Dominique Leuenberger 2018-01-13 20:36:06 +00:00 committed by Git OBS Bridge
commit 4b487a5807
19 changed files with 815 additions and 6051 deletions


@ -1,8 +1,8 @@
Index: bind-9.9.3-P1/bin/named/Makefile.in
Index: bind-9.11.2/bin/named/Makefile.in
===================================================================
--- bind-9.9.3-P1.orig/bin/named/Makefile.in
+++ bind-9.9.3-P1/bin/named/Makefile.in
@@ -173,9 +173,7 @@ installdirs:
--- bind-9.11.2.orig/bin/named/Makefile.in 2017-07-24 07:36:50.000000000 +0200
+++ bind-9.11.2/bin/named/Makefile.in 2017-08-15 10:27:54.263889946 +0200
@@ -168,9 +168,7 @@ installdirs:
install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
@ -11,5 +11,5 @@ Index: bind-9.9.3-P1/bin/named/Makefile.in
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
+ for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man$${m##*.}; done
@DLZ_DRIVER_RULES@
uninstall::
rm -f ${DESTDIR}${mandir}/man5/named.conf.5


@ -1,25 +1,18 @@
libbind9-140
libdns165
libidnkit1
libidnkitlite1
libidnkitres1
libirs141
libisc160
libbind9-160
libdns169
libirs160
libisc166
obsoletes "bind-libs-<targettype> = <version>"
provides "bind-libs-<targettype> = <version>"
libisccc140
libisccfg140
liblwres141
libisccc160
libisccfg160
liblwres160
bind-devel
requires -bind-<targettype>
requires "libbind9-140-<targettype> = <version>"
requires "libdns165-<targettype> = <version>"
requires "libirs141-<targettype> = <version>"
requires "libisc160-<targettype> = <version>"
requires "libisccc140-<targettype> = <version>"
requires "libisccfg140-<targettype> = <version>"
requires "liblwres141-<targettype> = <version>"
idnkit-devel
requires "libdns165-<targettype> = <version>"
requires "libidnkit1-<targettype> = <version>"
requires "libidnkitlite1-<targettype> = <version>"
requires "libbind9-160-<targettype> = <version>"
requires "libdns169-<targettype> = <version>"
requires "libirs160-<targettype> = <version>"
requires "libisc166-<targettype> = <version>"
requires "libisccc160-<targettype> = <version>"
requires "libisccfg160-<targettype> = <version>"
requires "liblwres160-<targettype> = <version>"


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:89c47b413613feddb1b623ad092f3def2247402e4148c464dbc6c0021e3f0feb
size 9303205


@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)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=Kgbj
-----END PGP SIGNATURE-----

3
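--- a/bind-9.11.2.tar.gz
+++ b/bind-9.11.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7f46ad8620f7c3b0ac375d7a5211b15677708fda84ce25d7aeb7222fe2e3c77a
+size 9782180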

17
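--- a/bind-9.11.2.tar.gz.asc
+++ b/bind-9.11.2.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+iQIcBAABAgAGBQJZea3wAAoJEPGxG/Bc8C5Xh2oP/R1iUkk2l5Gp67xfitJLaFM6
+uA5t+pezactdPzwQkP30R5DxC05h3LHV1jBwC39Y9AzAcq4TNXqg4yClQmGSFfoS
+JTM5LXguCw2LLqd1VzQgSTAb6Urmk+1HToasN5ct6u/gTi1W6l7Hg8aZrqPYKtov
+0bI7wmo6z+vH+vgbl0hHoHBxdZaamt8VTIhBF/JP59WkxJHalf90VrDK/Ivx+lZY
+9d0QjqCJsQZpZ9tGn01WW73NQQxtitrT0RoKfPWNp218QnJUZgebXvxxzxxarC/N
+4HI8+vQTDQMWq6DS64ipZ0PhJofnQKHuTWg3qX/PTGNuDkrqRGAPBsEsbPv4Flqi
+ieaf50ky+68ghBcGDS8DyFFXhZjjnIGQKgE5j3xlxqEqvmE944kMx/ty5/7rUCI4
+50zHJE6zfrsDaRAAOtudzw3nmI6lpetEk67k9u67rojZL36BVXrZPiUPldpToD9s
+sJpep6KuEVG//Xcc5DVrmfYvxUASVa7uAPOfyvgSlW2f4xb7x2ZAS5t3H8/M5CiT
+S+fiGzcGQAzckylwqOlVM/JfWkM19z56uE4kShMR8bj0oHE/zOFpfqFWpQ/jhxy6
+fIGrBFLAbm1wGOOhntN7833+OkOeucVqrBRTZ+HE4sRI4P0t2sZFtStYRV89TDPu
+TwWLWtNVQ8rHKTKNAdkn
+=q9OM
+-----END PGP SIGNATURE-----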

297
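--- a/bind-99-libidn.patch
+++ b/bind-99-libidn.patch
@@ -0,0 +1,297 @@
+diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
+index bd219c5..f71685b 100644
+--- a/bin/dig/Makefile.in
++++ b/bin/dig/Makefile.in
+@@ -38,10 +38,10 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} \
+${ISCCFGDEPLIBS} ${LWRESDEPLIBS}
+LIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+- ${ISCLIBS} @IDNLIBS@ @LIBS@
++ ${ISCLIBS} @IDNLIBS@ @LIBS@ -lidn
+NOSYMLIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+- ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@
++ ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ -lidn
+SUBDIRS =
+@@ -59,6 +59,8 @@ HTMLPAGES = dig.html host.html nslookup.html
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
++EXT_CFLAGS = -DWITH_LIBIDN
++
+@BIND9_MAKE_RULES@
+dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
+index 7a7e8e4..b36047f 100644
+--- a/bin/dig/dig.docbook
++++ b/bin/dig/dig.docbook
+@@ -1251,8 +1251,8 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+<command>dig</command> appropriately converts character encoding of
+domain name before sending a request to DNS server or displaying a
+reply from the server.
+- If you'd like to turn off the IDN support for some reason, defines
+- the <envar>IDN_DISABLE</envar> environment variable.
++ If you'd like to turn off the IDN support for some reason, define
++ the <envar>CHARSET=ASCII</envar> environment variable.
+The IDN support is disabled if the variable is set when
+<command>dig</command> runs.
+</para>
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index 1f8bcf2..f657c30 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -33,6 +33,11 @@
+#include <idn/api.h>
+#endif
++#ifdef WITH_LIBIDN
++#include <stringprep.h>
++#include <idna.h>
++#endif
++
+#include <dns/byaddr.h>
+#ifdef DIG_SIGCHASE
+#include <dns/callbacks.h>
+@@ -158,6 +163,14 @@ static void idn_check_result(idn_result_t r, const char *msg);
+int idnoptions = 0;
+#endif
++#ifdef WITH_LIBIDN
++static isc_result_t libidn_locale_to_utf8 (const char* from, char *to);
++static isc_result_t libidn_utf8_to_ascii (const char* from, char *to);
++static isc_result_t output_filter (isc_buffer_t *buffer,
++ unsigned int used_org,
++ isc_boolean_t absolute);
++#endif
++
+isc_socket_t *keep = NULL;
+isc_sockaddr_t keepaddr;
+@@ -1448,8 +1461,15 @@ setup_system(isc_boolean_t ipv4only, isc_boolean_t ipv6only) {
+#ifdef WITH_IDN
+initialize_idn();
++
++#endif
++#ifdef WITH_LIBIDN
++ result = dns_name_settotextfilter(output_filter);
++ check_result(result, "dns_name_settotextfilter");
++#ifdef HAVE_SETLOCALE
++ setlocale (LC_ALL, "");
++#endif
+#endif
+-
+if (keyfile[0] != 0)
+setup_file_key();
+else if (keysecret[0] != 0)
+@@ -2231,8 +2251,11 @@ setup_lookup(dig_lookup_t *lookup) {
+idn_result_t mr;
+char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
+#endif
++#ifdef WITH_LIBIDN
++ char utf8_str[MXNAME], utf8_name[MXNAME], ascii_name[MXNAME];
++#endif
+-#ifdef WITH_IDN
++#if defined (WITH_IDN) || defined (WITH_LIBIDN)
+result = dns_name_settotextfilter(lookup->idnout ?
+output_filter : NULL);
+check_result(result, "dns_name_settotextfilter");
+@@ -2274,6 +2297,14 @@ setup_lookup(dig_lookup_t *lookup) {
+mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname,
+utf8_textname, sizeof(utf8_textname));
+idn_check_result(mr, "convert textname to UTF-8");
++#elif defined (WITH_LIBIDN)
++ result = libidn_locale_to_utf8 (lookup->textname, utf8_str);
++ check_result (result, "convert textname to UTF-8");
++ len = strlen (utf8_str);
++ if (len < MXNAME)
++ (void) strcpy (utf8_name, utf8_str);
++ else
++ fatal ("Too long name");
+#endif
+/*
+@@ -2286,15 +2317,11 @@ setup_lookup(dig_lookup_t *lookup) {
+if (lookup->new_search) {
+#ifdef WITH_IDN
+if ((count_dots(utf8_textname) >= ndots) || !usesearch) {
+- lookup->origin = NULL; /* Force abs lookup */
+- lookup->done_as_is = ISC_TRUE;
+- lookup->need_search = usesearch;
+- } else if (lookup->origin == NULL && usesearch) {
+- lookup->origin = ISC_LIST_HEAD(search_list);
+- lookup->need_search = ISC_FALSE;
+- }
++#elif defined (WITH_LIBIDN)
++ if ((count_dots(utf8_name) >= ndots) || !usesearch) {
+#else
+if ((count_dots(lookup->textname) >= ndots) || !usesearch) {
++#endif
+lookup->origin = NULL; /* Force abs lookup */
+lookup->done_as_is = ISC_TRUE;
+lookup->need_search = usesearch;
+@@ -2302,7 +2329,6 @@ setup_lookup(dig_lookup_t *lookup) {
+lookup->origin = ISC_LIST_HEAD(search_list);
+lookup->need_search = ISC_FALSE;
+}
+-#endif
+}
+#ifdef WITH_IDN
+@@ -2319,6 +2345,20 @@ setup_lookup(dig_lookup_t *lookup) {
+IDN_IDNCONV | IDN_LENCHECK, utf8_textname,
+idn_textname, sizeof(idn_textname));
+idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
++#elif defined (WITH_LIBIDN)
++ if (lookup->origin != NULL) {
++ result = libidn_locale_to_utf8 (lookup->origin->origin, utf8_str);
++ check_result (result, "convert origin to UTF-8");
++ if (len > 0 && utf8_name[len - 1] != '.') {
++ utf8_name[len++] = '.';
++ if (len + strlen (utf8_str) < MXNAME)
++ (void) strcpy (utf8_name + len, utf8_str);
++ else
++ fatal ("Too long name + origin");
++ }
++ }
++
++ result = libidn_utf8_to_ascii (utf8_name, ascii_name);
+#else
+if (lookup->origin != NULL) {
+debug("trying origin %s", lookup->origin->origin);
+@@ -2389,6 +2429,13 @@ setup_lookup(dig_lookup_t *lookup) {
+result = dns_name_fromtext(lookup->name, &b,
+dns_rootname, 0,
+&lookup->namebuf);
++#elif defined (WITH_LIBIDN)
++ len = strlen (ascii_name);
++ isc_buffer_init(&b, ascii_name, len);
++ isc_buffer_add(&b, len);
++ result = dns_name_fromtext(lookup->name, &b,
++ dns_rootname, 0,
++ &lookup->namebuf);
+#else
+len = (unsigned int) strlen(lookup->textname);
+isc_buffer_init(&b, lookup->textname, len);
+@@ -4377,7 +4424,7 @@ destroy_libs(void) {
+void * ptr;
+dig_message_t *chase_msg;
+#endif
+-#ifdef WITH_IDN
++#if defined (WITH_IDN) || defined (WITH_LIBIDN)
+isc_result_t result;
+#endif
+@@ -4418,6 +4465,10 @@ destroy_libs(void) {
+result = dns_name_settotextfilter(NULL);
+check_result(result, "dns_name_settotextfilter");
+#endif
++#ifdef WITH_LIBIDN
++ result = dns_name_settotextfilter (NULL);
++ check_result(result, "clearing dns_name_settotextfilter");
++#endif
+dns_name_destroy();
+if (commctx != NULL) {
+@@ -4603,6 +4654,97 @@ idn_check_result(idn_result_t r, const char *msg) {
+}
+}
+#endif /* WITH_IDN */
++#ifdef WITH_LIBIDN
++static isc_result_t
++libidn_locale_to_utf8 (const char *from, char *to) {
++ char *utf8_str;
++
++ debug ("libidn_locale_to_utf8");
++ utf8_str = stringprep_locale_to_utf8 (from);
++ if (utf8_str != NULL) {
++ (void) strcpy (to, utf8_str);
++ free (utf8_str);
++ return ISC_R_SUCCESS;
++ }
++
++ debug ("libidn_locale_to_utf8: failure");
++ return ISC_R_FAILURE;
++}
++static isc_result_t
++libidn_utf8_to_ascii (const char *from, char *to) {
++ char *ascii;
++ int iresult;
++
++ debug ("libidn_utf8_to_ascii");
++ iresult = idna_to_ascii_8z (from, &ascii, 0);
++ if (iresult != IDNA_SUCCESS) {
++ debug ("idna_to_ascii_8z: %s", idna_strerror (iresult));
++ return ISC_R_FAILURE;
++ }
++
++ (void) strcpy (to, ascii);
++ free (ascii);
++ return ISC_R_SUCCESS;
++}
++
++static isc_result_t
++output_filter (isc_buffer_t *buffer, unsigned int used_org,
++ isc_boolean_t absolute) {
++
++ char tmp1[MXNAME], *tmp2;
++ size_t fromlen, tolen;
++ isc_boolean_t end_with_dot;
++ int iresult;
++
++ debug ("output_filter");
++
++ fromlen = isc_buffer_usedlength (buffer) - used_org;
++ if (fromlen >= MXNAME)
++ return ISC_R_SUCCESS;
++ memcpy (tmp1, (char *) isc_buffer_base (buffer) + used_org, fromlen);
++ end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE;
++ if (absolute && !end_with_dot) {
++ fromlen++;
++ if (fromlen >= MXNAME)
++ return ISC_R_SUCCESS;
++ tmp1[fromlen - 1] = '.';
++ }
++ tmp1[fromlen] = '\0';
++
++ iresult = idna_to_unicode_8z8z (tmp1, &tmp2, 0);
++ if (iresult != IDNA_SUCCESS) {
++ debug ("output_filter: %s", idna_strerror (iresult));
++ return ISC_R_SUCCESS;
++ }
++
++ (void) strcpy (tmp1, tmp2);
++ free (tmp2);
++
++ tmp2 = stringprep_utf8_to_locale (tmp1);
++ if (tmp2 == NULL) {
++ debug ("output_filter: stringprep_utf8_to_locale failed");
++ return ISC_R_SUCCESS;
++ }
++
++ (void) strcpy (tmp1, tmp2);
++ free (tmp2);
++
++ tolen = strlen (tmp1);
++ if (absolute && !end_with_dot && tmp1[tolen - 1] == '.')
++ tolen--;
++
++ if (isc_buffer_length (buffer) < used_org + tolen)
++ return ISC_R_NOSPACE;
++
++ debug ("%s", tmp1);
++
++ isc_buffer_subtract (buffer, isc_buffer_usedlength (buffer) - used_org);
++ memcpy (isc_buffer_used (buffer), tmp1, tolen);
++ isc_buffer_add (buffer, tolen);
++
++ return ISC_R_SUCCESS;
++}
++#endif /* WITH_LIBIDN*/
+#ifdef DIG_SIGCHASE
+void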
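Review bot: The libidn helpers added to dighost.c copy library-allocated strings into fixed `MXNAME` stack buffers with `strcpy` and no length check: `libidn_locale_to_utf8` and `libidn_utf8_to_ascii` take no destination size, and `output_filter` copies the results of `idna_to_unicode_8z8z` and `stringprep_utf8_to_locale` back into `tmp1[MXNAME]`. Each of these conversions can return a string longer than its input, and the `len < MXNAME` test in `setup_lookup` runs only after `utf8_str` has already been written, so an over-long converted name (from the command line, or presumably from a name being printed out of a response) can overrun the stack buffer. The helpers should take the destination size and return `ISC_R_NOSPACE` when the converted string does not fit, as sketched below for the first one. Separately, the result of `libidn_utf8_to_ascii (utf8_name, ascii_name)` is not checked anywhere inside the hunk before `strlen (ascii_name)` reads the buffer, and `output_filter` reads `tmp1[fromlen - 1]` (and later `tmp1[tolen - 1]`) without ruling out a zero length.

```c
static isc_result_t
libidn_locale_to_utf8 (const char *from, char *to, size_t tosize) {
	char *utf8_str;
	size_t n;

	debug ("libidn_locale_to_utf8");
	utf8_str = stringprep_locale_to_utf8 (from);
	if (utf8_str == NULL) {
		debug ("libidn_locale_to_utf8: failure");
		return ISC_R_FAILURE;
	}

	/* The converted form can be longer than the input; never write past 'to'. */
	n = strlen (utf8_str);
	if (n >= tosize) {
		free (utf8_str);
		return ISC_R_NOSPACE;
	}
	memcpy (to, utf8_str, n + 1);
	free (utf8_str);
	return ISC_R_SUCCESS;
}
/* … libidn_utf8_to_ascii and both strcpy calls in output_filter get the same length check; callers pass sizeof (utf8_str) and sizeof (ascii_name) … */
```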


@ -1,645 +0,0 @@
Index: bind-9.10.4-P5/bin/tests/system/dname/ans3/ans.pl
===================================================================
--- /dev/null
+++ bind-9.10.4-P5/bin/tests/system/dname/ans3/ans.pl
@@ -0,0 +1,95 @@
+#!/usr/bin/env perl
+#
+# Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+use strict;
+use warnings;
+
+use IO::File;
+use Getopt::Long;
+use Net::DNS::Nameserver;
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+my $localaddr = "10.53.0.3";
+my $localport = 5300;
+my $verbose = 0;
+my $ttl = 60;
+my $zone = "example.broken";
+my $nsname = "ns3.$zone";
+my $synth = "synth-then-dname.$zone";
+my $synth2 = "synth2-then-dname.$zone";
+
+sub reply_handler {
+ my ($qname, $qclass, $qtype, $peerhost, $query, $conn) = @_;
+ my ($rcode, @ans, @auth, @add);
+
+ print ("request: $qname/$qtype\n");
+ STDOUT->flush();
+
+ if ($qname eq "example.broken") {
+ if ($qtype eq "SOA") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass SOA . . 0 0 0 0 0");
+ push @ans, $rr;
+ } elsif ($qtype eq "NS") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass NS $nsname");
+ push @ans, $rr;
+ $rr = new Net::DNS::RR("$nsname $ttl $qclass A $localaddr");
+ push @add, $rr;
+ }
+ $rcode = "NOERROR";
+ } elsif ($qname eq "cname-to-$synth2") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.$synth2");
+ push @ans, $rr;
+ $rr = new Net::DNS::RR("name.$synth2 $ttl $qclass CNAME name");
+ push @ans, $rr;
+ $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME .");
+ push @ans, $rr;
+ $rcode = "NOERROR";
+ } elsif ($qname eq "$synth" || $qname eq "$synth2") {
+ if ($qtype eq "DNAME") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME .");
+ push @ans, $rr;
+ }
+ $rcode = "NOERROR";
+ } elsif ($qname eq "name.$synth") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.");
+ push @ans, $rr;
+ $rr = new Net::DNS::RR("$synth $ttl $qclass DNAME .");
+ push @ans, $rr;
+ $rcode = "NOERROR";
+ } elsif ($qname eq "name.$synth2") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.");
+ push @ans, $rr;
+ $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME .");
+ push @ans, $rr;
+ $rcode = "NOERROR";
+ } else {
+ $rcode = "REFUSED";
+ }
+ return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
+}
+
+GetOptions(
+ 'port=i' => \$localport,
+ 'verbose!' => \$verbose,
+);
+
+my $ns = Net::DNS::Nameserver->new(
+ LocalAddr => $localaddr,
+ LocalPort => $localport,
+ ReplyHandler => \&reply_handler,
+ Verbose => $verbose,
+);
+
+$ns->main_loop;
Index: bind-9.10.4-P5/bin/tests/system/dname/ns1/root.db
===================================================================
--- bind-9.10.4-P5.orig/bin/tests/system/dname/ns1/root.db
+++ bind-9.10.4-P5/bin/tests/system/dname/ns1/root.db
@@ -12,8 +12,6 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db,v 1.2 2011/03/18 21:14:19 fdupont Exp $
-
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
@@ -27,3 +25,6 @@ a.root-servers.nil. A 10.53.0.1
example. NS ns2.example.
ns2.example. A 10.53.0.2
+
+example.broken. NS ns3.example.broken.
+ns3.example.broken. A 10.53.0.3
Index: bind-9.10.4-P5/bin/tests/system/dname/tests.sh
===================================================================
--- bind-9.10.4-P5.orig/bin/tests/system/dname/tests.sh
+++ bind-9.10.4-P5/bin/tests/system/dname/tests.sh
@@ -20,6 +20,7 @@ SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
+n=0
echo "I:checking short dname from authoritative"
ret=0
@@ -81,6 +82,26 @@ grep '^a.target.example.' dig.out.ns4.cn
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
-echo "I:exit status: $status"
+n=`expr $n + 1`
+echo "I:checking dname is returned with synthesized cname before dname ($n)"
+ret=0
+$DIG @10.53.0.4 -p 5300 name.synth-then-dname.example.broken A > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
+grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
-exit $status
+n=`expr $n + 1`
+echo "I:checking dname is returned with cname to synthesized cname before dname ($n)"
+ret=0
+$DIG @10.53.0.4 -p 5300 cname-to-synth2-then-dname.example.broken A > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n > /dev/null || ret=1
+grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
+grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+[ $status -eq 0 ] || exit 1
Index: bind-9.10.4-P5/lib/dns/resolver.c
===================================================================
--- bind-9.10.4-P5.orig/lib/dns/resolver.c
+++ bind-9.10.4-P5/lib/dns/resolver.c
@@ -6099,9 +6099,13 @@ cname_target(dns_rdataset_t *rdataset, d
return (ISC_R_SUCCESS);
}
+/*%
+ * Construct the synthesised CNAME from the existing QNAME and
+ * the DNAME RR and store it in 'target'.
+ */
static inline isc_result_t
dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
- unsigned int nlabels, dns_fixedname_t *fixeddname)
+ unsigned int nlabels, dns_name_t *target)
{
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
@@ -6121,14 +6125,33 @@ dname_target(dns_rdataset_t *rdataset, d
dns_fixedname_init(&prefix);
dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
- dns_fixedname_init(fixeddname);
result = dns_name_concatenate(dns_fixedname_name(&prefix),
- &dname.dname,
- dns_fixedname_name(fixeddname), NULL);
+ &dname.dname, target, NULL);
dns_rdata_freestruct(&dname);
return (result);
}
+/*%
+ * Check if it was possible to construct 'qname' from 'lastcname'
+ * and 'rdataset'.
+ */
+static inline isc_result_t
+fromdname(dns_rdataset_t *rdataset, dns_name_t *lastcname,
+ unsigned int nlabels, const dns_name_t *qname)
+{
+ dns_fixedname_t fixed;
+ isc_result_t result;
+ dns_name_t *target;
+
+ dns_fixedname_init(&fixed);
+ target = dns_fixedname_name(&fixed);
+ result = dname_target(rdataset, lastcname, nlabels, target);
+ if (result != ISC_R_SUCCESS || !dns_name_equal(qname, target))
+ return (ISC_R_NOTFOUND);
+
+ return (ISC_R_SUCCESS);
+}
+
static isc_boolean_t
is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
dns_rdataset_t *rdataset)
@@ -6745,12 +6768,12 @@ answer_response(fetchctx_t *fctx) {
isc_result_t result;
dns_message_t *message;
dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
- dns_name_t *cname = NULL;
+ dns_name_t *cname = NULL, *lastcname = NULL;
dns_rdataset_t *rdataset, *ns_rdataset;
- isc_boolean_t done, external, chaining, aa, found, want_chaining;
+ isc_boolean_t done, external, aa, found, want_chaining;
isc_boolean_t have_answer, found_cname, found_dname, found_type;
isc_boolean_t wanted_chaining;
- unsigned int aflag;
+ unsigned int aflag, chaining;
dns_rdatatype_t type;
dns_fixedname_t fdname, fqname;
dns_view_t *view;
@@ -6768,9 +6791,9 @@ answer_response(fetchctx_t *fctx) {
found_cname = ISC_FALSE;
found_dname = ISC_FALSE;
found_type = ISC_FALSE;
- chaining = ISC_FALSE;
have_answer = ISC_FALSE;
want_chaining = ISC_FALSE;
+ chaining = 0;
POST(want_chaining);
if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
aa = ISC_TRUE;
@@ -6781,14 +6804,15 @@ answer_response(fetchctx_t *fctx) {
view = fctx->res->view;
result = dns_message_firstname(message, DNS_SECTION_ANSWER);
while (!done && result == ISC_R_SUCCESS) {
- dns_namereln_t namereln;
- int order;
- unsigned int nlabels;
+ dns_namereln_t namereln, lastreln;
+ int order, lastorder;
+ unsigned int nlabels, lastnlabels;
name = NULL;
dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+
if (namereln == dns_namereln_equal) {
wanted_chaining = ISC_FALSE;
for (rdataset = ISC_LIST_HEAD(name->list);
@@ -6894,6 +6918,7 @@ answer_response(fetchctx_t *fctx) {
&fctx->domain)) {
return (DNS_R_SERVFAIL);
}
+ lastcname = name;
} else if (rdataset->type == dns_rdatatype_rrsig
&& rdataset->covers ==
dns_rdatatype_cname
@@ -6917,7 +6942,7 @@ answer_response(fetchctx_t *fctx) {
rdataset->attributes |=
DNS_RDATASETATTR_CACHE;
rdataset->trust = dns_trust_answer;
- if (!chaining) {
+ if (chaining == 0) {
/*
* This data is "the" answer
* to our question only if
@@ -6994,10 +7019,21 @@ answer_response(fetchctx_t *fctx) {
* cause us to ignore the signatures of
* CNAMEs.
*/
- if (wanted_chaining)
- chaining = ISC_TRUE;
+ if (wanted_chaining && chaining < 2U)
+ chaining++;
} else {
dns_rdataset_t *dnameset = NULL;
+ isc_boolean_t synthcname = ISC_FALSE;
+
+ if (lastcname != NULL) {
+ lastreln = dns_name_fullcompare(lastcname,
+ name,
+ &lastorder,
+ &lastnlabels);
+ if (lastreln == dns_namereln_subdomain &&
+ lastnlabels == dns_name_countlabels(name))
+ synthcname = ISC_TRUE;
+ }
/*
* Look for a DNAME (or its SIG). Anything else is
@@ -7026,7 +7062,7 @@ answer_response(fetchctx_t *fctx) {
* If we're not chaining, then the DNAME and
* its signature should not be external.
*/
- if (!chaining && external) {
+ if (chaining == 0 && external) {
char qbuf[DNS_NAME_FORMATSIZE];
char obuf[DNS_NAME_FORMATSIZE];
@@ -7044,16 +7080,9 @@ answer_response(fetchctx_t *fctx) {
/*
* If DNAME + synthetic CNAME then the
* namereln is dns_namereln_subdomain.
- *
- * If synthetic CNAME + DNAME then the
- * namereln is dns_namereln_commonancestor
- * and the number of label must match the
- * DNAME. This order is not RFC compliant.
*/
-
if (namereln != dns_namereln_subdomain &&
- (namereln != dns_namereln_commonancestor ||
- nlabels != dns_name_countlabels(name)))
+ !synthcname)
{
char qbuf[DNS_NAME_FORMATSIZE];
char obuf[DNS_NAME_FORMATSIZE];
@@ -7073,8 +7102,19 @@ answer_response(fetchctx_t *fctx) {
want_chaining = ISC_TRUE;
POST(want_chaining);
aflag = DNS_RDATASETATTR_ANSWER;
- result = dname_target(rdataset, qname,
- nlabels, &fdname);
+ dns_fixedname_init(&fdname);
+ dname = dns_fixedname_name(&fdname);
+ if (synthcname) {
+ result = fromdname(rdataset,
+ lastcname,
+ lastnlabels,
+ qname);
+ } else {
+ result = dname_target(rdataset,
+ qname,
+ nlabels,
+ dname);
+ }
if (result == ISC_R_NOSPACE) {
/*
* We can't construct the
@@ -7088,8 +7128,8 @@ answer_response(fetchctx_t *fctx) {
else
dnameset = rdataset;
- dname = dns_fixedname_name(&fdname);
- if (!is_answertarget_allowed(view,
+ if (!synthcname &&
+ !is_answertarget_allowed(view,
qname, rdataset->type,
dname, &fctx->domain))
{
@@ -7110,7 +7150,13 @@ answer_response(fetchctx_t *fctx) {
name->attributes |= DNS_NAMEATTR_CACHE;
rdataset->attributes |= DNS_RDATASETATTR_CACHE;
rdataset->trust = dns_trust_answer;
- if (!chaining) {
+ /*
+ * If we are not chaining or the first CNAME
+ * is a synthesised CNAME before the DNAME.
+ */
+ if ((chaining == 0) ||
+ (chaining == 1U && synthcname))
+ {
/*
* This data is "the" answer to
* our question only if we're
@@ -7120,9 +7166,12 @@ answer_response(fetchctx_t *fctx) {
if (aflag == DNS_RDATASETATTR_ANSWER) {
have_answer = ISC_TRUE;
found_dname = ISC_TRUE;
- if (cname != NULL)
+ if (cname != NULL &&
+ synthcname)
+ {
cname->attributes &=
~DNS_NAMEATTR_ANSWER;
+ }
name->attributes |=
DNS_NAMEATTR_ANSWER;
}
@@ -7140,26 +7189,35 @@ answer_response(fetchctx_t *fctx) {
* DNAME chaining.
*/
if (dnameset != NULL) {
- /*
- * Copy the dname into the qname fixed name.
- *
- * Although we check for failure of the copy
- * operation, in practice it should never fail
- * since we already know that the result fits
- * in a fixedname.
- */
- dns_fixedname_init(&fqname);
- qname = dns_fixedname_name(&fqname);
- result = dns_name_copy(dname, qname, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
+ if (!synthcname) {
+ /*
+ * Copy the dname into the qname fixed
+ * name.
+ *
+ * Although we check for failure of the
+ * copy operation, in practice it
+ * should never fail since we already
+ * know that the result fits in a
+ * fixedname.
+ */
+ dns_fixedname_init(&fqname);
+ qname = dns_fixedname_name(&fqname);
+ result = dns_name_copy(dname, qname,
+ NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
wanted_chaining = ISC_TRUE;
name->attributes |= DNS_NAMEATTR_CHAINING;
dnameset->attributes |=
DNS_RDATASETATTR_CHAINING;
}
- if (wanted_chaining)
- chaining = ISC_TRUE;
+ /*
+ * Ensure that we can't ever get chaining == 1
+ * above if we have processed a DNAME.
+ */
+ if (wanted_chaining && chaining < 2U)
+ chaining += 2;
}
result = dns_message_nextname(message, DNS_SECTION_ANSWER);
}
@@ -7184,7 +7242,7 @@ answer_response(fetchctx_t *fctx) {
/*
* Did chaining end before we got the final answer?
*/
- if (chaining) {
+ if (chaining != 0) {
/*
* Yes. This may be a negative reply, so hand off
* authority section processing to the noanswer code.
@@ -7233,7 +7291,7 @@ answer_response(fetchctx_t *fctx) {
DNS_NAMEATTR_CACHE;
rdataset->attributes |=
DNS_RDATASETATTR_CACHE;
- if (aa && !chaining)
+ if (aa && chaining == 0)
rdataset->trust =
dns_trust_authauthority;
else
Index: bind-9.10.4-P5/bin/named/query.c
===================================================================
--- bind-9.10.4-P5.orig/bin/named/query.c
+++ bind-9.10.4-P5/bin/named/query.c
@@ -6237,7 +6237,7 @@ query_find(ns_client_t *client, dns_fetc
dns_rpz_st_t *rpz_st;
isc_boolean_t resuming;
int line = -1;
- isc_boolean_t dns64_exclude, dns64;
+ isc_boolean_t dns64_exclude, dns64, rpz;
isc_boolean_t nxrewrite = ISC_FALSE;
isc_boolean_t redirected = ISC_FALSE;
dns_clientinfomethods_t cm;
@@ -6250,6 +6250,7 @@ query_find(ns_client_t *client, dns_fetc
char mbuf[BUFSIZ];
char qbuf[DNS_NAME_FORMATSIZE];
#endif
+ dns_name_t *rpzqname;
CTRACE(ISC_LOG_DEBUG(3), "query_find");
@@ -6275,7 +6276,7 @@ query_find(ns_client_t *client, dns_fetc
zone = NULL;
need_wildcardproof = ISC_FALSE;
empty_wild = ISC_FALSE;
- dns64_exclude = dns64 = ISC_FALSE;
+ dns64_exclude = dns64 = rpz = ISC_FALSE;
options = 0;
resuming = ISC_FALSE;
is_zone = ISC_FALSE;
@@ -6465,6 +6466,7 @@ query_find(ns_client_t *client, dns_fetc
authoritative = ISC_FALSE;
version = NULL;
need_wildcardproof = ISC_FALSE;
+ rpz = ISC_FALSE;
if (client->view->checknames &&
!dns_rdata_checkowner(client->query.qname,
@@ -6606,11 +6608,29 @@ query_find(ns_client_t *client, dns_fetc
}
/*
- * Now look for an answer in the database.
+ * Now look for an answer in the database. If this is a dns64
+ * AAAA lookup on a rpz database adjust the qname.
*/
- result = dns_db_findext(db, client->query.qname, version, type,
+ if (dns64 && rpz)
+ rpzqname = client->query.rpz_st->p_name;
+ else
+ rpzqname = client->query.qname;
+
+ result = dns_db_findext(db, rpzqname, version, type,
client->query.dboptions, client->now,
&node, fname, &cm, &ci, rdataset, sigrdataset);
+ /*
+ * Fixup fname and sigrdataset.
+ */
+ if (dns64 && rpz) {
+ isc_result_t rresult;
+
+ rresult = dns_name_copy(client->query.qname, fname, NULL);
+ RUNTIME_CHECK(rresult == ISC_R_SUCCESS);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ }
if (!is_zone)
dns_cache_updatestats(client->view->cache, result);
@@ -6840,10 +6860,12 @@ query_find(ns_client_t *client, dns_fetc
case DNS_RPZ_POLICY_NXDOMAIN:
result = DNS_R_NXDOMAIN;
nxrewrite = ISC_TRUE;
+ rpz = ISC_TRUE;
break;
case DNS_RPZ_POLICY_NODATA:
result = DNS_R_NXRRSET;
nxrewrite = ISC_TRUE;
+ rpz = ISC_TRUE;
break;
case DNS_RPZ_POLICY_RECORD:
result = rpz_st->m.result;
@@ -6863,6 +6885,7 @@ query_find(ns_client_t *client, dns_fetc
rdataset->ttl = ISC_MIN(rdataset->ttl,
rpz_st->m.ttl);
}
+ rpz = ISC_TRUE;
break;
case DNS_RPZ_POLICY_WILDCNAME:
result = dns_rdataset_first(rdataset);
@@ -6905,7 +6928,6 @@ query_find(ns_client_t *client, dns_fetc
NS_CLIENTATTR_WANTAD);
client->message->flags &= ~DNS_MESSAGEFLAG_AD;
query_putrdataset(client, &sigrdataset);
- rpz_st->q.is_zone = is_zone;
is_zone = ISC_TRUE;
rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
rpz_st->m.type, zone, rpz_st->p_name);
@@ -7289,15 +7311,6 @@ query_find(ns_client_t *client, dns_fetc
rdataset = NULL;
sigrdataset = NULL;
type = qtype = dns_rdatatype_a;
- rpz_st = client->query.rpz_st;
- if (rpz_st != NULL) {
- /*
- * Arrange for RPZ rewriting of any A records.
- */
- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
- is_zone = rpz_st->q.is_zone;
- rpz_st_clear(client);
- }
dns64 = ISC_TRUE;
goto db_find;
}
@@ -7612,15 +7625,6 @@ query_find(ns_client_t *client, dns_fetc
sigrdataset = NULL;
fname = NULL;
type = qtype = dns_rdatatype_a;
- rpz_st = client->query.rpz_st;
- if (rpz_st != NULL) {
- /*
- * Arrange for RPZ rewriting of any A records.
- */
- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
- is_zone = rpz_st->q.is_zone;
- rpz_st_clear(client);
- }
dns64 = ISC_TRUE;
goto db_find;
}
@@ -8154,15 +8158,6 @@ query_find(ns_client_t *client, dns_fetc
rdataset = NULL;
sigrdataset = NULL;
type = qtype = dns_rdatatype_a;
- rpz_st = client->query.rpz_st;
- if (rpz_st != NULL) {
- /*
- * Arrange for RPZ rewriting of any A records.
- */
- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
- is_zone = rpz_st->q.is_zone;
- rpz_st_clear(client);
- }
dns64_exclude = dns64 = ISC_TRUE;
goto db_find;
}
Index: bind-9.10.4-P5/lib/dns/message.c
===================================================================
--- bind-9.10.4-P5.orig/lib/dns/message.c
+++ bind-9.10.4-P5/lib/dns/message.c
@@ -1219,8 +1219,8 @@ getsection(isc_buffer_t *source, dns_mes
{
isc_region_t r;
unsigned int count, rdatalen;
- dns_name_t *name;
- dns_name_t *name2;
+ dns_name_t *name = NULL;
+ dns_name_t *name2 = NULL;
dns_offsets_t *offsets;
dns_rdataset_t *rdataset;
dns_rdatalist_t *rdatalist;
@@ -1230,7 +1230,7 @@ getsection(isc_buffer_t *source, dns_mes
dns_rdata_t *rdata;
dns_ttl_t ttl;
dns_namelist_t *section;
- isc_boolean_t free_name, free_rdataset;
+ isc_boolean_t free_name = ISC_FALSE, free_rdataset = ISC_FALSE;
isc_boolean_t preserve_order, best_effort, seen_problem;
isc_boolean_t issigzero;
Index: bind-9.10.4-P5/lib/dns/rdataset.c
===================================================================
--- bind-9.10.4-P5.orig/lib/dns/rdataset.c
+++ bind-9.10.4-P5/lib/dns/rdataset.c
@@ -338,6 +338,7 @@ towiresorted(dns_rdataset_t *rdataset, c
*/
REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(rdataset->methods != NULL);
REQUIRE(countp != NULL);
REQUIRE((order == NULL) == (order_arg == NULL));
REQUIRE(cctx != NULL && cctx->mctx != NULL);


@ -1,496 +0,0 @@
Index: bind-9.10.4-P5/lib/dns/dnssec.c
===================================================================
--- bind-9.10.4-P5.orig/lib/dns/dnssec.c
+++ bind-9.10.4-P5/lib/dns/dnssec.c
@@ -978,6 +978,8 @@ dns_dnssec_verifymessage(isc_buffer_t *s
mctx = msg->mctx;
msg->verify_attempted = 1;
+ msg->verified_sig = 0;
+ msg->sig0status = dns_tsigerror_badsig;
if (is_response(msg)) {
if (msg->query.base == NULL)
@@ -1073,6 +1075,7 @@ dns_dnssec_verifymessage(isc_buffer_t *s
}
msg->verified_sig = 1;
+ msg->sig0status = dns_rcode_noerror;
dst_context_destroy(&ctx);
dns_rdata_freestruct(&sig);
Index: bind-9.10.4-P5/lib/dns/message.c
===================================================================
--- bind-9.10.4-P5.orig/lib/dns/message.c
+++ bind-9.10.4-P5/lib/dns/message.c
@@ -3055,12 +3055,19 @@ dns_message_signer(dns_message_t *msg, d
result = dns_rdata_tostruct(&rdata, &tsig, NULL);
INSIST(result == ISC_R_SUCCESS);
- if (msg->tsigstatus != dns_rcode_noerror)
+ if (msg->verified_sig &&
+ msg->tsigstatus == dns_rcode_noerror &&
+ tsig.error == dns_rcode_noerror)
+ {
+ result = ISC_R_SUCCESS;
+ } else if ((!msg->verified_sig) ||
+ (msg->tsigstatus != dns_rcode_noerror))
+ {
result = DNS_R_TSIGVERIFYFAILURE;
- else if (tsig.error != dns_rcode_noerror)
+ } else {
+ INSIST(tsig.error != dns_rcode_noerror);
result = DNS_R_TSIGERRORSET;
- else
- result = ISC_R_SUCCESS;
+ }
dns_rdata_freestruct(&tsig);
if (msg->tsigkey == NULL) {
Index: bind-9.10.4-P5/lib/dns/tsig.c
===================================================================
--- bind-9.10.4-P5.orig/lib/dns/tsig.c
+++ bind-9.10.4-P5/lib/dns/tsig.c
@@ -942,11 +942,20 @@ dns_tsig_sign(dns_message_t *msg) {
isc_buffer_putuint48(&otherbuf, tsig.timesigned);
}
- if (key->key != NULL && tsig.error != dns_tsigerror_badsig) {
+ if ((key->key != NULL) &&
+ (tsig.error != dns_tsigerror_badsig) &&
+ (tsig.error != dns_tsigerror_badkey))
+ {
unsigned char header[DNS_MESSAGE_HEADERLEN];
isc_buffer_t headerbuf;
isc_uint16_t digestbits;
+ /*
+ * If it is a response, we assume that the request MAC
+ * has validated at this point. This is why we include a
+ * MAC length > 0 in the reply.
+ */
+
ret = dst_context_create3(key->key, mctx,
DNS_LOGCATEGORY_DNSSEC,
ISC_TRUE, &ctx);
@@ -954,7 +963,7 @@ dns_tsig_sign(dns_message_t *msg) {
return (ret);
/*
- * If this is a response, digest the query signature.
+ * If this is a response, digest the request's MAC.
*/
if (response) {
dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
@@ -1084,6 +1093,17 @@ dns_tsig_sign(dns_message_t *msg) {
dst_context_destroy(&ctx);
digestbits = dst_key_getbits(key->key);
if (digestbits != 0) {
+ /*
+ * XXXRAY: Is this correct? What is the
+ * expected behavior when digestbits is not an
+ * integral multiple of 8? It looks like bytes
+ * should either be (digestbits/8) or
+ * (digestbits+7)/8.
+ *
+ * In any case, for current algorithms,
+ * digestbits are an integral multiple of 8, so
+ * it has the same effect as (digestbits/8).
+ */
unsigned int bytes = (digestbits + 1) / 8;
if (response && bytes < querytsig.siglen)
bytes = querytsig.siglen;
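Review bot: The byte count `(digestbits + 1) / 8` that the new XXXRAY comment questions rounds down for every bit length except those with remainder 7, so a key whose truncation is not a multiple of 8 would be signed with, and in the verify paths accepted with, a MAC shorter than the configured number of bits. The same expression is the minimum-length test in the dns_tsig_verify and tsig_verify_tcp hunks of this patch (`tsig.siglen < ((digestbits + 1) / 8)`). Rounding up settles the open question in the conservative direction: `unsigned int bytes = (digestbits + 7) / 8;` here and `tsig.siglen < ((digestbits + 7) / 8)` in both checks; for multiples of 8 the result is unchanged. dns_tsig_sign continues outside this hunk.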
@@ -1193,6 +1213,8 @@ dns_tsig_verify(isc_buffer_t *source, dn
REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
msg->verify_attempted = 1;
+ msg->verified_sig = 0;
+ msg->tsigstatus = dns_tsigerror_badsig;
if (msg->tcp_continuation) {
if (tsigkey == NULL || msg->querytsig == NULL)
@@ -1291,19 +1313,6 @@ dns_tsig_verify(isc_buffer_t *source, dn
key = tsigkey->key;
/*
- * Is the time ok?
- */
- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2, "signature has expired");
- return (DNS_R_CLOCKSKEW);
- } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2, "signature is in the future");
- return (DNS_R_CLOCKSKEW);
- }
-
- /*
* Check digest length.
*/
alg = dst_key_alg(key);
@@ -1312,31 +1321,19 @@ dns_tsig_verify(isc_buffer_t *source, dn
return (ret);
if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
- alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
- isc_uint16_t digestbits = dst_key_getbits(key);
+ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512)
+ {
if (tsig.siglen > siglen) {
tsig_log(msg->tsigkey, 2, "signature length too big");
return (DNS_R_FORMERR);
}
if (tsig.siglen > 0 &&
- (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) {
+ (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2)))
+ {
tsig_log(msg->tsigkey, 2,
"signature length below minimum");
return (DNS_R_FORMERR);
}
- if (tsig.siglen > 0 && digestbits != 0 &&
- tsig.siglen < ((digestbits + 1) / 8)) {
- msg->tsigstatus = dns_tsigerror_badtrunc;
- tsig_log(msg->tsigkey, 2,
- "truncated signature length too small");
- return (DNS_R_TSIGVERIFYFAILURE);
- }
- if (tsig.siglen > 0 && digestbits == 0 &&
- tsig.siglen < siglen) {
- msg->tsigstatus = dns_tsigerror_badtrunc;
- tsig_log(msg->tsigkey, 2, "signature length too small");
- return (DNS_R_TSIGVERIFYFAILURE);
- }
}
if (tsig.siglen > 0) {
@@ -1451,34 +1448,92 @@ dns_tsig_verify(isc_buffer_t *source, dn
ret = dst_context_verify(ctx, &sig_r);
if (ret == DST_R_VERIFYFAILURE) {
- msg->tsigstatus = dns_tsigerror_badsig;
ret = DNS_R_TSIGVERIFYFAILURE;
tsig_log(msg->tsigkey, 2,
"signature failed to verify(1)");
goto cleanup_context;
- } else if (ret != ISC_R_SUCCESS)
+ } else if (ret != ISC_R_SUCCESS) {
goto cleanup_context;
-
- dst_context_destroy(&ctx);
+ }
} else if (tsig.error != dns_tsigerror_badsig &&
tsig.error != dns_tsigerror_badkey) {
- msg->tsigstatus = dns_tsigerror_badsig;
tsig_log(msg->tsigkey, 2, "signature was empty");
return (DNS_R_TSIGVERIFYFAILURE);
}
- msg->tsigstatus = dns_rcode_noerror;
+ /*
+ * Here at this point, the MAC has been verified. Even if any of
+ * the following code returns a TSIG error, the reply will be
+ * signed and WILL always include the request MAC in the digest
+ * computation.
+ */
+
+ /*
+ * Is the time ok?
+ */
+ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2, "signature has expired");
+ ret = DNS_R_CLOCKSKEW;
+ goto cleanup_context;
+ } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2, "signature is in the future");
+ ret = DNS_R_CLOCKSKEW;
+ goto cleanup_context;
+ }
+
+ if (
+#ifndef PK11_MD5_DISABLE
+ alg == DST_ALG_HMACMD5 ||
+#endif
+ alg == DST_ALG_HMACSHA1 ||
+ alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
+ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512)
+ {
+ isc_uint16_t digestbits = dst_key_getbits(key);
+
+ /*
+ * XXXRAY: Is this correct? What is the expected
+ * behavior when digestbits is not an integral multiple
+ * of 8? It looks like bytes should either be
+ * (digestbits/8) or (digestbits+7)/8.
+ *
+ * In any case, for current algorithms, digestbits are
+ * an integral multiple of 8, so it has the same effect
+ * as (digestbits/8).
+ */
+ if (tsig.siglen > 0 && digestbits != 0 &&
+ tsig.siglen < ((digestbits + 1) / 8))
+ {
+ msg->tsigstatus = dns_tsigerror_badtrunc;
+ tsig_log(msg->tsigkey, 2,
+ "truncated signature length too small");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ goto cleanup_context;
+ }
+ if (tsig.siglen > 0 && digestbits == 0 &&
+ tsig.siglen < siglen)
+ {
+ msg->tsigstatus = dns_tsigerror_badtrunc;
+ tsig_log(msg->tsigkey, 2, "signature length too small");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ goto cleanup_context;
+ }
+ }
if (tsig.error != dns_rcode_noerror) {
+ msg->tsigstatus = tsig.error;
if (tsig.error == dns_tsigerror_badtime)
- return (DNS_R_CLOCKSKEW);
+ ret = DNS_R_CLOCKSKEW;
else
- return (DNS_R_TSIGERRORSET);
+ ret = DNS_R_TSIGERRORSET;
+ goto cleanup_context;
}
+ msg->tsigstatus = dns_rcode_noerror;
msg->verified_sig = 1;
-
- return (ISC_R_SUCCESS);
+ ret = ISC_R_SUCCESS;
cleanup_context:
if (ctx != NULL)
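Review bot: The new comment "Here at this point, the MAC has been verified" does not hold for every path that reaches it: when the signature is empty and `tsig.error` is BADSIG or BADKEY, the `else if` arm at the top of this hunk does not return, so control arrives here without dst_context_verify() having run. `msg->verified_sig` still stays 0 on that path because the later `tsig.error != dns_rcode_noerror` test jumps to `cleanup_context`, but the time check in between then works on `tsig.timesigned` and `tsig.fudge` from an unauthenticated record and can replace the status with BADTIME. I would reword the comment to say so, e.g. `/* Either the MAC verified, or this is an unsigned BADSIG/BADKEY error reply, which the tsig.error check below rejects. */`. dns_tsig_verify starts and ends outside this hunk.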
@@ -1503,6 +1558,8 @@ tsig_verify_tcp(isc_buffer_t *source, dn
isc_uint16_t addcount, id;
isc_boolean_t has_tsig = ISC_FALSE;
isc_mem_t *mctx;
+ unsigned int siglen;
+ unsigned int alg;
REQUIRE(source != NULL);
REQUIRE(msg != NULL);
@@ -1510,12 +1567,16 @@ tsig_verify_tcp(isc_buffer_t *source, dn
REQUIRE(msg->tcp_continuation == 1);
REQUIRE(msg->querytsig != NULL);
+ msg->verified_sig = 0;
+ msg->tsigstatus = dns_tsigerror_badsig;
+
if (!is_response(msg))
return (DNS_R_EXPECTEDRESPONSE);
mctx = msg->mctx;
tsigkey = dns_message_gettsigkey(msg);
+ key = tsigkey->key;
/*
* Extract and parse the previous TSIG
@@ -1548,7 +1609,8 @@ tsig_verify_tcp(isc_buffer_t *source, dn
* Do the key name and algorithm match that of the query?
*/
if (!dns_name_equal(keyname, &tsigkey->name) ||
- !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) {
+ !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
+ {
msg->tsigstatus = dns_tsigerror_badkey;
ret = DNS_R_TSIGVERIFYFAILURE;
tsig_log(msg->tsigkey, 2,
@@ -1557,27 +1619,40 @@ tsig_verify_tcp(isc_buffer_t *source, dn
}
/*
- * Is the time ok?
+ * Check digest length.
*/
- isc_stdtime_get(&now);
-
- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2, "signature has expired");
- ret = DNS_R_CLOCKSKEW;
- goto cleanup_querystruct;
- } else if (now + msg->timeadjust <
- tsig.timesigned - tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2,
- "signature is in the future");
- ret = DNS_R_CLOCKSKEW;
+ alg = dst_key_alg(key);
+ ret = dst_key_sigsize(key, &siglen);
+ if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
+ if (
+#ifndef PK11_MD5_DISABLE
+ alg == DST_ALG_HMACMD5 ||
+#endif
+ alg == DST_ALG_HMACSHA1 ||
+ alg == DST_ALG_HMACSHA224 ||
+ alg == DST_ALG_HMACSHA256 ||
+ alg == DST_ALG_HMACSHA384 ||
+ alg == DST_ALG_HMACSHA512)
+ {
+ if (tsig.siglen > siglen) {
+ tsig_log(tsigkey, 2,
+ "signature length too big");
+ ret = DNS_R_FORMERR;
+ goto cleanup_querystruct;
+ }
+ if (tsig.siglen > 0 &&
+ (tsig.siglen < 10 ||
+ tsig.siglen < ((siglen + 1) / 2)))
+ {
+ tsig_log(tsigkey, 2,
+ "signature length below minimum");
+ ret = DNS_R_FORMERR;
+ goto cleanup_querystruct;
+ }
}
}
- key = tsigkey->key;
-
if (msg->tsigctx == NULL) {
ret = dst_context_create3(key, mctx,
DNS_LOGCATEGORY_DNSSEC,
@@ -1673,10 +1748,12 @@ tsig_verify_tcp(isc_buffer_t *source, dn
sig_r.length = tsig.siglen;
if (tsig.siglen == 0) {
if (tsig.error != dns_rcode_noerror) {
- if (tsig.error == dns_tsigerror_badtime)
+ msg->tsigstatus = tsig.error;
+ if (tsig.error == dns_tsigerror_badtime) {
ret = DNS_R_CLOCKSKEW;
- else
+ } else {
ret = DNS_R_TSIGERRORSET;
+ }
} else {
tsig_log(msg->tsigkey, 2,
"signature is empty");
@@ -1687,29 +1764,111 @@ tsig_verify_tcp(isc_buffer_t *source, dn
ret = dst_context_verify(msg->tsigctx, &sig_r);
if (ret == DST_R_VERIFYFAILURE) {
- msg->tsigstatus = dns_tsigerror_badsig;
tsig_log(msg->tsigkey, 2,
"signature failed to verify(2)");
ret = DNS_R_TSIGVERIFYFAILURE;
goto cleanup_context;
+ } else if (ret != ISC_R_SUCCESS) {
+ goto cleanup_context;
+ }
+
+ /*
+ * Here at this point, the MAC has been verified. Even
+ * if any of the following code returns a TSIG error,
+ * the reply will be signed and WILL always include the
+ * request MAC in the digest computation.
+ */
+
+ /*
+ * Is the time ok?
+ */
+ isc_stdtime_get(&now);
+
+ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2, "signature has expired");
+ ret = DNS_R_CLOCKSKEW;
+ goto cleanup_context;
+ } else if (now + msg->timeadjust <
+ tsig.timesigned - tsig.fudge)
+ {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2,
+ "signature is in the future");
+ ret = DNS_R_CLOCKSKEW;
+ goto cleanup_context;
}
- else if (ret != ISC_R_SUCCESS)
+
+ alg = dst_key_alg(key);
+ ret = dst_key_sigsize(key, &siglen);
+ if (ret != ISC_R_SUCCESS)
goto cleanup_context;
+ if (
+#ifndef PK11_MD5_DISABLE
+ alg == DST_ALG_HMACMD5 ||
+#endif
+ alg == DST_ALG_HMACSHA1 ||
+ alg == DST_ALG_HMACSHA224 ||
+ alg == DST_ALG_HMACSHA256 ||
+ alg == DST_ALG_HMACSHA384 ||
+ alg == DST_ALG_HMACSHA512)
+ {
+ isc_uint16_t digestbits = dst_key_getbits(key);
- dst_context_destroy(&msg->tsigctx);
+ /*
+ * XXXRAY: Is this correct? What is the
+ * expected behavior when digestbits is not an
+ * integral multiple of 8? It looks like bytes
+ * should either be (digestbits/8) or
+ * (digestbits+7)/8.
+ *
+ * In any case, for current algorithms,
+ * digestbits are an integral multiple of 8, so
+ * it has the same effect as (digestbits/8).
+ */
+ if (tsig.siglen > 0 && digestbits != 0 &&
+ tsig.siglen < ((digestbits + 1) / 8))
+ {
+ msg->tsigstatus = dns_tsigerror_badtrunc;
+ tsig_log(msg->tsigkey, 2,
+ "truncated signature length "
+ "too small");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ goto cleanup_context;
+ }
+ if (tsig.siglen > 0 && digestbits == 0 &&
+ tsig.siglen < siglen)
+ {
+ msg->tsigstatus = dns_tsigerror_badtrunc;
+ tsig_log(msg->tsigkey, 2,
+ "signature length too small");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ goto cleanup_context;
+ }
+ }
+
+ if (tsig.error != dns_rcode_noerror) {
+ msg->tsigstatus = tsig.error;
+ if (tsig.error == dns_tsigerror_badtime)
+ ret = DNS_R_CLOCKSKEW;
+ else
+ ret = DNS_R_TSIGERRORSET;
+ goto cleanup_context;
+ }
}
msg->tsigstatus = dns_rcode_noerror;
- return (ISC_R_SUCCESS);
+ msg->verified_sig = 1;
+ ret = ISC_R_SUCCESS;
cleanup_context:
- dst_context_destroy(&msg->tsigctx);
+ if (msg->tsigctx != NULL)
+ dst_context_destroy(&msg->tsigctx);
cleanup_querystruct:
dns_rdata_freestruct(&querytsig);
return (ret);
-
}
isc_result_t
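Review bot: The success path now falls through `cleanup_context:` and destroys `msg->tsigctx` on every successful return, where the old code returned before the label and destroyed the context only right after a TSIG record had been verified. tsig_verify_tcp keeps a `has_tsig` flag, which suggests that continuation messages without a TSIG record are valid and rely on the context surviving as a running digest until the next signed message; if so, this change breaks verification of TCP sequences in which not every message is signed. I would keep the context for unsigned, successful messages by guarding the call with `if ((ret != ISC_R_SUCCESS || has_tsig) && msg->tsigctx != NULL)` instead of `if (msg->tsigctx != NULL)`. The function starts outside this hunk.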

File diff suppressed because it is too large Load Diff


@ -1,3 +1,90 @@
-------------------------------------------------------------------
Wed Dec 6 13:35:59 UTC 2017 - vcizek@suse.com
- Use getent when adding user/group
- update changelog to mention removed options
-------------------------------------------------------------------
Sat Nov 25 15:31:18 UTC 2017 - meissner@suse.com
- license changed to MPL-2.0 according to legal.
-------------------------------------------------------------------
Thu Nov 23 13:38:07 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
Wed Nov 22 13:13:26 UTC 2017 - vcizek@suse.com
- Add back init scripts, systemd units aren't ready yet
-------------------------------------------------------------------
Thu Nov 21 14:30:52 UTC 2017 - tchvatal@suse.com
- Add python3-bind subpackage to allow python bind interactions
-------------------------------------------------------------------
Thu Nov 21 13:41:38 UTC 2017 - tchvatal@suse.com
- Sync configure options with RH package and remove unused ones
* Enable python3
* Enable gssapi
* Enable dnssec scripts
* Remove no longer recognized --enable-rrl
-------------------------------------------------------------------
Thu Nov 21 12:54:35 UTC 2017 - tchvatal@suse.com
- Drop idnkit from the build, the bind uses libidn since 2007 to run
all the resolutions in dig/etc. bsc#1030306
- Add patch to make sure we build against system idn:
* bind-99-libidn.patch
- Refresh patch:
* pie_compile.diff
- Remove patches that are unused due to above:
* idnkit-powerpc-ltconfig.patch
* runidn.diff
-------------------------------------------------------------------
Thu Nov 21 12:11:08 UTC 2017 - vcizek@suse.com
- drop bind-openssl11.patch (merged upstream)
-------------------------------------------------------------------
Thu Nov 17 11:35:29 UTC 2017 - tchvatal@suse.com
- Remove systemd conditionals as we are not building on sle11 anyway
- Force the systemd to be base for the initscript deployment
-------------------------------------------------------------------
Tue Nov 15 08:43:05 UTC 2017 - vcizek@suse.com
- Bump up version of most of the libraries
- Rename the subpackages to match the version updates
- Add macros for easier handling of the library package names
- Drop more unneeded patches
* dns_dynamic_db.patch (upstream)
-------------------------------------------------------------------
Tue Nov 14 11:17:03 UTC 2017 - tchvatal@suse.com
- Update to 9.11.2 release:
* Many changes compared to 9.10 see the README file for in-depth listing
* For detailed changes with issues see CHANGES file
* Fixes for CVE-2017-3141 CVE-2017-3140 CVE-2017-3138 CVE-2017-3137
CVE-3136 CVE-2016-9778
* OpenSSL 1.1 support
- Remove support for some old distributions and cleanup the spec file
to require only what is really needed
- Switch to systemd (bsc#1053808)
- Remove german from the postinst messages
- Remove patches merged upstream:
* bind-CVE-2017-3135.patch
* bind-CVE-2017-3142-and-3143.patch
- Refresh named.root with another update
-------------------------------------------------------------------
Mon Nov 13 14:20:43 UTC 2017 - mpluskal@suse.com
@ -43,7 +130,7 @@ Fri Jun 30 07:12:50 UTC 2017 - sflees@suse.de
-------------------------------------------------------------------
Sat May 20 11:46:44 UTC 2017 - dimstar@opensuse.org
a- Fix named init script to dynamically find the location of the
- Fix named init script to dynamically find the location of the
openssl engines (boo#1040027).
-------------------------------------------------------------------

833
bind.spec

File diff suppressed because it is too large Load Diff


@ -1,753 +0,0 @@
# The patch content was originally written by Tomas Hozza:
# From 9b40e9166ee28f2d00424248fe303045e42b1c93 Mon Sep 17 00:00:00 2001
# From: Tomas Hozza <thozza@redhat.com>
# Date: Tue, 29 Jul 2014 15:16:10 +0200
# Subject: [PATCH] Dynamic DB database for BIND 9.10
# Signed-off-by: Tomas Hozza <thozza@redhat.com>
#
# Based on the original patch, some minor adjustments to line numbers are made by Howard Guo <hguo@suse.com>.
Index: bind-9.10.4-P5/bin/named/main.c
===================================================================
--- bind-9.10.4-P5.orig/bin/named/main.c
+++ bind-9.10.4-P5/bin/named/main.c
@@ -43,6 +43,7 @@
#include <isccc/result.h>
#include <dns/dispatch.h>
+#include <dns/dynamic_db.h>
#include <dns/name.h>
#include <dns/result.h>
#include <dns/view.h>
Index: bind-9.10.4-P5/bin/named/server.c
===================================================================
--- bind-9.10.4-P5.orig/bin/named/server.c
+++ bind-9.10.4-P5/bin/named/server.c
@@ -68,6 +68,7 @@
#include <dns/db.h>
#include <dns/dispatch.h>
#include <dns/dlz.h>
+#include <dns/dynamic_db.h>
#include <dns/dns64.h>
#include <dns/forward.h>
#include <dns/journal.h>
@@ -1310,6 +1311,72 @@ configure_peer(const cfg_obj_t *cpeer, i
}
static isc_result_t
+configure_dynamic_db(const cfg_obj_t *dynamic_db, isc_mem_t *mctx,
+ const dns_dyndb_arguments_t *dyndb_args)
+{
+ isc_result_t result;
+ const cfg_obj_t *obj;
+ const cfg_obj_t *options;
+ const cfg_listelt_t *element;
+ const char *name;
+ const char *libname;
+ const char **argv = NULL;
+ unsigned int i;
+ unsigned int len;
+
+ /* Get the name of the database. */
+ obj = cfg_tuple_get(dynamic_db, "name");
+ name = cfg_obj_asstring(obj);
+
+ /* Get options. */
+ options = cfg_tuple_get(dynamic_db, "options");
+
+ /* Get library name. */
+ obj = NULL;
+ CHECK(cfg_map_get(options, "library", &obj));
+ libname = cfg_obj_asstring(obj);
+
+ /* Create a list of arguments. */
+ obj = NULL;
+ result = cfg_map_get(options, "arg", &obj);
+ if (result == ISC_R_NOTFOUND)
+ len = 0;
+ else if (result == ISC_R_SUCCESS)
+ len = cfg_list_length(obj, isc_boolean_false);
+ else
+ goto cleanup;
+
+ /* Account for the last terminating NULL. */
+ len++;
+
+ argv = isc_mem_allocate(mctx, len * sizeof(const char *));
+ if (argv == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ for (element = cfg_list_first(obj), i = 0;
+ element != NULL;
+ element = cfg_list_next(element), i++)
+ {
+ REQUIRE(i < len);
+
+ obj = cfg_listelt_value(element);
+ argv[i] = cfg_obj_asstring(obj);
+ }
+ REQUIRE(i < len);
+ argv[i] = NULL;
+
+ CHECK(dns_dynamic_db_load(libname, name, mctx, argv, dyndb_args));
+
+cleanup:
+ if (argv != NULL)
+ isc_mem_free(mctx, argv);
+
+ return result;
+}
+
+
+static isc_result_t
disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
isc_result_t result;
const cfg_obj_t *algorithms;
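Review bot: `libname` is taken verbatim from the `library` option and handed to dns_dynamic_db_load(), and load_library() in dynamic_db.c (later in this patch) prepends DYNDB_LIBDIR, which defaults to the empty string, before calling dlopen(). With that default a bare name is resolved through the dynamic linker's search path and a name containing `/` is opened as given, so whatever that path points to runs inside named with its privileges. named.conf is trusted input, but I would still pin modules to one directory: build with a non-empty DYNDB_LIBDIR and reject names with a path separator, e.g. `if (strchr(libname, '/') != NULL) { result = ISC_R_FAILURE; goto cleanup; }` before the load call. Logging the resolved path at load time would also make module changes visible in the server log.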
@@ -2349,6 +2416,7 @@ configure_view(dns_view_t *view, dns_vie
const cfg_obj_t *dlz;
unsigned int dlzargc;
char **dlzargv;
+ const cfg_obj_t *dynamic_db_list;
const cfg_obj_t *disabled;
const cfg_obj_t *obj;
#ifdef ENABLE_FETCHLIMIT
@@ -2628,6 +2696,8 @@ configure_view(dns_view_t *view, dns_vie
}
}
+
+
/*
* Obtain configuration parameters that affect the decision of whether
* we can reuse/share an existing cache.
@@ -3704,6 +3774,37 @@ configure_view(dns_view_t *view, dns_vie
dns_view_setrootdelonly(view, ISC_FALSE);
/*
+ * Configure dynamic databases.
+ */
+ dynamic_db_list = NULL;
+ if (voptions != NULL)
+ (void)cfg_map_get(voptions, "dynamic-db", &dynamic_db_list);
+ else
+ (void)cfg_map_get(config, "dynamic-db", &dynamic_db_list);
+ element = cfg_list_first(dynamic_db_list);
+ if (element != NULL) {
+ dns_dyndb_arguments_t *args;
+
+ args = dns_dyndb_arguments_create(mctx);
+ if (args == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ dns_dyndb_set_view(args, view);
+ dns_dyndb_set_zonemgr(args, ns_g_server->zonemgr);
+ dns_dyndb_set_task(args, ns_g_server->task);
+ dns_dyndb_set_timermgr(args, ns_g_timermgr);
+ while (element != NULL) {
+ obj = cfg_listelt_value(element);
+ CHECK(configure_dynamic_db(obj, mctx, args));
+
+ element = cfg_list_next(element);
+ }
+
+ dns_dyndb_arguments_destroy(mctx, args);
+ }
+
+ /*
* Setup automatic empty zones. If recursion is off then
* they are disabled by default.
*/
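Review bot: `CHECK(configure_dynamic_db(obj, mctx, args))` jumps to `cleanup` on failure and skips `dns_dyndb_arguments_destroy()`, and because `args` is declared inside this block the cleanup code cannot release it. The setters in dynamic_db.c attach the view, the zone manager and the task, so a failing module load leaves those references held in addition to the allocation. The loop should record the result, destroy `args` on every path and only then branch to `cleanup`, as in the excerpt below. configure_view starts and ends outside this hunk.

```c
		while (element != NULL) {
			obj = cfg_listelt_value(element);
			result = configure_dynamic_db(obj, mctx, args);
			if (result != ISC_R_SUCCESS)
				break;
			element = cfg_list_next(element);
		}

		/* Release the attached view/zonemgr/task on every path. */
		dns_dyndb_arguments_destroy(mctx, args);
		if (result != ISC_R_SUCCESS)
			goto cleanup;
```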
@@ -5457,6 +5558,7 @@ load_configuration(const char *filename,
cfg_aclconfctx_detach(&ns_g_aclconfctx);
CHECK(cfg_aclconfctx_create(ns_g_mctx, &ns_g_aclconfctx));
+ dns_dynamic_db_cleanup(ISC_FALSE);
/*
* Parse the global default pseudo-config file.
*/
@@ -6685,6 +6787,8 @@ shutdown_server(isc_task_t *task, isc_ev
dns_view_detach(&view);
}
+ dns_dynamic_db_cleanup(ISC_TRUE);
+
while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) {
ISC_LIST_UNLINK(server->cachelist, nsc, link);
dns_cache_detach(&nsc->cache);
Index: bind-9.10.4-P5/lib/dns/dynamic_db.c
===================================================================
--- /dev/null
+++ bind-9.10.4-P5/lib/dns/dynamic_db.c
@@ -0,0 +1,366 @@
+/*
+ * Copyright (C) 2008-2011 Red Hat, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/result.h>
+#include <isc/region.h>
+#include <isc/task.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/dynamic_db.h>
+#include <dns/log.h>
+#include <dns/types.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include <string.h>
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#ifndef DYNDB_LIBDIR
+#define DYNDB_LIBDIR ""
+#endif
+
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto cleanup; \
+ } while (0)
+
+
+typedef isc_result_t (*register_func_t)(isc_mem_t *mctx, const char *name,
+ const char * const *argv,
+ const dns_dyndb_arguments_t *dyndb_args);
+typedef void (*destroy_func_t)(void);
+
+typedef struct dyndb_implementation dyndb_implementation_t;
+
+struct dyndb_implementation {
+ isc_mem_t *mctx;
+ void *handle;
+ register_func_t register_function;
+ destroy_func_t destroy_function;
+ LINK(dyndb_implementation_t) link;
+};
+
+struct dns_dyndb_arguments {
+ dns_view_t *view;
+ dns_zonemgr_t *zmgr;
+ isc_task_t *task;
+ isc_timermgr_t *timermgr;
+};
+
+/* List of implementations. Locked by dyndb_lock. */
+static LIST(dyndb_implementation_t) dyndb_implementations;
+/* Locks dyndb_implementations. */
+static isc_mutex_t dyndb_lock;
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+dyndb_initialize(void) {
+ RUNTIME_CHECK(isc_mutex_init(&dyndb_lock) == ISC_R_SUCCESS);
+ INIT_LIST(dyndb_implementations);
+}
+
+
+#if HAVE_DLFCN_H
+static isc_result_t
+load_symbol(void *handle, const char *symbol_name, void **symbolp)
+{
+ const char *errmsg;
+ void *symbol;
+
+ REQUIRE(handle != NULL);
+ REQUIRE(symbolp != NULL && *symbolp == NULL);
+
+ symbol = dlsym(handle, symbol_name);
+ if (symbol == NULL) {
+ errmsg = dlerror();
+ if (errmsg == NULL)
+ errmsg = "returned function pointer is NULL";
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+ "failed to lookup symbol %s: %s",
+ symbol_name, errmsg);
+ return ISC_R_FAILURE;
+ }
+ dlerror();
+
+ *symbolp = symbol;
+
+ return ISC_R_SUCCESS;
+}
+
+static isc_result_t
+load_library(isc_mem_t *mctx, const char *filename, dyndb_implementation_t **impp)
+{
+ isc_result_t result;
+ size_t module_size;
+ isc_buffer_t *module_buf = NULL;
+ isc_region_t module_region;
+ void *handle = NULL;
+ dyndb_implementation_t *imp;
+ register_func_t register_function = NULL;
+ destroy_func_t destroy_function = NULL;
+
+ REQUIRE(impp != NULL && *impp == NULL);
+
+ /* Build up the full path. */
+ module_size = strlen(DYNDB_LIBDIR) + strlen(filename) + 1;
+ CHECK(isc_buffer_allocate(mctx, &module_buf, module_size));
+ isc_buffer_putstr(module_buf, DYNDB_LIBDIR);
+ isc_buffer_putstr(module_buf, filename);
+ isc_buffer_putuint8(module_buf, 0);
+ isc_buffer_region(module_buf, &module_region);
+
+ handle = dlopen((char *)module_region.base, RTLD_LAZY);
+ if (handle == NULL) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+ "failed to dynamically load driver '%s': %s",
+ filename, dlerror());
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+ dlerror();
+
+ CHECK(load_symbol(handle, "dynamic_driver_init",
+ (void **)&register_function));
+ CHECK(load_symbol(handle, "dynamic_driver_destroy",
+ (void **)&destroy_function));
+
+ imp = isc_mem_get(mctx, sizeof(dyndb_implementation_t));
+ if (imp == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+
+ imp->mctx = NULL;
+ isc_mem_attach(mctx, &imp->mctx);
+ imp->handle = handle;
+ imp->register_function = register_function;
+ imp->destroy_function = destroy_function;
+ INIT_LINK(imp, link);
+
+ *impp = imp;
+
+cleanup:
+ if (result != ISC_R_SUCCESS && handle != NULL)
+ dlclose(handle);
+ if (module_buf != NULL)
+ isc_buffer_free(&module_buf);
+
+ return result;
+}
+
+static void
+unload_library(dyndb_implementation_t **impp)
+{
+ dyndb_implementation_t *imp;
+
+ REQUIRE(impp != NULL && *impp != NULL);
+
+ imp = *impp;
+
+ isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t));
+
+ *impp = NULL;
+}
+
+#else /* HAVE_DLFCN_H */
+static isc_result_t
+load_library(isc_mem_t *mctx, const char *filename, dyndb_implementation_t **impp)
+{
+ UNUSED(mctx);
+ UNUSED(filename);
+ UNUSED(impp);
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DYNDB,
+ ISC_LOG_ERROR,
+ "dynamic database support is not implemented")
+
+ return ISC_R_NOTIMPLEMENTED;
+}
+
+static void
+unload_library(dyndb_implementation_t **impp)
+{
+ dyndb_implementation_t *imp;
+
+ REQUIRE(impp != NULL && *impp != NULL);
+
+ imp = *impp;
+
+ isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t));
+
+ *impp = NULL;
+}
+#endif /* HAVE_DLFCN_H */
+
+isc_result_t
+dns_dynamic_db_load(const char *libname, const char *name, isc_mem_t *mctx,
+ const char * const *argv,
+ const dns_dyndb_arguments_t *dyndb_args)
+{
+ isc_result_t result;
+ dyndb_implementation_t *implementation = NULL;
+
+ RUNTIME_CHECK(isc_once_do(&once, dyndb_initialize) == ISC_R_SUCCESS);
+
+ CHECK(load_library(mctx, libname, &implementation));
+ CHECK(implementation->register_function(mctx, name, argv, dyndb_args));
+
+ LOCK(&dyndb_lock);
+ APPEND(dyndb_implementations, implementation, link);
+ UNLOCK(&dyndb_lock);
+
+ return ISC_R_SUCCESS;
+
+cleanup:
+ if (implementation != NULL)
+ unload_library(&implementation);
+
+ return result;
+}
+
+void
+dns_dynamic_db_cleanup(isc_boolean_t exiting)
+{
+ dyndb_implementation_t *elem;
+ dyndb_implementation_t *prev;
+
+ RUNTIME_CHECK(isc_once_do(&once, dyndb_initialize) == ISC_R_SUCCESS);
+
+ LOCK(&dyndb_lock);
+ elem = TAIL(dyndb_implementations);
+ while (elem != NULL) {
+ prev = PREV(elem, link);
+ UNLINK(dyndb_implementations, elem, link);
+ elem->destroy_function();
+ unload_library(&elem);
+ elem = prev;
+ }
+ UNLOCK(&dyndb_lock);
+
+ if (exiting == ISC_TRUE)
+ isc_mutex_destroy(&dyndb_lock);
+}
+
+dns_dyndb_arguments_t *
+dns_dyndb_arguments_create(isc_mem_t *mctx)
+{
+ dns_dyndb_arguments_t *args;
+
+ args = isc_mem_get(mctx, sizeof(*args));
+ if (args != NULL)
+ memset(args, 0, sizeof(*args));
+
+ return args;
+}
+
+void
+dns_dyndb_arguments_destroy(isc_mem_t *mctx, dns_dyndb_arguments_t *args)
+{
+ REQUIRE(args != NULL);
+
+ dns_dyndb_set_view(args, NULL);
+ dns_dyndb_set_zonemgr(args, NULL);
+ dns_dyndb_set_task(args, NULL);
+ dns_dyndb_set_timermgr(args, NULL);
+
+ isc_mem_put(mctx, args, sizeof(*args));
+}
+
+void
+dns_dyndb_set_view(dns_dyndb_arguments_t *args, dns_view_t *view)
+{
+ REQUIRE(args != NULL);
+
+ if (args->view != NULL)
+ dns_view_detach(&args->view);
+ if (view != NULL)
+ dns_view_attach(view, &args->view);
+}
+
+dns_view_t *
+dns_dyndb_get_view(dns_dyndb_arguments_t *args)
+{
+ REQUIRE(args != NULL);
+
+ return args->view;
+}
+
+void
+dns_dyndb_set_zonemgr(dns_dyndb_arguments_t *args, dns_zonemgr_t *zmgr)
+{
+ REQUIRE(args != NULL);
+
+ if (args->zmgr != NULL)
+ dns_zonemgr_detach(&args->zmgr);
+ if (zmgr != NULL)
+ dns_zonemgr_attach(zmgr, &args->zmgr);
+}
+
+dns_zonemgr_t *
+dns_dyndb_get_zonemgr(dns_dyndb_arguments_t *args)
+{
+ REQUIRE(args != NULL);
+
+ return args->zmgr;
+}
+
+void
+dns_dyndb_set_task(dns_dyndb_arguments_t *args, isc_task_t *task)
+{
+ REQUIRE(args != NULL);
+
+ if (args->task != NULL)
+ isc_task_detach(&args->task);
+ if (task != NULL)
+ isc_task_attach(task, &args->task);
+}
+
+isc_task_t *
+dns_dyndb_get_task(dns_dyndb_arguments_t *args)
+{
+ REQUIRE(args != NULL);
+
+ return args->task;
+}
+
+void
+dns_dyndb_set_timermgr(dns_dyndb_arguments_t *args, isc_timermgr_t *timermgr)
+{
+ REQUIRE(args != NULL);
+
+ args->timermgr = timermgr;
+}
+
+isc_timermgr_t *
+dns_dyndb_get_timermgr(dns_dyndb_arguments_t *args)
+{
+ REQUIRE(args != NULL);
+
+ return args->timermgr;
+}
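Review bot: unload_library() returns the `dyndb_implementation_t` to the memory context but never calls `dlclose(imp->handle)`, so a module stays mapped after dns_dynamic_db_cleanup() has run its destroy function, and the same happens in dns_dynamic_db_load() when `register_function` fails. Since this patch also calls the cleanup from load_configuration(), the handle's reference count only grows across reloads. In the HAVE_DLFCN_H variant I would add `if (imp->handle != NULL) dlclose(imp->handle);` before the `isc_mem_putanddetach(...)` call. Separately, the `isc_log_write(...)` call in the non-dlfcn load_library() lacks its terminating `;`, so that branch does not compile.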
Index: bind-9.10.4-P5/lib/dns/include/dns/dynamic_db.h
===================================================================
--- /dev/null
+++ bind-9.10.4-P5/lib/dns/include/dns/dynamic_db.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008-2011 Red Hat, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef DYNAMIC_DB_H
+#define DYNAMIC_DB_H
+
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+/*
+ * TODO:
+ * Reformat the prototypes.
+ * Add annotated comments.
+ */
+
+isc_result_t dns_dynamic_db_load(const char *libname, const char *name,
+ isc_mem_t *mctx, const char * const *argv,
+ const dns_dyndb_arguments_t *dyndb_args);
+
+void dns_dynamic_db_cleanup(isc_boolean_t exiting);
+
+dns_dyndb_arguments_t *dns_dyndb_arguments_create(isc_mem_t *mctx);
+void dns_dyndb_arguments_destroy(isc_mem_t *mctx, dns_dyndb_arguments_t *args);
+
+void dns_dyndb_set_view(dns_dyndb_arguments_t *args, dns_view_t *view);
+dns_view_t *dns_dyndb_get_view(dns_dyndb_arguments_t *args);
+void dns_dyndb_set_zonemgr(dns_dyndb_arguments_t *args, dns_zonemgr_t *zmgr);
+dns_zonemgr_t *dns_dyndb_get_zonemgr(dns_dyndb_arguments_t *args);
+void dns_dyndb_set_task(dns_dyndb_arguments_t *args, isc_task_t *task);
+isc_task_t *dns_dyndb_get_task(dns_dyndb_arguments_t *args);
+void dns_dyndb_set_timermgr(dns_dyndb_arguments_t *args,
+ isc_timermgr_t *timermgr);
+isc_timermgr_t *dns_dyndb_get_timermgr(dns_dyndb_arguments_t *args);
+
+#endif
Index: bind-9.10.4-P5/lib/dns/include/dns/log.h
===================================================================
--- bind-9.10.4-P5.orig/lib/dns/include/dns/log.h
+++ bind-9.10.4-P5/lib/dns/include/dns/log.h
@@ -78,6 +78,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodul
#define DNS_LOGMODULE_DNSSEC (&dns_modules[27])
#define DNS_LOGMODULE_CRYPTO (&dns_modules[28])
#define DNS_LOGMODULE_PACKETS (&dns_modules[29])
+#define DNS_LOGMODULE_DYNDB (&dns_modules[30])
ISC_LANG_BEGINDECLS
Index: bind-9.10.4-P5/lib/dns/include/dns/Makefile.in
===================================================================
--- bind-9.10.4-P5.orig/lib/dns/include/dns/Makefile.in
+++ bind-9.10.4-P5/lib/dns/include/dns/Makefile.in
@@ -23,7 +23,7 @@ VERSION=@BIND9_VERSION@
HEADERS = acache.h acl.h adb.h bit.h byaddr.h cache.h callbacks.h cert.h \
client.h clientinfo.h compress.h \
- db.h dbiterator.h dbtable.h diff.h dispatch.h \
+ db.h dbiterator.h dbtable.h diff.h dispatch.h dynamic_db.h \
dlz.h dlz_dlopen.h dns64.h dnssec.h ds.h dsdigest.h \
ecdb.h events.h fixedname.h forward.h geoip.h iptable.h \
journal.h keydata.h keyflags.h keytable.h keyvalues.h \
Index: bind-9.10.4-P5/lib/dns/include/dns/types.h
===================================================================
--- bind-9.10.4-P5.orig/lib/dns/include/dns/types.h
+++ bind-9.10.4-P5/lib/dns/include/dns/types.h
@@ -140,6 +140,7 @@ typedef struct dns_zone dns_zone_t;
typedef ISC_LIST(dns_zone_t) dns_zonelist_t;
typedef struct dns_zonemgr dns_zonemgr_t;
typedef struct dns_zt dns_zt_t;
+typedef struct dns_dyndb_arguments dns_dyndb_arguments_t;
/*
* If we are not using GSSAPI, define the types we use as opaque types here.
Index: bind-9.10.4-P5/lib/dns/log.c
===================================================================
--- bind-9.10.4-P5.orig/lib/dns/log.c
+++ bind-9.10.4-P5/lib/dns/log.c
@@ -84,6 +84,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns
{ "dns/dnssec", 0 },
{ "dns/crypto", 0 },
{ "dns/packets", 0 },
+ { "dns/dynamic_db", 0 },
{ NULL, 0 }
};
Index: bind-9.10.4-P5/lib/dns/Makefile.in
===================================================================
--- bind-9.10.4-P5.orig/lib/dns/Makefile.in
+++ bind-9.10.4-P5/lib/dns/Makefile.in
@@ -65,7 +65,7 @@ GEOIPLINKOBJS = geoip.@O@
DNSOBJS = acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
cache.@O@ callbacks.@O@ clientinfo.@O@ compress.@O@ \
db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \
- dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ forward.@O@ \
+ dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ dynamic_db.@O@ forward.@O@ \
iptable.@O@ journal.@O@ keydata.@O@ keytable.@O@ \
lib.@O@ log.@O@ lookup.@O@ \
master.@O@ masterdump.@O@ message.@O@ \
@@ -103,7 +103,7 @@ GEOIOLINKSRCS = geoip.c
DNSSRCS = acache.c acl.c adb.c byaddr.c \
cache.c callbacks.c clientinfo.c compress.c \
db.c dbiterator.c dbtable.c diff.c dispatch.c \
- dlz.c dns64.c dnssec.c ds.c forward.c \
+ dlz.c dns64.c dnssec.c ds.c dynamic_db.c forward.c \
iptable.c journal.c keydata.c keytable.c lib.c log.c \
lookup.c master.c masterdump.c message.c \
name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \
@@ -138,6 +138,11 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
+dynamic_db.@O@: dynamic_db.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DDYNDB_LIBDIR=\"/usr/lib/bind/\" \
+ -c ${srcdir}/dynamic_db.c
+
libdns.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
Index: bind-9.10.4-P5/lib/isccfg/namedconf.c
===================================================================
--- bind-9.10.4-P5.orig/lib/isccfg/namedconf.c
+++ bind-9.10.4-P5/lib/isccfg/namedconf.c
@@ -666,6 +666,40 @@ static cfg_type_t cfg_type_transferforma
&transferformat_enums
};
+/*
+ * Dynamic database clauses.
+ */
+
+static cfg_clausedef_t
+dynamic_db_clauses[] = {
+ { "library", &cfg_type_qstring, 0 },
+ { "arg", &cfg_type_qstring, CFG_CLAUSEFLAG_MULTI },
+ { NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+dynamic_db_clausesets[] = {
+ dynamic_db_clauses,
+ NULL
+};
+
+static cfg_type_t cfg_type_dynamic_db_opts = {
+ "dynamically_loadable_zones_opts", cfg_parse_map,
+ cfg_print_map, cfg_doc_map, &cfg_rep_map,
+ dynamic_db_clausesets
+};
+
+static cfg_tuplefielddef_t dynamic_db_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "options", &cfg_type_dynamic_db_opts, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_dynamic_db = {
+ "dynamic_db", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, dynamic_db_fields
+};
+
/*%
* The special keyword "none", as used in the pid-file option.
*/
@@ -969,6 +1003,7 @@ namedconf_or_view_clauses[] = {
{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
{ "dlz", &cfg_type_dlz, CFG_CLAUSEFLAG_MULTI },
+ { "dynamic-db", &cfg_type_dynamic_db, CFG_CLAUSEFLAG_MULTI },
{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
{ "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
{ "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
@@ -2230,6 +2265,7 @@ static cfg_type_t cfg_type_dialuptype =
&cfg_rep_string, dialup_enums
};
+
static const char *notify_enums[] = { "explicit", "master-only", NULL };
static isc_result_t
parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
@@ -3335,3 +3371,4 @@ static cfg_type_t cfg_type_maxttl = {
"maxttl_no_default", parse_maxttl, cfg_print_ustring, doc_maxttl,
&cfg_rep_string, maxttl_enums
};
+


@ -1,12 +0,0 @@
Index: bind-9.10.1-P1/contrib/idn/idnkit-1.0-src/ltconfig
===================================================================
--- bind-9.10.1-P1.orig/contrib/idn/idnkit-1.0-src/ltconfig
+++ bind-9.10.1-P1/contrib/idn/idnkit-1.0-src/ltconfig
@@ -1999,7 +1999,6 @@ linux-gnu*)
else
# Only the GNU ld.so supports shared libraries on MkLinux.
case "$host_cpu" in
- powerpc*) dynamic_linker=no ;;
*) dynamic_linker='Linux ld.so' ;;
esac
fi


@ -1,8 +1,8 @@
Index: contrib/named-bootconf/named-bootconf.sh
Index: contrib/scripts/named-bootconf.sh
===================================================================
--- contrib/scripts/named-bootconf.sh.orig
+++ contrib/scripts/named-bootconf.sh
@@ -47,7 +47,8 @@
--- contrib/scripts/named-bootconf.sh.orig 2017-08-15 13:08:41.636256254 +0200
+++ contrib/scripts/named-bootconf.sh 2017-08-15 13:08:42.516270950 +0200
@@ -38,7 +38,8 @@
# POSSIBILITY OF SUCH DAMAGE.
if [ ${OPTIONFILE-X} = X ]; then
@ -12,7 +12,7 @@ Index: contrib/named-bootconf/named-bootconf.sh
( umask 077 ; mkdir $WORKDIR ) || {
echo "unable to create work directory '$WORKDIR'" >&2
exit 1
@@ -301,7 +302,7 @@ if [ $DUMP -eq 1 ]; then
@@ -292,7 +293,7 @@ if [ $DUMP -eq 1 ]; then
cat $ZONEFILE $COMMENTFILE
rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE
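Review bot: The refreshed header of this patch now carries wall-clock timestamps (`--- contrib/scripts/named-bootconf.sh.orig 2017-08-15 13:08:41.636256254 +0200`), and the Perl shebang patch later on this page gains them as well, while the PIE patch refreshed in the same commit has its timestamps stripped. Timestamps in patch headers cause header-only churn on every later refresh and bury the real change when the patch set is audited. If these files are maintained with quilt, refreshing with `--no-timestamps` would keep all three patches consistent. Only fragments of the patched script's hunks are visible here, so the body of the change itself is not assessed.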


@ -1,92 +1,92 @@
; This file holds the information on root name servers needed to
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: June 01, 2017
; related version of root zone: 2017060102
;
; formerly NS.INTERNIC.NET
;
; last update: July 26, 2017
; related version of root zone: 2017072601
;
; FORMERLY NS.INTERNIC.NET
;
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b
;
; FORMERLY C.PSI.NET
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
;
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
;
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
;
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
;
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
;
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
;
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
;
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
;
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
; End of file
; End of file


@ -1,17 +1,17 @@
Index: bin/tests/t_api.pl
===================================================================
--- bin/tests/t_api.pl.orig
+++ bin/tests/t_api.pl
--- bin/tests/t_api.pl.orig 2017-07-24 07:36:50.000000000 +0200
+++ bin/tests/t_api.pl 2017-08-15 10:29:56.969817140 +0200
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/perl
#
# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1999-2001 Internet Software Consortium.
# Copyright (C) 1999-2001, 2004, 2007, 2012, 2016 Internet Systems Consortium, Inc. ("ISC")
#
Index: contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl
===================================================================
--- contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl.orig
+++ contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl
--- contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl.orig 2017-07-24 07:36:50.000000000 +0200
+++ contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl 2017-08-15 10:29:56.969817140 +0200
@@ -1,4 +1,4 @@
-#! /usr/local/bin/perl -w
+#! /usr/bin/perl -w
@ -20,8 +20,8 @@ Index: contrib/idn/idnkit-1.0-src/util/generate_nameprep_data.pl
# Copyright (c) 2001 Japan Network Information Center. All rights reserved.
Index: contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl
===================================================================
--- contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl.orig
+++ contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl
--- contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl.orig 2017-07-24 07:36:50.000000000 +0200
+++ contrib/idn/idnkit-1.0-src/util/generate_normalize_data.pl 2017-08-15 10:29:56.969817140 +0200
@@ -1,4 +1,4 @@
-#! /usr/local/bin/perl -w
+#! /usr/bin/perl -w


@ -1,8 +1,8 @@
Index: bin/check/Makefile.in
===================================================================
--- bin/check/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/check/Makefile.in 2013-08-06 12:08:19.492457714 +0200
@@ -57,8 +57,12 @@
--- bin/check/Makefile.in.orig
+++ bin/check/Makefile.in
@@ -48,8 +48,12 @@ HTMLPAGES = named-checkconf.html named-c
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@ -17,9 +17,9 @@ Index: bin/check/Makefile.in
-DVERSION=\"${VERSION}\" \
Index: bin/confgen/Makefile.in
===================================================================
--- bin/confgen/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/confgen/Makefile.in 2013-08-06 12:08:19.492457714 +0200
@@ -64,8 +64,12 @@
--- bin/confgen/Makefile.in.orig
+++ bin/confgen/Makefile.in
@@ -56,8 +56,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
UOBJS = unix/os.@O@
@ -34,9 +34,9 @@ Index: bin/confgen/Makefile.in
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
Index: bin/confgen/unix/Makefile.in
===================================================================
--- bin/confgen/unix/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/confgen/unix/Makefile.in 2013-08-06 12:08:19.492457714 +0200
@@ -32,4 +32,8 @@
--- bin/confgen/unix/Makefile.in.orig
+++ bin/confgen/unix/Makefile.in
@@ -24,4 +24,8 @@ SRCS = os.c
TARGETS = ${OBJS}
@ -47,11 +47,11 @@ Index: bin/confgen/unix/Makefile.in
+LDFLAGS += -pie
Index: bin/dig/Makefile.in
===================================================================
--- bin/dig/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/dig/Makefile.in 2013-08-06 12:08:19.492457714 +0200
@@ -69,8 +69,12 @@ HTMLPAGES = dig.html host.html nslookup.
--- bin/dig/Makefile.in.orig
+++ bin/dig/Makefile.in
@@ -61,8 +61,12 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
MANOBJS = ${MANPAGES} ${HTMLPAGES}
EXT_CFLAGS = -DWITH_LIBIDN
+EXT_CFLAGS = -fPIE -static
+
@ -64,9 +64,9 @@ Index: bin/dig/Makefile.in
export LIBS0="${DNSLIBS}"; \
Index: bin/dnssec/Makefile.in
===================================================================
--- bin/dnssec/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/dnssec/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -65,8 +65,12 @@
--- bin/dnssec/Makefile.in.orig
+++ bin/dnssec/Makefile.in
@@ -56,8 +56,12 @@ HTMLPAGES = dnssec-dsfromkey.html dnssec
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@ -81,10 +81,10 @@ Index: bin/dnssec/Makefile.in
${FINALBUILDCMD}
Index: bin/Makefile.in
===================================================================
--- bin/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -23,4 +23,8 @@
check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
--- bin/Makefile.in.orig
+++ bin/Makefile.in
@@ -14,4 +14,8 @@ SUBDIRS = named rndc dig delv dnssec too
check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@
TARGETS =
+EXT_CFLAGS = -fPIE -static
@ -94,9 +94,9 @@ Index: bin/Makefile.in
+LDFLAGS += -pie
Index: bin/named/Makefile.in
===================================================================
--- bin/named/Makefile.in.orig 2013-08-06 12:08:17.653432490 +0200
+++ bin/named/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -119,8 +119,12 @@
--- bin/named/Makefile.in.orig
+++ bin/named/Makefile.in
@@ -108,8 +108,12 @@ HTMLPAGES = named.html lwresd.html named
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@ -111,9 +111,9 @@ Index: bin/named/Makefile.in
-DVERSION=\"${VERSION}\" \
Index: bin/named/unix/Makefile.in
===================================================================
--- bin/named/unix/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/named/unix/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -34,4 +34,6 @@
--- bin/named/unix/Makefile.in.orig
+++ bin/named/unix/Makefile.in
@@ -25,4 +25,6 @@ SRCS = os.c dlz_dlopen_driver.c
TARGETS = ${OBJS}
@ -122,9 +122,9 @@ Index: bin/named/unix/Makefile.in
@BIND9_MAKE_RULES@
Index: bin/nsupdate/Makefile.in
===================================================================
--- bin/nsupdate/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/nsupdate/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -68,8 +68,12 @@
--- bin/nsupdate/Makefile.in.orig
+++ bin/nsupdate/Makefile.in
@@ -60,8 +60,12 @@ HTMLPAGES = nsupdate.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@ -139,9 +139,9 @@ Index: bin/nsupdate/Makefile.in
-DSESSION_KEYFILE=\"${localstatedir}/run/named/session.key\" \
Index: bin/rndc/Makefile.in
===================================================================
--- bin/rndc/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/rndc/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -59,8 +59,12 @@
--- bin/rndc/Makefile.in.orig
+++ bin/rndc/Makefile.in
@@ -50,8 +50,12 @@ HTMLPAGES = rndc.html rndc.conf.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@ -156,10 +156,10 @@ Index: bin/rndc/Makefile.in
-DVERSION=\"${VERSION}\" \
Index: bin/tools/Makefile.in
===================================================================
--- bin/tools/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ bin/tools/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -54,8 +54,12 @@ HTMLPAGES = arpaname.html named-journalp
nsec3hash.html genrandom.html isc-hmac-fixup.html
--- bin/tools/Makefile.in.orig
+++ bin/tools/Makefile.in
@@ -60,8 +60,12 @@ HTMLPAGES = arpaname.html dnstap-read.ht
MANOBJS = ${MANPAGES} ${HTMLPAGES}
+EXT_CFLAGS = -fPIE -static
@ -173,9 +173,9 @@ Index: bin/tools/Makefile.in
-o $@ arpaname.@O@ ${ISCLIBS} ${LIBS}
Index: contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in
===================================================================
--- contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in 2013-08-06 12:08:19.493457729 +0200
@@ -68,8 +68,8 @@
--- contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in.orig
+++ contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in
@@ -68,8 +68,8 @@ IDNLIB = ../../lib/libidnkit.la
INCS = -I$(srcdir) -I$(srcdir)/../../include -I../../include $(ICONVINC)
DEFS =
@ -186,11 +186,11 @@ Index: contrib/idn/idnkit-1.0-src/tools/idnconv/Makefile.in
SRCS = idnconv.c util.c selectiveencode.c
OBJS = idnconv.o util.o selectiveencode.o
Index: contrib/zkt/Makefile.in
Index: contrib/zkt-1.1.3/Makefile.in
===================================================================
--- contrib/zkt-1.1.3/Makefile.in.orig 2013-07-17 00:13:06.000000000 +0200
+++ contrib/zkt-1.1.3/Makefile.in 2013-08-06 12:08:19.494457743 +0200
@@ -13,11 +13,11 @@
--- contrib/zkt-1.1.3/Makefile.in.orig
+++ contrib/zkt-1.1.3/Makefile.in
@@ -13,11 +13,11 @@ PROFILE = # -pg
OPTIM = # -O3 -DNDEBUG
#CFLAGS ?= @CFLAGS@ @DEFS@ -I@top_srcdir@
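Review bot: The hardening flags carried over by this refresh mix `-static` with PIE: the hunks for bin/dig, bin/Makefile.in and bin/tools set `EXT_CFLAGS = -fPIE -static`, and bin/confgen/unix and bin/Makefile.in add `LDFLAGS += -pie`. `-static` is a link-time option, so inside a compile-flag variable it is either inert or, if these flags also reach the link command, at odds with `-pie`; the link rules are outside the visible hunks, so which case applies cannot be told from the patch. I would drop it (`EXT_CFLAGS = -fPIE`) or state in the patch header why it is needed. The package build should also confirm the result, for instance by checking that the installed binaries have ELF type `DYN`. Most hunks of the inner patch are shown only in part on this page.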


@ -1,34 +0,0 @@
From: Jan Engelhardt <jengelh@inai.de>
Date: 2014-10-01 19:52:10.339340849 +0200
We do not normally ship the .la files in openSUSE;
make runidn work without it.
And do it portably (\$LIB), too, which the original runidn can't.
---
contrib/idn/idnkit-1.0-src/tools/runidn/runidn.in | 6 ++++++
1 file changed, 6 insertions(+)
Index: bind-9.9.5-P1/contrib/idn/idnkit-1.0-src/tools/runidn/runidn.in
===================================================================
--- bind-9.9.5-P1.orig/contrib/idn/idnkit-1.0-src/tools/runidn/runidn.in
+++ bind-9.9.5-P1/contrib/idn/idnkit-1.0-src/tools/runidn/runidn.in
@@ -79,6 +79,7 @@ if test "$iconv_file" != none; then
preload="$iconv_file@PRELOAD_SEP@"
fi
+if false; then
prefix=@prefix@
exec_prefix=@exec_prefix@
libdir=`echo @libdir@`
@@ -96,6 +97,11 @@ EOF
exit 1
fi
preload=$preload$libdir/$dlname
+else
+prefix=$(echo "@prefix@")
+exec_prefix=$(echo "@exec_prefix@")
+preload="$exec_prefix/\$LIB/libidnkitres.so.1"
+fi
# Set @PRELOAD_VAR@.
if [ X$@PRELOAD_VAR@ = X ]; then