9 Commits

Author SHA256 Message Date
AutoGits PR Review Bot
17610e933e Merge commit '89c42ea3bb40cb2dd621c9099028590d0e4ac3906cc1be7eeabd9b7118acbc2e' into slfo-main 2026-01-28 01:37:25 +01:00
89c42ea3bb Accepting request 1328514 from network
- Upgrade to release 9.20.18
  (CVE-2025-13878)
  [bsc#1256997]

OBS-URL: https://build.opensuse.org/request/show/1328514
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=226
2026-01-22 14:12:19 +00:00
6fea36da26 Accepting request 1328116 from network
- Remove packaging support for releases prior to SLES 15 SP4/Leap 15.4.
  - The builds have dependencies that are no longer met by these older
    releases.
- Fix Sphinx processing of documentation on SLES/Leap 15.

OBS-URL: https://build.opensuse.org/request/show/1328116
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=225
2026-01-21 13:11:10 +00:00
a91f43ebe7 Merge branch 'factory' into slfo-main 2025-11-26 16:22:27 +01:00
bacd1752c7 Accepting request 1313051 from network
- Upgrade to release 9.20.15
  [CVE-2025-8677, bsc#1252378]
  [CVE-2025-40778, bsc#1252379]
  [CVE-2025-40780, bsc#1252380]

OBS-URL: https://build.opensuse.org/request/show/1313051
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=224
2025-10-23 16:31:35 +00:00
2d9e3ed24f Accepting request 1304066 from network
- Upgrade to release 9.20.13
  New Features:
  * Add a new option `manual-mode` to dnssec-policy.
  * Add a new option `servfail-until-ready` to response-policy
    zones.
  * Support for parsing HHIT and BRID records has been added.
  Removed Features:
  * Deprecate the `tkey-gssapi-credential` statement.
  * Obsolete the `tkey-domain` statement.
  Bug Fixes:
  * Prevent spurious SERVFAILs for certain 0-TTL resource records.
  * Fix unexpected termination if catalog-zones had undefined
    `default-primaries`.

OBS-URL: https://build.opensuse.org/request/show/1304066
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=223
2025-09-12 19:09:04 +00:00
bfa4772131 Accepting request 1300729 from network
- Upgrade to release 9.20.12
  New Features:
  * Support for parsing DSYNC records has been added.
  Feature Changes:
  * Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS
    digest type 1.
  Bug Fixes:
  * Stale RRsets in a CNAME chain were not always refreshed.
  * Add RPZ extended DNS error for zones with a CNAME override
    policy configured.
  * Fix dig +keepopen option.
  * Log dropped or slipped responses in the query-errors category.
  * Fix synth-from-dnssec not working in some scenarios.
  * Clean enough memory when adding new ADB names/entries under
    memory pressure.
  * Prevent spurious validation failures.

OBS-URL: https://build.opensuse.org/request/show/1300729
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=222
2025-08-22 15:46:54 +00:00
6e7d2efcdb Accepting request 1294176 from network
- Upgrade to release 9.20.11
  Security Fixes:
  * Fix a possible assertion failure when
    stale-answer-client-timeout is set to 0. In specific
    circumstances the named resolver process could exit with an
    assertion failure when stale answers were enabled and the
    stale-answer-client-timeout configuration option was set to 0.
    (CVE-2025-40777)
    [bsc#1246548]
  New Features:
  * Add support for the CO flag to dig.
  Bug Fixes:
  * Correct the default interface-interval from 60s to 60m.
  * Fix a purge-keys bug when using multiple views of a zone.
  * Use IPv6 queries in delv +ns.

OBS-URL: https://build.opensuse.org/request/show/1294176
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=221
2025-07-18 13:57:39 +00:00
OBS User buildservice-autocommit
46c05310fc Updating link to change in openSUSE:Factory/bind revision 221
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=a5caf20515f529078b9af27372ae9eaf
2025-07-18 13:57:39 +00:00
6 changed files with 159 additions and 118 deletions

Binary file not shown.


@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=TXeA
-----END PGP SIGNATURE-----

BIN
bind-9.20.18.tar.xz LFS Normal file

Binary file not shown.

16
bind-9.20.18.tar.xz.asc Normal file

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE2ZzOr4eXRwFPA41jGC4jV5Ri76oFAmlky8sACgkQGC4jV5Ri
76qe7BAAhslROp6BoZFFYFnF2f3EmbXCVhHv85CIBtvzmMHp0N8zdZMHeco6aeqg
zQgmq/fXaidkL+7sRbflwyPYYVV3lXafF2BEBX2VYVtijJNjHQ8nxTJC2K4B6jgE
Jekxi7usd/sbgP/3PZLB1csEu+8Dm1qCkC/gMZD5sE/Kfl3o8ryvUa49Tt15wbo7
sXvJ1WNwJTuZhcd3kcpePn+E7Y0NK8jetGslJc9qrTNXXxM5JYVaNj+bj8+bh5ey
IJGY9isds/tx2qsZGL7M3VEZMsEmeKijpF9fl6w+nTiqmbK/TdeqcdPfZdHn66Hj
IuJqgq5MJ/i4Bm0LBMS69rH4lfqSrrIxDGWA4U5fO7jx2rS1WBHYz9kcUeAqf52u
N4bdjVWJuIrWcmiVDyaAFH8bJifzzTHXUQOgaxMOGXXcroOs5bAC1kULIbYirTnk
JzxzkoEdj8x906UKWo7G0PW/qbDziY4Oc3Mmzd94ni7CDcRIwHbTaYcJx+AkGU0E
gnbcFJGqxqz0ATI3QyHaCA/++3psDZ5L701fSx5dBiAjg1EazmXbRX3msgawR0uP
PTQSHQKtyl6OYjtgbDOmqFxpi719N6hm9/A7oUifZq7w4R7rFN8rxe0LTwfzjuW4
2YSuIbOEOB9Qqz0RvI5X3xWhNti25CcD5Z5xfVGLO6aR91TqWbY=
=GQYe
-----END PGP SIGNATURE-----
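Review bot: The new bind-9.20.18.tar.xz.asc only protects the build if something checks the tarball against it, and none of the bind.spec hunks in this change show that check or the keyring it would use. Please confirm the package still ships the upstream keyring as a source and that it contains the key that signed 9.20.18, so a tarball that does not match the signature fails the build.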


@@ -1,3 +1,115 @@
-------------------------------------------------------------------
Wed Jan 21 13:03:10 UTC 2026 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Upgrade to release 9.20.18
Security Fixes:
* Fix incorrect length checks for BRID and HHIT records.
(CVE-2025-13878)
[bsc#1256997]
Feature Changes:
* Add more information to the rndc recursing output about
fetches.
* Reduce the number of outgoing queries.
* Provide more information when memory allocation fails.
Bug Fixes:
* Make DNSSEC key rollovers more robust.
* Fix a catalog zone issue, where member zones could fail to
load.
* Allow glue in delegations with QTYPE=ANY.
* Fix slow speed when signing a large delegation zone with NSEC3
opt-out.
* Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to
be invalid.
* Fix a possible catalog zone issue during reconfiguration.
* Fix the charts in the statistics channel.
* Adding NSEC3 opt-out records could leave invalid records in
chain.
* Fix spurious timeouts while resolving names.
* Fix bug where zone switches from NSEC3 to NSEC after
retransfer.
* AMTRELAY type 0 presentation format handling was wrong.
* Fix parsing bug in remote-servers with key or TLS.
* Fix DoT reconfigure/reload bug in the resolver.
* Skip unsupported algorithms when looking for a signing key.
* Fix dnssec-keygen key collision checking for KEY RRtype keys.
* dnssec-verify now uses exit code 1 when failing due to illegal
options.
* Prevent assertion failures of dig when a server is specified
before the -b option.
* Skip buffer allocations if not logging.
-------------------------------------------------------------------
Wed Dec 17 00:30:28 UTC 2025 - Jeff Mahoney <jeffm@suse.com>
- Remove packaging support for releases prior to SLES 15 SP4/Leap 15.4.
- The builds have dependencies that are no longer met by these older
releases.
- Fix Sphinx processing of documentation on SLES/Leap 15.
-------------------------------------------------------------------
Wed Oct 22 14:14:38 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Upgrade to release 9.20.15
Security Fixes:
* DNSSEC validation fails if matching but invalid DNSKEY is found.
[CVE-2025-8677, bsc#1252378]
* Address various spoofing attacks.
[CVE-2025-40778, bsc#1252379]
* Cache-poisoning due to weak pseudo-random number generator.
[CVE-2025-40780, bsc#1252380]
New Features:
* Add dnssec-policy keys configuration check to named-checkconf.
Bug Fixes:
* Missing DNSSEC information when CD bit is set in query.
* rndc sign during ZSK rollover will now replace signatures.
* Use signer name when disabling DNSSEC algorithms.
* Preserve cache when reload fails and reload the server again.
-------------------------------------------------------------------
Thu Sep 11 09:17:09 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Upgrade to release 9.20.13
New Features:
* Add a new option `manual-mode` to dnssec-policy.
* Add a new option `servfail-until-ready` to response-policy
zones.
* Support for parsing HHIT and BRID records has been added.
Removed Features:
* Deprecate the `tkey-gssapi-credential` statement.
* Obsolete the `tkey-domain` statement.
Bug Fixes:
* Prevent spurious SERVFAILs for certain 0-TTL resource records.
* Fix unexpected termination if catalog-zones had undefined
`default-primaries`.
-------------------------------------------------------------------
Thu Aug 21 08:57:20 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Upgrade to release 9.20.12
New Features:
* Support for parsing DSYNC records has been added.
Feature Changes:
* Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS
digest type 1.
Bug Fixes:
* Stale RRsets in a CNAME chain were not always refreshed.
* Add RPZ extended DNS error for zones with a CNAME override
policy configured.
* Fix dig +keepopen option.
* Log dropped or slipped responses in the query-errors category.
* Fix synth-from-dnssec not working in some scenarios.
* Clean enough memory when adding new ADB names/entries under
memory pressure.
* Prevent spurious validation failures.
-------------------------------------------------------------------
Tue Jul 15 13:56:33 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
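Review bot: The entries jump from 9.20.13 to 9.20.15 and from 9.20.15 to 9.20.18, so 9.20.14, 9.20.16 and 9.20.17 have no notes of their own; state in the 9.20.15 and 9.20.18 entries whether their lists include the skipped releases. The security references are also written two ways: the 9.20.18 entry puts `(CVE-2025-13878)` and `[bsc#1256997]` on separate lines, while the 9.20.15 entry uses the combined form `[CVE-2025-8677, bsc#1252378]`. Pick one form so the references can be matched with a single pattern.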

127
bind.spec

@@ -1,7 +1,7 @@
#
# spec file for package bind
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2026 SUSE LLC and contributors
# Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
#
# All modifications and additions to the file contributed by third parties
@@ -30,36 +30,11 @@
# end DLZ modules
%define VENDOR SUSE
%if 0%{?suse_version} >= 1500
%define with_systemd 1
%else
%define with_systemd 0
# Defines for user and group add
%define NAMED_UID 44
%define NAMED_UID_NAME named
%define NAMED_GID 44
%define NAMED_GID_NAME named
%define NAMED_COMMENT Name server daemon
%define NAMED_HOMEDIR %{_localstatedir}/lib/named
%define NAMED_SHELL /bin/false
%define GROUPADD_NAMED getent group %{NAMED_GID_NAME} >/dev/null || %{_sbindir}/groupadd -g %{NAMED_GID} -o -r %{NAMED_GID_NAME}
%define USERADD_NAMED getent passwd %{NAMED_UID_NAME} >/dev/null || %{_sbindir}/useradd -r -o -g %{NAMED_GID_NAME} -u %{NAMED_UID} -s %{NAMED_SHELL} -c "%{NAMED_COMMENT}" -d %{NAMED_HOMEDIR} %{NAMED_UID_NAME}
%define USERMOD_NAMED getent passwd %{NAMED_UID_NAME} >/dev/null || %{_sbindir}/usermod -s %{NAMED_SHELL} -d %{NAMED_HOMEDIR} %{NAMED_UID_NAME}
%endif
%if 0%{?suse_version} < 1315
%define with_sfw2 1
%else
%define with_sfw2 0
%endif
%define dlz_modules_hash 5923650
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: bind
Version: 9.20.11
Version: 9.20.18
Release: 0
Summary: Domain Name System (DNS) Server (named)
License: MPL-2.0
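Review bot: `Version` moves from 9.20.11 to 9.20.18 in this hunk while `%define dlz_modules_hash 5923650` stays as it was, so the DLZ modules are still built from the same snapshot against a release seven versions newer. Please confirm that snapshot is the one intended for 9.20.18, or update the hash in the same change.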
@@ -107,13 +82,8 @@ Provides: bind9 = %{version}
Provides: dns_daemon
Obsoletes: bind8 < %{version}
Obsoletes: bind9 < %{version}
%if %{with_systemd}
BuildRequires: sysuser-tools
%sysusers_requires
%else
Requires(post): %insserv_prereq
Requires(pre): shadow
%endif
%description
Berkeley Internet Name Domain (BIND) is an implementation of the Domain
@@ -252,8 +222,22 @@ for file in docu/README* config/{README,named.conf} sysconfig/named-named; do
done
popd
%if 0%{?sle_version} >= 150000 && 0%{?sle_version} <= 150400
# the Administration Reference Manual doesn't build with Leap/SLES due to an way too old Sphinx package
%if 0%{?suse_version} == 1500
# Sphinx in SLE15 doesn't allow :option:`+option` or :option:`cmd +option` so we
# replace it with :code:
sed -i -E 's#:option:(`[^`]*)\+([[:alnum:]_-]+)#:code:\1\+\2#g' bin/delv/delv.rst bin/dig/dig.rst bin/tools/mdig.rst doc/notes/notes-9.20.0.rst
# Liberal use of :any: confuses the version of Sphinx in SLES/Leap 15. Converting it to :code:
# will at least make it readable.
awk '
/^\.\. namedconf:statement::/ { in_stmt=1; print; next }
in_stmt && /^[^[:space:]]/ && $0 !~ /^$/ { in_stmt=0 }
in_stmt && /^[[:space:]]/ {
$0 = gensub(/:any:`([^`]+)`/, ":code:`\\1`", "g")
}
{ print }
' doc/arm/reference.rst > doc/arm/reference.rst.new && mv doc/arm/reference.rst.new doc/arm/reference.rst
# the Administration Reference Manual doesn't build with Leap/SLES 15 due to an way too old Sphinx package
# that is missing sphinx.util.docutils.ReferenceRole.
# patch68 disables this extension, and here, we're removing the :gl: tags in the notes
sed -i 's|:gl:||g' doc/notes/notes*.rst
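Review bot: The awk script calls `gensub()`, which is a gawk extension, and none of the visible hunks adds a build dependency on gawk, so this step only works if `awk` in the build root happens to be gawk. Add `BuildRequires: gawk` and invoke `gawk` explicitly. In the same script the test `$0 !~ /^$/` is redundant, because a line that matches `/^[^[:space:]]/` cannot be empty. The guard also changes from the `sle_version` range 150000 to 150400 to `suse_version == 1500`; a short comment saying that the wider match is intended would help the next reader.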
@@ -286,9 +270,7 @@ export LDFLAGS="-pie"
--enable-fixed-rrset \
--enable-filter-aaaa \
--enable-dnstap \
%if %{with_systemd}
--with-systemd \
%endif
%if %{with check}
--enable-querytrace \
%endif
@@ -303,9 +285,7 @@ sed -i '
for d in arm; do
make -C doc/${d} SPHINXBUILD=sphinx-build doc
done
%if %{with_systemd}
%sysusers_generate_pre %{SOURCE72} named named.conf
%endif
# special build for the plugins
for d in dlz-modules-%{dlz_modules_hash}/modules/*; do
[ -e $d/Makefile ] && make -C $d
@@ -330,9 +310,6 @@ mkdir -p \
%{buildroot}/%{_rundir} \
%{buildroot}%{_includedir}/bind/dns \
%{buildroot}%{_libexecdir}/bind
%if %{with_sfw2}
mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
%endif
%make_install
# remove useless .h files
rm -rf %{buildroot}%{_includedir}
@@ -369,23 +346,16 @@ mv vendor-files/config/bind.reg %{buildroot}/%{_sysconfdir}/slp.reg.d
%endif
mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d
%if %{with_systemd}
for file in named; do
install -D -m 0644 vendor-files/system/${file}.service %{buildroot}%{_unitdir}/${file}.service
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" -i %{buildroot}%{_unitdir}/${file}.service
install -m 0755 vendor-files/system/${file}.prep %{buildroot}%{_libexecdir}/bind/${file}.prep
ln -s /sbin/service %{buildroot}%{_sbindir}/rc${file}
done
install -D -m 0644 %{SOURCE70} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind.conf
install -D -m 0644 %{_sourcedir}/named.root %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/root.hint
install -m 0644 vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named
install -d -m 0755 %{buildroot}/%{_unitdir}/named.service.d
%else
for file in named; do
install -m 0754 vendor-files/init/${file} %{buildroot}%{_initddir}/${file}
ln -sf %{_initddir}/${file} %{buildroot}%{_sbindir}/rc${file}
done
%endif
for file in named; do
install -D -m 0644 vendor-files/system/${file}.service %{buildroot}%{_unitdir}/${file}.service
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" -i %{buildroot}%{_unitdir}/${file}.service
install -m 0755 vendor-files/system/${file}.prep %{buildroot}%{_libexecdir}/bind/${file}.prep
ln -s /sbin/service %{buildroot}%{_sbindir}/rc${file}
done
install -D -m 0644 %{SOURCE70} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind.conf
install -D -m 0644 %{_sourcedir}/named.root %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/root.hint
install -m 0644 vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named
install -d -m 0755 %{buildroot}/%{_unitdir}/named.service.d
install -m 0644 %{_sourcedir}/named.root %{buildroot}%{_localstatedir}/lib/named/root.hint
mv vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_localstatedir}/lib/named
install -m 0755 vendor-files/tools/bind.genDDNSkey %{buildroot}/%{_bindir}/genDDNSkey
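Review bot: `ln -s /sbin/service %{buildroot}%{_sbindir}/rc${file}` hardcodes /sbin as the link target while every other path in this block goes through a macro; use `%{_sbindir}/service` instead. With the block now unconditional, the `for file in named` loop over a single element can be unrolled. root.hint and the two zone files are also installed twice, once under %{_datadir}/factory%{_localstatedir}/lib/named and once under %{_localstatedir}/lib/named, so a comment explaining why both copies are needed would be useful.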
@@ -396,9 +366,6 @@ find %{buildroot}/%{_libdir} -type f -name '*.so*' -exec chmod 0755 {} +
for file in named-named; do
install -m 0644 vendor-files/sysconfig/${file} %{buildroot}%{_fillupdir}/sysconfig.${file}
done
%if %{with_sfw2}
install -m 644 vendor-files/sysconfig/SuSEFirewall.named %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/bind
%endif
%if ! %{with check}
# Cleanup doc
rm doc/misc/Makefile*
@@ -424,24 +391,13 @@ done
# ---------------------------------------------------------------------------
# remove useless Makefiles and Makefile skeletons
find %{buildroot}/%{_defaultdocdir}/bind \( -name Makefile -o -name Makefile.in \) -exec rm {} +
%if %{with_systemd}
mkdir -p %{buildroot}%{_sysusersdir}
install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/
%endif
find %{buildroot}/usr/share/doc/packages/bind -name cfg_test* -exec rm {} \;
rm -rf %{buildroot}/usr/share/doc/packages/bind/misc/.libs
%if %{with_systemd}
%pre -f named.pre
%service_add_pre named.service
%else
%pre
%{GROUPADD_NAMED}
%{USERADD_NAMED}
# Might be an update.
%{USERMOD_NAMED}
%endif
%if %{with check}
%check
@@ -450,35 +406,15 @@ make test
%endif
%preun
%if %{with_systemd}
%service_del_preun named.service
%else
%stop_on_removal named
%endif
%post
%if %{with_systemd}
%{fillup_only -nsa named named}
%service_add_post named.service
%tmpfiles_create bind.conf
%else
%{fillup_and_insserv -nf named}
if [ -x %{_bindir}/systemctl ]; then
# make sure systemctl knows about the service
# Without this, systemctl status named would return
# Unit named.service could not be found.
# until systemctl daemon-reload has been executed
%{_bindir}/systemctl daemon-reload || :
fi
%endif
%postun
%if %{with_systemd}
%service_del_postun named.service
%else
%restart_on_update named
%insserv_cleanup
%endif
%post -n bind-utils -p /sbin/ldconfig
%postun -n bind-utils -p /sbin/ldconfig
@@ -490,18 +426,11 @@ fi
%dir %{_sysconfdir}/slp.reg.d
%attr(0644,root,root) %config /%{_sysconfdir}/slp.reg.d/bind.reg
%endif
%if %{with_systemd}
%{_unitdir}/named.service
%dir %{_unitdir}/named.service.d
%{_prefix}/lib/tmpfiles.d/bind.conf
%{_sysusersdir}/named.conf
%{_datadir}/factory
%else
%config /%{_sysconfdir}/init.d/named
%endif
%if %{with_sfw2}
%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/bind
%endif
%dir %{_sysconfdir}/crypto-policies
%dir %{_sysconfdir}/crypto-policies/back-ends
%{_bindir}/named-rrchecker