diff --git a/_service b/_service
new file mode 100644
index 0000000..dd5a972
--- /dev/null
+++ b/_service
@@ -0,0 +1,15 @@
+
+
+ git
+ https://gitlab.isc.org/isc-projects/dlz-modules.git
+ main
+ %h
+ dlz-modules
+ yes
+
+
+
+ *.tar
+ gz
+
+
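Review bot: The source is fetched from the moving `main` branch with `%h` as the version, so each service run can pull a different commit and produce a differently named archive, while bind.spec hard-codes `5923650` in `dlz_modules_hash`. The XML markup is missing from this rendering, so the parameter names are inferred from the values. This commit adds no signature for the DLZ archive, unlike the `.asc` kept for the BIND tarball, which leaves the pinned commit as the only integrity anchor. I would set the revision to the full hash recorded in dlz-modules.obsinfo, `<param name="revision">5923650dbb69eac5006938218d0bc11ad9b41696</param>`, and bump it deliberately together with the spec macro.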
diff --git a/bind-9.20.3.tar.xz b/bind-9.20.3.tar.xz
deleted file mode 100644
index 06a4568..0000000
--- a/bind-9.20.3.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f90c2da1621299f56a2e6585a6fe459ec3efd6f2fdf84a8fbf31b40be7698a73
-size 5664328
diff --git a/bind-9.20.3.tar.xz.asc b/bind-9.20.3.tar.xz.asc
deleted file mode 100644
index c90bc90..0000000
--- a/bind-9.20.3.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmcFmzcACgkQUQpkKgbF
-LOy7HA//bEjc3SPdNiCQgodOj4w+7o4hmcnbxb7HWJcmV1kNlwHFB9ZzoQzVdFGI
-C9/+O3WMjk8EeLUYyip+ZMU6KEb55DwqSGX+TNPl+UiVZmIfCEmZ657KXhflcPjc
-xYEg2XzL8u2MuKLglEB8FK23zdki13bre/GcdfqMtHowZiln60KaPYR1VeS28m14
-4p4VzDfLSq2vrlzpLiT7KlSds2mHDfWWxXDNwFIPZ5vlvtLyzbozRQ9X8p1wseO7
-3jjUPMGNNcx0EYZQ88KbTtv2eLxrYK8NRU4M47iXpP5/AYAzsq1gD+7mYNxLeIv+
-hbL5X7hxLl5OMNU47tHM/xgRcrGppeDSeKEihr/+1Z9JPL3Zq+oS6XwlzH1KmxQ6
-6mi6Z1SgAQNlfrFC11fxSokS7C/lWIOmXKa19tdHbsAw/kU9Onk6gh1D4BVTbKfJ
-dbEl7/rJB14Er9+C6N3DB28HwgtlDC+ZLX79OqY9GN67LWHUkbGoKB7REkVQ0vMq
-JzU9L+R+8sJQXvgqj/Ei9KRA08QxdetTTtigA75yGzyn2HWgDl1CTfFIYCEDZr9T
-AJdim31gFlqIq1M8OwcynsthZswlFFwvHDpKuS9/AqXVaK1KSkpYfb+8gLl/l+bA
-dcMFEckN7J60Qhqx/BAyBk/6vZ3F6FBmotKMctq9rpvCf1coM/E=
-=vNN/
------END PGP SIGNATURE-----
diff --git a/bind-9.20.4.tar.xz b/bind-9.20.4.tar.xz
new file mode 100644
index 0000000..dc56479
--- /dev/null
+++ b/bind-9.20.4.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3a8e1a05e00e3e9bc02bdffded7862faf7726ba76ba997f42ab487777bd8210b
+size 5620536
diff --git a/bind-9.20.4.tar.xz.asc b/bind-9.20.4.tar.xz.asc
new file mode 100644
index 0000000..2e4476d
--- /dev/null
+++ b/bind-9.20.4.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=xbdk
+-----END PGP SIGNATURE-----
diff --git a/bind.changes b/bind.changes
index 5dfe864..52dfd25 100644
--- a/bind.changes
+++ b/bind.changes
@@ -1,3 +1,89 @@
+-------------------------------------------------------------------
+Thu Dec 12 12:38:04 UTC 2024 - Jorik Cronenberg
+
+- Add new dlz-modules source
+- Update to release 9.20.4
+ New Features:
+ * Update built-in bind.keys file with the new 2025 IANA root key.
+ * Add an initial-ds entry to bind.keys for the new root key, ID
+ 38696, which is scheduled for publication in January 2025.
+
+ Removed Features:
+ * Move contributed DLZ modules into a separate repository. DLZ
+ modules should not be used except in testing.
+ * The DLZ modules were not maintained, the DLZ interface itself
+ is going to be scheduled for removal, and the DLZ interface is
+ blocking. Any module that blocks the query to the database
+ blocks the whole server.
+ * The DLZ modules now live in
+ https://gitlab.isc.org/isc-projects/dlz-modules repository.
+
+ Feature Changes:
+ * dnssec-ksr now supports KSK rollovers.
+ * The tool now allows for KSK generation, as well as planned KSK
+ rollovers. When signing a bundle from a Key Signing Request
+ (KSR), only the key that is active in that time frame is used
+ for signing. Also, the CDS and CDNSKEY records are now added
+ and removed at the correct time.
+ * Print RFC 7314: EXPIRE option in transfer summary.
+ * Emit more helpful log messages for exceeding
+ max-records-per-type.
+ * The new log message is emitted when adding or updating an RRset
+ fails due to exceeding the max-records-per-type limit. The log
+ includes the owner name and type, corresponding zone name, and
+ the limit value. It will be emitted on loading a zone file,
+ inbound zone transfer (both AXFR and IXFR), handling a DDNS
+ update, or updating a cache DB. It’s especially helpful in the
+ case of zone transfer, since the secondary side doesn’t have
+ direct access to the offending zone data.
+ * It could also be used for max-types-per-name, but this change
+ doesn’t implement it yet as it’s much less likely to happen in
+ practice.
+ * Harden key management when key files have become unavailable.
+ * Prior to doing key management, BIND 9 will check if the key
+ files on disk match the expected keys. If key files for
+ previously observed keys have become unavailable, this will
+ prevent the internal key manager from running.
+
+ Bug Fixes:
+ * Use TLS for notifies if configured to do so.
+ * Notifies configured to use TLS will now be sent over TLS,
+ instead of plain text UDP or TCP. Also, failing to load the TLS
+ configuration for notify now results in an error.
+ * {&dns} is as valid as {?dns} in a SVCB’s dohpath.
+ * dig failed to parse a valid SVCB record with a dohpath URI
+ template containing a {&dns}, like
+ dohpath=/some/path?key=value{&dns}”.
+ * Fix NSEC3 closest encloser lookup for names with empty
+ non-terminals.
+ * A previous performance optimization for finding the NSEC3
+ closest encloser when generating authoritative responses could
+ cause servers to return incorrect NSEC3 records in some cases.
+ This has been fixed.
+ * recursive-clients statement with value 0 triggered an assertion
+ failure.
+ * BIND 9.20.0 broke recursive-clients 0;. This has now been
+ fixed.
+ * Parsing of hostnames in rndc.conf was broken.
+ * When DSCP support was removed, parsing of hostnames in
+ rndc.conf was accidentally broken, resulting in an assertion
+ failure. This has been fixed.
+ * dig options of the form [+-]option= failed to display
+ the value on the printed command line. This has been fixed.
+ * Provide more visibility into TLS configuration errors by
+ logging SSL_CTX_use_certificate_chain_file() and
+ SSL_CTX_use_PrivateKey_file() errors individually.
+ * Fix a race condition when canceling ADB find which could cause
+ an assertion failure.
+ * SERVFAIL cache memory cleaning is now more aggressive; it no
+ longer consumes a lot of memory if the server encounters many
+ SERVFAILs at once.
+ * Fix trying the next primary XoT server when the previous one
+ was marked as unreachable.
+ * In some cases named failed to try the next primary server in
+ the primaries list when the previous one was marked as
+ unreachable. This has been fixed.
+
-------------------------------------------------------------------
Thu Dec 12 09:54:08 UTC 2024 - Andreas Stieger
diff --git a/bind.spec b/bind.spec
index ef149d5..18fdad3 100644
--- a/bind.spec
+++ b/bind.spec
@@ -1,7 +1,7 @@
#
# spec file for package bind
#
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2024 Andreas Stieger
#
# All modifications and additions to the file contributed by third parties
@@ -52,12 +52,14 @@
%define with_sfw2 0
%endif
+%define dlz_modules_hash 5923650
+
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: bind
-Version: 9.20.3
+Version: 9.20.4
Release: 0
Summary: Domain Name System (DNS) Server (named)
License: MPL-2.0
@@ -68,6 +70,7 @@ Source1: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.t
Source2: vendor-files.tar.bz2
# from http://www.isc.org/about/openpgp/ ... changes yearly apparently.
Source3: %{name}.keyring
+Source4: dlz-modules-%{dlz_modules_hash}.tar.gz
Source9: https://www.internic.net/domain/named.root
Source40: dnszone-schema.txt
Source60: dlz-schema.txt
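Review bot: `Source4` is added with no comment on where the archive comes from or how its integrity is established, while the `Source3` keyring line just above documents the signature material for the BIND tarball. Nothing visible in this commit adds a signature or checksum for the DLZ archive, and the changelog entry in the same commit records that upstream treats these modules as unmaintained and for testing only. I would add above the line: `# DLZ modules, split out of the BIND tarball in 9.20.4; generated by _service from https://gitlab.isc.org/isc-projects/dlz-modules (commit in dlz-modules.obsinfo); no upstream signature shipped`. Any verification of Source0 against the keyring happens outside this hunk.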
@@ -232,6 +235,7 @@ possible string of labels in the query name that matches the wildcard.
%prep
%autosetup -p1 -a2
+%setup -T -D -a4
# use the year from source gzip header instead of current one to make reproducible rpms
year=$(perl -e 'sysread(STDIN, $h, 8); print (1900+(gmtime(unpack("l",substr($h,4))))[5])' < %{SOURCE0})
@@ -308,8 +312,8 @@ done
%sysusers_generate_pre %{SOURCE72} named named.conf
%endif
# special build for the plugins
-for d in contrib/dlz/modules/*; do
- [ -e $d/Makefile ] && make -C $d
+for d in dlz-modules-%{dlz_modules_hash}/modules/*; do
+ [ -e $d/Makefile ] && make -C $d
done
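Review bot: In the rewritten loop `$d` is still unquoted in both uses, and a directory without a Makefile is skipped silently by `[ -e $d/Makefile ] && make -C $d`. The module tree now comes from a separately tracked repository, so if its layout changes the glob stays literal and the loop builds nothing without any message. As far as this diff shows, the problem would only surface later at the `pushd` in %install. I would write the body as `[ -e "$d/Makefile" ] || continue` followed by `make -C "$d"`, and consider failing explicitly when the `modules` directory is missing. The %build section that contains this loop starts outside the hunk.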
%install
@@ -340,25 +344,28 @@ rm -rf %{buildroot}%{_includedir}
# Install the plugins
mkdir -p %{buildroot}/%{_libdir}/bind-plugins
+pushd dlz-modules-%{dlz_modules_hash}/modules
%if %{with_modules_perl}
- install -m 0644 contrib/dlz/modules/perl/*.so %{buildroot}/%{_libdir}/bind-plugins
+ install -m 0644 perl/*.so %{buildroot}/%{_libdir}/bind-plugins
%endif
%if %{with_modules_mysql}
- install -m 0644 contrib/dlz/modules/mysql/*.so %{buildroot}/%{_libdir}/bind-plugins
- install -m 0644 contrib/dlz/modules/mysqldyn/*.so %{buildroot}/%{_libdir}/bind-plugins
+ install -m 0644 mysql/*.so %{buildroot}/%{_libdir}/bind-plugins
+ install -m 0644 mysqldyn/*.so %{buildroot}/%{_libdir}/bind-plugins
%endif
%if %{with_modules_ldap}
- install -m 0644 contrib/dlz/modules/ldap/*.so %{buildroot}/%{_libdir}/bind-plugins
+ install -m 0644 ldap/*.so %{buildroot}/%{_libdir}/bind-plugins
%endif
%if %{with_modules_bdbhpt}
- install -m 0644 contrib/dlz/modules/bdbhpt/*.so %{buildroot}/%{_libdir}/bind-plugins
+ install -m 0644 bdbhpt/*.so %{buildroot}/%{_libdir}/bind-plugins
%endif
%if %{with_modules_sqlite3}
- install -m 0644 contrib/dlz/modules/sqlite3/*.so %{buildroot}/%{_libdir}/bind-plugins
+ install -m 0644 sqlite3/*.so %{buildroot}/%{_libdir}/bind-plugins
%endif
%if %{with_modules_generic}
- install -m 0644 contrib/dlz/modules/{filesystem,wildcard}/*.so %{buildroot}/%{_libdir}/bind-plugins
+ install -m 0644 {filesystem,wildcard}/*.so %{buildroot}/%{_libdir}/bind-plugins
%endif
+popd
+
# remove useless .la files
rm -f %{buildroot}/%{_libdir}/lib*.{la,a} %{buildroot}/%{_libdir}/bind/*.la
mv vendor-files/config/named.conf %{buildroot}/%{_sysconfdir}
diff --git a/dlz-modules-5923650.obscpio b/dlz-modules-5923650.obscpio
new file mode 100644
index 0000000..44eb4e5
--- /dev/null
+++ b/dlz-modules-5923650.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4c5e9ce87c314852fc1844bd930ac3ba2d5ed80e3a52cfcc0b58443d0ac98d5a
+size 478731
diff --git a/dlz-modules.obsinfo b/dlz-modules.obsinfo
new file mode 100644
index 0000000..ea40a30
--- /dev/null
+++ b/dlz-modules.obsinfo
@@ -0,0 +1,4 @@
+name: dlz-modules
+version: 5923650
+mtime: 1731483151
+commit: 5923650dbb69eac5006938218d0bc11ad9b41696
diff --git a/named.root b/named.root
index c39256a..3006d3d 100644
--- a/named.root
+++ b/named.root
@@ -9,8 +9,8 @@
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
-; last update: November 20, 2024
-; related version of root zone: 2024112001
+; last update: December 18, 2024
+; related version of root zone: 2024121801
;
; FORMERLY NS.INTERNIC.NET
;