SHA256
1
0
forked from pool/bind

Compare commits

...

4 Commits

10 changed files with 316 additions and 35 deletions

15
_service Normal file
View File

@ -0,0 +1,15 @@
<services>
<service name="obs_scm" mode="manual">
<param name="scm">git</param>
<param name="url">https://gitlab.isc.org/isc-projects/dlz-modules.git</param>
<param name="revision">main</param>
<param name="versionformat">%h</param>
<param name="filename">dlz-modules</param>
<param name="package-meta">yes</param>
</service>
<service name="tar" mode="buildtime"/>
<service name="recompress" mode="buildtime">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
</services>

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fe6ddff74921410d33b62b5723ac23912e8d50138ef66d7a30dc2c421129aeb0
size 5789604

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE2ZzOr4eXRwFPA41jGC4jV5Ri76oFAma987IACgkQGC4jV5Ri
76r2Rg/9FnbrOwZrN4HWUeQ7ewyPq+ZaaHFZXXucXSwIXAkAAouW7lzhkMnUSSXV
SjUTOyLJAsFtVPrizR1yR9OrrnBIUniQfE/oB9WEiKTsVfA2FuoHyKWRiOrUQ2XP
8BjJD/hSbdQ7ByHENMcrjVpwK3r/QO+rroUgCIcV375hVfmcsYJI0pbxu2wEj5En
0nqTjObLv3AdnGj65+/I4xwkC/GhIGFhhW2SHQGpTldeajag/ODouu4KuZA5BrLi
whYkyTgC+rIQicF6EIyg8nGFDR28jUSPSGpSfYn/nMvtfU9Wl3Z4ug9TiMh5kdV3
3b8MFJqvm0FYcCXgON1twLlO05XKlYLLU9+Y6CpWHTELTZRV01NPiUOEtLytMJTx
DDY7C8bgR7iTv2gwgdxQlOI4Kkee9uB4nqZ468hy9flC29SYW8YKX46i8W+vV6wj
BcoJBhKnJ/tSgF39gY2rCRU2jpRjw8oDMYpzBK6e0Ks4dtZYXvLto+aHQj8IS1Q4
3Z2NhGowtqqeKfL6HGzmQHO8QLUgwgXUVELjO9ySiwxY7fMqbAK6CuP28dNlR0dU
HhU0cnd383YoeEX0ph5zGRyCOifPPOzBXT8y70OkcqEPbyD4y16pvg41db73NX3V
IOqEK7Bm5iPl4ygcFnGTfbG/VxVKnYiQBaBBuo33AeWLwtl6ugs=
=wNju
-----END PGP SIGNATURE-----

3
bind-9.20.4.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3a8e1a05e00e3e9bc02bdffded7862faf7726ba76ba997f42ab487777bd8210b
size 5620536

16
bind-9.20.4.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE2ZzOr4eXRwFPA41jGC4jV5Ri76oFAmdW77UACgkQGC4jV5Ri
76pE3BAAxOXpxdb0MRWRDBIA4rMw8oscMy9e76h4B8MGsn25SEa7nJ5lFgp29HZ0
vVZQu6dTd7chGHEi97wZjbsgvu2wwVQOANRpA349UY+UqPtXZOJi1d9OMNxZqJnU
UZcNr9jCX+CvEfmmsIfMuOdL1rDJcD2qaeXVmFmwYiQdmG80RURqOXnSDhftSCYd
o1mYryg+Sgyhlg8vo9RvVAPTwak9agnauDzaOXHhLvJYsmow40l6MSG70glep5Qs
s9ekveQlXX8I/6IDSLtOk+BQVnn0EKL5GTa4/xq/skYDFZQ4id53/XG8yXmnAGK7
gWbgr8Dh0P2h8caNP8nSDSiog1pFdIo9+W0pHWNICTKGbC2xP+oumUaPjK+XK4vI
dvVpSTOYB/tHXl4SBq4Day4Sfa0DAhtPkKAkfK+g3L4QJrZLbjLpYLZCZv5vnr3a
QE0fwrUiguElgWLs1Qx9yI09AYDSfCVwAsiS8GdgwvqJ0LM7kYVyR6AkSdHZTt/X
/dQMRBK1Hx4HaGeX8/8EeXyFyiOp8ds36jJM+lYkVVe3AV1q2xa4+X7YJvI7XmmG
QeqZ4KR3pxxBaoFcWlTXLqRJZZSy4yjaBxO5aQvErJ1wlY5FMbgqB9jdw9FOQj6w
+voFX+yyb7HfO2hAr7NEfNcDNJNWSh7BS3ZZk3EZR3fkVEEnrn8=
=xbdk
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,254 @@
-------------------------------------------------------------------
Thu Dec 12 12:38:04 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Add new dlz-modules source
- Update to release 9.20.4
New Features:
* Update built-in bind.keys file with the new 2025 IANA root key.
* Add an initial-ds entry to bind.keys for the new root key, ID
38696, which is scheduled for publication in January 2025.
Removed Features:
* Move contributed DLZ modules into a separate repository. DLZ
modules should not be used except in testing.
* The DLZ modules were not maintained, the DLZ interface itself
is going to be scheduled for removal, and the DLZ interface is
blocking. Any module that blocks the query to the database
blocks the whole server.
* The DLZ modules now live in
https://gitlab.isc.org/isc-projects/dlz-modules repository.
Feature Changes:
* dnssec-ksr now supports KSK rollovers.
* The tool now allows for KSK generation, as well as planned KSK
rollovers. When signing a bundle from a Key Signing Request
(KSR), only the key that is active in that time frame is used
for signing. Also, the CDS and CDNSKEY records are now added
and removed at the correct time.
* Print RFC 7314: EXPIRE option in transfer summary.
* Emit more helpful log messages for exceeding
max-records-per-type.
* The new log message is emitted when adding or updating an RRset
fails due to exceeding the max-records-per-type limit. The log
includes the owner name and type, corresponding zone name, and
the limit value. It will be emitted on loading a zone file,
inbound zone transfer (both AXFR and IXFR), handling a DDNS
update, or updating a cache DB. Its especially helpful in the
case of zone transfer, since the secondary side doesnt have
direct access to the offending zone data.
* It could also be used for max-types-per-name, but this change
doesnt implement it yet as its much less likely to happen in
practice.
* Harden key management when key files have become unavailable.
* Prior to doing key management, BIND 9 will check if the key
files on disk match the expected keys. If key files for
previously observed keys have become unavailable, this will
prevent the internal key manager from running.
Bug Fixes:
* Use TLS for notifies if configured to do so.
* Notifies configured to use TLS will now be sent over TLS,
instead of plain text UDP or TCP. Also, failing to load the TLS
configuration for notify now results in an error.
* {&dns} is as valid as {?dns} in a SVCBs dohpath.
* dig failed to parse a valid SVCB record with a dohpath URI
template containing a {&dns}, like
dohpath=/some/path?key=value{&dns}”.
* Fix NSEC3 closest encloser lookup for names with empty
non-terminals.
* A previous performance optimization for finding the NSEC3
closest encloser when generating authoritative responses could
cause servers to return incorrect NSEC3 records in some cases.
This has been fixed.
* recursive-clients statement with value 0 triggered an assertion
failure.
* BIND 9.20.0 broke recursive-clients 0;. This has now been
fixed.
* Parsing of hostnames in rndc.conf was broken.
* When DSCP support was removed, parsing of hostnames in
rndc.conf was accidentally broken, resulting in an assertion
failure. This has been fixed.
* dig options of the form [+-]option=<value> failed to display
the value on the printed command line. This has been fixed.
* Provide more visibility into TLS configuration errors by
logging SSL_CTX_use_certificate_chain_file() and
SSL_CTX_use_PrivateKey_file() errors individually.
* Fix a race condition when canceling ADB find which could cause
an assertion failure.
* SERVFAIL cache memory cleaning is now more aggressive; it no
longer consumes a lot of memory if the server encounters many
SERVFAILs at once.
* Fix trying the next primary XoT server when the previous one
was marked as unreachable.
* In some cases named failed to try the next primary server in
the primaries list when the previous one was marked as
unreachable. This has been fixed.
-------------------------------------------------------------------
Thu Dec 12 09:54:08 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>
- update root hints file to 2024-11-20 version (boo#1234406)
-------------------------------------------------------------------
Mon Oct 21 08:42:47 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.20.3
New Features:
* Log query response status to the query log.
* Log a query response summary using the new responses category.
Logging can be controlled via the responselog option and via
rndc responselog.
* Added WALLET type.
* Add the new record type WALLET (262). This provides a mapping
from a domain name to a cryptographic currency wallet. Multiple
mappings can exist if multiple records exist.
Feature Changes:
* Set logging category for notify/xfer-in-related messages.
* Some notify and xfer-in-related log messages were logged at the
“general” category level instead of their own category. This
has been fixed.
* Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
* This change allows fallback from an IXFR failure to AXFR when
the reason is DNS_R_TOOMANYRECORDS.
Bug Fixes:
* Fix a statistics channel counter bug when “forward only” zones
are used.
* When resolving a zone with a “forward only” policy, and finding
out that all the forwarders were marked as “bad”, the
“ServerQuota” counter of the statistics channel was incorrectly
increased. This has been fixed.
* Fix a bug in the static-stub implementation.
* Static-stub addresses and addresses from other sources were
being mixed together, resulting in static-stub queries going to
addresses not specified in the configuration, or alternatively,
static-stub addresses being used instead of the correct server
addresses.
* Dont allow statistics-channels if libxml2 and libjson-c are
not configured.
* When BIND 9 is not configured with the libxml2 and libjson-c
libraries, the use of the statistics-channels option is a fatal
error.
* Separate DNSSEC validation from long-running tasks.
* Split CPU-intensive and long-running tasks into separate
threadpools in a way that the long-running tasks - like RPZ,
catalog zone processing, or zone file operations - dont block
CPU-intensive operations like DNSSEC validations.
* Fix an assertion failure when processing access control lists.
* The named process could terminate unexpectedly when processing
ACLs. This has been fixed.
* Fix a bug in Offline KSK using a ZSK with an unlimited
lifetime.
* If the ZSK had an unlimited lifetime, the timing metadata
Inactive and Delete could not be found and were treated as an
error, preventing the zone from being signed. This has been
fixed.
* Limit the outgoing UDP send queue size.
* If the operating system UDP queue got full and the outgoing UDP
sending started to be delayed, BIND 9 could exhibit memory
spikes as it tried to enqueue all the outgoing UDP messages. It
now tries to deliver the outgoing UDP messages synchronously;
if that fails, it drops the outgoing DNS message that would get
queued up and then timeout on the client side.
* Do not set SO_INCOMING_CPU.
* Remove the SO_INCOMING_CPU setting as kernel scheduling
performs better without constraints.
* Fix the rndc dumpdb commands error reporting.
* The rndc dumpdb command was not reporting errors that occurred
when named started up the database dump process. This has been
fixed.
* Fix long-running incoming transfers.
* Incoming transfers that took longer than 30 seconds would stop
reading from the TCP stream and the incoming transfer would be
indefinitely stuck, causing BIND 9 to hang during shutdown.
* This has been fixed, and the max-transfer-time-in and
max-transfer-idle-in timeouts are now honored.
* Fix an assertion failure when receiving DNS responses over TCP.
* When matching the received Query ID in the TCP connection, an
invalid Query ID could cause an assertion failure. This has
been fixed.
-------------------------------------------------------------------
Thu Sep 19 08:57:57 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.20.2
New Features:
* Support for Offline KSK implemented.
* Add a new configuration option offline-ksk to enable Offline
KSK key management. Signed Key Response (SKR) files created
with dnssec-ksr (or other programs) can now be imported into
named with the new rndc skr -import command. Rather than
creating new DNSKEY, CDS, and CDNSKEY records and generating
signatures covering these types, these records are loaded from
the currently active bundle from the imported SKR.
* The implementation is loosely based on
draft-icann-dnssec-keymgmt-01.txt.
* Print the full path of the working directory in startup log
messages.
* named now prints its initial working directory during startup,
and the changed working directory when loading or reloading its
configuration file, if it has a valid directory option defined.
* Support a restricted key tag range when generating new keys.
* When multiple signers are being used to sign a zone, it is
useful to be able to specify a restricted range of key tags to
be used by an operator to sign the zone. The range can be
specified with tag-range in dnssec-policys keys (for named and
dnssec-ksr) and with the new options dnssec-keyfromlabel -M and
dnssec-keygen -M.
Feature Changes:
* Exempt prefetches from the fetches-per-zone and
fetches-per-server quotas.
* Fetches generated automatically as a result of prefetch are now
exempt from the fetches-per-zone and fetches-per-server quotas.
This should help in maintaining the cache from which query
responses can be given.
* Follow the number of CPUs set by taskset/cpuset.
* Administrators may wish to constrain the set of cores that
named runs on via the taskset, cpuset, or numactl programs (or
equivalents on other OSes).
* If the admin has used taskset, named now automatically uses the
given number of CPUs rather than the system-wide count.
Bug Fixes:
* Delay the release of root privileges until after configuring
controls.
* Delay relinquishing root privileges until the control channel
has been configured, for the benefit of systems that require
root to use privileged port numbers. This mostly affects
systems without fine- grained privilege systems (i.e., other
than Linux).
* Fix a rare assertion failure when shutting down incoming
transfer.
* A very rare assertion failure could be triggered when the
incoming transfer was either forcefully shut down, or it
finished during the printing of the details about the
statistics channel. This has been fixed.
* Fix algorithm rollover bug when there are two keys with the
same keytag.
* If there was an algorithm rollover and two keys of different
algorithms shared the same keytags, there was the possibility
that the check of whether the key matched a specific state
could be performed against the wrong key. This has been fixed
by not only checking for the matching key tag but also the key
algorithm.
* Fix an assertion failure in validate_dnskey_dsset_done().
* Under rare circumstances, named could terminate unexpectedly
when validating a DNSKEY resource record if the validation had
been canceled in the meantime. This has been fixed.
Known Issues:
* Long-running tasks in offloaded threads (e.g. the loading of
RPZ zones or processing zone transfers) may block the
resolution of queries during these operations and cause the
queries to time out. To work around the issue, the
UV_THREADPOOL_SIZE environment variable can be set to a larger
value before starting named. The recommended value is the
number of RPZ zones (or number of transfers) plus the number of
threads BIND should use, which is typically the number of CPUs.
-------------------------------------------------------------------
Fri Aug 23 09:26:22 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>

View File

@ -1,7 +1,8 @@
#
# spec file for package bind
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -51,12 +52,14 @@
%define with_sfw2 0
%endif
%define dlz_modules_hash 5923650
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: bind
Version: 9.20.1
Version: 9.20.4
Release: 0
Summary: Domain Name System (DNS) Server (named)
License: MPL-2.0
@ -67,7 +70,8 @@ Source1: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.t
Source2: vendor-files.tar.bz2
# from http://www.isc.org/about/openpgp/ ... changes yearly apparently.
Source3: %{name}.keyring
Source9: ftp://ftp.internic.net/domain/named.root
Source4: dlz-modules-%{dlz_modules_hash}.tar.gz
Source9: https://www.internic.net/domain/named.root
Source40: dnszone-schema.txt
Source60: dlz-schema.txt
# configuration file for systemd-tmpfiles
@ -231,6 +235,7 @@ possible string of labels in the query name that matches the wildcard.
%prep
%autosetup -p1 -a2
%setup -T -D -a4
# use the year from source gzip header instead of current one to make reproducible rpms
year=$(perl -e 'sysread(STDIN, $h, 8); print (1900+(gmtime(unpack("l",substr($h,4))))[5])' < %{SOURCE0})
@ -307,8 +312,8 @@ done
%sysusers_generate_pre %{SOURCE72} named named.conf
%endif
# special build for the plugins
for d in contrib/dlz/modules/*; do
[ -e $d/Makefile ] && make -C $d
for d in dlz-modules-%{dlz_modules_hash}/modules/*; do
[ -e $d/Makefile ] && make -C $d
done
%install
@ -339,25 +344,28 @@ rm -rf %{buildroot}%{_includedir}
# Install the plugins
mkdir -p %{buildroot}/%{_libdir}/bind-plugins
pushd dlz-modules-%{dlz_modules_hash}/modules
%if %{with_modules_perl}
install -m 0644 contrib/dlz/modules/perl/*.so %{buildroot}/%{_libdir}/bind-plugins
install -m 0644 perl/*.so %{buildroot}/%{_libdir}/bind-plugins
%endif
%if %{with_modules_mysql}
install -m 0644 contrib/dlz/modules/mysql/*.so %{buildroot}/%{_libdir}/bind-plugins
install -m 0644 contrib/dlz/modules/mysqldyn/*.so %{buildroot}/%{_libdir}/bind-plugins
install -m 0644 mysql/*.so %{buildroot}/%{_libdir}/bind-plugins
install -m 0644 mysqldyn/*.so %{buildroot}/%{_libdir}/bind-plugins
%endif
%if %{with_modules_ldap}
install -m 0644 contrib/dlz/modules/ldap/*.so %{buildroot}/%{_libdir}/bind-plugins
install -m 0644 ldap/*.so %{buildroot}/%{_libdir}/bind-plugins
%endif
%if %{with_modules_bdbhpt}
install -m 0644 contrib/dlz/modules/bdbhpt/*.so %{buildroot}/%{_libdir}/bind-plugins
install -m 0644 bdbhpt/*.so %{buildroot}/%{_libdir}/bind-plugins
%endif
%if %{with_modules_sqlite3}
install -m 0644 contrib/dlz/modules/sqlite3/*.so %{buildroot}/%{_libdir}/bind-plugins
install -m 0644 sqlite3/*.so %{buildroot}/%{_libdir}/bind-plugins
%endif
%if %{with_modules_generic}
install -m 0644 contrib/dlz/modules/{filesystem,wildcard}/*.so %{buildroot}/%{_libdir}/bind-plugins
install -m 0644 {filesystem,wildcard}/*.so %{buildroot}/%{_libdir}/bind-plugins
%endif
popd
# remove useless .la files
rm -f %{buildroot}/%{_libdir}/lib*.{la,a} %{buildroot}/%{_libdir}/bind/*.la
mv vendor-files/config/named.conf %{buildroot}/%{_sysconfdir}

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4c5e9ce87c314852fc1844bd930ac3ba2d5ed80e3a52cfcc0b58443d0ac98d5a
size 478731

4
dlz-modules.obsinfo Normal file
View File

@ -0,0 +1,4 @@
name: dlz-modules
version: 5923650
mtime: 1731483151
commit: 5923650dbb69eac5006938218d0bc11ad9b41696

View File

@ -9,8 +9,8 @@
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: July 28, 2021
; related version of root zone: 2021072802
; last update: December 18, 2024
; related version of root zone: 2024121801
;
; FORMERLY NS.INTERNIC.NET
;
@ -21,8 +21,8 @@ A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b
B.ROOT-SERVERS.NET. 3600000 A 170.247.170.2
B.ROOT-SERVERS.NET. 3600000 AAAA 2801:1b8:10::b
;
; FORMERLY C.PSI.NET
;