diff --git a/bind-9.20.0.tar.xz b/bind-9.20.0.tar.xz deleted file mode 100644 index 669dbef..0000000 --- a/bind-9.20.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:cc580998017b51f273964058e8cb3aa5482bc785243dea71e5556ec565a13347 -size 5760416 diff --git a/bind-9.20.0.tar.xz.asc b/bind-9.20.0.tar.xz.asc deleted file mode 100644 index 9f46a95..0000000 --- a/bind-9.20.0.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmaNMyYACgkQUQpkKgbF -LOzwnBAAgICQ7MC0rkXZxD/8X3vatdpDZ4MkUvkhOR+J4kkKWBuSqZJQvuWA8XeS -/rycCHWFeUf3V9Wj6XbCPa1l4eV5rAnSVJtHHoDoK9Tt/1H6HCd0v2b270a9q1pU -ra5Jdi/ZP76iRYAAse8FpRymMcjEk/aXnnnOsCACOY8MNvxC83mmrciPJJxloEBy -9zGPGzkvnYTM1H/qSR0GrUsGLtzKPiXbvtsRo9jI3f8kL9Tdxw9IlmH0OY14L26L -QKgaFC4Sa3J2PmELLCORtvUEDeKi9FAG9+6ua3h7ork2n/cARmOhvmZ8FFgLlB1e -7GSWCMujw+h44vNJrz1w14Bm1sN3k9PgY34i7ter/WA6ZTFDIWyhQh5tHrbjsdyv -DTlE8EvVNIg4fYMCew57yedXqzWO6bavwFlsiPyjXyG9+k9xSeQEYuuLGismF3gQ -AGXPyUUAiqhnyQd1uCf8qK5sgkH39+g5TRFl5oSvZavOAr/GtzsNhAo5Ii5ia8qL -mUVESk+Jyl4/rKJAAMwWtdl8mk8RYx1BF0XAG/mnvC81HBcuiu5aRBa5N3p8Kg+W -cUMPOjDhXn90pxEcD1MSg6nH1P0sVVOYWaQvJ1FtzKUp7JKNJus0yjgQarF5VI/l -7VSUi36dGSlDyM4EvspS/KAnItErzA8Vn40R9x8qbmzjD1Ka5LU= -=wneo ------END PGP SIGNATURE----- diff --git a/bind-9.20.3.tar.xz b/bind-9.20.3.tar.xz new file mode 100644 index 0000000..06a4568 --- /dev/null +++ b/bind-9.20.3.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f90c2da1621299f56a2e6585a6fe459ec3efd6f2fdf84a8fbf31b40be7698a73 +size 5664328 diff --git a/bind-9.20.3.tar.xz.asc b/bind-9.20.3.tar.xz.asc new file mode 100644 index 0000000..c90bc90 --- /dev/null +++ b/bind-9.20.3.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmcFmzcACgkQUQpkKgbF +LOy7HA//bEjc3SPdNiCQgodOj4w+7o4hmcnbxb7HWJcmV1kNlwHFB9ZzoQzVdFGI +C9/+O3WMjk8EeLUYyip+ZMU6KEb55DwqSGX+TNPl+UiVZmIfCEmZ657KXhflcPjc +xYEg2XzL8u2MuKLglEB8FK23zdki13bre/GcdfqMtHowZiln60KaPYR1VeS28m14 +4p4VzDfLSq2vrlzpLiT7KlSds2mHDfWWxXDNwFIPZ5vlvtLyzbozRQ9X8p1wseO7 +3jjUPMGNNcx0EYZQ88KbTtv2eLxrYK8NRU4M47iXpP5/AYAzsq1gD+7mYNxLeIv+ +hbL5X7hxLl5OMNU47tHM/xgRcrGppeDSeKEihr/+1Z9JPL3Zq+oS6XwlzH1KmxQ6 +6mi6Z1SgAQNlfrFC11fxSokS7C/lWIOmXKa19tdHbsAw/kU9Onk6gh1D4BVTbKfJ +dbEl7/rJB14Er9+C6N3DB28HwgtlDC+ZLX79OqY9GN67LWHUkbGoKB7REkVQ0vMq +JzU9L+R+8sJQXvgqj/Ei9KRA08QxdetTTtigA75yGzyn2HWgDl1CTfFIYCEDZr9T +AJdim31gFlqIq1M8OwcynsthZswlFFwvHDpKuS9/AqXVaK1KSkpYfb+8gLl/l+bA +dcMFEckN7J60Qhqx/BAyBk/6vZ3F6FBmotKMctq9rpvCf1coM/E= +=vNN/ +-----END PGP SIGNATURE----- diff --git a/bind.changes b/bind.changes index fea5750..9666b49 100644 --- a/bind.changes +++ b/bind.changes 
@@ -1,3 +1,244 @@ +------------------------------------------------------------------- +Mon Oct 21 08:42:47 UTC 2024 - Jorik Cronenberg + +- Update to release 9.20.3 + New Features: + * Log query response status to the query log. + * Log a query response summary using the new responses category. + Logging can be controlled via the responselog option and via + rndc responselog. + * Added WALLET type. + * Add the new record type WALLET (262). This provides a mapping + from a domain name to a cryptographic currency wallet. Multiple + mappings can exist if multiple records exist. + + Feature Changes: + * Set logging category for notify/xfer-in-related messages. + * Some notify and xfer-in-related log messages were logged at the + “general” category level instead of their own category. This + has been fixed. + * Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS. + * This change allows fallback from an IXFR failure to AXFR when + the reason is DNS_R_TOOMANYRECORDS. + + Bug Fixes: + * Fix a statistics channel counter bug when “forward only” zones + are used. + * When resolving a zone with a “forward only” policy, and finding + out that all the forwarders were marked as “bad”, the + “ServerQuota” counter of the statistics channel was incorrectly + increased. This has been fixed. + * Fix a bug in the static-stub implementation. + * Static-stub addresses and addresses from other sources were + being mixed together, resulting in static-stub queries going to + addresses not specified in the configuration, or alternatively, + static-stub addresses being used instead of the correct server + addresses. + * Don’t allow statistics-channels if libxml2 and libjson-c are + not configured. + * When BIND 9 is not configured with the libxml2 and libjson-c + libraries, the use of the statistics-channels option is a fatal + error. + * Separate DNSSEC validation from long-running tasks. 
+ * Split CPU-intensive and long-running tasks into separate + threadpools in a way that the long-running tasks - like RPZ, + catalog zone processing, or zone file operations - don’t block + CPU-intensive operations like DNSSEC validations. + * Fix an assertion failure when processing access control lists. + * The named process could terminate unexpectedly when processing + ACLs. This has been fixed. + * Fix a bug in Offline KSK using a ZSK with an unlimited + lifetime. + * If the ZSK had an unlimited lifetime, the timing metadata + Inactive and Delete could not be found and were treated as an + error, preventing the zone from being signed. This has been + fixed. + * Limit the outgoing UDP send queue size. + * If the operating system UDP queue got full and the outgoing UDP + sending started to be delayed, BIND 9 could exhibit memory + spikes as it tried to enqueue all the outgoing UDP messages. It + now tries to deliver the outgoing UDP messages synchronously; + if that fails, it drops the outgoing DNS message that would get + queued up and then timeout on the client side. + * Do not set SO_INCOMING_CPU. + * Remove the SO_INCOMING_CPU setting as kernel scheduling + performs better without constraints. + * Fix the rndc dumpdb command’s error reporting. + * The rndc dumpdb command was not reporting errors that occurred + when named started up the database dump process. This has been + fixed. + * Fix long-running incoming transfers. + * Incoming transfers that took longer than 30 seconds would stop + reading from the TCP stream and the incoming transfer would be + indefinitely stuck, causing BIND 9 to hang during shutdown. + * This has been fixed, and the max-transfer-time-in and + max-transfer-idle-in timeouts are now honored. + * Fix an assertion failure when receiving DNS responses over TCP. + * When matching the received Query ID in the TCP connection, an + invalid Query ID could cause an assertion failure. This has + been fixed. 
+ +------------------------------------------------------------------- +Thu Sep 19 08:57:57 UTC 2024 - Jorik Cronenberg + +- Update to release 9.20.2 + New Features: + * Support for Offline KSK implemented. + * Add a new configuration option offline-ksk to enable Offline + KSK key management. Signed Key Response (SKR) files created + with dnssec-ksr (or other programs) can now be imported into + named with the new rndc skr -import command. Rather than + creating new DNSKEY, CDS, and CDNSKEY records and generating + signatures covering these types, these records are loaded from + the currently active bundle from the imported SKR. + * The implementation is loosely based on + draft-icann-dnssec-keymgmt-01.txt. + * Print the full path of the working directory in startup log + messages. + * named now prints its initial working directory during startup, + and the changed working directory when loading or reloading its + configuration file, if it has a valid directory option defined. + * Support a restricted key tag range when generating new keys. + * When multiple signers are being used to sign a zone, it is + useful to be able to specify a restricted range of key tags to + be used by an operator to sign the zone. The range can be + specified with tag-range in dnssec-policy’s keys (for named and + dnssec-ksr) and with the new options dnssec-keyfromlabel -M and + dnssec-keygen -M. + + Feature Changes: + * Exempt prefetches from the fetches-per-zone and + fetches-per-server quotas. + * Fetches generated automatically as a result of prefetch are now + exempt from the fetches-per-zone and fetches-per-server quotas. + This should help in maintaining the cache from which query + responses can be given. + * Follow the number of CPUs set by taskset/cpuset. + * Administrators may wish to constrain the set of cores that + named runs on via the taskset, cpuset, or numactl programs (or + equivalents on other OSes). 
+ * If the admin has used taskset, named now automatically uses the + given number of CPUs rather than the system-wide count. + + Bug Fixes: + * Delay the release of root privileges until after configuring + controls. + * Delay relinquishing root privileges until the control channel + has been configured, for the benefit of systems that require + root to use privileged port numbers. This mostly affects + systems without fine- grained privilege systems (i.e., other + than Linux). + * Fix a rare assertion failure when shutting down incoming + transfer. + * A very rare assertion failure could be triggered when the + incoming transfer was either forcefully shut down, or it + finished during the printing of the details about the + statistics channel. This has been fixed. + * Fix algorithm rollover bug when there are two keys with the + same keytag. + * If there was an algorithm rollover and two keys of different + algorithms shared the same keytags, there was the possibility + that the check of whether the key matched a specific state + could be performed against the wrong key. This has been fixed + by not only checking for the matching key tag but also the key + algorithm. + * Fix an assertion failure in validate_dnskey_dsset_done(). + * Under rare circumstances, named could terminate unexpectedly + when validating a DNSKEY resource record if the validation had + been canceled in the meantime. This has been fixed. + + Known Issues: + * Long-running tasks in offloaded threads (e.g. the loading of + RPZ zones or processing zone transfers) may block the + resolution of queries during these operations and cause the + queries to time out. To work around the issue, the + UV_THREADPOOL_SIZE environment variable can be set to a larger + value before starting named. The recommended value is the + number of RPZ zones (or number of transfers) plus the number of + threads BIND should use, which is typically the number of CPUs. 
+ + +------------------------------------------------------------------- +Fri Aug 23 09:26:22 UTC 2024 - Jorik Cronenberg + +- Update to release 9.20.1 + New Features: + * Implement rndc retransfer -force. + * A new optional argument -force has been added to the command + rndc retransfer. When it is specified, named aborts the ongoing + zone transfer (if there is one) and starts a new transfer. + * dig now reports a missing QUESTION section for messages with + opcode QUERY. + * Query responses should contain the QUESTION section, with some + exceptions. dig was not reporting this. + + Feature Changes: + * Tighten max-recursion-queries and add max-query-restarts + configuration statement. + * There were cases when the max-recursion-queries quota was + ineffective. It was possible to craft zones that would cause a + resolver to waste resources by sending excessive queries while + attempting to resolve a name. This has been addressed by + correcting errors in the implementation of + max-recursion-queries and by reducing the default value from + 100 to 32. + * In addition, a new max-query-restarts configuration statement + has been added, which limits the number of times a recursive + server will follow CNAME or DNAME records before terminating + resolution. This was previously a hard-coded limit of 16 but is + now configurable with a default value of 11. + * ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, + and Cagin Tanir from NetSec group, ETH Zurich for discovering + and notifying us about the issue. + * Allow shorter resolver-query-timeout configuration. + * The minimum allowed value of resolver-query-timeout was lowered + from its previous value of 10 000 milliseconds (which is still + the default) to 301 milliseconds. Note however that values of 1 + to 300 inclusive are interpreted as seconds before applying the + limit. A value of zero is interpreted as the default. + * Raise the log level of priming failures. 
+ * When a priming query is complete, it was previously logged at + level DEBUG(1), regardless of success or failure. It is now + logged to NOTICE in the case of failure. + + Bug Fixes: + * Fix a crash caused by valid TSIG signatures with invalid time. + * An assertion failure was triggered when the TSIG had a valid + cryptographic signature but the time was invalid. This could + happen when the times between the primary and secondary servers + were not synchronised. The crash has now been fixed. + * Return SERVFAIL for a too long CNAME chain. + * When following long CNAME chains, named was returning NOERROR + (along with a partial answer) instead of SERVFAIL, if the chain + exceeded the maximum length. This has been fixed. + * Reconfigure catz member zones during named reconfiguration. + * During a reconfiguration, named wasn’t reconfiguring catalog + zones’ member zones. This has been fixed. + * Update key lifetime and metadata after dnssec-policy + reconfiguration. + * Adjust key state and timing metadata if dnssec-policy key + lifetime configuration is updated, so that it also affects + existing keys. + * Fix a crash during zone modification. + * Fix an assertion failure that could happen when an + authoritative zone was modified while the server was generating + an answer from that zone. + * Fix assertion failure when executing named-checkconf -v to + print its version. + * Fix generation of 6to4-self name expansion from IPv4 address. + * The period between the most significant nibble of the encoded + IPv4 address and the 2.0.0.2.IP6.ARPA suffix was missing, + resulting in the wrong name being checked. This has been fixed. + * dig +yaml was producing unexpected and/or invalid YAML. output. + * SVBC ALPN text parsing failed to reject zero-length ALPN. + * Fix false QNAME minimisation error being reported. + * Remove the false positive success resolving log message when + QNAME minimisation is in effect and the final result is an + NXDOMAIN. 
+ * Fix --enable-tracing build on systems without dtrace. + * A missing util/dtrace.sh file prevented builds on systems + without the dtrace utility. This has been corrected. + ------------------------------------------------------------------- Wed Jul 24 09:03:08 UTC 2024 - Jorik Cronenberg diff --git a/bind.spec b/bind.spec index f2c74e8..cfeb0a8 100644 --- a/bind.spec +++ b/bind.spec @@ -56,7 +56,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.20.0 +Version: 9.20.3 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0
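Review bot: The LFS pointers and .asc files for the tarball are swapped, but nothing in this change shows the signature being checked against a pinned key: the bind.spec hunk only bumps Version, so whether a keyring Source (ISC's release-signing key) exists and is used by the source validator is not visible here; please confirm the build still verifies bind-9.20.3.tar.xz.asc against that keyring rather than merely shipping the .asc alongside. Both the removed and the added signature begin with the identical `iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOw` prefix, which carries the issuer fingerprint, so the same signing key was used for 9.20.0 and 9.20.3. Note also that the sha256 in the LFS pointer (`f90c2da1...`) only proves LFS object integrity; cross-check it against the upstream-published checksum for 9.20.3 before accepting.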
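Review bot: None of the three new bind.changes entries carries a bsc# or CVE reference, although several of the listed fixes are crash-class defects in code paths fed by network input ("Fix a crash caused by valid TSIG signatures with invalid time", "Fix an assertion failure when receiving DNS responses over TCP", "Fix an assertion failure when processing access control lists") and the max-recursion-queries tightening is credited to an external research group at ETH Zurich. Where ISC or the distro bug tracker assigned identifiers to any of these, add them in the usual `(bsc#..., CVE-...)` form so the update is picked up by security tooling; do not invent one where none was assigned.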
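Review bot: Two copy-through typos in the 9.20.1 entry should be fixed before submission: "dig +yaml was producing unexpected and/or invalid YAML. output." has a stray period mid-sentence, and "SVBC ALPN text parsing failed to reject zero-length ALPN." should read "SVCB" (the record type is SVCB). The 9.20.2 entry also has a broken hyphenation in "fine- grained privilege systems". This text reaches users via `rpm -q --changelog`, so it is worth cleaning up even though it originates upstream.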
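Review bot: The 9.20.2 entry carries a "Known Issues" item recommending UV_THREADPOOL_SIZE as a workaround for long-running offloaded tasks (RPZ loading, zone transfers) blocking query resolution, while the 9.20.3 entry's "Separate DNSSEC validation from long-running tasks" describes splitting exactly those tasks into their own threadpools. Since both entries land in one submission and the package goes straight from 9.20.0 to 9.20.3, an operator reading the changelog top-down may still set the variable unnecessarily; consider a one-line remark in the 9.20.3 entry that this addresses the 9.20.2 known issue, or drop the workaround text.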
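Review bot: The spec hunk only changes `-Version: 9.20.0` to `+Version: 9.20.3`, yet the changelog records a build-relevant change in 9.20.3: "When BIND 9 is not configured with the libxml2 and libjson-c libraries, the use of the statistics-channels option is a fatal error." If the spec's BuildRequires (not shown in this diff) do not pull in both libxml2 and libjson-c development packages, any shipped or documented default configuration that uses statistics-channels will now make named refuse to start; please confirm those dependencies are present. Jumping three minor releases also changes resolver defaults (max-recursion-queries 100 to 32, new max-query-restarts defaulting to 11), which is worth calling out in the update description since deep delegation chains that previously resolved may now SERVFAIL, and any distro Patch entries should be confirmed to still apply to 9.20.3.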