- Fix typo in contrib/dlz/modules/{mysql,mysqldyn} that references
LDAP_LIBS instead of MYSQL_LIBS.
[bsc#1202149, bind.spec, bind-fix-mysql-bindings.patch]
- Update to bind release 9.18.6
Bug Fixes:
* When running as a validating resolver forwarding all queries
to another resolver, named could crash with an assertion failure.
These crashes occurred when the configured forwarder sent
a broken DS response and named failed its attempts to find
a proper one instead. This has been fixed.
* Non-dynamic zones that inherit dnssec-policy from the view
or options blocks were not marked as inline-signed
and therefore never scheduled to be re-signed. This has been fixed.
* The old max-zone-ttl zone option was meant to be superseded
by the max-zone-ttl option in dnssec-policy; however,
the latter option was not fully effective. This has been corrected:
zones no longer load if they contain TTLs greater than the limit
configured in dnssec-policy. For zones with both the old
max-zone-ttl option and dnssec-policy configured,
the old option is ignored, and a warning is generated.
* rndc dumpdb -expired was fixed to include expired RRsets,
even if stale-cache-enable is set to no and the cache-cleaning
time window has passed.
For a complete list of changes, see
* Bind Release Notes
https://downloads.isc.org/isc/bind9/9.18.6/doc/arm/html/notes.html
* The CHANGES file in the source RPM
[bind.spec bind-9.18.6.tar.xz bind-9.18.6.tar.xz.sha512.asc]
OBS-URL: https://build.opensuse.org/request/show/998005
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=355
- When enabling query_logging by un-commenting an example in
bind.conf, named attempts to create a file in /var/log which
fails due to missing credentials. This also applies to the
"dump-file" and the "statistics-file".
This is solved by having systemd-tmpfiles create a subdirectory
"/var/log/named" owned by named:named and changing the file
paths accordingly:
/var/log/named_querylog -> /var/log/named/querylog
/var/log/named_dump.db -> /var/log/named/dump.db
/var/log/named.stats -> /var/log/named/stats
Also, in "named.service", the ReadWritePath was changed to
include "/var/log/named" rather than just "var/log".
[bsc#1200685, bind.conf, vendor-files/config/named.conf,
vendor-files/system/named.service]
OBS-URL: https://build.opensuse.org/request/show/992780
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=353
- Update to 9.16.19
* A race condition could occur where two threads were
competing for the same set of key file locks, leading to
a deadlock. This has been fixed. [GL #2786]
* create_keydata() created an invalid placeholder keydata
record upon a refresh failure, which prevented the
database of managed keys from subsequently being read
back. This has been fixed. [GL #2686]
* KASP support was extended with the "check DS" feature.
Zones with "dnssec-policy" and "parental-agents"
configured now check for DS presence and can perform
automatic KSK rollovers. [GL #1126]
* Rescheduling a setnsec3param() task when a zone failed
to load on startup caused a hang on shutdown. This has
been fixed. [GL #2791]
* The configuration-checking code failed to account for
the inheritance rules of the "dnssec-policy" option.
This has been fixed. [GL #2780]
* If nsupdate sends an SOA request and receives a REFUSED
response, it now fails over to the next available
server. [GL #2758]
* For UDP messages larger than the path MTU, named now
sends an empty response with the TC (TrunCated) bit set.
In addition, setting the DF (Don't Fragment) flag on
outgoing UDP sockets was re-enabled. [GL #2790]
* Views with recursion disabled are now configured with a
default cache size of 2 MB unless "max-cache-size" is
explicitly set. This prevents cache RBT hash tables from
being needlessly preallocated for such views. [GL #2777]
* Change 5644 inadvertently introduced a deadlock: when
locking the key file mutex for each zone structure in a
different view, the "in-view" logic was not considered.
This has been fixed. [GL #2783]
* Increasing "max-cache-size" for a running named instance
(using "rndc reconfig") did not cause the hash tables
used by cache databases to be grown accordingly. This
has been fixed. [GL #2770]
* Signed, insecure delegation responses prepared by named
either lacked the necessary NSEC records or contained
duplicate NSEC records when both wildcard expansion and
CNAME chaining were required to prepare the response.
This has been fixed. [GL #2759]
* A bug that caused the NSEC3 salt to be changed on every
restart for zones using KASP has been fixed. [GL #2725]
OBS-URL: https://build.opensuse.org/request/show/909186
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=326
Hi,
here's an attempt to build the current bind with SLES/LEAP.
I tried to come up with something mode decent (replacement of
sphinx.util.docutils.ReferenceRole), but run out of time.
With these admittedly ugly fixes, bind does build at least,
including the ARM, but that is missing the clickable issues
in the version specific notes and being redirected to GitLab.
- Add patch bind-fix-build-with-older-sphinx.patch and sed fix
in order to build with older distributions.
OBS-URL: https://build.opensuse.org/request/show/901768
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=324
- update to 9.16.10:
New Features:
* NSEC3 support was added to KASP. A new option for dnssec-policy,
nsec3param, can be used to set the desired NSEC3 parameters. NSEC3 salt
collisions are automatically prevented during resalting. [GL #1620]
* A new configuration option, stale-refresh-time, has been introduced. It allows
a stale RRset to be served directly from cache for a period of time after a
failed lookup, before a new attempt to refresh it is made. [GL #2066]
Feature Changes:
* The default value of max-recursion-queries was increased from 75 to 100.
Since the queries sent towards root and TLD servers are now included in the
count (as a result of the fix for CVE-2020-8616), max-recursion-queries has
a higher chance of being exceeded by non-attack queries, which is the main
reason for increasing its default value. [GL #2305]
The default value of nocookie-udp-size was restored back to 4096 bytes. Since
max-udp-size is the upper bound for nocookie-udp-size, this change relieves the
operator from having to change nocookie-udp-size together with max-udp-size in
order to increase the default EDNS buffer size limit. nocookie-udp-size can
still be set to a value lower than max-udp-size, if desired. [GL #2250]
Bug Fixes:
Handling of missing DNS COOKIE responses over UDP was tightened by falling
back to TCP. [GL #2275]
The CNAME synthesized from a DNAME was incorrectly followed when the QTYPE was
CNAME or ANY. [GL #2280]
Building with native PKCS#11 support for AEP Keyper has been broken since BIND
9.16.6. This has been fixed. [GL #2315]
named could crash with an assertion failure if a TCP connection were closed
while a request was still being processed. [GL #2227]
named acting as a resolver could incorrectly treat signed zones with no DS
record at the parent as bogus. Such zones should be treated as insecure. This
OBS-URL: https://build.opensuse.org/request/show/859291
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=306
