Sync from SUSE:SLFO:Main bind revision eb07042c402e055efee691bdab7bd1ae

bind-9.20.0.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmaNMyYACgkQUQpkKgbF
-LOzwnBAAgICQ7MC0rkXZxD/8X3vatdpDZ4MkUvkhOR+J4kkKWBuSqZJQvuWA8XeS
-/rycCHWFeUf3V9Wj6XbCPa1l4eV5rAnSVJtHHoDoK9Tt/1H6HCd0v2b270a9q1pU
-ra5Jdi/ZP76iRYAAse8FpRymMcjEk/aXnnnOsCACOY8MNvxC83mmrciPJJxloEBy
-9zGPGzkvnYTM1H/qSR0GrUsGLtzKPiXbvtsRo9jI3f8kL9Tdxw9IlmH0OY14L26L
-QKgaFC4Sa3J2PmELLCORtvUEDeKi9FAG9+6ua3h7ork2n/cARmOhvmZ8FFgLlB1e
-7GSWCMujw+h44vNJrz1w14Bm1sN3k9PgY34i7ter/WA6ZTFDIWyhQh5tHrbjsdyv
-DTlE8EvVNIg4fYMCew57yedXqzWO6bavwFlsiPyjXyG9+k9xSeQEYuuLGismF3gQ
-AGXPyUUAiqhnyQd1uCf8qK5sgkH39+g5TRFl5oSvZavOAr/GtzsNhAo5Ii5ia8qL
-mUVESk+Jyl4/rKJAAMwWtdl8mk8RYx1BF0XAG/mnvC81HBcuiu5aRBa5N3p8Kg+W
-cUMPOjDhXn90pxEcD1MSg6nH1P0sVVOYWaQvJ1FtzKUp7JKNJus0yjgQarF5VI/l
-7VSUi36dGSlDyM4EvspS/KAnItErzA8Vn40R9x8qbmzjD1Ka5LU=
-=wneo
------END PGP SIGNATURE-----

bind-9.20.3.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmcFmzcACgkQUQpkKgbF
+LOy7HA//bEjc3SPdNiCQgodOj4w+7o4hmcnbxb7HWJcmV1kNlwHFB9ZzoQzVdFGI
+C9/+O3WMjk8EeLUYyip+ZMU6KEb55DwqSGX+TNPl+UiVZmIfCEmZ657KXhflcPjc
+xYEg2XzL8u2MuKLglEB8FK23zdki13bre/GcdfqMtHowZiln60KaPYR1VeS28m14
+4p4VzDfLSq2vrlzpLiT7KlSds2mHDfWWxXDNwFIPZ5vlvtLyzbozRQ9X8p1wseO7
+3jjUPMGNNcx0EYZQ88KbTtv2eLxrYK8NRU4M47iXpP5/AYAzsq1gD+7mYNxLeIv+
+hbL5X7hxLl5OMNU47tHM/xgRcrGppeDSeKEihr/+1Z9JPL3Zq+oS6XwlzH1KmxQ6
+6mi6Z1SgAQNlfrFC11fxSokS7C/lWIOmXKa19tdHbsAw/kU9Onk6gh1D4BVTbKfJ
+dbEl7/rJB14Er9+C6N3DB28HwgtlDC+ZLX79OqY9GN67LWHUkbGoKB7REkVQ0vMq
+JzU9L+R+8sJQXvgqj/Ei9KRA08QxdetTTtigA75yGzyn2HWgDl1CTfFIYCEDZr9T
+AJdim31gFlqIq1M8OwcynsthZswlFFwvHDpKuS9/AqXVaK1KSkpYfb+8gLl/l+bA
+dcMFEckN7J60Qhqx/BAyBk/6vZ3F6FBmotKMctq9rpvCf1coM/E=
+=vNN/
+-----END PGP SIGNATURE-----

bind.changes

@@ -1,3 +1,244 @@
+-------------------------------------------------------------------
+Mon Oct 21 08:42:47 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to release 9.20.3
+  New Features:
+  * Log query response status to the query log.
+  * Log a query response summary using the new responses category.
+    Logging can be controlled via the responselog option and via
+    rndc responselog.
+  * Added WALLET type.
+  * Add the new record type WALLET (262). This provides a mapping
+    from a domain name to a cryptographic currency wallet. Multiple
+    mappings can exist if multiple records exist.
+
+  Feature Changes:
+  * Set logging category for notify/xfer-in-related messages.
+  * Some notify and xfer-in-related log messages were logged at the
+    “general” category level instead of their own category. This
+    has been fixed.
+  * Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
+  * This change allows fallback from an IXFR failure to AXFR when
+    the reason is DNS_R_TOOMANYRECORDS.
+
+  Bug Fixes:
+  * Fix a statistics channel counter bug when “forward only” zones
+    are used.
+  * When resolving a zone with a “forward only” policy, and finding
+    out that all the forwarders were marked as “bad”, the
+    “ServerQuota” counter of the statistics channel was incorrectly
+    increased. This has been fixed.
+  * Fix a bug in the static-stub implementation.
+  * Static-stub addresses and addresses from other sources were
+    being mixed together, resulting in static-stub queries going to
+    addresses not specified in the configuration, or alternatively,
+    static-stub addresses being used instead of the correct server
+    addresses.
+  * Don’t allow statistics-channels if libxml2 and libjson-c are
+    not configured.
+  * When BIND 9 is not configured with the libxml2 and libjson-c
+    libraries, the use of the statistics-channels option is a fatal
+    error.
+  * Separate DNSSEC validation from long-running tasks.
+  * Split CPU-intensive and long-running tasks into separate
+    threadpools in a way that the long-running tasks - like RPZ,
+    catalog zone processing, or zone file operations - don’t block
+    CPU-intensive operations like DNSSEC validations.
+  * Fix an assertion failure when processing access control lists.
+  * The named process could terminate unexpectedly when processing
+    ACLs. This has been fixed.
+  * Fix a bug in Offline KSK using a ZSK with an unlimited
+    lifetime.
+  * If the ZSK had an unlimited lifetime, the timing metadata
+    Inactive and Delete could not be found and were treated as an
+    error, preventing the zone from being signed. This has been
+    fixed.
+  * Limit the outgoing UDP send queue size.
+  * If the operating system UDP queue got full and the outgoing UDP
+    sending started to be delayed, BIND 9 could exhibit memory
+    spikes as it tried to enqueue all the outgoing UDP messages. It
+    now tries to deliver the outgoing UDP messages synchronously;
+    if that fails, it drops the outgoing DNS message that would get
+    queued up and then timeout on the client side.
+  * Do not set SO_INCOMING_CPU.
+  * Remove the SO_INCOMING_CPU setting as kernel scheduling
+    performs better without constraints.
+  * Fix the rndc dumpdb command’s error reporting.
+  * The rndc dumpdb command was not reporting errors that occurred
+    when named started up the database dump process. This has been
+    fixed.
+  * Fix long-running incoming transfers.
+  * Incoming transfers that took longer than 30 seconds would stop
+    reading from the TCP stream and the incoming transfer would be
+    indefinitely stuck, causing BIND 9 to hang during shutdown.
+  * This has been fixed, and the max-transfer-time-in and
+    max-transfer-idle-in timeouts are now honored.
+  * Fix an assertion failure when receiving DNS responses over TCP.
+  * When matching the received Query ID in the TCP connection, an
+    invalid Query ID could cause an assertion failure. This has
+    been fixed.
+
+-------------------------------------------------------------------
+Thu Sep 19 08:57:57 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to release 9.20.2
+  New Features:
+  * Support for Offline KSK implemented.
+  * Add a new configuration option offline-ksk to enable Offline
+    KSK key management. Signed Key Response (SKR) files created
+    with dnssec-ksr (or other programs) can now be imported into
+    named with the new rndc skr -import command. Rather than
+    creating new DNSKEY, CDS, and CDNSKEY records and generating
+    signatures covering these types, these records are loaded from
+    the currently active bundle from the imported SKR.
+  * The implementation is loosely based on
+    draft-icann-dnssec-keymgmt-01.txt.
+  * Print the full path of the working directory in startup log
+    messages.
+  * named now prints its initial working directory during startup,
+    and the changed working directory when loading or reloading its
+    configuration file, if it has a valid directory option defined.
+  * Support a restricted key tag range when generating new keys.
+  * When multiple signers are being used to sign a zone, it is
+    useful to be able to specify a restricted range of key tags to
+    be used by an operator to sign the zone. The range can be
+    specified with tag-range in dnssec-policy’s keys (for named and
+    dnssec-ksr) and with the new options dnssec-keyfromlabel -M and
+    dnssec-keygen -M.
+
+  Feature Changes:
+  * Exempt prefetches from the fetches-per-zone and
+    fetches-per-server quotas.
+  * Fetches generated automatically as a result of prefetch are now
+    exempt from the fetches-per-zone and fetches-per-server quotas.
+    This should help in maintaining the cache from which query
+    responses can be given.
+  * Follow the number of CPUs set by taskset/cpuset.
+  * Administrators may wish to constrain the set of cores that
+    named runs on via the taskset, cpuset, or numactl programs (or
+    equivalents on other OSes).
+  * If the admin has used taskset, named now automatically uses the
+    given number of CPUs rather than the system-wide count.
+
+  Bug Fixes:
+  * Delay the release of root privileges until after configuring
+    controls.
+  * Delay relinquishing root privileges until the control channel
+    has been configured, for the benefit of systems that require
+    root to use privileged port numbers. This mostly affects
+    systems without fine- grained privilege systems (i.e., other
+    than Linux).
+  * Fix a rare assertion failure when shutting down incoming
+    transfer.
+  * A very rare assertion failure could be triggered when the
+    incoming transfer was either forcefully shut down, or it
+    finished during the printing of the details about the
+    statistics channel. This has been fixed.
+  * Fix algorithm rollover bug when there are two keys with the
+    same keytag.
+  * If there was an algorithm rollover and two keys of different
+    algorithms shared the same keytags, there was the possibility
+    that the check of whether the key matched a specific state
+    could be performed against the wrong key. This has been fixed
+    by not only checking for the matching key tag but also the key
+    algorithm.
+  * Fix an assertion failure in validate_dnskey_dsset_done().
+  * Under rare circumstances, named could terminate unexpectedly
+    when validating a DNSKEY resource record if the validation had
+    been canceled in the meantime. This has been fixed.
+
+  Known Issues:
+  * Long-running tasks in offloaded threads (e.g. the loading of
+    RPZ zones or processing zone transfers) may block the
+    resolution of queries during these operations and cause the
+    queries to time out. To work around the issue, the
+    UV_THREADPOOL_SIZE environment variable can be set to a larger
+    value before starting named. The recommended value is the
+    number of RPZ zones (or number of transfers) plus the number of
+    threads BIND should use, which is typically the number of CPUs.
+
+
+-------------------------------------------------------------------
+Fri Aug 23 09:26:22 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to release 9.20.1
+  New Features:
+  * Implement rndc retransfer -force.
+  * A new optional argument -force has been added to the command
+    rndc retransfer. When it is specified, named aborts the ongoing
+    zone transfer (if there is one) and starts a new transfer.
+  * dig now reports a missing QUESTION section for messages with
+    opcode QUERY.
+  * Query responses should contain the QUESTION section, with some
+    exceptions. dig was not reporting this.
+
+  Feature Changes:
+  * Tighten max-recursion-queries and add max-query-restarts
+    configuration statement.
+  * There were cases when the max-recursion-queries quota was
+    ineffective. It was possible to craft zones that would cause a
+    resolver to waste resources by sending excessive queries while
+    attempting to resolve a name. This has been addressed by
+    correcting errors in the implementation of
+    max-recursion-queries and by reducing the default value from
+    100 to 32.
+  * In addition, a new max-query-restarts configuration statement
+    has been added, which limits the number of times a recursive
+    server will follow CNAME or DNAME records before terminating
+    resolution. This was previously a hard-coded limit of 16 but is
+    now configurable with a default value of 11.
+  * ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli,
+    and Cagin Tanir from NetSec group, ETH Zurich for discovering
+    and notifying us about the issue.
+  * Allow shorter resolver-query-timeout configuration.
+  * The minimum allowed value of resolver-query-timeout was lowered
+    from its previous value of 10 000 milliseconds (which is still
+    the default) to 301 milliseconds. Note however that values of 1
+    to 300 inclusive are interpreted as seconds before applying the
+    limit. A value of zero is interpreted as the default.
+  * Raise the log level of priming failures.
+  * When a priming query is complete, it was previously logged at
+    level DEBUG(1), regardless of success or failure. It is now
+    logged to NOTICE in the case of failure.
+
+  Bug Fixes:
+  * Fix a crash caused by valid TSIG signatures with invalid time.
+  * An assertion failure was triggered when the TSIG had a valid
+    cryptographic signature but the time was invalid. This could
+    happen when the times between the primary and secondary servers
+    were not synchronised. The crash has now been fixed.
+  * Return SERVFAIL for a too long CNAME chain.
+  * When following long CNAME chains, named was returning NOERROR
+    (along with a partial answer) instead of SERVFAIL, if the chain
+    exceeded the maximum length. This has been fixed.
+  * Reconfigure catz member zones during named reconfiguration.
+  * During a reconfiguration, named wasn’t reconfiguring catalog
+    zones’ member zones. This has been fixed.
+  * Update key lifetime and metadata after dnssec-policy
+    reconfiguration.
+  * Adjust key state and timing metadata if dnssec-policy key
+    lifetime configuration is updated, so that it also affects
+    existing keys.
+  * Fix a crash during zone modification.
+  * Fix an assertion failure that could happen when an
+    authoritative zone was modified while the server was generating
+    an answer from that zone.
+  * Fix assertion failure when executing named-checkconf -v to
+    print its version.
+  * Fix generation of 6to4-self name expansion from IPv4 address.
+  * The period between the most significant nibble of the encoded
+    IPv4 address and the 2.0.0.2.IP6.ARPA suffix was missing,
+    resulting in the wrong name being checked. This has been fixed.
+  * dig +yaml was producing unexpected and/or invalid YAML. output.
+  * SVBC ALPN text parsing failed to reject zero-length ALPN.
+  * Fix false QNAME minimisation error being reported.
+  * Remove the false positive success resolving log message when
+    QNAME minimisation is in effect and the final result is an
+    NXDOMAIN.
+  * Fix --enable-tracing build on systems without dtrace.
+  * A missing util/dtrace.sh file prevented builds on systems
+    without the dtrace utility. This has been corrected.
+
 -------------------------------------------------------------------
 Wed Jul 24 09:03:08 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 

bind.spec

@@ -56,7 +56,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           bind
-Version:        9.20.0
+Version:        9.20.3
 Release:        0
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPL-2.0