Accepting request 1287885 from network

- Upgrade to release 9.20.10
  New Features:
  * Implement a new notify-defer configuration option. This new
    option sets a delay (in seconds) to wait before sending a set
    of NOTIFY messages for a zone. Whenever a NOTIFY message is
    ready to be sent, sending is deferred for this duration. This
    option should not be confused with the notify-delay option. The
    default is 0 seconds.
  Removed Features:
  * Implement the systemd notification protocol manually to remove
    dependency on libsystemd.
  Bug Fixes:
  * A secondary zone could initiate a new zone transfer from the
    primary server after it had been already deleted from the
    secondary server, and before the internal garbage collection
    was activated to clean it up completely. This has been fixed.
  * A secondary zone could fail to further refresh with new
    versions of the zone from a primary server if named was
    reconfigured during the SOA request step of an ongoing zone
    transfer. This has been fixed.
- Clean up systemd BuildRequires

OBS-URL: https://build.opensuse.org/request/show/1287885
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=220

_service

@@ -0,0 +1,15 @@
+<services>
+  <service name="obs_scm" mode="manual">
+    <param name="scm">git</param>
+    <param name="url">https://gitlab.isc.org/isc-projects/dlz-modules.git</param>
+    <param name="revision">main</param>
+    <param name="versionformat">%h</param>
+    <param name="filename">dlz-modules</param>
+    <param name="package-meta">yes</param>
+  </service>
+  <service name="tar" mode="buildtime"/>
+  <service name="recompress" mode="buildtime">
+    <param name="file">*.tar</param>
+    <param name="compression">gz</param>
+  </service>
+</services>

bind-9.20.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fe6ddff74921410d33b62b5723ac23912e8d50138ef66d7a30dc2c421129aeb0
-size 5789604

bind-9.20.1.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE2ZzOr4eXRwFPA41jGC4jV5Ri76oFAma987IACgkQGC4jV5Ri
-76r2Rg/9FnbrOwZrN4HWUeQ7ewyPq+ZaaHFZXXucXSwIXAkAAouW7lzhkMnUSSXV
-SjUTOyLJAsFtVPrizR1yR9OrrnBIUniQfE/oB9WEiKTsVfA2FuoHyKWRiOrUQ2XP
-8BjJD/hSbdQ7ByHENMcrjVpwK3r/QO+rroUgCIcV375hVfmcsYJI0pbxu2wEj5En
-0nqTjObLv3AdnGj65+/I4xwkC/GhIGFhhW2SHQGpTldeajag/ODouu4KuZA5BrLi
-whYkyTgC+rIQicF6EIyg8nGFDR28jUSPSGpSfYn/nMvtfU9Wl3Z4ug9TiMh5kdV3
-3b8MFJqvm0FYcCXgON1twLlO05XKlYLLU9+Y6CpWHTELTZRV01NPiUOEtLytMJTx
-DDY7C8bgR7iTv2gwgdxQlOI4Kkee9uB4nqZ468hy9flC29SYW8YKX46i8W+vV6wj
-BcoJBhKnJ/tSgF39gY2rCRU2jpRjw8oDMYpzBK6e0Ks4dtZYXvLto+aHQj8IS1Q4
-3Z2NhGowtqqeKfL6HGzmQHO8QLUgwgXUVELjO9ySiwxY7fMqbAK6CuP28dNlR0dU
-HhU0cnd383YoeEX0ph5zGRyCOifPPOzBXT8y70OkcqEPbyD4y16pvg41db73NX3V
-IOqEK7Bm5iPl4ygcFnGTfbG/VxVKnYiQBaBBuo33AeWLwtl6ugs=
-=wNju
------END PGP SIGNATURE-----

bind-9.20.10.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmhJQBwACgkQUQpkKgbF
+LOwz0hAAtF3Ekgvps+DwB9rruYBsMCGDCe+GoqX98h/RCtXzSQx64Vf101RY160F
+3gdstzcYqaNkwoVf2rDu4u7XdJ9rpr0KAgnjTaY3IelUrfZFgUGjr9Wi5O5krDlh
+vmUzb0/1dmp2YtLv/5A8iiTKZiwVbkQeptii4rL/KRHzhAa20DUv2POYifv+l6MN
+lgDBJoFpI/cygyt0HyYwOqTbCZrhqxSKHdoSoqaEUXrUiPfN7w9E7dqbubLnWujt
+mRURjKtxt1hA03Zb/K0GmtTPBiVxnn7LrSwgvK1wAXpce69fGtW91hd47+hbgLHS
+udG43ng3EzNNUIR8fn+Lop01apj5JdTmBydNAOYN23O6h9xZvNpiiVRsbdmJHq0w
+ZKBi11QzSGMC2rqfA5BU40pp4ixWWamgAIdSu74bbiEQc4QYAQVHmWwI3inRATA6
+03dck1enJ3MEZp+meuMyexvv7Mg32/Ds7AmhhQFS/atfCM1YCWhItJNsvxYj0X8p
+/9yWIw7EYwjJO0IJm982KUCKgfMohHWP0xrgrNjXeQ585Wkf+YflHfDZtv3uvuop
+IY5/GW/QDAcQfriMcWUgBGLORBcV7+8MbfjfVTciH75lR84nNFe5XqMM3TQZCeJx
+/0I0LAp9uPj+ROsMDudvgJ829nqdebEcZS0omZWeuLuRQVkJhTk=
+=PSlt
+-----END PGP SIGNATURE-----

bind.changes

@@ -1,3 +1,589 @@
+-------------------------------------------------------------------
+Mon Jun 23 08:59:18 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Upgrade to release 9.20.10
+  New Features:
+  * Implement a new notify-defer configuration option. This new
+    option sets a delay (in seconds) to wait before sending a set
+    of NOTIFY messages for a zone. Whenever a NOTIFY message is
+    ready to be sent, sending is deferred for this duration. This
+    option should not be confused with the notify-delay option. The
+    default is 0 seconds.
+
+  Removed Features:
+  * Implement the systemd notification protocol manually to remove
+    dependency on libsystemd.
+
+  Bug Fixes:
+  * A secondary zone could initiate a new zone transfer from the
+    primary server after it had been already deleted from the
+    secondary server, and before the internal garbage collection
+    was activated to clean it up completely. This has been fixed.
+  * A secondary zone could fail to further refresh with new
+    versions of the zone from a primary server if named was
+    reconfigured during the SOA request step of an ongoing zone
+    transfer. This has been fixed.
+
+- Clean up systemd BuildRequires
+
+-------------------------------------------------------------------
+Tue May 20 13:39:21 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Upgrade to release 9.20.9
+  Security Fixes:
+  * Prevent an assertion failure when processing TSIG algorithm.
+    (CVE-2025-40775)
+    [bsc#1243361]
+
+  Feature Changes:
+  * Return DNS COOKIE and NSID with BADVERS.
+  * Disable separate memory context for libxml2 memory allocations
+    on macOS.
+  * Use Jinja2 templates in system tests.
+
+  Bug Fixes:
+  * Revert NSEC3 closest encloser lookup improvements.
+  * Fix EDNS YAML output in dig.
+  * Fix RDATA checks for PRIVATEOID keys.
+  * Fix a serve-stale issue with a delegated zone.
+
+-------------------------------------------------------------------
+Thu Apr 17 10:51:44 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Upgrade to release 9.20.8
+  New Features:
+  * Add support for EDE 20 (Not Authoritative)
+  * Add support for EDE 7 and EDE 8.
+  * `dig` can now display the received BADVERS message during
+    negotiation.
+  * Add an `rndc` command to reset some statistics counters.
+  
+  Bug Fixes:
+  * Restore NSEC3 closest-encloser lookup improvements.
+  * Stop caching lack of EDNS support.
+  * Fix resolver statistics counters for timed-out responses.
+  * Nested DNS validation could cause an assertion failure.
+  * Wait for memory reclamation to finish in `named-checkconf`.
+  * Ensure `max-clients-per-query` is at least `clients-per-query`.
+  * Fix write after free in validator code.
+  * Don't enforce NOAUTH/NOCONF flags in DNSKEYs.
+  * Fix several small DNSSEC timing issues.
+  * Fix inconsistency in CNAME/DNAME handling during resolution.
+
+-------------------------------------------------------------------
+Mon Mar 24 10:45:35 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Upgrade to release 9.20.7
+  New Features:
+  * Implement the min-transfer-rate-in configuration option.
+    A new option min-transfer-rate-in has been added to the view
+    and zone configurations. It can abort incoming zone transfers
+    that run very slowly due to network-related issues, for
+    example. The default value is 10240 bytes in five minutes. [GL
+    #3914]
+  * Add HTTPS record query to host command line tool.
+    The host command was extended to also query for the HTTPS RR
+    type by default.
+  * Implement sig0key-checks-limit and sig0message-checks-limit.
+    Previously, a hard-coded limitation of a maximum of two key or
+    message verification checks was introduced when checking a
+    message’s SIG(0) signature, to protect against possible DoS
+    attacks. Two as a maximum was chosen so that more than a single
+    key should only be required during key rotations, and in that
+    case two keys are enough. It later became apparent that there
+    are other use cases where even more keys are required; see the
+    related GitLab issue for examples.
+    This change introduces two new configuration options for the
+    views: sig0key-checks-limit and sig0message-checks-limit. They
+    define how many keys can be checked to find a matching key, and
+    how many message verifications are allowed to take place once a
+    matching key has been found. The former provides slightly less
+    “expensive” key parsing operations and defaults to 16. The
+    latter protects against expensive cryptographic operations when
+    there are keys with colliding tags and algorithm numbers; the
+    default is 2. [GL #5050]
+  * Adds support for EDE code 1 and 2.
+    Support was added for EDE codes 1 and 2, which might occur
+    during DNSSEC validation in the case of an unsupported RRSIG
+    algorithm or DNSKEY digest. [GL #2715]
+  * Add an rndc command to toggle jemalloc profiling.
+    The new command is rndc memprof; the memory profiling status is
+    also reported inside rndc status. The status shows whether
+    named can toggle memory profiling, and whether the server is
+    built with jemalloc. [GL #4759]
+  * Add support for multiple extended DNS errors.
+    The Extended DNS Error (EDE) mechanism may raise errors during
+    a DNS resolution. named is now able to add up to three EDE
+    codes in a DNS response. If there are duplicate error codes,
+    only the first one is part of the DNS response. [GL #5085]
+  * Print the expiration time of stale records.
+    BIND now prints the expiration time of any stale RRsets in the
+    cache dump.
+
+  Bug Fixes:
+  * Fix dual-stack-servers configuration option.
+    The dual-stack-servers configuration option was not working as
+    expected; the specified servers were not being used when they
+    should have been, leading to resolution failures. This has been
+    fixed. [GL #5019]
+  * Fix a data race causing a permanent active client increase.
+    Previously, a data race could cause a newly created fetch
+    context for a new client to be used before it had been fully
+    initialized, which would cause the query to become stuck;
+    queries for the same data would be either paused indefinitely
+    or dropped because of the clients-per-query limit. This has
+    been fixed. [GL #5053]
+  * Fix deferred validation of unsigned DS and DNSKEY records.
+    When processing a query with the “checking disabled” bit set
+    (CD=1), named stores the invalidated result in the cache,
+    marked “pending”. When the same query is sent with CD=0, the
+    cached data is validated and either accepted as an answer, or
+    ejected from the cache as invalid. This deferred validation was
+    not attempted for DS and DNSKEY records if they had no cached
+    signatures, causing spurious validation failures. The deferred
+    validation is now completed in this scenario.
+    Also, if deferred validation fails, the data is now re-queried
+    to find out whether the zone has been corrected since the
+    invalid data was cached. [GL #5066]
+  * Fix RPZ race condition during a reconfiguration.
+    With RPZ in use, named could terminate unexpectedly because of
+    a race condition when a reconfiguration command was received
+    using rndc. This has been fixed. [GL #5146]
+  * “CNAME and other data check” not applied to all types.
+    An incorrect optimization caused “CNAME and other data” errors
+    not to be detected if certain types were at the same node as a
+    CNAME. This has been fixed. [GL #5150]
+  * Relax private DNSKEY and RRSIG constraints.
+    DNSKEY, KEY, RRSIG, and SIG constraints have been relaxed to
+    allow empty key and signature material after the algorithm
+    identifier for PRIVATEOID and PRIVATEDNS. It is arguable
+    whether this falls within the expected use of these types, as
+    no key material is shared and the signatures are ineffective,
+    but these are private algorithms and they can be totally
+    insecure. [GL #5167]
+  * Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
+    Previously, when parsing responses, named incorrectly rejected
+    responses without matching RRSIG records for NSEC/DS/NSEC3
+    records in the authority section. This rejection, if
+    appropriate, should have been left for the validator to
+    determine and has been fixed. [GL #5185]
+  * Fix TTL issue with ANY queries processed through RPZ
+    “passthru”.
+    Answers to an “ANY” query which were processed by the RPZ
+    “passthru” policy had the response-policy’s max-policy-ttl
+    value unexpectedly applied. This has been fixed. [GL #5187]
+  * dnssec-signzone needs to check for a NULL key when setting
+    offline.
+    dnssec-signzone could dereference a NULL key pointer when
+    resigning a zone. This has been fixed. [GL #5192]
+  * Fix a bug in the statistics channel when querying zone transfer
+    information.
+    When querying zone transfer information from the statistics
+    channel, there was a rare possibility that named could
+    terminate unexpectedly if a zone transfer was in a state when
+    transferring from all the available primary servers had failed
+    earlier. This has been fixed. [GL #5198]
+  * Fix assertion failure when dumping recursing clients.
+    Previously, if a new counter was added to the hash table while
+    dumping recursing clients via the rndc recursing command, and
+    fetches-per-zone was enabled, an assertion failure could occur.
+    This has been fixed. [GL #5200]
+  * Dump the active resolver fetches from
+    dns_resolver_dumpfetches()
+    Previously, active resolver fetches were only dumped when the
+    fetches-per-zone configuration option was enabled. Now, active
+    resolver fetches are dumped along with the number of
+    clients-per-query counters per resolver fetch.
+  * Recently expired records could be returned with a timestamp in
+    future.
+    Under rare circumstances, an RRSet that expired at the time of
+    the query could be returned with a TTL in the future. This has
+    been fixed.
+    As a side effect, the expiration time of expired RRSets is no
+    longer returned in a cache dump. [GL #5094]
+  * YAML string not terminated in negative response in delv.
+  * Fix a bug in dnssec-signzone related to keys being offline.
+    When dnssec-signzone was called on an already-signed zone and
+    the private key file was unavailable, a signature that needed
+    to be refreshed was dropped without being able to generate a
+    replacement. This has been fixed. [GL #5126]
+  * Apply the memory limit only to ADB database items.
+    Under heavy load, a resolver could exhaust the memory available
+    for storing the information in the Address Database (ADB),
+    effectively discarding previously stored information in the
+    ADB. The memory used to retrieve and provide information from
+    the ADB is no longer subject to the same memory limits that are
+    applied to the Address Database. [GL #5127]
+  * Avoid unnecessary locking in the zone/cache database.
+    Lock contention among many worker threads referring to the same
+    database node at the same time is now prevented. This improves
+    zone and cache database performance for any heavily contended
+    database nodes. [GL #5130]
+  * Fix reporting of Extended DNS Error 22 (No Reachable
+    Authority).
+    This error code was previously not reported in some applicable
+    situations. This has been fixed. [GL #5137]
+
+-------------------------------------------------------------------
+Thu Jan 30 11:44:58 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Upgrade to release 9.20.5
+  Security Fixes:
+  * DNS-over-HTTPS flooding fixes.
+    Fix DNS-over-HTTPS implementation issues that arise under heavy
+    query load. Optimize resource usage for named instances that
+    accept queries over DNS-over-HTTPS.
+    Previously, named processed all incoming HTTP/2 data at once,
+    which could overwhelm the server, especially when dealing with
+    clients that sent requests but did not wait for responses. That
+    has been fixed. Now, named handles HTTP/2 data in smaller
+    chunks and throttles reading until the remote side reads the
+    response data. It also throttles clients that send too many
+    requests at once.
+    In addition, named now evaluates excessive streams opened by
+    clients that include no DNS data, which is considered
+    “flooding.” It logs these clients and drops connections from
+    them.
+    In some cases, named could leave DNS-over-HTTPS connections in
+    the CLOSE_WAIT state indefinitely. That has also been fixed.
+    (CVE-2024-12705)
+    [bsc#1236597]
+  * Limit additional section processing for large RDATA sets.
+    When answering queries, don’t add data to the additional
+    section if the answer has more than 13 names in the RDATA. This
+    limits the number of lookups into the database(s) during a
+    single client query, reducing the query-processing load.
+    (CVE-2024-11187)
+    [bsc#1236596]
+
+  New Features:
+  * Add Extended DNS Error Code 22 - No Reachable Authority.
+    When the resolver is trying to query an authoritative server
+    and eventually times out, a SERVFAIL answer is given to the
+    client. Add the Extended DNS Error Code 22 - No Reachable
+    Authority to the response.
+  * Add a new option to configure the maximum number of outgoing
+    queries per client request.
+    The configuration option max-query-count sets how many outgoing
+    queries per client request are allowed. The existing
+    max-recursion-queries value is the number of permissible
+    queries for a single name and is reset on every CNAME
+    redirection. This new option is a global limit on the client
+    request. The default is 200.
+    The default for max-recursion-queries is changed from 32 to 50.
+    This allows named to send a few more queries while looking up a
+    single name.
+  * Use the Server Name Indication (SNI) extension for all outgoing
+    TLS connections.
+    This improves compatibility with other DNS server software.
+
+  Feature Changes:
+  * Performance optimization for NSEC3 lookups introduced in BIND
+    9.20.2 was reverted to avoid risks associated with a complex
+    code change.
+  * The configuration clauses parental-agents and primaries are
+    renamed to remote-servers.
+    The top blocks primaries and parental-agents are no longer
+    preferred and should be renamed to remote-servers. The zone
+    statements parental-agents and primaries are still used, and
+    may refer to any remote-servers top block.
+  * Add none parameter to query-source and query-source-v6 to
+    disable IPv4 or IPv6 upstream queries but allow listening to
+    queries from clients on IPv4 or IPv6.
+
+  Bug Fixes:
+  * Fix nsupdate hang when processing a large update.
+    To mitigate DNS flood attacks over a single TCP connection,
+    throttle the connection when the other side does not read the
+    data. Throttling should only occur on server-side sockets, but
+    erroneously also happened for nsupdate, which acts as a client.
+    When nsupdate started throttling the connection, it never
+    attempted to read again. This has been fixed.
+  * Fix possible assertion failure when reloading server while
+    processing update policy rules.
+  * Preserve cache across reconfig when using attach-cache.
+    When the attach-cache option is used in the options block with
+    an arbitrary name, it causes all views to use the same cache.
+    Previously, this configuration caused the cache to be deleted
+    and a new cache to be created every time the server was
+    reconfigured. This has been fixed.
+  * Resolve the spurious drops in performance due to glue cache.
+    For performance reasons, the returned glue records are cached
+    on the first use. The current implementation could randomly
+    cause a performance drop and increased memory use. This has
+    been fixed.
+  * Fix dnssec-signzone signing non-DNSKEY RRsets with revoked
+    keys.
+    dnssec-signzone was using revoked keys for signing RRsets other
+    than DNSKEY. This has been corrected.
+  * Fix improper handling of unknown directives in resolv.conf.
+    The line after an unknown directive in resolv.conf could
+    accidentally be skipped, potentially affecting dig, host,
+    nslookup, nsupdate, or delv. This has been fixed.
+  * Fix response policy zones and catalog zones with an $INCLUDE
+    statement defined.
+    Response policy zones (RPZ) and catalog zones were not working
+    correctly if they had an $INCLUDE statement defined. This has
+    been fixed
+
+- Remove desktop file and BuildRequires: update-desktop-files
+
+-------------------------------------------------------------------
+Tue Jan 21 00:37:45 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Explicitly BuildRequire sphinx_rtd_theme. 
+
+-------------------------------------------------------------------
+Thu Dec 12 12:38:04 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Add new dlz-modules source
+- Update to release 9.20.4
+  New Features:
+  * Update built-in bind.keys file with the new 2025 IANA root key.
+  * Add an initial-ds entry to bind.keys for the new root key, ID
+    38696, which is scheduled for publication in January 2025.
+
+  Removed Features:
+  * Move contributed DLZ modules into a separate repository. DLZ
+    modules should not be used except in testing.
+  * The DLZ modules were not maintained, the DLZ interface itself
+    is going to be scheduled for removal, and the DLZ interface is
+    blocking. Any module that blocks the query to the database
+    blocks the whole server.
+  * The DLZ modules now live in
+    https://gitlab.isc.org/isc-projects/dlz-modules repository.
+
+  Feature Changes:
+  * dnssec-ksr now supports KSK rollovers.
+  * The tool now allows for KSK generation, as well as planned KSK
+    rollovers. When signing a bundle from a Key Signing Request
+    (KSR), only the key that is active in that time frame is used
+    for signing. Also, the CDS and CDNSKEY records are now added
+    and removed at the correct time.
+  * Print RFC 7314: EXPIRE option in transfer summary.
+  * Emit more helpful log messages for exceeding
+    max-records-per-type.
+  * The new log message is emitted when adding or updating an RRset
+    fails due to exceeding the max-records-per-type limit. The log
+    includes the owner name and type, corresponding zone name, and
+    the limit value. It will be emitted on loading a zone file,
+    inbound zone transfer (both AXFR and IXFR), handling a DDNS
+    update, or updating a cache DB. It’s especially helpful in the
+    case of zone transfer, since the secondary side doesn’t have
+    direct access to the offending zone data.
+  * It could also be used for max-types-per-name, but this change
+    doesn’t implement it yet as it’s much less likely to happen in
+    practice.
+  * Harden key management when key files have become unavailable.
+  * Prior to doing key management, BIND 9 will check if the key
+    files on disk match the expected keys. If key files for
+    previously observed keys have become unavailable, this will
+    prevent the internal key manager from running.
+
+  Bug Fixes:
+  * Use TLS for notifies if configured to do so.
+  * Notifies configured to use TLS will now be sent over TLS,
+    instead of plain text UDP or TCP. Also, failing to load the TLS
+    configuration for notify now results in an error.
+  * {&dns} is as valid as {?dns} in a SVCB’s dohpath.
+  * dig failed to parse a valid SVCB record with a dohpath URI
+    template containing a {&dns}, like
+    dohpath=/some/path?key=value{&dns}”.
+  * Fix NSEC3 closest encloser lookup for names with empty
+    non-terminals.
+  * A previous performance optimization for finding the NSEC3
+    closest encloser when generating authoritative responses could
+    cause servers to return incorrect NSEC3 records in some cases.
+    This has been fixed.
+  * recursive-clients statement with value 0 triggered an assertion
+    failure.
+  * BIND 9.20.0 broke recursive-clients 0;. This has now been
+    fixed.
+  * Parsing of hostnames in rndc.conf was broken.
+  * When DSCP support was removed, parsing of hostnames in
+    rndc.conf was accidentally broken, resulting in an assertion
+    failure. This has been fixed.
+  * dig options of the form [+-]option=<value> failed to display
+    the value on the printed command line. This has been fixed.
+  * Provide more visibility into TLS configuration errors by
+    logging SSL_CTX_use_certificate_chain_file() and
+    SSL_CTX_use_PrivateKey_file() errors individually.
+  * Fix a race condition when canceling ADB find which could cause
+    an assertion failure.
+  * SERVFAIL cache memory cleaning is now more aggressive; it no
+    longer consumes a lot of memory if the server encounters many
+    SERVFAILs at once.
+  * Fix trying the next primary XoT server when the previous one
+    was marked as unreachable.
+  * In some cases named failed to try the next primary server in
+    the primaries list when the previous one was marked as
+    unreachable. This has been fixed.
+
+-------------------------------------------------------------------
+Thu Dec 12 09:54:08 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- update root hints file to 2024-11-20 version (boo#1234406)
+
+-------------------------------------------------------------------
+Mon Oct 21 08:42:47 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to release 9.20.3
+  New Features:
+  * Log query response status to the query log.
+  * Log a query response summary using the new responses category.
+    Logging can be controlled via the responselog option and via
+    rndc responselog.
+  * Added WALLET type.
+  * Add the new record type WALLET (262). This provides a mapping
+    from a domain name to a cryptographic currency wallet. Multiple
+    mappings can exist if multiple records exist.
+
+  Feature Changes:
+  * Set logging category for notify/xfer-in-related messages.
+  * Some notify and xfer-in-related log messages were logged at the
+    “general” category level instead of their own category. This
+    has been fixed.
+  * Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
+  * This change allows fallback from an IXFR failure to AXFR when
+    the reason is DNS_R_TOOMANYRECORDS.
+
+  Bug Fixes:
+  * Fix a statistics channel counter bug when “forward only” zones
+    are used.
+  * When resolving a zone with a “forward only” policy, and finding
+    out that all the forwarders were marked as “bad”, the
+    “ServerQuota” counter of the statistics channel was incorrectly
+    increased. This has been fixed.
+  * Fix a bug in the static-stub implementation.
+  * Static-stub addresses and addresses from other sources were
+    being mixed together, resulting in static-stub queries going to
+    addresses not specified in the configuration, or alternatively,
+    static-stub addresses being used instead of the correct server
+    addresses.
+  * Don’t allow statistics-channels if libxml2 and libjson-c are
+    not configured.
+  * When BIND 9 is not configured with the libxml2 and libjson-c
+    libraries, the use of the statistics-channels option is a fatal
+    error.
+  * Separate DNSSEC validation from long-running tasks.
+  * Split CPU-intensive and long-running tasks into separate
+    threadpools in a way that the long-running tasks - like RPZ,
+    catalog zone processing, or zone file operations - don’t block
+    CPU-intensive operations like DNSSEC validations.
+  * Fix an assertion failure when processing access control lists.
+  * The named process could terminate unexpectedly when processing
+    ACLs. This has been fixed.
+  * Fix a bug in Offline KSK using a ZSK with an unlimited
+    lifetime.
+  * If the ZSK had an unlimited lifetime, the timing metadata
+    Inactive and Delete could not be found and were treated as an
+    error, preventing the zone from being signed. This has been
+    fixed.
+  * Limit the outgoing UDP send queue size.
+  * If the operating system UDP queue got full and the outgoing UDP
+    sending started to be delayed, BIND 9 could exhibit memory
+    spikes as it tried to enqueue all the outgoing UDP messages. It
+    now tries to deliver the outgoing UDP messages synchronously;
+    if that fails, it drops the outgoing DNS message that would get
+    queued up and then timeout on the client side.
+  * Do not set SO_INCOMING_CPU.
+  * Remove the SO_INCOMING_CPU setting as kernel scheduling
+    performs better without constraints.
+  * Fix the rndc dumpdb command’s error reporting.
+  * The rndc dumpdb command was not reporting errors that occurred
+    when named started up the database dump process. This has been
+    fixed.
+  * Fix long-running incoming transfers.
+  * Incoming transfers that took longer than 30 seconds would stop
+    reading from the TCP stream and the incoming transfer would be
+    indefinitely stuck, causing BIND 9 to hang during shutdown.
+  * This has been fixed, and the max-transfer-time-in and
+    max-transfer-idle-in timeouts are now honored.
+  * Fix an assertion failure when receiving DNS responses over TCP.
+  * When matching the received Query ID in the TCP connection, an
+    invalid Query ID could cause an assertion failure. This has
+    been fixed.
+
+-------------------------------------------------------------------
+Thu Sep 19 08:57:57 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to release 9.20.2
+  New Features:
+  * Support for Offline KSK implemented.
+  * Add a new configuration option offline-ksk to enable Offline
+    KSK key management. Signed Key Response (SKR) files created
+    with dnssec-ksr (or other programs) can now be imported into
+    named with the new rndc skr -import command. Rather than
+    creating new DNSKEY, CDS, and CDNSKEY records and generating
+    signatures covering these types, these records are loaded from
+    the currently active bundle from the imported SKR.
+  * The implementation is loosely based on
+    draft-icann-dnssec-keymgmt-01.txt.
+  * Print the full path of the working directory in startup log
+    messages.
+  * named now prints its initial working directory during startup,
+    and the changed working directory when loading or reloading its
+    configuration file, if it has a valid directory option defined.
+  * Support a restricted key tag range when generating new keys.
+  * When multiple signers are being used to sign a zone, it is
+    useful to be able to specify a restricted range of key tags to
+    be used by an operator to sign the zone. The range can be
+    specified with tag-range in dnssec-policy’s keys (for named and
+    dnssec-ksr) and with the new options dnssec-keyfromlabel -M and
+    dnssec-keygen -M.
+
+  Feature Changes:
+  * Exempt prefetches from the fetches-per-zone and
+    fetches-per-server quotas.
+  * Fetches generated automatically as a result of prefetch are now
+    exempt from the fetches-per-zone and fetches-per-server quotas.
+    This should help in maintaining the cache from which query
+    responses can be given.
+  * Follow the number of CPUs set by taskset/cpuset.
+  * Administrators may wish to constrain the set of cores that
+    named runs on via the taskset, cpuset, or numactl programs (or
+    equivalents on other OSes).
+  * If the admin has used taskset, named now automatically uses the
+    given number of CPUs rather than the system-wide count.
+
+  Bug Fixes:
+  * Delay the release of root privileges until after configuring
+    controls.
+  * Delay relinquishing root privileges until the control channel
+    has been configured, for the benefit of systems that require
+    root to use privileged port numbers. This mostly affects
+    systems without fine- grained privilege systems (i.e., other
+    than Linux).
+  * Fix a rare assertion failure when shutting down incoming
+    transfer.
+  * A very rare assertion failure could be triggered when the
+    incoming transfer was either forcefully shut down, or it
+    finished during the printing of the details about the
+    statistics channel. This has been fixed.
+  * Fix algorithm rollover bug when there are two keys with the
+    same keytag.
+  * If there was an algorithm rollover and two keys of different
+    algorithms shared the same keytags, there was the possibility
+    that the check of whether the key matched a specific state
+    could be performed against the wrong key. This has been fixed
+    by not only checking for the matching key tag but also the key
+    algorithm.
+  * Fix an assertion failure in validate_dnskey_dsset_done().
+  * Under rare circumstances, named could terminate unexpectedly
+    when validating a DNSKEY resource record if the validation had
+    been canceled in the meantime. This has been fixed.
+
+  Known Issues:
+  * Long-running tasks in offloaded threads (e.g. the loading of
+    RPZ zones or processing zone transfers) may block the
+    resolution of queries during these operations and cause the
+    queries to time out. To work around the issue, the
+    UV_THREADPOOL_SIZE environment variable can be set to a larger
+    value before starting named. The recommended value is the
+    number of RPZ zones (or number of transfers) plus the number of
+    threads BIND should use, which is typically the number of CPUs.
+
+
 -------------------------------------------------------------------
 Fri Aug 23 09:26:22 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 

bind.spec

@@ -1,7 +1,8 @@
 #
 # spec file for package bind
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -51,12 +52,14 @@
 %define with_sfw2 0
 %endif
 
+%define dlz_modules_hash 5923650
+
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           bind
-Version:        9.20.1
+Version:        9.20.10
 Release:        0
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPL-2.0
@@ -67,7 +70,8 @@ Source1:        https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.t
 Source2:        vendor-files.tar.bz2
 # from http://www.isc.org/about/openpgp/ ... changes yearly apparently.
 Source3:        %{name}.keyring
-Source9:        ftp://ftp.internic.net/domain/named.root
+Source4:        dlz-modules-%{dlz_modules_hash}.tar.gz
+Source9:        https://www.internic.net/domain/named.root
 Source40:       dnszone-schema.txt
 Source60:       dlz-schema.txt
 # configuration file for systemd-tmpfiles
@@ -85,7 +89,7 @@ BuildRequires:  protobuf-c
 BuildRequires:  python3
 BuildRequires:  python3-Sphinx
 BuildRequires:  python3-ply
-BuildRequires:  update-desktop-files
+BuildRequires:  python3-sphinx_rtd_theme
 BuildRequires:  pkgconfig(jemalloc)
 BuildRequires:  pkgconfig(json)
 BuildRequires:  pkgconfig(krb5)
@@ -104,12 +108,7 @@ Provides:       dns_daemon
 Obsoletes:      bind8 < %{version}
 Obsoletes:      bind9 < %{version}
 %if %{with_systemd}
-BuildRequires:  systemd-rpm-macros
-BuildRequires:  sysuser-shadow
 BuildRequires:  sysuser-tools
-BuildRequires:  pkgconfig(libsystemd)
-BuildRequires:  pkgconfig(systemd)
-%{?systemd_ordering}
 %sysusers_requires
 %else
 Requires(post): %insserv_prereq
@@ -231,6 +230,7 @@ possible string of labels in the query name that matches the wildcard.
 
 %prep
 %autosetup -p1 -a2
+%setup -T -D -a4
 
 # use the year from source gzip header instead of current one to make reproducible rpms
 year=$(perl -e 'sysread(STDIN, $h, 8); print (1900+(gmtime(unpack("l",substr($h,4))))[5])' < %{SOURCE0})
@@ -307,7 +307,7 @@ done
 %sysusers_generate_pre %{SOURCE72} named named.conf
 %endif
 # special build for the plugins
-for d in contrib/dlz/modules/*; do
+for d in dlz-modules-%{dlz_modules_hash}/modules/*; do
        [ -e $d/Makefile ] && make -C $d
 done
 
@@ -339,25 +339,28 @@ rm -rf %{buildroot}%{_includedir}
 
 # Install the plugins
 mkdir -p %{buildroot}/%{_libdir}/bind-plugins
+pushd dlz-modules-%{dlz_modules_hash}/modules
 %if %{with_modules_perl}
-    install -m 0644 contrib/dlz/modules/perl/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 perl/*.so %{buildroot}/%{_libdir}/bind-plugins
 %endif
 %if %{with_modules_mysql}
-    install -m 0644 contrib/dlz/modules/mysql/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 mysql/*.so %{buildroot}/%{_libdir}/bind-plugins
-    install -m 0644 contrib/dlz/modules/mysqldyn/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 mysqldyn/*.so %{buildroot}/%{_libdir}/bind-plugins
 %endif
 %if %{with_modules_ldap}
-    install -m 0644 contrib/dlz/modules/ldap/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 ldap/*.so %{buildroot}/%{_libdir}/bind-plugins
 %endif
 %if %{with_modules_bdbhpt}
-    install -m 0644 contrib/dlz/modules/bdbhpt/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 bdbhpt/*.so %{buildroot}/%{_libdir}/bind-plugins
 %endif
 %if %{with_modules_sqlite3}
-    install -m 0644 contrib/dlz/modules/sqlite3/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 sqlite3/*.so %{buildroot}/%{_libdir}/bind-plugins
 %endif
 %if %{with_modules_generic}
-    install -m 0644 contrib/dlz/modules/{filesystem,wildcard}/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 {filesystem,wildcard}/*.so %{buildroot}/%{_libdir}/bind-plugins
 %endif
+popd
+
 # remove useless .la files
 rm -f %{buildroot}/%{_libdir}/lib*.{la,a} %{buildroot}/%{_libdir}/bind/*.la
 mv vendor-files/config/named.conf %{buildroot}/%{_sysconfdir}
@@ -386,7 +389,6 @@ mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d
 install -m 0644 %{_sourcedir}/named.root %{buildroot}%{_localstatedir}/lib/named/root.hint
 mv vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_localstatedir}/lib/named
 install -m 0755 vendor-files/tools/bind.genDDNSkey %{buildroot}/%{_bindir}/genDDNSkey
-cp -a vendor-files/docu/BIND.desktop %{buildroot}/%{_datadir}/susehelp/meta/Administration/System
 cp -p %{_sourcedir}/dnszone-schema.txt %{buildroot}/%{_sysconfdir}/openldap/schema/dnszone.schema
 cp -p "%{SOURCE60}" "%{buildroot}/%{_sysconfdir}/openldap/schema/dlz.schema"
 install -m 0754 vendor-files/tools/ldapdump %{buildroot}/%{_datadir}/bind

dlz-modules.obsinfo

@@ -0,0 +1,4 @@
+name: dlz-modules
+version: 5923650
+mtime: 1731483151
+commit: 5923650dbb69eac5006938218d0bc11ad9b41696

named.root

@@ -9,8 +9,8 @@
 ;           on server           FTP.INTERNIC.NET
 ;       -OR-                    RS.INTERNIC.NET
 ;
-;       last update:     July 28, 2021
+;       last update:     December 18, 2024
-;       related version of root zone:     2021072802
+;       related version of root zone:     2024121801
 ; 
 ; FORMERLY NS.INTERNIC.NET 
 ;
@@ -21,8 +21,8 @@ A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
 ; FORMERLY NS1.ISI.EDU 
 ;
 .                        3600000      NS    B.ROOT-SERVERS.NET.
-B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
+B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
-B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
+B.ROOT-SERVERS.NET.      3600000      AAAA  2801:1b8:10::b
 ; 
 ; FORMERLY C.PSI.NET 
 ;