mirror of
https://git.yoctoproject.org/poky
synced 2026-03-02 05:19:40 +01:00
eea8e56bed
Notes for BIND 9.18.19 Security Fixes Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly. This has been fixed. (CVE-2023-3341) ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for bringing this vulnerability to our attention. [GL #4152] A flaw in the networking code handling DNS-over-TLS queries could cause named to terminate unexpectedly due to an assertion failure under significant DNS-over-TLS query load. This has been fixed. (CVE-2023-4236) ISC would like to thank Robert Story from USC/ISI Root Server Operations for bringing this vulnerability to our attention. [GL #4242] Removed Features The dnssec-must-be-secure option has been deprecated and will be removed in a future release. [GL #4263] Feature Changes If the server command is specified, nsupdate now honors the nsupdate -v option for SOA queries by sending both the UPDATE request and the initial query over TCP. [GL #1181] Bug Fixes The value of the If-Modified-Since header in the statistics channel was not being correctly validated for its length, potentially allowing an authorized user to trigger a buffer overflow. Ensuring the statistics channel is configured correctly to grant access exclusively to authorized users is essential (see the statistics-channels block definition and usage section). [GL #4124] This issue was reported independently by Eric Sesterhenn of X41 D-Sec GmbH and Cameron Whitehead. The Content-Length header in the statistics channel was lacking proper bounds checking. A negative or excessively large value could potentially trigger an integer overflow and result in an assertion failure. [GL This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. Several memory leaks caused by not clearing the OpenSSL error stack were fixed. [GL #4159] This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH. The introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs UPDATE policies accidentally caused named to return SERVFAIL responses to deletion requests for non-existent PTR and SRV records. This has been fixed. [GL #4280] The stale-refresh-time feature was mistakenly disabled when the server cache was flushed by rndc flush. This has been fixed. [GL #4278] BIND’s memory consumption has been improved by implementing dedicated jemalloc memory arenas for sending buffers. This optimization ensures that memory usage is more efficient and better manages the return of memory pages to the operating system. [GL #4038] Previously, partial writes in the TLS DNS code were not accounted for correctly, which could have led to DNS message corruption. This has been fixed. [GL #4255] Known Issues There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch. Notes for BIND 9.18.18 Feature Changes When a primary server for a zone responds to an SOA query, but the subsequent TCP connection required to transfer the zone is refused, that server is marked as temporarily unreachable. This now also happens if the TCP connection attempt times out, preventing too many zones from queuing up on an unreachable server and allowing the refresh process to move on to the next configured primary more quickly. [GL #4215] The dialup and heartbeat-interval options have been deprecated and will be removed in a future BIND 9 release. [GL #3700] Bug Fixes Processing already-queued queries received over TCP could cause an assertion failure, when the server was reconfigured at the same time or the cache was being flushed. This has been fixed. [GL #4200] Setting dnssec-policy to insecure prevented zones containing resource records with a TTL value larger than 86400 seconds (1 day) from being loaded. This has been fixed by ignoring the TTL values in the zone and using a value of 604800 seconds (1 week) as the maximum zone TTL in key rollover timing calculations. [GL #4032] Known Issues There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch. Link to release notes: https://bind9.readthedocs.io/en/v9.18.19/notes.html#notes-for-bind-9-18-19 (From OE-Core rev: b88fe4581a48c1639764266380921d452a9b6132) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
331 lines
11 KiB
Diff
331 lines
11 KiB
Diff
Upstream-Status: Inappropriate [configuration]
|
|
|
|
the patch is imported from openembedded project
|
|
|
|
11/30/2010 - Qing He <qing.he@intel.com>
|
|
|
|
diff -urN bind-9.3.1.orig/conf/db.0 bind-9.3.1/conf/db.0
|
|
--- bind-9.3.1.orig/conf/db.0 1970-01-01 01:00:00.000000000 +0100
|
|
+++ bind-9.3.1/conf/db.0 2005-07-10 22:14:00.000000000 +0200
|
|
@@ -0,0 +1,12 @@
|
|
+;
|
|
+; BIND reverse data file for broadcast zone
|
|
+;
|
|
+$TTL 604800
|
|
+@ IN SOA localhost. root.localhost. (
|
|
+ 1 ; Serial
|
|
+ 604800 ; Refresh
|
|
+ 86400 ; Retry
|
|
+ 2419200 ; Expire
|
|
+ 604800 ) ; Negative Cache TTL
|
|
+;
|
|
+@ IN NS localhost.
|
|
diff -urN bind-9.3.1.orig/conf/db.127 bind-9.3.1/conf/db.127
|
|
--- bind-9.3.1.orig/conf/db.127 1970-01-01 01:00:00.000000000 +0100
|
|
+++ bind-9.3.1/conf/db.127 2005-07-10 22:14:00.000000000 +0200
|
|
@@ -0,0 +1,13 @@
|
|
+;
|
|
+; BIND reverse data file for local loopback interface
|
|
+;
|
|
+$TTL 604800
|
|
+@ IN SOA localhost. root.localhost. (
|
|
+ 1 ; Serial
|
|
+ 604800 ; Refresh
|
|
+ 86400 ; Retry
|
|
+ 2419200 ; Expire
|
|
+ 604800 ) ; Negative Cache TTL
|
|
+;
|
|
+@ IN NS localhost.
|
|
+1.0.0 IN PTR localhost.
|
|
diff -urN bind-9.3.1.orig/conf/db.empty bind-9.3.1/conf/db.empty
|
|
--- bind-9.3.1.orig/conf/db.empty 1970-01-01 01:00:00.000000000 +0100
|
|
+++ bind-9.3.1/conf/db.empty 2005-07-10 22:14:00.000000000 +0200
|
|
@@ -0,0 +1,14 @@
|
|
+; BIND reverse data file for empty rfc1918 zone
|
|
+;
|
|
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
|
|
+; Instead, copy it, edit named.conf, and use that copy.
|
|
+;
|
|
+$TTL 86400
|
|
+@ IN SOA localhost. root.localhost. (
|
|
+ 1 ; Serial
|
|
+ 604800 ; Refresh
|
|
+ 86400 ; Retry
|
|
+ 2419200 ; Expire
|
|
+ 86400 ) ; Negative Cache TTL
|
|
+;
|
|
+@ IN NS localhost.
|
|
diff -urN bind-9.3.1.orig/conf/db.255 bind-9.3.1/conf/db.255
|
|
--- bind-9.3.1.orig/conf/db.255 1970-01-01 01:00:00.000000000 +0100
|
|
+++ bind-9.3.1/conf/db.255 2005-07-10 22:14:00.000000000 +0200
|
|
@@ -0,0 +1,12 @@
|
|
+;
|
|
+; BIND reserve data file for broadcast zone
|
|
+;
|
|
+$TTL 604800
|
|
+@ IN SOA localhost. root.localhost. (
|
|
+ 1 ; Serial
|
|
+ 604800 ; Refresh
|
|
+ 86400 ; Retry
|
|
+ 2419200 ; Expire
|
|
+ 604800 ) ; Negative Cache TTL
|
|
+;
|
|
+@ IN NS localhost.
|
|
diff -urN bind-9.3.1.orig/conf/db.local bind-9.3.1/conf/db.local
|
|
--- bind-9.3.1.orig/conf/db.local 1970-01-01 01:00:00.000000000 +0100
|
|
+++ bind-9.3.1/conf/db.local 2005-07-10 22:14:00.000000000 +0200
|
|
@@ -0,0 +1,13 @@
|
|
+;
|
|
+; BIND data file for local loopback interface
|
|
+;
|
|
+$TTL 604800
|
|
+@ IN SOA localhost. root.localhost. (
|
|
+ 1 ; Serial
|
|
+ 604800 ; Refresh
|
|
+ 86400 ; Retry
|
|
+ 2419200 ; Expire
|
|
+ 604800 ) ; Negative Cache TTL
|
|
+;
|
|
+@ IN NS localhost.
|
|
+@ IN A 127.0.0.1
|
|
diff -urN bind-9.3.1.orig/conf/db.root bind-9.3.1/conf/db.root
|
|
--- bind-9.3.1.orig/conf/db.root 1970-01-01 01:00:00.000000000 +0100
|
|
+++ bind-9.3.1/conf/db.root 2005-07-10 22:14:00.000000000 +0200
|
|
@@ -0,0 +1,45 @@
|
|
+
|
|
+; <<>> DiG 9.2.3 <<>> ns . @a.root-servers.net.
|
|
+;; global options: printcmd
|
|
+;; Got answer:
|
|
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18944
|
|
+;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
|
|
+
|
|
+;; QUESTION SECTION:
|
|
+;. IN NS
|
|
+
|
|
+;; ANSWER SECTION:
|
|
+. 518400 IN NS A.ROOT-SERVERS.NET.
|
|
+. 518400 IN NS B.ROOT-SERVERS.NET.
|
|
+. 518400 IN NS C.ROOT-SERVERS.NET.
|
|
+. 518400 IN NS D.ROOT-SERVERS.NET.
|
|
+. 518400 IN NS E.ROOT-SERVERS.NET.
|
|
+. 518400 IN NS F.ROOT-SERVERS.NET.
|
|
+. 518400 IN NS G.ROOT-SERVERS.NET.
|
|
+. 518400 IN NS H.ROOT-SERVERS.NET.
|
|
+. 518400 IN NS I.ROOT-SERVERS.NET.
|
|
+. 518400 IN NS J.ROOT-SERVERS.NET.
|
|
+. 518400 IN NS K.ROOT-SERVERS.NET.
|
|
+. 518400 IN NS L.ROOT-SERVERS.NET.
|
|
+. 518400 IN NS M.ROOT-SERVERS.NET.
|
|
+
|
|
+;; ADDITIONAL SECTION:
|
|
+A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
|
|
+B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201
|
|
+C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
|
|
+D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
|
|
+E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
|
|
+F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
|
|
+G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
|
|
+H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
|
|
+I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
|
|
+J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
|
|
+K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
|
|
+L.ROOT-SERVERS.NET. 3600000 IN A 198.32.64.12
|
|
+M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
|
|
+
|
|
+;; Query time: 81 msec
|
|
+;; SERVER: 198.41.0.4#53(a.root-servers.net.)
|
|
+;; WHEN: Sun Feb 1 11:27:14 2004
|
|
+;; MSG SIZE rcvd: 436
|
|
+
|
|
diff -urN bind-9.3.1.orig/conf/named.conf bind-9.3.1/conf/named.conf
|
|
--- bind-9.3.1.orig/conf/named.conf 1970-01-01 01:00:00.000000000 +0100
|
|
+++ bind-9.3.1/conf/named.conf 2005-07-10 22:33:46.000000000 +0200
|
|
@@ -0,0 +1,49 @@
|
|
+// This is the primary configuration file for the BIND DNS server named.
|
|
+//
|
|
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
|
|
+
|
|
+include "/etc/bind/named.conf.options";
|
|
+
|
|
+// prime the server with knowledge of the root servers
|
|
+zone "." {
|
|
+ type hint;
|
|
+ file "/etc/bind/db.root";
|
|
+};
|
|
+
|
|
+// be authoritative for the localhost forward and reverse zones, and for
|
|
+// broadcast zones as per RFC 1912
|
|
+
|
|
+zone "localhost" {
|
|
+ type master;
|
|
+ file "/etc/bind/db.local";
|
|
+};
|
|
+
|
|
+zone "127.in-addr.arpa" {
|
|
+ type master;
|
|
+ file "/etc/bind/db.127";
|
|
+};
|
|
+
|
|
+zone "0.in-addr.arpa" {
|
|
+ type master;
|
|
+ file "/etc/bind/db.0";
|
|
+};
|
|
+
|
|
+zone "255.in-addr.arpa" {
|
|
+ type master;
|
|
+ file "/etc/bind/db.255";
|
|
+};
|
|
+
|
|
+// zone "com" { type delegation-only; };
|
|
+// zone "net" { type delegation-only; };
|
|
+
|
|
+// From the release notes:
|
|
+// Because many of our users are uncomfortable receiving undelegated answers
|
|
+// from root or top level domains, other than a few for whom that behaviour
|
|
+// has been trusted and expected for quite some length of time, we have now
|
|
+// introduced the "root-delegations-only" feature which applies delegation-only
|
|
+// logic to all top level domains, and to the root domain. An exception list
|
|
+// should be specified, including "MUSEUM" and "DE", and any other top level
|
|
+// domains from whom undelegated responses are expected and trusted.
|
|
+// root-delegation-only exclude { "DE"; "MUSEUM"; };
|
|
+
|
|
+include "/etc/bind/named.conf.local";
|
|
diff -urN bind-9.3.1.orig/conf/named.conf.local bind-9.3.1/conf/named.conf.local
|
|
--- bind-9.3.1.orig/conf/named.conf.local 1970-01-01 01:00:00.000000000 +0100
|
|
+++ bind-9.3.1/conf/named.conf.local 2005-07-10 22:14:06.000000000 +0200
|
|
@@ -0,0 +1,8 @@
|
|
+//
|
|
+// Do any local configuration here
|
|
+//
|
|
+
|
|
+// Consider adding the 1918 zones here, if they are not used in your
|
|
+// organization
|
|
+//include "/etc/bind/zones.rfc1918";
|
|
+
|
|
diff -urN bind-9.3.1.orig/conf/named.conf.options bind-9.3.1/conf/named.conf.options
|
|
--- bind-9.3.1.orig/conf/named.conf.options 1970-01-01 01:00:00.000000000 +0100
|
|
+++ bind-9.3.1/conf/named.conf.options 2005-07-10 22:14:06.000000000 +0200
|
|
@@ -0,0 +1,24 @@
|
|
+options {
|
|
+ directory "/var/cache/bind";
|
|
+
|
|
+ // If there is a firewall between you and nameservers you want
|
|
+ // to talk to, you might need to uncomment the query-source
|
|
+ // directive below. Previous versions of BIND always asked
|
|
+ // questions using port 53, but BIND 8.1 and later use an unprivileged
|
|
+ // port by default.
|
|
+
|
|
+ // query-source address * port 53;
|
|
+
|
|
+ // If your ISP provided one or more IP addresses for stable
|
|
+ // nameservers, you probably want to use them as forwarders.
|
|
+ // Uncomment the following block, and insert the addresses replacing
|
|
+ // the all-0's placeholder.
|
|
+
|
|
+ // forwarders {
|
|
+ // 0.0.0.0;
|
|
+ // };
|
|
+
|
|
+ auth-nxdomain no; # conform to RFC1035
|
|
+
|
|
+};
|
|
+
|
|
diff -urN bind-9.3.1.orig/conf/zones.rfc1918 bind-9.3.1/conf/zones.rfc1918
|
|
--- bind-9.3.1.orig/conf/zones.rfc1918 1970-01-01 01:00:00.000000000 +0100
|
|
+++ bind-9.3.1/conf/zones.rfc1918 2005-07-10 22:14:10.000000000 +0200
|
|
@@ -0,0 +1,20 @@
|
|
+zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+
|
|
+zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
+
|
|
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
|
|
diff -urN bind-9.3.1.orig/init.d bind-9.3.1/init.d
|
|
--- bind-9.3.1.orig/init.d 1970-01-01 01:00:00.000000000 +0100
|
|
+++ bind-9.3.1/init.d 2005-07-10 23:09:58.000000000 +0200
|
|
@@ -0,0 +1,70 @@
|
|
+#!/bin/sh
|
|
+
|
|
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
|
+
|
|
+# for a chrooted server: "-u bind -t /var/lib/named"
|
|
+# Don't modify this line, change or create /etc/default/bind9.
|
|
+OPTIONS=""
|
|
+
|
|
+test -f /etc/default/bind9 && . /etc/default/bind9
|
|
+
|
|
+test -x /usr/sbin/rndc || exit 0
|
|
+
|
|
+case "$1" in
|
|
+ start)
|
|
+ echo -n "Starting domain name service: named"
|
|
+
|
|
+ modprobe capability >/dev/null 2>&1 || true
|
|
+ if [ ! -f /etc/bind/rndc.key ]; then
|
|
+ /usr/sbin/rndc-confgen -a -b 512
|
|
+ chmod 0640 /etc/bind/rndc.key
|
|
+ fi
|
|
+ if [ -f /var/run/named/named.pid ]; then
|
|
+ ps `cat /var/run/named/named.pid` > /dev/null && exit 1
|
|
+ fi
|
|
+
|
|
+ # dirs under /var/run can go away on reboots.
|
|
+ mkdir -p /var/run/named
|
|
+ mkdir -p /var/cache/bind
|
|
+ chmod 775 /var/run/named
|
|
+ chown root:bind /var/run/named >/dev/null 2>&1 || true
|
|
+
|
|
+ if [ ! -x /usr/sbin/named ]; then
|
|
+ echo "named binary missing - not starting"
|
|
+ exit 1
|
|
+ fi
|
|
+ if start-stop-daemon --start --quiet --exec /usr/sbin/named \
|
|
+ --pidfile /var/run/named/named.pid -- $OPTIONS; then
|
|
+ if [ -x /sbin/resolvconf ] ; then
|
|
+ echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo
|
|
+ fi
|
|
+ fi
|
|
+ echo "."
|
|
+ ;;
|
|
+
|
|
+ stop)
|
|
+ echo -n "Stopping domain name service: named"
|
|
+ if [ -x /sbin/resolvconf ]; then
|
|
+ /sbin/resolvconf -d lo
|
|
+ fi
|
|
+ /usr/sbin/rndc stop >/dev/null 2>&1
|
|
+ echo "."
|
|
+ ;;
|
|
+
|
|
+ reload)
|
|
+ /usr/sbin/rndc reload
|
|
+ ;;
|
|
+
|
|
+ restart|force-reload)
|
|
+ $0 stop
|
|
+ sleep 2
|
|
+ $0 start
|
|
+ ;;
|
|
+
|
|
+ *)
|
|
+ echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
|
|
+ exit 1
|
|
+ ;;
|
|
+esac
|
|
+
|
|
+exit 0
|