BIND 9.18 is a stable branch, suitable for production use.
Notes for BIND 9.18.5
Feature Changes
The dnssec-signzone -H default value has been changed to 0 additional NSEC3
iterations. This change aligns the dnssec-signzone default with the default
used by the dnssec-policy feature. At the same time, documentation about
NSEC3 has been aligned with the Best Current Practice. [GL #3395]
Bug Fixes
- An assertion failure caused by a TCP connection closing between a connect
(or accept) and a read from a socket has been fixed. [GL #3400]
- When grafting non-delegated namespace onto delegated namespace,
synth-from-dnssec could incorrectly synthesize non-existence of records
within the non-delegated namespace using NSEC records from higher zones. [GL #3402]
- Previously, named immediately returned a SERVFAIL response to the client
when it received a FORMERR response from an authoritative server during
recursive resolution. This has been fixed: named acting as a resolver
now attempts to contact other authoritative servers for a given domain
when it receives a FORMERR response from one of them. [GL #3152]
- Previously, rndc reconfig did not pick up changes to endpoints statements
in http blocks. This has been fixed. [GL #3415]
- It was possible for a catalog zone consumer to process a catalog zone
member zone when there was a configured pre-existing forward-only forward
zone with the same name. This has been fixed. [GL #2506]
(From OE-Core rev: 75c4b8361ef2d3a39e192ed8318d1038a3ff0999)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0a419b730ca87daa4e07daf022a550fb4112b9b0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Python support was dropped upstream and removed in 8a9a5885995c ("bind:
update 9.16.26 -> 9.18.1"), clean up the remaining pieces of python3 in
the recipe.
(From OE-Core rev: acda23e0d985049ae83e9516315c33afae763ad9)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ee4e4eb16a3729dcafad075c42aec1695b8ea15f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
[func] Don't try to process DNSSEC-related and ZONEMD records
in catz. [GL #3380]
[func] Add some more dnssec-policy checks to detect weird
policies. [GL #1611]
[test] Add new set of unit test macros and move the unit
tests under single namespace in /tests/. [GL !6243]
[func] Key timing options for 'dnssec-settime' and related
utilities now accept "UNSET" times as printed by
'dnssec-settime -p'. [GL #3361]
[bug] When the fetches-per-server quota was adjusted
because of an authoritative server timing out more
or less frequently, it was incorrectly set to 1
rather than the intended value. This has been
fixed. [GL #3327]
[bug] Only write key files if the dnssec-policy keymgr has
changed the metadata. [GL #3302]
[func] Key timing options for 'dnssec-keygen' and
'dnssec-settime' now accept times as printed by
'dnssec-settime -p'. [GL !2947]
(From OE-Core rev: 5bfb44bff5d296b8fd447acb7bdb29b544bd1c20)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d5a12d549209f01324d03963db96449ee43452eb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
[security]
Fix a crash in DNS-over-HTTPS (DoH) code caused by
premature TLS stream socket object deletion.
(CVE-2022-1183) [GL #3216]
[bug]
RPZ NSIP and NSDNAME rule processing didn't handle stub
and static-stub zones at or above the query name. This
has now been addressed. [GL #3232]
Fixed a deadlock that could occur if an rndc
connection arrived during the shutdown of network
interfaces. [GL #3272]
Refactor the fctx_done() function to set fctx to
NULL after detaching, so that reference counting
errors will be easier to avoid. [GL #2969]
udp_recv() in dispatch could trigger an INSIST when the
callback's result indicated success but the response
was canceled in the meantime. [GL #3300]
Work around a jemalloc quirk which could trigger an
out-of-memory condition in named over time. [GL #3287]
If there was a pending negative cache DS entry,
validations depending upon it could fail. [GL #3279]
dig returned a 0 exit status on UDP connection failure.
[GL #3235]
Fix an assertion failure when using dig with +nssearch
and +tcp options by starting the next query in the
send_done() callback (like in the UDP mode) instead
of doing that recursively in start_tcp(). Also
ensure that queries interrupted while connecting
are detached properly. [GL #3144]
Don't remove CDS/CDNSKEY DELETE records on zone sign
when using 'auto-dnssec maintain;'. [GL #2931]
[contrib]
Avoid name space collision in dlz modules by prefixing
functions with 'dlz_'. [GL !5778]
dlz: Add FALLTHROUGH and UNREACHABLE macros. [GL #3306]
[func]
Add new named command-line option -C to print built-in
defaults. [GL #1326]
Introduce the concept of broken catalog zones described
in the DNS catalog zones draft version 5 document.
[GL #3224]
Add DNS Extended Errors when stale answers are returned
from cache. [GL #2267]
Implement support for catalog zones change of ownership
(coo) mechanism described in the DNS catalog zones draft
version 5 document. [GL #3223]
Implement support for catalog zones options new syntax
based on catalog zones custom properties with "ext"
suffix described in the DNS catalog zones draft version
5 document. [GL #3222]
Implement reference counting for TLS contexts and
allow reloading of TLS certificates on reconfiguration
without destroying the underlying TCP listener sockets
for TLS-based DNS transports. [GL #3122]
Add support for remote TLS certificates
verification, both to BIND and dig, making it possible
to implement Strict and Mutual TLS authentication,
as described in RFC 9103, Section 9.3. [GL #3163]
[cleanup]
Remove use of exclusive mode in ns_interfacemgr in
favor of rwlocked access to localhost and localnets
members of dns_aclenv_t structure. [GL #3229]
Remove the task exclusive mode use in ns_clientmgr.
[GL #3230]
(From OE-Core rev: 1bbedc1c6f9b1d431a7d72b9e8e2871d0fe988f5)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d2ae8b85c71be2e9e332b1ef0a2d3083b30c63e6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update to latest stable branch release
Bug Fixes
- Previously, zone maintenance DNS queries retried forever if the destination
server was unreachable. These queries included outgoing NOTIFY messages,
refresh SOA queries, parental DS checks, and stub zone NS queries. For example,
if a zone had any nameservers with IPv6 addresses and a secondary server without
IPv6 connectivity, that server would keep trying to send a growing amount of
NOTIFY traffic over IPv6. This futile traffic was not logged. This excessive
retry behavior has been fixed. [GL #3242]
- A number of crashes and hangs which could be triggered in dig were identified and
addressed. [GL #3020] [GL #3128] [GL #3145] [GL #3184] [GL #3205] [GL #3244] [GL #3248]
- Invalid dnssec-policy definitions, where the defined keys did not cover both KSK
and ZSK roles for a given algorithm, were being accepted. These are now checked,
and the dnssec-policy is rejected if both roles are not present for all algorithms
in use. [GL #3142]
- Handling of TCP write timeouts has been improved to track the timeout for each TCP
write separately, leading to a faster connection teardown in case the other party
is not reading the data. [GL #3200]
(From OE-Core rev: 297215735613b1c9512780580da2f84cf013a603)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5398263c8e070110a045a5f8999712ba4be628de)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop removed python/libtool options.
isc/platform.h is no longer installed.
Rewrite reproducibility patch to fix the problem at the source.
License-Update: copyright years
(From OE-Core rev: 8a9a5885995c77774cdafeb09f7522c50750a1e9)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
Log "quota reached" message when hard quota is reached when accepting a connection.
Add ECS support to the DLZ interface.
A failed view configuration during a named reconfiguration procedure could cause
inconsistencies in BIND internal structures, causing a crash or other unexpected errors.
rndc could crash when interrupted by a signal before receiving a response.
Correctly detect and enable UDP recvmmsg support in all versions of libuv that support it.
(From OE-Core rev: c47caa7c8ca77ff137988deaf2d2a8b381f5a3f8)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The -r option has been removed from rndc-confgen since bind 9.13[1].
Fix the bind startup error:
$ /etc/init.d/bind start
Starting domain name service: namedrndc-confgen: The -r option has been deprecated.
chmod: cannot access '/etc/bind/rndc.key': No such file or directory
[1]: 3a4f820d62
(From OE-Core rev: a5c5977bef44b7b014af590515ea1f93d7d51f46)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Repo-wide replacement to use newer variable to represent systemd
system unitdir directory.
(From OE-Core rev: 5ace3ada5c54500c71becc8e0c6eddeb8bc053e3)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
--- 9.16.19 released ---
5671. [bug] A race condition could occur where two threads were
competing for the same set of key file locks, leading to
a deadlock. This has been fixed. [GL #2786]
5670. [bug] create_keydata() created an invalid placeholder keydata
record upon a refresh failure, which prevented the
database of managed keys from subsequently being read
back. This has been fixed. [GL #2686]
5669. [func] KASP support was extended with the "check DS" feature.
Zones with "dnssec-policy" and "parental-agents"
configured now check for DS presence and can perform
automatic KSK rollovers. [GL #1126]
5668. [bug] Rescheduling a setnsec3param() task when a zone failed
to load on startup caused a hang on shutdown. This has
been fixed. [GL #2791]
5667. [bug] The configuration-checking code failed to account for
the inheritance rules of the "dnssec-policy" option.
This has been fixed. [GL #2780]
5666. [doc] The safe "edns-udp-size" value was tweaked to match the
probing value from BIND 9.16 for better compatibility.
[GL #2183]
5665. [bug] If nsupdate sends an SOA request and receives a REFUSED
response, it now fails over to the next available
server. [GL #2758]
5664. [func] For UDP messages larger than the path MTU, named now
sends an empty response with the TC (TrunCated) bit set.
In addition, setting the DF (Don't Fragment) flag on
outgoing UDP sockets was re-enabled. [GL #2790]
5662. [bug] Views with recursion disabled are now configured with a
default cache size of 2 MB unless "max-cache-size" is
explicitly set. This prevents cache RBT hash tables from
being needlessly preallocated for such views. [GL #2777]
5661. [bug] Change 5644 inadvertently introduced a deadlock: when
locking the key file mutex for each zone structure in a
different view, the "in-view" logic was not considered.
This has been fixed. [GL #2783]
5658. [bug] Increasing "max-cache-size" for a running named instance
(using "rndc reconfig") did not cause the hash tables
used by cache databases to be grown accordingly. This
has been fixed. [GL #2770]
5655. [bug] Signed, insecure delegation responses prepared by named
either lacked the necessary NSEC records or contained
duplicate NSEC records when both wildcard expansion and
CNAME chaining were required to prepare the response.
This has been fixed. [GL #2759]
5653. [bug] A bug that caused the NSEC3 salt to be changed on every
restart for zones using KASP has been fixed. [GL #2725]
(From OE-Core rev: 8afda7983aa6476eb5d44962e99992eb479eff1f)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
so the issue doesn't affect us.
(From OE-Core rev: 30106ae676124ba3c0e496a4f19c919c8418b59b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adjust library packaging (see link to commit in the recipe).
(From OE-Core rev: 4711c1f4fc003da594b2a230997012ad5dcc202f)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Added HOMEPAGE and DESCRIPTION for recipes with missing decriptions or homepage
[YOCTO #13471]
(From OE-Core rev: ecf8922e6bb12a2facc59bbe794b575101fce1dc)
Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
rename directory of patches
-License-Update: Copyright year updated to 2021.
(From OE-Core rev: 316f9602c633fdf52009b4567ccf598d1c716acd)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The named service fail to start as below:
# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2020-09-16 06:07:49 UTC; 9s ago
Process: 134206 ExecStartPre=/usr/sbin/generate-rndc-key.sh (code=exited, status=1/FAILURE)
Sep 16 06:07:49 intel-x86-64 systemd[1]: Starting Berkeley Internet Name Domain (DNS)...
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134206]: Generating /etc/bind/rndc.key:
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134207]: rndc-confgen: The -r option has been deprecated.
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134208]: chown: cannot access '/etc/bind/rndc.key': No such file or directory
Sep 16 06:07:49 intel-x86-64 generate-rndc-key.sh[134209]: chmod: cannot access '/etc/bind/rndc.key': No such file or directory
Sep 16 06:07:49 intel-x86-64 systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Sep 16 06:07:49 intel-x86-64 systemd[1]: named.service: Failed with result 'exit-code'.
Sep 16 06:07:49 intel-x86-64 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
It is because fail to execute "/usr/sbin/generate-rndc-key.sh" as
-r is deprecated since bind 9.13.x and the random function changes
in [1], so remove -r option to fix the above issue.
DNSSEC validation is now active by default after bind upgrade to 9.16.x,
but it is not in 9.11.x. So disable DNSSEC validation explicitly to
silence below message.
Sep 18 03:21:37 intel-x86-64 named[23272]: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
[1]: 3a4f820d62
(From OE-Core rev: 884cc4196c75b5107082a188cf5f7a4dee4fc5c3)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We are setting u-a for nslookup and it won't work unless we inherit this
class
(From OE-Core rev: 0cccb2ae6508c0b3d4a5362e61b24ee314c2fb02)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Andrey Zhizhikin <andrey.z@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Removed obsolete packageconfig options
License change to MPL-2.0
https://gitlab.isc.org/isc-projects/bind9/blob/master/LICENSE
Refreshed:
bind-ensure-searching-for-json-headers-searches-sysr.patch
0001-named-lwresd-V-and-start-log-hide-build-options.patch
bind-ensure-searching-for-json-headers-searches-sysr.patch
Drop obsolete patch: 0001-configure.in-remove-useless-L-use_openssl-lib.patch
RP: Dropped the multilib scripts handling as those scripts are no longer present
in this version.
(From OE-Core rev: d7cc84de47fad1dfbae68c32bb2165c708bec66b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop backports.
Drop 0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch and
0001-lib-dns-gen.c-fix-too-long-error.patch as problem is fixed
upstream.
(From OE-Core rev: 6965ec5c491e71d5951dfb58fc060bd0b717e33d)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport patches to fix CVE-2019-6471 and CVE-2018-5743 for bind.
CVE-2019-6471 is fixed by 0001-bind-fix-CVE-2019-6471.patch and the
other 6 patches are for CVE-2018-5743. And backport one more patch to
fix compile error on arm caused by these 6 commits.
(From OE-Core rev: 3c39d4158677b97253df63f23b74c3a9dd5539f6)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Nothing in the target installation actually needs it.
(From OE-Core rev: 0357b2d2cdcbcef89a346126969ec3e1856bda95)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If the PACKAGECONFIG item, python3, is enabled, we get the following
QA issue when multilib is enabled.
ERROR: bind-9.11.5-P4-r0 do_package: QA Issue: bind: Files/directories were installed but not shipped in any package:
/usr/lib
/usr/lib/python3.7
/usr/lib/python3.7/site-packages
/usr/lib/python3.7/site-packages/isc-2.0-py3.7.egg-info
/usr/lib/python3.7/site-packages/isc
/usr/lib/python3.7/site-packages/isc/policy.py
[snip]
The thing is, when --with-python is specified with a path instead of 'yes',
the --with-python-install-dir is in fact ignored.
Fix this issue by specifying the correct arguments.
(From OE-Core rev: 2c36b3e5c7caae07ffe0cfb816d37fad52d69fc9)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
