Sync from SUSE:SLFO:Main bind revision eb07042c402e055efee691bdab7bd1ae

This commit is contained in:
Adrian Schröter 2024-10-29 09:32:49 +01:00
parent 80ae6a9e4b
commit 1632751445
6 changed files with 261 additions and 20 deletions

BIN
bind-9.20.0.tar.xz (Stored with Git LFS)

Binary file not shown.

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmaNMyYACgkQUQpkKgbF
LOzwnBAAgICQ7MC0rkXZxD/8X3vatdpDZ4MkUvkhOR+J4kkKWBuSqZJQvuWA8XeS
/rycCHWFeUf3V9Wj6XbCPa1l4eV5rAnSVJtHHoDoK9Tt/1H6HCd0v2b270a9q1pU
ra5Jdi/ZP76iRYAAse8FpRymMcjEk/aXnnnOsCACOY8MNvxC83mmrciPJJxloEBy
9zGPGzkvnYTM1H/qSR0GrUsGLtzKPiXbvtsRo9jI3f8kL9Tdxw9IlmH0OY14L26L
QKgaFC4Sa3J2PmELLCORtvUEDeKi9FAG9+6ua3h7ork2n/cARmOhvmZ8FFgLlB1e
7GSWCMujw+h44vNJrz1w14Bm1sN3k9PgY34i7ter/WA6ZTFDIWyhQh5tHrbjsdyv
DTlE8EvVNIg4fYMCew57yedXqzWO6bavwFlsiPyjXyG9+k9xSeQEYuuLGismF3gQ
AGXPyUUAiqhnyQd1uCf8qK5sgkH39+g5TRFl5oSvZavOAr/GtzsNhAo5Ii5ia8qL
mUVESk+Jyl4/rKJAAMwWtdl8mk8RYx1BF0XAG/mnvC81HBcuiu5aRBa5N3p8Kg+W
cUMPOjDhXn90pxEcD1MSg6nH1P0sVVOYWaQvJ1FtzKUp7JKNJus0yjgQarF5VI/l
7VSUi36dGSlDyM4EvspS/KAnItErzA8Vn40R9x8qbmzjD1Ka5LU=
=wneo
-----END PGP SIGNATURE-----

BIN
bind-9.20.3.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

16
bind-9.20.3.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmcFmzcACgkQUQpkKgbF
LOy7HA//bEjc3SPdNiCQgodOj4w+7o4hmcnbxb7HWJcmV1kNlwHFB9ZzoQzVdFGI
C9/+O3WMjk8EeLUYyip+ZMU6KEb55DwqSGX+TNPl+UiVZmIfCEmZ657KXhflcPjc
xYEg2XzL8u2MuKLglEB8FK23zdki13bre/GcdfqMtHowZiln60KaPYR1VeS28m14
4p4VzDfLSq2vrlzpLiT7KlSds2mHDfWWxXDNwFIPZ5vlvtLyzbozRQ9X8p1wseO7
3jjUPMGNNcx0EYZQ88KbTtv2eLxrYK8NRU4M47iXpP5/AYAzsq1gD+7mYNxLeIv+
hbL5X7hxLl5OMNU47tHM/xgRcrGppeDSeKEihr/+1Z9JPL3Zq+oS6XwlzH1KmxQ6
6mi6Z1SgAQNlfrFC11fxSokS7C/lWIOmXKa19tdHbsAw/kU9Onk6gh1D4BVTbKfJ
dbEl7/rJB14Er9+C6N3DB28HwgtlDC+ZLX79OqY9GN67LWHUkbGoKB7REkVQ0vMq
JzU9L+R+8sJQXvgqj/Ei9KRA08QxdetTTtigA75yGzyn2HWgDl1CTfFIYCEDZr9T
AJdim31gFlqIq1M8OwcynsthZswlFFwvHDpKuS9/AqXVaK1KSkpYfb+8gLl/l+bA
dcMFEckN7J60Qhqx/BAyBk/6vZ3F6FBmotKMctq9rpvCf1coM/E=
=vNN/
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,244 @@
-------------------------------------------------------------------
Mon Oct 21 08:42:47 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.20.3
New Features:
* Log query response status to the query log.
* Log a query response summary using the new responses category.
Logging can be controlled via the responselog option and via
rndc responselog.
* Added WALLET type.
* Add the new record type WALLET (262). This provides a mapping
from a domain name to a cryptographic currency wallet. Multiple
mappings can exist if multiple records exist.
Feature Changes:
* Set logging category for notify/xfer-in-related messages.
* Some notify and xfer-in-related log messages were logged at the
“general” category level instead of their own category. This
has been fixed.
* Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
* This change allows fallback from an IXFR failure to AXFR when
the reason is DNS_R_TOOMANYRECORDS.
Bug Fixes:
* Fix a statistics channel counter bug when “forward only” zones
are used.
* When resolving a zone with a “forward only” policy, and finding
out that all the forwarders were marked as “bad”, the
“ServerQuota” counter of the statistics channel was incorrectly
increased. This has been fixed.
* Fix a bug in the static-stub implementation.
* Static-stub addresses and addresses from other sources were
being mixed together, resulting in static-stub queries going to
addresses not specified in the configuration, or alternatively,
static-stub addresses being used instead of the correct server
addresses.
* Dont allow statistics-channels if libxml2 and libjson-c are
not configured.
* When BIND 9 is not configured with the libxml2 and libjson-c
libraries, the use of the statistics-channels option is a fatal
error.
* Separate DNSSEC validation from long-running tasks.
* Split CPU-intensive and long-running tasks into separate
threadpools in a way that the long-running tasks - like RPZ,
catalog zone processing, or zone file operations - dont block
CPU-intensive operations like DNSSEC validations.
* Fix an assertion failure when processing access control lists.
* The named process could terminate unexpectedly when processing
ACLs. This has been fixed.
* Fix a bug in Offline KSK using a ZSK with an unlimited
lifetime.
* If the ZSK had an unlimited lifetime, the timing metadata
Inactive and Delete could not be found and were treated as an
error, preventing the zone from being signed. This has been
fixed.
* Limit the outgoing UDP send queue size.
* If the operating system UDP queue got full and the outgoing UDP
sending started to be delayed, BIND 9 could exhibit memory
spikes as it tried to enqueue all the outgoing UDP messages. It
now tries to deliver the outgoing UDP messages synchronously;
if that fails, it drops the outgoing DNS message that would get
queued up and then timeout on the client side.
* Do not set SO_INCOMING_CPU.
* Remove the SO_INCOMING_CPU setting as kernel scheduling
performs better without constraints.
* Fix the rndc dumpdb commands error reporting.
* The rndc dumpdb command was not reporting errors that occurred
when named started up the database dump process. This has been
fixed.
* Fix long-running incoming transfers.
* Incoming transfers that took longer than 30 seconds would stop
reading from the TCP stream and the incoming transfer would be
indefinitely stuck, causing BIND 9 to hang during shutdown.
* This has been fixed, and the max-transfer-time-in and
max-transfer-idle-in timeouts are now honored.
* Fix an assertion failure when receiving DNS responses over TCP.
* When matching the received Query ID in the TCP connection, an
invalid Query ID could cause an assertion failure. This has
been fixed.
-------------------------------------------------------------------
Thu Sep 19 08:57:57 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.20.2
New Features:
* Support for Offline KSK implemented.
* Add a new configuration option offline-ksk to enable Offline
KSK key management. Signed Key Response (SKR) files created
with dnssec-ksr (or other programs) can now be imported into
named with the new rndc skr -import command. Rather than
creating new DNSKEY, CDS, and CDNSKEY records and generating
signatures covering these types, these records are loaded from
the currently active bundle from the imported SKR.
* The implementation is loosely based on
draft-icann-dnssec-keymgmt-01.txt.
* Print the full path of the working directory in startup log
messages.
* named now prints its initial working directory during startup,
and the changed working directory when loading or reloading its
configuration file, if it has a valid directory option defined.
* Support a restricted key tag range when generating new keys.
* When multiple signers are being used to sign a zone, it is
useful to be able to specify a restricted range of key tags to
be used by an operator to sign the zone. The range can be
specified with tag-range in dnssec-policys keys (for named and
dnssec-ksr) and with the new options dnssec-keyfromlabel -M and
dnssec-keygen -M.
Feature Changes:
* Exempt prefetches from the fetches-per-zone and
fetches-per-server quotas.
* Fetches generated automatically as a result of prefetch are now
exempt from the fetches-per-zone and fetches-per-server quotas.
This should help in maintaining the cache from which query
responses can be given.
* Follow the number of CPUs set by taskset/cpuset.
* Administrators may wish to constrain the set of cores that
named runs on via the taskset, cpuset, or numactl programs (or
equivalents on other OSes).
* If the admin has used taskset, named now automatically uses the
given number of CPUs rather than the system-wide count.
Bug Fixes:
* Delay the release of root privileges until after configuring
controls.
* Delay relinquishing root privileges until the control channel
has been configured, for the benefit of systems that require
root to use privileged port numbers. This mostly affects
systems without fine- grained privilege systems (i.e., other
than Linux).
* Fix a rare assertion failure when shutting down incoming
transfer.
* A very rare assertion failure could be triggered when the
incoming transfer was either forcefully shut down, or it
finished during the printing of the details about the
statistics channel. This has been fixed.
* Fix algorithm rollover bug when there are two keys with the
same keytag.
* If there was an algorithm rollover and two keys of different
algorithms shared the same keytags, there was the possibility
that the check of whether the key matched a specific state
could be performed against the wrong key. This has been fixed
by not only checking for the matching key tag but also the key
algorithm.
* Fix an assertion failure in validate_dnskey_dsset_done().
* Under rare circumstances, named could terminate unexpectedly
when validating a DNSKEY resource record if the validation had
been canceled in the meantime. This has been fixed.
Known Issues:
* Long-running tasks in offloaded threads (e.g. the loading of
RPZ zones or processing zone transfers) may block the
resolution of queries during these operations and cause the
queries to time out. To work around the issue, the
UV_THREADPOOL_SIZE environment variable can be set to a larger
value before starting named. The recommended value is the
number of RPZ zones (or number of transfers) plus the number of
threads BIND should use, which is typically the number of CPUs.
-------------------------------------------------------------------
Fri Aug 23 09:26:22 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.20.1
New Features:
* Implement rndc retransfer -force.
* A new optional argument -force has been added to the command
rndc retransfer. When it is specified, named aborts the ongoing
zone transfer (if there is one) and starts a new transfer.
* dig now reports a missing QUESTION section for messages with
opcode QUERY.
* Query responses should contain the QUESTION section, with some
exceptions. dig was not reporting this.
Feature Changes:
* Tighten max-recursion-queries and add max-query-restarts
configuration statement.
* There were cases when the max-recursion-queries quota was
ineffective. It was possible to craft zones that would cause a
resolver to waste resources by sending excessive queries while
attempting to resolve a name. This has been addressed by
correcting errors in the implementation of
max-recursion-queries and by reducing the default value from
100 to 32.
* In addition, a new max-query-restarts configuration statement
has been added, which limits the number of times a recursive
server will follow CNAME or DNAME records before terminating
resolution. This was previously a hard-coded limit of 16 but is
now configurable with a default value of 11.
* ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli,
and Cagin Tanir from NetSec group, ETH Zurich for discovering
and notifying us about the issue.
* Allow shorter resolver-query-timeout configuration.
* The minimum allowed value of resolver-query-timeout was lowered
from its previous value of 10 000 milliseconds (which is still
the default) to 301 milliseconds. Note however that values of 1
to 300 inclusive are interpreted as seconds before applying the
limit. A value of zero is interpreted as the default.
* Raise the log level of priming failures.
* When a priming query is complete, it was previously logged at
level DEBUG(1), regardless of success or failure. It is now
logged to NOTICE in the case of failure.
Bug Fixes:
* Fix a crash caused by valid TSIG signatures with invalid time.
* An assertion failure was triggered when the TSIG had a valid
cryptographic signature but the time was invalid. This could
happen when the times between the primary and secondary servers
were not synchronised. The crash has now been fixed.
* Return SERVFAIL for a too long CNAME chain.
* When following long CNAME chains, named was returning NOERROR
(along with a partial answer) instead of SERVFAIL, if the chain
exceeded the maximum length. This has been fixed.
* Reconfigure catz member zones during named reconfiguration.
* During a reconfiguration, named wasnt reconfiguring catalog
zones member zones. This has been fixed.
* Update key lifetime and metadata after dnssec-policy
reconfiguration.
* Adjust key state and timing metadata if dnssec-policy key
lifetime configuration is updated, so that it also affects
existing keys.
* Fix a crash during zone modification.
* Fix an assertion failure that could happen when an
authoritative zone was modified while the server was generating
an answer from that zone.
* Fix assertion failure when executing named-checkconf -v to
print its version.
* Fix generation of 6to4-self name expansion from IPv4 address.
* The period between the most significant nibble of the encoded
IPv4 address and the 2.0.0.2.IP6.ARPA suffix was missing,
resulting in the wrong name being checked. This has been fixed.
* dig +yaml was producing unexpected and/or invalid YAML. output.
* SVBC ALPN text parsing failed to reject zero-length ALPN.
* Fix false QNAME minimisation error being reported.
* Remove the false positive success resolving log message when
QNAME minimisation is in effect and the final result is an
NXDOMAIN.
* Fix --enable-tracing build on systems without dtrace.
* A missing util/dtrace.sh file prevented builds on systems
without the dtrace utility. This has been corrected.
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jul 24 09:03:08 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com> Wed Jul 24 09:03:08 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>

View File

@ -56,7 +56,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
Name: bind Name: bind
Version: 9.20.0 Version: 9.20.3
Release: 0 Release: 0
Summary: Domain Name System (DNS) Server (named) Summary: Domain Name System (DNS) Server (named)
License: MPL-2.0 License: MPL-2.0