * The statistics counter representing the current number of
    clients awaiting recursive resolution results (RecursClients)
    could overflow in certain resolution scenarios.
  * Previously, the port in remote servers such as in primaries and
    parental-agents could be wrongly configured because of an
    inheritance bug.
  * Previously, BIND failed to start on Solaris-based systems with
    hundreds of CPUs.
  * When a DNS resource record’s TTL value was equal to the
    resolver’s configured prefetch “eligibility” value, the record
    was erroneously not treated as eligible for prefetching.
Jorik Cronenberg (jcronenberg) accepted request 1034321 from Bjørn Lie (iznogood) (revision 363)
Forgot to drop the patch... 
Jorik Cronenberg (jcronenberg) accepted request 1034274 from Jorik Cronenberg (jcronenberg) (revision 362)
- Update to bind release 9.18.8
  New Features:
  * Support for parsing and validating the dohpath service
    parameter in SVCB records was added.
  * named now logs the supported cryptographic algorithms during
    startup and in the output of named -V.
  * The recursion not available and query (cache) '...' denied log
    messages were extended to include the name of the ACL that
    caused a given query to be denied.
  Bug Fixes:
  * An assertion failure was fixed in named that was caused by
    aborting the statistics channel connection while sending
    statistics data to the client.
  * Changing just the TSIG key names for primaries in catalog
    zones’ member zones was not effective. This has been fixed.
  Known Issues:
  * Upgrading from BIND 9.16.32, 9.18.6, or any older version may
    require a manual configuration change. The following
    configurations are affected:
    - type primary zones configured with dnssec-policy but without
      either allow-update or update-policy,
    - type secondary zones configured with dnssec-policy.
    In these cases please add inline-signing yes; to the individual
    zone configuration(s). Without applying this change, named will
    fail to start. For more details, see
    https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
  * BIND 9.18 does not support dynamic update forwarding (see
    allow-update-forwarding) in conjunction with zone transfers over
    TLS (XoT).
  This obsoletes the following patch:
  * fix_documentation-Sphinx.patch
buildservice-autocommit accepted request 1008629 from Jorik Cronenberg (jcronenberg) (revision 361)
baserev update by copy to link target
Jorik Cronenberg (jcronenberg) accepted request 1008578 from Matej Cepl (mcepl) (revision 359)
- Add fix_documentation-Sphinx.patch to fix building with the
  current Sphinx
  (https://gitlab.isc.org/isc-projects/bind9/-/issues/3572).
- Reapply bind-ldapdump-use-valid-host.patch
buildservice-autocommit accepted request 1005207 from Jorik Cronenberg (jcronenberg) (revision 358)
baserev update by copy to link target
Jorik Cronenberg (jcronenberg) accepted request 1005206 from Jorik Cronenberg (jcronenberg) (revision 357)
- Update to bind release 9.18.7
  Security Fixes:
  * Previously, there was no limit to the number of database lookups
    performed while processing large delegations, which could be
    abused to severely impact the performance of named running as a
    recursive resolver. This has been fixed. (CVE-2022-2795)
  * When an HTTP connection was reused to request statistics from the
    stats channel, the content length of successive responses could
    grow in size past the end of the allocated buffer.
    This has been fixed. (CVE-2022-2881)
  * Memory leaks in code handling Diffie-Hellman (DH) keys were fixed
    that could be externally triggered, when using TKEY records in DH
    mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906)
  * named running as a resolver with the stale-answer-client-timeout
    option set to 0 could crash with an assertion failure, when there
    was a stale CNAME in the cache for the incoming query.
    This has been fixed. (CVE-2022-3080)
  * Memory leaks were fixed that could be externally triggered in the
    DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
  Feature Changes:
  * Response Rate Limiting (RRL) code now treats all QNAMEs that are
    subject to wildcard processing within a given zone as the same
    name, to prevent circumventing the limits enforced by RRL.
  * Zones using dnssec-policy now require dynamic DNS or
    inline-signing to be configured explicitly.
  * When reconfiguring dnssec-policy from using NSEC with an NSEC-only
    DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3,
    BIND 9 no longer fails to sign the zone; instead, it keeps using
    NSEC until the offending DNSKEY records have been removed from the
    zone, then switches to using NSEC3.
  * A backward-compatible approach was implemented for encoding
    internationalized domain names (IDN) in dig and converting the
    domain to IDNA2008 form; if that fails, BIND tries an IDNA2003
    conversion.
  Bug Fixes:
  * A serve-stale bug was fixed, where BIND would try to return stale
    data from cache for lookups that received duplicate queries or
    queries that would be dropped. This bug resulted in premature
    SERVFAIL responses, and has now been resolved.
  This obsoletes the following patch:
  * bind-fix-mysql-bindings.patch
  [bsc#1203614, bsc#1203615, bsc#1203616, bsc#1203618, bsc#1203620]
buildservice-autocommit accepted request 998091 from Dirk Mueller (dirkmueller) (revision 356)
baserev update by copy to link target
Dirk Mueller (dirkmueller) accepted request 998005 from Jorik Cronenberg (jcronenberg) (revision 355)
- Fix typo in contrib/dlz/modules/{mysql,mysqldyn} that references
  LDAP_LIBS instead of MYSQL_LIBS.
  [bsc#1202149, bind.spec, bind-fix-mysql-bindings.patch]
- Update to bind release 9.18.6
  Bug Fixes:
  * When running as a validating resolver forwarding all queries
    to another resolver, named could crash with an assertion failure.
    These crashes occurred when the configured forwarder sent
    a broken DS response and named failed its attempts to find
    a proper one instead. This has been fixed.
  * Non-dynamic zones that inherit dnssec-policy from the view
    or options blocks were not marked as inline-signed
    and therefore never scheduled to be re-signed. This has been fixed.
  * The old max-zone-ttl zone option was meant to be superseded
    by the max-zone-ttl option in dnssec-policy; however,
    the latter option was not fully effective. This has been corrected:
    zones no longer load if they contain TTLs greater than the limit
    configured in dnssec-policy. For zones with both the old
    max-zone-ttl option and dnssec-policy configured,
    the old option is ignored, and a warning is generated.
  * rndc dumpdb -expired was fixed to include expired RRsets,
    even if stale-cache-enable is set to no and the cache-cleaning
    time window has passed.
  For a complete list of changes, see
  * Bind Release Notes
    https://downloads.isc.org/isc/bind9/9.18.6/doc/arm/html/notes.html
  * The CHANGES file in the source RPM
  [bind.spec bind-9.18.6.tar.xz bind-9.18.6.tar.xz.sha512.asc]
buildservice-autocommit accepted request 993089 from Jorik Cronenberg (jcronenberg) (revision 354)
baserev update by copy to link target
Jorik Cronenberg (jcronenberg) accepted request 992780 from Jorik Cronenberg (jcronenberg) (revision 353)
- When enabling query_logging by un-commenting an example in
  bind.conf, named attempts to create a file in /var/log which
  fails due to missing credentials. This also applies to the
  "dump-file" and the "statistics-file".
  This is solved by having systemd-tmpfiles create a subdirectory
  "/var/log/named" owned by named:named and changing the file
  paths accordingly:
  /var/log/named_querylog -> /var/log/named/querylog
  /var/log/named_dump.db -> /var/log/named/dump.db
  /var/log/named.stats -> /var/log/named/stats
  Also, in "named.service", the ReadWritePath was changed to
  include "/var/log/named" rather than just "var/log".
  [bsc#1200685, bind.conf, vendor-files/config/named.conf,
   vendor-files/system/named.service]
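The two service-unit changes described in this log, the network-online.target dependency from revision 366 and the ReadWritePaths entry for "/var/log/named" from revision 353, can both be expressed in a single systemd drop-in of the kind revision 351 adds a directory for. The drop-in below is an added illustration, not the openSUSE package's own named.service or vendor-files; the drop-in file name, the mode of the log directory and the /var/lib/named working-directory path are assumptions about a typical layout.

```ini
# /etc/systemd/system/named.service.d/10-local.conf  (file name is an assumption)
# Added example drop-in for named.service; not the package's unit file.

[Unit]
# network-online.target means "the network is actually usable", whereas
# network.target only means "network management has been started".
# Ordering named after it avoids the early-start resolution time-outs
# noted in revision 366, which show up most often inside containers.
Wants=network-online.target
After=network-online.target

[Service]
# With a sandboxed (ProtectSystem-style) unit, named can only write where
# ReadWritePaths allows. Listing /var/log/named (owned by named:named,
# created by systemd-tmpfiles per revision 353) lets querylog, dump.db and
# stats be written without opening all of /var/log. /var/lib/named is an
# assumed working directory; adjust to the real one on the host.
ReadWritePaths=/var/lib/named /var/log/named
```

Two points worth knowing when applying this: ReadWritePaths= is cumulative across the unit and its drop-ins, so the line above adds to whatever the shipped unit already allows rather than replacing it (an empty ReadWritePaths= line would reset the list), and the directory itself still has to exist before named starts, which is what a tmpfiles.d entry such as `d /var/log/named 0750 named named -` (mode is an assumption) provides when systemd-tmpfiles runs at boot. After dropping the file in, run `systemctl daemon-reload` and then check `systemctl show named.service -p ReadWritePaths -p After` to confirm both settings took effect.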
buildservice-autocommit accepted request 992020 from Reinhard Max (rmax) (revision 352)
baserev update by copy to link target
Reinhard Max (rmax) accepted request 992008 from Jorik Cronenberg (jcronenberg) (revision 351)
- Add systemd drop-in directory for named service
buildservice-autocommit accepted request 990523 from Dirk Mueller (dirkmueller) (revision 350)
baserev update by copy to link target
buildservice-autocommit accepted request 983574 from Dirk Mueller (dirkmueller) (revision 348)
baserev update by copy to link target
Displaying revisions 21 - 40 of 387