The named service fail to start as below:
# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2020-09-16 06:07:49 UTC; 9s ago
Process: 134206 ExecStartPre=/usr/sbin/generate-rndc-key.sh (code=exited, status=1/FAILURE)
Sep 16 06:07:49 intel-x86-64 systemd[1]: Starting Berkeley Internet Name Domain (DNS)...
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134206]: Generating /etc/bind/rndc.key:
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134207]: rndc-confgen: The -r option has been deprecated.
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134208]: chown: cannot access '/etc/bind/rndc.key': No such file or directory
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134209]: chmod: cannot access '/etc/bind/rndc.key': No such file or directory
Sep 16 06:07:49 intel-x86-64 systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Sep 16 06:07:49 intel-x86-64 systemd[1]: named.service: Failed with result 'exit-code'.
Sep 16 06:07:49 intel-x86-64 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
It is because fail to execute "/usr/sbin/generate-rndc-key.sh" as
-r is deprecated since bind 9.13.x and the random function changes
in [1], so remove -r option to fix the above issue.
DNSSEC validation is now active by default after bind upgrade to 9.16.x,
but it is not in 9.11.x. So disable DNSSEC validation explicitly to
silence below message.
Sep 18 03:21:37 intel-x86-64 named[23272]: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
[1]: 3a4f820d62
(From OE-Core rev: 884cc4196c75b5107082a188cf5f7a4dee4fc5c3)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We are setting u-a for nslookup and it won't work unless we inherit this
class
(From OE-Core rev: 0cccb2ae6508c0b3d4a5362e61b24ee314c2fb02)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Andrey Zhizhikin <andrey.z@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Removed obsolete packageconfig options
License change to MPL-2.0
https://gitlab.isc.org/isc-projects/bind9/blob/master/LICENSE
Refreshed:
bind-ensure-searching-for-json-headers-searches-sysr.patch
0001-named-lwresd-V-and-start-log-hide-build-options.patch
bind-ensure-searching-for-json-headers-searches-sysr.patch
Drop obsolete patch: 0001-configure.in-remove-useless-L-use_openssl-lib.patch
RP: Dropped the multilib scripts handling as those scripts are no longer present
in this version.
(From OE-Core rev: d7cc84de47fad1dfbae68c32bb2165c708bec66b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop backports.
Drop 0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch and
0001-lib-dns-gen.c-fix-too-long-error.patch as problem is fixed
upstream.
(From OE-Core rev: 6965ec5c491e71d5951dfb58fc060bd0b717e33d)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport patches to fix CVE-2019-6471 and CVE-2018-5743 for bind.
CVE-2019-6471 is fixed by 0001-bind-fix-CVE-2019-6471.patch and the
other 6 patches are for CVE-2018-5743. And backport one more patch to
fix compile error on arm caused by these 6 commits.
(From OE-Core rev: 3c39d4158677b97253df63f23b74c3a9dd5539f6)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Nothing in the target installation actually needs it.
(From OE-Core rev: 0357b2d2cdcbcef89a346126969ec3e1856bda95)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If the PACKAGECONFIG item, python3, is enabled, we get the following
QA issue when multilib is enabled.
ERROR: bind-9.11.5-P4-r0 do_package: QA Issue: bind: Files/directories were installed but not shipped in any package:
/usr/lib
/usr/lib/python3.7
/usr/lib/python3.7/site-packages
/usr/lib/python3.7/site-packages/isc-2.0-py3.7.egg-info
/usr/lib/python3.7/site-packages/isc
/usr/lib/python3.7/site-packages/isc/policy.py
[snip]
The thing is, when --with-python is specified with a path instead of 'yes',
the --with-python-install-dir is in fact ignored.
Fix this issue by specifying the correct arguments.
(From OE-Core rev: 2c36b3e5c7caae07ffe0cfb816d37fad52d69fc9)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
nslookup was undeprecated 15 years ago,
and installing bind-utils should replace the busybox version.
(From OE-Core rev: 6d594e2a466a75f88fe8ab454e58ae20e3bdee05)
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a client tool that is usually not used one the same
machine as the DNS server.
(From OE-Core rev: 3f114fb51ca315db0f7cb73b450a508a0477ab88)
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Commit "c37207d0aca5 bind: update to ESV version 9.11.3" dropped
0001-build-use-pkg-config-to-find-libxml2.patch
from recipe, but left the patch itself in source tree.
Remove this patch since nobody uses it.
Cc: Armin Kuster <akuster808@gmail.com>
(From OE-Core rev: 6d624b57397fce4ac98b98e8f47cd95336e44122)
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The generated key file should try to have bind group so that if
the named daemon is started via '-u bind' option, which is the
default in OE core, we will not get startup failure because of
'permission denied' error.
(From OE-Core rev: fc4c4f40dbcf558a48058d944eef21e588d64aa0)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It adds ${libdir} to linker options in scripts bind9-config and
isc-config.sh. And then causes install file conflicts when install bind
andl ib32-bind both.
Inherit multilib_script.bbclass to fix this issue.
(From OE-Core rev: d3baeaf09d5d3e7548e5b2ea1b565880ea6ce994)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
with bind 9.11.2+ when the build host has lmdb installed, bind configure looks into
host headers and wrongly interprets that it should be enabling lmdb
disable lmdb to fix
| configure: error: found lmdb include but not library.
(From OE-Core rev: 8c00b32211f25e38c1601ec8de47e6d4729dd49e)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
LIC_FILES_CHKSUM changed do to updated year
removed:
dont-test-on-host.patch, no longer implemented
drop use-python3-and-fix-install-lib-path.patch, they added the ability to pass in lib dir loctions
drop bind-confgen-build-unix.o-once.patch, fix included in update
Refresh other patches:
add python3 flag for PACKAGECONFIG to pull in python
add new config option --with-eddsa=no (needs openssl support not released)
Python support is disaled by default now.
Acked-by: Martin Hundebøll <mnhu@prevas.dk>
(From OE-Core rev: c37207d0aca5ad1ec2b45813274931be458ee7ed)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In multiarch /usr/include and /usr/lib/<tuple/ are not on the same level anymore. This change will pass a correct includedir, but a wrong libdir, but the linker picks it up anyway.
Tested on multiarch and regular build.
(From OE-Core rev: 9a02cd981eee8b1cd488373659a8a610962309e3)
Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The ftp protocol is dated and problematic. Since https is available, lets
use that instead, making new users chances of successful builds higher.
(From OE-Core rev: f24a29fcba98ceff08c13b0f029be93995f1deed)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Security Fixes
* An error in TSIG handling could permit unauthorized zone transfers
or zone updates. These flaws are disclosed in CVE-2017-3142 and
CVE-2017-3143. [RT #45383]
* The BIND installer on Windows used an unquoted service path, which
can enable privilege escalation. This flaw is disclosed in
CVE-2017-3141. [RT #45229]
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140. [RT #45181]
End of Life
The end of life for BIND 9.10 is yet to be determined but will not be
before BIND 9.12.0 has been released for 6 months.
https://www.isc.org/downloads/software-support-policy/
more info see https://lists.isc.org/pipermail/bind-announce/2017-July/001063.html
(From OE-Core rev: 96e9adb60320b2e2f0bb7a04d9ed49ddc53649bb)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The scripts currently reference "python33", fix this so they reference
python3. The move the python3 likely broke these.
(From OE-Core rev: 1a734f037da37d14f780970a9532d1e2e3683bf8)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade bind from 9.10.3-P3 to 9.10.5-P3
* Update md5sum of LIC_FILES_CHKSUM that it update year in file COPYRIGHT
* Remvoe mips1-not-support-opcode.diff which has been merged
* Remove CVE patches that there are backported from upstream
* Use python3 for build and make sure install .py files to right directory
(From OE-Core rev: 9ee6a0a6599d081767b63382a576e67aed12cf4d)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Build without threads for bind is inherited from legacy openembedded.
All libc's support proper threading on Linux now, so enable threads
support for bind.
It is also need to disable static library build which cause package dhcp
fail to build after enable bind threads support.
Options devpoll and epoll are configured to choose most preferable
multiplex method for unix socket. The priorities are: epoll > poll >
select. When set '--enable-epoll', it just defines a var and include
header file that is available for cross compile. So use epoll for bind.
Add PACKAGECONFIG 'urandom' that could use /dev/urandom as random device.
Update file/directory ownerships to fix daemon start failure.
(From OE-Core rev: 598e5da5a2af2bd93ad890687dd32009e348fc85)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Enforce the correct tag names across all of oe-core for consistency.
(From OE-Core rev: 606a43dc38a00cc243f933722db657aea4129f8e)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Duplicate EDNS COOKIE options in a response could trigger an
assertion failure: Fix with a backport.
bind as built with the oe-core recipe is not at risk: Only servers
which are built with DNS cookie support (--enable-sit) are vulnerable
to denial of service.
Fixes [YOCTO #9438]
(From OE-Core rev: da38a9840b32e80464e2938395db5c9167729f7e)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade bind from 9.10.2-P4 to 9.10.3-P2.
* update context of 0001-build-use-pkg-config-to-find-libxml2.patch
* add PACKAGECONFIGs readline and libedit. They provide same library, so
should not be set at same time.
(From OE-Core rev: b49751e7febd262b754043e4e523e6690bfbbfaa)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
gen.c uses 512 as the path length which is a little short when build in
deep dir, and cause "too long" error, use PATH_MAX if defined.
(From OE-Core rev: 10e017fd3de3ff1ab0c1b32ac7a9610a04f8ff13)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix a variety of problems such as typos, bad punctuations, or incorrect
Upstream-Status values.
(From OE-Core rev: bd220fe6ce8c3a0805f13a14706d3130ea872604)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix the building path is long, when building bind, we would meet the following
error.
".../long/path/to/bind/9.10.2-P3-r0/bind-9.10.2-P3/lib/dns" too long
This is because the in gen.c, DIRNAMESIZE is limited to 256. But in OE, the
path length limit is more than 400. So we change it to 512.
(From OE-Core rev: 2f22eb1ce8083afb929cce432b8dda84682520e8)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
fixes two secruity issues:
CVE-2015-5722 and CVE-2015-5986.
see release notes for more information.
ftp://ftp.isc.org/isc/bind9/9.10.2-P4/RELEASE-NOTES.bind-9.10.2-P4.html
(From OE-Core rev: 0dab62934e69019557ebae392dc8cb25e37748c2)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
