- update to 9.16.10:
New Features:
* NSEC3 support was added to KASP. A new option for dnssec-policy,
nsec3param, can be used to set the desired NSEC3 parameters. NSEC3 salt
collisions are automatically prevented during resalting. [GL #1620]
* A new configuration option, stale-refresh-time, has been introduced. It allows
a stale RRset to be served directly from cache for a period of time after a
failed lookup, before a new attempt to refresh it is made. [GL #2066]
Feature Changes:
* The default value of max-recursion-queries was increased from 75 to 100.
Since the queries sent towards root and TLD servers are now included in the
count (as a result of the fix for CVE-2020-8616), max-recursion-queries has
a higher chance of being exceeded by non-attack queries, which is the main
reason for increasing its default value. [GL #2305]
* The default value of nocookie-udp-size was restored back to 4096 bytes. Since
max-udp-size is the upper bound for nocookie-udp-size, this change relieves the
operator from having to change nocookie-udp-size together with max-udp-size in
order to increase the default EDNS buffer size limit. nocookie-udp-size can
still be set to a value lower than max-udp-size, if desired. [GL #2250]
Bug Fixes:
* Handling of missing DNS COOKIE responses over UDP was tightened by falling
back to TCP. [GL #2275]
* The CNAME synthesized from a DNAME was incorrectly followed when the QTYPE was
CNAME or ANY. [GL #2280]
* Building with native PKCS#11 support for AEP Keyper has been broken since BIND
9.16.6. This has been fixed. [GL #2315]
* named could crash with an assertion failure if a TCP connection were closed
while a request was still being processed. [GL #2227]
* named acting as a resolver could incorrectly treat signed zones with no DS
record at the parent as bogus. Such zones should be treated as insecure. This
OBS-URL: https://build.opensuse.org/request/show/859291
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=306
- Add back init scripts, systemd units aren't ready yet
- Add python3-bind subpackage to allow python bind interactions
- Sync configure options with RH package and remove unused ones
* Enable python3
* Enable gssapi
* Enable dnssec scripts
- Drop idnkit from the build; bind has used libidn since 2007 to run
all the resolutions in dig/etc. bsc#1030306
- Add patch to make sure we build against system idn:
* bind-99-libidn.patch
- Refresh patch:
* pie_compile.diff
- Remove patches that are unused due to above:
* idnkit-powerpc-ltconfig.patch
* runidn.diff
- drop bind-openssl11.patch (merged upstream)
- Remove systemd conditionals as we are not building on sle11 anyway
- Force the systemd to be base for the initscript deployment
- Bump up version of most of the libraries
- Rename the subpackages to match the version updates
- Add macros for easier handling of the library package names
- Drop more unneeded patches
* dns_dynamic_db.patch (upstream)
OBS-URL: https://build.opensuse.org/request/show/545259
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=224
- An uninitialized value in validator.c could result in an assertion failure.
(CVE-2015-4620) [RT #39795]
- Update to version 9.10.2-P1
- Include client-ip rules when logging the number of RPZ rules of each type.
[RT #39670]
- Addressed further problems with reloading RPZ zones. [RT #39649]
- Addressed a regression introduced in change #4121. [RT #39611]
- The server could match a shorter prefix than what was available in
CLIENT-IP policy triggers, and so, an unexpected action could be taken.
This has been corrected. [RT #39481]
- On servers with one or more policy zones configured as slaves, if a policy
zone updated during regular operation (rather than at startup) using a full
zone reload, such as via AXFR, a bug could allow the RPZ summary data to
fall out of sync, potentially leading to an assertion failure in rpz.c when
further incremental updates were made to the zone, such as via IXFR.
[RT #39567]
- A bug in RPZ could cause the server to crash if policy zones were updated
while recursion was pending for RPZ processing of an active query.
[RT #39415]
- Fix a bug in RPZ that could cause some policy zones that did not
specifically require recursion to be treated as if they did; consequently,
setting qname-wait-recurse no; was sometimes ineffective. [RT #39229]
- Asynchronous zone loads were not handled correctly when the zone load was
already in progress; this could trigger a crash in zt.c. [RT #37573]
- Fix an out-of-bounds read in RPZ code. If the read succeeded, it doesn't
result in a bug during operation. If the read failed, named could segfault.
[RT #38559]
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=172
- Handle timeout in legacy system test. [RT #38573]
- dns_rdata_freestruct could be called on an uninitialised structure when
handling an error. [RT #38568]
- Addressed valgrind warnings. [RT #38549]
- UDP dispatches could use the wrong pseudorandom
number generator context. [RT #38578]
- Fixed several small bugs in automatic trust anchor management, including a
memory leak and a possible loss of key state information. [RT #38458]
- 'dnssec-dsfromkey -T 0' failed to add ttl field. [RT #38565]
- Revoking a managed trust anchor and supplying an untrusted replacement
could cause named to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
- Fix a leak of query fetchlock. [RT #38454]
- Fix a leak of pthread_mutexattr_t. [RT #38454]
- RPZ could send spurious SERVFAILs in response
to duplicate queries. [RT #38510]
- CDS and CDNSKEY had the wrong attributes. [RT #38491]
- adb hash table was not being grown. [RT #38470]
- Update bind.keyring
- Update baselibs.conf due to updates to libdns160 and libisc148
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=166
- Add a versioned dependency when obsoleting packages.
- Remove superfluous obsoletes *-64bit in the ifarch ppc64 case; (bnc#437293).
- Fix gssapi_krb configure time header detection.
- Update root zone (dated Nov 5, 2014).
- Update to version 9.10.1
- This release addresses the security flaws described in CVE-2014-3214 and
CVE-2014-3859.
- Update to version 9.10.0
- Update to version 9.9.6
Cf. the bind changes file for all the details of 9.9.6 till 9.10.1.
- Remove merged rpz2+rl-9.9.5.patch and obsoleted rpz2+rl-9.9.5.patch
- Update baselibs.conf (added libirs and library interface version updates).
OBS-URL: https://build.opensuse.org/request/show/264083
OBS-URL: https://build.opensuse.org/package/show/network/bind?expand=0&rev=153