-rw-r--r--.gitignore1
-rw-r--r--bind-9.10-dist-native-pkcs11.patch550
-rw-r--r--bind-9.11-feature-test-named.patch59
-rw-r--r--bind-9.11-fips-tests.patch959
-rw-r--r--bind-9.11-kyua-pkcs11.patch58
-rw-r--r--bind-9.11-rh1666814.patch29
-rw-r--r--bind-9.11-tests-variants.patch65
-rw-r--r--bind-9.14-config-pkcs11.patch83
-rw-r--r--bind-9.16-CVE-2021-25220-test.patch1144
-rw-r--r--bind-9.16-CVE-2021-25220.patch251
-rw-r--r--bind-9.16-CVE-2022-0396.patch81
-rw-r--r--bind-9.16-CVE-2022-2795.patch60
-rw-r--r--bind-9.16-CVE-2022-3080.patch116
-rw-r--r--bind-9.16-CVE-2022-3094-1.patch241
-rw-r--r--bind-9.16-CVE-2022-3094-2.patch266
-rw-r--r--bind-9.16-CVE-2022-3094-3.patch470
-rw-r--r--bind-9.16-CVE-2022-3094-test.patch272
-rw-r--r--bind-9.16-CVE-2022-3736.patch53
-rw-r--r--bind-9.16-CVE-2022-38177.patch27
-rw-r--r--bind-9.16-CVE-2022-38178.patch32
-rw-r--r--bind-9.16-CVE-2022-3924.patch128
-rw-r--r--bind-9.16-redhat_doc.patch60
-rw-r--r--bind-9.16-rh2101712.patch194
-rw-r--r--bind-9.16-rh2133889.patch31
-rw-r--r--bind-9.16.23.tar.xz.asc17
-rw-r--r--bind-9.5-PIE.patch30
-rw-r--r--bind-9.5-dlz-64bit.patch53
-rw-r--r--bind-9.9.1-P2-dlz-libdb.patch31
-rw-r--r--bind.spec4025
-rw-r--r--bind.tmpfiles.d1
-rw-r--r--bind93-rh490837.patch34
-rw-r--r--bind97-rh645544.patch31
-rw-r--r--codesign2021.txt534
-rwxr-xr-xgenerate-rndc-key.sh33
-rw-r--r--named-chroot-setup.service12
-rw-r--r--named-chroot.files27
-rw-r--r--named-chroot.service30
-rw-r--r--named-pkcs11.service26
-rw-r--r--named-setup-rndc.service7
-rw-r--r--named.conf59
-rw-r--r--named.conf.sample243
-rw-r--r--named.empty10
-rw-r--r--named.localhost10
-rw-r--r--named.logrotate12
-rw-r--r--named.loopback11
-rw-r--r--named.rfc1912.zones45
-rw-r--r--named.root61
-rw-r--r--named.root.key13
-rw-r--r--named.rwtab6
-rw-r--r--named.service25
-rw-r--r--named.sysconfig17
-rwxr-xr-xsetup-named-chroot.sh117
-rwxr-xr-xsetup-named-softhsm.sh124
-rw-r--r--sources1
-rw-r--r--trusted-key.key1
55 files changed, 10876 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index e69de29..2fa48ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/bind-9.16.23.tar.xz
diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch
new file mode 100644
index 0000000..85ece30
--- /dev/null
+++ b/bind-9.10-dist-native-pkcs11.patch
@@ -0,0 +1,550 @@
+From 040227009453b3f0aa7914c7a6a94dc57ad5269b Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 21 Jan 2021 10:46:20 +0100
+Subject: [PATCH] Enable custom pkcs11 native build
+
+Share common parts like libisc, libcc and others. But provide native
+pkcs11 libraries as a new copy of libdns and libns.
+---
+ bin/Makefile.in | 2 +-
+ bin/confgen/Makefile.in | 2 +-
+ bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++---------------
+ bin/named-pkcs11/Makefile.in | 33 ++++++++++++++-------------
+ configure.ac | 19 ++++++++++++++++
+ lib/Makefile.in | 2 +-
+ lib/dns-pkcs11/Makefile.in | 22 +++++++++---------
+ lib/dns-pkcs11/tests/Makefile.in | 8 +++----
+ lib/ns-pkcs11/Makefile.in | 26 ++++++++++-----------
+ lib/ns-pkcs11/tests/Makefile.in | 12 +++++-----
+ make/includes.in | 7 ++++++
+ 11 files changed, 101 insertions(+), 71 deletions(-)
+
+diff --git a/bin/Makefile.in b/bin/Makefile.in
+index 9ad7f62..094775a 100644
+--- a/bin/Makefile.in
++++ b/bin/Makefile.in
+@@ -11,7 +11,7 @@ srcdir = @srcdir@
+ VPATH = @srcdir@
+ top_srcdir = @top_srcdir@
+
+-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
++SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \
+ @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
+ TARGETS =
+
+diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
+index c126bf3..1b7512d 100644
+--- a/bin/confgen/Makefile.in
++++ b/bin/confgen/Makefile.in
+@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
+ CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+-CDEFINES = @USE_PKCS11@
++CDEFINES =
+ CWARNINGS =
+
+ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
+index ace0e5a..e0f6a00 100644
+--- a/bin/dnssec-pkcs11/Makefile.in
++++ b/bin/dnssec-pkcs11/Makefile.in
+@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
+
+ @BIND9_MAKE_INCLUDES@
+
+-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
++CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+ ${OPENSSL_CFLAGS}
+
+-CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
++CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1
+ CWARNINGS =
+
+-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+
+-DNSDEPLIBS = ../../lib/dns/libdns.@A@
++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+ ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+
+@@ -36,12 +36,15 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+
+ NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+
++# Add suffix to all targets
++EXEEXT = -pkcs11@EXEEXT@
++
+ # Alphabetically
+-TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
+- dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
+- dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
+- dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
+- dnssec-verify@EXEEXT@
++TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \
++ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \
++ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \
++ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \
++ dnssec-verify${EXEEXT}
+
+ OBJS = dnssectool.@O@
+
+@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
+
+ @BIND9_MAKE_RULES@
+
+-dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
++dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
++dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
++dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
++dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+ -c ${srcdir}/dnssec-signzone.c
+
+-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
++dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+ -c ${srcdir}/dnssec-verify.c
+
+-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
++dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
++dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-revoke.@O@ ${OBJS} ${LIBS}
+
+-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
++dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-settime.@O@ ${OBJS} ${LIBS}
+
+-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
++dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-importkey.@O@ ${OBJS} ${LIBS}
+
+diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
+index 98125dd..518a75f 100644
+--- a/bin/named-pkcs11/Makefile.in
++++ b/bin/named-pkcs11/Makefile.in
+@@ -37,13 +37,14 @@ DBDRIVER_LIBS =
+
+ DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
+
+-DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@
+-DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@
+-DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
+-DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
++# Skip building on PKCS11 variant
++DLZDRIVER_OBJS =
++DLZDRIVER_SRCS =
++DLZDRIVER_INCLUDES =
++DLZDRIVER_LIBS =
+
+ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
+- ${NS_INCLUDES} ${DNS_INCLUDES} \
++ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \
+ ${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
+ ${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
+ ${DBDRIVER_INCLUDES} \
+@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
+ ${LIBXML2_CFLAGS} \
+ ${MAXMINDDB_CFLAGS}
+
+-CDEFINES = @CONTRIB_DLZ@
++CDEFINES =
+
+ CWARNINGS =
+
+-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+ ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+ BIND9LIBS = ../../lib/bind9/libbind9.@A@
+-NSLIBS = ../../lib/ns/libns.@A@
++NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
+
+-DNSDEPLIBS = ../../lib/dns/libdns.@A@
++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
+ ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+-NSDEPLIBS = ../../lib/ns/libns.@A@
++NSDEPLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
+
+ DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+ ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
+@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
+
+ SUBDIRS = unix
+
+-TARGETS = named@EXEEXT@ feature-test@EXEEXT@
++TARGETS = named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@
+
+ GEOIP2LINKOBJS = geoip.@O@
+
+@@ -151,7 +152,7 @@ server.@O@: server.c
+ -DPRODUCT=\"${PRODUCT}\" \
+ -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
+
+-named@EXEEXT@: ${OBJS} ${DEPLIBS}
++named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS}
+ export MAKE_SYMTABLE="yes"; \
+ export BASEOBJS="${OBJS} ${UOBJS}"; \
+ ${FINALBUILDCMD}
+@@ -161,7 +162,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -c ${top_srcdir}/bin/tests/system/feature-test.c
+
+-feature-test@EXEEXT@: feature-test.@O@
++feature-test-pkcs11@EXEEXT@: feature-test.@O@
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
+
+@@ -180,11 +181,11 @@ statschannel.@O@: bind9.xsl.h
+ installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+-install:: named@EXEEXT@ installdirs
+- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
++install:: named-pkcs11@EXEEXT@ installdirs
++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
+
+ uninstall::
+- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
+
+ @DLZ_DRIVER_RULES@
+
+diff --git a/configure.ac b/configure.ac
+index 032228b..64e3da0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI)
+ AC_SUBST(DST_GSSAPI_INC)
+ AC_SUBST(DNS_GSSAPI_LIBS)
+ DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
++DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
+
+ #
+ # Applications linking with libdns also need to link with these libraries.
+ #
+
+ AC_SUBST(DNS_CRYPTO_LIBS)
++AC_SUBST(DNS_CRYPTO_PK11_LIBS)
+
+ #
+ # was --with-lmdb specified?
+@@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
+ AC_SUBST(BIND9_NS_BUILDINCLUDE)
+ AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
+ AC_SUBST(BIND9_IRS_BUILDINCLUDE)
++AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE)
++AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE)
+ if test "X$srcdir" != "X"; then
+ BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
+ BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
+@@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then
+ BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
+ BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
+ BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
++ BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include"
++ BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include"
+ else
+ BIND9_ISC_BUILDINCLUDE=""
+ BIND9_ISCCC_BUILDINCLUDE=""
+@@ -2343,6 +2349,8 @@ else
+ BIND9_NS_BUILDINCLUDE=""
+ BIND9_BIND9_BUILDINCLUDE=""
+ BIND9_IRS_BUILDINCLUDE=""
++ BIND9_DNS_PKCS11_BUILDINCLUDE=""
++ BIND9_NS_PKCS11_BUILDINCLUDE=""
+ fi
+
+ AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
+@@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([
+ bin/delv/Makefile
+ bin/dig/Makefile
+ bin/dnssec/Makefile
++ bin/dnssec-pkcs11/Makefile
+ bin/named/Makefile
+ bin/named/unix/Makefile
++ bin/named-pkcs11/Makefile
++ bin/named-pkcs11/unix/Makefile
+ bin/nsupdate/Makefile
+ bin/pkcs11/Makefile
+ bin/plugins/Makefile
+@@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([
+ lib/dns/include/dns/Makefile
+ lib/dns/include/dst/Makefile
+ lib/dns/tests/Makefile
++ lib/dns-pkcs11/Makefile
++ lib/dns-pkcs11/include/Makefile
++ lib/dns-pkcs11/include/dns/Makefile
++ lib/dns-pkcs11/include/dst/Makefile
+ lib/irs/Makefile
+ lib/irs/include/Makefile
+ lib/irs/include/irs/Makefile
+@@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([
+ lib/ns/include/Makefile
+ lib/ns/include/ns/Makefile
+ lib/ns/tests/Makefile
++ lib/ns-pkcs11/Makefile
++ lib/ns-pkcs11/include/Makefile
++ lib/ns-pkcs11/include/ns/Makefile
++ lib/ns-pkcs11/tests/Makefile
+ make/Makefile
+ make/mkdep
+ unit/unittest.sh
+diff --git a/lib/Makefile.in b/lib/Makefile.in
+index 833964e..058ba2f 100644
+--- a/lib/Makefile.in
++++ b/lib/Makefile.in
+@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
+ # Attempt to disable parallel processing.
+ .NOTPARALLEL:
+ .NO_PARALLEL:
+-SUBDIRS = isc isccc dns ns isccfg bind9 irs
++SUBDIRS = isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs
+ TARGETS =
+
+ @BIND9_MAKE_RULES@
+diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
+index 58bda3c..d6a45df 100644
+--- a/lib/dns-pkcs11/Makefile.in
++++ b/lib/dns-pkcs11/Makefile.in
+@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
+
+ @BIND9_MAKE_INCLUDES@
+
+-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
++CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
+ ${ISC_INCLUDES} \
+ ${FSTRM_CFLAGS} \
+ ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
+@@ -32,7 +32,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
+ ${LMDB_CFLAGS} \
+ ${MAXMINDDB_CFLAGS}
+
+-CDEFINES = @USE_GSSAPI@
++CDEFINES = @USE_GSSAPI@ @USE_PKCS11@
+
+ CWARNINGS =
+
+@@ -135,15 +135,15 @@ version.@O@: version.c
+ -DMAPAPI=\"${MAPAPI}\" \
+ -c ${srcdir}/version.c
+
+-libdns.@SA@: ${OBJS}
++libdns-pkcs11.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+-libdns.la: ${OBJS}
++libdns-pkcs11.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
+ -release "${VERSION}" \
+- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
++ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
+
+ include: gen
+ ${MAKE} include/dns/enumtype.h
+@@ -174,22 +174,22 @@ gen: gen.c
+ ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
+ ${BUILD_LIBS} ${LFS_LIBS}
+
+-timestamp: include libdns.@A@
++timestamp: include libdns-pkcs11.@A@
+ touch timestamp
+
+-testdirs: libdns.@A@
++testdirs: libdns-pkcs11.@A@
+
+ installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+ install:: timestamp installdirs
+- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
+
+ uninstall::
+- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@
+
+ clean distclean::
+- rm -f libdns.@A@ timestamp
++ rm -f libdns-pkcs11.@A@ timestamp
+ rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
+ rm -f include/dns/rdatastruct.h
+ rm -f dnstap.pb-c.c dnstap.pb-c.h
+diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
+index 3bb5e01..c96fe7d 100644
+--- a/lib/dns-pkcs11/tests/Makefile.in
++++ b/lib/dns-pkcs11/tests/Makefile.in
+@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@
+
+ @BIND9_MAKE_INCLUDES@
+
+-CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
++CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
+ ${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \
+ ${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@
+-CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\""
++CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
+
+ ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ ISCDEPLIBS = ../../isc/libisc.@A@
+-DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+-DNSDEPLIBS = ../libdns.@A@
++DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
++DNSDEPLIBS = ../libdns-pkcs11.@A@
+
+ LIBS = @LIBS@ @CMOCKA_LIBS@
+
+diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
+index bc683ce..7a9d2f2 100644
+--- a/lib/ns-pkcs11/Makefile.in
++++ b/lib/ns-pkcs11/Makefile.in
+@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@
+
+ @BIND9_MAKE_INCLUDES@
+
+-CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \
+- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
++CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \
++ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
+ ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
+ ${FSTRM_CFLAGS}
+
+-CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\"
++CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
+
+ CWARNINGS =
+
+@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@
+
+ ISCDEPLIBS = ../../lib/isc/libisc.@A@
+
+-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+
+-DNSDEPLIBS = ../../lib/dns/libdns.@A@
++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+
+ LIBS = @LIBS@
+
+@@ -60,28 +60,28 @@ version.@O@: version.c
+ -DMAJOR=\"${MAJOR}\" \
+ -c ${srcdir}/version.c
+
+-libns.@SA@: ${OBJS}
++libns-pkcs11.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+-libns.la: ${OBJS}
++libns-pkcs11.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \
++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \
+ -release "${VERSION}" \
+- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
++ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
+
+-timestamp: libns.@A@
++timestamp: libns-pkcs11.@A@
+ touch timestamp
+
+ installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+ install:: timestamp installdirs
+- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \
++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \
+ ${DESTDIR}${libdir}
+
+ uninstall::
+- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@
++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@
+
+ clean distclean::
+- rm -f libns.@A@ timestamp
++ rm -f libns-pkcs11.@A@ timestamp
+diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in
+index 4c3e694..c1b6d99 100644
+--- a/lib/ns-pkcs11/tests/Makefile.in
++++ b/lib/ns-pkcs11/tests/Makefile.in
+@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@
+
+ WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach
+
+-CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
++CINCLUDES = -I. -Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
+ ${OPENSSL_CFLAGS} \
+ @CMOCKA_CFLAGS@
+-CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\"
++CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@
+
+ ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ ISCDEPLIBS = ../../isc/libisc.@A@
+-DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+-DNSDEPLIBS = ../../dns/libdns.@A@
+-NSLIBS = ../libns.@A@
+-NSDEPLIBS = ../libns.@A@
++DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
++DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@
++NSLIBS = ../libns-pkcs11.@A@
++NSDEPLIBS = ../libns-pkcs11.@A@
+
+ LIBS = @LIBS@ @CMOCKA_LIBS@
+
+diff --git a/make/includes.in b/make/includes.in
+index b8317d3..b73b0c4 100644
+--- a/make/includes.in
++++ b/make/includes.in
+@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
+
+ TEST_INCLUDES = \
+ -I${top_srcdir}/lib/tests/include
++
++DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \
++ -I${top_srcdir}/lib/dns-pkcs11/include
++
++NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \
++ -I${top_srcdir}/lib/ns-pkcs11/include
++
+--
+2.26.3
+
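Review bot: The PKCS#11 define is applied inconsistently across the variant Makefiles in this embedded patch: bin/dnssec-pkcs11 hard-codes `-DUSE_PKCS11=1`, lib/dns-pkcs11 and lib/ns-pkcs11 (and their tests) use the `@USE_PKCS11@` substitution, and bin/named-pkcs11 sets `CDEFINES =` with no PKCS#11 define at all. If any source under bin/named-pkcs11 is conditional on USE_PKCS11, the daemon's own objects would be compiled without it while linking against libdns-pkcs11, so please confirm that is intended. Otherwise `CDEFINES = @USE_PKCS11@` in both bin directories would let one configure switch govern every object in the variant; if the hard-coded form is deliberate, a comment such as `# force PKCS#11 code paths regardless of configure's USE_PKCS11` would record why. A smaller style point in bin/dnssec-pkcs11: TARGETS uses the new `EXEEXT = -pkcs11@EXEEXT@`, but the rule headers spell out `dnssec-cds-pkcs11@EXEEXT@`, so writing them as `dnssec-cds${EXEEXT}:` would keep the suffix in one place.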
diff --git a/bind-9.11-feature-test-named.patch b/bind-9.11-feature-test-named.patch
new file mode 100644
index 0000000..9af8d73
--- /dev/null
+++ b/bind-9.11-feature-test-named.patch
@@ -0,0 +1,59 @@
+From e645046202006750f87531e21e3ff7c26fba3466 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 30 Jan 2019 14:37:17 +0100
+Subject: [PATCH] Create feature-test in source directory
+
+Feature-test tool is used in system tests to test compiled in changes.
+Because we build more variants of named with different configuration,
+compile feature-test for each of them this way.
+---
+ bin/named/Makefile.in | 12 +++++++++++-
+ bin/tests/system/conf.sh.in | 2 +-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
+index 37053a7..ed9add2 100644
+--- a/bin/named/Makefile.in
++++ b/bin/named/Makefile.in
+@@ -91,7 +91,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
+
+ SUBDIRS = unix
+
+-TARGETS = named@EXEEXT@
++TARGETS = named@EXEEXT@ feature-test@EXEEXT@
+
+ GEOIP2LINKOBJS = geoip.@O@
+
+@@ -154,6 +154,16 @@ named@EXEEXT@: ${OBJS} ${DEPLIBS}
+ export BASEOBJS="${OBJS} ${UOBJS}"; \
+ ${FINALBUILDCMD}
+
++# Bit of hack, do not produce intermediate .o object for featuretest
++feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
++ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
++ -c ${top_srcdir}/bin/tests/system/feature-test.c
++
++feature-test@EXEEXT@: feature-test.@O@
++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
++ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
++
++
+ clean distclean maintainer-clean::
+ rm -f ${TARGETS} ${OBJS}
+
+diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
+index 7934930..e84fde2 100644
+--- a/bin/tests/system/conf.sh.in
++++ b/bin/tests/system/conf.sh.in
+@@ -37,7 +37,7 @@ DELV=$TOP/bin/delv/delv
+ DIG=$TOP/bin/dig/dig
+ DNSTAPREAD=$TOP/bin/tools/dnstap-read
+ DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+-FEATURETEST=$TOP/bin/tests/system/feature-test
++FEATURETEST=$TOP/bin/named/feature-test
+ FSTRM_CAPTURE=@FSTRM_CAPTURE@
+ HOST=$TOP/bin/dig/host
+ IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
+--
+2.26.2
+
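Review bot: The new `feature-test@EXEEXT@` rule in bin/named/Makefile.in links `${ISCLIBS}` but lists only `feature-test.@O@` as a prerequisite, whereas the neighbouring `named@EXEEXT@` rule depends on `${DEPLIBS}`. The helper is therefore not relinked when libisc changes, and the system tests that consult it could then be selected by a stale binary. Assuming `ISCDEPLIBS` is defined in this Makefile as it is in the pkcs11 copy, the header should read `feature-test@EXEEXT@: feature-test.@O@ ${ISCDEPLIBS}`. The comment above the rule says no intermediate object is produced, yet the rule builds `feature-test.@O@`; something like `# Build feature-test next to named so each variant gets a matching copy` would describe what the rules do. The same two rules appear as context in bin/named-pkcs11/Makefile.in and would want the same prerequisite.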
diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch
new file mode 100644
index 0000000..51927a4
--- /dev/null
+++ b/bind-9.11-fips-tests.patch
@@ -0,0 +1,959 @@
+From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 2 Aug 2018 23:46:45 +0200
+Subject: [PATCH] FIPS tests changes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Squashed commit of the following:
+
+commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 20:35:13 2018 +0100
+
+ Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
+
+commit ab303db70082db76ecf36493d0b82ef3e8750cad
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 18:11:10 2018 +0100
+
+ Changed root key to be RSASHA256
+
+ Change bad trusted key to be the same algorithm.
+
+commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 16:56:17 2018 +0100
+
+ Change used key to not use hmac-md5
+
+ Fix upforwd test, do not use hmac-md5
+
+commit aec891571626f053acfb4d0a247240cbc21a84e9
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 15:54:11 2018 +0100
+
+ Increase bitsize of DSA key to pass FIPS 140-2 mode.
+
+commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 15:41:08 2018 +0100
+
+ Fix tsig and rndc tests for disabled md5
+
+ Use hmac-sha256 instead of hmac-md5.
+
+commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 13:21:00 2018 +0100
+
+ Add md5 availability detection to featuretest
+
+commit f389a918803e2853e4b55fed62765dc4a492e34f
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 10:44:23 2018 +0100
+
+ Change tests to not use hmac-md5 algorithms if not required
+
+ Use hmac-sha256 instead of default hmac-md5 for allow-query
+---
+ bin/tests/system/acl/ns2/named1.conf.in | 4 +-
+ bin/tests/system/acl/ns2/named2.conf.in | 4 +-
+ bin/tests/system/acl/ns2/named3.conf.in | 6 +-
+ bin/tests/system/acl/ns2/named4.conf.in | 4 +-
+ bin/tests/system/acl/ns2/named5.conf.in | 4 +-
+ bin/tests/system/acl/tests.sh | 32 ++++-----
+ .../system/allow-query/ns2/named10.conf.in | 2 +-
+ .../system/allow-query/ns2/named11.conf.in | 4 +-
+ .../system/allow-query/ns2/named12.conf.in | 2 +-
+ .../system/allow-query/ns2/named30.conf.in | 2 +-
+ .../system/allow-query/ns2/named31.conf.in | 4 +-
+ .../system/allow-query/ns2/named32.conf.in | 2 +-
+ .../system/allow-query/ns2/named40.conf.in | 4 +-
+ bin/tests/system/allow-query/tests.sh | 18 ++---
+ bin/tests/system/catz/ns1/named.conf.in | 2 +-
+ bin/tests/system/catz/ns2/named.conf.in | 2 +-
+ bin/tests/system/checkconf/bad-tsig.conf | 2 +-
+ bin/tests/system/checkconf/good.conf | 2 +-
+ bin/tests/system/feature-test.c | 14 ++++
+ bin/tests/system/notify/ns5/named.conf.in | 6 +-
+ bin/tests/system/notify/tests.sh | 6 +-
+ bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
+ bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
+ bin/tests/system/nsupdate/setup.sh | 6 +-
+ bin/tests/system/nsupdate/tests.sh | 15 +++--
+ bin/tests/system/rndc/setup.sh | 2 +-
+ bin/tests/system/rndc/tests.sh | 23 ++++---
+ bin/tests/system/tsig/ns1/named.conf.in | 10 +--
+ bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
+ bin/tests/system/tsig/setup.sh | 5 ++
+ bin/tests/system/tsig/tests.sh | 65 ++++++++++++-------
+ bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
+ bin/tests/system/upforwd/tests.sh | 2 +-
+ 33 files changed, 162 insertions(+), 108 deletions(-)
+ create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
+
+diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
+index 60f22e1..249f672 100644
+--- a/bin/tests/system/acl/ns2/named1.conf.in
++++ b/bin/tests/system/acl/ns2/named1.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
+index ada97bc..f82d858 100644
+--- a/bin/tests/system/acl/ns2/named2.conf.in
++++ b/bin/tests/system/acl/ns2/named2.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
+index 97684e4..de6a2e9 100644
+--- a/bin/tests/system/acl/ns2/named3.conf.in
++++ b/bin/tests/system/acl/ns2/named3.conf.in
+@@ -33,17 +33,17 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key three {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
+index 462b3fa..994b35c 100644
+--- a/bin/tests/system/acl/ns2/named4.conf.in
++++ b/bin/tests/system/acl/ns2/named4.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
+index 728da58..8f00d09 100644
+--- a/bin/tests/system/acl/ns2/named5.conf.in
++++ b/bin/tests/system/acl/ns2/named5.conf.in
+@@ -35,12 +35,12 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
+index be59d64..13d5bdc 100644
+--- a/bin/tests/system/acl/tests.sh
++++ b/bin/tests/system/acl/tests.sh
+@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
+ # key "one" should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+
+ # any other key should be fine
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ copy_setports ns2/named2.conf.in ns2/named.conf
+@@ -39,18 +39,18 @@ sleep 5
+ # prefix 10/8 should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ # any other address should work, as long as it sends key "one"
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ echo_i "testing nested ACL processing"
+@@ -62,31 +62,31 @@ sleep 5
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # but only one or the other should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ t=`expr $t + 1`
+@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
+ # and other values? right out
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
+@@ -108,31 +108,31 @@ sleep 5
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ echo_i "testing allow-query-on ACL processing"
+diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
+index 7d43e36..f7b25f9 100644
+--- a/bin/tests/system/allow-query/ns2/named10.conf.in
++++ b/bin/tests/system/allow-query/ns2/named10.conf.in
+@@ -10,7 +10,7 @@
+ */
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
+index 2952518..121557e 100644
+--- a/bin/tests/system/allow-query/ns2/named11.conf.in
++++ b/bin/tests/system/allow-query/ns2/named11.conf.in
+@@ -10,12 +10,12 @@
+ */
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234efgh8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
+index 0c01071..ceabbb5 100644
+--- a/bin/tests/system/allow-query/ns2/named12.conf.in
++++ b/bin/tests/system/allow-query/ns2/named12.conf.in
+@@ -10,7 +10,7 @@
+ */
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
+index 4c17292..9cd9d1f 100644
+--- a/bin/tests/system/allow-query/ns2/named30.conf.in
++++ b/bin/tests/system/allow-query/ns2/named30.conf.in
+@@ -10,7 +10,7 @@
+ */
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
+index a2690a4..f488730 100644
+--- a/bin/tests/system/allow-query/ns2/named31.conf.in
++++ b/bin/tests/system/allow-query/ns2/named31.conf.in
+@@ -10,12 +10,12 @@
+ */
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234efgh8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
+index a0708c8..51fa457 100644
+--- a/bin/tests/system/allow-query/ns2/named32.conf.in
++++ b/bin/tests/system/allow-query/ns2/named32.conf.in
+@@ -10,7 +10,7 @@
+ */
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
+index 687768e..d24d6d2 100644
+--- a/bin/tests/system/allow-query/ns2/named40.conf.in
++++ b/bin/tests/system/allow-query/ns2/named40.conf.in
+@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; };
+ acl badaccept { 10.53.0.1; };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234efgh8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
+index fe40635..543c663 100644
+--- a/bin/tests/system/allow-query/tests.sh
++++ b/bin/tests/system/allow-query/tests.sh
+@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2
+
+ echo_i "test $n: key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2
+
+ echo_i "test $n: key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2
+
+ echo_i "test $n: key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2
+
+ echo_i "test $n: views key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2
+
+ echo_i "test $n: views key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2
+
+ echo_i "test $n: views key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -500,7 +500,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -510,7 +510,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -520,7 +520,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
+index 1218669..e62715e 100644
+--- a/bin/tests/system/catz/ns1/named.conf.in
++++ b/bin/tests/system/catz/ns1/named.conf.in
+@@ -61,5 +61,5 @@ zone "catalog4.example" {
+
+ key tsig_key. {
+ secret "LSAnCU+Z";
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ };
+diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
+index 30333e6..4005152 100644
+--- a/bin/tests/system/catz/ns2/named.conf.in
++++ b/bin/tests/system/catz/ns2/named.conf.in
+@@ -70,5 +70,5 @@ zone "catalog4.example" {
+
+ key tsig_key. {
+ secret "LSAnCU+Z";
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ };
+diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
+index 21be03e..e57c308 100644
+--- a/bin/tests/system/checkconf/bad-tsig.conf
++++ b/bin/tests/system/checkconf/bad-tsig.conf
+@@ -11,7 +11,7 @@
+
+ /* Bad secret */
+ key "badtsig" {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "jEdD+BPKg==";
+ };
+
+diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
+index e09b9e8..2e824b3 100644
+--- a/bin/tests/system/checkconf/good.conf
++++ b/bin/tests/system/checkconf/good.conf
+@@ -210,6 +210,6 @@ dyndb "name" "library.so" {
+ system;
+ };
+ key "mykey" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "qwertyuiopasdfgh";
+ };
+diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
+index 877504f..577660a 100644
+--- a/bin/tests/system/feature-test.c
++++ b/bin/tests/system/feature-test.c
+@@ -14,6 +14,7 @@
+ #include <string.h>
+ #include <unistd.h>
+
++#include <isc/md.h>
+ #include <isc/net.h>
+ #include <isc/print.h>
+ #include <isc/util.h>
+@@ -186,6 +187,19 @@ main(int argc, char **argv) {
+ #endif /* ifdef DLZ_FILESYSTEM */
+ }
+
++ if (strcmp(argv[1], "--md5") == 0) {
++ unsigned char digest[ISC_MAX_MD_SIZE];
++ const unsigned char test[] = "test";
++ unsigned int size = sizeof(digest);
++
++ if (isc_md(ISC_MD_MD5, test, sizeof(test),
++ digest, &size) == ISC_R_SUCCESS) {
++ return (0);
++ } else {
++ return (1);
++ }
++ }
++
+ if (strcmp(argv[1], "--with-idn") == 0) {
+ #ifdef HAVE_LIBIDN2
+ return (0);
+diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
+index 1ee8df4..2b75d9a 100644
+--- a/bin/tests/system/notify/ns5/named.conf.in
++++ b/bin/tests/system/notify/ns5/named.conf.in
+@@ -10,17 +10,17 @@
+ */
+
+ key "a" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "aaaaaaaaaaaaaaaaaaaa";
+ };
+
+ key "b" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "bbbbbbbbbbbbbbbbbbbb";
+ };
+
+ key "c" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "cccccccccccccccccccc";
+ };
+
+diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
+index 3d7e0b7..ec4d9a7 100644
+--- a/bin/tests/system/notify/tests.sh
++++ b/bin/tests/system/notify/tests.sh
+@@ -212,16 +212,16 @@ ret=0
+ $NSUPDATE << EOF
+ server 10.53.0.5 ${PORT}
+ zone x21
+-key a aaaaaaaaaaaaaaaaaaaa
++key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa
+ update add added.x21 0 in txt "test string"
+ send
+ EOF
+
+ for i in 1 2 3 4 5 6 7 8 9
+ do
+- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
++ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+ txt > dig.out.b.ns5.test$n || ret=1
+- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
++ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
+ txt > dig.out.c.ns5.test$n || ret=1
+ grep "test string" dig.out.b.ns5.test$n > /dev/null &&
+ grep "test string" dig.out.c.ns5.test$n > /dev/null &&
+diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
+index b51e700..436c97d 100644
+--- a/bin/tests/system/nsupdate/ns1/named.conf.in
++++ b/bin/tests/system/nsupdate/ns1/named.conf.in
+@@ -37,7 +37,7 @@ controls {
+ };
+
+ key altkey {
+- algorithm hmac-md5;
++ algorithm hmac-sha512;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
+index da6b3b4..c547e47 100644
+--- a/bin/tests/system/nsupdate/ns2/named.conf.in
++++ b/bin/tests/system/nsupdate/ns2/named.conf.in
+@@ -32,7 +32,7 @@ controls {
+ };
+
+ key altkey {
+- algorithm hmac-md5;
++ algorithm hmac-sha512;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
+index c055da3..4e1242b 100644
+--- a/bin/tests/system/nsupdate/setup.sh
++++ b/bin/tests/system/nsupdate/setup.sh
+@@ -56,7 +56,11 @@ EOF
+
+ $DDNSCONFGEN -q -z example.nil > ns1/ddns.key
+
+-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
++if $FEATURETEST --md5; then
++ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
++else
++ echo -n > ns1/md5.key
++fi
+ $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
+ $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
+ $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index b35d797..41c128e 100755
+--- a/bin/tests/system/nsupdate/tests.sh
++++ b/bin/tests/system/nsupdate/tests.sh
+@@ -797,7 +797,14 @@ fi
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++if $FEATURETEST --md5
++then
++ ALGS="md5 sha1 sha224 sha256 sha384 sha512"
++else
++ ALGS="sha1 sha224 sha256 sha384 sha512"
++ echo_i "skipping disabled md5 algorithm"
++fi
++for alg in $ALGS; do
+ $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
+ server 10.53.0.1 ${PORT}
+ update add ${alg}.keytests.nil. 600 A 10.10.10.3
+@@ -805,7 +812,7 @@ send
+ END
+ done
+ sleep 2
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++for alg in $ALGS; do
+ $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
+ done
+ if [ $ret -ne 0 ]; then
+@@ -816,7 +823,7 @@ fi
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++for alg in $ALGS; do
+ secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
+ $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
+ server 10.53.0.1 ${PORT}
+@@ -825,7 +832,7 @@ send
+ END
+ done
+ sleep 2
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++for alg in $ALGS; do
+ $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
+ done
+ if [ $ret -ne 0 ]; then
+diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
+index b59e7a7..04d5f5a 100644
+--- a/bin/tests/system/rndc/setup.sh
++++ b/bin/tests/system/rndc/setup.sh
+@@ -33,7 +33,7 @@ make_key () {
+ sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
+ }
+
+-make_key 1 ${EXTRAPORT1} hmac-md5
++$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
+ make_key 2 ${EXTRAPORT2} hmac-sha1
+ make_key 3 ${EXTRAPORT3} hmac-sha224
+ make_key 4 ${EXTRAPORT4} hmac-sha256
+diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
+index 9fd84ed..d0b188f 100644
+--- a/bin/tests/system/rndc/tests.sh
++++ b/bin/tests/system/rndc/tests.sh
+@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+ n=`expr $n + 1`
+-echo_i "testing rndc with hmac-md5 ($n)"
+-ret=0
+-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+-for i in 2 3 4 5 6
+-do
+- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+-done
+-if [ $ret != 0 ]; then echo_i "failed"; fi
+-status=`expr $status + $ret`
++if $FEATURETEST --md5
++then
++ echo_i "testing rndc with hmac-md5 ($n)"
++ ret=0
++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
++ for i in 2 3 4 5 6
++ do
++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
++ done
++ if [ $ret != 0 ]; then echo_i "failed"; fi
++ status=`expr $status + $ret`
++else
++ echo_i "skipping rndc with hmac-md5 ($n)"
++fi
+
+ n=`expr $n + 1`
+ echo_i "testing rndc with hmac-sha1 ($n)"
+diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
+index 3470c4f..cf539cd 100644
+--- a/bin/tests/system/tsig/ns1/named.conf.in
++++ b/bin/tests/system/tsig/ns1/named.conf.in
+@@ -21,10 +21,7 @@ options {
+ notify no;
+ };
+
+-key "md5" {
+- secret "97rnFx24Tfna4mHPfgnerA==";
+- algorithm hmac-md5;
+-};
++# md5 key appended by setup.sh at the end
+
+ key "sha1" {
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+@@ -51,10 +48,7 @@ key "sha512" {
+ algorithm hmac-sha512;
+ };
+
+-key "md5-trunc" {
+- secret "97rnFx24Tfna4mHPfgnerA==";
+- algorithm hmac-md5-80;
+-};
++# md5-trunc key appended by setup.sh at the end
+
+ key "sha1-trunc" {
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
+new file mode 100644
+index 0000000..0682194
+--- /dev/null
++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
+@@ -0,0 +1,10 @@
++# Conditionally included when support for MD5 is available
++key "md5" {
++ secret "97rnFx24Tfna4mHPfgnerA==";
++ algorithm hmac-md5;
++};
++
++key "md5-trunc" {
++ secret "97rnFx24Tfna4mHPfgnerA==";
++ algorithm hmac-md5-80;
++};
+diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
+index e3b4a45..ae21d04 100644
+--- a/bin/tests/system/tsig/setup.sh
++++ b/bin/tests/system/tsig/setup.sh
+@@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
+ $SHELL clean.sh
+
+ copy_setports ns1/named.conf.in ns1/named.conf
++
++if $FEATURETEST --md5
++then
++ cat ns1/rndc5.conf.in >> ns1/named.conf
++fi
+diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
+index 38d842a..668aa6f 100644
+--- a/bin/tests/system/tsig/tests.sh
++++ b/bin/tests/system/tsig/tests.sh
+@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
+
+ status=0
+
+-echo_i "fetching using hmac-md5 (old form)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
+-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+- echo_i "failed"; status=1
+-fi
++if $FEATURETEST --md5
++then
++ echo_i "fetching using hmac-md5 (old form)"
++ ret=0
++ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
++ if [ $ret -eq 1 ] ; then
++ echo_i "failed"; status=1
++ fi
+
+-echo_i "fetching using hmac-md5 (new form)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
+-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+- echo_i "failed"; status=1
++ echo_i "fetching using hmac-md5 (new form)"
++ ret=0
++ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
++ if [ $ret -eq 1 ] ; then
++ echo_i "failed"; status=1
++ fi
++else
++ echo_i "skipping using hmac-md5"
+ fi
+
+ echo_i "fetching using hmac-sha1"
+@@ -87,12 +92,17 @@ fi
+ # Truncated TSIG
+ #
+ #
+-echo_i "fetching using hmac-md5 (trunc)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
+-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+- echo_i "failed"; status=1
++if $FEATURETEST --md5
++then
++ echo_i "fetching using hmac-md5 (trunc)"
++ ret=0
++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
++ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
++ if [ $ret -eq 1 ] ; then
++ echo_i "failed"; status=1
++ fi
++else
++ echo_i "skipping using hmac-md5 (trunc)"
+ fi
+
+ echo_i "fetching using hmac-sha1 (trunc)"
+@@ -141,12 +151,17 @@ fi
+ # Check for bad truncation.
+ #
+ #
+-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
+-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+- echo_i "failed"; status=1
++if $FEATURETEST --md5
++then
++ echo_i "fetching using hmac-md5-80 (BADTRUNC)"
++ ret=0
++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
++ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
++ if [ $ret -eq 1 ] ; then
++ echo_i "failed"; status=1
++ fi
++else
++ echo_i "skipping using hmac-md5-80 (BADTRUNC)"
+ fi
+
+ echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
+diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
+index 3873c7c..b359a5a 100644
+--- a/bin/tests/system/upforwd/ns1/named.conf.in
++++ b/bin/tests/system/upforwd/ns1/named.conf.in
+@@ -10,7 +10,7 @@
+ */
+
+ key "update.example." {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+ };
+
+diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
+index a50c896..8062d68 100644
+--- a/bin/tests/system/upforwd/tests.sh
++++ b/bin/tests/system/upforwd/tests.sh
+@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+ echo_i "updating zone (signed) ($n)"
+ ret=0
+-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
++$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+ server 10.53.0.3 ${PORT}
+ update add updated.example. 600 A 10.10.10.1
+ update add updated.example. 600 TXT Foo
+--
+2.26.2
+
diff --git a/bind-9.11-kyua-pkcs11.patch b/bind-9.11-kyua-pkcs11.patch
new file mode 100644
index 0000000..ea9a51a
--- /dev/null
+++ b/bind-9.11-kyua-pkcs11.patch
@@ -0,0 +1,58 @@
+From 1241f2005d08673c28a595c5a6cd61350b95a929 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 2 Jan 2018 18:13:07 +0100
+Subject: [PATCH] Fix pkcs11 variants atf tests
+
+Add dns-pkcs11 tests Makefile to configure
+
+Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
+---
+ configure.ac | 1 +
+ lib/Kyuafile | 2 ++
+ lib/dns-pkcs11/tests/dh_test.c | 3 ++-
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index d80ae31..0fb9328 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([
+ lib/dns-pkcs11/include/Makefile
+ lib/dns-pkcs11/include/dns/Makefile
+ lib/dns-pkcs11/include/dst/Makefile
++ lib/dns-pkcs11/tests/Makefile
+ lib/irs/Makefile
+ lib/irs/include/Makefile
+ lib/irs/include/irs/Makefile
+diff --git a/lib/Kyuafile b/lib/Kyuafile
+index 39ce986..037e5ef 100644
+--- a/lib/Kyuafile
++++ b/lib/Kyuafile
+@@ -2,8 +2,10 @@ syntax(2)
+ test_suite('bind9')
+
+ include('dns/Kyuafile')
++include('dns-pkcs11/Kyuafile')
+ include('irs/Kyuafile')
+ include('isc/Kyuafile')
+ include('isccc/Kyuafile')
+ include('isccfg/Kyuafile')
+ include('ns/Kyuafile')
++include('ns-pkcs11/Kyuafile')
+diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
+index 934e8fd..658d1af 100644
+--- a/lib/dns-pkcs11/tests/dh_test.c
++++ b/lib/dns-pkcs11/tests/dh_test.c
+@@ -87,7 +87,8 @@ dh_computesecret(void **state) {
+ result = dst_key_computesecret(key, key, &buf);
+ assert_int_equal(result, DST_R_NOTPRIVATEKEY);
+ result = key->func->computesecret(key, key, &buf);
+- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
++ /* PKCS11 variant gives different result, accept both */
++ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
+
+ dst_key_free(&key);
+ }
+--
+2.20.1
+
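Review bot: In lib/dns-pkcs11/tests/dh_test.c the new `assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY)` lets this copy of the test pass on either code, so a change in which error the PKCS#11 path returns would go unnoticed, and a failing run no longer prints the value that came back. If this file is only ever built for the pkcs11 variant (its path suggests so, but the patch does not show it), `assert_int_equal(result, DST_R_INVALIDPRIVATEKEY);` keeps the check strict. If both builds do compile it, the comment should name which build yields which code, e.g. `/* OpenSSL build: DST_R_COMPUTESECRETFAILURE; native PKCS#11 build: DST_R_INVALIDPRIVATEKEY */`. dh_computesecret starts outside the hunk.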
diff --git a/bind-9.11-rh1666814.patch b/bind-9.11-rh1666814.patch
new file mode 100644
index 0000000..7429999
--- /dev/null
+++ b/bind-9.11-rh1666814.patch
@@ -0,0 +1,29 @@
+From 0f03071080e7fa68433b322359d46abaca2cc5ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 16 Jan 2019 16:27:33 +0100
+Subject: [PATCH] Fix possible crash when loading corrupted file
+
+Some values passes internal triggers by coincidence. Fix the check and
+check also first_node_offset before even passing it further.
+---
+ lib/dns/rbt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
+index 5aee5f6..7f2c2d2 100644
+--- a/lib/dns/rbt.c
++++ b/lib/dns/rbt.c
+@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
+ rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset +
+ header->first_node_offset);
+
+- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
++ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
++ || header->first_node_offset > filesize) {
++
+ result = ISC_R_INVALIDFILE;
+ goto cleanup;
+ }
+--
+2.31.1
+
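Review bot: The added `header->first_node_offset > filesize` test in dns_rbt_deserialize_tree compares the offset on its own, while `rbt->root` just above is formed from `base_address + header_offset + header->first_node_offset`, so a value at or just below `filesize` still passes and leaves the root pointing at or past the end of the loaded file. The bound should take `header_offset` and one whole node into account, e.g. `header->first_node_offset > filesize - header_offset - sizeof(dns_rbtnode_t)`, assuming `header_offset + sizeof(dns_rbtnode_t) <= filesize` is already established earlier in the function, which the hunk does not show. The existing product `header->nodecount * sizeof(dns_rbtnode_t)` may also wrap for a very large count, depending on the type of nodecount; `header->nodecount > filesize / sizeof(dns_rbtnode_t)` expresses the same limit without the multiplication. The function starts and ends outside the hunk.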
diff --git a/bind-9.11-tests-variants.patch b/bind-9.11-tests-variants.patch
new file mode 100644
index 0000000..807a4a0
--- /dev/null
+++ b/bind-9.11-tests-variants.patch
@@ -0,0 +1,65 @@
+From 607cec78382b016aad0fe041f2e1895b6896c647 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 1 Mar 2019 15:48:20 +0100
+Subject: [PATCH] Make alternative named builds testable in system tests
+
+Red Hat has alternative variant builds of named, which are not ever
+tested by system tests. New variables make it relatively easy to test
+alternative variants.
+
+For sdb variant use:
+export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
+
+For pkcs variant use:
+export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
+---
+ bin/tests/system/conf.sh.in | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
+index d859909..9152f07 100644
+--- a/bin/tests/system/conf.sh.in
++++ b/bin/tests/system/conf.sh.in
+@@ -37,17 +37,17 @@ DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
+ DELV=$TOP/bin/delv/delv
+ DIG=$TOP/bin/dig/dig
+ DNSTAPREAD=$TOP/bin/tools/dnstap-read
+-DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+-FEATURETEST=$TOP/bin/named/feature-test
++DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT}
++FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT}
+ FSTRM_CAPTURE=@FSTRM_CAPTURE@
+ HOST=$TOP/bin/dig/host
+-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
++IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT}
+ JOURNALPRINT=$TOP/bin/tools/named-journalprint
+-KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
+-KEYGEN=$TOP/bin/dnssec/dnssec-keygen
++KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT}
++KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT}
+ KEYMGR=$TOP/bin/python/dnssec-keymgr
+ MDIG=$TOP/bin/tools/mdig
+-NAMED=$TOP/bin/named/named
++NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT}
+ NSEC3HASH=$TOP/bin/tools/nsec3hash
+ NSLOOKUP=$TOP/bin/dig/nslookup
+ NSUPDATE=$TOP/bin/nsupdate/nsupdate
+@@ -56,12 +56,12 @@ PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
+ PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+ PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+ RESOLVE=$TOP/bin/tests/system/resolve
+-REVOKE=$TOP/bin/dnssec/dnssec-revoke
++REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT}
+ RNDC=$TOP/bin/rndc/rndc
+ RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
+ RRCHECKER=$TOP/bin/tools/named-rrchecker
+-SETTIME=$TOP/bin/dnssec/dnssec-settime
+-SIGNER=$TOP/bin/dnssec/dnssec-signzone
++SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT}
++SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT}
+ TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
+ VERIFY=$TOP/bin/dnssec/dnssec-verify
+ WIRETEST=$TOP/bin/tests/wire_test
+--
+2.26.3
+
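Review bot: `VERIFY=$TOP/bin/dnssec/dnssec-verify` stays on the default path while every other dnssec tool touched in conf.sh.in (DSFROMKEY, IMPORTKEY, KEYFRLAB, KEYGEN, REVOKE, SETTIME, SIGNER) switches to `${DNSSEC_VARIANT}`, so a `-pkcs11` test run would check signatures with the non-variant binary. If the variant build ships a matching tool, the line should read `VERIFY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-verify${DNSSEC_VARIANT}`. If it deliberately does not, a comment above it such as `# no variant build of dnssec-verify; always the default binary` would keep the asymmetry from reading as an oversight. The two variables are also expanded without a default, so `${DNSSEC_VARIANT:-}` and `${NAMED_VARIANT:-}` would be safer should this file ever be sourced under `set -u`.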
diff --git a/bind-9.14-config-pkcs11.patch b/bind-9.14-config-pkcs11.patch
new file mode 100644
index 0000000..0d62df6
--- /dev/null
+++ b/bind-9.14-config-pkcs11.patch
@@ -0,0 +1,83 @@
+From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 18 Oct 2019 21:30:52 +0200
+Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h
+
+Building two variants with the same common code requires to unset
+USE_PKCS11 on part of build. That is not possible with config.h value.
+Move it as normal define to CDEFINES.
+---
+ bin/confgen/Makefile.in | 2 +-
+ configure.ac | 8 ++++++--
+ lib/dns/dst_internal.h | 12 +++++++++---
+ 3 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
+index 1b7512d..c126bf3 100644
+--- a/bin/confgen/Makefile.in
++++ b/bin/confgen/Makefile.in
+@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
+ CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+-CDEFINES =
++CDEFINES = @USE_PKCS11@
+ CWARNINGS =
+
+ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+diff --git a/configure.ac b/configure.ac
+index f5483fe..08a7d8a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST])
+ AC_SUBST([PKCS11_TOOLS])
+ AC_SUBST([PKCS11_MANS])
+
++USE_PKCS11='-DUSE_PKCS11=0'
++USE_OPENSSL='-DUSE_OPENSSL=0'
+ AC_SUBST([CRYPTO])
+ AS_CASE([$CRYPTO],
+- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
+- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
++ [pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'],
++ [USE_OPENSSL='-DUSE_OPENSSL=1'])
++AC_SUBST(USE_PKCS11)
++AC_SUBST(USE_OPENSSL)
+
+ # preparation for automake
+ # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
+diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
+index 2c3b4a3..55e9dc4 100644
+--- a/lib/dns/dst_internal.h
++++ b/lib/dns/dst_internal.h
+@@ -38,6 +38,13 @@
+ #include <isc/stdtime.h>
+ #include <isc/types.h>
+
++#ifndef USE_PKCS11
++#define USE_PKCS11 0
++#endif
++#ifndef USE_OPENSSL
++#define USE_OPENSSL (! USE_PKCS11)
++#endif
++
+ #if USE_PKCS11
+ #include <pk11/pk11.h>
+ #include <pk11/site.h>
+@@ -116,11 +123,10 @@ struct dst_key {
+ void *generic;
+ dns_gss_ctx_id_t gssctx;
+ DH *dh;
+-#if USE_OPENSSL
+- EVP_PKEY *pkey;
+-#endif /* if USE_OPENSSL */
+ #if USE_PKCS11
+ pk11_object_t *pkey;
++#else
++ EVP_PKEY *pkey;
+ #endif /* if USE_PKCS11 */
+ dst_hmac_key_t *hmac_key;
+ } keydata; /*%< pointer to key in crypto pkg fmt */
+--
+2.26.2
+
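Review bot: In the lib/dns/dst_internal.h hunk, the new `#ifndef USE_PKCS11` / `#define USE_PKCS11 0` fallback makes a compile line that lost the flag look the same as a deliberate OpenSSL build, so an object in the native-PKCS#11 variant could silently get the `EVP_PKEY *pkey` branch instead of `pk11_object_t *pkey`. Within this patch only bin/confgen/Makefile.in adds `@USE_PKCS11@` to CDEFINES, and `@USE_OPENSSL@` is substituted by configure.ac but not referenced by any Makefile.in shown here; the remaining directories are presumably handled by a separate patch, which is worth confirming. If the default is intentional for the two-variant build, say so above it, e.g. `/* Normally set via CDEFINES; an absent flag selects the OpenSSL variant. */`. A guard after the defaults would also catch hand-set conflicting flags: `#if USE_PKCS11 && USE_OPENSSL` / `#error "USE_PKCS11 and USE_OPENSSL are mutually exclusive"` / `#endif`.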
diff --git a/bind-9.16-CVE-2021-25220-test.patch b/bind-9.16-CVE-2021-25220-test.patch
new file mode 100644
index 0000000..150aa87
--- /dev/null
+++ b/bind-9.16-CVE-2021-25220-test.patch
@@ -0,0 +1,1144 @@
+From bd8fdeb2d1ece6db6dfe9fdc024f3a81440c1c0c Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 18 Jan 2022 00:19:47 +1100
+Subject: [PATCH] Add tests for forwarder cache poisoning scenarios
+
+- Check that an NS in an authority section returned from a forwarder
+ which is above the name in a configured "forward first" or "forward
+ only" zone (i.e., net/NS in a response from a forwarder configured for
+ local.net) is not cached.
+- Test that a DNAME for a parent domain will not be cached when sent
+ in a response from a forwarder configured to answer for a child.
+- Check that glue is rejected if its name falls below that of zone
+ configured locally.
+- Check that an extra out-of-bailiwick data in the answer section is
+ not cached (this was already working correctly, but was not explicitly
+ tested before).
+
+(cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604)
+(cherry picked from commit 59d1eb3ff810145c8098a0a4fbf93ef4380ad739)
+---
+ bin/tests/system/forward/ans11/ans.py | 136 ++++++++++++++++++
+ bin/tests/system/forward/clean.sh | 2 +
+ bin/tests/system/forward/ns1/diditwork.net.db | 22 +++
+ bin/tests/system/forward/ns1/named.conf.in | 20 +++
+ bin/tests/system/forward/ns1/net.example.lll | 15 ++
+ bin/tests/system/forward/ns1/spoofed.net.db | 22 +++
+ bin/tests/system/forward/ns1/sub.local.net.db | 22 +++
+ bin/tests/system/forward/ns10/fakenet.zone | 17 +++
+ bin/tests/system/forward/ns10/fakenet2.zone | 15 ++
+ .../system/forward/ns10/fakesublocalnet.zone | 15 ++
+ .../system/forward/ns10/fakesublocaltld.zone | 15 ++
+ bin/tests/system/forward/ns10/named.conf.in | 53 +++++++
+ bin/tests/system/forward/ns10/net.example.lll | 15 ++
+ bin/tests/system/forward/ns10/spoofednet.zone | 16 +++
+ bin/tests/system/forward/ns2/tld.db | 6 +
+ bin/tests/system/forward/ns4/named.conf.in | 5 +
+ bin/tests/system/forward/ns4/sibling.tld.db | 22 +++
+ bin/tests/system/forward/ns8/named.conf.in | 5 +
+ bin/tests/system/forward/ns8/sub.local.tld.db | 15 ++
+ bin/tests/system/forward/ns9/local.net.db | 16 +++
+ bin/tests/system/forward/ns9/local.tld.db | 15 ++
+ bin/tests/system/forward/ns9/named1.conf.in | 67 +++++++++
+ bin/tests/system/forward/ns9/named2.conf.in | 70 +++++++++
+ bin/tests/system/forward/ns9/named3.conf.in | 50 +++++++
+ bin/tests/system/forward/ns9/named4.conf.in | 47 ++++++
+ bin/tests/system/forward/ns9/root.db | 13 ++
+ bin/tests/system/forward/setup.sh | 2 +
+ bin/tests/system/forward/tests.sh | 122 ++++++++++++++++
+ bin/tests/system/ifconfig.sh | 8 +-
+ 29 files changed, 844 insertions(+), 4 deletions(-)
+ create mode 100644 bin/tests/system/forward/ans11/ans.py
+ create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db
+ create mode 100644 bin/tests/system/forward/ns1/net.example.lll
+ create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db
+ create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db
+ create mode 100644 bin/tests/system/forward/ns10/fakenet.zone
+ create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone
+ create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone
+ create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone
+ create mode 100644 bin/tests/system/forward/ns10/named.conf.in
+ create mode 100644 bin/tests/system/forward/ns10/net.example.lll
+ create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone
+ create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db
+ create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db
+ create mode 100644 bin/tests/system/forward/ns9/local.net.db
+ create mode 100644 bin/tests/system/forward/ns9/local.tld.db
+ create mode 100644 bin/tests/system/forward/ns9/named1.conf.in
+ create mode 100644 bin/tests/system/forward/ns9/named2.conf.in
+ create mode 100644 bin/tests/system/forward/ns9/named3.conf.in
+ create mode 100644 bin/tests/system/forward/ns9/named4.conf.in
+ create mode 100644 bin/tests/system/forward/ns9/root.db
+
+diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py
+new file mode 100644
+index 0000000000..1d35b3d3f1
+--- /dev/null
++++ b/bin/tests/system/forward/ans11/ans.py
+@@ -0,0 +1,136 @@
++# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++#
++# SPDX-License-Identifier: MPL-2.0
++#
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, you can obtain one at https://mozilla.org/MPL/2.0/.
++#
++# See the COPYRIGHT file distributed with this work for additional
++# information regarding copyright ownership.
++
++from __future__ import print_function
++import os
++import sys
++import signal
++import socket
++import select
++from datetime import datetime, timedelta
++import time
++import functools
++
++import dns, dns.message, dns.query, dns.flags
++from dns.rdatatype import *
++from dns.rdataclass import *
++from dns.rcode import *
++from dns.name import *
++
++# Log query to file
++def logquery(type, qname):
++ with open("qlog", "a") as f:
++ f.write("%s %s\n", type, qname)
++
++############################################################################
++# Respond to a DNS query.
++############################################################################
++def create_response(msg):
++ m = dns.message.from_wire(msg)
++ qname = m.question[0].name.to_text()
++ rrtype = m.question[0].rdtype
++ typename = dns.rdatatype.to_text(rrtype)
++
++ with open("query.log", "a") as f:
++ f.write("%s %s\n" % (typename, qname))
++ print("%s %s" % (typename, qname), end=" ")
++
++ r = dns.message.make_response(m)
++ r.set_rcode(NOERROR)
++ if rrtype == A:
++ tld=qname.split('.')[-2] + '.'
++ ns="local." + tld
++ r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11"))
++ r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld))
++ r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11"))
++ elif rrtype == NS:
++ r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, "."))
++ elif rrtype == SOA:
++ r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
++ else:
++ r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
++ r.flags |= dns.flags.AA
++ return r
++
++def sigterm(signum, frame):
++ print ("Shutting down now...")
++ os.remove('ans.pid')
++ running = False
++ sys.exit(0)
++
++############################################################################
++# Main
++#
++# Set up responder and control channel, open the pid file, and start
++# the main loop, listening for queries on the query channel or commands
++# on the control channel and acting on them.
++############################################################################
++ip4 = "10.53.0.11"
++ip6 = "fd92:7065:b8e:ffff::11"
++
++try: port=int(os.environ['PORT'])
++except: port=5300
++
++query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
++query4_socket.bind((ip4, port))
++havev6 = True
++try:
++ query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
++ try:
++ query6_socket.bind((ip6, port))
++ except:
++ query6_socket.close()
++ havev6 = False
++except:
++ havev6 = False
++signal.signal(signal.SIGTERM, sigterm)
++
++f = open('ans.pid', 'w')
++pid = os.getpid()
++print (pid, file=f)
++f.close()
++
++running = True
++
++print ("Listening on %s port %d" % (ip4, port))
++if havev6:
++ print ("Listening on %s port %d" % (ip6, port))
++print ("Ctrl-c to quit")
++
++if havev6:
++ input = [query4_socket, query6_socket]
++else:
++ input = [query4_socket]
++
++while running:
++ try:
++ inputready, outputready, exceptready = select.select(input, [], [])
++ except select.error as e:
++ break
++ except socket.error as e:
++ break
++ except KeyboardInterrupt:
++ break
++
++ for s in inputready:
++ if s == query4_socket or s == query6_socket:
++ print ("Query received on %s" %
++ (ip4 if s == query4_socket else ip6), end=" ")
++ # Handle incoming queries
++ msg = s.recvfrom(65535)
++ rsp = create_response(msg[0])
++ if rsp:
++ print(dns.rcode.to_text(rsp.rcode()))
++ s.sendto(rsp.to_wire(), msg[1])
++ else:
++ print("NO RESPONSE")
++ if not running:
++ break
+diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh
+index bc04eadb2c..b65b092680 100644
+--- a/bin/tests/system/forward/clean.sh
++++ b/bin/tests/system/forward/clean.sh
+@@ -10,10 +10,12 @@
+ #
+ # Clean up after forward tests.
+ #
++rm -f ./ans11/query.log
+ rm -f ./dig.out.*
+ rm -f ./*/named.conf
+ rm -f ./*/named.memstats
+ rm -f ./*/named.run ./*/named.run.prev
++rm -f ./*/named_dump.db
+ rm -f ./ns*/named.lock
+ rm -f ./ns*/managed-keys.bind*
+ rm -f ./ns1/root.db ./ns1/root.db.signed
+diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db
+new file mode 100644
+index 0000000000..fd9a46eb0c
+--- /dev/null
++++ b/bin/tests/system/forward/ns1/diditwork.net.db
+@@ -0,0 +1,22 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 300 ; 5 minutes
++@ IN SOA ns root (
++ 2000082401 ; serial
++ 1800 ; refresh (30 minutes)
++ 1800 ; retry (30 minutes)
++ 1814400 ; expire (3 weeks)
++ 3600 ; minimum (1 hour)
++ )
++ NS ns
++ TXT "recursed"
++ns A 10.53.0.1
+diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in
+index 4aef4e55e5..c5fb2eb172 100644
+--- a/bin/tests/system/forward/ns1/named.conf.in
++++ b/bin/tests/system/forward/ns1/named.conf.in
+@@ -63,3 +63,23 @@ zone "sld.tld" {
+ zone "example6" {
+ type forward;
+ };
++
++zone "diditwork.net" {
++ type primary;
++ file "diditwork.net.db";
++};
++
++zone "spoofed.net" {
++ type primary;
++ file "spoofed.net.db";
++};
++
++zone "sub.local.net" {
++ type primary;
++ file "sub.local.net.db";
++};
++
++zone "net.example.lll" {
++ type master;
++ file "net.example.lll";
++};
+diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll
+new file mode 100644
+index 0000000000..ba0804fd75
+--- /dev/null
++++ b/bin/tests/system/forward/ns1/net.example.lll
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++net.example.lll. SOA . . 0 0 0 0 0
++net.example.lll. NS attackSecureDomain.net.
++didItWork.net.example.lll. TXT "if you can see this record the attack worked"
+diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db
+new file mode 100644
+index 0000000000..eedc46f5c0
+--- /dev/null
++++ b/bin/tests/system/forward/ns1/spoofed.net.db
+@@ -0,0 +1,22 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 300 ; 5 minutes
++@ IN SOA ns root (
++ 2000082401 ; serial
++ 1800 ; refresh (30 minutes)
++ 1800 ; retry (30 minutes)
++ 1814400 ; expire (3 weeks)
++ 3600 ; minimum (1 hour)
++ )
++ NS ns
++ns A 10.53.0.1
++sub TXT "recursed"
+diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db
+new file mode 100644
+index 0000000000..fd9a46eb0c
+--- /dev/null
++++ b/bin/tests/system/forward/ns1/sub.local.net.db
+@@ -0,0 +1,22 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 300 ; 5 minutes
++@ IN SOA ns root (
++ 2000082401 ; serial
++ 1800 ; refresh (30 minutes)
++ 1800 ; retry (30 minutes)
++ 1814400 ; expire (3 weeks)
++ 3600 ; minimum (1 hour)
++ )
++ NS ns
++ TXT "recursed"
++ns A 10.53.0.1
+diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone
+new file mode 100644
+index 0000000000..b655a32459
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/fakenet.zone
+@@ -0,0 +1,17 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++net. SOA . . 0 0 0 0 0
++net. NS attackSecureDomain.net.
++attackSecureDomain.net. A 10.53.0.10
++didItWork.net. TXT "if you can see this record the attack worked"
++ns.spoofed.net. A 10.53.0.10
+diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone
+new file mode 100644
+index 0000000000..cd1e6e9944
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/fakenet2.zone
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++net2. SOA . . 0 0 0 0 0
++net2. NS attackSecureDomain.net.
++net2. DNAME net.example.lll.
+diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone
+new file mode 100644
+index 0000000000..160b5332b2
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++sub.local.net. SOA . . 0 0 0 0 0
++sub.local.net. NS ns.spoofed.net.
++sub.local.net. TXT "if you see this attacker overrode local delegation"
+diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone
+new file mode 100644
+index 0000000000..f78cbc77f6
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++sub.local.tld. 3600 IN SOA . . 0 0 0 0 0
++sub.local.tld. 3600 IN NS ns.sub.local.tld.
++sub.local.tld. 3600 IN TXT bad
++ns.sub.local.tld. 3600 IN A 10.53.0.8
+diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in
+new file mode 100644
+index 0000000000..1f318dd867
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/named.conf.in
+@@ -0,0 +1,53 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.10;
++ notify-source 10.53.0.10;
++ transfer-source 10.53.0.10;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.10; };
++ listen-on-v6 { none; };
++ minimal-responses no;
++};
++
++zone "net." {
++ type master;
++ file "fakenet.zone";
++};
++
++zone "spoofed.net." {
++ type master;
++ file "spoofednet.zone";
++};
++
++zone "sub.local.net." {
++ type master;
++ file "fakesublocalnet.zone";
++};
++
++zone "net2" {
++ type master;
++ file "fakenet2.zone";
++};
++
++zone "net.example.lll" {
++ type master;
++ file "net.example.lll";
++};
++
++zone "sub.local.tld." {
++ type master;
++ file "fakesublocaltld.zone";
++};
+diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll
+new file mode 100644
+index 0000000000..ba0804fd75
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/net.example.lll
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++net.example.lll. SOA . . 0 0 0 0 0
++net.example.lll. NS attackSecureDomain.net.
++didItWork.net.example.lll. TXT "if you can see this record the attack worked"
+diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone
+new file mode 100644
+index 0000000000..fb70a4372b
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/spoofednet.zone
+@@ -0,0 +1,16 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++spoofed.net. SOA . . 0 0 0 0 0
++spoofed.net. NS ns.spoofed.net.
++ns.spoofed.net. A 10.53.0.10
++spoofed.net. TXT "this record is clearly spoofed"
+diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db
+index 61b6569b07..819210dc05 100644
+--- a/bin/tests/system/forward/ns2/tld.db
++++ b/bin/tests/system/forward/ns2/tld.db
+@@ -10,3 +10,9 @@ $TTL 300 ; 5 minutes
+ ns A 10.53.0.2
+ sld NS ns.sld
+ ns.sld A 10.53.0.1
++local NS ns.local
++ns.local A 10.53.0.9
++sibling NS ns.sibling
++ns.sibling A 10.53.0.4
++sibling NS ns.sub.local
++ns.sub.local A 10.53.0.10
+diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in
+index 855b4bfb82..85349aa97e 100644
+--- a/bin/tests/system/forward/ns4/named.conf.in
++++ b/bin/tests/system/forward/ns4/named.conf.in
+@@ -60,3 +60,8 @@ zone "malicious." {
+ type primary;
+ file "malicious.db";
+ };
++
++zone "sibling.tld" {
++ type primary;
++ file "sibling.tld.db";
++};
+diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db
+new file mode 100644
+index 0000000000..fe080ae974
+--- /dev/null
++++ b/bin/tests/system/forward/ns4/sibling.tld.db
+@@ -0,0 +1,22 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++@ IN SOA malicious. admin.malicious. (
++ 1 ; Serial
++ 604800 ; Refresh
++ 86400 ; Retry
++ 2419200 ; Expire
++ 86400 ) ; Negative Cache TTL
++
++@ IN NS ns
++
++ns IN A 10.53.0.4
+diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in
+index 531ff59ece..f752eae885 100644
+--- a/bin/tests/system/forward/ns8/named.conf.in
++++ b/bin/tests/system/forward/ns8/named.conf.in
+@@ -26,3 +26,8 @@ zone "." {
+ type hint;
+ file "root.db";
+ };
++
++zone "sub.local.tld" {
++ type primary;
++ file "sub.local.tld.db";
++};
+diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db
+new file mode 100644
+index 0000000000..f2234c754e
+--- /dev/null
++++ b/bin/tests/system/forward/ns8/sub.local.tld.db
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++sub.local.tld. 3600 IN SOA . . 0 0 0 0 0
++sub.local.tld. 3600 IN NS ns.sub.local.tld.
++sub.local.tld. 3600 IN TXT good
++ns.sub.local.tld. 3600 IN A 10.53.0.8
+diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db
+new file mode 100644
+index 0000000000..af0d2a5a67
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/local.net.db
+@@ -0,0 +1,16 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++local.net. 3600 IN SOA . . 0 0 0 0 0
++local.net. 3600 IN NS localhost.
++ns.local.net. 3600 IN A 10.53.0.9
++txt.local.net. 3600 IN TXT "something in the local auth zone"
++sub.local.net. 3600 IN NS ns.spoofed.net. ; attacker will try to override this
+diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db
+new file mode 100644
+index 0000000000..876a9139da
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/local.tld.db
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++local.tld. 3600 IN SOA . . 0 0 0 0 0
++local.tld. 3600 IN NS localhost.
++sub.local.tld. 3600 IN NS ns.sub.local.tld.
++ns.sub.local.tld. 3600 IN A 10.53.0.8
+diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in
+new file mode 100644
+index 0000000000..be9a43842f
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/named1.conf.in
+@@ -0,0 +1,67 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.9;
++ notify-source 10.53.0.9;
++ transfer-source 10.53.0.9;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.9; };
++ listen-on-v6 { none; };
++ dnssec-validation no;
++ edns-udp-size 1232;
++};
++
++key rndc_key {
++ secret "1234abcd8765";
++ algorithm hmac-sha256;
++};
++
++controls {
++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++server 10.53.0.10 {
++ edns no;
++};
++
++server 10.53.0.11 {
++ edns no;
++};
++
++zone "." {
++ type hint;
++ file "root.db";
++};
++
++zone "attacksecuredomain.net." {
++ type forward;
++ forwarders { 10.53.0.10; };
++};
++
++zone "attacksecuredomain.net2." {
++ type forward;
++ forwarders { 10.53.0.10; };
++};
++
++zone "attacksecuredomain.net3." {
++ type forward;
++ forwarders { 10.53.0.11; };
++};
++
++zone "local.net." {
++ type primary;
++ file "local.net.db";
++ forwarders {};
++};
+diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in
+new file mode 100644
+index 0000000000..2c40b42a0c
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/named2.conf.in
+@@ -0,0 +1,70 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.9;
++ notify-source 10.53.0.9;
++ transfer-source 10.53.0.9;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.9; };
++ listen-on-v6 { none; };
++ dnssec-validation no;
++ edns-udp-size 1232;
++};
++
++key rndc_key {
++ secret "1234abcd8765";
++ algorithm hmac-sha256;
++};
++
++controls {
++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++server 10.53.0.10 {
++ edns no;
++};
++
++server 10.53.0.11 {
++ edns no;
++};
++
++zone "." {
++ type hint;
++ file "root.db";
++};
++
++zone "attacksecuredomain.net." {
++ type forward;
++ forward only;
++ forwarders { 10.53.0.10; };
++};
++
++zone "attacksecuredomain.net2." {
++ type forward;
++ forward only;
++ forwarders { 10.53.0.10; };
++};
++
++zone "attacksecuredomain.net3." {
++ type forward;
++ forward only;
++ forwarders { 10.53.0.11; };
++};
++
++zone "local.net." {
++ type primary;
++ file "local.net.db";
++ forwarders {};
++};
+diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in
+new file mode 100644
+index 0000000000..576f57c10b
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/named3.conf.in
+@@ -0,0 +1,50 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.9;
++ notify-source 10.53.0.9;
++ transfer-source 10.53.0.9;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.9; };
++ listen-on-v6 { none; };
++ dnssec-validation no;
++ edns-udp-size 1232;
++ forward only;
++ forwarders { 10.53.0.10; };
++};
++
++key rndc_key {
++ secret "1234abcd8765";
++ algorithm hmac-sha256;
++};
++
++controls {
++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++server 10.53.0.10 {
++ edns no;
++};
++
++zone "." {
++ type hint;
++ file "root.db";
++};
++
++zone "local.net." {
++ type primary;
++ file "local.net.db";
++ forwarders {};
++};
+diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in
+new file mode 100644
+index 0000000000..5cd7d84109
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/named4.conf.in
+@@ -0,0 +1,47 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.9;
++ notify-source 10.53.0.9;
++ transfer-source 10.53.0.9;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.9; };
++ listen-on-v6 { none; };
++ dnssec-validation no;
++ edns-udp-size 1232;
++};
++
++key rndc_key {
++ secret "1234abcd8765";
++ algorithm hmac-sha256;
++};
++
++controls {
++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++server 10.53.0.10 {
++ edns no;
++};
++
++zone "." {
++ type hint;
++ file "root.db";
++};
++
++zone "local.tld." {
++ type primary;
++ file "local.tld.db";
++};
+diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db
+new file mode 100644
+index 0000000000..2cbdff5977
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/root.db
+@@ -0,0 +1,13 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; SPDX-License-Identifier: MPL-2.0
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++. NS a.root-servers.nil.
++a.root-servers.nil. A 10.53.0.1
+diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh
+index 21cf67b782..a56dd3c03f 100644
+--- a/bin/tests/system/forward/setup.sh
++++ b/bin/tests/system/forward/setup.sh
+@@ -19,6 +19,8 @@ copy_setports ns4/named.conf.in ns4/named.conf
+ copy_setports ns5/named.conf.in ns5/named.conf
+ copy_setports ns7/named.conf.in ns7/named.conf
+ copy_setports ns8/named.conf.in ns8/named.conf
++copy_setports ns9/named1.conf.in ns9/named.conf
++copy_setports ns10/named.conf.in ns10/named.conf
+
+ (
+ cd ns1
+diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
+index 6096b06ca7..dfbaf887f7 100644
+--- a/bin/tests/system/forward/tests.sh
++++ b/bin/tests/system/forward/tests.sh
+@@ -253,5 +253,127 @@ grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
++#
++# Check various spoofed response scenarios. The same tests will be
++# run twice, with "forward first" and "forward only" configurations.
++#
++run_spooftests () {
++ n=$((n+1))
++ echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
++ ret=0
++ # prime
++ dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
++ # check 'net' is not poisoned.
++ dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
++ grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1
++ # check 'sub.local.net' is not poisoned.
++ dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
++ grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1
++ if [ $ret != 0 ]; then echo_i "failed"; fi
++ status=$((status+ret))
++
++ n=$((n+1))
++ echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
++ ret=0
++ # prime
++ dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
++ # check that net2/DNAME is not cached
++ dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
++ grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1
++ grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1
++ if [ $ret != 0 ]; then echo_i "failed"; fi
++ status=$((status+ret))
++
++ n=$((n+1))
++ echo_i "checking spoofed response scenario 3 - extra answer ($n)"
++ ret=0
++ # prime
++ dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1
++ # check extra net3 records are not cached
++ rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
++ for try in 1 2 3 4 5; do
++ lines=$(grep "net3" ns9/named_dump.db | wc -l)
++ if [ ${lines} -eq 0 ]; then
++ sleep 1
++ continue
++ fi
++ [ ${lines} -eq 1 ] || ret=1
++ grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
++ grep -q '^local.net3' ns9/named_dump.db && ret=1
++ done
++ if [ $ret != 0 ]; then echo_i "failed"; fi
++ status=$((status+ret))
++}
++
++echo_i "checking spoofed response scenarios with forward first zones"
++run_spooftests
++
++copy_setports ns9/named2.conf.in ns9/named.conf
++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
++sleep 1
++
++echo_i "rechecking spoofed response scenarios with forward only zones"
++run_spooftests
++
++#
++# This scenario expects the spoofed response to succeed. The tests are
++# similar to the ones above, but not identical.
++#
++echo_i "rechecking spoofed response scenarios with 'forward only' set globally"
++copy_setports ns9/named3.conf.in ns9/named.conf
++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
++sleep 1
++
++n=$((n+1))
++echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
++ret=0
++# prime
++dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
++# check 'net' is poisoned.
++dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
++grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1
++# check 'sub.local.net' is poisoned.
++dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
++grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=$((status+ret))
++
++n=$((n+1))
++echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
++ret=0
++# prime
++dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
++# check that net2/DNAME is cached
++dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
++grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1
++grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=$((status+ret))
++
++#
++# This test doesn't use any forwarder clauses but is here because it
++# is similar to forwarders, as the set of servers that can populate
++# the namespace is defined by the zone content.
++#
++echo_i "rechecking spoofed response scenarios glue below local zone"
++copy_setports ns9/named4.conf.in ns9/named.conf
++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
++sleep 1
++
++n=$((n+1))
++echo_i "checking sibling glue below zone ($n)"
++ret=0
++# prime
++dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1
++# check for glue A record for sub.local.tld is not used
++dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1
++grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1
++grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=$((status+ret))
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
+index e078f3313b..2a4d955caf 100755
+--- a/bin/tests/system/ifconfig.sh
++++ b/bin/tests/system/ifconfig.sh
+@@ -12,10 +12,10 @@
+ #
+ # Set up interface aliases for bind9 system tests.
+ #
+-# IPv4: 10.53.0.{1..10} RFC 1918
++# IPv4: 10.53.0.{1..11} RFC 1918
+ # 10.53.1.{1..2}
+ # 10.53.2.{1..2}
+-# IPv6: fd92:7065:b8e:ffff::{1..10} ULA
++# IPv6: fd92:7065:b8e:ffff::{1..11} ULA
+ # fd92:7065:b8e:99ff::{1..2}
+ # fd92:7065:b8e:ff::{1..2}
+ #
+@@ -55,7 +55,7 @@ case "$1" in
+ 2) ipv6="00" ;;
+ *) ipv6="" ;;
+ esac
+- for ns in 1 2 3 4 5 6 7 8 9 10
++ for ns in 1 2 3 4 5 6 7 8 9 10 11
+ do
+ [ $i -gt 0 -a $ns -gt 2 ] && break
+ int=`expr $i \* 10 + $ns`
+@@ -160,7 +160,7 @@ case "$1" in
+ 2) ipv6="00" ;;
+ *) ipv6="" ;;
+ esac
+- for ns in 10 9 8 7 6 5 4 3 2 1
++ for ns in 11 10 9 8 7 6 5 4 3 2 1
+ do
+ [ $i -gt 0 -a $ns -gt 2 ] && continue
+ int=`expr $i \* 10 + $ns - 1`
+--
+2.34.1
+
diff --git a/bind-9.16-CVE-2021-25220.patch b/bind-9.16-CVE-2021-25220.patch
new file mode 100644
index 0000000..de75ab8
--- /dev/null
+++ b/bind-9.16-CVE-2021-25220.patch
@@ -0,0 +1,251 @@
+From 5b2798e01346cd77741873091babf6c4a3128449 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 19 Jan 2022 17:38:18 +1100
+Subject: [PATCH] Add additional name checks when using a forwarder
+
+When using a forwarder, check that the owner name of response
+records are within the bailiwick of the forwarded name space.
+
+(cherry picked from commit 24155213be59faad17f0215ecf73ea49ab781e5b)
+
+Check that the forward declaration is unchanged and not overridden
+
+If we are using a fowarder, in addition to checking that names to
+be cached are subdomains of the forwarded namespace, we must also
+check that there are no subsidiary forwarded namespaces which would
+take precedence. To be safe, we don't cache any responses if the
+forwarding configuration has changed since the query was sent.
+
+(cherry picked from commit 3fc7accd88cd0890f8f57bb13765876774298ba3)
+
+Check cached names for possible "forward only" clause
+
+When caching additional and glue data *not* from a forwarder, we must
+check that there is no "forward only" clause covering the owner name
+that would take precedence. Such names would normally be allowed by
+baliwick rules, but a "forward only" zone introduces a new baliwick
+scope.
+
+(cherry picked from commit ea06552a3d1fed56f7d3a13710e084ec79797b78)
+
+Look for zones deeper than the current domain or forward name
+
+When caching glue, we need to ensure that there is no closer
+source of truth for the name. If the owner name for the glue
+record would be answered by a locally configured zone, do not
+cache.
+
+(cherry picked from commit 71b24210542730355149130770deea3e58d8527a)
+---
+ lib/dns/resolver.c | 128 +++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 123 insertions(+), 5 deletions(-)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index a7bc661bb7..7603a07b7b 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -63,6 +63,8 @@
+ #include <dns/stats.h>
+ #include <dns/tsig.h>
+ #include <dns/validator.h>
++#include <dns/zone.h>
++
+ #ifdef WANT_QUERYTRACE
+ #define RTRACE(m) \
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, \
+@@ -337,6 +339,8 @@ struct fetchctx {
+ dns_fetch_t *qminfetch;
+ dns_rdataset_t qminrrset;
+ dns_name_t qmindcname;
++ dns_fixedname_t fwdfname;
++ dns_name_t *fwdname;
+
+ /*%
+ * The number of events we're waiting for.
+@@ -3764,6 +3768,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ if (result == ISC_R_SUCCESS) {
+ fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+ fctx->fwdpolicy = forwarders->fwdpolicy;
++ dns_name_copynf(domain, fctx->fwdname);
+ if (fctx->fwdpolicy == dns_fwdpolicy_only &&
+ isstrictsubdomain(domain, &fctx->domain))
+ {
+@@ -5153,6 +5158,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
+ fctx->restarts = 0;
+ fctx->querysent = 0;
+ fctx->referrals = 0;
++
++ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
++
+ TIME_NOW(&fctx->start);
+ fctx->timeouts = 0;
+ fctx->lamecount = 0;
+@@ -5215,6 +5223,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
+ fname, &forwarders);
+ if (result == ISC_R_SUCCESS) {
+ fctx->fwdpolicy = forwarders->fwdpolicy;
++ dns_name_copynf(fname, fctx->fwdname);
+ }
+
+ if (fctx->fwdpolicy != dns_fwdpolicy_only) {
+@@ -7118,6 +7127,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
+ }
+ }
+
++/*
++ * Returns true if 'name' is external to the namespace for which
++ * the server being queried can answer, either because it's not a
++ * subdomain or because it's below a forward declaration or a
++ * locally served zone.
++ */
++static inline bool
++name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
++ isc_result_t result;
++ dns_forwarders_t *forwarders = NULL;
++ dns_fixedname_t fixed, zfixed;
++ dns_name_t *fname = dns_fixedname_initname(&fixed);
++ dns_name_t *zfname = dns_fixedname_initname(&zfixed);
++ dns_name_t *apex = NULL;
++ dns_name_t suffix;
++ dns_zone_t *zone = NULL;
++ unsigned int labels;
++ dns_namereln_t rel;
++
++ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
++
++ /*
++ * The name is outside the queried namespace.
++ */
++ rel = dns_name_fullcompare(name, apex, &(int){ 0 },
++ &(unsigned int){ 0U });
++ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
++ return (true);
++ }
++
++ /*
++ * If the record lives in the parent zone, adjust the name so we
++ * look for the correct zone or forward clause.
++ */
++ labels = dns_name_countlabels(name);
++ if (dns_rdatatype_atparent(type) && labels > 1U) {
++ dns_name_init(&suffix, NULL);
++ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
++ name = &suffix;
++ } else if (rel == dns_namereln_equal) {
++ /* If 'name' is 'apex', no further checking is needed. */
++ return (false);
++ }
++
++ /*
++ * If there is a locally served zone between 'apex' and 'name'
++ * then don't cache.
++ */
++ LOCK(&fctx->res->view->lock);
++ if (fctx->res->view->zonetable != NULL) {
++ unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR;
++ result = dns_zt_find(fctx->res->view->zonetable, name, options,
++ zfname, &zone);
++ if (zone != NULL) {
++ dns_zone_detach(&zone);
++ }
++ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
++ if (dns_name_fullcompare(zfname, apex, &(int){ 0 },
++ &(unsigned int){ 0U }) ==
++ dns_namereln_subdomain)
++ {
++ UNLOCK(&fctx->res->view->lock);
++ return (true);
++ }
++ }
++ }
++ UNLOCK(&fctx->res->view->lock);
++
++ /*
++ * Look for a forward declaration below 'name'.
++ */
++ result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
++ &forwarders);
++
++ if (ISFORWARDER(fctx->addrinfo)) {
++ /*
++ * See if the forwarder declaration is better.
++ */
++ if (result == ISC_R_SUCCESS) {
++ return (!dns_name_equal(fname, fctx->fwdname));
++ }
++
++ /*
++ * If the lookup failed, the configuration must have
++ * changed: play it safe and don't cache.
++ */
++ return (true);
++ } else if (result == ISC_R_SUCCESS &&
++ forwarders->fwdpolicy == dns_fwdpolicy_only &&
++ !ISC_LIST_EMPTY(forwarders->fwdrs))
++ {
++ /*
++ * If 'name' is covered by a 'forward only' clause then we
++ * can't cache this repsonse.
++ */
++ return (true);
++ }
++
++ return (false);
++}
++
+ static isc_result_t
+ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
+ dns_section_t section) {
+@@ -7144,7 +7254,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
+ result = dns_message_findname(rctx->query->rmessage, section, addname,
+ dns_rdatatype_any, 0, &name, NULL);
+ if (result == ISC_R_SUCCESS) {
+- external = !dns_name_issubdomain(name, &fctx->domain);
++ external = name_external(name, type, fctx);
+ if (type == dns_rdatatype_a) {
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+@@ -8768,6 +8878,13 @@ rctx_answer_scan(respctx_t *rctx) {
+ break;
+
+ case dns_namereln_subdomain:
++ /*
++ * Don't accept DNAME from parent namespace.
++ */
++ if (name_external(name, dns_rdatatype_dname, fctx)) {
++ continue;
++ }
++
+ /*
+ * In-scope DNAME records must have at least
+ * as many labels as the domain being queried.
+@@ -9081,13 +9198,11 @@ rctx_authority_positive(respctx_t *rctx) {
+ DNS_SECTION_AUTHORITY);
+ while (!done && result == ISC_R_SUCCESS) {
+ dns_name_t *name = NULL;
+- bool external;
+
+ dns_message_currentname(rctx->query->rmessage,
+ DNS_SECTION_AUTHORITY, &name);
+- external = !dns_name_issubdomain(name, &fctx->domain);
+
+- if (!external) {
++ if (!name_external(name, dns_rdatatype_ns, fctx)) {
+ dns_rdataset_t *rdataset = NULL;
+
+ /*
+@@ -9474,7 +9589,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
+ }
+
+ if (!dns_name_issubdomain(name, &fctx->domain)) {
+- /* Invalid name found; preserve it for logging later */
++ /*
++ * Invalid name found; preserve it for logging
++ * later.
++ */
+ rctx->found_name = name;
+ rctx->found_type = ISC_LIST_HEAD(name->list)->type;
+ continue;
+--
+2.34.1
+
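Review bot: The final resolver.c hunk (rctx_authority_dnssec) only rewraps the comment and keeps `if (!dns_name_issubdomain(name, &fctx->domain))`, while check_section, rctx_answer_scan and rctx_authority_positive in the same patch move to `name_external()`. That leaves one authority-section path judging bailiwick against `fctx->domain` alone, without the forwarder-apex, local-zone and forward-only checks the new helper adds. If this is deliberate, a comment at that test should say so, e.g. `/* Plain subdomain test kept on purpose: <reason>; cached paths use name_external(). */`, with the reason filled in by someone who knows the call path. The function body lies outside the hunk, so this cannot be confirmed from here. Separately, the last comment in name_external() spells `repsonse`.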
diff --git a/bind-9.16-CVE-2022-0396.patch b/bind-9.16-CVE-2022-0396.patch
new file mode 100644
index 0000000..5a374f1
--- /dev/null
+++ b/bind-9.16-CVE-2022-0396.patch
@@ -0,0 +1,81 @@
+From 33064cd077cf6fa386f0a5a840c2161868da7b3a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Tue, 8 Feb 2022 12:42:34 +0100
+Subject: [PATCH] Run .closehandle_cb asynchrounosly in nmhandle_detach_cb()
+
+When sock->closehandle_cb is set, we need to run nmhandle_detach_cb()
+asynchronously to ensure correct order of multiple packets processing in
+the isc__nm_process_sock_buffer(). When not run asynchronously, it
+would cause:
+
+ a) out-of-order processing of the return codes from processbuffer();
+
+ b) stack growth because the next TCP DNS message read callback will
+ be called from within the current TCP DNS message read callback.
+
+The sock->closehandle_cb is set to isc__nm_resume_processing() for TCP
+sockets which calls isc__nm_process_sock_buffer(). If the read callback
+(called from isc__nm_process_sock_buffer()->processbuffer()) doesn't
+attach to the nmhandle (f.e. because it wants to drop the processing or
+we send the response directly via uv_try_write()), the
+isc__nm_resume_processing() (via .closehandle_cb) would call
+isc__nm_process_sock_buffer() recursively.
+
+The below shortened code path shows how the stack can grow:
+
+ 1: ns__client_request(handle, ...);
+ 2: isc_nm_tcpdns_sequential(handle);
+ 3: ns_query_start(client, handle);
+ 4: query_lookup(qctx);
+ 5: query_send(qctcx->client);
+ 6: isc__nmhandle_detach(&client->reqhandle);
+ 7: nmhandle_detach_cb(&handle);
+ 8: sock->closehandle_cb(sock); // isc__nm_resume_processing
+ 9: isc__nm_process_sock_buffer(sock);
+10: processbuffer(sock); // isc__nm_tcpdns_processbuffer
+11: isc_nmhandle_attach(req->handle, &handle);
+12: isc__nm_readcb(sock, req, ISC_R_SUCCESS);
+13: isc__nm_async_readcb(NULL, ...);
+14: uvreq->cb.recv(...); // ns__client_request
+
+Instead, if 'sock->closehandle_cb' is set, we need to run detach the
+handle asynchroniously in 'isc__nmhandle_detach', so that on line 8 in
+the code flow above does not start this recursion. This ensures the
+correct order when processing multiple packets in the function
+'isc__nm_process_sock_buffer()' and prevents the stack growth.
+
+When not run asynchronously, the out-of-order processing leaves the
+first TCP socket open until all requests on the stream have been
+processed.
+
+If the pipelining is disabled on the TCP via `keep-response-order`
+configuration option, named would keep the first socket in lingering
+CLOSE_WAIT state when the client sends an incomplete packet and then
+closes the connection from the client side.
+
+(cherry picked from commit afee2b5a7bc933a2d987907fc327a9f118fdbd17)
+---
+ lib/isc/netmgr/netmgr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
+index 3283eb6e4f..0ed3182fb6 100644
+--- a/lib/isc/netmgr/netmgr.c
++++ b/lib/isc/netmgr/netmgr.c
+@@ -1746,8 +1746,12 @@ isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) {
+ handle = *handlep;
+ *handlep = NULL;
+
++ /*
++ * If the closehandle_cb is set, it needs to run asynchronously to
++ * ensure correct ordering of the isc__nm_process_sock_buffer().
++ */
+ sock = handle->sock;
+- if (sock->tid == isc_nm_tid()) {
++ if (sock->tid == isc_nm_tid() && sock->closehandle_cb == NULL) {
+ nmhandle_detach_cb(&handle FLARG_PASS);
+ } else {
+ isc__netievent_detach_t *event =
+--
+2.34.1
+
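Review bot: The comment added in isc__nmhandle_detach() sits above `sock = handle->sock;` rather than above the condition it explains, and it mentions only ordering, not the re-entrancy that the commit message describes as the cause of the stack growth. I would move it directly over the `if` and word it as `/* closehandle_cb re-enters isc__nm_process_sock_buffer(); when it is set, always detach via the event queue to avoid recursion and out-of-order processing. */`. The rest of the function is outside the hunk.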
diff --git a/bind-9.16-CVE-2022-2795.patch b/bind-9.16-CVE-2022-2795.patch
new file mode 100644
index 0000000..b67c8e9
--- /dev/null
+++ b/bind-9.16-CVE-2022-2795.patch
@@ -0,0 +1,60 @@
+From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered. Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index d2cf14bbc8..73a0ee9f77 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -195,6 +195,12 @@
+ */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT 5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ bool need_alternate = false;
+ bool all_spilled = true;
+ unsigned int no_addresses = 0;
++ unsigned int ns_processed = 0;
+
+ FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+
+@@ -3902,6 +3909,11 @@ normal_nses:
+
+ dns_rdata_reset(&rdata);
+ dns_rdata_freestruct(&ns);
++
++ if (++ns_processed >= NS_PROCESSING_LIMIT) {
++ result = ISC_R_NOMORE;
++ break;
++ }
+ }
+ if (result != ISC_R_NOMORE) {
+ return (result);
+--
+2.37.3
+
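Review bot: When the new cap in fctx_getaddresses() trips, the loop sets `result = ISC_R_NOMORE` and breaks, which is the same value the check right after the loop treats as normal completion, so nothing records that a delegation was cut short. An operator investigating a resolver under this kind of load has no signal that the limit is being hit. A trace or log line before the `break`, e.g. `FCTXTRACE("NS processing limit reached");`, would provide one. The loop header and the rest of the function are outside the hunk, so whether a counter elsewhere already covers this cannot be seen here.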
diff --git a/bind-9.16-CVE-2022-3080.patch b/bind-9.16-CVE-2022-3080.patch
new file mode 100644
index 0000000..998ddf4
--- /dev/null
+++ b/bind-9.16-CVE-2022-3080.patch
@@ -0,0 +1,116 @@
+From 3bcd32572504ac9b92e3c6ec1e2cee3df3b68309 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 20 Sep 2022 11:34:42 +0200
+Subject: [PATCH 2/4] Fix CVE-2022-3080
+
+5960. [security] Fix serve-stale crash that could happen when
+ stale-answer-client-timeout was set to 0 and there was
+ a stale CNAME in the cache for an incoming query.
+ (CVE-2022-3080) [GL #3517]
+---
+ lib/ns/include/ns/query.h | 1 +
+ lib/ns/query.c | 42 ++++++++++++++++++++++++---------------
+ 2 files changed, 27 insertions(+), 16 deletions(-)
+
+diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h
+index 4d48cf6..34b3070 100644
+--- a/lib/ns/include/ns/query.h
++++ b/lib/ns/include/ns/query.h
+@@ -145,6 +145,7 @@ struct query_ctx {
+ bool authoritative; /* authoritative query? */
+ bool want_restart; /* CNAME chain or other
+ * restart needed */
++ bool refresh_rrset; /* stale RRset refresh needed */
+ bool need_wildcardproof; /* wildcard proof needed */
+ bool nxrewrite; /* negative answer from RPZ */
+ bool findcoveringnsec; /* lookup covering NSEC */
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index 249321c..a450cb7 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -5686,7 +5686,6 @@ query_lookup(query_ctx_t *qctx) {
+ bool dbfind_stale = false;
+ bool stale_timeout = false;
+ bool stale_found = false;
+- bool refresh_rrset = false;
+ bool stale_refresh_window = false;
+
+ CCTRACE(ISC_LOG_DEBUG(3), "query_lookup");
+@@ -5868,8 +5867,7 @@ query_lookup(query_ctx_t *qctx) {
+ "%s stale answer used, an attempt to "
+ "refresh the RRset will still be made",
+ namebuf);
+- refresh_rrset = STALE(qctx->rdataset);
+- qctx->client->nodetach = refresh_rrset;
++ qctx->refresh_rrset = STALE(qctx->rdataset);
+ }
+ } else {
+ /*
+@@ -5907,17 +5905,6 @@ query_lookup(query_ctx_t *qctx) {
+
+ result = query_gotanswer(qctx, result);
+
+- if (refresh_rrset) {
+- /*
+- * If we reached this point then it means that we have found a
+- * stale RRset entry in cache and BIND is configured to allow
+- * queries to be answered with stale data if no active RRset
+- * is available, i.e. "stale-anwer-client-timeout 0". But, we
+- * still need to refresh the RRset.
+- */
+- query_refresh_rrset(qctx);
+- }
+-
+ cleanup:
+ return (result);
+ }
+@@ -7737,11 +7724,14 @@ query_addanswer(query_ctx_t *qctx) {
+
+ /*
+ * On normal lookups, clear any rdatasets that were added on a
+- * lookup due to stale-answer-client-timeout.
++ * lookup due to stale-answer-client-timeout. Do not clear if we
++ * are going to refresh the RRset, because the stale contents are
++ * prioritized.
+ */
+ if (QUERY_STALEOK(&qctx->client->query) &&
+- !QUERY_STALETIMEOUT(&qctx->client->query))
++ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset)
+ {
++ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale");
+ query_clear_stale(qctx->client);
+ /*
+ * We can clear the attribute to prevent redundant clearing
+@@ -11457,9 +11447,29 @@ ns_query_done(query_ctx_t *qctx) {
+ /*
+ * Client may have been detached after query_send(), so
+ * we test and store the flag state here, for safety.
++ * If we are refreshing the RRSet, we must not detach from the client
++ * in the query_send(), so we need to override the flag.
+ */
++ if (qctx->refresh_rrset) {
++ qctx->client->nodetach = true;
++ }
+ nodetach = qctx->client->nodetach;
+ query_send(qctx->client);
++
++ if (qctx->refresh_rrset) {
++ /*
++ * If we reached this point then it means that we have found a
++ * stale RRset entry in cache and BIND is configured to allow
++ * queries to be answered with stale data if no active RRset
++ * is available, i.e. "stale-anwer-client-timeout 0". But, we
++ * still need to refresh the RRset. To prevent adding duplicate
++ * RRsets, clear the RRsets from the message before doing the
++ * refresh.
++ */
++ message_clearrdataset(qctx->client->message, 0);
++ query_refresh_rrset(qctx);
++ }
++
+ if (!nodetach) {
+ qctx->detach_client = true;
+ }
+--
+2.37.3
+
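Review bot: The comment block moved into ns_query_done() still names the option as `stale-anwer-client-timeout 0`, while the changelog entry in this same patch spells it `stale-answer-client-timeout`, so a search for the option name misses this comment. Since the block is being rewritten here anyway, correct that line to `is available, i.e. "stale-answer-client-timeout 0". But, we`. ns_query_done() continues outside the hunk.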
diff --git a/bind-9.16-CVE-2022-3094-1.patch b/bind-9.16-CVE-2022-3094-1.patch
new file mode 100644
index 0000000..53f6629
--- /dev/null
+++ b/bind-9.16-CVE-2022-3094-1.patch
@@ -0,0 +1,241 @@
+From 0c0dc08d3ef26b7411cfe089e8144454831e8af5 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Thu, 1 Sep 2022 16:05:04 -0700
+Subject: [PATCH] add an update quota
+
+limit the number of simultaneous DNS UPDATE events that can be
+processed by adding a quota for update and update forwarding.
+this quota currently, arbitrarily, defaults to 100.
+
+also add a statistics counter to record when the update quota
+has been exceeded.
+
+(cherry picked from commit 7c47254a140c3e9cf383cda73c7b6a55c4782826)
+---
+ bin/named/bind9.xsl | 4 +++-
+ bin/named/bind9.xsl.h | 6 +++++-
+ bin/named/statschannel.c | 5 +++--
+ doc/arm/reference.rst | 5 +++++
+ lib/ns/include/ns/server.h | 1 +
+ lib/ns/include/ns/stats.h | 4 +++-
+ lib/ns/server.c | 2 ++
+ lib/ns/update.c | 38 +++++++++++++++++++++++++++++++++++++-
+ 8 files changed, 59 insertions(+), 6 deletions(-)
+
+diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
+index 5078115..194625b 100644
+--- a/bin/named/bind9.xsl
++++ b/bin/named/bind9.xsl
+@@ -12,7 +12,9 @@
+
+ <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" version="1.0">
+ <xsl:output method="html" indent="yes" version="4.0"/>
+- <xsl:template match="statistics[@version=&quot;3.11&quot;]">
++ <!-- the version number **below** must match version in bin/named/statschannel.c -->
++ <!-- don't forget to update "/xml/v<STATS_XML_VERSION_MAJOR>" in the HTTP endpoints listed below -->
++ <xsl:template match="statistics[@version=&quot;3.11.1&quot;]">
+ <html>
+ <head>
+ <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
+diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
+index e30f7f5..b182742 100644
+--- a/bin/named/bind9.xsl.h
++++ b/bin/named/bind9.xsl.h
+@@ -20,7 +20,11 @@ static char xslmsg[] =
+ "<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" "
+ "xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
+ " <xsl:output method=\"html\" indent=\"yes\" version=\"4.0\"/>\n"
+- " <xsl:template match=\"statistics[@version=&quot;3.11&quot;]\">\n"
++ " <!-- the version number **below** must match version in "
++ "bin/named/statschannel.c -->\n"
++ " <!-- don't forget to update \"/xml/v<STATS_XML_VERSION_MAJOR>\" in "
++ "the HTTP endpoints listed below -->\n"
++ " <xsl:template match=\"statistics[@version=&quot;3.11.1&quot;]\">\n"
+ " <html>\n"
+ " <head>\n"
+ " <script type=\"text/javascript\" "
+diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
+index 832ce93..7361ead 100644
+--- a/bin/named/statschannel.c
++++ b/bin/named/statschannel.c
+@@ -335,6 +335,7 @@ init_desc(void) {
+ SET_NSSTATDESC(reclimitdropped,
+ "queries dropped due to recursive client limit",
+ "RecLimitDropped");
++ SET_NSSTATDESC(updatequota, "Update quota exceeded", "UpdateQuota");
+
+ INSIST(i == ns_statscounter_max);
+
+@@ -2007,7 +2008,7 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen,
+ "href=\"/bind9.xsl\""));
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
+ TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
+- ISC_XMLCHAR "3.11"));
++ ISC_XMLCHAR "3.11.1"));
+
+ /* Set common fields for statistics dump */
+ dumparg.type = isc_statsformat_xml;
+@@ -2876,7 +2877,7 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg,
+ /*
+ * These statistics are included no matter which URL we use.
+ */
+- obj = json_object_new_string("1.5");
++ obj = json_object_new_string("1.5.1");
+ CHECKMEM(obj);
+ json_object_object_add(bindstats, "json-stats-version", obj);
+
+diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
+index 2d05aec..25c20d7 100644
+--- a/doc/arm/reference.rst
++++ b/doc/arm/reference.rst
+@@ -6705,6 +6705,11 @@ Name Server Statistics Counters
+ ``UpdateBadPrereq``
+ This indicates the number of dynamic updates rejected due to a prerequisite failure.
+
++``UpdateQuota``
++ This indicates the number of times a dynamic update or update
++ forwarding request was rejected because the number of pending
++ requests exceeded the update quota.
++
+ ``RateDropped``
+ This indicates the number of responses dropped due to rate limits.
+
+diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
+index 6a1f345..0abb579 100644
+--- a/lib/ns/include/ns/server.h
++++ b/lib/ns/include/ns/server.h
+@@ -84,6 +84,7 @@ struct ns_server {
+ isc_quota_t recursionquota;
+ isc_quota_t tcpquota;
+ isc_quota_t xfroutquota;
++ isc_quota_t updquota;
+
+ /*% Test options and other configurables */
+ uint32_t options;
+diff --git a/lib/ns/include/ns/stats.h b/lib/ns/include/ns/stats.h
+index 3c08799..95b15d0 100644
+--- a/lib/ns/include/ns/stats.h
++++ b/lib/ns/include/ns/stats.h
+@@ -106,7 +106,9 @@ enum {
+
+ ns_statscounter_reclimitdropped = 66,
+
+- ns_statscounter_max = 67,
++ ns_statscounter_updatequota = 67,
++
++ ns_statscounter_max = 68,
+ };
+
+ void
+diff --git a/lib/ns/server.c b/lib/ns/server.c
+index a970a28..540bc2e 100644
+--- a/lib/ns/server.c
++++ b/lib/ns/server.c
+@@ -52,6 +52,7 @@ ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
+ isc_quota_init(&sctx->xfroutquota, 10);
+ isc_quota_init(&sctx->tcpquota, 10);
+ isc_quota_init(&sctx->recursionquota, 100);
++ isc_quota_init(&sctx->updquota, 100);
+
+ CHECKFATAL(dns_tkeyctx_create(mctx, &sctx->tkeyctx));
+
+@@ -131,6 +132,7 @@ ns_server_detach(ns_server_t **sctxp) {
+ isc_mem_put(sctx->mctx, altsecret, sizeof(*altsecret));
+ }
+
++ isc_quota_destroy(&sctx->updquota);
+ isc_quota_destroy(&sctx->recursionquota);
+ isc_quota_destroy(&sctx->tcpquota);
+ isc_quota_destroy(&sctx->xfroutquota);
+diff --git a/lib/ns/update.c b/lib/ns/update.c
+index 546b70a..9a8c309 100644
+--- a/lib/ns/update.c
++++ b/lib/ns/update.c
+@@ -1544,6 +1544,19 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
+ update_event_t *event = NULL;
+ isc_task_t *zonetask = NULL;
+
++ result = isc_quota_attach(&client->manager->sctx->updquota,
++ &(isc_quota_t *){ NULL });
++ if (result != ISC_R_SUCCESS) {
++ update_log(client, zone, LOGLEVEL_PROTOCOL,
++ "update failed: too many DNS UPDATEs queued (%s)",
++ isc_result_totext(result));
++ ns_stats_increment(client->manager->sctx->nsstats,
++ ns_statscounter_updatequota);
++ ns_client_drop(client, result);
++ isc_nmhandle_detach(&client->reqhandle);
++ return (DNS_R_DROP);
++ }
++
+ event = (update_event_t *)isc_event_allocate(
+ client->mctx, client, DNS_EVENT_UPDATE, update_action, NULL,
+ sizeof(*event));
+@@ -1676,12 +1689,19 @@ failure:
+ dns_zone_gettype(zone) == dns_zone_mirror);
+ inc_stats(client, zone, ns_statscounter_updaterej);
+ }
++
+ /*
+ * We failed without having sent an update event to the zone.
+ * We are still in the client task context, so we can
+ * simply give an error response without switching tasks.
+ */
+- respond(client, result);
++ if (result == DNS_R_DROP) {
++ ns_client_drop(client, result);
++ isc_nmhandle_detach(&client->reqhandle);
++ } else {
++ respond(client, result);
++ }
++
+ if (zone != NULL) {
+ dns_zone_detach(&zone);
+ }
+@@ -3489,6 +3509,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
+
+ respond(client, uev->result);
+
++ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
+ isc_event_free(&event);
+ isc_nmhandle_detach(&client->updatehandle);
+ }
+@@ -3505,6 +3526,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
+ INSIST(client->nupdates > 0);
+ client->nupdates--;
+ respond(client, DNS_R_SERVFAIL);
++
++ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
+ isc_event_free(&event);
+ isc_nmhandle_detach(&client->updatehandle);
+ }
+@@ -3542,6 +3565,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
+ client->nupdates--;
+ ns_client_sendraw(client, uev->answer);
+ dns_message_detach(&uev->answer);
++
++ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
+ isc_event_free(&event);
+ isc_nmhandle_detach(&client->updatehandle);
+ }
+@@ -3576,6 +3601,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
+ update_event_t *event = NULL;
+ isc_task_t *zonetask = NULL;
+
++ result = isc_quota_attach(&client->manager->sctx->updquota,
++ &(isc_quota_t *){ NULL });
++ if (result != ISC_R_SUCCESS) {
++ update_log(client, zone, LOGLEVEL_PROTOCOL,
++ "update failed: too many DNS UPDATEs queued (%s)",
++ isc_result_totext(result));
++ ns_stats_increment(client->manager->sctx->nsstats,
++ ns_statscounter_updatequota);
++ return (DNS_R_DROP);
++ }
++
+ event = (update_event_t *)isc_event_allocate(
+ client->mctx, client, DNS_EVENT_UPDATE, forward_action, NULL,
+ sizeof(*event));
+--
+2.39.1
+
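Review bot: On quota failure send_update_event() calls `ns_client_drop(client, result)` and `isc_nmhandle_detach(&client->reqhandle)` itself and then returns DNS_R_DROP, and the `failure:` hunk in the same file performs the same two calls when `result == DNS_R_DROP`. The call site is outside the hunk, but if that return value reaches the `failure:` label, the client is dropped and `reqhandle` detached twice, on exactly the overload path this patch introduces. send_forward_event() only logs, counts and returns, so I would make send_update_event() do the same and leave the drop to the caller: delete the two calls and keep `return (DNS_R_DROP);`. If a later patch in the series (the -3 file) restructures this, it is still worth confirming that the tree is never built in this intermediate state.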
diff --git a/bind-9.16-CVE-2022-3094-2.patch b/bind-9.16-CVE-2022-3094-2.patch
new file mode 100644
index 0000000..fe6fb92
--- /dev/null
+++ b/bind-9.16-CVE-2022-3094-2.patch
@@ -0,0 +1,266 @@
+From 7fe2204a2e8952bf892e4a70fea2ef5167e1f509 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Thu, 1 Sep 2022 16:22:46 -0700
+Subject: [PATCH] add a configuration option for the update quota
+
+add an "update-quota" option to configure the update quota.
+
+(cherry picked from commit f57758a7303ad0034ff2ff08eaaf2ef899630f19)
+---
+ bin/named/config.c | 1 +
+ bin/named/named.conf.rst | 9 +++++----
+ bin/named/server.c | 1 +
+ bin/tests/system/checkconf/good.conf | 1 +
+ doc/arm/reference.rst | 7 ++++++-
+ doc/man/named.conf.5in | 9 +++++----
+ doc/misc/master.zoneopt.rst | 2 +-
+ doc/misc/options | 1 +
+ doc/misc/options.active | 1 +
+ doc/misc/options.grammar.rst | 3 ++-
+ doc/misc/slave.zoneopt.rst | 2 +-
+ lib/isccfg/namedconf.c | 1 +
+ 12 files changed, 26 insertions(+), 12 deletions(-)
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index 5fedee84d9..494147015f 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -130,6 +130,7 @@ options {\n\
+ transfers-out 10;\n\
+ transfers-per-ns 2;\n\
+ trust-anchor-telemetry yes;\n\
++ update-quota 100;\n\
+ \n\
+ /* view */\n\
+ allow-new-zones no;\n\
+diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
+index 27eed5ca3e..4c9f9a7370 100644
+--- a/bin/named/named.conf.rst
++++ b/bin/named/named.conf.rst
+@@ -179,7 +179,7 @@ OPTIONS
+ answer-cookie boolean;
+ attach-cache string;
+ auth-nxdomain boolean; // default changed
+- auto-dnssec ( allow | maintain | off );
++ auto-dnssec ( allow | maintain | off );// deprecated
+ automatic-interface-scan boolean;
+ avoid-v4-udp-ports { portrange; ... };
+ avoid-v6-udp-ports { portrange; ... };
+@@ -446,6 +446,7 @@ OPTIONS
+ trust-anchor-telemetry boolean; // experimental
+ try-tcp-refresh boolean;
+ update-check-ksk boolean;
++ update-quota integer;
+ use-alt-transfer-source boolean;
+ use-v4-udp-ports { portrange; ... };
+ use-v6-udp-ports { portrange; ... };
+@@ -584,7 +585,7 @@ VIEW
+ * ) ] [ dscp integer ];
+ attach-cache string;
+ auth-nxdomain boolean; // default changed
+- auto-dnssec ( allow | maintain | off );
++ auto-dnssec ( allow | maintain | off );// deprecated
+ cache-file quoted_string;// deprecated
+ catalog-zones { zone string [ default-masters [ port integer ]
+ [ dscp integer ] { ( remote-servers | ipv4_address [ port
+@@ -859,7 +860,7 @@ VIEW
+ integer | * ) ] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port (
+ integer | * ) ] [ dscp integer ];
+- auto-dnssec ( allow | maintain | off );
++ auto-dnssec ( allow | maintain | off );// deprecated
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+@@ -977,7 +978,7 @@ ZONE
+ ] [ dscp integer ];
+ alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
+ * ) ] [ dscp integer ];
+- auto-dnssec ( allow | maintain | off );
++ auto-dnssec ( allow | maintain | off );// deprecated
+ check-dup-records ( fail | warn | ignore );
+ check-integrity boolean;
+ check-mx ( fail | warn | ignore );
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 20443ff8a9..78a21d62a2 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -8542,6 +8542,7 @@ load_configuration(const char *filename, named_server_t *server,
+ configure_server_quota(maps, "tcp-clients", &server->sctx->tcpquota);
+ configure_server_quota(maps, "recursive-clients",
+ &server->sctx->recursionquota);
++ configure_server_quota(maps, "update-quota", &server->sctx->updquota);
+
+ max = isc_quota_getmax(&server->sctx->recursionquota);
+ if (max > 1000) {
+diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
+index b1f7059acf..0ecdb68e95 100644
+--- a/bin/tests/system/checkconf/good.conf
++++ b/bin/tests/system/checkconf/good.conf
+@@ -75,6 +75,7 @@ options {
+ recursive-clients 3000;
+ serial-query-rate 100;
+ server-id none;
++ update-quota 200;
+ check-names primary warn;
+ check-names secondary ignore;
+ max-cache-size 20000000000000;
+diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
+index 2603d60251..703663d0ba 100644
+--- a/doc/arm/reference.rst
++++ b/doc/arm/reference.rst
+@@ -3151,6 +3151,11 @@ system.
+ value as ``tcp-keepalive-timeout``. This value can be updated at
+ runtime by using ``rndc tcp-timeouts``.
+
++``update-quota``
++ This is the maximum number of simultaneous DNS UPDATE messages that
++ the server will accept for updating local authoritiative zones or
++ forwarding to a primary server. The default is ``100``.
++
+ .. _intervals:
+
+ Periodic Task Intervals
+@@ -6840,7 +6845,7 @@ Name Server Statistics Counters
+ ``UpdateQuota``
+ This indicates the number of times a dynamic update or update
+ forwarding request was rejected because the number of pending
+- requests exceeded the update quota.
++ requests exceeded ``update-quota``.
+
+ ``RateDropped``
+ This indicates the number of responses dropped due to rate limits.
+diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
+index 4c46f47592..c87afa2881 100644
+--- a/doc/man/named.conf.5in
++++ b/doc/man/named.conf.5in
+@@ -231,7 +231,7 @@ options {
+ answer\-cookie boolean;
+ attach\-cache string;
+ auth\-nxdomain boolean; // default changed
+- auto\-dnssec ( allow | maintain | off );
++ auto\-dnssec ( allow | maintain | off );// deprecated
+ automatic\-interface\-scan boolean;
+ avoid\-v4\-udp\-ports { portrange; ... };
+ avoid\-v6\-udp\-ports { portrange; ... };
+@@ -498,6 +498,7 @@ options {
+ trust\-anchor\-telemetry boolean; // experimental
+ try\-tcp\-refresh boolean;
+ update\-check\-ksk boolean;
++ update\-quota integer;
+ use\-alt\-transfer\-source boolean;
+ use\-v4\-udp\-ports { portrange; ... };
+ use\-v6\-udp\-ports { portrange; ... };
+@@ -668,7 +669,7 @@ view string [ class ] {
+ * ) ] [ dscp integer ];
+ attach\-cache string;
+ auth\-nxdomain boolean; // default changed
+- auto\-dnssec ( allow | maintain | off );
++ auto\-dnssec ( allow | maintain | off );// deprecated
+ cache\-file quoted_string;// deprecated
+ catalog\-zones { zone string [ default\-masters [ port integer ]
+ [ dscp integer ] { ( remote\-servers | ipv4_address [ port
+@@ -943,7 +944,7 @@ view string [ class ] {
+ integer | * ) ] [ dscp integer ];
+ alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port (
+ integer | * ) ] [ dscp integer ];
+- auto\-dnssec ( allow | maintain | off );
++ auto\-dnssec ( allow | maintain | off );// deprecated
+ check\-dup\-records ( fail | warn | ignore );
+ check\-integrity boolean;
+ check\-mx ( fail | warn | ignore );
+@@ -1065,7 +1066,7 @@ zone string [ class ] {
+ ] [ dscp integer ];
+ alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer |
+ * ) ] [ dscp integer ];
+- auto\-dnssec ( allow | maintain | off );
++ auto\-dnssec ( allow | maintain | off );// deprecated
+ check\-dup\-records ( fail | warn | ignore );
+ check\-integrity boolean;
+ check\-mx ( fail | warn | ignore );
+diff --git a/doc/misc/master.zoneopt.rst b/doc/misc/master.zoneopt.rst
+index 8fc7e1b4f0..346d59813e 100644
+--- a/doc/misc/master.zoneopt.rst
++++ b/doc/misc/master.zoneopt.rst
+@@ -20,7 +20,7 @@
+ also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+- auto-dnssec ( allow | maintain | off );
++ auto-dnssec ( allow | maintain | off ); // deprecated
+ check-dup-records ( fail | warn | ignore );
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+diff --git a/doc/misc/options b/doc/misc/options
+index f57399499a..0dbcf101e1 100644
+--- a/doc/misc/options
++++ b/doc/misc/options
+@@ -404,6 +404,7 @@ options {
+ trust-anchor-telemetry <boolean>; // experimental
+ try-tcp-refresh <boolean>;
+ update-check-ksk <boolean>;
++ update-quota <integer>;
+ use-alt-transfer-source <boolean>;
+ use-id-pool <boolean>; // ancient
+ use-ixfr <boolean>; // obsolete
+diff --git a/doc/misc/options.active b/doc/misc/options.active
+index 5fc1ab29f4..eb75a86eae 100644
+--- a/doc/misc/options.active
++++ b/doc/misc/options.active
+@@ -363,6 +363,7 @@ options {
+ trust-anchor-telemetry <boolean>; // experimental
+ try-tcp-refresh <boolean>;
+ update-check-ksk <boolean>;
++ update-quota <integer>;
+ use-alt-transfer-source <boolean>;
+ use-v4-udp-ports { <portrange>; ... };
+ use-v6-udp-ports { <portrange>; ... };
+diff --git a/doc/misc/options.grammar.rst b/doc/misc/options.grammar.rst
+index 438072c95c..beef35341a 100644
+--- a/doc/misc/options.grammar.rst
++++ b/doc/misc/options.grammar.rst
+@@ -33,7 +33,7 @@
+ answer-cookie <boolean>;
+ attach-cache <string>;
+ auth-nxdomain <boolean>; // default changed
+- auto-dnssec ( allow | maintain | off );
++ auto-dnssec ( allow | maintain | off ); // deprecated
+ automatic-interface-scan <boolean>;
+ avoid-v4-udp-ports { <portrange>; ... };
+ avoid-v6-udp-ports { <portrange>; ... };
+@@ -300,6 +300,7 @@
+ trust-anchor-telemetry <boolean>; // experimental
+ try-tcp-refresh <boolean>;
+ update-check-ksk <boolean>;
++ update-quota <integer>;
+ use-alt-transfer-source <boolean>;
+ use-v4-udp-ports { <portrange>; ... };
+ use-v6-udp-ports { <portrange>; ... };
+diff --git a/doc/misc/slave.zoneopt.rst b/doc/misc/slave.zoneopt.rst
+index cc72dcbf67..468a7f4d9a 100644
+--- a/doc/misc/slave.zoneopt.rst
++++ b/doc/misc/slave.zoneopt.rst
+@@ -21,7 +21,7 @@
+ also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+- auto-dnssec ( allow | maintain | off );
++ auto-dnssec ( allow | maintain | off ); // deprecated
+ check-names ( fail | warn | ignore );
+ database <string>;
+ dialup ( notify | notify-passive | passive | refresh | <boolean> );
+diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
+index 45de0196bf..6e63d86816 100644
+--- a/lib/isccfg/namedconf.c
++++ b/lib/isccfg/namedconf.c
+@@ -1267,6 +1267,7 @@ static cfg_clausedef_t options_clauses[] = {
+ { "transfers-out", &cfg_type_uint32, 0 },
+ { "transfers-per-ns", &cfg_type_uint32, 0 },
+ { "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
++ { "update-quota", &cfg_type_uint32, 0 },
+ { "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+ { "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+ { "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
+--
+2.39.1
+
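Review bot: The `update-quota` entry added to doc/arm/reference.rst misspells "authoritative" as "authoritiative" and does not say what the server does once the limit is reached. The companion patch in this series logs "too many DNS UPDATEs queued", increments the update-quota statistics counter and returns `DNS_R_DROP`, so the entry could end with `Requests beyond this limit are dropped and counted in the UpdateQuota statistic.` It would also help operators to state how a value of 0 is treated. That is not visible in this patch and should be confirmed against the quota implementation before it is documented.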
diff --git a/bind-9.16-CVE-2022-3094-3.patch b/bind-9.16-CVE-2022-3094-3.patch
new file mode 100644
index 0000000..7b84749
--- /dev/null
+++ b/bind-9.16-CVE-2022-3094-3.patch
@@ -0,0 +1,470 @@
+From 93b8bd39145566053ad8b22cef597146e9175ea4 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Tue, 8 Nov 2022 17:32:41 -0800
+Subject: [PATCH] move update ACL and update-policy checks before quota
+
+check allow-update, update-policy, and allow-update-forwarding before
+consuming quota slots, so that unauthorized clients can't fill the
+quota.
+
+(this moves the access check before the prerequisite check, which
+violates the precise wording of RFC 2136. however, RFC co-author Paul
+Vixie has stated that the RFC is mistaken on this point; it should have
+said that access checking must happen *no later than* the completion of
+prerequisite checks, not that it must happen exactly then.)
+
+(cherry picked from commit 964f559edb5036880b8e463b8f190b9007ee055d)
+---
+ lib/ns/update.c | 335 ++++++++++++++++++++++++++----------------------
+ 1 file changed, 181 insertions(+), 154 deletions(-)
+
+diff --git a/lib/ns/update.c b/lib/ns/update.c
+index 9a8c309..036184b 100644
+--- a/lib/ns/update.c
++++ b/lib/ns/update.c
+@@ -261,6 +261,9 @@ static void
+ forward_done(isc_task_t *task, isc_event_t *event);
+ static isc_result_t
+ add_rr_prepare_action(void *data, rr_t *rr);
++static isc_result_t
++rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
++ const dns_rdata_t *rdata, bool *flag);
+
+ /**************************************************************************/
+
+@@ -333,25 +336,26 @@ inc_stats(ns_client_t *client, dns_zone_t *zone, isc_statscounter_t counter) {
+ static isc_result_t
+ checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
+ dns_acl_t *updateacl, dns_ssutable_t *ssutable) {
++ isc_result_t result;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char classbuf[DNS_RDATACLASS_FORMATSIZE];
+- int level;
+- isc_result_t result;
++ bool update_possible =
++ ((updateacl != NULL && !dns_acl_isnone(updateacl)) ||
++ ssutable != NULL);
+
+ result = ns_client_checkaclsilent(client, NULL, queryacl, true);
+ if (result != ISC_R_SUCCESS) {
++ int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
++
+ dns_name_format(zonename, namebuf, sizeof(namebuf));
+ dns_rdataclass_format(client->view->rdclass, classbuf,
+ sizeof(classbuf));
+
+- level = (updateacl == NULL && ssutable == NULL) ? ISC_LOG_INFO
+- : ISC_LOG_ERROR;
+-
+ ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+ NS_LOGMODULE_UPDATE, level,
+ "update '%s/%s' denied due to allow-query",
+ namebuf, classbuf);
+- } else if (updateacl == NULL && ssutable == NULL) {
++ } else if (!update_possible) {
+ dns_name_format(zonename, namebuf, sizeof(namebuf));
+ dns_rdataclass_format(client->view->rdclass, classbuf,
+ sizeof(classbuf));
+@@ -1543,6 +1547,156 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
+ isc_result_t result = ISC_R_SUCCESS;
+ update_event_t *event = NULL;
+ isc_task_t *zonetask = NULL;
++ dns_ssutable_t *ssutable = NULL;
++ dns_message_t *request = client->message;
++ dns_aclenv_t *env =
++ ns_interfacemgr_getaclenv(client->manager->interface->mgr);
++ dns_rdataclass_t zoneclass;
++ dns_rdatatype_t covers;
++ dns_name_t *zonename = NULL;
++ dns_db_t *db = NULL;
++ dns_dbversion_t *ver = NULL;
++
++ CHECK(dns_zone_getdb(zone, &db));
++ zonename = dns_db_origin(db);
++ zoneclass = dns_db_class(db);
++ dns_zone_getssutable(zone, &ssutable);
++ dns_db_currentversion(db, &ver);
++
++ /*
++ * Update message processing can leak record existence information
++ * so check that we are allowed to query this zone. Additionally,
++ * if we would refuse all updates for this zone, we bail out here.
++ */
++ CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone),
++ dns_zone_getorigin(zone),
++ dns_zone_getupdateacl(zone), ssutable));
++
++ /*
++ * Check requestor's permissions.
++ */
++ if (ssutable == NULL) {
++ CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
++ "update", dns_zone_getorigin(zone), false,
++ false));
++ } else if (client->signer == NULL && !TCPCLIENT(client)) {
++ CHECK(checkupdateacl(client, NULL, "update",
++ dns_zone_getorigin(zone), false, true));
++ }
++
++ if (dns_zone_getupdatedisabled(zone)) {
++ FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
++ "because the zone is frozen. Use "
++ "'rndc thaw' to re-enable updates.");
++ }
++
++ /*
++ * Prescan the update section, checking for updates that
++ * are illegal or violate policy.
++ */
++ for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
++ result == ISC_R_SUCCESS;
++ result = dns_message_nextname(request, DNS_SECTION_UPDATE))
++ {
++ dns_name_t *name = NULL;
++ dns_rdata_t rdata = DNS_RDATA_INIT;
++ dns_ttl_t ttl;
++ dns_rdataclass_t update_class;
++
++ get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
++ &rdata, &covers, &ttl, &update_class);
++
++ if (!dns_name_issubdomain(name, zonename)) {
++ FAILC(DNS_R_NOTZONE, "update RR is outside zone");
++ }
++ if (update_class == zoneclass) {
++ /*
++ * Check for meta-RRs. The RFC2136 pseudocode says
++ * check for ANY|AXFR|MAILA|MAILB, but the text adds
++ * "or any other QUERY metatype"
++ */
++ if (dns_rdatatype_ismeta(rdata.type)) {
++ FAILC(DNS_R_FORMERR, "meta-RR in update");
++ }
++ result = dns_zone_checknames(zone, name, &rdata);
++ if (result != ISC_R_SUCCESS) {
++ FAIL(DNS_R_REFUSED);
++ }
++ } else if (update_class == dns_rdataclass_any) {
++ if (ttl != 0 || rdata.length != 0 ||
++ (dns_rdatatype_ismeta(rdata.type) &&
++ rdata.type != dns_rdatatype_any))
++ {
++ FAILC(DNS_R_FORMERR, "meta-RR in update");
++ }
++ } else if (update_class == dns_rdataclass_none) {
++ if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
++ FAILC(DNS_R_FORMERR, "meta-RR in update");
++ }
++ } else {
++ update_log(client, zone, ISC_LOG_WARNING,
++ "update RR has incorrect class %d",
++ update_class);
++ FAIL(DNS_R_FORMERR);
++ }
++
++ /*
++ * draft-ietf-dnsind-simple-secure-update-01 says
++ * "Unlike traditional dynamic update, the client
++ * is forbidden from updating NSEC records."
++ */
++ if (rdata.type == dns_rdatatype_nsec3) {
++ FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
++ "allowed "
++ "in secure zones");
++ } else if (rdata.type == dns_rdatatype_nsec) {
++ FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
++ "allowed "
++ "in secure zones");
++ } else if (rdata.type == dns_rdatatype_rrsig &&
++ !dns_name_equal(name, zonename))
++ {
++ FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
++ "currently "
++ "not supported in secure zones "
++ "except "
++ "at the apex");
++ }
++
++ if (ssutable != NULL) {
++ isc_netaddr_t netaddr;
++ dst_key_t *tsigkey = NULL;
++ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
++
++ if (client->message->tsigkey != NULL) {
++ tsigkey = client->message->tsigkey->key;
++ }
++
++ if (rdata.type != dns_rdatatype_any) {
++ if (!dns_ssutable_checkrules(
++ ssutable, client->signer, name,
++ &netaddr, TCPCLIENT(client), env,
++ rdata.type, tsigkey))
++ {
++ FAILC(DNS_R_REFUSED, "rejected by "
++ "secure update");
++ }
++ } else {
++ if (!ssu_checkall(db, ver, name, ssutable,
++ client->signer, &netaddr, env,
++ TCPCLIENT(client), tsigkey))
++ {
++ FAILC(DNS_R_REFUSED, "rejected by "
++ "secure update");
++ }
++ }
++ }
++ }
++ if (result != ISC_R_NOMORE) {
++ FAIL(result);
++ }
++
++ update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
+
+ result = isc_quota_attach(&client->manager->sctx->updquota,
+ &(isc_quota_t *){ NULL });
+@@ -1552,9 +1706,7 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
+ isc_result_totext(result));
+ ns_stats_increment(client->manager->sctx->nsstats,
+ ns_statscounter_updatequota);
+- ns_client_drop(client, result);
+- isc_nmhandle_detach(&client->reqhandle);
+- return (DNS_R_DROP);
++ CHECK(DNS_R_DROP);
+ }
+
+ event = (update_event_t *)isc_event_allocate(
+@@ -1571,6 +1723,16 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
+ dns_zone_gettask(zone, &zonetask);
+ isc_task_send(zonetask, ISC_EVENT_PTR(&event));
+
++failure:
++ if (db != NULL) {
++ dns_db_closeversion(db, &ver, false);
++ dns_db_detach(&db);
++ }
++
++ if (ssutable != NULL) {
++ dns_ssutable_detach(&ssutable);
++ }
++
+ return (result);
+ }
+
+@@ -1671,9 +1833,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
+ break;
+ case dns_zone_secondary:
+ case dns_zone_mirror:
+- CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
+- "update forwarding", zonename, true,
+- false));
+ CHECK(send_forward_event(client, zone));
+ break;
+ default:
+@@ -1685,8 +1844,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
+
+ failure:
+ if (result == DNS_R_REFUSED) {
+- INSIST(dns_zone_gettype(zone) == dns_zone_secondary ||
+- dns_zone_gettype(zone) == dns_zone_mirror);
+ inc_stats(client, zone, ns_statscounter_updaterej);
+ }
+
+@@ -2578,7 +2735,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
+ dns_rdatatype_t covers;
+ dns_message_t *request = client->message;
+ dns_rdataclass_t zoneclass;
+- dns_name_t *zonename;
++ dns_name_t *zonename = NULL;
+ dns_ssutable_t *ssutable = NULL;
+ dns_fixedname_t tmpnamefixed;
+ dns_name_t *tmpname = NULL;
+@@ -2590,8 +2747,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
+ dns_ttl_t maxttl = 0;
+ uint32_t maxrecords;
+ uint64_t records;
+- dns_aclenv_t *env =
+- ns_interfacemgr_getaclenv(client->manager->interface->mgr);
+
+ INSIST(event->ev_type == DNS_EVENT_UPDATE);
+
+@@ -2602,14 +2757,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
+ zonename = dns_db_origin(db);
+ zoneclass = dns_db_class(db);
+ dns_zone_getssutable(zone, &ssutable);
+-
+- /*
+- * Update message processing can leak record existence information
+- * so check that we are allowed to query this zone. Additionally
+- * if we would refuse all updates for this zone we bail out here.
+- */
+- CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
+- dns_zone_getupdateacl(zone), ssutable));
++ options = dns_zone_getoptions(zone);
+
+ /*
+ * Get old and new versions now that queryacl has been checked.
+@@ -2745,135 +2893,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
+
+ update_log(client, zone, LOGLEVEL_DEBUG, "prerequisites are OK");
+
+- /*
+- * Check Requestor's Permissions. It seems a bit silly to do this
+- * only after prerequisite testing, but that is what RFC2136 says.
+- */
+- if (ssutable == NULL) {
+- CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
+- "update", zonename, false, false));
+- } else if (client->signer == NULL && !TCPCLIENT(client)) {
+- CHECK(checkupdateacl(client, NULL, "update", zonename, false,
+- true));
+- }
+-
+- if (dns_zone_getupdatedisabled(zone)) {
+- FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
+- "because the zone is frozen. Use "
+- "'rndc thaw' to re-enable updates.");
+- }
+-
+- /*
+- * Perform the Update Section Prescan.
+- */
+-
+- for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
+- result == ISC_R_SUCCESS;
+- result = dns_message_nextname(request, DNS_SECTION_UPDATE))
+- {
+- dns_name_t *name = NULL;
+- dns_rdata_t rdata = DNS_RDATA_INIT;
+- dns_ttl_t ttl;
+- dns_rdataclass_t update_class;
+- get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
+- &rdata, &covers, &ttl, &update_class);
+-
+- if (!dns_name_issubdomain(name, zonename)) {
+- FAILC(DNS_R_NOTZONE, "update RR is outside zone");
+- }
+- if (update_class == zoneclass) {
+- /*
+- * Check for meta-RRs. The RFC2136 pseudocode says
+- * check for ANY|AXFR|MAILA|MAILB, but the text adds
+- * "or any other QUERY metatype"
+- */
+- if (dns_rdatatype_ismeta(rdata.type)) {
+- FAILC(DNS_R_FORMERR, "meta-RR in update");
+- }
+- result = dns_zone_checknames(zone, name, &rdata);
+- if (result != ISC_R_SUCCESS) {
+- FAIL(DNS_R_REFUSED);
+- }
+- } else if (update_class == dns_rdataclass_any) {
+- if (ttl != 0 || rdata.length != 0 ||
+- (dns_rdatatype_ismeta(rdata.type) &&
+- rdata.type != dns_rdatatype_any))
+- {
+- FAILC(DNS_R_FORMERR, "meta-RR in update");
+- }
+- } else if (update_class == dns_rdataclass_none) {
+- if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
+- FAILC(DNS_R_FORMERR, "meta-RR in update");
+- }
+- } else {
+- update_log(client, zone, ISC_LOG_WARNING,
+- "update RR has incorrect class %d",
+- update_class);
+- FAIL(DNS_R_FORMERR);
+- }
+-
+- /*
+- * draft-ietf-dnsind-simple-secure-update-01 says
+- * "Unlike traditional dynamic update, the client
+- * is forbidden from updating NSEC records."
+- */
+- if (rdata.type == dns_rdatatype_nsec3) {
+- FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
+- "allowed "
+- "in secure zones");
+- } else if (rdata.type == dns_rdatatype_nsec) {
+- FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
+- "allowed "
+- "in secure zones");
+- } else if (rdata.type == dns_rdatatype_rrsig &&
+- !dns_name_equal(name, zonename)) {
+- FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
+- "currently "
+- "not supported in secure zones "
+- "except "
+- "at the apex");
+- }
+-
+- if (ssutable != NULL) {
+- isc_netaddr_t netaddr;
+- dst_key_t *tsigkey = NULL;
+- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+-
+- if (client->message->tsigkey != NULL) {
+- tsigkey = client->message->tsigkey->key;
+- }
+-
+- if (rdata.type != dns_rdatatype_any) {
+- if (!dns_ssutable_checkrules(
+- ssutable, client->signer, name,
+- &netaddr, TCPCLIENT(client), env,
+- rdata.type, tsigkey))
+- {
+- FAILC(DNS_R_REFUSED, "rejected by "
+- "secure update");
+- }
+- } else {
+- if (!ssu_checkall(db, ver, name, ssutable,
+- client->signer, &netaddr, env,
+- TCPCLIENT(client), tsigkey))
+- {
+- FAILC(DNS_R_REFUSED, "rejected by "
+- "secure update");
+- }
+- }
+- }
+- }
+- if (result != ISC_R_NOMORE) {
+- FAIL(result);
+- }
+-
+- update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
+-
+ /*
+ * Process the Update Section.
+ */
+
+- options = dns_zone_getoptions(zone);
+ for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(request, DNS_SECTION_UPDATE))
+@@ -3307,10 +3330,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
+ if (result == ISC_R_SUCCESS && records > maxrecords) {
+ update_log(client, zone, ISC_LOG_ERROR,
+ "records in zone (%" PRIu64 ") "
+- "exceeds"
+- " max-"
+- "records"
+- " (%u)",
++ "exceeds max-records (%u)",
+ records, maxrecords);
+ result = DNS_R_TOOMANYRECORDS;
+ goto failure;
+@@ -3601,6 +3621,13 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
+ update_event_t *event = NULL;
+ isc_task_t *zonetask = NULL;
+
++ result = checkupdateacl(client, dns_zone_getforwardacl(zone),
++ "update forwarding", dns_zone_getorigin(zone),
++ true, false);
++ if (result != ISC_R_SUCCESS) {
++ return (result);
++ }
++
+ result = isc_quota_attach(&client->manager->sctx->updquota,
+ &(isc_quota_t *){ NULL });
+ if (result != ISC_R_SUCCESS) {
+--
+2.39.1
+
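Review bot: In `send_update_event` the update-policy prescan runs against the version returned by `dns_db_currentversion()` when the request is queued, while the update is applied later by `update_action` on the zone task, and nothing in the new code documents that gap. In the `dns_rdatatype_any` branch `ssu_checkall()` is handed `db` and `ver`, so its answer presumably depends on which rrsets exist at the name in that version. An update queued ahead of this one could change them before it is applied, which is worth confirming. A comment above the prescan such as `/* Authorization is decided against the version current at enqueue time; update_action does not repeat it. */` would make the assumption explicit. Both functions start and end outside the visible inner hunks.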
diff --git a/bind-9.16-CVE-2022-3094-test.patch b/bind-9.16-CVE-2022-3094-test.patch
new file mode 100644
index 0000000..37b64de
--- /dev/null
+++ b/bind-9.16-CVE-2022-3094-test.patch
@@ -0,0 +1,272 @@
+From 630529ea7d4587703008de1465021bdde2a3a971 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Wed, 9 Nov 2022 21:56:16 -0800
+Subject: [PATCH] test failure conditions
+
+verify that updates are refused when the client is disallowed by
+allow-query, and update forwarding is refused when the client is
+is disallowed by update-forwarding.
+
+verify that "too many DNS UPDATEs" appears in the log file when too
+many simultaneous updates are processing.
+
+(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
+---
+ bin/tests/system/nsupdate/ns1/named.conf.in | 2 +
+ bin/tests/system/nsupdate/tests.sh | 28 +++++++++++++
+ bin/tests/system/upforwd/clean.sh | 2 +
+ .../ns3/{named.conf.in => named1.conf.in} | 13 ++++--
+ bin/tests/system/upforwd/ns3/named2.conf.in | 41 +++++++++++++++++++
+ bin/tests/system/upforwd/setup.sh | 2 +-
+ bin/tests/system/upforwd/tests.sh | 39 ++++++++++++++++++
+ 7 files changed, 123 insertions(+), 4 deletions(-)
+ rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (78%)
+ create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
+
+diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
+index 436c97d..83fe884 100644
+--- a/bin/tests/system/nsupdate/ns1/named.conf.in
++++ b/bin/tests/system/nsupdate/ns1/named.conf.in
+@@ -21,6 +21,7 @@ options {
+ recursion no;
+ notify yes;
+ minimal-responses no;
++ update-quota 1;
+ };
+
+ acl named-acl {
+@@ -81,6 +82,7 @@ zone "other.nil" {
+ check-integrity no;
+ check-mx warn;
+ update-policy local;
++ allow-query { !10.53.0.2; any; };
+ allow-query-on { 10.53.0.1; 127.0.0.1; };
+ allow-transfer { any; };
+ };
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index b5f562f..13ba577 100755
+--- a/bin/tests/system/nsupdate/tests.sh
++++ b/bin/tests/system/nsupdate/tests.sh
+@@ -1268,6 +1268,34 @@ END
+ grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
++n=$((n + 1))
++ret=0
++echo_i "check that update is rejected if query is not allowed ($n)"
++{
++ $NSUPDATE -d <<END
++ local 10.53.0.2
++ server 10.53.0.1 ${PORT}
++ update add reject.other.nil 3600 IN TXT Whatever
++ send
++END
++} > nsupdate.out.test$n 2>&1
++grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
++n=$((n + 1))
++ret=0
++echo_i "check that update is rejected if quota is exceeded ($n)"
++for loop in 1 2 3 4 5 6 7 8 9 10; do
++{
++ $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
++ update add txt-$loop.other.nil 3600 IN TXT Whatever
++ send
++END
++} &
++done
++wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
+ if ! $FEATURETEST --gssapi ; then
+ echo_i "SKIPPED: GSSAPI tests"
+ else
+diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
+index 2025252..12311df 100644
+--- a/bin/tests/system/upforwd/clean.sh
++++ b/bin/tests/system/upforwd/clean.sh
+@@ -29,3 +29,5 @@ rm -f keyname keyname.err
+ rm -f ns*/named.lock
+ rm -f ns1/example2.db
+ rm -f ns*/managed-keys.bind*
++rm -f nsupdate.out.*
++rm -f ns*/named.run.prev
+diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
+similarity index 78%
+rename from bin/tests/system/upforwd/ns3/named.conf.in
+rename to bin/tests/system/upforwd/ns3/named1.conf.in
+index 7bd13d3..2f690ff 100644
+--- a/bin/tests/system/upforwd/ns3/named.conf.in
++++ b/bin/tests/system/upforwd/ns3/named1.conf.in
+@@ -28,20 +28,27 @@ key rndc_key {
+ };
+
+ controls {
+- inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+ };
+
+ zone "example" {
+ type secondary;
+ file "example.bk";
+- allow-update-forwarding { any; };
++ allow-update-forwarding { 10.53.0.1; };
+ primaries { 10.53.0.1; };
+ };
+
+ zone "example2" {
+ type secondary;
+ file "example2.bk";
+- allow-update-forwarding { any; };
++ allow-update-forwarding { 10.53.0.1; };
++ primaries { 10.53.0.1; };
++};
++
++zone "example3" {
++ type secondary;
++ file "example3.bk";
++ allow-update-forwarding { 10.53.0.1; };
+ primaries { 10.53.0.1; };
+ };
+
+diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
+new file mode 100644
+index 0000000..86d7469
+--- /dev/null
++++ b/bin/tests/system/upforwd/ns3/named2.conf.in
+@@ -0,0 +1,41 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * SPDX-License-Identifier: MPL-2.0
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.3;
++ notify-source 10.53.0.3;
++ transfer-source 10.53.0.3;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.3; };
++ listen-on-v6 { none; };
++ recursion no;
++ notify yes;
++ update-quota 1;
++};
++
++key rndc_key {
++ secret "1234abcd8765";
++ algorithm @DEFAULT_HMAC@;
++};
++
++controls {
++ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++zone "example" {
++ type secondary;
++ file "example.bk";
++ allow-update-forwarding { any; };
++ primaries { 10.53.0.1; };
++};
+diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
+index e748078..88ab28d 100644
+--- a/bin/tests/system/upforwd/setup.sh
++++ b/bin/tests/system/upforwd/setup.sh
+@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
+
+ copy_setports ns1/named.conf.in ns1/named.conf
+ copy_setports ns2/named.conf.in ns2/named.conf
+-copy_setports ns3/named.conf.in ns3/named.conf
++copy_setports ns3/named1.conf.in ns3/named.conf
+
+ if $FEATURETEST --enable-dnstap
+ then
+diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
+index 8062d68..20fc46f 100644
+--- a/bin/tests/system/upforwd/tests.sh
++++ b/bin/tests/system/upforwd/tests.sh
+@@ -80,6 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+ echo_i "updating zone (signed) ($n)"
+ ret=0
+ $NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
++local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add updated.example. 600 A 10.10.10.1
+ update add updated.example. 600 TXT Foo
+@@ -138,6 +139,7 @@ fi
+ echo_i "updating zone (unsigned) ($n)"
+ ret=0
+ $NSUPDATE -- - <<EOF || ret=1
++local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add unsigned.example. 600 A 10.10.10.1
+ update add unsigned.example. 600 TXT Foo
+@@ -194,6 +196,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
+ do
+ (
+ $NSUPDATE -- - <<EOF
++local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ zone nomaster
+ update add unsigned.nomaster. 600 A 10.10.10.1
+@@ -225,6 +228,7 @@ then
+ ret=0
+ keyname=`cat keyname`
+ $NSUPDATE -k $keyname.private -- - <<EOF
++ local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ zone example2
+ update add unsigned.example2. 600 A 10.10.10.1
+@@ -249,5 +253,40 @@ EOF
+ fi
+ fi
+
++echo_i "attempting an update that should be rejected by ACL ($n)"
++ret=0
++{
++ $NSUPDATE -- - << EOF
++ local 10.53.0.2
++ server 10.53.0.3 ${PORT}
++ update add another.unsigned.example. 600 A 10.10.10.2
++ update add another.unsigned.example. 600 TXT Bar
++ send
++EOF
++} > nsupdate.out.$n 2>&1
++grep REFUSED nsupdate.out.$n > /dev/null || ret=1
++if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
++n=`expr $n + 1`
++
++n=$((n + 1))
++ret=0
++echo_i "attempting updates that should exceed quota ($n)"
++# lower the update quota to 1.
++copy_setports ns3/named2.conf.in ns3/named.conf
++rndc_reconfig ns3 10.53.0.3
++nextpart ns3/named.run > /dev/null
++for loop in 1 2 3 4 5 6 7 8 9 10; do
++{
++ $NSUPDATE -- - > /dev/null 2>&1 <<END
++ local 10.53.0.1
++ server 10.53.0.3 ${PORT}
++ update add txt-$loop.unsigned.example 300 IN TXT Whatever
++ send
++END
++} &
++done
++wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
++[ $ret = 0 ] || { echo_i "failed"; status=1; }
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+--
+2.39.1
+
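Review bot: Both new quota tests start ten `$NSUPDATE` jobs with `&` and move on after `wait_for_log` without reaping them. In bin/tests/system/nsupdate/tests.sh the GSSAPI block that follows can therefore start while those updates are still in flight against a server configured with `update-quota 1`. A bare `wait` after each `wait_for_log 10 "too many DNS UPDATEs queued" ...` line would keep later updates from being dropped by the quota. Separately, in bin/tests/system/upforwd/tests.sh the ACL test ends with an `expr`-based increment of `n` and the quota test then opens with `n=$((n + 1))`, so one test number is skipped. Dropping one of the two increments fixes that.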
diff --git a/bind-9.16-CVE-2022-3736.patch b/bind-9.16-CVE-2022-3736.patch
new file mode 100644
index 0000000..606c22f
--- /dev/null
+++ b/bind-9.16-CVE-2022-3736.patch
@@ -0,0 +1,53 @@
+From 1b6590eafce064cbf70f5afc2fe4d6f1bfdc3804 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 27 Oct 2022 13:22:11 +1100
+Subject: [PATCH] Move the mapping of SIG and RRSIG to ANY
+
+dns_db_findext() asserts if RRSIG is passed to it and
+query_lookup_stale() failed to map RRSIG to ANY to prevent this. To
+avoid cases like this in the future, move the mapping of SIG and RRSIG
+to ANY for qctx->type to qctx_init().
+
+(cherry picked from commit 56eae064183488bcf7ff08c3edf59f2e1742c1b6)
+---
+ lib/ns/query.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index a450cb7..f66bab4 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -5103,6 +5103,15 @@ qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype,
+ qctx->result = ISC_R_SUCCESS;
+ qctx->findcoveringnsec = qctx->view->synthfromdnssec;
+
++ /*
++ * If it's an RRSIG or SIG query, we'll iterate the node.
++ */
++ if (qctx->qtype == dns_rdatatype_rrsig ||
++ qctx->qtype == dns_rdatatype_sig)
++ {
++ qctx->type = dns_rdatatype_any;
++ }
++
+ CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx);
+ }
+
+@@ -5243,14 +5252,6 @@ query_setup(ns_client_t *client, dns_rdatatype_t qtype) {
+
+ CALL_HOOK(NS_QUERY_SETUP, &qctx);
+
+- /*
+- * If it's a SIG query, we'll iterate the node.
+- */
+- if (qctx.qtype == dns_rdatatype_rrsig ||
+- qctx.qtype == dns_rdatatype_sig) {
+- qctx.type = dns_rdatatype_any;
+- }
+-
+ /*
+ * Check SERVFAIL cache
+ */
+--
+2.39.1
+
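Review bot: The comment added in qctx_init() (`If it's an RRSIG or SIG query, we'll iterate the node.`) does not record why the mapping has to live here, which is the point of the move. Going by the patch description, dns_db_findext() asserts when handed RRSIG and query_lookup_stale() reached it without the mapping, so I would word it as `/* Map RRSIG/SIG to ANY for every qctx user: dns_db_findext() asserts on RRSIG, and query_lookup_stale() was reaching it unmapped. */`. The block reads `qctx->qtype` and writes `qctx->type`, so it relies on both being assigned earlier in qctx_init(), which starts outside this hunk. The patch touches only lib/ns/query.c; a regression test covering RRSIG queries on the stale-answer path would keep the assertion from coming back on a later rebase.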
diff --git a/bind-9.16-CVE-2022-38177.patch b/bind-9.16-CVE-2022-38177.patch
new file mode 100644
index 0000000..e510079
--- /dev/null
+++ b/bind-9.16-CVE-2022-38177.patch
@@ -0,0 +1,27 @@
+From df8222fb189708199a185f73543b6e0602c1c72f Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 20 Sep 2022 11:21:45 +0200
+Subject: [PATCH 3/4] Fix CVE-2022-38177
+
+5961. [security] Fix memory leak in ECDSA verify processing.
+ (CVE-2022-38177) [GL #3487]
+---
+ lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index ce4c8c4..3847896 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -228,7 +228,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ }
+
+ if (sig->length != siglen) {
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+ }
+
+ if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) {
+--
+2.37.3
+
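Review bot: Replacing `return` with `DST_RET` on the length-mismatch path is a complete fix only if every exit after the first allocation in opensslecdsa_verify() goes through the cleanup code, and that cannot be confirmed from the few context lines here; the function starts and ends outside the hunk. When refreshing this patch, check that no bare `return (` remains between the allocations and the cleanup label. The same applies to the two replacements in openssleddsa_verify() in bind-9.16-CVE-2022-38178.patch. A short comment on the changed line, such as `/* resources are already allocated here: leave through cleanup, never return directly */`, would stop a later edit from reintroducing the early return on the wrong-length path.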
diff --git a/bind-9.16-CVE-2022-38178.patch b/bind-9.16-CVE-2022-38178.patch
new file mode 100644
index 0000000..fecd526
--- /dev/null
+++ b/bind-9.16-CVE-2022-38178.patch
@@ -0,0 +1,32 @@
+From 132ef295b8407f91e6922f4dfc4f30f1790b61c5 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 20 Sep 2022 11:22:47 +0200
+Subject: [PATCH 4/4] Fix CVE-2022-38178
+
+5962. [security] Fix memory leak in EdDSA verify processing.
+ (CVE-2022-38178) [GL #3487]
+---
+ lib/dns/openssleddsa_link.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
+index 6a6a74d..3157011 100644
+--- a/lib/dns/openssleddsa_link.c
++++ b/lib/dns/openssleddsa_link.c
+@@ -234,11 +234,11 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ }
+ #endif /* if HAVE_OPENSSL_ED448 */
+ if (siglen == 0) {
+- return (ISC_R_NOTIMPLEMENTED);
++ DST_RET(ISC_R_NOTIMPLEMENTED);
+ }
+
+ if (sig->length != siglen) {
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+ }
+
+ isc_buffer_usedregion(buf, &tbsreg);
+--
+2.37.3
+
diff --git a/bind-9.16-CVE-2022-3924.patch b/bind-9.16-CVE-2022-3924.patch
new file mode 100644
index 0000000..5a7d879
--- /dev/null
+++ b/bind-9.16-CVE-2022-3924.patch
@@ -0,0 +1,128 @@
+From 20424b3bfe8d3fae92c11a30e79aeffd26dc2891 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan <aram@isc.org>
+Date: Mon, 14 Nov 2022 12:18:06 +0000
+Subject: [PATCH] Cancel all fetch events in dns_resolver_cancelfetch()
+
+Although 'dns_fetch_t' fetch can have two associated events, one for
+each of 'DNS_EVENT_FETCHDONE' and 'DNS_EVENT_TRYSTALE' types, the
+dns_resolver_cancelfetch() function is designed in a way that it
+expects only one existing event, which it must cancel, and when it
+happens so that 'stale-answer-client-timeout' is enabled and there
+are two events, only one of them is canceled, and it results in an
+assertion in dns_resolver_destroyfetch(), when it finds a dangling
+event.
+
+Change the logic of dns_resolver_cancelfetch() function so that it
+cancels both the events (if they exist), and in the right order.
+
+(cherry picked from commit ec2098ca35039e4f81fd0aa7c525eb960b8f47bf)
+---
+ lib/dns/resolver.c | 53 +++++++++++++++++++++++++++++++++++-----------
+ lib/ns/query.c | 4 +++-
+ 2 files changed, 44 insertions(+), 13 deletions(-)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 18585b5..7cbfbb2 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -11254,8 +11254,9 @@ void
+ dns_resolver_cancelfetch(dns_fetch_t *fetch) {
+ fetchctx_t *fctx;
+ dns_resolver_t *res;
+- dns_fetchevent_t *event, *next_event;
+- isc_task_t *etask;
++ dns_fetchevent_t *event = NULL;
++ dns_fetchevent_t *event_trystale = NULL;
++ dns_fetchevent_t *event_fetchdone = NULL;
+
+ REQUIRE(DNS_FETCH_VALID(fetch));
+ fctx = fetch->private;
+@@ -11267,32 +11268,60 @@ dns_resolver_cancelfetch(dns_fetch_t *fetch) {
+ LOCK(&res->buckets[fctx->bucketnum].lock);
+
+ /*
+- * Find the completion event for this fetch (as opposed
++ * Find the events for this fetch (as opposed
+ * to those for other fetches that have joined the same
+- * fctx) and send it with result = ISC_R_CANCELED.
++ * fctx) and send them with result = ISC_R_CANCELED.
+ */
+- event = NULL;
+ if (fctx->state != fetchstate_done) {
++ dns_fetchevent_t *next_event = NULL;
+ for (event = ISC_LIST_HEAD(fctx->events); event != NULL;
+ event = next_event) {
+ next_event = ISC_LIST_NEXT(event, ev_link);
+ if (event->fetch == fetch) {
+ ISC_LIST_UNLINK(fctx->events, event, ev_link);
+- break;
++ switch (event->ev_type) {
++ case DNS_EVENT_TRYSTALE:
++ INSIST(event_trystale == NULL);
++ event_trystale = event;
++ break;
++ case DNS_EVENT_FETCHDONE:
++ INSIST(event_fetchdone == NULL);
++ event_fetchdone = event;
++ break;
++ default:
++ ISC_UNREACHABLE();
++ }
++ if (event_trystale != NULL &&
++ event_fetchdone != NULL)
++ {
++ break;
++ }
+ }
+ }
+ }
+- if (event != NULL) {
+- etask = event->ev_sender;
+- event->ev_sender = fctx;
+- event->result = ISC_R_CANCELED;
+- isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event));
++
++ /*
++ * The "trystale" event must be sent before the "fetchdone" event,
++ * because the latter clears the "recursing" query attribute, which is
++ * required by both events (handled by the same callback function).
++ */
++ if (event_trystale != NULL) {
++ isc_task_t *etask = event_trystale->ev_sender;
++ event_trystale->ev_sender = fctx;
++ event_trystale->result = ISC_R_CANCELED;
++ isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event_trystale));
+ }
++ if (event_fetchdone != NULL) {
++ isc_task_t *etask = event_fetchdone->ev_sender;
++ event_fetchdone->ev_sender = fctx;
++ event_fetchdone->result = ISC_R_CANCELED;
++ isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event_fetchdone));
++ }
++
+ /*
+ * The fctx continues running even if no fetches remain;
+ * the answer is still cached.
+ */
+-
+ UNLOCK(&res->buckets[fctx->bucketnum].lock);
+ }
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index f66bab4..4f61374 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -6021,7 +6021,9 @@ fetch_callback(isc_task_t *task, isc_event_t *event) {
+ CTRACE(ISC_LOG_DEBUG(3), "fetch_callback");
+
+ if (event->ev_type == DNS_EVENT_TRYSTALE) {
+- query_lookup_stale(client);
++ if (devent->result != ISC_R_CANCELED) {
++ query_lookup_stale(client);
++ }
+ isc_event_free(ISC_EVENT_PTR(&event));
+ return;
+ }
+--
+2.39.1
+
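Review bot: The `default:` arm of the new switch in dns_resolver_cancelfetch() calls only `ISC_UNREACHABLE();`, and it does so after the event has already been unlinked from `fctx->events`. The macro's definition is not on this page. If in this 9.16.23 tree it expands to a bare compiler hint rather than an assertion, an unexpected `ev_type` becomes undefined behaviour instead of a clean abort, and the unlinked event is neither sent nor freed. Writing the arm as `INSIST(0);` followed by `ISC_UNREACHABLE();` keeps the failure mode consistent with the two `INSIST(... == NULL)` checks beside it.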
diff --git a/bind-9.16-redhat_doc.patch b/bind-9.16-redhat_doc.patch
new file mode 100644
index 0000000..ef76e16
--- /dev/null
+++ b/bind-9.16-redhat_doc.patch
@@ -0,0 +1,60 @@
+From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 17 Jun 2020 23:17:13 +0200
+Subject: [PATCH] Update man named with Red Hat specifics
+
+This is almost unmodified text and requires revalidation. Some of those
+statements are no longer correct.
+---
+ bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/bin/named/named.rst b/bin/named/named.rst
+index 6fd8f87..3cd6350 100644
+--- a/bin/named/named.rst
++++ b/bin/named/named.rst
+@@ -228,6 +228,41 @@ Files
+ ``/var/run/named/named.pid``
+ The default process-id file.
+
++Notes
++~~~~~
++
++**Red Hat SELinux BIND Security Profile:**
++
++By default, Red Hat ships BIND with the most secure SELinux policy
++that will not prevent normal BIND operation and will prevent exploitation
++of all known BIND security vulnerabilities. See the selinux(8) man page
++for information about SElinux.
++
++It is not necessary to run named in a chroot environment if the Red Hat
++SELinux policy for named is enabled. When enabled, this policy is far
++more secure than a chroot environment. Users are recommended to enable
++SELinux and remove the bind-chroot package.
++
++*With this extra security comes some restrictions:*
++
++By default, the SELinux policy does not allow named to write outside directory
++/var/named. That directory used to be read-only for named, but write access is
++enabled by default now.
++
++The "named" group must be granted read privelege to
++these files in order for named to be enabled to read them.
++Any file updated by named must be writeable by named user or named group.
++
++Any file created in the zone database file directory is automatically assigned
++the SELinux file context *named_zone_t* .
++
++The Red Hat BIND distribution and SELinux policy creates three directories where
++named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
++*/var/named/data*. The service is able to write and file under */var/named* with appropriate
++permissions. They are used for better organisation of zones and backward compatibility.
++Files in these directories are automatically assigned the '*named_cache_t*'
++file context, which SELinux always allows named to write.
++
+ See Also
+ ~~~~~~~~
+
+--
+2.26.2
+
diff --git a/bind-9.16-rh2101712.patch b/bind-9.16-rh2101712.patch
new file mode 100644
index 0000000..4ad2c6b
--- /dev/null
+++ b/bind-9.16-rh2101712.patch
@@ -0,0 +1,194 @@
+From 37ba012cf603f126f31ff7647d6ee4f6fe708e8f Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 24 Aug 2022 12:21:50 +1000
+Subject: [PATCH] Have dns_zt_apply lock the zone table
+
+There where a number of places where the zone table should have
+been locked, but wasn't, when dns_zt_apply was called.
+
+Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
+all calls to using it. Removed locks in callers.
+
+Modified upstream commit for v9_16
+---
+ bin/named/server.c | 12 +++++++-----
+ bin/named/statschannel.c | 12 +++++++-----
+ lib/dns/include/dns/zt.h | 3 ++-
+ lib/dns/tests/zt_test.c | 4 ++--
+ lib/dns/view.c | 3 ++-
+ lib/dns/zt.c | 21 ++++++++++-----------
+ 6 files changed, 30 insertions(+), 25 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 860ccae..c2a5887 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -9458,7 +9458,8 @@ cleanup:
+ if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0)
+ {
+ dns_view_setviewrevert(view);
+- (void)dns_zt_apply(view->zonetable, false, NULL,
++ (void)dns_zt_apply(view->zonetable,
++ isc_rwlocktype_read, false, NULL,
+ removed, view);
+ }
+ dns_view_detach(&view);
+@@ -10901,8 +10902,8 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
+ ISC_LIST_INIT(vle->zonelist);
+ ISC_LIST_APPEND(dctx->viewlist, vle, link);
+ if (dctx->dumpzones) {
+- result = dns_zt_apply(view->zonetable, true, NULL,
+- add_zone_tolist, dctx);
++ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++ true, NULL, add_zone_tolist, dctx);
+ }
+ return (result);
+ }
+@@ -12248,8 +12249,9 @@ named_server_sync(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
+ for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+- result = dns_zt_apply(view->zonetable, false, NULL,
+- synczone, &cleanup);
++ result = dns_zt_apply(view->zonetable,
++ isc_rwlocktype_none, false,
++ NULL, synczone, &cleanup);
+ if (result != ISC_R_SUCCESS && tresult == ISC_R_SUCCESS)
+ {
+ tresult = result;
+diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
+index 8ff2567..832ce93 100644
+--- a/bin/named/statschannel.c
++++ b/bin/named/statschannel.c
+@@ -2296,8 +2296,9 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen,
+ if ((flags & STATS_XML_ZONES) != 0) {
+ TRY0(xmlTextWriterStartElement(writer,
+ ISC_XMLCHAR "zones"));
+- result = dns_zt_apply(view->zonetable, true, NULL,
+- zone_xmlrender, writer);
++ result = dns_zt_apply(view->zonetable,
++ isc_rwlocktype_read, true,
++ NULL, zone_xmlrender, writer);
+ if (result != ISC_R_SUCCESS) {
+ goto error;
+ }
+@@ -3069,9 +3070,10 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg,
+ CHECKMEM(za);
+
+ if ((flags & STATS_JSON_ZONES) != 0) {
+- result = dns_zt_apply(view->zonetable, true,
+- NULL, zone_jsonrender,
+- za);
++ result = dns_zt_apply(view->zonetable,
++ isc_rwlocktype_read,
++ true, NULL,
++ zone_jsonrender, za);
+ if (result != ISC_R_SUCCESS) {
+ goto error;
+ }
+diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
+index 4a1b263..1c6c789 100644
+--- a/lib/dns/include/dns/zt.h
++++ b/lib/dns/include/dns/zt.h
+@@ -168,7 +168,8 @@ dns_zt_freezezones(dns_zt_t *zt, dns_view_t *view, bool freeze);
+ */
+
+ isc_result_t
+-dns_zt_apply(dns_zt_t *zt, bool stop, isc_result_t *sub,
++dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
++ isc_result_t *sub,
+ isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+ /*%<
+ * Apply a given 'action' to all zone zones in the table.
+diff --git a/lib/dns/tests/zt_test.c b/lib/dns/tests/zt_test.c
+index 7945a0b..bfacb94 100644
+--- a/lib/dns/tests/zt_test.c
++++ b/lib/dns/tests/zt_test.c
+@@ -136,8 +136,8 @@ apply(void **state) {
+ assert_non_null(view->zonetable);
+
+ assert_int_equal(nzones, 0);
+- result = dns_zt_apply(view->zonetable, false, NULL, count_zone,
+- &nzones);
++ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read, false,
++ NULL, count_zone, &nzones);
+ assert_int_equal(result, ISC_R_SUCCESS);
+ assert_int_equal(nzones, 1);
+
+diff --git a/lib/dns/view.c b/lib/dns/view.c
+index 8c7e40a..dcb0f18 100644
+--- a/lib/dns/view.c
++++ b/lib/dns/view.c
+@@ -704,7 +704,8 @@ dns_view_dialup(dns_view_t *view) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(view->zonetable != NULL);
+
+- (void)dns_zt_apply(view->zonetable, false, NULL, dialup, NULL);
++ (void)dns_zt_apply(view->zonetable, isc_rwlocktype_read, false,
++ NULL, dialup, NULL);
+ }
+
+ void
+diff --git a/lib/dns/zt.c b/lib/dns/zt.c
+index 8ca9cd6..cb90950 100644
+--- a/lib/dns/zt.c
++++ b/lib/dns/zt.c
+@@ -223,7 +223,8 @@ flush(dns_zone_t *zone, void *uap) {
+ static void
+ zt_destroy(dns_zt_t *zt) {
+ if (atomic_load_acquire(&zt->flush)) {
+- (void)dns_zt_apply(zt, false, NULL, flush, NULL);
++ (void)dns_zt_apply(zt, isc_rwlocktype_none, false, NULL,
++ flush, NULL);
+ }
+ dns_rbt_destroy(&zt->table);
+ isc_rwlock_destroy(&zt->rwlock);
+@@ -265,9 +266,8 @@ dns_zt_load(dns_zt_t *zt, bool stop, bool newonly) {
+ struct zt_load_params params;
+ REQUIRE(VALID_ZT(zt));
+ params.newonly = newonly;
+- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+- result = dns_zt_apply(zt, stop, NULL, load, &params);
+- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++ result = dns_zt_apply(zt, isc_rwlocktype_read, stop, NULL, load,
++ &params);
+ return (result);
+ }
+
+@@ -338,9 +338,8 @@ dns_zt_asyncload(dns_zt_t *zt, bool newonly, dns_zt_allloaded_t alldone,
+ zt->loaddone = alldone;
+ zt->loaddone_arg = arg;
+
+- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+- result = dns_zt_apply(zt, false, NULL, asyncload, zt);
+- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++ result = dns_zt_apply(zt, isc_rwlocktype_read, false, NULL,
++ asyncload, zt);
+
+ /*
+ * Have all the loads completed?
+@@ -386,9 +385,8 @@ dns_zt_freezezones(dns_zt_t *zt, dns_view_t *view, bool freeze) {
+
+ REQUIRE(VALID_ZT(zt));
+
+- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+- result = dns_zt_apply(zt, false, &tresult, freezezones, &params);
+- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++ result = dns_zt_apply(zt, isc_rwlocktype_read, false, &tresult,
++ freezezones, &params);
+ if (tresult == ISC_R_NOTFOUND) {
+ tresult = ISC_R_SUCCESS;
+ }
+@@ -522,7 +520,8 @@ dns_zt_setviewrevert(dns_zt_t *zt) {
+ }
+
+ isc_result_t
+-dns_zt_apply(dns_zt_t *zt, bool stop, isc_result_t *sub,
++dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
++ isc_result_t *sub,
+ isc_result_t (*action)(dns_zone_t *, void *), void *uap) {
+ dns_rbtnode_t *node;
+ dns_rbtnodechain_t chain;
+--
+2.38.1
+
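Review bot: Nothing in this patch makes dns_zt_apply() act on its new `lock` argument. The last lib/dns/zt.c hunk changes only the signature, and the visible zt.c hunks already account for all 21 lines in the diffstat, while dns_zt_load(), dns_zt_asyncload() and dns_zt_freezezones() lose their `RWLOCK(&zt->rwlock, isc_rwlocktype_read)` / `RWUNLOCK` pairs. Unless the 9.16.23 body of dns_zt_apply() (outside the hunk) already takes `zt->rwlock`, the zone table is now walked with less locking than before, which is the opposite of what the description says. The body needs `if (lock != isc_rwlocktype_none) { RWLOCK(&zt->rwlock, lock); }` before the tree walk and a matching `RWUNLOCK(&zt->rwlock, lock)` on every exit path. The `isc_rwlocktype_none` calls in named_server_sync() and zt_destroy() also deserve a comment saying why no lock is needed there.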
diff --git a/bind-9.16-rh2133889.patch b/bind-9.16-rh2133889.patch
new file mode 100644
index 0000000..710bf53
--- /dev/null
+++ b/bind-9.16-rh2133889.patch
@@ -0,0 +1,31 @@
+From 606fc6d4aa8e8884f53f53e72dc1bd7babf37a47 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Mon, 16 Jan 2023 11:06:48 +0000
+Subject: [PATCH] Merge branch 'feature/main/zt-rwlock.h' into 'main'
+
+Include isc_rwlocktype_t type definition in zt.h
+
+See merge request isc-projects/bind9!7376
+
+(cherry picked from commit d7bcdf8bd6c5395726f708535120ce9a97eaa935)
+
+395d6fca Include isc_rwlocktype_t type definition in zt.h
+---
+ lib/dns/include/dns/zt.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
+index 189092bc3b..2964fc971f 100644
+--- a/lib/dns/include/dns/zt.h
++++ b/lib/dns/include/dns/zt.h
+@@ -19,6 +19,7 @@
+ #include <stdbool.h>
+
+ #include <isc/lang.h>
++#include <isc/rwlock.h>
+
+ #include <dns/types.h>
+
+--
+2.39.0
+
diff --git a/bind-9.16.23.tar.xz.asc b/bind-9.16.23.tar.xz.asc
new file mode 100644
index 0000000..d48514d
--- /dev/null
+++ b/bind-9.16.23.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+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+=pVtf
+-----END PGP SIGNATURE-----
diff --git a/bind-9.5-PIE.patch b/bind-9.5-PIE.patch
new file mode 100644
index 0000000..d3c73ee
--- /dev/null
+++ b/bind-9.5-PIE.patch
@@ -0,0 +1,30 @@
+diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
+index eb622d1..37053a7 100644
+--- a/bin/named/Makefile.in
++++ b/bin/named/Makefile.in
+@@ -117,8 +117,12 @@ SRCS = builtin.c config.c control.c \
+ tkeyconf.c tsigconf.c zoneconf.c \
+ ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+
++EXT_CFLAGS = -fpie
++
+ @BIND9_MAKE_RULES@
+
++LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
++
+ main.@O@: main.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
+index fd9ca8d..f1c102c 100644
+--- a/bin/named/unix/Makefile.in
++++ b/bin/named/unix/Makefile.in
+@@ -11,6 +11,8 @@ srcdir = @srcdir@
+ VPATH = @srcdir@
+ top_srcdir = @top_srcdir@
+
++EXT_CFLAGS = -fpie
++
+ @BIND9_MAKE_INCLUDES@
+
+ CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
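Review bot: The hardening flags are added without any comment, so a later rebase has no record of what each one is for or why the link flags are set only in bin/named/Makefile.in. I would add above the LDFLAGS line `# PIE, full RELRO (relro+now), non-executable stack; nodlopen: named itself must not be dlopen()ed` and above each `EXT_CFLAGS` line `# objects must be position independent to link into the PIE named binary`. `EXT_CFLAGS = -fpie` is a plain assignment placed before `@BIND9_MAKE_RULES@` / `@BIND9_MAKE_INCLUDES@`, and whether those substitutions also set EXT_CFLAGS is not visible here. Confirm on the built binary that the flags took effect, for example with `readelf -h` and `readelf -d`.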
diff --git a/bind-9.5-dlz-64bit.patch b/bind-9.5-dlz-64bit.patch
new file mode 100644
index 0000000..ec064c6
--- /dev/null
+++ b/bind-9.5-dlz-64bit.patch
@@ -0,0 +1,53 @@
+diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
+index 47525af..eefe3c3 100644
+--- a/contrib/dlz/config.dlz.in
++++ b/contrib/dlz/config.dlz.in
+@@ -17,6 +17,13 @@
+ #
+ dlzdir='${DLZ_DRIVER_DIR}'
+
++AC_MSG_CHECKING([for target libdir])
++AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}],
++ [target_lib=lib64],
++ [target_lib=lib],
++)
++AC_MSG_RESULT(["$target_lib"])
++
+ #
+ # Private autoconf macro to simplify configuring drivers:
+ #
+@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in
+ then
+ break
+ fi
+- elif test -f "$dd/lib/lib${d}.so"
++ elif test -f "$dd/${target_lib}/lib${d}.so"
+ then
+- dlz_bdb_libs="-L${dd}/lib -l${d}"
++ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
+ break
+ fi
+ done
+@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in
+ *)
+ DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
+ [-I$use_dlz_ldap/include],
+- [-L$use_dlz_ldap/lib -lldap -llber])
++ [-L$use_dlz_ldap/${target_lib} -lldap -llber])
+
+ AC_MSG_RESULT(
+ [using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
+@@ -432,11 +439,11 @@ then
+ odbcdirs="/usr /usr/local /usr/pkg"
+ for d in $odbcdirs
+ do
+- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
++ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
+ then
+ use_dlz_odbc=$d
+ dlz_odbc_include="-I$use_dlz_odbc/include"
+- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
++ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
+ break
+ fi
+ done
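Review bot: `target_lib` is chosen by compiling and running a test program with `AC_RUN_IFELSE`, whose cross-compiling argument is left empty, so configure cannot decide the directory when the build host cannot execute target binaries. Pointer size is also only a proxy for the distribution's library directory. Deriving it from the configured value, e.g. `target_lib=$(basename "$libdir")`, avoids running anything and follows whatever `--libdir` the package build passes. Separately, the unchanged message after the LDAP driver change still prints `$use_dlz_ldap/lib`; it should read `[using LDAP from $use_dlz_ldap/${target_lib} and $use_dlz_ldap/include]` so the configure log matches the `-L` path actually used.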
diff --git a/bind-9.9.1-P2-dlz-libdb.patch b/bind-9.9.1-P2-dlz-libdb.patch
new file mode 100644
index 0000000..866ed8f
--- /dev/null
+++ b/bind-9.9.1-P2-dlz-libdb.patch
@@ -0,0 +1,31 @@
+diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in
+--- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200
++++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200
+@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in
+ # Check other locations for includes.
+ # Order is important (sigh).
+
+- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
++ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
+ # include a blank element first
+ for d in "" $bdb_incdirs
+ do
+@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in
+ bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
+ for d in $bdb_libnames
+ do
+- if test "$dd" = "/usr"
++ if test -f "$dd/${target_lib}/lib${d}.so"
+ then
+- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}")
+- if test $dlz_bdb_libs != "yes"
+- then
+- break
+- fi
+- elif test -f "$dd/${target_lib}/lib${d}.so"
+- then
+- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
++ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
+ break
+ fi
+ done
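Review bot: The rewritten branch tests for the library in one directory and links from another: the check is `test -f "$dd/${target_lib}/lib${d}.so"` but the result is `-L${dd}/${target_lib}/libdb`. If the .so lives directly in `${target_lib}`, the `-L` path points at a directory that may not exist and the link succeeds only through the default search path; if it lives in the `libdb` subdirectory, the test never matches. Make the two agree, either `dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"` or a test on `"$dd/${target_lib}/libdb/lib${d}.so"`; which layout is intended is not clear from the page. The hunk also relies on `target_lib`, which is defined by bind-9.5-dlz-64bit.patch, so the two patches must stay applied in that order.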
diff --git a/bind.spec b/bind.spec
new file mode 100644
index 0000000..5bf7d83
--- /dev/null
+++ b/bind.spec
@@ -0,0 +1,4025 @@
+#
+# Red Hat BIND9 package .spec file
+#
+# vim:expandtab ts=2:
+
+# bcond_without is built by default, unless --without X is passed
+# bcond_with is built only when --with X is passed to build
+%bcond_with SYSTEMTEST
+%bcond_without GSSTSIG
+# it is not possible to build the package without PKCS11 sub-package
+# due to extensive changes to Makefiles
+%bcond_with PKCS11
+%bcond_without JSON
+%bcond_with DLZ
+# New MaxMind GeoLite support
+%bcond_without GEOIP2
+# kyua no longer in buildroot in RHEL9
+%bcond_with UNITTEST
+%bcond_without DNSTAP
+%bcond_without LMDB
+%bcond_without DOC
+# Because of issues with PDF rebuild, include only HTML pages
+%bcond_with DOCPDF
+%bcond_with TSAN
+
+%{?!bind_uid: %global bind_uid 25}
+%{?!bind_gid: %global bind_gid 25}
+%{!?_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
+%global bind_dir /var/named
+%global chroot_prefix %{bind_dir}/chroot
+%global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\
+ %{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\
+ %{_libdir}/bind %{_libdir}/named %{_datadir}/GeoIP /proc/sys/net/ipv4
+
+%global selinuxbooleans named_write_master_zones=1
+## The order of libs is important. See lib/Makefile.in for details
+%define bind_export_libs isc dns isccfg irs
+%{!?_export_dir:%global _export_dir /bind9-export/}
+# libisc-nosym requires to be linked with unresolved symbols
+# When libisc-nosym linking is fixed, it can be defined to 1
+# Visit https://bugzilla.redhat.com/show_bug.cgi?id=1540300
+%undefine _strict_symbol_defs_build
+#
+# significant changes:
+# no more isc-config.sh and bind9-config
+# lib*.so.X versions of selected libraries no longer provided,
+# lib*-%%{version}-RH.so is provided as an internal implementation detail
+
+
+Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
+Name: bind
+License: MPLv2.0
+Version: 9.16.23
+Release: 9%{?dist}
+Epoch: 32
+Url: https://www.isc.org/downloads/bind/
+#
+Source0: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz
+Source1: named.sysconfig
+Source2: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz.asc
+Source3: named.logrotate
+Source4: https://downloads.isc.org/isc/pgpkeys/codesign2021.txt
+Source16: named.conf
+# Refresh by command: dig @a.root-servers.net. +tcp +norec
+# or from URL
+Source17: https://www.internic.net/domain/named.root
+Source18: named.localhost
+Source19: named.loopback
+Source20: named.empty
+Source23: named.rfc1912.zones
+Source25: named.conf.sample
+Source27: named.root.key
+Source35: bind.tmpfiles.d
+Source36: trusted-key.key
+Source37: named.service
+Source38: named-chroot.service
+Source41: setup-named-chroot.sh
+Source42: generate-rndc-key.sh
+Source43: named.rwtab
+Source44: named-chroot-setup.service
+Source46: named-setup-rndc.service
+Source47: named-pkcs11.service
+Source48: setup-named-softhsm.sh
+Source49: named-chroot.files
+
+# Common patches
+Patch10: bind-9.5-PIE.patch
+Patch16: bind-9.16-redhat_doc.patch
+Patch72: bind-9.5-dlz-64bit.patch
+Patch106:bind93-rh490837.patch
+Patch112:bind97-rh645544.patch
+Patch130:bind-9.9.1-P2-dlz-libdb.patch
+# Make PKCS11 used only for pkcs11 parts
+Patch135:bind-9.14-config-pkcs11.patch
+# Fedora specific patch to distribute native-pkcs#11 functionality
+Patch136:bind-9.10-dist-native-pkcs11.patch
+# Do not use isc-pkcs11.
+Patch149:bind-9.11-kyua-pkcs11.patch
+
+Patch157:bind-9.11-fips-tests.patch
+Patch164:bind-9.11-rh1666814.patch
+Patch170:bind-9.11-feature-test-named.patch
+Patch171:bind-9.11-tests-variants.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5987
+Patch172:bind-9.16-CVE-2022-0396.patch
+Patch173:bind-9.16-CVE-2021-25220.patch
+Patch174:bind-9.16-CVE-2021-25220-test.patch
+Patch175:bind-9.16-CVE-2022-3080.patch
+Patch176:bind-9.16-CVE-2022-38177.patch
+Patch177:bind-9.16-CVE-2022-38178.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6793
+# https://gitlab.isc.org/isc-projects/bind9/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
+Patch178:bind-9.16-CVE-2022-2795.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6695
+Patch179:bind-9.16-rh2101712.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7376
+Patch181:bind-9.16-rh2133889.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/82185f4f80d2fa39a4569f6740cb360ffff8f5c4
+Patch182: bind-9.16-CVE-2022-3094-1.patch
+Patch183: bind-9.16-CVE-2022-3094-2.patch
+Patch184: bind-9.16-CVE-2022-3094-3.patch
+Patch185: bind-9.16-CVE-2022-3094-test.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/ea79385990c564eb478c286c089ea7ed15520690
+Patch186: bind-9.16-CVE-2022-3736.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/b4a65aaea19762a3712932aa2270e8a833fbde22
+Patch187: bind-9.16-CVE-2022-3924.patch
+
+%{?systemd_ordering}
+Requires: coreutils
+Requires(pre): shadow-utils
+Requires(post): shadow-utils
+Requires(post): glibc-common
+Requires(post): grep
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+# This wild require should satisfy %%selinux_set_boolean macro only
+# in case it needs to be used
+Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls))
+Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls))
+Recommends: bind-utils bind-dnssec-utils
+BuildRequires: gcc, make
+BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
+BuildRequires: libidn2-devel, libxml2-devel
+BuildRequires: systemd-rpm-macros
+BuildRequires: selinux-policy
+# needed for %%{__python3} macro
+BuildRequires: python3-devel
+BuildRequires: python3-ply
+BuildRequires: findutils sed
+%if 0%{?fedora}
+BuildRequires: gnupg2
+%endif
+BuildRequires: libuv-devel
+%if %{with DLZ}
+BuildRequires: openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-devel
+%endif
+%if %{with UNITTEST}
+# make unit dependencies
+BuildRequires: libcmocka-devel kyua
+%endif
+%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
+BuildRequires: softhsm
+%endif
+%if %{with SYSTEMTEST}
+# bin/tests/system dependencies
+BuildRequires: perl(Net::DNS) perl(Net::DNS::Nameserver) perl(Time::HiRes) perl(Getopt::Long)
+# manual configuration requires this tool
+BuildRequires: iproute
+%endif
+%if %{with GSSTSIG}
+BuildRequires: krb5-devel
+%endif
+%if %{with LMDB}
+BuildRequires: lmdb-devel
+%endif
+%if %{with JSON}
+BuildRequires: json-c-devel
+%endif
+%if %{with GEOIP2}
+BuildRequires: libmaxminddb-devel
+%endif
+%if %{with DNSTAP}
+BuildRequires: fstrm-devel protobuf-c-devel
+%endif
+# Needed to regenerate dig.1 manpage
+%if %{with DOC}
+BuildRequires: python3-sphinx python3-sphinx_rtd_theme
+BuildRequires: doxygen
+%endif
+%if %{with DOCPDF}
+# Because remaining issues with COPR, allow turning off PDF (re)generation
+BuildRequires: python3-sphinx-latex latexmk texlive-xetex texlive-xindy
+%endif
+%if %{with TSAN}
+BuildRequires: libtsan
+%endif
+
+%description
+BIND (Berkeley Internet Name Domain) is an implementation of the DNS
+(Domain Name System) protocols. BIND includes a DNS server (named),
+which resolves host names to IP addresses; a resolver library
+(routines for applications to use when interfacing with DNS); and
+tools for verifying that the DNS server is operating properly.
+
+%if %{with PKCS11}
+%package pkcs11
+Summary: Bind with native PKCS#11 functionality for crypto
+Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Recommends: softhsm
+
+%description pkcs11
+This is a version of BIND server built with native PKCS#11 functionality.
+It is important to have SoftHSM v2+ installed and some token initialized.
+For other supported HSM modules please check the BIND documentation.
+
+%package pkcs11-utils
+Summary: Bind tools with native PKCS#11 for using DNSSEC
+Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Obsoletes: bind-pkcs11 < 32:9.9.4-16.P2
+Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release}
+
+%description pkcs11-utils
+This is a set of PKCS#11 utilities that when used together create rsa
+keys in a PKCS11 keystore. Also utilities for working with DNSSEC
+compiled with native PKCS#11 functionality are included.
+
+%package pkcs11-libs
+Summary: Bind libraries compiled with native PKCS#11
+Requires: bind-license = %{epoch}:%{version}-%{release}
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description pkcs11-libs
+This is a set of BIND libraries (dns, isc) compiled with native PKCS#11
+functionality.
+
+%package pkcs11-devel
+Summary: Development files for Bind libraries compiled with native PKCS#11
+Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: bind-devel%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description pkcs11-devel
+This a set of development files for BIND libraries (dns, isc) compiled
+with native PKCS#11 functionality.
+%endif
+
+%package libs
+Summary: Libraries used by the BIND DNS packages
+Requires: bind-license = %{epoch}:%{version}-%{release}
+Provides: bind-libs-lite = %{epoch}:%{version}-%{release}
+Obsoletes: bind-libs-lite < 32:9.16.13
+
+%description libs
+Contains heavyweight version of BIND suite libraries used by both named DNS
+server and utilities in bind-utils package.
+
+%package license
+Summary: License of the BIND DNS suite
+BuildArch:noarch
+
+%description license
+Contains license of the BIND DNS suite.
+
+%package utils
+Summary: Utilities for querying DNS name servers
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+# For compatibility with Debian package
+Provides: dnsutils = %{epoch}:%{version}-%{release}
+
+%description utils
+Bind-utils contains a collection of utilities for querying DNS (Domain
+Name System) name servers to find out information about Internet
+hosts. These tools will provide you with the IP addresses for given
+host names, as well as other information about registered domains and
+network addresses.
+
+You should install bind-utils if you need to get information from DNS name
+servers.
+
+%package dnssec-utils
+Summary: DNSSEC keys and zones management utilities
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Recommends: bind-utils
+Requires: python3-bind = %{epoch}:%{version}-%{release}
+Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release}
+
+%description dnssec-utils
+Bind-dnssec-utils contains a collection of utilities for editing
+DNSSEC keys and BIND zone files. These tools provide generation,
+revocation and verification of keys and DNSSEC signatures in zone files.
+
+You should install bind-dnssec-utils if you need to sign a DNS zone
+or maintain keys for it.
+
+%package dnssec-doc
+Summary: Manual pages of DNSSEC utilities
+Requires: bind-license = %{epoch}:%{version}-%{release}
+BuildArch:noarch
+
+%description dnssec-doc
+Bind-dnssec-doc contains manual pages for bind-dnssec-utils.
+
+%package devel
+Summary: Header files and libraries needed for bind-dyndb-ldap
+Provides: bind-lite-devel = %{epoch}:%{version}-%{release}
+Obsoletes: bind-lite-devel < 32:9.16.6-3
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa}
+Requires: libcap-devel%{?_isa}
+%if %{with GSSTSIG}
+Requires: krb5-devel%{?_isa}
+%endif
+%if %{with LMDB}
+Requires: lmdb-devel%{?_isa}
+%endif
+%if %{with JSON}
+Requires: json-c-devel%{?_isa}
+%endif
+%if %{with DNSTAP}
+Requires: fstrm-devel%{?_isa} protobuf-c-devel%{?_isa}
+%endif
+%if %{with GEOIP2}
+Requires: libmaxminddb-devel%{?_isa}
+
+%description devel
+The bind-devel package contains full version of the header files and libraries
+required for building bind-dyndb-ldap. Upstream no longer supports nor recommends
+bind libraries for third party applications.
+%endif
+
+%package chroot
+Summary: A chroot runtime environment for the ISC BIND DNS server, named(8)
+Prefix: %{chroot_prefix}
+# grep is required due to setup-named-chroot.sh script
+Requires: grep
+Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description chroot
+This package contains a tree of files which can be used as a
+chroot(2) jail for the named(8) program from the BIND package.
+Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
+
+
+%if %{with DLZ}
+%package dlz-filesystem
+Summary: BIND server filesystem DLZ module
+Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description dlz-filesystem
+Dynamic Loadable Zones filesystem module for BIND server.
+
+%package dlz-ldap
+Summary: BIND server ldap DLZ module
+Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description dlz-ldap
+Dynamic Loadable Zones LDAP module for BIND server.
+
+%package dlz-mysql
+Summary: BIND server mysql and mysqldyn DLZ modules
+Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+Provides: %{name}-dlz-mysqldyn = %{epoch}:%{version}-%{release}
+Obsoletes: %{name}-dlz-mysqldyn < 32:9.16.6-3
+
+%description dlz-mysql
+Dynamic Loadable Zones MySQL module for BIND server.
+Contains also mysqldyn module with dynamic DNS updates (DDNS) support.
+
+%package dlz-sqlite3
+Summary: BIND server sqlite3 DLZ module
+Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description dlz-sqlite3
+Dynamic Loadable Zones sqlite3 module for BIND server.
+%endif
+
+
+%package -n python3-bind
+Summary: A module allowing rndc commands to be sent from Python programs
+Requires: bind-license = %{epoch}:%{version}-%{release}
+Requires: python3 python3-ply %{?py3_dist:%py3_dist ply}
+BuildArch: noarch
+%{?python_provide:%python_provide python3-bind}
+%{?python_provide:%python_provide python3-isc}
+
+%description -n python3-bind
+This package provides a module which allows commands to be sent to rndc directly from Python programs.
+
+%if %{with DOC}
+%package doc
+Summary: BIND 9 Administrator Reference Manual
+Requires: bind-license = %{epoch}:%{version}-%{release}
+Requires: python3-sphinx_rtd_theme
+BuildArch: noarch
+
+%description doc
+BIND (Berkeley Internet Name Domain) is an implementation of the DNS
+(Domain Name System) protocols. BIND includes a DNS server (named),
+which resolves host names to IP addresses; a resolver library
+(routines for applications to use when interfacing with DNS); and
+tools for verifying that the DNS server is operating properly.
+
+This package contains BIND 9 Administrator Reference Manual
+in HTML and PDF format.
+%end
+
+%endif
+
+%prep
+%if 0%{?fedora}
+# RHEL does not yet support this verification
+%{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE2}' --data='%{SOURCE0}'
+%endif
+%setup -q
+
+# Common patches
+%patch10 -p1 -b .PIE
+%patch16 -p1 -b .redhat_doc
+%patch72 -p1 -b .64bit
+%patch106 -p1 -b .rh490837
+%patch112 -p1 -b .rh645544
+%patch130 -p1 -b .libdb
+%patch157 -p1 -b .fips-tests
+%patch164 -p1 -b .rh1666814
+%patch170 -p1 -b .featuretest-named
+%patch171 -p1 -b .test-variant
+%patch172 -p1 -b .CVE-2022-0396
+%patch173 -p1 -b .CVE-2021-25220
+%patch174 -p1 -b .CVE-2021-25220-test
+%patch175 -p1 -b .CVE-2022-3080
+%patch176 -p1 -b .CVE-2022-38177
+%patch177 -p1 -b .CVE-2022-38178
+%patch178 -p1 -b .CVE-2022-2795
+%patch179 -p1 -b .rh2101712
+%patch181 -p1 -b .rh2133889
+%patch182 -p1 -b .CVE-2022-3094
+%patch183 -p1 -b .CVE-2022-3094
+%patch184 -p1 -b .CVE-2022-3094
+%patch185 -p1 -b .CVE-2022-3094-test
+%patch186 -p1 -b .CVE-2022-3736
+%patch187 -p1 -b .CVE-2022-3924
+
+%if %{with PKCS11}
+%patch135 -p1 -b .config-pkcs11
+cp -r bin/named{,-pkcs11}
+cp -r bin/dnssec{,-pkcs11}
+cp -r lib/dns{,-pkcs11}
+cp -r lib/ns{,-pkcs11}
+%patch136 -p1 -b .dist_pkcs11
+%patch149 -p1 -b .kyua-pkcs11
+%endif
+
+# Sparc and s390 arches need to use -fPIE
+%ifarch sparcv9 sparc64 s390 s390x
+for i in bin/named/{,unix}/Makefile.in; do
+ sed -i 's|fpie|fPIE|g' $i
+done
+%endif
+
+sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/ifconfig.sh
+:;
+
+
+%build
+## We use out of tree configure/build for export libs
+%define _configure "../configure"
+
+# normal and pkcs11 unit tests
+%define unit_prepare_build() \
+ cp -uv Kyuafile "%{1}/" \
+ find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \
+ find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \
+ find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
+ find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
+
+%define systemtest_prepare_build() \
+ cp -Tuav bin/tests "%{1}/bin/tests/" \
+ cp -uv version "%{1}" \
+
+CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
+%if %{with TSAN}
+ CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
+%endif
+export CFLAGS
+export STD_CDEFINES="$CPPFLAGS"
+
+
+sed -i -e \
+'s/RELEASEVER=\(.*\)/RELEASEVER=\1-RH/' \
+version
+
+libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f
+
+mkdir build
+
+%if %{with DLZ}
+# DLZ modules do not support oot builds. Copy files into build
+mkdir -p build/contrib/dlz
+cp -frp contrib/dlz/modules build/contrib/dlz/modules
+%endif
+
+pushd build
+LIBDIR_SUFFIX=
+export LIBDIR_SUFFIX
+%configure \
+ --with-python=%{__python3} \
+ --with-libtool \
+ --localstatedir=%{_var} \
+ --with-pic \
+ --disable-static \
+ --includedir=%{_includedir}/bind9 \
+ --with-tuning=large \
+ --with-libidn2 \
+%if %{with GEOIP2}
+ --with-maxminddb \
+%endif
+%if %{with PKCS11}
+ --enable-native-pkcs11 \
+ --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \
+%endif
+ --with-dlopen=yes \
+%if %{with GSSTSIG}
+ --with-gssapi=yes \
+%endif
+%if %{with LMDB}
+ --with-lmdb=yes \
+%else
+ --with-lmdb=no \
+%endif
+%if %{with JSON}
+ --without-libjson --with-json-c \
+%endif
+%if %{with DNSTAP}
+ --enable-dnstap \
+%endif
+%if %{with UNITTEST}
+ --with-cmocka \
+%endif
+ --enable-fixed-rrset \
+ --enable-full-report \
+;
+%if %{with DNSTAP}
+ pushd lib
+ SRCLIB="../../../lib"
+ (cd dns && ln -s ${SRCLIB}/dns/dnstap.proto)
+%if %{with PKCS11}
+ (cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto)
+%endif
+ popd
+%endif
+
+%if %{with DOCPDF}
+# avoid using home for pdf latex files
+export TEXMFVAR="`pwd`"
+export TEXMFCONFIG="`pwd`"
+fmtutil-user --listcfg || :
+fmtutil-user --missing || :
+%endif
+
+%make_build
+
+# Regenerate dig.1 manpage
+pushd bin/dig
+make man
+popd
+pushd bin/python
+make man
+popd
+
+%if %{with DOC}
+ make doc
+%endif
+
+%if %{with DLZ}
+ pushd contrib/dlz/modules
+ for DIR in mysql mysqldyn; do
+ sed -e 's/@DLZ_DRIVER_MYSQL_INCLUDES@/$(shell mysql_config --cflags)/' \
+ -e 's/@DLZ_DRIVER_MYSQL_LIBS@/$(shell mysql_config --libs)/' \
+ $DIR/Makefile.in > $DIR/Makefile
+ done
+ for DIR in filesystem ldap mysql mysqldyn sqlite3; do
+ make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
+ done
+ popd
+%endif
+popd # build
+
+%unit_prepare_build build
+%systemtest_prepare_build build
+
+%check
+%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
+ # Tests require initialization of pkcs11 token
+ eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")"
+%endif
+
+%if %{with TSAN}
+export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
+%endif
+
+%if %{with UNITTEST}
+ pushd build
+ CPUS=$(lscpu -p=cpu,core | grep -v '^#' | wc -l)
+ if [ "$CPUS" -gt 16 ]; then
+ ORIGFILES=$(ulimit -n)
+ ulimit -n 4096 || : # Requires on some machines with many cores
+ fi
+ make unit
+ e=$?
+ if [ "$e" -ne 0 ]; then
+ echo "ERROR: this build of BIND failed 'make unit'. Aborting."
+ exit $e;
+ fi;
+ [ "$CPUS" -gt 16 ] && ulimit -n $ORIGFILES || :
+ popd
+## End of UNITTEST
+%endif
+
+%if %{with SYSTEMTEST}
+# Runs system test if ip addresses are already configured
+# or it is able to configure them
+if perl bin/tests/system/testsock.pl
+then
+ CONFIGURED=already
+else
+ CONFIGURED=
+ sh bin/tests/system/ifconfig.sh up
+ perl bin/tests/system/testsock.pl && CONFIGURED=build
+fi
+if [ -n "$CONFIGURED" ]
+then
+ set -e
+ pushd build/bin/tests
+ chown -R ${USER} . # Can be unknown user
+ %make_build test 2>&1 | tee test.log
+ e=$?
+ popd
+ [ "$CONFIGURED" = build ] && sh bin/tests/system/ifconfig.sh down
+ if [ "$e" -ne 0 ]; then
+ echo "ERROR: this build of BIND failed 'make test'. Aborting."
+ exit $e;
+ fi;
+else
+ echo 'SKIPPED: tests require root, CAP_NET_ADMIN or already configured test addresses.'
+fi
+%endif
+:
+
+%install
+# Build directory hierarchy
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d
+mkdir -p ${RPM_BUILD_ROOT}%{_libdir}/{bind,named}
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named/{slaves,data,dynamic}
+mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/{man1,man5,man8}
+mkdir -p ${RPM_BUILD_ROOT}/run/named
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log
+
+#chroot
+for D in %{chroot_create_directories}
+do
+ mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}${D}
+done
+
+# create symlink as it is on real filesystem
+pushd ${RPM_BUILD_ROOT}/%{chroot_prefix}/var
+ln -s ../run run
+popd
+
+# these are required to prevent them being erased during upgrade of previous
+touch ${RPM_BUILD_ROOT}/%{chroot_prefix}%{_sysconfdir}/named.conf
+#end chroot
+
+pushd build
+%make_install
+popd
+
+# Remove unwanted files
+rm -f ${RPM_BUILD_ROOT}/etc/bind.keys
+
+# Systemd unit files
+mkdir -p ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE37} ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}
+
+%if %{with PKCS11}
+install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir}
+%else
+# Not packaged without PKCS11
+find ${RPM_BUILD_ROOT}%{_includedir}/bind9/pk11 ${RPM_BUILD_ROOT}%{_includedir}/bind9/pkcs11 \
+ -name '*.h' \! -name site.h -delete
+
+%endif
+
+mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
+install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh
+install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh
+
+%if %{with PKCS11}
+install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh
+%endif
+
+install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
+install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named
+install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files
+
+%if %{with DLZ}
+ pushd build
+ pushd contrib/dlz/modules
+ for DIR in filesystem ldap mysql mysqldyn sqlite3; do
+ %make_install -C $DIR libdir=%{_libdir}/named
+ done
+ pushd ${RPM_BUILD_ROOT}/%{_libdir}/bind
+ cp -s ../named/dlz_*.so .
+ popd
+ mkdir -p doc/{mysql,mysqldyn}
+ cp -p mysqldyn/testing/README doc/mysqldyn/README.testing
+ cp -p mysqldyn/testing/* doc/mysqldyn
+ cp -p mysql/testing/* doc/mysql
+ popd
+ popd
+%endif
+
+# Install isc/errno2result.h header
+install -m 644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/bind9/isc
+
+# Remove libtool .la files:
+find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';
+
+# PKCS11 versions manpages
+%if %{with PKCS11}
+pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
+ln -s named.8.gz named-pkcs11.8.gz
+ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz
+ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz
+ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz
+ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz
+ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz
+ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz
+ln -s dnssec-settime.8.gz dnssec-settime-pkcs11.8.gz
+ln -s dnssec-signzone.8.gz dnssec-signzone-pkcs11.8.gz
+ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz
+popd
+%endif
+
+# 9.16.4 installs even manual pages for tools not generated
+%if %{without DNSTAP}
+rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/dnstap-read.1* || true
+%endif
+%if %{without LMDB}
+rm -f ${RPM_BUILD_ROOT}%{_mandir}/man8/named-nzd2nzf.8* || true
+%endif
+
+pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
+ln -s ddns-confgen.8.gz tsig-keygen.8.gz
+ln -s named-checkzone.8.gz named-compilezone.8.gz
+popd
+
+%if %{with DOC}
+mkdir -p ${RPM_BUILD_ROOT}%{_pkgdocdir}
+cp -a build/doc/arm/_build/html ${RPM_BUILD_ROOT}%{_pkgdocdir}
+rm -rf ${RPM_BUILD_ROOT}%{_pkgdocdir}/html/.{buildinfo,doctrees}
+# Backward compatible link to 9.11 documentation
+(cd ${RPM_BUILD_ROOT}%{_pkgdocdir} && ln -s html/index.html Bv9ARM.html)
+# Share static data from original sphinx package
+for DIR in %{python3_sitelib}/sphinx_rtd_theme/static/*
+do
+ BASE=$(basename -- "$DIR")
+ BINDTHEMEDIR="${RPM_BUILD_ROOT}%{_pkgdocdir}/html/_static/$BASE"
+ if [ -d "$BINDTHEMEDIR" ]; then
+ rm -rf "$BINDTHEMEDIR"
+ ln -s "$DIR" "$BINDTHEMEDIR"
+ fi
+done
+%endif
+%if %{with DOCPDF}
+cp -a build/doc/arm/Bv9ARM.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir}
+%endif
+
+# Ghost config files:
+touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log
+
+# configuration files:
+install -m 640 %{SOURCE16} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf
+touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf}
+install -m 644 %{SOURCE27} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.root.key
+install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}%{_sysconfdir}/trusted-key.key
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/named
+
+# data files:
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named
+install -m 640 %{SOURCE17} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca
+install -m 640 %{SOURCE18} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost
+install -m 640 %{SOURCE19} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback
+install -m 640 %{SOURCE20} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty
+install -m 640 %{SOURCE23} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones
+
+# sample bind configuration files for %%doc:
+mkdir -p sample/etc sample/var/named/{data,slaves}
+install -m 644 %{SOURCE25} sample/etc/named.conf
+# Copy default configuration to %%doc to make it usable from system-config-bind
+install -m 644 %{SOURCE16} named.conf.default
+install -m 644 %{SOURCE23} sample/etc/named.rfc1912.zones
+install -m 644 %{SOURCE18} %{SOURCE19} %{SOURCE20} sample/var/named
+install -m 644 %{SOURCE17} sample/var/named/named.ca
+for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do
+ echo '@ in soa localhost. root 1 3H 15M 1W 1D
+ ns localhost.' > sample/var/named/$f;
+done
+:;
+
+mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
+install -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf
+
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d
+install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
+
+%pre
+if [ "$1" -eq 1 ]; then
+ /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
+ /usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
+fi;
+:;
+
+%post
+%?ldconfig
+if [ -e "%{_sysconfdir}/selinux/config" ]; then
+ %selinux_set_booleans -s targeted %{selinuxbooleans}
+ %selinux_set_booleans -s mls %{selinuxbooleans}
+fi
+if [ "$1" -eq 1 ]; then
+ # Initial installation
+ [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
+ # rndc.key has to have correct perms and ownership, CVE-2007-6283
+ [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
+ [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
+else
+ # Upgrade, use invalid shell
+ if getent passwd named | grep ':/bin/false$' >/dev/null; then
+ /sbin/usermod -s /sbin/nologin named
+ fi
+ # Checkconf will parse out comments
+ if /usr/sbin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key
+ then
+ echo "Replacing obsolete named.iscdlv.key with named.root.key..."
+ if cp -Rf --preserve=all --remove-destination /etc/named.conf /etc/named.conf.rpmbackup; then
+ sed -e 's/named\.iscdlv\.key/named.root.key/' \
+ /etc/named.conf.rpmbackup > /etc/named.conf || \
+ mv /etc/named.conf.rpmbackup /etc/named.conf
+ fi
+ fi
+fi
+%systemd_post named.service
+:;
+
+%preun
+# Package removal, not upgrade
+%systemd_preun named.service
+
+%postun
+%?ldconfig
+# Package upgrade, not uninstall
+%systemd_postun_with_restart named.service
+if [ -e "%{_sysconfdir}/selinux/config" ]; then
+ %selinux_unset_booleans -s targeted %{selinuxbooleans}
+ %selinux_unset_booleans -s mls %{selinuxbooleans}
+fi
+
+%if %{with PKCS11}
+%post pkcs11
+# Initial installation
+%systemd_post named-pkcs11.service
+
+%preun pkcs11
+# Package removal, not upgrade
+%systemd_preun named-pkcs11.service
+
+%postun pkcs11
+# Package upgrade, not uninstall
+%systemd_postun_with_restart named-pkcs11.service
+%endif
+
+# Fix permissions on existing device files on upgrade
+%define chroot_fix_devices() \
+if [ $1 -gt 1 ]; then \
+ for DEV in "%{1}/dev"/{null,random,zero}; do \
+ if [ -e "$DEV" -a "$(/bin/stat --printf="%G %a" "$DEV")" = "root 644" ]; \
+ then \
+ /bin/chmod 0664 "$DEV" \
+ /bin/chgrp named "$DEV" \
+ fi \
+ done \
+fi
+
+%triggerun -- bind < 32:9.9.0-0.6.rc1
+/sbin/chkconfig --del named >/dev/null 2>&1 || :
+/bin/systemctl try-restart named.service >/dev/null 2>&1 || :
+
+%ldconfig_scriptlets libs
+
+%if %{with PKCS11}
+%ldconfig_scriptlets pkcs11-libs
+%endif
+
+%post chroot
+%systemd_post named-chroot.service
+%chroot_fix_devices %{chroot_prefix}
+:;
+
+%posttrans chroot
+if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
+ [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1;
+fi;
+
+%preun chroot
+# wait for stop of both named-chroot and named-chroot-setup services
+# on uninstall
+%systemd_preun named-chroot.service named-chroot-setup.service
+:;
+
+%postun chroot
+# Package upgrade, not uninstall
+%systemd_postun_with_restart named-chroot.service
+
+
+%files
+# TODO: Move from lib/bind to lib/named, as used by upstream
+%dir %{_libdir}/bind
+%dir %{_libdir}/named
+%{_libdir}/named/*.so
+%exclude %{_libdir}/named/dlz_*.so
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named
+%config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key
+%config(noreplace) %{_sysconfdir}/logrotate.d/named
+%{_tmpfilesdir}/named.conf
+%{_sysconfdir}/rwtab.d/named
+%{_unitdir}/named.service
+%{_unitdir}/named-setup-rndc.service
+%{_sbindir}/named-journalprint
+%{_sbindir}/named-checkconf
+%{_bindir}/named-rrchecker
+%{_bindir}/mdig
+%{_sbindir}/named
+%{_sbindir}/rndc*
+%{_libexecdir}/generate-rndc-key.sh
+%{_mandir}/man1/mdig.1*
+%{_mandir}/man1/named-rrchecker.1*
+%{_mandir}/man5/named.conf.5*
+%{_mandir}/man5/rndc.conf.5*
+%{_mandir}/man8/rndc.8*
+%{_mandir}/man8/named.8*
+%{_mandir}/man8/named-checkconf.8*
+%{_mandir}/man8/rndc-confgen.8*
+%{_mandir}/man8/named-journalprint.8*
+%{_mandir}/man8/filter-aaaa.8.gz
+%doc CHANGES README named.conf.default
+%doc sample/
+
+# Hide configuration
+%defattr(0640,root,named,0750)
+%dir %{_sysconfdir}/named
+%config(noreplace) %verify(not link) %{_sysconfdir}/named.conf
+%config(noreplace) %verify(not link) %{_sysconfdir}/named.rfc1912.zones
+%defattr(0660,root,named,01770)
+%dir %{_localstatedir}/named
+%defattr(0660,named,named,0770)
+%dir %{_localstatedir}/named/slaves
+%dir %{_localstatedir}/named/data
+%dir %{_localstatedir}/named/dynamic
+%ghost %{_localstatedir}/log/named.log
+%defattr(0640,root,named,0750)
+%config %verify(not link) %{_localstatedir}/named/named.ca
+%config %verify(not link) %{_localstatedir}/named/named.localhost
+%config %verify(not link) %{_localstatedir}/named/named.loopback
+%config %verify(not link) %{_localstatedir}/named/named.empty
+%ghost %config(noreplace) %{_sysconfdir}/rndc.key
+# ^- rndc.key now created on first install only if it does not exist
+%ghost %config(noreplace) %{_sysconfdir}/rndc.conf
+# ^- The default rndc.conf which uses rndc.key is in named's default internal config -
+# so rndc.conf is not necessary.
+%defattr(-,named,named,-)
+%dir /run/named
+
+%files libs
+%{_libdir}/libbind9-%{version}*.so
+%{_libdir}/libisccc-%{version}*.so
+%{_libdir}/libns-%{version}*.so
+%{_libdir}/libdns-%{version}*.so
+%{_libdir}/libirs-%{version}*.so
+%{_libdir}/libisc-%{version}*.so
+%{_libdir}/libisccfg-%{version}*.so
+
+%files license
+%{!?_licensedir:%global license %%doc}
+%license COPYRIGHT
+
+%files utils
+%{_bindir}/dig
+%{_bindir}/delv
+%{_bindir}/host
+%{_bindir}/nslookup
+%{_bindir}/nsupdate
+%{_bindir}/arpaname
+%{_sbindir}/ddns-confgen
+%{_sbindir}/tsig-keygen
+%{_sbindir}/nsec3hash
+%{_sbindir}/named-checkzone
+%{_sbindir}/named-compilezone
+%if %{with DNSTAP}
+%{_bindir}/dnstap-read
+%{_mandir}/man1/dnstap-read.1*
+%endif
+%if %{with LMDB}
+%{_sbindir}/named-nzd2nzf
+%{_mandir}/man8/named-nzd2nzf.8*
+%endif
+%{_mandir}/man1/host.1*
+%{_mandir}/man1/nsupdate.1*
+%{_mandir}/man1/dig.1*
+%{_mandir}/man1/delv.1*
+%{_mandir}/man1/nslookup.1*
+%{_mandir}/man1/arpaname.1*
+%{_mandir}/man8/ddns-confgen.8*
+%{_mandir}/man8/tsig-keygen.8*
+%{_mandir}/man8/nsec3hash.8*
+%{_mandir}/man8/named-checkzone.8*
+%{_mandir}/man8/named-compilezone.8*
+%{_sysconfdir}/trusted-key.key
+
+%files dnssec-utils
+%{_sbindir}/dnssec*
+%if %{with PKCS11}
+%exclude %{_sbindir}/dnssec*pkcs11
+%endif
+
+%files dnssec-doc
+%{_mandir}/man8/dnssec*.8*
+%if %{with PKCS11}
+%exclude %{_mandir}/man8/dnssec*-pkcs11.8*
+%endif
+
+%files devel
+%{_libdir}/libbind9.so
+%{_libdir}/libisccc.so
+%{_libdir}/libns.so
+%{_libdir}/libdns.so
+%{_libdir}/libirs.so
+%{_libdir}/libisc.so
+%{_libdir}/libisccfg.so
+%dir %{_includedir}/bind9
+%{_includedir}/bind9/bind9
+%{_includedir}/bind9/isccc
+%{_includedir}/bind9/ns
+%{_includedir}/bind9/dns
+%{_includedir}/bind9/dst
+%{_includedir}/bind9/irs
+%{_includedir}/bind9/isc
+%dir %{_includedir}/bind9/pk11
+%{_includedir}/bind9/pk11/site.h
+%{_includedir}/bind9/isccfg
+
+%files chroot
+%config(noreplace) %{_sysconfdir}/named-chroot.files
+%{_unitdir}/named-chroot.service
+%{_unitdir}/named-chroot-setup.service
+%{_libexecdir}/setup-named-chroot.sh
+%defattr(0664,root,named,-)
+%ghost %dev(c,1,3) %verify(not mtime) %{chroot_prefix}/dev/null
+%ghost %dev(c,1,8) %verify(not mtime) %{chroot_prefix}/dev/random
+%ghost %dev(c,1,9) %verify(not mtime) %{chroot_prefix}/dev/urandom
+%ghost %dev(c,1,5) %verify(not mtime) %{chroot_prefix}/dev/zero
+%defattr(0640,root,named,0750)
+%dir %{chroot_prefix}
+%dir %{chroot_prefix}/dev
+%dir %{chroot_prefix}%{_sysconfdir}
+%dir %{chroot_prefix}%{_sysconfdir}/named
+%dir %{chroot_prefix}%{_sysconfdir}/pki
+%dir %{chroot_prefix}%{_sysconfdir}/pki/dnssec-keys
+%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies
+%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies/back-ends
+%dir %{chroot_prefix}%{_localstatedir}
+%dir %{chroot_prefix}/run
+%ghost %config(noreplace) %{chroot_prefix}%{_sysconfdir}/named.conf
+%defattr(-,root,root,-)
+%dir %{chroot_prefix}/usr
+%dir %{chroot_prefix}/%{_libdir}
+%dir %{chroot_prefix}/%{_libdir}/bind
+%dir %{chroot_prefix}/%{_libdir}/named
+%dir %{chroot_prefix}/%{_datadir}/GeoIP
+%{chroot_prefix}/proc
+%defattr(0660,root,named,01770)
+%dir %{chroot_prefix}%{_localstatedir}/named
+%defattr(0660,named,named,0770)
+%dir %{chroot_prefix}%{_localstatedir}/tmp
+%dir %{chroot_prefix}%{_localstatedir}/log
+%defattr(-,named,named,-)
+%dir %{chroot_prefix}/run/named
+%{chroot_prefix}%{_localstatedir}/run
+
+%if %{with PKCS11}
+%files pkcs11
+%{_sbindir}/named-pkcs11
+%{_unitdir}/named-pkcs11.service
+%{_mandir}/man8/named-pkcs11.8*
+%{_libexecdir}/setup-named-softhsm.sh
+
+%files pkcs11-utils
+%{_sbindir}/dnssec*pkcs11
+%{_sbindir}/pkcs11-destroy
+%{_sbindir}/pkcs11-keygen
+%{_sbindir}/pkcs11-list
+%{_sbindir}/pkcs11-tokens
+%{_mandir}/man8/pkcs11*.8*
+%{_mandir}/man8/dnssec*-pkcs11.8*
+
+%files pkcs11-libs
+%{_libdir}/libdns-pkcs11-%{version}*.so
+%{_libdir}/libns-pkcs11-%{version}*.so
+
+%files pkcs11-devel
+%{_includedir}/bind9/pk11/*.h
+%exclude %{_includedir}/bind9/pk11/site.h
+%{_includedir}/bind9/pkcs11
+%{_libdir}/libdns-pkcs11.so
+%{_libdir}/libns-pkcs11.so
+%endif
+
+%if %{with DLZ}
+%files dlz-filesystem
+%{_libdir}/{named,bind}/dlz_filesystem_dynamic.so
+
+%files dlz-mysql
+%{_libdir}/{named,bind}/dlz_mysql_dynamic.so
+%doc build/contrib/dlz/modules/doc/mysql
+%{_libdir}/{named,bind}/dlz_mysqldyn_mod.so
+%doc build/contrib/dlz/modules/doc/mysqldyn
+
+%files dlz-ldap
+%{_libdir}/{named,bind}/dlz_ldap_dynamic.so
+%doc contrib/dlz/modules/ldap/testing/*
+
+%files dlz-sqlite3
+%{_libdir}/{named,bind}/dlz_sqlite3_dynamic.so
+%doc contrib/dlz/modules/sqlite3/testing/*
+
+%endif
+
+%files -n python3-bind
+%{python3_sitelib}/*.egg-info
+%{python3_sitelib}/isc/
+
+%if %{with DOC}
+%files doc
+%dir %{_pkgdocdir}
+%doc %{_pkgdocdir}/Bv9ARM.html
+%doc %{_pkgdocdir}/html
+%endif
+%if %{with DOCPDF}
+%doc %{_pkgdocdir}/Bv9ARM.pdf
+%endif
+
+%changelog
+* Wed Feb 08 2023 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-9
+- Prevent flooding with UPDATE requests (CVE-2022-3094)
+- Handle RRSIG queries when server-stale is active (CVE-2022-3736)
+- Fix crash when soft-quota is reached and serve-stale is active (CVE-2022-3924)
+
+* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-8
+- Correct regression preventing bind-dyndb-ldap build (#2162795)
+
+* Tue Oct 04 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-7
+- Prevent freeing zone during statistics rendering (#2101712)
+
+* Tue Oct 04 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-6
+- Bound the amount of work performed for delegations (CVE-2022-2795)
+- Add %_libdir/named to bind-chroot (#2129466)
+
+* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-5
+- Fix possible serve-stale related crash (CVE-2022-3080)
+- Fix memory leak in ECDSA verify processing (CVE-2022-38177)
+- Fix memory leak in EdDSA verify processing (CVE-2022-38178)
+
+* Thu Jul 14 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-4
+- Export bind-doc package (#2104863)
+
+* Mon Apr 11 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-3
+- Tighten cache protection against record from forwarders (CVE-2021-25220)
+- Include test of forwarders
+
+* Fri Mar 25 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-2
+- TCP connections with 'keep-response-order' are properly close in all cases
+ (CVE-2022-0396)
+
+* Fri Nov 19 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-1
+- Update to 9.16.23 (#2024210)
+
+* Wed Oct 13 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-5
+- Propagate ephemeral port ranges to chroot (#2013595)
+
+* Tue Oct 12 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-4
+- Fixes listening on TCP in some race conditions (#1999691)
+
+* Tue Oct 12 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-3
+- Include documentation of dig return codes (#1989909)
+
+* Thu Aug 19 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-2
+- Fix map file format incompatibility
+- Actually enable LMDB support
+
+* Tue Aug 17 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-1
+- Update to 9.16.20
+
+* Mon Aug 09 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.19-4
+- Do not depend on systemd package
+
+* Mon Aug 09 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.19-3
+- Include backward compatible html symlink in doc subpackage
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 32:9.16.19-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Wed Jul 21 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.19-1
+- Update to 9.16.19 (#1956777)
+
+* Thu Jun 24 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.16-1
+- Update to 9.16.16 (#1956777)
+
+* Thu Jun 24 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.15-3
+- Disable building of DLZ and PKCS11
+- Build HTML documentation into separate bind-doc subpackage
+- Enable DNSTAP feature (#1975268)
+- Enable LMDB support (#1975775)
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 32:9.16.15-2
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+ Related: rhbz#1971065
+
+* Thu Apr 29 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.15-1
+- Update to 9.16.15
+
+* Thu Apr 15 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.13-1
+- Update to 9.16.13
+- Changed displayed version just to include -RH suffix, not release
+- Version is now part of library names, soname versions are no longer provided
+- Removed bind-libs-lite subpackage
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 32:9.16.11-6
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Fri Feb 26 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.11-5
+- Make logrotate.d world-readable (#1917061)
+
+* Mon Feb 22 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.11-4
+- Fix off-by-one bug in ISC SPNEGO implementation (#1929965)
+
+* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 32:9.16.11-3
+- rebuild for libpq ABI fix rhbz#1908268
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.16.11-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Jan 21 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.11-1
+- Update to 9.16.11 (#1827602)
+- Avoid unit test failures on machines with many cores
+
+* Thu Jan 14 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.10-2
+- Update to 9.16.10
+- Remove bind-sdb package
+- https://fedoraproject.org/wiki/Changes/BIND9.16
+
+* Wed Jan 13 08:55:11 CET 2021 Adrian Reber <adrian@lisas.de> - 32:9.11.26-3
+- Rebuilt for protobuf 3.14
+
+* Wed Jan 06 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-2
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Mon Jan 04 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-1
+- Update to 9.11.26
+
+* Mon Nov 30 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.25-2
+- Regenerate all manual pages on build
+
+* Thu Nov 26 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.25-1
+- Update to 9.11.25
+
+* Wed Nov 04 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.24-2
+- Fix crash on NTA recheck failure (#1893761)
+
+* Fri Oct 23 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.24-1
+- Update to 9.11.24
+
+* Wed Sep 23 2020 Adrian Reber <adrian@lisas.de> - 32:9.11.23-2
+- Rebuilt for protobuf 3.13
+
+* Thu Sep 17 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.23-1
+- Update to 9.11.23
+- Merge bind-lite-devel into devel package
+
+* Tue Sep 01 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.22-2
+- Require libcap from devel package
+
+* Thu Aug 20 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.22-1
+- Update to 9.11.22
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.21-3
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.21-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.21-1
+- Update to 9.11.21
+
+* Tue Jun 23 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-3
+- Move documentation to separate bind-doc package
+
+* Sat Jun 20 2020 Adrian Reber <adrian@lisas.de> - 32:9.11.20-2
+- Rebuilt for protobuf 3.12
+
+* Wed Jun 17 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-1
+- Update to 9.11.20
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 32:9.11.19-2
+- Rebuilt for Python 3.9
+
+* Fri May 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.19-1
+- Update to 9.11.19 (CVE-2020-8616, CVE-2020-8617)
+- Make initscripts just optional dependency
+
+* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 32:9.11.18-2
+- Rebuild (json-c)
+
+* Thu Apr 16 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.18-1
+- Update to 9.11.18
+
+* Tue Mar 31 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.17-1
+- Update to 9.11.17
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.14-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+ * Wed Jan 08 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.14-4
+- Remove libmaxminddb-devel from devel package dependencies
+
+* Fri Jan 03 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.14-3
+- Preserve symlinks to named.conf on iscdlv modification (#1786626)
+
+* Thu Dec 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.14-2
+- Include more Thread Sanitizer detected changes (#1736762)
+
+* Thu Dec 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.14-1
+- Update to 9.11.14
+
+* Tue Dec 03 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-4
+- Disable Berkeley DB support (#1779190)
+
+* Mon Dec 02 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-3
+- Backport few thread safety related fixed from upstream (#1736762)
+
+* Tue Nov 26 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-2
+- Complete explicit disabling of RSAMD5 in FIPS mode (#1709553)
+
+* Tue Nov 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-1
+- Update to 9.11.13
+
+* Tue Nov 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-6
+- Report failures on systemctl reload
+
+* Tue Nov 12 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-5
+- Fix binary compatibility after serve-stale patch (#1770492)
+
+* Wed Nov 06 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-4
+- Backported serve-stale feature
+
+* Wed Nov 06 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-3
+- Fix wrong default GeoIP directory (#1768258)
+
+* Mon Nov 04 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-2
+- Move data files outside config archive
+- Specify geoip data directory in config file (#1768258)
+
+* Mon Oct 21 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-1
+- Update to 9.11.12 (#1557762)
+
+* Wed Sep 25 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.11-1
+- Update to 9.11.11
+
+* Wed Sep 04 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.10-3
+- Share pkcs11-utils and dnssec-utils manuals instead of recommend
+
+* Tue Sep 03 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.10-2
+- Move some administration utilities back to bind-utils (#1720380)
+- Add GeoIP to bind-chroot (#1497646)
+- Recommend bind-dnssec-utils from bind-pkcs11-utils
+
+* Tue Aug 27 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.10-1
+- Update to 9.11.10
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 32:9.11.9-4
+- Rebuilt for Python 3.8
+
+* Fri Aug 09 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.9-3
+- Display errors from rndc reload (#1739441)
+
+* Thu Aug 08 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.9-2
+- Permit explicit disabling of RSAMD5 in FIPS mode (#1709553)
+
+* Wed Jul 24 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.9-1
+- Update to 9.11.9
+- Add GeoLite2 support
+- Disable export-libs
+
+* Wed Jul 24 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.8-2
+- Use monotonic time in export library (#1732883)
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jul 02 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.8-1
+- Update to 9.11.8
+
+* Mon Jun 17 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.7-2
+- Fix OpenSSL random generator initialization
+
+* Mon Jun 10 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.7-1
+- Update to 9.11.7
+
+* Mon May 06 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.6-5.P1
+- Fix also postun script
+
+* Mon May 06 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.6-4.P1
+- Fix error in scriptlet condition
+
+* Thu May 02 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.6-3.P1
+- Fix inefective limit of TCP clients (CVE-2018-5743)
+
+* Thu Mar 14 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.6-2
+- Fix dnstap and timer issues in unit test
+- Enable DLZ modules
+
+* Tue Mar 05 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.6-1
+- Update to 9.11.6
+
+* Fri Mar 01 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-15.P4
+- Support testing of named variants
+
+* Thu Feb 28 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-14.P4
+- Modify feature-test detection of dlz-filesystem
+
+* Fri Feb 22 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-13.P4
+- Update to 9.11.5-P4
+
+* Fri Feb 22 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-12.P1
+- Enable DNSTAP support (#1564776)
+- Enable LMDB support for rndc addzone
+- Enable json format in statistics-channel
+
+* Thu Feb 21 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-11.P1
+- Disable often failing unit test random_test
+
+* Thu Feb 21 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-10.P1
+- Disable autodetected eddsa algorithm ED448
+
+* Thu Jan 31 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-9.P1
+- dig prints ASCII name instead of failure (#1647829)
+- disable IDN output from scripts
+- Update project URL
+- Removed revoked KSK 19164 from trusted keys
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.5-8.P1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sun Jan 27 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-7.P1
+- Update to 9.11.5-P1
+
+* Wed Jan 23 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-6
+- Reenable crypto rand for DHCP, disable just entropy check (#1663318)
+
+* Thu Jan 17 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-5
+- Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398)
+
+* Wed Jan 16 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-4
+- Reject invalid binary file (#1666814)
+
+* Mon Jan 14 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-3
+- Disable crypto rand for DHCP (#1663318)
+
+* Thu Oct 25 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-2
+- Add optional support for JSON statistics
+- Add optional DNSTAP support (#1564776), new dnstap-read tool
+
+* Wed Oct 24 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-1
+- Update to 9.11.5
+
+* Tue Oct 02 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-12.P2
+- Add Requires to devel packages referenced by bind-devel
+
+* Sat Sep 29 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 32:9.11.4-11.P2
+- Fix export-libs macro & scriptlet
+
+* Wed Sep 26 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-10.P2
+- Reenable IDN output but allow turning it off (#1580200)
+
+* Thu Sep 20 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-9.P2
+- Update to bind-9.11.4-P2
+- Add /dev/urandom to chroot (#1631515)
+
+* Fri Aug 24 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-8.P1
+- Replace unoptimized code by OpenSSL counterparts
+- Fix multilib conflicts of devel package
+- Add versioned depends to all library subpackages
+
+* Fri Aug 24 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-7.P1
+- Add support for OpenSSL provided random data
+
+* Mon Aug 13 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-6.P1
+- Fix sdb-chroot devices upgrade (#1592873)
+- Automatically replace obsoleted ISC DLV key with root key (#1595782)
+
+* Thu Aug 09 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-5.P1
+- Update to 9.11.4-P1
+- Adds root key sentinel support
+- Large IXFR zone transfers are rejected to prevent journal corruption
+
+* Thu Aug 02 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-4
+- Support unavailable MD5 in FIPS mode
+
+* Thu Aug 02 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-3
+- Use OpenSSL for digest operations (#1611537)
+
+* Tue Jul 31 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-2
+- Install generated manual pages
+
+* Thu Jul 12 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-1
+- Update to 9.11.4
+- Use kyua instead of kyua-cli for unit tests
+
+* Thu Jul 12 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-15
+- Use new config file named-chroot.files for chroot setup (#1429656)
+- Fix chroot devices file verification (#1592873)
+- Prevent errors on bind-chroot uninstall when running (#1600583)
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.3-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 32:9.11.3-13
+- Rebuilt for Python 3.7
+
+* Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-12
+- Require utils instead of library
+
+* Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-11
+- Remove named.iscdlv.key file (#1595782)
+- Fix CVE-2018-5738
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 32:9.11.3-10
+- Rebuilt for Python 3.7
+
+* Fri May 25 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-9
+- Make named home writeable (#1422680)
+- Change named shell to /bin/false
+
+* Fri May 25 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-8
+- Require C++ on build when shipped atf library is used
+
+* Mon Apr 09 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-7
+- Run tests also without kyua
+
+* Thu Apr 05 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-6
+- Do not link libidn2 to all libraries (#1098783)
+- Update named.ca
+
+* Tue Apr 03 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-5
+- Enable libidn2 support (#1098783)
+- Make +noidnout default
+- Compile export libs without GSSAPI
+
+* Wed Mar 21 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-4
+- Rebase to 9.11.3
+- Add dig support for libidn2 (#1098783)
+
+* Wed Mar 21 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-3.b1
+- Fix build with disabled unittest
+- Recommend softhsm from pkcs11 variant
+
+* Thu Feb 22 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-2.b1
+- Require openssl-devel and libcap-devel from bind-export-devel
+- Conflict with bind99-devel
+- Change spec globals to rpmbuild --with feature
+
+* Thu Feb 15 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-1.b1
+- Rebase to 9.11.3b1
+
+* Wed Feb 07 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-11.P1
+- Use versioned provides
+- Fix starting of unit tests
+- Forward export libs path to isc-config
+- Rename export devel subpackage to bind-export-devel
+
+* Wed Feb 07 2018 Pavel Zhukov <pzhukov@redhat.com> - 32:9.11.2-10.P1
+- Add obsoletes/provides tags for smooth update
+
+* Wed Feb 07 2018 Pavel Zhukov <pzhukov@redhat.com> - 32:9.11.2-9.P1
+- Build devel package for export-libs
+
+* Wed Feb 07 2018 Pavel Zhukov <pzhukov@redhat.com> - 32:9.11.2-8.P1
+- Build export libraries with disabled threads and selects
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.2-7.P1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Jan 30 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-6.P1
+- Remove ldconfig calls where possible
+- Note -z defs cannot be enabled until more work
+
+* Tue Jan 16 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-5.P1
+- Fix CVE-2017-3145, rebase to 9.11.2-P1
+
+* Tue Jan 02 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-4
+- Enable unit tests with kyua tool (#1532694)
+- Provide internal tool to prepare softhsm token storage
+- Proper fix for python3-bind subpackage directory ownership (#1522944)
+
+* Fri Dec 15 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-3
+- Own python3-bind isc directory (#1522944)
+- Make tsstsig system test pass again (#1500017)
+
+* Mon Oct 23 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-2
+- Build against mariadb-connector-c-devel (#1493615)
+- Include DNSKEY 20326 also in trusted-key.key (#1505476)
+- Fix dynamic symbols conflict with ldap (#1205168)
+- Use hmac-sha256 for new RNDC keys (#1508003)
+- Include protocols and services in chroot
+
+* Wed Aug 02 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-1
+- Update to 9.11.2
+- Add recursing and secroots file into default and sample config
+- Fix nsupdate GSSAPI auth against AD server (#1484451)
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.1-6.P3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.1-5.P3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jul 14 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.1-4.P3
+- Simplify change of default configuration file path
+
+* Thu Jul 13 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.1-3.P3
+- Use mysql_config for SDB variant, build against mariadb-devel
+
+* Mon Jul 10 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.1-2.P3
+- Update to 9.11.1-P3
+
+* Fri Jun 30 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.1-2.P2
+- Update to 9.11.1-P2
+
+* Thu Jun 29 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.1-2.P1
+- dnssec-checkds and dnssec-coverage requires python module (#1466183)
+
+* Thu Jun 15 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.1-1.P1
+- Update to 9.11.1-P1
+
+* Fri Apr 21 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-8.P5
+- Fix queries for TKEY in nsupdate, when using GSSAPI (#1236087)
+
+* Thu Apr 13 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-7.P5
+- Update to 9.11.0-P5
+- Use BINDVERSION for upstream version
+
+* Fri Feb 10 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-7.P3
+- Update to 9.11.0-P3
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.0-7.P2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Jan 18 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-6.P2
+- RTLD_DEEPBIND conflicts with pkcs11 libraries, skip it for dyndb (#1410433)
+- Fix some rpm warnings
+
+* Mon Jan 16 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-5.P2
+- Fix manual pages generated by recent docbook-style-xsl (#1397186)
+
+* Thu Jan 12 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-4.P2
+- Update to 9.11.0-P2
+
+* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 32:9.11.0-4.P1
+- Rebuild for Python 3.6
+
+* Tue Nov 22 2016 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-3.P1
+- Split pk11 includes, include real functions only in pkcs11 variant
+
+* Wed Nov 16 2016 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-2.P1
+- Do not change lib permissions in chroot
+
+* Wed Nov 16 2016 Michal Ruprich <mruprich@redhat.com> - 32:9.11.0-1.P1
+- Update to 9.11.0-P1
+
+* Tue Nov 08 2016 Petr Menšík <pemensik@redhat.com> - 32:9.10.4-3.P4
+- Build with OpenSSL 1.1
+
+* Thu Nov 03 2016 Petr Menšík <pemensik@redhat.com> - 32:9.10.4-2.P4
+- Update to 9.10.4-P4
+
+* Thu Sep 29 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.4-2.P3
+- Update to 9.10.4-P3
+
+* Wed Jul 20 2016 Michal Ruprich <mruprich@redhat.com> - 32:9.10.4-1.P2
+- Update to 9.10.4-P2
+
+* Thu May 26 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.4-1.P1
+- Update to 9.10.4-P1
+
+* Fri May 20 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-14.P4
+- (un)mount /var/named in -chroot packages as the last directory (Related: #1279188)
+
+* Thu May 12 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-13.P4
+- Remove NM dispatcher script, since it is not needed any more (#1277257)
+- Replaced After=network-online.target with After=network.target in all unit files
+
+* Fri Mar 11 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-12.P4
+- Update to 9.10.3-P4 due to CVE-2016-1285 CVE-2016-1286 CVE-2016-2088
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.10.3-11.P3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Jan 21 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-10.P3
+- Update to 9.10.3-P3 due to CVE-2015-8704 and CVE-2015-8705 (#1300051)
+
+* Wed Jan 06 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-9.P2
+- Commented out bindkeys-file statement in default configuration (#1223365#c3)
+- Removed unrecognized configure option --enable-developer
+- Added configure option --enable-full-report to get report on enabled features
+
+* Sat Dec 26 2015 Robert Scheck <robert@fedoraproject.org> - 32:9.10.3-8.P2
+- Remove unrecognized build options for %%configure
+- Own %%{_includedir}/bind9 directory in -lite-devel
+- Fixed building without (optional) PKCS#11 support
+
+* Wed Dec 16 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-7.P2
+- bump release to maintain update path
+
+* Wed Dec 16 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-4.P2
+- Update to 9.10.3-P2
+
+* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.10.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Wed Nov 04 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-2
+- Fixed named-checkconf call in *-chroot.service files (#1277820)
+
+* Thu Sep 17 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-1
+- Update to 9.10.3 stable
+
+* Thu Sep 03 2015 Tomas Hozza <thozza@redhat.com>
+- Update to 9.10.3rc1
+
+* Wed Jul 29 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-9.P3
+- Update to 9.10.2-P3 to fix CVE-2015-5477
+
+* Thu Jul 09 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-8.P2
+- Update to 9.10.2-P2
+
+* Mon Jun 29 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-7.P1
+- Reintroduce the DISABLE_ZONE_CHECKING into /etc/sysconfig/named
+
+* Fri Jun 19 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-6.P1
+- Update to 9.10.2-P1
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.10.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed May 27 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-4
+- Don't copy /etc/localtime on -chroot package installation
+
+* Fri May 22 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-3
+- Don't use ISC's DLV by default (#1223365)
+- Utilize system-wide crypto-policies (#1179925)
+
+* Thu May 21 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-2
+- enable tuning for large systems - increases hardcoded internal limits
+- enable GeoIP access control feature
+
+* Thu Feb 26 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-1
+- update to 9.10.2 stable
+- remove parallel-build patch after discussion with upstream [ISC-Bugs #38739]
+
+* Wed Feb 25 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-0.3.rc1
+- update to 9.10.2rc2
+- call ldconfig for pkcs11-libs
+- Use Python3 by default (#1186791)
+
+* Sat Feb 21 2015 Till Maas <opensource@till.name> - 32:9.10.2-0.2.rc1
+- Rebuilt for Fedora 23 Change
+ https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Mon Feb 02 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-0.1.rc1
+- update to 9.10.2rc1
+- fix nsupdate server auto-detection (#1184151)
+- drop merged patch bind99-rh985918.patch
+
+* Fri Jan 16 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.1-2.P1
+- Install config for tmpfiles under %%{_tmpfilesdir} (#1181020)
+
+* Tue Jan 13 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.1-1.P1
+- Update to 9.10.1-P1 stable
+
+* Fri Dec 12 2014 Tomas Hozza <thozza@redhat.com> - 32:9.9.6-6.P1
+- Drop downstream patch for nslookup/host rejected by upstream
+
+* Tue Dec 09 2014 Tomas Hozza <thozza@redhat.com> - 32:9.9.6-5.P1
+- Update to 9.9.6-P1 (CVE-2014-8500)
+
+* Fri Nov 14 2014 Tomas Hozza <thozza@redhat.com> - 32:9.9.6-4
+- Fixed systemctl path in logrotate configuration (#1148360)
+- drop engine_pkcs11 dependency, since we use native PKCS#11 implementation
+
+* Wed Oct 22 2014 Petr Spacek <pspacek@redhat.com> - 32:9.9.6-3
+- Fix crash during GSS-TSIG processing (#1155334, #1155127)
+ introduced in 32:9.9.6-2
+
+* Tue Oct 14 2014 Tomas Hozza <thozza@redhat.com> - 32:9.9.6-2
+- Added native PKCS#11 functionality (#1097752)
+- bind-sdb now requires bind due to configuration and other utilities
+- bind-pkcs11 now requires bind due to configuration and other utilities
+
+* Thu Oct 02 2014 Tomas Hozza <thozza@redhat.com> - 32:9.9.6-1
+- Update to 9.9.6
+- drop merged patches and rebase some of existing patches
+- Add architecture specific dependencies.
+- Fix assert in dig when using +sigchase (#985918)
+
+* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.9.5-9.P1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 18 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-8.P1
+- Use network-online.target instead of network.target (#1117086)
+
+* Fri Jul 11 2014 Tom Callaway <spot@fedoraproject.org> 32:9.9.5-7.P1
+- fix license handling
+
+* Thu Jun 12 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-6.P1
+- Update to 9.9.5-P1
+
+* Mon Jun 09 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-5
+- Use /dev/urandom for generation of rndc.key (#1079799)
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.9.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue Apr 22 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-3
+- configure bind with --with-dlopen=yes to support dynamically loadable DLZ drivers
+
+* Wed Mar 05 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-2
+- dlz_dlopen driver could return the wrong error leading to a segfault (#1052781)
+- Fix race condition when freeing fetch object (ISC-Bugs #35385)
+
+* Thu Feb 13 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-1
+- Update to 9.9.5 stable
+
+* Sun Jan 26 2014 Rex Dieter <rdieter@fedoraproject.org> 32:9.9.5-0.5.rc2
+- -libs, -libs-lite: track sonames, so abi bumps aren't a surprise
+
+* Fri Jan 24 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-0.4.rc2
+- update to 9.9.5rc2
+- merged patches dropped
+- some patches rebased to the new version
+
+* Wed Jan 15 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-0.3.b1
+- non-existance of resolv.conf should not be fatal (#1052343)
+
+* Tue Jan 14 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-0.2.b1
+- Fix CVE-2014-0591
+
+* Mon Jan 06 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-0.1.b1
+- Update to bind-9.9.5b1
+- Build bind-sdb against libdb instead of libdb4
+
+* Wed Dec 18 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-11
+- Fix crash in rbtdb after two sucessive getoriginnode() calls
+
+* Tue Dec 17 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-10
+- Split chroot package for named and named-sdb
+- Extract setting-up/destroying of chroot to a separate systemd service (#997030)
+
+* Thu Nov 28 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-9
+- Fixed memory leak in nsupdate if 'realm' was used multiple times (#984687)
+
+* Tue Nov 12 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-8
+- Install configuration for rwtab and fix chroot setup script
+
+* Thu Oct 31 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-7
+- Correct the upstream patch for #794940
+
+* Thu Oct 31 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-6
+- use --enable-filter-aaaa when building bind to enable use of filter-aaaa-on-v4 option
+
+* Wed Oct 30 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-5
+- Create symlink /var/named/chroot/var/run -> /var/named/chroot/run
+- Added session-keyfile statement into default named.conf since we use /run/named
+
+* Tue Oct 29 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-4
+- Use upstream version of patch for previously fixed #794940
+
+* Fri Oct 18 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-3
+- Fix race condition on send buffers in dighost.c (#794940)
+
+* Tue Oct 08 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-2
+- install isc/errno2result.h header
+
+* Fri Sep 20 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-1
+- Update to bind-9.9.4 stable
+
+* Tue Sep 10 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.9.rc2
+- Fix [ISC-Bugs #34738] dns_journal_open() returns a pointer to stack
+
+* Mon Sep 09 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.8.rc2
+- update to bind-9.9.4rc2
+
+* Tue Aug 20 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.7.rc1
+- Move named-checkzone and named-compilezone to bind-utils package
+
+* Tue Aug 20 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.6.rc1
+- Move tools that don't need the server to run, from main package to bind-utils (#964313)
+
+* Fri Aug 16 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.5.rc1
+- Don't generate rndc.key if there exists rndc.conf
+
+* Fri Aug 16 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.4.rc1
+- don't install named-sdb.service if SDB macro is defined to zero
+
+* Mon Aug 05 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.3.rc1
+- Fix setup-named-chroot.sh to mount/umount everything successfully
+- update to bind-9.9.4rc1
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.9.4-0.2.b1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Jul 15 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.1.b1
+- update to bind-9.9.4b1
+- drop merged RRL patch
+- drop merged stat.h patch
+
+* Wed Jun 05 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-3.P1
+- update to 9.9.3-P1 (fix for CVE-2013-3919)
+- update RRL patch to 9.9.3-P1-rl.156.01
+
+* Mon Jun 03 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-2
+- bump release to prevent update path issues
+
+* Mon Jun 03 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-1
+- update to 9.9.3
+- install dns/update.h header
+- update RRL patch to the latest version 9.9.3-rl.150.20
+
+* Fri May 17 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-0.7.rc2
+- Fix segfault in host/nslookup (#878139)
+
+* Mon May 13 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-0.6.rc2
+- update to 9.9.3rc2
+- part of bind97-exportlib.patch not needed any more
+- bind-9.9.1-P2-multlib-conflict.patch modified to reflect latest source
+- rl-9.9.3rc1.patch -> rl-9.9.3rc2.patch
+- bind99-opts.patch merged
+
+* Fri May 03 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-0.5.rc1
+- Include recursion Warning in named.conf and named.conf.sample (#740894)
+- Include managed-keys-directory statement in named.conf.sample (#948026)
+
+* Thu May 02 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-0.4.rc1
+- Fix zone2sqlite to quote table names when creating/dropping/inserting (#919417)
+
+* Fri Apr 19 2013 Adam Tkac <atkac redhat com> 32:9.9.3-0.3.rc1
+- fix crash in nsupdate when processing "-r" parameter (#949544)
+
+* Tue Apr 16 2013 Adam Tkac <atkac redhat com> 32:9.9.3-0.2.rc1
+- ship dns/rrl.h in -devel subpkg
+
+* Tue Apr 16 2013 Adam Tkac <atkac redhat com> 32:9.9.3-0.1.rc1
+- update to 9.9.3rc1
+- bind-96-libtool2.patch has been merged
+- fix bind tmpfiles.d for named.pid /run migration (#920713)
+
+* Wed Mar 27 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.2-12.P2
+- New upstream patch version fixing CVE-2013-2266 (#928032)
+
+* Tue Mar 19 2013 Adam Tkac <atkac redhat com> 32:9.9.2-11.P1
+- move pidfile to /run/named/named.pid
+
+* Wed Mar 06 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.2-10.P1
+- Fix Makefile.in to include header added by rate limiting patch (#918330)
+
+* Tue Mar 05 2013 Adam Tkac <atkac redhat com> 32:9.9.2-9.P1
+- drop some developer-only documentation and move ARM to %%docdir
+
+* Mon Feb 18 2013 Adam Tkac <atkac redhat com> 32:9.9.2-8.P1
+- include rate limiting patch
+
+* Tue Jan 29 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.2-7.P1
+- Corrected IP addresses in named.ca (#901741)
+- mount/umount /var/named in setup-named-chroot.sh as the last one (#904666)
+
+* Thu Dec 20 2012 Adam Tkac <atkac redhat com> 32:9.9.2-6.P1
+- generate /etc/rndc.key during named service startup if doesn't exist
+- increase startup timeout in systemd units to 90sec (default)
+- fix IDN related statement in dig.1 manpage
+
+* Wed Dec 05 2012 Tomas Hozza <thozza@redhat.com> 32:9.9.2-5.P1
+- update to bind-9.9.2-P1
+
+* Mon Nov 12 2012 Adam Tkac <atkac redhat com> 32:9.9.2-4
+- document dig exit codes in manpage
+- ignore empty "search" options in resolv.conf
+
+* Mon Nov 12 2012 Adam Tkac <atkac redhat com> 32:9.9.2-3
+- drop PKCS11 support on rhel
+
+* Thu Oct 11 2012 Adam Tkac <atkac redhat com> 32:9.9.2-2
+- install isc/stat.h
+
+* Thu Oct 11 2012 Adam Tkac <atkac redhat com> 32:9.9.2-1
+- update to 9.9.2
+- bind97-rh714049.patch has been dropped
+- patches merged
+ - bind98-rh816164.patch
+
+* Thu Sep 13 2012 Adam Tkac <atkac redhat com> 32:9.9.1-10.P3
+- update to bind-9.9.1-P3
+
+* Wed Aug 22 2012 Tomas Hozza <thozza@redhat.com> 32:9.9.1-9.P2
+- fixed SPEC file so it comply with new systemd-rpm macros guidelines (#850045)
+- changed %%define macros to %%global and fixed several rpmlint warnings
+
+* Wed Aug 08 2012 Tomas Hozza <thozza@redhat.com> 32:9.9.1-8.P2
+- Changed PrivateTmp to "false" in *-chroot.service unit files (#825869)
+
+* Wed Aug 01 2012 Tomas Hozza <thozza@redhat.com> 32:9.9.1-7.P2
+- Fixed bind-devel multilib conflict (#478718)
+
+* Mon Jul 30 2012 Tomas Hozza <thozza@redhat.com> 32:9.9.1-6.P2
+- Fixed bad path to systemctl in /etc/NetworkManager/dispatcher.d/13-named (#844047)
+- Fixed path to libdb.so in config.dlz.in
+
+* Thu Jul 26 2012 Adam Tkac <atkac redhat com> 32:9.9.1-5.P2
+- update to 9.9.1-P2
+
+* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.9.1-4.P1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Wed Jul 11 2012 Ville Skyttä <ville.skytta@iki.fi> - 32:9.9.1-3.P1
+- Avoid shell invocation and dep for -libs-lite %%postun.
+
+* Mon Jun 04 2012 Adam Tkac <atkac redhat com> 32:9.9.1-2.P1
+- update to 9.9.1-P1 (CVE-2012-1667)
+
+* Thu May 24 2012 Adam Tkac <atkac redhat com> 32:9.9.1-1
+- update to 9.9.1
+- bind99-coverity.patch merged
+- bind-9.5-overflow.patch merged
+
+* Mon May 07 2012 Adam Tkac <atkac redhat com> 32:9.9.0-6
+- nslookup: return non-zero exit code when fail to get answer (#816164)
+
+* Thu Apr 26 2012 Adam Tkac <atkac redhat com> 32:9.9.0-5
+- initscript: don't umount /var/named when didn't mount it
+
+* Tue Apr 24 2012 Adam Tkac <atkac redhat com> 32:9.9.0-4
+- apply all non-SDB patches before SDB ones (#804475)
+- enable Berkeley DB DLZ backend (#804478)
+
+* Thu Apr 12 2012 Adam Tkac <atkac redhat com> 32:9.9.0-3
+- bind97-rh699951.patch is no longer needed (different fix is in 9.9.0)
+
+* Mon Mar 26 2012 Adam Tkac <atkac redhat com> 32:9.9.0-2
+- remove unneeded bind99-v6only.patch
+
+* Mon Mar 05 2012 Adam Tkac <atkac redhat com> 32:9.9.0-1
+- update to 9.9.0
+- load dynamic DBs later (and update dyndb patch)
+- fix memory leak in named during processing of rndc command
+- don't call `rndc-confgen -a` in "post" section
+- fix some packaging bugs in bind-chroot
+
+* Wed Feb 15 2012 Adam Tkac <atkac redhat com> 32:9.9.0-0.8.rc2
+- build with "--enable-fixed-rrset"
+
+* Wed Feb 01 2012 Adam Tkac <atkac redhat com> 32:9.9.0-0.7.rc2
+- update to 9.9.0rc2
+- doc/rfc and doc/draft are no longer shipped in tarball
+
+* Mon Jan 30 2012 Adam Tkac <atkac redhat com> 32:9.9.0-0.6.rc1
+- retire initscript in favour of systemd unit files (#719419)
+
+* Thu Jan 12 2012 Adam Tkac <atkac redhat com> 32:9.9.0-0.5.rc1
+- update to 9.9.0rc1
+
+* Wed Dec 07 2011 Adam Tkac <atkac redhat com> 32:9.9.0-0.4.b2
+- ship dns/forward.h in -devel subpkg
+
+* Tue Nov 22 2011 Adam Tkac <atkac redhat com> 32:9.9.0-0.3.b2
+- update to 9.9.0b2 (CVE-2011-4313)
+- patches merged
+ - bind97-rh700097.patch
+ - bind99-cinfo.patch
+
+* Mon Nov 14 2011 Adam Tkac <atkac redhat com> 32:9.9.0-0.2.b1
+- ship dns/clientinfo.h in bind-devel
+
+* Fri Nov 11 2011 Adam Tkac <atkac redhat com> 32:9.9.0-0.1.b1
+- update to 9.9.0b1
+- bind98-dlz_buildfix.patch merged
+
+* Fri Oct 28 2011 Adam Tkac <atkac redhat com> 32:9.8.1-4
+- nslookup failed to resolve name in certain cases
+
+* Mon Sep 26 2011 Adam Tkac <atkac redhat com> 32:9.8.1-3
+- remove deps filter, it is no longer needed (#739663)
+
+* Fri Sep 09 2011 Adam Tkac <atkac redhat com> 32:9.8.1-2
+- fix logrotate config file (#725256)
+
+* Wed Sep 07 2011 Adam Tkac <atkac redhat com> 32:9.8.1-1
+- update to 9.8.1
+- ship /etc/trusted-key.key (needed by dig)
+- use select instead of epoll in export libs (#735103)
+
+* Wed Aug 31 2011 Adam Tkac <atkac redhat com> 32:9.8.1-0.3.rc1
+- fix DLZ related compilation issues
+- make /etc/named.{root,iscdlv}.key world-readable
+- add bind-libs versioned requires to bind pkg
+
+* Wed Aug 31 2011 Adam Tkac <atkac redhat com> 32:9.8.1-0.2.rc1
+- fix rare race condition in request.c
+- print "the working directory is not writable" as debug message
+- re-add configtest target to initscript
+- initscript: sybsys name is always named, not named-sdb
+- nsupdate returned zero when target zone didn't exist (#700097)
+- nsupdate could have failed if server has multiple IPs and the first
+ was unreachable (#714049)
+
+* Wed Aug 31 2011 Adam Tkac <atkac redhat com> 32:9.8.1-0.1.rc1
+- update to 9.8.1rc1
+- patches merged
+ - bind97-rh674334.patch
+ - bind97-cleanup.patch
+ - bind98-includes.patch
+
+* Wed Aug 03 2011 Adam Tkac <atkac redhat com> 32:9.8.0-9.P4
+- improve patch for #725741
+
+* Tue Jul 26 2011 Adam Tkac <atkac redhat com> 32:9.8.0-8.P4
+- named could have crashed during reload when dyndb module is used (#725741)
+
+* Tue Jul 05 2011 Adam Tkac <atkac redhat com> 32:9.8.0-7.P4
+- update to 9.8.0-P4
+ - bind98-libdns-export.patch merged
+
+* Thu Jun 02 2011 Adam Tkac <atkac redhat com> 32:9.8.0-6.P2
+- update the dyndb patch
+
+* Fri May 27 2011 Adam Tkac <atkac redhat com> 32:9.8.0-5.P2
+- fix compilation of libdns-export.so
+
+* Fri May 27 2011 Adam Tkac <atkac redhat com> 32:9.8.0-4.P2
+- update to 9.8.0-P2 (CVE-2011-1910)
+
+* Fri May 06 2011 Adam Tkac <atkac redhat com> 32:9.8.0-3.P1
+- update to 9.8.0-P1 (CVE-2011-1907)
+
+* Wed Mar 23 2011 Dan Horák <dan@danny.cz> - 32:9.8.0-2
+- rebuilt for mysql 5.5.10 (soname bump in libmysqlclient)
+
+* Thu Mar 03 2011 Adam Tkac <atkac redhat com> 32:9.8.0-1
+- update to 9.8.0
+- bind97-rh665971.patch merged
+
+* Thu Mar 03 2011 Adam Tkac <atkac redhat com> 32:9.8.0-0.4.rc1
+- revert previous change (integration with libnmserver)
+
+* Tue Feb 22 2011 Adam Tkac <atkac redhat com> 32:9.8.0-0.3.rc1
+- integrate named with libnmserver library
+
+* Tue Feb 22 2011 Adam Tkac <atkac redhat com> 32:9.8.0-0.2.rc1
+- include dns/rpz.h in -devel subpkg
+
+* Mon Feb 21 2011 Adam Tkac <atkac redhat com> 32:9.8.0-0.1.rc1
+- update to 9.8.0rc1
+
+* Fri Feb 18 2011 Adam Tkac <atkac redhat com> 32:9.7.3-1
+- update to 9.7.3
+- fix dig +trace on dualstack systems (#674334)
+- fix linkage order when building on system with older BIND (#665971)
+- reduce number of gcc warnings
+
+* Mon Feb 07 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.7.3-0.6.rc1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Jan 25 2011 Adam Tkac <atkac redhat com> 32:9.7.3-0.5.rc1
+- update to 9.7.3rc1
+ - bind97-krb5-self.patch merged
+
+* Wed Jan 12 2011 Adam Tkac <atkac redhat com> 32:9.7.3-0.4.b1
+- fix typo in initscript
+
+* Thu Jan 06 2011 Adam Tkac <atkac redhat com> 32:9.7.3-0.3.b1
+- fix "service named status" when used with named-sdb
+- don't check MD5, size and mtime of sysconfig/named
+
+* Wed Jan 05 2011 Adam Tkac <atkac redhat com> 32:9.7.3-0.2.b1
+- add new option DISABLE_ZONE_CHECKING to sysconfig/named
+
+* Wed Jan 05 2011 Adam Tkac <atkac redhat com> 32:9.7.3-0.1.b1
+- update to 9.7.3b1
+
+* Wed Jan 05 2011 Adam Tkac <atkac redhat com> 32:9.7.2-10.P3
+- initscript should terminate only the correct "named" process (#622785)
+
+* Mon Dec 20 2010 Adam Tkac <atkac redhat com> 32:9.7.2-9.P3
+- fix "krb5-self" update-policy rule processing
+
+* Thu Dec 02 2010 Adam Tkac <atkac redhat com> 32:9.7.2-8.P3
+- update to 9.7.2-P3
+
+* Mon Nov 29 2010 Jan Görig <jgorig redhat com> 32:9.7.2-7.P2
+- added tmpfiles.d support (#656550)
+- removed old PID checking in initscript
+
+* Mon Nov 08 2010 Adam Tkac <atkac redhat com> 32:9.7.2-6.P2
+- don't emit various informational messages by default (#645544)
+
+* Wed Oct 20 2010 Adam Tkac <atkac redhat com> 32:9.7.2-5.P2
+- move BIND9 internal libs back to %%{_libdir}
+- add "-export" suffix to public libraries (-lite subpkg)
+
+* Thu Oct 07 2010 Adam Tkac <atkac redhat com> 32:9.7.2-4.P2
+- ship -devel subpkg for internal libs, dnsperf needs it
+
+* Thu Oct 07 2010 Adam Tkac <atkac redhat com> 32:9.7.2-3.P2
+- new bind-libs-lite and bind-lite-devel subpkgs which contain
+ public version of BIND 9 libraries
+- don't ship devel files for internal version of BIND 9 libraries
+
+* Wed Sep 29 2010 Adam Tkac <atkac redhat com> 32:9.7.2-2.P2
+- update to 9.7.2-P2
+
+* Thu Sep 16 2010 Adam Tkac <atkac redhat com> 32:9.7.2-1
+- update to 9.7.2
+
+* Fri Aug 27 2010 Adam Tkac <atkac redhat com> 32:9.7.2-0.3.rc1
+- update to 9.7.2rc1
+
+* Tue Aug 10 2010 Adam Tkac <atkac redhat com> 32:9.7.2-0.2.b1
+- host: handle "debug", "attempts" and "timeout" options in resolv.conf well
+
+* Tue Aug 03 2010 Adam Tkac <atkac redhat com> 32:9.7.2-0.1.b1
+- update to 9.7.2b1
+- patches merged
+ - bind97-rh507429.patch
+
+* Mon Jul 19 2010 Adam Tkac <atkac redhat com> 32:9.7.1-5.P2
+- supply root zone DNSKEY in default configuration
+
+* Mon Jul 19 2010 Adam Tkac <atkac redhat com> 32:9.7.1-4.P2
+- update to 9.7.1-P2 (CVE-2010-0213)
+
+* Mon Jul 12 2010 Adam Tkac <atkac redhat com> 32:9.7.1-3.P1
+- remove outdated Copyright.caching-nameserver file
+- remove rfc1912.txt, it is already located in %%doc/rfc directory
+- move COPYRIGHT to the bind-libs subpkg
+- add COPYRIGHT to the -pkcs11 subpkg
+
+* Fri Jul 09 2010 Adam Tkac <atkac redhat com> 32:9.7.1-2.P1
+- update to 9.7.1-P1
+
+* Mon Jun 28 2010 Adam Tkac <atkac redhat com> 32:9.7.1-1
+- update to 9.7.1
+- improve the "dnssec-conf" trigger
+
+* Wed Jun 09 2010 Adam Tkac <atkac redhat com> 32:9.7.1-0.2.rc1
+- update to 9.7.1rc1
+- patches merged
+ - bind97-keysdir.patch
+
+* Mon May 31 2010 Adam Tkac <atkac redhat com> 32:9.7.1-0.1.b1
+- update to 9.7.1b1
+- make /var/named/dynamic as a default directory for managed DNSSEC keys
+- add patch to get "managed-keys-directory" option working
+- patches merged
+ - bind97-managed-keyfile.patch
+ - bind97-rh554316.patch
+
+* Fri May 21 2010 Adam Tkac <atkac redhat com> 32:9.7.0-11.P2
+- update dnssec-conf Obsoletes/Provides
+
+* Thu May 20 2010 Adam Tkac <atkac redhat com> 32:9.7.0-10.P2
+- update to 9.7.0-P2
+
+* Fri Mar 26 2010 Adam Tkac <atkac redhat com> 32:9.7.0-9.P1
+- added lost patch for #554316 (occasional crash in keytable.c)
+
+* Fri Mar 26 2010 Adam Tkac <atkac redhat com> 32:9.7.0-8.P1
+- active query might be destroyed in resume_dslookup() which triggered REQUIRE
+ failure (#507429)
+
+* Mon Mar 22 2010 Adam Tkac <atkac redhat com> 32:9.7.0-7.P1
+- install SDB related manpages only when build with SDB
+
+* Fri Mar 19 2010 Adam Tkac <atkac redhat com> 32:9.7.0-6.P1
+- update to 9.7.0-P1
+
+* Tue Mar 16 2010 Jan Görig <jgorig redhat com> 32:9.7.0-5
+- bind-sdb now requires bind
+
+* Mon Mar 15 2010 Jan Görig <jgorig redhat com> 32:9.7.0-4
+- add man-pages ldap2zone.1 zonetodb.1 zone2sqlite.1 named-sdb.8 (#525655)
+
+* Mon Mar 01 2010 Adam Tkac <atkac redhat com> 32:9.7.0-3
+- fix multilib issue (#478718) [jgorig]
+
+* Mon Mar 01 2010 Adam Tkac <atkac redhat com> 32:9.7.0-2
+- improve automatic DNSSEC reconfiguration trigger
+- initscript now returns 2 in case that action doesn't exist (#523435)
+- enable/disable chroot when bind-chroot is installed/uninstalled
+
+* Wed Feb 17 2010 Adam Tkac <atkac redhat com> 32:9.7.0-1
+- update to 9.7.0 final
+
+* Mon Feb 15 2010 Adam Tkac <atkac redhat com> 32:9.7.0-0.14.rc2
+- obsolete dnssec-conf
+- automatically update configuration from old dnssec-conf based
+- improve default configuration; enable DLV by default
+- remove obsolete triggerpostun from bind-libs subpackage
+
+* Thu Jan 28 2010 Adam Tkac <atkac redhat com> 32:9.7.0-0.13.rc2
+- update to 9.7.0rc2
+
+* Wed Jan 27 2010 Adam Tkac <atkac redhat com> 32:9.7.0-0.12.rc1
+- initscript LSB related fixes (#523435)
+
+* Wed Jan 27 2010 Adam Tkac <atkac redhat com> 32:9.7.0-0.11.rc1
+- revert the "DEBUG" feature (#510283), it causes too many problems (#545128)
+
+* Tue Dec 15 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.10.rc1
+- update to 9.7.0rc1
+- bind97-headers.patch merged
+- update default configuration
+
+* Tue Dec 01 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.9.b3
+- update to 9.7.0b3
+
+* Thu Nov 26 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.8.b2
+- install isc/namespace.h header
+
+* Fri Nov 06 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.7.b2
+- update to 9.7.0b2
+
+* Tue Nov 03 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.6.b1
+- update to 9.7.0b1
+- add bind-pkcs11 subpackage to support PKCS11 compatible keystores for DNSSEC
+ keys
+
+* Thu Oct 08 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.5.a3
+- don't package named-bootconf utility, it is very outdated and unneeded
+
+* Mon Sep 21 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.4.a3
+- determine file size via `stat` instead of `ls` (#523682)
+
+* Wed Sep 16 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.3.a3
+- update to 9.7.0a3
+
+* Tue Sep 15 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.2.a2
+- improve chroot related documentation (#507795)
+- add NetworkManager dispatcher script to reload named when network interface is
+ activated/deactivated (#490275)
+- don't set/unset named_write_master_zones SELinux boolean every time in
+ initscript, modify it only when it's actually needed
+
+* Tue Sep 15 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.1.a2
+- update to 9.7.0a2
+- merged patches
+ - bind-96-db_unregister.patch
+ - bind96-rh507469.patch
+
+* Tue Sep 01 2009 Adam Tkac <atkac redhat com> 32:9.6.1-9.P1
+- next attempt to fix the postun trigger (#520385)
+- remove obsolete bind-9.3.1rc1-fix_libbind_includedir.patch
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 32:9.6.1-8.P1
+- rebuilt with new openssl
+
+* Tue Aug 04 2009 Martin Nagy <mnagy redhat com> 32:9.6.1-7.P1
+- update the patch for dynamic loading of database backends
+
+* Wed Jul 29 2009 Adam Tkac <atkac redhat com> 32:9.6.1-6.P1
+- 9.6.1-P1 release (CVE-2009-0696)
+- fix postun trigger (#513016, hopefully)
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.6.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Jul 20 2009 Adam Tkac <atkac redhat com> 32:9.6.1-4
+- remove useless bind-9.3.3rc2-rndckey.patch
+
+* Mon Jul 13 2009 Adam Tkac <atkac redhat com> 32:9.6.1-3
+- fix broken symlinks in bind-libs (#509635)
+- fix typos in /etc/sysconfig/named (#509650)
+- add DEBUG option to /etc/sysconfig/named (#510283)
+
+* Wed Jun 24 2009 Adam Tkac <atkac redhat com> 32:9.6.1-2
+- improved "chroot automount" patches (#504596)
+- host should fail if specified server doesn't respond (#507469)
+
+* Wed Jun 17 2009 Adam Tkac <atkac redhat com> 32:9.6.1-1
+- 9.6.1 release
+- simplify chroot maintenance. Important files and directories are mounted into
+ chroot (see /etc/sysconfig/named for more info, #504596)
+- fix doc/named.conf.default perms
+
+* Wed May 27 2009 Adam Tkac <atkac redhat com> 32:9.6.1-0.4.rc1
+- 9.6.1rc1 release
+
+* Wed Apr 29 2009 Martin Nagy <mnagy redhat com> 32:9.6.1-0.3.b1
+- update the patch for dynamic loading of database backends
+- create %%{_libdir}/bind directory
+- copy default named.conf to doc directory, shared with s-c-bind (atkac)
+
+* Fri Apr 24 2009 Martin Nagy <mnagy redhat com> 32:9.6.1-0.2.b1
+- update the patch for dynamic loading of database backends
+- fix dns_db_unregister()
+- useradd now takes "-N" instead of "-n" (atkac, #495726)
+- print nicer error msg when zone file is actually a directory (atkac, #490837)
+
+* Mon Mar 30 2009 Adam Tkac <atkac redhat com> 32:9.6.1-0.1.b1
+- 9.6.1b1 release
+- patches merged
+ - bind-96-isc_header.patch
+ - bind-95-rh469440.patch
+ - bind-96-realloc.patch
+ - bind9-fedora-0001.diff
+- use -version-number instead of -version-info libtool param
+
+* Mon Mar 23 2009 Adam Tkac <atkac redhat com> 32:9.6.0-11.1.P1
+- logrotate configuration file now points to /var/named/data/named.run by
+ default (#489986)
+
+* Tue Mar 17 2009 Adam Tkac <atkac redhat com> 32:9.6.0-11.P1
+- fall back to insecure mode when no supported DNSSEC algorithm is found
+ instead of SERVFAIL
+- don't fall back to non-EDNS0 queries when DO bit is set
+
+* Tue Mar 10 2009 Adam Tkac <atkac redhat com> 32:9.6.0-10.P1
+- enable DNSSEC only if it is enabled in sysconfig/dnssec
+
+* Mon Mar 09 2009 Adam Tkac <atkac redhat com> 32:9.6.0-9.P1
+- add DNSSEC support to initscript, enabled it per default
+- add requires dnssec-conf
+
+* Mon Mar 09 2009 Adam Tkac <atkac redhat com> 32:9.6.0-8.P1
+- fire away libbind, it is now separate package
+
+* Wed Mar 04 2009 Adam Tkac <atkac redhat com> 32:9.6.0-7.P1
+- fixed some read buffer overflows (upstream)
+
+* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> 32:9.6.0-6.P1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Feb 12 2009 Martin Nagy <mnagy redhat com> 32:9.6.0-5.P1
+- update the patch for dynamic loading of database backends
+- include iterated_hash.h
+
+* Sat Jan 24 2009 Caolán McNamara <caolanm@redhat.com> 32:9.6.0-4.P1
+- rebuild for dependencies
+
+* Wed Jan 21 2009 Adam Tkac <atkac redhat com> 32:9.6.0-3.P1
+- rebuild against new openssl
+
+* Thu Jan 08 2009 Adam Tkac <atkac redhat com> 32:9.6.0-2.P1
+- 9.6.0-P1 release (CVE-2009-0025)
+
+* Mon Jan 05 2009 Adam Tkac <atkac redhat com> 32:9.6.0-1
+- Happy new year
+- 9.6.0 release
+
+* Thu Dec 18 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.7.rc2
+- 9.6.0rc2 release
+- bind-96-rh475120.patch merged
+
+* Tue Dec 16 2008 Martin Nagy <mnagy redhat com> 32:9.6.0-0.6.rc1
+- add patch for dynamic loading of database backends
+
+* Tue Dec 09 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.5.1.rc1
+- allow to reuse address for non-random query-source ports (#475120)
+
+* Wed Dec 03 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.5.rc1
+- 9.6.0rc1 release
+- patches merged
+ - bind-9.2.0rc3-varrun.patch
+ - bind-95-sdlz-include.patch
+ - bind-96-libxml2.patch
+- fixed rare use-after-free problem in host utility (#452060)
+- enabled chase of DNSSEC signature chains in dig
+
+* Mon Dec 01 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.4.1.b1
+- improved sample config file (#473586)
+
+* Wed Nov 26 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.4.b1
+- reverted previous change, koji doesn't like it
+
+* Wed Nov 26 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.3.b1
+- build bind-chroot as noarch
+
+* Mon Nov 24 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.2.1.b1
+- updates due libtool 2.2.6
+- don't pass -DLDAP_DEPRECATED to cpp, handle it directly in sources
+
+* Tue Nov 11 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.2.b1
+- make statistics http server working, patch backported from 9.6 HEAD
+
+* Mon Nov 10 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.1.b1
+- 9.6.0b1 release
+- don't build ODBC and Berkeley DB DLZ drivers
+- end of bind-chroot-admin script, copy config files to chroot manually
+- /proc doesn't have to be mounted to chroot
+- temporary use libbind from 9.5 series, noone has been released for 9.6 yet
+
+* Mon Nov 03 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.8.4.b2
+- dig/host: use only IPv4 addresses when -4 option is specified (#469440)
+
+* Thu Oct 30 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.8.2.b2
+- removed unneeded bind-9.4.1-ldap-api.patch
+
+* Thu Oct 30 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.8.1.b2
+- ship dns/{s,}dlz.h and isc/radix.h in bind-devel
+
+* Tue Oct 07 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.8.b2
+- removed bind-9.4.0-dnssec-directory.patch, it is wrong
+
+* Wed Sep 24 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.7.b2
+- 9.5.1b2 release
+- patches merged
+ - bind95-rh454783.patch
+ - bind-9.5-edns.patch
+ - bind95-rh450995.patch
+ - bind95-rh457175.patch
+
+* Wed Sep 17 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.6.b1
+- IDN output strings didn't honour locale settings (#461409)
+
+* Tue Aug 05 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.5.b1
+- disable transfer stats on DLZ zones (#454783)
+
+* Mon Aug 04 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.4.b1
+- add forgotten patch for #457175
+- build with -O2
+
+* Thu Jul 31 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.3.b1
+- static libraries are no longer supported
+- IP acls weren't merged correctly (#457175)
+- use fPIE on sparcv9/sparc64 (Dennis Gilmore)
+- add sparc64 to list of 64bit arches in spec (Dennis Gilmore)
+
+* Mon Jul 21 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.2.b1
+- updated patches due new rpm (--fuzz=0 patch parameter)
+
+* Mon Jul 14 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.1.1.b1
+- use %%patch0 for Patch0 (#455061)
+- correct source address (#455118)
+
+* Tue Jul 08 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.1.b1
+- 9.5.1b1 release (CVE-2008-1447)
+- dropped bind-9.5-recv-race.patch because upstream doesn't want it
+
+* Mon Jun 30 2008 Adam Tkac <atkac redhat com> 32:9.5.0-37.1
+- update default named.conf statements (#452708)
+
+* Thu Jun 26 2008 Adam Tkac <atkac redhat com> 32:9.5.0-37
+- some compat changes to fix building on RHEL4
+
+* Mon Jun 23 2008 Adam Tkac <atkac redhat com> 32:9.5.0-36.3
+- fixed typo in %%posttrans script
+
+* Wed Jun 18 2008 Adam Tkac <atkac redhat com> 32:9.5.0-36.2
+- parse inner acls correctly (#450995)
+
+* Mon Jun 02 2008 Adam Tkac <atkac redhat com> 32:9.5.0-36.1
+- removed dns-keygen utility in favour of rndc-confgen -a (#449287)
+- some minor sample fixes (#449274)
+
+* Thu May 29 2008 Adam Tkac <atkac redhat com> 32:9.5.0-36
+- updated to 9.5.0 final
+- use getifaddrs to find available interfaces
+
+* Mon May 26 2008 Adam Tkac <atkac redhat com> 32:9.5.0-35.rc1
+- make /var/run/named writable by named (#448277)
+- fixed one non-utf8 file
+
+* Thu May 22 2008 Adam Tkac <atkac redhat com> 32:9.5.0-34.rc1
+- fixes needed to pass package review (#225614)
+
+* Wed May 21 2008 Adam Tkac <atkac redhat com> 32:9.5.0-33.1.rc1
+- bind-chroot now depends on bind (#446477)
+
+* Wed May 14 2008 Adam Tkac <atkac redhat com> 32:9.5.0-33.rc1
+- updated to 9.5.0rc1
+- merged patches
+ - bind-9.5-libcap.patch
+- make binaries readable by others (#427826)
+
+* Tue May 13 2008 Adam Tkac <atkac redhat com> 32:9.5.0-32.b3
+- reverted "any" patch, upstream says not needed
+- log EDNS failure only when we really switch to plain EDNS (#275091)
+- detect configuration file better
+
+* Tue May 06 2008 Adam Tkac <atkac redhat com> 32:9.5.0-31.1.b3
+- addresses 0.0.0.0 and ::0 really match any (#275091, comment #28)
+
+* Mon May 05 2008 Adam Tkac <atkac redhat com> 32:9.5.0-31.b3
+- readded bind-9.5-libcap.patch
+- added bind-9.5-recv-race.patch from F8 branch (#400461)
+
+* Wed Apr 23 2008 Adam Tkac <atkac redhat com> 32:9.5.0-30.1.b3
+- build Berkeley DB DLZ backend
+
+* Mon Apr 21 2008 Adam Tkac <atkac redhat com> 32:9.5.0-30.b3
+- 9.5.0b3 release
+- dropped patches (upstream)
+ - bind-9.5-transfer-segv.patch
+ - bind-9.5-mudflap.patch
+ - bind-9.5.0-generate-xml.patch
+ - bind-9.5-libcap.patch
+
+* Wed Apr 02 2008 Adam Tkac <atkac redhat com> 32:9.5.0-29.3.b2
+- fixed named.conf.sample file (#437569)
+
+* Fri Mar 14 2008 Adam Tkac <atkac redhat com> 32:9.5.0-29.2.b2
+- fixed URLs
+
+* Mon Feb 25 2008 Adam Tkac <atkac redhat com> 32:9.5.0-29.1.b2
+- BuildRequires cleanup
+
+* Sun Feb 24 2008 Adam Tkac <atkac redhat com> 32:9.5.0-29.b2
+- rebuild without mudflap (#434159)
+
+* Wed Feb 20 2008 Adam Tkac <atkac redhat com> 32:9.5.0-28.b2
+- port named to use libcap library, enable threads (#433102)
+- removed some unneeded Requires
+
+* Tue Feb 19 2008 Adam Tkac <atkac redhat com> 32:9.5.0-27.b2
+- removed conditional build with libefence (use -fmudflapth instead)
+- fixed building of DLZ stuff (#432497)
+- do not build Berkeley DB DLZ backend
+- temporary build with --disable-linux-caps and without threads (#433102)
+- update named.ca file to affect IPv6 changes in root zone
+
+* Mon Feb 11 2008 Adam Tkac <atkac redhat com> 32:9.5.0-26.b2
+- build with -D_GNU_SOURCE (#431734)
+- improved fix for #253537, posttrans script is now used
+- improved fix for #400461
+- 9.5.0b2
+ - bind-9.3.2b1-PIE.patch replaced by bind-9.5-PIE.patch
+ - only named, named-sdb and lwresd are PIE
+ - bind-9.5-sdb.patch has been updated
+ - bind-9.5-libidn.patch has been updated
+ - bind-9.4.0-sdb-sqlite-bld.patch replaced by bind-9.5-sdb-sqlite-bld.patch
+ - removed bind-9.5-gssapi-header.patch (upstream)
+ - removed bind-9.5-CVE-2008-0122.patch (upstream)
+- removed bind-9.2.2-nsl.patch
+- improved sdb_tools Makefile.in
+
+* Mon Feb 04 2008 Adam Tkac <atkac redhat com> 32:9.5.0-25.b1
+- fixed segfault during sending notifies (#400461)
+- rebuild with gcc 4.3 series
+
+* Tue Jan 22 2008 Adam Tkac <atkac redhat com> 32:9.5.0-24.b1
+- removed bind-9.3.2-prctl_set_dumpable.patch (upstream)
+- allow parallel building of libdns library
+- CVE-2008-0122
+
+* Thu Dec 27 2007 Adam Tkac <atkac redhat com> 32:9.5.0-23.b1
+- fixed initscript wait loop (#426382)
+- removed dependency on policycoreutils and libselinux (#426515)
+
+* Thu Dec 20 2007 Adam Tkac <atkac redhat com> 32:9.5.0-22.b1
+- fixed regression caused by libidn2 patch (#426348)
+
+* Wed Dec 19 2007 Adam Tkac <atkac redhat com> 32:9.5.0-21.b1
+- fixed typo in post section (CVE-2007-6283)
+
+* Wed Dec 19 2007 Adam Tkac <atkac redhat com> 32:9.5.0-20.b1
+- removed obsoleted triggers
+- CVE-2007-6283
+
+* Wed Dec 12 2007 Adam Tkac <atkac redhat com> 32:9.5.0-19.2.b1
+- added dst/gssapi.h to -devel subpackage (#419091)
+- improved fix for (#417431)
+
+* Mon Dec 10 2007 Adam Tkac <atkac redhat com> 32:9.5.0-19.1.b1
+- fixed shutdown with initscript when rndc doesn't work (#417431)
+- fixed IDN patch (#412241)
+
+* Thu Dec 06 2007 Adam Tkac <atkac redhat com> 32:9.5.0-19.b1
+- 9.5.0b1 (#405281, #392491)
+
+* Thu Dec 06 2007 Release Engineering <rel-eng at fedoraproject dot org> 32:9.5.0-18.6.a7
+- Rebuild for deps
+
+* Wed Dec 05 2007 Adam Tkac <atkac redhat com> 32:9.5.0-18.5.a7
+- build with -O0
+
+* Mon Dec 03 2007 Adam Tkac <atkac redhat com> 32:9.5.0-18.4.a7
+- bind-9.5-random_ports.patch was removed because upstream doesn't
+ like it. query-source{,v6} options are sufficient (#391931)
+- bind-chroot-admin called restorecon on /proc filesystem (#405281)
+
+* Mon Nov 26 2007 Adam Tkac <atkac redhat com> 32:9.5.0-18.3.a7
+- removed edns patch to keep compatibility with vanilla bind
+ (#275091, comment #20)
+
+* Wed Nov 21 2007 Adam Tkac <atkac redhat com> 32:9.5.0-18.2.a7
+- use system port selector instead ISC's (#391931)
+
+* Mon Nov 19 2007 Adam Tkac <atkac redhat com> 32:9.5.0-18.a7
+- removed statement from initscript which passes -D to named
+
+* Thu Nov 15 2007 Adam Tkac <atkac redhat com> 32:9.5.0-17.a7
+- 9.5.0a7
+- dropped patches (upstream)
+ - bind-9.5-update.patch
+ - bind-9.5-pool_badfree.patch
+ - bind-9.5-_res_errno.patch
+
+* Thu Nov 15 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.5.a6
+- added bind-sdb again, contains SDB modules and DLZ modules
+- bind-9.3.1rc1-sdb.patch replaced by bind-9.5-sdb.patch
+
+* Mon Nov 12 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.4.a6
+- removed Requires: openldap, postgresql, mysql, db4, unixODBC
+- new L.ROOT-SERVERS.NET address
+
+* Mon Oct 29 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.3.a6
+- completely disable DBUS
+
+* Fri Oct 26 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.2.a6
+- minor cleanup in bind-chroot-admin
+
+* Thu Oct 25 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.1.a6
+- fixed typo in initscript
+
+* Tue Oct 23 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.a6
+- disabled DBUS (dhcdbd doesn't exist & #339191)
+
+* Thu Oct 18 2007 Adam Tkac <atkac redhat com> 32:9.5.0-15.1.a6
+- fixed missing va_end () functions (#336601)
+- fixed memory leak when dbus initialization fails
+
+* Tue Oct 16 2007 Adam Tkac <atkac redhat com> 32:9.5.0-15.a6
+- corrected named.5 SDB statement (#326051)
+
+* Mon Sep 24 2007 Adam Tkac <atkac redhat com> 32:9.5.0-14.a6
+- added edns patch again (#275091)
+
+* Mon Sep 24 2007 Adam Tkac <atkac redhat com> 32:9.5.0-13.a6
+- removed bind-9.3.3-edns.patch patch (see #275091 for reasons)
+
+* Thu Sep 20 2007 Adam Tkac <atkac redhat com> 32:9.5.0-12.4.a6
+- build with O2
+- removed "autotools" patch
+- bugfixing in bind-chroot-admin (#279901)
+
+* Thu Sep 06 2007 Adam Tkac <atkac redhat com> 32:9.5.0-12.a6
+- bind-9.5-2119_revert.patch and bind-9.5-fix_h_errno.patch are
+ obsoleted by upstream bind-9.5-_res_errno.patch
+
+* Wed Sep 05 2007 Adam Tkac <atkac redhat com> 32:9.5.0-11.9.a6
+- fixed wrong resolver's dispatch pool cleanup (#275011, patch from
+ tmraz redhat com)
+
+* Wed Sep 05 2007 Adam Tkac <atkac redhat com> 32:9.5.0-11.3.a6
+- initscript failure message is now printed correctly (#277981,
+ Quentin Armitage (quentin armitage org uk) )
+
+* Mon Sep 03 2007 Adam Tkac <atkac redhat com> 32:9.5.0-11.2.a6
+- temporary revert ISC 2119 change and add "libbind-errno" patch
+ (#254501) again
+
+* Thu Aug 23 2007 Adam Tkac <atkac redhat com> 32:9.5.0-11.1.a6
+- removed end dots from Summary sections (skasal@redhat.com)
+- fixed wrong file creation by autotools patch (skasal@redhat.com)
+
+* Thu Aug 23 2007 Adam Tkac <atkac redhat com> 32:9.5.0-11.a6
+- start using --disable-isc-spnego configure option
+ - remove bind-9.5-spnego-memory_management.patch (source isn't
+ compiled)
+
+* Wed Aug 22 2007 Adam Tkac <atkac redhat com> 32:9.5.0-10.2.a6
+- added new initscript option KEYTAB_FILE which specified where
+ is located kerberos .keytab file for named service
+- obsolete temporary bind-9.5-spnego-memory_management.patch by
+ bind-9.5-gssapictx-free.patch which conforms BIND coding standards
+ (#251853)
+
+* Tue Aug 21 2007 Adam Tkac <atkac redhat com> 32:9.5.0-10.a6
+- dropped direct dependency to /etc/openldap/schema directory
+- changed hardcoded paths to macros
+- fired away code which configure LDAP server
+
+* Tue Aug 14 2007 Adam Tkac <atkac redhat com> 32:9.5.0-9.1.a6
+- named could crash with SRV record UPDATE (#251336)
+
+* Mon Aug 13 2007 Adam Tkac <atkac redhat com> 32:9.5.0-9.a6
+- disable 64bit dlz driver patch on alpha and ia64 (#251298)
+- remove wrong malloc functions from lib/dns/spnego.c (#251853)
+
+* Mon Aug 06 2007 Adam Tkac <atkac redhat com> 32:9.5.0-8.2.a6
+- changed licence from BSD-like to ISC
+
+* Tue Jul 31 2007 Adam Tkac <atkac redhat com> 32:9.5.0-8.1.a6
+- disabled named on all runlevels by default
+
+* Mon Jul 30 2007 Adam Tkac <atkac redhat com> 32:9.5.0-8.a6
+- minor next improvements on autotools patch
+- dig and host utilities now using libidn instead idnkit for
+ IDN support
+
+* Wed Jul 25 2007 Warren Togami <wtogami@redhat.com> 32:9.5.0-7.a6
+- binutils/gcc bug rebuild (#249435)
+
+* Tue Jul 24 2007 Adam Tkac <atkac redhat com> 32:9.5.0-6.a6
+- updated to 9.5.0a6 which contains fixes for CVE-2007-2925 and
+ CVE-2007-2926
+- fixed building on 64bits
+
+* Mon Jul 23 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-5
+- integrated "autotools" patch for testing purposes (upstream will
+ accept it in future, for easier building)
+
+* Mon Jul 23 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-4.1
+- fixed DLZ drivers building on 64bit systems
+
+* Fri Jul 20 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-4
+- fixed relation between logrotated and chroot-ed named
+
+* Wed Jul 18 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-3.9
+- removed bind-sdb package (default named has compiled SDB backend now)
+- integrated DLZ (Dynamically loadable zones) drivers
+- integrated GSS-TSIG support (RFC 3645)
+- build with -O0 (many new features, potential core dumps will be more useful)
+
+* Tue Jul 17 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-3.2
+- initscript should be ready for parallel booting (#246878)
+
+* Tue Jul 17 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-3
+- handle integer overflow in isc_time_secondsastimet function gracefully (#247856)
+
+* Mon Jul 16 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-2.2
+- moved chroot configfiles into chroot subpackage (#248306)
+
+* Mon Jul 02 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-2
+- minor changes in default configuration
+- fix h_errno assigment during resolver initialization (unbounded recursion, #245857)
+- removed wrong patch to #150288
+
+* Tue Jun 19 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-1
+- updated to latest upstream
+
+* Wed Jun 13 2007 Adam Tkac <atkac redhat com> 31:9.4.1-7
+- marked caching-nameserver as obsolete (#244604)
+- fixed typo in initscript (causes that named doesn't detect NetworkManager
+ correctly)
+- next cleanup in configuration - moved configfiles into config.tar
+- removed delay between start & stop in restart function in named.init
+
+* Tue Jun 12 2007 Adam Tkac <atkac redhat com> 31:9.4.1-6
+- major changes in initscript. Could be LSB compatible now
+- removed caching-nameserver subpackage. Move configs from this
+ package to main bind package as default configuration and major
+ configuration cleanup
+
+* Mon Jun 04 2007 Adam Tkac <atkac redhat com> 31:9.4.1-5
+- very minor compatibility change in bind-chroot-admin (line 215)
+- enabled IDN support by default and don't distribute IDN libraries
+- specfile cleanup
+- add dynamic directory to /var/named. This directory will be primarily used for
+ dynamic DNS zones. ENABLE_ZONE_WRITE and SELinux's named_write_master_zones no longer exist
+
+* Thu May 24 2007 Adam Tkac <atkac redhat com> 31:9.4.1-4
+- removed ldap-api patch and start using deprecated API
+- fixed minor problem in bind-chroot-admin script (#241103)
+
+* Tue May 22 2007 Adam Tkac <atkac redhat com> 31:9.4.1-3
+- fixed bind-chroot-admin dynamic DNS handling (#239149)
+- updated zone-freeze patch to latest upstream
+- ldap sdb has been rewriten to latest api (#239802)
+
+* Mon May 07 2007 Adam Tkac <atkac redhat com> 31:9.4.1-2.fc7
+- test build on new build system
+
+* Wed May 02 2007 Adam Tkac <atkac redhat com> 31:9.4.1-1.fc7
+- updated to 9.4.1 which contains fix to CVE-2007-2241
+
+* Fri Apr 27 2007 Adam Tkac <atkac redhat com> 31:9.4.0-8.fc7
+- improved "zone freeze patch" - if multiple zone with same name exists
+ no zone is freezed
+- minor cleanup in caching-nameserver's config file
+- fixed race-condition in dbus code (#235809)
+- added forgotten restorecon statement in bind-chroot-admin
+
+* Tue Apr 17 2007 Adam Tkac <atkac redhat com> 31:9.4.0-7.fc7
+- removed DEBUGINFO option because with this option (default) was bind
+ builded with -O0 and without this flag no debuginfo package was produced.
+ (I want faster bind => -O2 + debuginfo)
+- fixed zone finding (#236426)
+
+* Mon Apr 16 2007 Adam Tkac <atkac redhat com> 31:9.4.0-6.fc7
+- added idn support (still under development with upstream, disabled by default)
+
+* Wed Apr 11 2007 Adam Tkac <atkac redhat com> 31:9.4.0-5.fc7
+- dnssec-signzone utility now doesn't ignore -d parameter
+
+* Tue Apr 10 2007 Adam Tkac <atkac redhat com> 31:9.4.0-4.fc7
+- removed query-source[-v6] options from caching-nameserver config
+ (#209954, increase security)
+- throw away idn. It won't be ready in fc7
+
+* Tue Mar 13 2007 Adam Tkac <atkac redhat com> 31:9.4.0-3.fc7
+- prepared bind to merge review
+- added experimental idn support to bind-utils utils (not enabled by default yet)
+- change chroot policy in caching-nameserver post section
+- fixed bug in bind-chroot-admin - rootdir function is called properly now
+
+* Mon Mar 12 2007 Adam Tkac <atkac redhat com> 31:9.4.0-2.fc7
+- added experimental SQLite support (written by John Boyd <jaboydjr@netwalk.com>)
+- moved bind-chroot-admin script to chroot package
+- bind-9.3.2-redhat_doc.patch is always applied (#231738)
+
+* Tue Mar 06 2007 Adam Tkac <atkac@redhat.com> 31:9.4.0-1.fc7
+- updated to 9.4.0
+- bind-chroot-admin now sets EAs correctly (#213926)
+- throw away next_server_on_referral and no_servfail_stops patches (fixed in 9.4.0)
+
+* Thu Feb 15 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-7.fc7
+- minor cleanup in bind-chroot-admin script
+
+* Fri Feb 09 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-6.fc7
+- fixed broken bind-chroot-admin script (#227995)
+
+* Wed Feb 07 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-5.fc7
+- bind-chroot-admin now uses correct chroot path (#227600)
+
+* Mon Feb 05 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-4.fc7
+- fixed conflict between bind-sdb and ldap
+- removed duplicated bind directory in bind-libs
+
+* Thu Feb 01 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-3.fc7
+- fixed building without libbind
+- fixed post section (selinux commands is now in if-endif statement)
+- prever macro has been removed from version
+
+* Mon Jan 29 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-2.fc7
+- redirected output from bind-chroot prep and %%preun stages to /dev/null
+
+* Thu Jan 25 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-1.fc7
+- updated to version 9.3.4 which contains security bugfixes
+
+* Tue Jan 23 2007 Adam Tkac <atkac@redhat.com> 31:9.3.3-5.fc7
+- package bind-libbind-devel has been marked as obsolete
+
+* Mon Jan 22 2007 Adam Tkac <atkac@redhat.com> 31:9.3.3-4.fc7
+- package bind-libbind-devel has beed removed (libs has been moved to bind-devel & bind-libs)
+- Resolves: #214208
+
+* Tue Jan 16 2007 Martin Stransky <stransky@redhat.com> - 31:9.3.3-3
+- fixed a multi-lib issue
+- Resolves: rhbz#222717
+
+* Thu Jan 4 2007 Martin Stransky <stransky@redhat.com> - 31:9.3.3-2
+- added namedGetForwarders written in shell (#176100),
+ created by Baris Cicek <baris@nerd.com.tr>.
+
+* Sun Dec 10 2006 Martin Stransky <stransky@redhat.com> - 31:9.3.3-1
+- update to 9.3.3 final
+- fix for #219069: file included twice in src.rpm
+
+* Wed Dec 6 2006 Martin Stransky <stransky@redhat.com> - 31:9.3.3-0.1.rc3
+- added back an interval to restart
+- renamed package, it should meet the N-V-R criteria
+- fix for #216185: bind-chroot-admin able to change root mode 750
+- added fix from #215997: incorrect permissions on dnszone.schema
+- added a notice to init script when /etc/named.conf doesn't exist (#216075)
+
+* Mon Oct 30 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.3-6
+- fix for #200465: named-checkzone and co. cannot be run as non-root user
+- fix for #212348: chroot'd named causes df permission denied error
+- fix for #211249, #211083 - problems with stopping named
+- fix for #212549: init script does not unmount /proc filesystem
+- fix for #211282: EDNS is globally enabled, crashing CheckPoint FW-1,
+ added edns-enable options to named configuration file which can suppress
+ EDNS in queries to DNS servers (see /usr/share/doc/bind-9.3.3/misc/options)
+- fix for #212961: bind-chroot doesn't clean up its mess on %%preun
+- update to 9.3.3rc3, removed already merged patches
+
+* Fri Oct 13 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.3-5
+- fix for #209359: bind-libs from compatlayer CD will not
+ install on ia64
+
+* Tue Oct 10 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.3-4
+- added fix for #210096: warning: group named does not exist - using root
+
+* Thu Oct 5 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.3-3
+- added fix from #209400 - Bind Init Script does not create
+ the PID file always, created by Jeff Means
+- added timeout to stop section of init script.
+ The default is 100 sec. and can be adjusted by NAMED_SHUTDOWN_TIMEOUT
+ shell variable.
+
+* Mon Oct 2 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.3-2
+- removed chcon from %%post script, replaced by restorecon
+ (Bug 202547, comment no. 37)
+
+* Fri Sep 15 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.3-1
+- updated to the latest upstream (9.3.3rc2)
+
+* Wed Sep 6 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-41
+- added upstream patch for correct SIG handling - CVE-2006-4095
+
+* Tue Sep 5 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-40
+- suppressed messages from bind-chroot-admin
+- cleared notes about bind-config
+
+* Tue Aug 22 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-39
+- added fix for #203522 - "bind-chroot-admin -e" command fails
+
+* Mon Aug 21 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-38
+- fix for #203194 - tmpfile usage
+
+* Thu Aug 17 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-37
+- fix for #202542 - /usr/sbin/bind-chroot-admin: No such file or directory
+- fix for #202547 - file_contexts: invalid context
+
+* Fri Aug 11 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-36
+- added Provides: bind-config
+
+* Fri Aug 11 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-35
+- fix bug 197493: renaming subpackage bind-config to caching-nameserver
+
+* Mon Jul 24 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-34
+- fix bug 199876: make '%%exclude libbbind.*' conditional on %%{LIBBIND}
+
+* Mon Jul 24 2006 Florian La Roche <laroche@redhat.com> - 30:9.3.2-33
+- fix #195881, perms are not packaged correctly
+
+* Fri Jul 21 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-32
+- fix addenda to bug 189789:
+ determination of selinux enabled was still not 100% correct in bind-chroot-admin
+- fix addenda to bug 196398:
+ make named.init test for NetworkManager being enabled AFTER testing for -D absence;
+ named.init now supports a 'DISABLE_NAMED_DBUS' /etc/sysconfig/named setting to disable
+ auto-enable of named dbus support if NetworkManager enabled.
+
+* Wed Jul 19 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-30
+- fix bug 196398 - Enable -D option automatically in initscript
+ if NetworkManager enabled in any runlevel.
+- fix namedGetForwarders for new dbus
+- fix bug 195881 - libbind.so should be owned by bind-libbind-devel
+
+* Wed Jul 19 2006 Matthias Clasen <mclasen@redhat.com> - 30:9.3.2-28.FC6
+- Rebuild against new dbus
+
+* Wed Jul 12 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-27.FC6
+- rebuild with fixed glibc-kernheaders
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 30:9.3.2-26.FC6.1
+- rebuild
+
+* Wed Jun 14 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-26.FC6
+- fix bugs 191093, 189789
+- backport selected fixes from upstream bind9 'v9_3_3b1' CVS version:
+ ( see http://www.isc.org/sw/bind9.3.php "Fixes" ):
+ o change 2024 / bug 16027:
+ named emitted spurious "zone serial unchanged" messages on reload
+ o change 2013 / bug 15941:
+ handle unexpected TSIGs on unsigned AXFR/IXFR responses more gracefully
+ o change 2009 / bug 15808: coverity fixes
+ o change 1997 / bug 15818:
+ named was failing to replace negative cache entries when a positive one
+ for the type was learnt
+ o change 1994 / bug 15694: OpenSSL 0.9.8 support
+ o change 1991 / bug 15813:
+ The configuration data, once read, should be treated as readonly.
+ o misc. validator fixes
+ o misc. resolver fixes
+ o misc. dns fixes
+ o misc. isc fixes
+ o misc. libbind fixes
+ o misc. isccfg fix
+ o misc. lwres fix
+ o misc. named fixes
+ o misc. dig fixes
+ o misc. nsupdate fix
+ o misc. tests fixes
+
+* Wed Jun 7 2006 Jeremy Katz <katzj@redhat.com> - 30:9.3.2-24.FC6
+- and actually put the devel symlinks in the right subpackage
+
+* Thu May 25 2006 Jeremy Katz <katzj@redhat.com> - 30:9.3.2-23.FC6
+- rebuild for -devel deps
+
+* Tue Apr 18 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-22
+- apply upstream patch for ncache_adderesult segfault bug 173961 addenda
+- fix bug 188382: rpm --verify permissions inconsistencies
+- fix bug 189186: use /sbin/service instead of initscript
+- rebuild for new gcc, glibc-kernheaders
+
+* Tue Apr 04 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-20
+- fix resolver.c ncache_adderesult segfault reported in addenda to bug 173961
+ (upstream bugs #15642, #15528 ?)
+- allow named ability to generate core dumps after setuid (upstream bug #15753)
+
+* Mon Apr 03 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-18
+- fix bug 187529: make bind-chroot-admin deal with subdirectories properly
+
+* Thu Mar 30 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-16
+- fix bug 187286:
+ prevent host(1) printing duplicate 'is an alias for' messages
+ for the default AAAA and MX lookups as well as for the A lookup
+ (it now uses the CNAME returned for the A lookup for the AAAA and MX lookups).
+ This is upstream bug #15702 fixed in the unreleased bind-9.3.3
+- fix bug 187333: fix SOURCE24 and SOURCE25 transposition
+
+* Wed Mar 29 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-14
+- fix bug 186577: remove -L/usr/lib from libbind.pc and more .spec file cleanup
+- add '%%doc' sample configuration files in /usr/share/doc/bind*/sample
+- rebuild with new gcc and glibc
+
+* Wed Mar 22 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-12
+- fix typo in initscript
+- fix Requires(post): policycoreutils in sub-packages
+
+* Mon Mar 20 2006 Jason Vas Dias <jvdias@redhat.com> - 30.9.3.2-10
+- fix bug 185969: more .spec file cleanup
+
+* Wed Mar 08 2006 Jason Vas Dias <jvdias@redhat.com> - 30.9.3.2-8
+- Do not allow package to be installed if named:25 userid creation fails
+- Give libbind a pkg-config file
+- remove restorecon from bind-chroot-admin (not required).
+- fix named.caching-nameserver.conf (listen-on-v6 port 53 { ::1 };)
+
+* Tue Mar 07 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-7
+- fix issues with bind-chroot-admin
+
+* Mon Mar 06 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-6
+- replace caching-nameserver with bind-config sub-package
+- fix bug 177595: handle case where $ROOTDIR is a link in initscript
+- fix bug 177001: bind-config creates symlinks OK now
+- fix bug 176388: named.conf is now never replaced by any RPM
+- fix bug 176248: remove unecessary creation of rpmsave links
+- fix bug 174925: no replacement of named.conf
+- fix bug 173963: existing named.conf never modified
+- major .spec file cleanup
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 30:9.3.2-4.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-4
+- regenerate redhat_doc patch for non-DBUS builds
+- allow dbus builds to work with dbus version < 0.6 (bz #179816)
+
+* Tue Feb 07 2006 Florian La Roche <laroche@redhat.com> 30:9.3.2-3
+- try supporting without dbus support
+
+* Mon Feb 06 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-2.1
+- Rebuild for new gcc, glibc, glibc-kernheaders
+
+* Mon Jan 16 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-2
+- fix bug 177854: temporary fix for broken kernel-2.6.15-1854+
+ /proc/net/if_inet6 format
+
+* Wed Dec 21 2005 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-1
+- Upgrade to 9.3.2, released today
+
+* Tue Dec 20 2005 Jason Vas Dias <jvdias@redhat.com> - 28:9.3.2rc1-2
+- fix bug 176100: do not Require: perl just for namedGetForwarders !
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Fri Dec 02 2005 Jason Vas Dias <jvdias@redhat.com> - 28:9.3.2rc-1
+- Upgrade to upstream version 9.3.2rc1
+- fix namedSetForwarders -> namedGetForwarders SOURCE14 typo
+
+* Thu Dec 01 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-26
+- rebuild for new dbus 0.6 dependency; remove use of
+ DBUS_NAME_FLAG_PROHIBIT_REPLACEMENT
+
+* Wed Nov 23 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-24
+- allow D-BUS support to work in bind-chroot environment:
+ workaround latest selinux policy by mounting /var/run/dbus/
+ under chroot instead of /var/run/dbus/system-bus-socket
+
+* Sun Nov 13 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-22
+- fix bug 172632 - remove .la files
+- ship namedGetForwarders and namedSetForwarders scripts
+- fix detection of -D option in chroot
+
+* Tue Nov 8 2005 Tomas Mraz <tmraz@redhat.com> - 24:9.3.1-21
+- rebuilt with new openssl
+
+* Wed Oct 19 2005 Jason Vas Dias <jvdias@redhat.com> - 24.9.3.1-20
+- Allow the -D enable D-BUS option to be used within bind-chroot .
+- fix bug 171226: supply some documentation for pgsql SDB .
+
+* Thu Oct 06 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-18
+- fix bug 169969: do NOT call dbus_svc_dispatch() in dbus_mgr_init_dbus() -
+ task->state != task_ready and will cause Abort in task.c if process
+ is waiting for NameOwnerChanged to do a SetForwarders
+
+* Wed Oct 05 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-16
+- Fix reconnecting to dbus-daemon after it stops & restarts .
+
+* Tue Sep 27 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-14
+- When forwarder nameservers are changed with D-BUS, flush the cache.
+
+* Mon Sep 26 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-12
+- fix bug 168302: use %%{__cc} for compiling dns-keygen
+- fix bug 167682: bind-chroot directory permissions
+- fix issues with -D dbus option when dbus service not running or disabled
+
+* Tue Aug 30 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-12
+- fix bug 167062: named should be started after syslogd by default
+
+* Mon Aug 22 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-11
+- fix bug 166227: host: don't do default AAAA and MX lookups with '-t a' option
+
+* Tue Aug 16 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-10
+- Build with D-BUS patch by default; D-BUS support enabled with named -D option
+- Enable D-BUS for named_sdb also
+- fix sdb pgsql's zonetodb.c: must use isc_hash_create() before dns_db_create()
+- update fix for bug 160914 : test for RD=1 and ARCOUNT=0 also before trying next server
+- fix named.init script to handle named_sdb properly
+- fix named.init script checkconfig() to handle named '-c' option
+ and make configtest, test, check configcheck synonyms
+
+* Tue Jul 19 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-8
+- fix named.init script bugs 163598, 163409, 151852(addendum)
+
+* Tue Jul 12 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-7
+- fix bug 160914: resolver utilities should try next server on empty referral
+ (now that glibc bug 162625 is fixed)
+ host and nslookup now by default try next server on SERVFAIL
+ (host now has '-s' option to disable, and nslookup given
+ '[no]fail' option similar to dig's [no]fail option).
+- rebuild and re-test with new glibc & gcc (all tests passed).
+
+* Tue May 31 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-6
+- fix bug 157950: dig / host / nslookup should reject invalid resolv.conf
+ files and not use uninitialized garbage nameserver values
+ (ISC bug 14841 raised).
+
+* Mon May 23 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-4_FC4
+- Fix SDB LDAP
+
+* Mon May 16 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-4
+- Fix bug 157601: give named.init a configtest function
+- Fix bug 156797: named.init should check SELinux booleans.local before booleans
+- Fix bug 154335: if no controls in named.conf, stop named with -TERM sig, not rndc
+- Fix bug 155848: add NOTES section to named.8 man-page with info on all Red Hat
+ BIND quirks and SELinux DDNS / slave zone file configuration
+- D-BUS patches NOT applied until dhcdbd is in FC
+
+* Sun May 15 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-4_dbus
+- Enhancement to allow dynamic forwarder table management and
+- DHCP forwarder auto-configuration with D-BUS
+
+* Thu Apr 14 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-2_FC4
+- Rebuild for bind-sdb libpq.so.3 dependency
+- fix bug 150981: don't install libbind man-pages if no libbind
+- fix bug 151852: mount proc on $ROOTDIR/proc to allow sysconf(...)
+ to work and correct number of CPUs to be determined
+
+* Fri Mar 11 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-1_FC4
+- Upgrade to ISC BIND 9.3.1 (final release) released today.
+
+* Wed Mar 9 2005 Jason Vas Dias <jvdias@redhat.com> - 22.9.3.1rc1-5
+- fix bug 150288: h_errno not being accessed / set correctly in libbind
+- add libbind man-pages from bind-8.4.6
+
+* Mon Mar 7 2005 Jason Vas Dias <jvdias@redhat.com> - 22:9.3.1rc1-4
+- Rebuild with gcc4 / glibc-2.3.4-14.
+
+* Tue Mar 1 2005 Nalin Dahyabhai <nalin@redhat.com> - 22:9.3.1rc1-3
+- configure with --with-pic to get PIC libraries
+
+* Sun Feb 20 2005 Jason Vas Dias <jvdias@redhat.com> - 22:9.3.1rc1-2
+- fix bug 149183: don't use getifaddrs() .
+
+* Wed Feb 16 2005 Jason Vas Dias <jvdias@redhat.com> - 22:9.3.1rc1-1
+- Upgrade to 9.3.1rc1
+- Add Simplified Database Backend (SDB) sub-package ( bind-sdb )
+- add named_sdb - ldap + pgsql + dir database backend support with
+- 'ENABLE_SDB' named.sysconfig option
+- Add BIND resolver library & includes sub-package ( libbind-devel)
+- fix bug 147824 / 147073 / 145664: ENABLE_ZONE_WRITE in named.init
+- fix bug 146084 : shutup restorecon
+
+* Tue Jan 11 2005 Jason Vas Dias <jvdias@redhat.com> - 22:9.3.0-2
+- Fix bug 143438: named.init will now make correct ownership of $ROOTDIR/var/named
+- based on 'named_write_master_zones' SELinux boolean.
+- Fix bug 143744: dig & nsupdate IPv6 timeout (dup of 140528)
+
+* Mon Nov 29 2004 Jason Vas Dias <jvdias@redhat.com> - 9.3.0-1
+- Upgrade BIND to 9.3.0 in Rawhide / FC4 (bugs 134529, 133654...)
+
+* Mon Nov 29 2004 Jason Vas Dias <jvdias@redhat.com> - 20:9.2.4-4
+- Fix bugs 140528 and 141113:
+- 2 second timeouts when IPv6 not configured and root nameserver's
+- AAAA addresses are queried
+
+* Mon Oct 18 2004 Jason Vas Dias <jvdias@redhat.com> - 20:9.2.4-2
+- Fix bug 136243: bind-chroot %%post must run restorecon -R %%{prefix}
+- Fix bug 135175: named.init must return non-zero if named is not run
+- Fix bug 134060: bind-chroot %%post must use mktemp, not /tmp/named
+- Fix bug 133423: bind-chroot %%files entries should have been %%dirs
+
+* Thu Sep 23 2004 Jason Vas Dias <jvdias@redhat.com> - 20:9.2.4-1
+- BIND 9.2.4 (final release) released - source code actually
+- identical to 9.2.4rc8, with only version number change.
+
+* Mon Sep 20 2004 Jason Vas Dias <jvdias@redhat.com> - 10:9.2.4rc8-14
+- Upgrade to upstream bind-9.2.4rc8 .
+- Progress: Finally! Hooray! ISC bind now distributes:
+- o named.conf(5) and nslookup(8) manpages
+- 'bind-manpages.bz2' source can now disappear
+- (could this have something to do with ISC bug I raised about this?)
+- o 'deprecation_msg' global has vanished
+- bind-9.2.3rc3-deprecation_msg_shut_up.diff.bz2 can disappear
+
+* Mon Sep 20 2004 Jason Vas Dias <jvdias@redhat.com> - 10:9.2.4rc8-14
+- Fix bug 106572/132385: copy /etc/localtime to chroot on start
+
+* Fri Sep 10 2004 Jason Vas Dias <jvdias@redhat.com> - 10:9.2.4rc7-12_EL3
+- Fix bug 132303: if ROOTDIR line was replaced after upgrade from
+- bind-chroot-9.2.2-21, restart named
+
+* Wed Sep 8 2004 Jason Vas Dias <jvdias@redhat.com> - 10:9.2.4rc7-11_EL3
+- Fix bug 131803: replace ROOTDIR line removed by broken
+- bind-chroot 9.2.2-21's '%%postun'; added %%triggerpostun for bind-chroot
+
+* Tue Sep 7 2004 Jason Vas Dias <jvdias@redhat.com> - 10:9.2.4rc7-10_EL3
+- Fix bugs 130121 & 130981 for RHEL-3
+
+* Mon Aug 30 2004 Jason Vas Dias <jvdias@redhat.com> - 10:9.2.4rc7-10
+- Fix bug 130121: add '%%ghost' entries for files included in previous
+- bind-chroot & not in current - ie. named.conf, rndc.key, dev/* -
+- that RPM removed after upgrade .
+
+* Thu Aug 26 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fix bug 130981: add '-t' option to named-checkconf invocation in
+- named.init if chroot installed.
+
+* Wed Aug 25 2004 Jason Vas Dias <jvdias@redhat.com>
+- Remove resolver(5) manpage now in man-pages (bug 130792);
+- Don't create /dev/ entries in bind-chroot if already there (bug 127556);
+- fix bind-devel Requires (bug 130919)
+- Set default location for dumpdb & stats files to /var/named/data
+
+* Tue Aug 24 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fix devel Requires for bug 130738 & fix version
+
+* Tue Aug 24 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fix errors on clean install if named group does not exist
+- (bug 130777)
+
+* Thu Aug 19 2004 Jason Vas Dias <jvdias@redhat.com>
+- Upgrade to bind-9.2.4rc7; applied initscript fix
+- for bug 102035.
+
+* Mon Aug 9 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fixed bug 129289: bind-chroot install / deinstall
+- on install, existing config files 'safe_replace'd
+- with links to chroot copies; on uninstall, moved back.
+
+* Fri Aug 6 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fixed bug 129258: "${prefix}/var/tmp" typo in spec
+
+* Wed Jul 28 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fixed bug 127124 : 'Requires: kernel >= 2.4'
+- causes problems with Linux VServers
+
+* Tue Jul 27 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fixed bug 127555 : chroot tar missing var/named/slaves
+
+* Fri Jul 16 2004 Jason Vas Dias <jvdias@redhat.com>
+- Upgraded to ISC version 9.2.4rc6
+
+* Fri Jul 16 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fixed named.init generation of error messages on
+- 'service named stop' and 'service named reload'
+- as per bug 127775
+
+* Wed Jun 23 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-19
+- Bump for rhel 3.0 U3
+
+* Wed Jun 23 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-18
+- remove disable-linux-caps
+
+* Wed Jun 16 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-17
+- Update RHEL3 to latest bind
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Jun 8 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-15
+- Remove device files from chroot, Named uses the system one
+
+* Fri Mar 26 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-14
+- Move RFC to devel package
+
+* Fri Mar 26 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-13
+- Fix location of restorecon
+
+* Thu Mar 25 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-12
+- Tighten security on config files. Should be owned by root
+
+* Thu Mar 25 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-11
+- Update key patch to include conf-keygen
+
+* Tue Mar 23 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-10
+- fix chroot to only happen once.
+- fix init script to do kill insteall of killall
+
+* Mon Mar 15 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-9
+- Add fix for SELinux security context
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Sat Feb 28 2004 Florian La Roche <Florian.LaRoche@redhat.de>
+- run ldconfig for libs subrpm
+
+* Mon Feb 23 2004 Tim Waugh <twaugh@redhat.com>
+- Use ':' instead of '.' as separator for chown.
+
+* Tue Feb 17 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-7
+- Add COPYRIGHT
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Dec 30 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.3-5
+- Add defattr to libs
+
+* Mon Dec 29 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.3-4
+- Break out library package
+
+* Mon Dec 22 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.3-3
+- Fix condrestart
+
+* Wed Nov 12 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.3-2
+- Move libisc and libdns to bind from bind-util
+
+* Tue Nov 11 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.3-1
+- Move to 9.2.3
+
+* Mon Oct 27 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-10
+- Add PIE support
+
+* Fri Oct 17 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-9
+- Add /var/named/slaves directory
+
+* Sun Oct 12 2003 Florian La Roche <Florian.LaRoche@redhat.de>
+- do not link against libnsl, not needed for Linux
+
+* Wed Oct 8 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-6
+- Fix local time in log file
+
+* Tue Oct 7 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-5
+- Try again
+
+* Mon Oct 6 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-4
+- Fix handling of chroot -/dev/random
+
+* Thu Oct 2 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-3
+- Stop hammering stuff on update of chroot environment
+
+* Mon Sep 29 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-2
+- Fix chroot directory to grab all subdirectories
+
+* Wed Sep 24 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-1
+- New patch to support for "delegation-only"
+
+* Wed Sep 17 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-23
+- patch support for "delegation-only"
+
+* Wed Jul 30 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-22
+- Update to build on RHL
+
+* Wed Jul 30 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-21
+- Install libraries as exec so debug info will be pulled
+
+* Sat Jul 19 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-20
+- Remove BSDCOMPAT (BZ 99454)
+
+* Tue Jul 15 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-19
+- Update to build on RHL
+
+* Tue Jul 15 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-18
+- Change protections on /var/named and /var/chroot/named
+
+* Tue Jun 17 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-17
+- Update to build on RHL
+
+* Tue Jun 17 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-16
+- Update to build on RHEL
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Apr 22 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-14
+- Update to build on RHEL
+
+* Tue Apr 22 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-13
+- Fix config description of named.conf in chroot
+- Change named.init script to check for existence of /etc/sysconfig/network
+
+* Fri Apr 18 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-12
+- Update to build on RHEL
+
+* Fri Apr 18 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-11
+- Update to build on RHEL
+
+* Fri Apr 18 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-10
+- Fix echo OK on starting/stopping service
+
+* Fri Mar 28 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-9
+- Update to build on RHEL
+
+* Fri Mar 28 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-8
+- Fix echo on startup
+
+* Tue Mar 25 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-7
+- Fix problems with chroot environment
+- Eliminate posix threads
+
+* Mon Mar 24 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-6
+- Fix build problems
+
+* Fri Mar 14 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-5
+- Fix build on beehive
+
+* Thu Mar 13 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-4
+- build bind-chroot kit
+
+* Tue Mar 11 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-3
+- Change configure to use proper threads model
+
+* Fri Mar 7 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-2
+- update to 9.2.2
+
+* Tue Mar 4 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-1
+- update to 9.2.2
+
+* Fri Jan 24 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.1-16
+- Put a sleep in restart to make sure stop completes
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Tue Jan 7 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.1-14
+- Separate /etc/rndc.key to separate file
+
+* Tue Jan 7 2003 Nalin Dahyabhai <nalin@redhat.com> 9.2.1-13
+- Use openssl's pkgconfig data, if available, at build-time.
+
+* Mon Jan 6 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.1-12
+- Fix log rotate to use service named reload
+- Change service named reload to give success/failure message [73770]
+- Fix File checking [75710]
+- Begin change to automatically run in CHROOT environment
+
+* Tue Dec 24 2002 Daniel Walsh <dwalsh@redhat.com> 9.2.1-10
+- Fix startup script to work like all others.
+
+* Mon Dec 16 2002 Daniel Walsh <dwalsh@redhat.com> 9.2.1-9
+- Fix configure to build on x86_64 platforms
+
+* Wed Aug 07 2002 Karsten Hopp <karsten@redhat.de>
+- fix #70583, doesn't build on IA64
+
+* Tue Jul 30 2002 Karsten Hopp <karsten@redhat.de> 9.2.1-8
+- bind-utils shouldn't require bind
+
+* Mon Jul 22 2002 Karsten Hopp <karsten@redhat.de> 9.2.1-7
+- fix name of pidfine in logrotate script (#68842)
+- fix owner of logfile in logrotate script (#41391)
+- fix nslookup and named.conf man pages (output on stderr)
+ (#63553, #63560, #63561, #54889, #57457)
+- add rfc1912 (#50005)
+- gzip all rfc's
+- fix typo in keygen.c (#54870)
+- added missing manpages (#64065)
+- shutdown named properly with rndc stop (#62492)
+- /sbin/nologin instead of /bin/false (#68607)
+- move nsupdate to bind-utils (where the manpage already was) (#66209, #66381)
+- don't kill initscript when rndc fails (reload) (#58750)
+
+
+* Mon Jun 24 2002 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.1-5
+- Fix #65975
+
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu May 23 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu May 9 2002 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.1-2
+- Move libisccc, lib isccfg and liblwres from bind-utils to bind,
+ they're not required if you aren't running a nameserver.
+
+* Fri May 03 2002 Florian La Roche <Florian.LaRoche@redhat.de>
+- update to 9.2.1 release
+
+* Thu Mar 14 2002 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-8
+- Merge 30+ bug fixes from 9.2.1rc1 code
+
+* Mon Mar 11 2002 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-7
+- Don't exit if /etc/named.conf doesn't exist if we're running
+ chroot (#60868)
+- Revert Elliot's changes, we do require specific glibc/glibc-kernheaders
+ versions or bug #58335 will be back. "It compiles, therefore it works"
+ isn't always true.
+
+* Thu Feb 28 2002 Elliot Lee <sopwith@redhat.com> 9.2.0-6
+- Fix BuildRequires (we don't need specific glibc/glibc-kernheaders
+versions).
+- Use _smp_mflags
+
+* Wed Feb 20 2002 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-4
+- rebuild, require recent autoconf, automake (#58335)
+
+* Fri Jan 25 2002 Tim Powers <timp@redhat.com>
+- rebuild against new libssl
+
+* Wed Jan 09 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Tue Nov 27 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-1
+- 9.2.0
+
+* Thu Nov 22 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc10.2
+- 9.2.0rc10
+
+* Mon Nov 5 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc8.2
+- Fix up rndc.conf (#55574)
+
+* Thu Oct 25 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc8.1
+- rc8
+- Enforce --enable-threads
+
+* Mon Oct 22 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc7.1
+- 9.2.0rc7
+- Use rndc status for "service named status", it's supposed to actually
+ work in 9.2.x.
+
+* Wed Oct 3 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc5.1
+- 9.2.0rc5
+- Fix rpm --rebuild with ancient libtool versions (#53938, #54257)
+
+* Tue Sep 25 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc4.1
+- 9.2.0rc4
+
+* Fri Sep 14 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc3.1
+- 9.2.0rc3
+- remove ttl patch, I don't think we need this for 8.0.
+- remove dig.1.bz2 from the bind8-manpages tar file, 9.2 has a new dig man page
+- add lwres* man pages to -devel
+
+* Mon Sep 3 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-4
+- Make sure /etc/rndc.conf isn't world-readable even after the
+ %%post script inserted a random key (#53009)
+
+* Thu Jul 19 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-3
+- Add build dependencies (#49368)
+- Make sure running service named start several times doesn't create
+ useless processes (#47596)
+- Work around the named parent process returning 0 even if the config
+ file is broken (it's parsed later by the child processes) (#45484)
+
+* Mon Jul 16 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-2
+- Don't use rndc status, it's not yet implemented (#48839)
+
+* Sun Jul 08 2001 Florian La Roche <Florian.LaRoche@redhat.de>
+- update to 9.1.3 release
+
+* Tue Jul 3 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-0.rc3.1
+- Fix up rndc configuration and improve security (#46586)
+
+* Tue Jun 26 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-0.rc2.2
+- Sync with caching-nameserver-7.1-6
+
+* Mon Jun 25 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-0.rc2.1
+- Update to rc2
+
+* Fri Jun 1 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-0.rc1.3
+- Remove resolv.conf(5) man page, it's now in man-pages
+
+* Thu May 31 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-0.rc1.2
+- Add named.conf man page from bind 8.x (outdated, but better than nothing,
+ #42732)
+- Rename the rndc key (#42895)
+- Add dnssec* man pages
+
+* Mon May 28 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-0.rc1.1
+- 9.1.3rc1
+- s/Copyright/License/
+
+* Mon May 7 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.2-1
+- 9.1.2 final. No changes between 9.1.2-0.rc1.1 and this one, except for
+ the version number, though.
+
+* Thu May 3 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.2-0.rc1.1
+- 9.1.2rc1
+
+* Thu Mar 29 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.1-1
+- 9.1.1
+
+* Thu Mar 15 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.0-10
+- Merge fixes from 9.1.1rc5
+
+* Sun Mar 11 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.0-9
+- Work around bind 8 -> bind 9 migration problem when using buggy zone files:
+ accept zones without a TTL, but spew out a big fat warning. (#31393)
+
+* Thu Mar 8 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Add fixes from rc4
+
+* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Thu Mar 1 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- killall -HUP named if rndc reload fails (#30113)
+
+* Tue Feb 27 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Merge some fixes from 9.1.1rc3
+
+* Tue Feb 20 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Don't use the standard rndc key from the documentation, instead, create a random one
+ at installation time (#26358)
+- Make /etc/rndc.conf readable by user named only, it contains secret keys
+
+* Tue Feb 20 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.1.1 probably won't be out in time, revert to 9.1.0 and apply fixes
+ from 9.1.1rc2
+- bind requires bind-utils (#28317)
+
+* Tue Feb 13 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Update to rc2, fixes 2 more bugs
+- Fix build with glibc >= 2.2.1-7
+
+* Thu Feb 8 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Update to 9.1.1rc1; fixes 17 bugs (14 of them affecting us;
+ 1 was fixed in a Red Hat patch already, 2 others are portability
+ improvements)
+
+* Wed Feb 7 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Remove initscripts 5.54 requirement (#26489)
+
+* Mon Jan 29 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Add named-checkconf, named-checkzone (#25170)
+
+* Mon Jan 29 2001 Trond Eivind Glomsrod <teg@redhat.com>
+- use echo, not gprintf
+
+* Wed Jan 24 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix problems with $GENERATE
+ Patch from Daniel Roesen <droesen@entire-systems.com>
+ Bug #24890
+
+* Thu Jan 18 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.1.0 final
+
+* Sat Jan 13 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.1.0rc1
+- i18nify init script
+- bzip2 source to save space
+
+* Thu Jan 11 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix %%postun script
+
+* Tue Jan 9 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.1.0b3
+
+* Mon Jan 8 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Add named.conf man page from bind8 (#23503)
+
+* Sun Jan 7 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Make /etc/rndc.conf and /etc/sysconfig/named noreplace
+- Make devel require bind = %%{version} rather than just bind
+
+* Sun Jan 7 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix init script for real
+
+* Sat Jan 6 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix init script when ROOTDIR is not set
+
+* Thu Jan 4 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Add hooks for setting up named to run chroot (RFE #23246)
+- Fix up requirements
+
+* Fri Dec 29 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.1.0b2
+
+* Wed Dec 20 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- Move run files to /var/run/named/ - /var/run isn't writable
+ by the user we're running as. (Bug #20665)
+
+* Tue Dec 19 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix reverse lookups (#22272)
+- Run ldconfig in %%post utils
+
+* Tue Dec 12 2000 Karsten Hopp <karsten@redhat.de>
+- fixed logrotate script (wrong path to kill)
+- include header files in -devel package
+- bugzilla #22049, #19147, 21606
+
+* Fri Dec 8 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.1.0b1 (9.1.0 is in our timeframe and less buggy)
+
+* Mon Nov 13 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.0.1
+
+* Mon Oct 30 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix initscript (Bug #19956)
+- Add sample rndc.conf (Bug #19956)
+- Fix build with tar 1.13.18
+
+* Tue Oct 10 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- Add some missing man pages (taken from bind8) (Bug #18794)
+
+* Sun Sep 17 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.0.0 final
+
+* Wed Aug 30 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- rc5
+- fix up nslookup
+
+* Thu Aug 24 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- rc4
+
+* Thu Jul 13 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.0.0rc1
+
+* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
+- automatic rebuild
+
+* Sun Jul 9 2000 Florian La Roche <Florian.LaRoche@redhat.de>
+- add "exit 0" for uninstall case
+
+* Fri Jul 7 2000 Florian La Roche <Florian.LaRoche@redhat.de>
+- add prereq init.d and cleanup install section
+
+* Fri Jun 30 2000 Trond Eivind Glomsrod <teg@redhat.com>
+- fix the init script
+
+* Wed Jun 28 2000 Nalin Dahyabhai <nalin@redhat.com>
+- make libbind.a and nslookup.help readable again by setting INSTALL_LIB to ""
+
+* Mon Jun 26 2000 Bernhard Rosenkranzer <bero@redhat.com>
+- Fix up the initscript (Bug #13033)
+- Fix build with current glibc (Bug #12755)
+- /etc/rc.d/init.d -> /etc/init.d
+- use %%{_mandir} rather than /usr/share/man
+
+* Mon Jun 19 2000 Bill Nottingham <notting@redhat.com>
+- fix conflict with man-pages
+- remove compatibilty chkconfig links
+- initscript munging
+
+* Wed Jun 14 2000 Nalin Dahyabhai <nalin@redhat.com>
+- modify logrotate setup to use PID file
+- temporarily disable optimization by unsetting $RPM_OPT_FLAGS at build-time
+- actually bump the release this time
+
+* Sun Jun 4 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- FHS compliance
+
+* Mon Apr 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- clean up restart patch
+
+* Mon Apr 10 2000 Nalin Dahyabhai <nalin@redhat.com>
+- provide /var/named (fix for bugs #9847, #10205)
+- preserve args when restarted via ndc(8) (bug #10227)
+- make resolv.conf(5) a link to resolver(5) (bug #10245)
+- fix SYSTYPE bug in all makefiles
+- move creation of named user from %%post into %%pre
+
+* Mon Feb 28 2000 Bernhard Rosenkranzer <bero@redhat.com>
+- Fix TTL (patch from ISC, Bug #9820)
+
+* Wed Feb 16 2000 Bernhard Rosenkranzer <bero@redhat.com>
+- fix typo in spec (it's %%post, without a leading blank) introduced in -6
+- change SYSTYPE to linux
+
+* Fri Feb 11 2000 Bill Nottingham <notting@redhat.com>
+- pick a standard < 100 uid/gid for named
+
+* Fri Feb 04 2000 Elliot Lee <sopwith@redhat.com>
+- Pass named a '-u named' parameter by default, and add/remove user.
+
+* Thu Feb 3 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- fix host mx bug (Bug #9021)
+
+* Mon Jan 31 2000 Cristian Gafton <gafton@redhat.com>
+- rebuild to fix dependencies
+- man pages are compressed
+
+* Wed Jan 19 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- It's /usr/bin/killall, not /usr/sbin/killall (Bug #8063)
+
+* Mon Jan 17 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix up location of named-bootconf.pl and make it executable
+ (Bug #8028)
+- bind-devel requires bind
+
+* Mon Nov 15 1999 Bernhard Rosenkraenzer <bero@redhat.com>
+- update to 8.2.2-P5
+
+* Wed Nov 10 1999 Bill Nottingham <notting@redhat.com>
+- update to 8.2.2-P3
+
+* Tue Oct 12 1999 Cristian Gafton <gafton@redhat.com>
+- add patch to stop a cache only server from complaining about lame servers
+ on every request.
+
+* Fri Sep 24 1999 Preston Brown <pbrown@redhat.com>
+- use real stop and start in named.init for restart, not ndc restart, it has
+ problems when named has changed during a package update... (# 4890)
+
+* Fri Sep 10 1999 Bill Nottingham <notting@redhat.com>
+- chkconfig --del in %%preun, not %%postun
+
+* Mon Aug 16 1999 Bill Nottingham <notting@redhat.com>
+- initscript munging
+
+* Mon Jul 26 1999 Bill Nottingham <notting@redhat.com>
+- fix installed chkconfig links to match init file
+
+* Sat Jul 3 1999 Jeff Johnson <jbj@redhat.com>
+- conflict with new (in man-1.24) man pages (#3876,#3877).
+
+* Tue Jun 29 1999 Bill Nottingham <notting@redhat.com>
+- fix named.logrotate (wrong %%SOURCE)
+
+* Fri Jun 25 1999 Jeff Johnson <jbj@redhat.com>
+- update to 8.2.1.
+- add named.logrotate (#3571).
+- hack around egcs-1.1.2 -m486 bug (#3413, #3485).
+- vet file list.
+
+* Fri Jun 18 1999 Bill Nottingham <notting@redhat.com>
+- don't run by default
+
+* Sun May 30 1999 Jeff Johnson <jbj@redhat.com>
+- nslookup fixes (#2463).
+- missing files (#3152).
+
+* Sat May 1 1999 Stepan Kasal <kasal@math.cas.cz>
+- nslookup patched:
+ to count numRecords properly
+ to fix subsequent calls to ls -d
+ to parse "view" and "finger" commands properly
+ the view hack updated for bind-8 (using sed)
+
+* Wed Mar 31 1999 Bill Nottingham <notting@redhat.com>
+- add ISC patch
+- add quick hack to make host not crash
+- add more docs
+
+* Fri Mar 26 1999 Cristian Gafton <gafton@redhat.com>
+- add probing information in the init file to keep linuxconf happy
+- dont strip libbind
+
+* Sun Mar 21 1999 Cristian Gafton <gafton@redhat.com>
+- auto rebuild in the new build environment (release 3)
+
+* Wed Mar 17 1999 Preston Brown <pbrown@redhat.com>
+- removed 'done' output at named shutdown.
+
+* Tue Mar 16 1999 Cristian Gafton <gafton@redhat.com>
+- version 8.2
+
+* Wed Dec 30 1998 Cristian Gafton <gafton@redhat.com>
+- patch to use the __FDS_BITS macro
+- build for glibc 2.1
+
+* Wed Sep 23 1998 Jeff Johnson <jbj@redhat.com>
+- change named.restart to /usr/sbin/ndc restart
+
+* Sat Sep 19 1998 Jeff Johnson <jbj@redhat.com>
+- install man pages correctly.
+- change K10named to K45named.
+
+* Wed Aug 12 1998 Jeff Johnson <jbj@redhat.com>
+- don't start if /etc/named.conf doesn't exist.
+
+* Sat Aug 8 1998 Jeff Johnson <jbj@redhat.com>
+- autmagically create /etc/named.conf from /etc/named.boot in %%post
+- remove echo in %%post
+
+* Wed Jun 10 1998 Jeff Johnson <jbj@redhat.com>
+- merge in 5.1 mods
+
+* Sun Apr 12 1998 Manuel J. Galan <manolow@step.es>
+- Several essential modifications to build and install correctly.
+- Modified 'ndc' to avoid deprecated use of '-'
+
+* Mon Dec 22 1997 Scott Lampert <fortunato@heavymetal.org>
+- Used buildroot
+- patched bin/named/ns_udp.c to use <libelf/nlist.h> for include
+ on Redhat 5.0 instead of <nlist.h>
diff --git a/bind.tmpfiles.d b/bind.tmpfiles.d
new file mode 100644
index 0000000..640a656
--- /dev/null
+++ b/bind.tmpfiles.d
@@ -0,0 +1 @@
+d /run/named 0755 named named -
diff --git a/bind93-rh490837.patch b/bind93-rh490837.patch
new file mode 100644
index 0000000..4b32b4d
--- /dev/null
+++ b/bind93-rh490837.patch
@@ -0,0 +1,34 @@
+diff --git a/lib/isc/lex.c b/lib/isc/lex.c
+index cd44fe3..5b7c539 100644
+--- a/lib/isc/lex.c
++++ b/lib/isc/lex.c
+@@ -27,6 +27,8 @@
+ #include <isc/string.h>
+ #include <isc/util.h>
+
++#include "../errno2result.h"
++
+ typedef struct inputsource {
+ isc_result_t result;
+ bool is_file;
+@@ -422,7 +424,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
+ #endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */
+ if (c == EOF) {
+ if (ferror(stream)) {
+- source->result = ISC_R_IOERROR;
++ source->result = isc__errno2result(errno);
+ result = source->result;
+ goto done;
+ }
+diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
+index e3e2644..5e58600 100644
+--- a/lib/isc/unix/errno2result.c
++++ b/lib/isc/unix/errno2result.c
+@@ -37,6 +37,7 @@ isc___errno2result(int posixerrno, bool dolog, const char *file,
+ case EINVAL: /* XXX sometimes this is not for files */
+ case ENAMETOOLONG:
+ case EBADF:
++ case EISDIR:
+ return (ISC_R_INVALIDFILE);
+ case ENOENT:
+ return (ISC_R_FILENOTFOUND);
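Review bot: The new `source->result = isc__errno2result(errno);` in `isc_lex_gettoken` reads `errno` after the `ferror(stream)` test rather than at the failing read, and the read call itself is outside this hunk, so I cannot confirm that nothing in between overwrites it. Saving it immediately after the read (`int saved_errno = errno;`) and passing `saved_errno` would make the mapping dependable. The result is also no longer always `ISC_R_IOERROR`: with the added `case EISDIR:` a directory now yields `ISC_R_INVALIDFILE`, so any caller that compares against `ISC_R_IOERROR` should be checked. A short comment above the assignment, such as `/* report the real cause (e.g. a directory given as a file) instead of a generic I/O error */`, would record the intent. `#include "../errno2result.h"` appears to rely on the include search path rather than on where lex.c lives, which is worth confirming for each supported build layout.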
diff --git a/bind97-rh645544.patch b/bind97-rh645544.patch
new file mode 100644
index 0000000..e2ae978
--- /dev/null
+++ b/bind97-rh645544.patch
@@ -0,0 +1,31 @@
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 31549c6..65a14b6 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -1762,7 +1762,7 @@ log_edns(fetchctx_t *fctx) {
+ */
+ dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+ "success resolving '%s' (in '%s'?) after %s", fctx->info,
+ domainbuf, fctx->reason);
+ }
+@@ -5298,7 +5298,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
+ dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+ isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+ "lame server resolving '%s' (in '%s'?): %s", namebuf,
+ domainbuf, addrbuf);
+ }
+@@ -5316,7 +5316,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
+ isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+ "DNS format error from %s resolving %s for %s: %s", nsbuf,
+ fctx->info, fctx->clientstr, msgbuf);
+ }
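Review bot: All three changed `isc_log_write` calls (in `log_edns`, `log_lame` and `log_formerr`) drop to `ISC_LOG_DEBUG(1)`, so a resolver running at default severity no longer records lame delegations, EDNS fallbacks or malformed upstream responses. The first two use dedicated categories (`DNS_LOGCATEGORY_LAME_SERVERS`, `DNS_LOGCATEGORY_EDNS_DISABLED`) that an operator can route or silence through the logging configuration. `log_formerr`, however, writes to the general `DNS_LOGCATEGORY_RESOLVER` category and was at `ISC_LOG_NOTICE`, and format errors from an upstream server are something responders look for when investigating bad or forged answers. I would keep that one visible, e.g. `DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,` in `log_formerr`, or at least state in the patch header that these messages now need debug level 1 to appear. Each of the three functions starts outside its hunk.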
diff --git a/codesign2021.txt b/codesign2021.txt
new file mode 100644
index 0000000..d021b56
--- /dev/null
+++ b/codesign2021.txt
@@ -0,0 +1,534 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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==
+=fX+D
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF/u5KMBEAC0hPiTonjYEe5FqNzFn73KmcN8KGD2wzujmWWLnFXGEVDEpFcS
+ULQDshhCclwNeXUArUey4nficwpqUe+Xl2h4dP4z7yh3WiL5nA5JRjJjw8KJQGVW
+AkgiZTnJHH8DrzNt9LnDL516qMDJarTHemDUUUZLNxnuv0RDEhDxsXWiVCQZZcw/
+41yIY97uCf30dsDwnckVl3iEmYaGTYavWbKP60S8WaxO0YG57RI1etmlIQ0nMmka
+4bvFnwwb9Jdnwle4LIiRMCGymsheaKCKrEZgIJY+idyBuExLLykiL8iNBj2Pzi7z
+XSCniH9qcEwfqgZlP/KZwujLhGOc4c4peNwpuDGcmYZoAsUD8CZ8H/LU1FIR2A1u
+/UrRREtC8nNTDGxCckSMEquHNURfMk1QmDbJ9gaa9aOk0AArxuTxyj6Cn+KQd5l5
+0mN0R1sDVQq9xWdvnB7N0d3MDhnV7f19iUhi3KYvjVTkCMXjhNXjDH/KXFKoFhKa
+9SkxYGfW25inwSQoqbP1TE5+rESf57bo+XFxfVQuYfVJ5BlZobz+sRl2iDQyBJDM
+uDFyXE/t+E76BmwyHeOI1weqUMYebqHgu0x76dTYj9yWgWdQAC1pXi15/MTIaOtQ
+hWezb5rkI2yZqaZLaRBOIRBIPM5C5AOjL2XbfwUuSr2W4+TvxLocxi48DwARAQAB
+tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
+LCAyMDIxLTIwMjIpIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBH4ckayA
+MKWlnR76uXUPPIdyPkASBQJf7uSjAhsPBQkD60WABQsJCAcCBhUKCQgLAgQWAgMB
+Ah4BAheAAAoJEHUPPIdyPkAS0lMP/2IgMErScBUaXrZXqYXoluR8xU0p9DyZEBx+
+ZGNAcJ2CTPAbn3FrkNGNpK4SOCLXEZPKOQ09umaIxl8H6uEGaTut1JLj1qGaZ8ID
+4gAeQcTIN9OQA5ElQo+ci20XE9JSvzqY1zb04EkMuVL678xPCYJhUSLS0MAQkcDJ
+JQLN17SwNi4vGqzVhnwKUviQU9/s+LRUkThsTg4qT0fNnmGoVJXqrshxJa2ZWM6J
+QtOWBgJiC6xZ+zRiZS898L0tekU4o9yxtnnDWry2bI+mJbxAp94ZAXgKahOU7LKV
+3SPxkx7TAng24nOWi1EaP51pe7usTFH1BR3CUHZdoIQ4xruZGkt/qPumskofzl+1
+8bw1bEFbq8S6jC+twT3JUcE02HbEIbrd6l2T8pYBXaojFggGjUTSv9d5YUN5N9U/
+/Qy0o3xZwHNdXLx6xSrUO+NT5JU1Nh/0sutEH7ru/YqFZof9vfCbV86y8fIOPgk8
+LkJNUSu4QCJ1PHKB+fJp7yAhlPkOXNG1b9+W/hVp96rdkovpCUkLD83s+suQyJGk
+QB7Qpem7nS4zp7/Naui+g3M3p/uRSzZgELTnXNyY//bw9fOqx5SDLjSUslUMz+TH
+sFTwfo/Mot70MPHMe6aE6tdTDoJTcv4Iim/8MDhJ6yqKt8sxprataZoWwFi6zAF9
+BzWkJcrbuQINBF/u5P4BEACso8iLzFJ+M1wqcsCDup+GtRMzte04CAlLmaLgyzfL
+3xxBo4AUgX6UbUCGycG878JVn52S6Nsl6FlasmyH00MGjZt1CuNz4htfSmLGcBMj
+IwQv1CYR8bm9EPwR15NaWdgzJHShCduMHv4HdfqSa6UQfzO/P8mwioER19fkDQSE
+U1KsY0yl//ipWiW3ZJGShGHLnn4YbxogQtsRPESKUsQ9MtzuMt3ehGtkN4RguOXC
+6pCWP8J4F9lgjSZ+uLOQKV4rmpbSMXntOJi2nu+14Zj36enW8xyAXO/w5z/wci2G
+LN/aa/v2a3GM3WJQsPNzpDwB+pr1n0Kp+wK6K7siVmDoV+WecD2KNNgOuSyUve7h
+BjWRM9W13LsgLGhKJA8yUpPvhXk91vLRUhwFJ2GUirxLPLs2TSTjHlHvhcPy6aX2
+HxbHkcOt53n2h0zx7ntl1N7XHozMWmHphPsSvOZ5StuQRAFvfE63EyfR84KUPIbZ
+kvftbAJPKCJC8W6GqhfORzYZqldDNNva5iYHF1OItF79ZLGI56diNsBV9SOVKk4d
+f9Qp6urYOd+9RGQGmCQte/WSFaU9z9QYPEGl1NlmGAWt7KKyB6QXZH1oEMwXtPd8
+4GQX3XGtyggEp6BGwkFFWRQzF1EZ0maRPrpN4bpQqLXSJiqQxsX+FAcOkhpo6X7b
+8QARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5P4CGwIF
+CQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQTpq255IzwEFuiZP0UMA6+pClln
+xAUCX+7k/gAKCRAMA6+pCllnxDtmD/0YCUccmKudW9PiQw7mI1HSuwL6aS+MlG6/
+LJ79nmi6TTpe87NDcEv2bBpVWYcQK87smCxIYyuj4SCZuBQivjyuecipRoG14PUh
+KU8UiqdF+vKDvUAA7huOBlR4dgr7/KvjirnbwO3mGouwZszDOLvaHuO403+TPm1b
+mJtEA9y6Wbk/+PTtfPymQwnaiJkPhQ6Q7ZbyasRIisO3MRPacUjt2DXFi5VV/Mya
+8o5Pae3zY+5SjMyE2siPnVE4/nzp424jDzSq4DGEUip/x+QYHFwxhCJmdZlRIFmn
+vSCAGXBpyPVbckC0Gw8kZ8HsGzNbMbx/VjDG3LFT8TR2Djsh99/6icO1J+jDkPNn
+IFEsYjAw7Tos5IPhIT1XkSCW84KqBG5pGI5h7fJzf19sR7Ki6XyFe6VYvggeQIS7
+VN1ISl3tRN/dk0GbrKkUKr0OVfaRD0wXQHTzbec8Fs43G0z/DKoFutGB/J3yjAmw
+IOcP5R6rqjhVp4APQpsB51XCaaqEXaXZyMWrKILbPIjlE6FHeh1qd+zdIjullnF2
+YZv89HU9dIXxKr35CM8f3BWm4D4cRjsUOWoGhMNwdHzHYOdys6T72KBK9D2irz8C
+L0bycjN+SIpde/auo+dQKqKD3/ipr4dyKJyOUsls9cyhxkFp031cZ5rWbXcLJ8/s
+1BeVPjFCngqPD/9rMKA6kCSnTo+rSqZRxo9RlQwy4K6xfPPdHZvBi3A4UYCsurgl
+qLtFtGG8SMWigmUZWLT6uhsi0orR5wfG7vzajF0Hcd8yuWa4zGeu0rFJXgG64Pyj
+nJHtv2Tzi8DNY5Y+8mfXqUewyEUXQLxnLqpGlPjNUAJKvjm4SstNadewgWeb6F8x
+UQJc8owGmK5+yZQ5LZj6bjt9Dr3SCM3Og/iS5XK5POGUJgtgXLXp3uy7p9SzsJ73
+qhrDII/YqSwToMu8tUv4xEGxyceVPDm+ywde5SXYmtvMYrq5DBdlalZ9kBlC5fyc
+IIzKoIOOkKKpa/YAyKdLTk8ZByjDk1RrdcOyP4VNpCvyisf6JPwWfKdM5mxf47hb
+s7zioUH7miUGA6i5TNi1e+DU2mL92sJwQ0WkHw6KaUez2Y9CaD8hZnQw/h/JcNq6
+nb8y0GR8h7qWms3K0rtSs8SuDXUsdZrFAeURivccmohXddtt0FDzkheKGXs27SSl
+8oOCh+jl/hEUzz2mJGFwRBo0FI5ipN51IfjhMJ8zzSmvfrtdwT2Tu6wSY9DLsYR7
+0tWGOc2HA6o7kdcC1V0p2jvQct281FrC9dTXFgcDuGUBYhzEZeWwjuYQXBzMquF6
+ersVnPo/Z5l1SnkK+wVBQbf4igHOaobl0AQxnb86W4CXBTZ3CvRq6o8vWbkCDQRf
+7uUlARAA7oTlVZXhdVlPnSQlnI5JwovG2jEIrRifpbyavlhlosX+rgtQ5EILn0DS
+PJ35CNfOAeOcLQeRrJAZj6w/x9FHWfKRAHUeiTTsVDzTrDyJBCVuC40ck587KVUc
+GuB3vee03/y8qAczj5TZNaDdl+4qAzOFQuV4MjwJOx5fsXZw3dUAS7pw1mTkAYTh
+nz557buc8JJCxrebT6FvN8bugk7LJ8SYmI154Q5wCdXB6Q42sdSMFlKKPYRRmIvX
+vI4Ytl/J35v43gCLbXccTWQpBX+ra75sndS2hYGQhcC+WdNtt4THgU6Sb7ErpJK7
+7A1r1Wf0WSioQ2VWjT0QbUE+6IXD1J8duh6ZgzuqppMm13aDdMDZGwdcxlFw+vlo
+bM+IAX+QgzPjslM3FHVvvfCLka+ctMO+lL0bz1G4njNEXcIAILhmoqRI4ItVH7Nl
+ZI3pAfLLB4qbhTKTIiS+uIoA82RU86ozr5oJZCsJa5N5EpJnYxnjv2tYhU42eh+j
+hyM+5ra1dXtveKvL5SkVuRUlPZvgOuwQ14Qnj6sv8CmtBpyVpupHmY2RbNtLVLdH
+Ix3lyQbgVo9iMJIoXiPXmcRWCgLgOeuETjFXsEcFLxuN+D0My0dtwWcg+271vtPn
+0orTObxkctFK+V32ByJYxVvytNCW245bICpxCicxmh5kYEmQCnMAEQEAAYkEcgQY
+AQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uUlAhsCBQkD60WAAkAJEHUP
+PIdyPkASwXQgBBkBCAAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAl/u5SUACgkQ
+xbTukxqfnf2aeg//ZspIr4ETVf3ai0dXCm2Pf6gpM7QUfI9fPUHymvBhNrNhfZqN
+ADpzbJefzLif8as7kUr904zTc5Jse5a0MzCrMyEwTDIoCKDv2ktLq1L20bwflZs+
+oP27CYC5FkJYgLYPrQZ/7hRC8EWjgn6v3seJtEo8G73kiVEBOnxVEfGZ8zxmX1Cp
+aOWfhiFYCmkEe6Ck9hG+OaWt7+WW0wWT1UFiluzRRAEMROcCUtyB5IPCqCH/Rz/m
+/bE6G+lHZo6OY/wY2q/oW2f9JB/4QyJeSI+fkjY/wDjfNQjiPMLfZctv25IeZYVY
+ZvIKrdnjbzRe+GwYLg5G/SbpSOEb5O55Ps8mNUpYFaMCfefW+DG48a4WyUGzFr52
+BMKvHKtc6c7P3+muBAqcNZYxRqyLIQiYiV9CCjpIV1WgUeedroHUXvJF/SAvNVvB
+ZR00I/D2hsD9BFh3B1FEYbw7GuYuG27Z6fgRolOQUeTabjQLI386SV3IxZ1KFwm4
+GU8BTbUA2zwT3hu/BaaCI5jTSLyBpdo10b1wgMEnqmXG6AbNdxFVEWwE+CE++BHW
+0YBhKp8fghHwwN1fwTCV+QyA4Qn6EBVDkTrUPKqTeCmHzt3AQh8WVrsmrodyr5Yp
+69LoRnlkLcGJiOCKMOmkop9Z32ckGieYHrl24Dw6hmUSWDG+pBn0ezbSPit3FhAA
+qD2y1VzqxsaCOD634Ltq8AbvphP8XZPrrsC3DIA36ITaCQDa5Cn7madLCXy/uP6N
++tojtzXf4tUzumwGJGFLtdMXNmuEuXrj++NrU1xcscbvDn5O4NDMadwI1EDlQo7w
+uWK9jaQAVhF7iDEBEazZe26knQFxC0my4SyO1uQaEg3BKHj6z7dkAjzWJaQZhzql
+yrRzbCiVUUI8ZkrgM/+/6NJohUG/had6DoefgK6H8/yjgVx1Wtx+XAuBQ2cvclhc
+TAmHs128dWduNHxI2Yx+uM4kuHYpPKBwdEh91ZNeNqtBJURfSVjBCjKkTYiS7kiv
+XyvQOBdZVeSVpj/QoAfaUlQoBVm7aF6xf7GtYlVzjMsLYdpjXhy4ZbQQVUuPI+1f
+yFkw8PpASZ3gvO6KQ4V2w3hOYAxYQ1kSwTtaA7+18nyv65VolTmAotmLun94UKn7
+zjopByBnC/XEqsU3tibg9A7xQ2KUpWkpmG35f4ZR9aEIxSe2Jmm+Se0JfiAq6Szf
+dyWvr/TzaS/BZL4WEPk2Vw/mzWEPZOscpIkBFGK+Ul7yuXvbrbwr+zmAikHmTb1V
+XfPb9eBnwDDuRHhLBym4FMrPjzeziAxxkScTfDjWq6rvMmaEe1CX+dj6ldx9Jp9d
+iUngol89eSgAQOtptjcit5o0Y0Mu/RF6KIBG89ghFly5Ag0EX+7lVAEQAKFx5asK
+W7A9BNKPkaXgym0AlW2szQR1nwxi3APLVLS0Al9Y/3mnBbYyO84HDr82AtMSWSMY
+UZIKtkUj2sVqUb+xHOPkY/MenyoBrCl2qaTVJ89nnWMUjtrX2qk0O09+ByoYXTit
+BVPAIZ/qZfGNB+Dsp1haNKRdowkf6WXkw7A9dHB5isVmaM/Z0THNJRHwc6mcqbEV
+M4fDL+OCx6m2KQHTHirk+OE9Nwral82IIqj3d5UBHmjHAbQNXTDzZbWg6tYbLN3I
+EYxSRQpkJZIVheyBmWFZuivm4hCDZxJlZ1sgxQeIZk6wR2LBR6ccTW6PH11PhIpr
+6O8aQh8JUMg+/aJK2eQXINozYdjOTUjnWAUeUqML7Pg/vERRAgHXO9Z+NTIEWEOo
+Ee+8WOFmrmfjb9Uz27DtymhUjOl0ryiG6F1b90t1rZvVKWR2OaCUhICm88o3MCgb
+HFeOh7v3tnQb2Uot7kY1hgch6j1MNYWGb8LjwoTAmx9okEv9mh119k+SdVJP6wsX
+ZtL4860vTfTw6RQM7rkZBzTyf4qCvU5uRSd2u6JqtUhw4m/gkKQyW8jLEkqX7JaT
++iEBgPzjALvfSWDbDgst0szqU5jltYpgjG3On7/ZGFFJrkB06orUvovxLThWWvm1
+iugw4/av3n64hl/yfxvKQHLQA3Kfkjjzc3oPABEBAAGJBHIEGAEIACYWIQR+HJGs
+gDClpZ0e+rl1DzyHcj5AEgUCX+7lVAIbAgUJA+tFgAJACRB1DzyHcj5AEsF0IAQZ
+AQgAHRYhBGFPhWcuJXtdQn6ZBiGZBzrXgrS4BQJf7uVUAAoJECGZBzrXgrS4jfkP
+/ApYZIRnBL+LdTPYdbZDYXotkE6RO6ZsPdcV1G6na5jJ7igdVuvoz5nP3rX+oQoH
+6k9DysQzyh/SkXRPnbOOyvQsI7atmH7SkhNn7ke8zmEJLzApHA0ZMGXtBJHQkZwA
+5LDWIQb8HbtJTBr2DyJcQdpRmP3hHDgyYgwg0AUG/2JEwYqps+/pqJCrLSP+GLOA
+ia+wRH9xwv1Vl2gIxWXqEO6U3puqUg+0z1Av4Gj/xzuw1F3eLrOfgklhpASc8QtC
+89kx1nhFS+OybQfRAH7YN9DKE5L1kJxQ4t+uW8TiXf9r+MdcVMEI3LATZRtgowFc
+493g7EkTppmqabFns9OamyxXdIzLAKoKvykr7HPCBWUnZn2I2RrcGQltRBQlR0Mb
+jO+sFi89XnFPwXIw/t/9zoq1bXCGTt7H5RtrfxC1wTYXqLEdV9pptNj7j5mlff9g
+DMw1v3MfUxbz9gIDzs7ANnw3SkWi+d0v0bLadWdItkq2WKvvgB58NJtKPc8Jwilh
+nO7W31U/kv8FR9JcFXzS9+Y6ejIClF4FAwr5tK07N/xSFAKEs5kyAYEKxP6vI59m
+5h+tO8cws+pi4gqfWa3t3b+dVzKl9AIkWAYjq9FvbfiqZgKTlTviSUMpmK5qJVld
+72+NiolUVniJbw9Z10ps4G4zmXSl1ZxyKnehUzcKyPieEEsP/1/tctQx1LhVu0TJ
+RLtWrE523hqxpqDdF8/QrNp9dX3YVoEkMQW3YYir2oERtaosWXmRjldq5dNfgtwc
+lhG+/CP5rxNeCJlI+b64pC/yQMCrbz/V74aAipuv7ZZMflgr7ZD5i3jyM/7/AunS
+qOUPwkKrjetNF85eibeO7c0Y9/HhILkLQ8EoNfJshdc0/scwMZEpLHTMAHSrxCAV
+FuhLsF9epenA6IbtuMsp43aSxshX05RH7F94uj4VCMUSs/90viB5njItpPdZCqUH
+eXSvLSjxqsmS4Tz9Dn+uWvxleBLRRcpZykuNLGgwVXafWftWbA+U9KaJnDWFdzjJ
++gAsWfHfFBOa1RfXYP++e+VJflcHaEZ4byLG5Zf1HqAvvcaShAVuMXY1hoYJinvh
+uk1zJRW9dP7apZx7BXWxbWcn8LMR5GFfunl/M2iNASmkqxJ9gvy6TBRWJu2QeNbN
+5Ks0/GDUawQqvhmM3V6zFQWVsPwaHpufIaGqnKC2gXaIHXPP0ldyXdLXwgZ+6A7D
+IEqHQB2BDbiJtovk6GaK8PUCEHTiDmRF/mBzlpBJOn+Hc5ELufgr9E2lkrKJzFag
+CBCucNhVEaUedFrycxfSALing7DJPWb5cobu9K+3T9L3k57XgxSAj+g6vOxHuxHL
+ve1IPheCWfkKpJH5faFDWKpJYYPauQINBF/u5YABEADgWTS7wFA39XvpWNHSfAAR
+2/nlGWuTvD7zoirzUwOd2+I2XYwgl910KsznhlqDrHZlqKuGRjQlbpyTbsOH2N5k
+IE+0uEXidU3iwslSZ33RLL0h9+czDnlgijYXLCg5ScswBEC1E/kXX685AUCTPX2n
+D1+Ymxxgov3AvItVxKDd3N5ERsy6hYWPK4ACXt47hJFqPfPtnQe2IdFkRm3bOuX/
+X79Kb5N6cAoao65Tpsix1pm6tTNww0+THzIWzK/yhi1/tUOv/QJMEVAxeBAPr+Pm
+mvjHvsI9RNQt7VnoHVkqJhPDxyQZR2IOVQXvlYyCtkPA4WQlyxLzWM24TG8xhD1v
+zZzA8qs//o9QI8OLg2ZYxplC4lW6GEZk3GnrTXs7bW6HUq+RlayIbDw7oMs30jAv
+YyDdQpZrYuZvsWKbKu+65Yi3M5kW0v96LT3ueMJaL/RanL9JhAWuEqyezffsBZ5a
+88/i0n9FJ8cQ1fZq2/GLq/mN2JZ3e/HSWynTnlmk+qGk2bq0cRFJNHAs2HNAm0Id
+pjSFCPmek9j30wp2c2knML+SsSw5h6570mwILuKwFr6i2hyFlPk4H7nP04vPQ8P2
+Pu5O/Cfg9rPSBjIi9FsNS8/a29sSuOmsSGHZnMrVUpGw+iKmx/jVejOtqe6hYydu
+MSQtIU59E2fq5TM4tub6qwARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88
+h3I+QBIFAl/u5YACGwIFCQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQQjoUGa
+YHzyVyZWN3UsTffOV4ELlAUCX+7lgAAKCRAsTffOV4ELlDerEACBP9kAH17GHloL
+XJjd1IHttRWU2Qs/VV0H14g14hgRz2/Qa7KRR4mGrXPKS/ctMkDXwlvs4HPUTeO4
+MMT38hwxv54AjW7CtF8DR3EQFXKR51roICQognvqpPe1auNERdLzAdcn+NoHEQB7
+eyPqjQM3OGGq0SVRwNnv777o+Kd8Ncv/4fR1xvA20Ds94G5vCYpHB6J+lPPVXBmz
+rOYSf+QZWsXjAZdnAAYkpEjfJhNrqvqSoRxZ0dweCqieenm8Nzt/vdL9nT3+4AGy
+5hmaAG2ENj5AhI194gtgACvKwCl5hF0VKMhtm5d9SWS+1quHzgn3UFh3VZrfjPid
+CR64mIu3RpZe7EcR+lMl7gCJxdFlHVD3z1lbz2V6u+xH4ZsLrTY+v8kDxzY8ojM/
+zDbnlEK+xzA9akhlaD3D3wKXRVuSlrxfEVv14mwKN5AYHN7bLL3bjOo9WYtLznH6
+Av4GqXSQ+LOl0+6bLKmD68/N0q2IiZwUSOsxTE1fUdYPF8eiN8L+35Qt0jwybieU
+a3JYtmO8EW4ZEmjJGwKgyrf+eigJN2/0AeBwcJyUw1YfzaqqS35NNyn5eKANyFQ2
+ZhIjuXRyBOoUMBAx2TSm7FGeFOIw+aQgap6HuGbZ0EZBz6hr9ogNC9FVXCPENKo+
+GdTGoIEs0n6gGOPP5ssp7xUK3420AM3HEACSmYaNC1Gfq2d81fI0TBJ9ATCRPo14
+MjJGiWaFaXoVp/lQeOvlX2JyBG2I6fhMGPGKntCfX+/MERLNAiahQgOjvnOCQdlL
+hbq+6loQ1eSTX2AXpRlQpvyxLuebbM+HX3N/9mqAksgQdljmqoJQbiE/HqXqjmKe
+16ylU3Rjabyc2p/31p7hm0IJ/3yqDsM06FUBJ108SALQyVvKqRA6q1t/Odb3xgt2
+isbCEgvhJ8kYz3LQkvTW75rSa1cM53Udd1rbyo1t0PaOSGeUZw73/nY1+6LtUEg7
+Q0x4ohL1UE7z7+14mAtn4OvGDuZJil7Lf4cPszf0SFoHPs8iUFpSorBwn3u+5ZXW
+NYFblPU2WK3O52qZqsjuQI/gK7uQhXjJO5nA5M8Yv7bVrbLMOj64hdOpNbd56Ycc
+qwYbHZL3WyRAN7TNg5ZlHgIVac22StawjXiHWDGaAXpCaHJn8ryM3LY+LTz16R2M
+bi+HVaw+0fY9f/mIcOdT6AyDg+V200GkGXL6aw0LZkBZmDin+OMmL7AS8TZ4dvZt
+zj+sykcT8DsaFj5Au6zHJoCnsuShMquHOA/vcUkhoe8/E2Y2QdiX7zwDM8vFM8tX
+DujFLNPIZuItcVEpE3ysFV2ZfVgBXoxTlZUQxdgJBQ0zg6Ez7rDYEAhVqo2gY9sk
+XtN80X/unsjGSbkCDQRf7uWiARAA3i7pu8/QvukeIBoIk1V0GHGPjX+GeV3fR4fu
+ciYgx+NKTXT/oJ/89KVeetT4CSnGEZcEpAvsBL3hsiblJYyLVmeoCniFlU+rMem4
+zYP2PnEX70Q56d6SjBArs3K1FZK25S5qqv5ceM10NVRwPufV1RIuui6mQLm2ZwlY
+JyyANZZXMrHMJdaHpK9mMBSSF42MFQZhcauQCrhMhcpmZKn0D2+PpRveYwSr43Qi
+qBWR2INTDmj/V3ERMviE7vLajWQcmDdcrBp4u3miAJcJSn3XR5SiuL5W77jFEzgJ
+zR8yTC4hWE60nWJOk8UrEbpLyr7mBE0Tr7+1IBMgVXh8WHyzLE2ENREFvtp8KlSS
+y47Ky9n+5aqPI4M7epMNwU/ZGQnC8o3yX0zZL1tKq0fTAw1Ly4NGE1gRbmzrQcCh
+qUHg/J4KFYBMg8eCAzuPp4CRk8wUzu4fRWrOraoz/7bvhH8ilgPu1teLLKzDdOdx
+QAaiz/nGy00ICNbYqifR5m73K/rDdjtIqgsMp9Az0mEpgVNq8SPzM5grqAnP/iww
+QxwFftiXq/pEP2d8rn65e8NikN42Q28PH1D/uBYnOuVdZUvjU9wwywmfyr+NZMaH
+X9sN8R3Kk990W9VxwdOTITpAjz0qMtpE7i/GwPEtpZPTIfl54+cVKvyUjBuTXkWn
+vXN+6MkAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uWi
+AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEEBjEqvVaiYb6sKxATk1aQ
+aqvQi4MFAl/u5aIACgkQk1aQaqvQi4P2Mg/9FXfsIZAgPN/Dq95y1fHG8jsPXEoY
+VNY1codxxAaNqvBXZkfJbFwSYpLY3xIbyxHuGuOtC9NpIy9M1+PR7MsxtZAvSjP+
+flP/12x+6nP2H3NWOICpsY1tNOnQe2SjKJxZXHFnDqDBgKpv3QfKUHmYEdExJe3p
+NQrjZAgmdbEHeoj+P2VV5vqRrJoqNV/pUbM9czfEHeMVMm/mwWNOi/paCh1y/PxZ
+Mkj2bqLMRFfML9O/7QOJRxu3wQwl6jJHj4o6CHks6t237FSB+qZhhQP+vR2CZl5w
+lQ4trw0wpNgbZRIMlU3tUfFQ+KdFsM7UqwzwrVgWFur5r7KrFzJN88EKSplrIY0q
+se6S5b58H7Tw1jtfjb/xF6jQz5aoZ9xemd8roLReRpKPq70o2eIP1HkjCtqmd5Xc
+RQaVEUvlv34WZQ5w2eA1bEBESjbrKhX+H0Un0msUS0JpnpegRNZqW3Bedeos0usy
+MsfqMYmZEcZb3hw51XnSb8B/WhkSmcoEuECRxeCu1tw0pn7o4GemAeqT5ng8LXeE
+RJhrUTlCIyRab8TIQZvmf6XjneT0stZLKCoZUXO+7FH7F7nPsew1dU+WFIauQX71
+PkZp2JMT7W57HKPuEillF8v5+H1k9Jq/2k+ZdgmT1Gd27nALBOc7q8rr00Lf6BU3
+K+XsfWo+p08CXKudfQ/+JFzzpyKeX5nVqiqbxqUakPy/Ot010/7457YVpvcLmcvT
+Yn4cR0dottl96lp5wT1jN7VXfZu/tsHEtTg1ofeExNuCL8DZVsSN836idRmObhLP
+dnYmThZcXBJ3RgSniQNwvuuGUtpH7OXb5vnAOe42+n3yucxhPI9Gzo5g6fTqWwb+
+qwh39ydxtiv3v3jgFixJLj/HH3MsxTm6cNUTWNLzvX+HugBeuOfyDG9++fe3UmZe
+MczAF9N9tDFP+0b1diXywJWfSdVLBmMARYeh0Swjud60SQLTqaqXVfPSECGo9LVc
+wot2u4q67QhUC2OTKiTkF6QVE05iKoPEPkCTmMvSpbHF3ERZE3J6YsVg17Uc7LrZ
+7DRRF+03mu4njS8LvIoeBuqsB96mNQNH/PwLSANWTtclCwj2C9W1HKy3zKjnu3kC
+PHLzwQFEO28TE5EsblnBdA8ozNIV887V7yw89MxPhpuXRn8BVAU1S9Dj7j3mNHLj
+rVAgZmr/nx3oDt8VfOZpK8u3u1voZdC+cnTBdcG2gzM8Ya+h8C60Y8dFzykr8hr4
+b5gDeDI1OkQ2vOQHtnQPdscYKl0v1ntHq2wrFuCIol4WneKh3Jrvdb37cL971u4g
+dpw0jTO/ykCvLlipxjJ/NrnXFb6TriZRgWZqiIwY2lKEfZDXqc/iOa2L0yBr21a5
+Ag0EX+7luwEQAM/CQdinTzIHaEJsCe42g6tt4dBC/UC4wD367rJcyJbEd+qaLJwS
+CQUbg/wrEdRT+aROHVKLwrvXxtgJs0x15vvFTurkn1BnNMh7p8woYwip7PKrNn2+
+96Yg7Aqc3a3gkDQeF8Q7uipOH/5feJh6l7Iu718pvnDUw4UFZt/RUrdqseFXVwr/
+ffSalLx7gJhL3mYuU1qpJZxsonNwAS43eViagI0FHSqixB5kPgFcbBf3BIiisOCy
+a1L9a+zSt1y1aEFC7m+9YlGJA3C0/X8s+dK0VWOrJlP/WmKUp3Epxpu6srsBItcT
+YMuGA82/03YAJ+jpGMRb+X1Dq9vuOUxvDjG+G10Cgew2EjiAkXpVg/1NsCrQWRbs
+KtFf5PXGfKCO0i8hEzwmJLd5OlNIIiup450iX4eS77Tey69hGyweLIC4YDPDwFpp
+bkDdRG6nDvePbEHi5z1L41NaWNa0wEyh28OqrmD0FCcGukk24pBVemVEx0En4siQ
+la6/1QXQlG/wTi7Yi71V/4oz7iZ4lSPWs0ACFGD9W5InlRykiRXC1cV27f+qMw9u
+Y6UbgvN70cWflK5C7e2h/eAQfxj+seYFUjMnJTkXiZE85m63p1Yu2A1c9+jqJ0L3
+Lfn5YIQdtWdY3Qc1RIQYPVRl5NcgXIPV7TwjvnjowuHjWX0IQbhv61lNABEBAAGJ
+BHIEGAEIACYWIQR+HJGsgDClpZ0e+rl1DzyHcj5AEgUCX+7luwIbAgUJA+tFgAJA
+CRB1DzyHcj5AEsF0IAQZAQgAHRYhBOJesM8c6ASdR/HZpjPhDkoYOo5GBQJf7uW7
+AAoJEDPhDkoYOo5GhpcQALowCpZ8UowMWlQFfZ2ySJalnZM6S2RxCFiss4W9pGuu
+9PKuN2wdXW3HGkBGDAuQgLwanSfhGSt/urT3+DT40OlDMzanRwEK0qiSaSs/xBtK
+dNL7JmGbcWTXpNP3aHhfYhVOg7NJnsfZ8Ti3dfuv3ZrjcLvgdnZ/s6O9S3gU8DtH
+fpnOfE3hxjUEHEw9hs9Otc6foCqMDZDvfU3emYduD5AvTiXYdeD/mZBD4OmF99II
+XWNuQexAJ+xgOPdvXaYt0lBuXmfMcn/1hrU3RJqguwnPZ2cU5zo41/uSbdsFrTHK
+yEOLTn0XYYk07mZGdscljzmXbpsbAC4Jp8CDBhUfdzfi1n3AOyblk1nywfionLlz
+HDtfWQYCxp16N8S2MU7tA1w8rFNwVDVwmxIfgjLrjPAgvqSpCmLHTXNBfdLUYRAv
+SpY9TR+U4YOOuEx2Niwnprdjm1qilN+fmPR3tWvVChlD3kHmSpi1+9ix+xizlBjN
+eZ08Eq5rDBPsTpqJmoNS8pHE0EL3IVpcB1pZ5rd6UBSa7LoMLeWwWm7Ap5VZALfp
+jMNws4SA2q5OTRY2or/+m1+cfDWIP+2XQV4YaNFMbO7XKr3vnUOxY9gyADqfRJiv
+DljHiw5iLzbkaHs7dYJOPNMGMlRzZfkkxg6Patx44TQ2rO7LnyCgVdFZWDHNevgR
+Z8AP/152xfh3qsOnT+R32Rt8CcwXmKFxLylgpjegcUmbutow9zdlX26qZ67cJ/3p
+hNLZgAYKPrGecGA0BJ2UzsPEKKz8I/dAp96LpHo/24WqUamh1z2PRAgyJGC43zm0
+rA/KAlcht8bbI/VuZ5eAYXjH01QfPS7i7fFOryYYFqfH+BTp3ZEr/A7FkcOZXmNV
+Gg4+oC2t6cJnzDsM0MUJ7dgNAHTLGx6RZZahdE3LJ8oVJ8Vek9KtjJbPr143EZLt
+ymkiy93pzLUaKWfCZJCCI9nfJnNZnvoQXv0l3wnrQIFE14Fv0jbTALHRgRJlB4cZ
+i3teEuf7shSDsd13JDdfmxMsxnfeVsIUPa+J0GBSbe14JHXlcd0t03cpbzO547Qb
+rFpD98XO6Y7OefWD3pwDF2Izjnn4Cny/hpUIEO1A2j4qHhUkqmnFmBO6yIFic637
+CJnYe3uU7ss/TNIUKLhujqlcNl8WeOMVPbhnCuOhyQh2aioAKn1yiQ1EgNSIGIVD
+LwqMt0kxI52/aDkZgCcEfBFC1c17IeUH+G0HMGm49/acFHkhX61S4efXhvzH5J0l
+Dr+0qk4aVKNwqkUNp56GSMLhiiSYivX9Xa4qQGNlmrki1pC2DamlTXDLB67XQcRp
+dAc+4nNTK4E/czrr0+wlkgz7pC1MAllCLilyTSPGnKIPlOd2uQINBF/u5d0BEADF
++6hDuKvzbmKWZNXjJK6Em/5nnzBOa155YQLN91zMs6COI4p+YuIVPPzVWZYR0yHs
+gTWw45cMV+RYwuL/P+1Z84bgOyPloIVF9VQjOC+wB3Gn4qmTzobr6q+UfQVvUiUQ
+8fGG11teWvYpWiG91uialjHZmrpAOQxjHRxHPpi0cZtTFEqinCIy6c942xbtZnzf
+nzPpxkKl0a8s1eKZ0KlDK6Ab59nxAinilohXRg/U6sqypsyLl41L0qMZek5dEt4C
+r3spdSkZgxqJpLTqQy/5VB4pcfEaIaank3sLxhpil/oQiq+38WA0VkICQyeiCsvf
+eEKyt1C6COBNH+olegUxudTKDHFthyGMPRz3McI5jHxCyru0mfLJag2hHXzgGoaD
+VkYIwkvyVsHWDqrZMMXcCIUVlpphxtHo1M32AATnWFe4K1nFdbejR9XC5xWOgwbT
+zCblqporHzU0c8WBbfJ0Y10IDrHsa/F08PkFvVN48Ydik6rcwowSPxP+59Q9AKLh
+Isd2hzfWU2zAbG5Ph1wecwlYR3tp/0i3uSTDXfuuaY+vrqpoECN6fnSg8NxiBbjU
+JR0Ju6KDM2SeBUz5hp9BzL8+OPTogRZoinxBogrRAvdGLOnLG5hMjBezzF8UEvp6
+IMisGHBZgXoX4Juvf78RE8JOwHa+HUejj5kYiQW6TwARAQABiQRyBBgBCAAmFiEE
+fhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5d0CGwIFCQPrRYACQAkQdQ88h3I+QBLB
+dCAEGQEIAB0WIQT2AU9wN9W7TuO6I3E56nu98JFFWwUCX+7l3QAKCRA56nu98JFF
+W5whD/9Hu5cnJ0hnzqk3MQsdMXbTNLsv+KePV71kcMRat4hjw2Li/TUaC8xtA81d
+O/1obmsuoDAgv82KlQ7DLDXjFk2q45lJdgZxAkN3dEoYakdTIEi11FvwbhV+qxZK
+jTq3jFQho4i3GDLgrvBMG4B1TGMH0IPux9fmBGpxYKmp1GjhpgoMXp9bqzsV/mPZ
+TxPlmIpeJEO2jeCWKhHHw6rzwGjF68G3HiJ0TqvjdCtcNrwd3GTDsdEJtUl49aqF
+M7VfoqKjVdRO/YDL//+TJNOYz5EBGjIZxbhgZJ9Qz+geSBx9GJtDWdq193ofFi39
+oleTFnEMj+OeIr1Bc2pc8Z3HJttFknicJDkeze3mM0CZAkhVkLFy6DvAQkXrgvfp
+AUYFACQW8E2XmRBiKd4huojWYz5QGSEIk2fYRVhse2HAUZ9gTODSX2L13nls+BEi
+sArsmSFA/RQslDXW+Jl+P0e37BzN51uk2Dg4ylJUBgcpTRUn4Q8c1DgHDhkEVnBI
+ny2H/MFuhImw9g5xqlBfCEKh5D8D0e4fX28MhSsBlOCeIKJoY85U3GNY0tlIwAt8
+M7IIHe1n1qncPbAMmq0K48J1lfyTEbXpnSfArzEdbnosjBUaiQX5EwA656eZ6wb3
+Vq02UDei6KPuOosl4Voy+Ffq5MCkanVMA97/0wV3CeCvQYGbsvsUD/9fLYc3yH7A
+0xksK7PImztDR8MLsUPoiv/vnfZ+WJJ+YJ0TKAHm1ZO3NqeZmD7XoWHKwh83zsK8
+x/JUASCBN16isC+Ym6IwF83/HXJfKNvvotkr2WG6Dv8Vg1Hhk2Iv5y3EMbFa9rfv
+6vjxho+0sYrraJH8qQAM08IIOi7+afrkR/ikgA8V7ymqmdxtMMHZqG+h5R0VGTVw
+QBxZ5/ZiY56Qn5UH2m0Tc2AHOcAQTvCEwyb19IPyhif+rek3npSvKtDc6WBJioyi
+gvDhl+jgIfcIo77w6GthgbFc9k68Je56Peu2J30zWj76Z+Di1OJhAj1wFr4/XT5o
+c1MB/Vfyx3hEPRDNz7dRaDqoVnYVdoI0blyCiSkD9I4/axb4X3xN2SK4XA/zv+Lb
+1FbCM1XFL2aF+09tk+77EVdWsBmQpOArD0d54E1YulBGaxVm5QKfov23KiqHIFVF
+8WYqJqNJwbJRZii7klczkVm3wFte3NWK7HW8kfF147lv0z3AiZYnk0O6Mj1ip3R8
+Qm5yiv57DbbgIMkSPWCpEtFGHIoK2msJ2bQcizh2WGxLos00RTx3IVAeSAS54+kr
+rMBg50wNczcGHKPDUKLwkYczgHonUtljAkeXnTl69rifChI+KpjHNtF6dFgC1aSt
+MOud6HhAcd0f3lmuPzCGGp4YOQx9tV139bkCDQRf7uX4ARAAxaybudQK4fMIzLiV
+grIzthhb3/DK83PNohTNMemM2V2z1Ij5Dlu2XNDypMdR0rKM/QI3zWud1+vd2h/l
+QZlg58FspvrY6I7hI+cbdRldVaAKDGQHo5Bi0a7BkonZvS/0wnNUPIhy/znzXtXR
+f4L7ePZMofH/2shz4TZ1yNpU8zaomY6eNjSc51P4vVxtDQ4QofQeJEn8aO9a4whu
+O0TVEAPKRYBRgjM8faDuUJtLfiC3OrhLg+B7JVSF3di4JITAyafPbZACLjV7Umxb
+SUL3qTJZVpIuhF0xQOCE+WRx3Xs7lkPdHMqP2OaJ8Y4ymR08cSfIP2XFKsQFtoqT
+VyMQgGgI6VXF8OfnCnGgx0Do1vJNoL0neFzVXpCPPzh1RbcrtndZWum/1R4egkYg
+J8TPQH5X391J58Uwd5l9/ZDdoSeeQYdtTR4YQ8//ATFO3hoSRvES4U6ZwO8LM6di
+ra6pqb6j0liT+DdcBwE4C1bGJMJ6d93S5SfH3llDIMJo7uJDbKILFMES9rg7S6I8
++SW75TjKUk4Y7L8R8qwURqEyuOOGfaQXirqvji4PdcGDBiIk2Oq69Ky6lmlJgyIH
+SZ7SO1JXk0yAJTXb+a6FJTLFxidkIZzu+LhLBn/MhAPjVyv3qCTQ7O0lu8Mfcqg5
+8hhJ6IE79PBHS3z8ok+mFK0iGrcAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76
+uXUPPIdyPkASBQJf7uX4AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEE
+JFV3TUL9/mucOD64/hACvFlwgR8FAl/u5fgACgkQ/hACvFlwgR+LoRAAgtIgaKb4
+ZY8qoAFZeph+Syg+mMKfPJkBuGUedJl6IxbHBSg2mhnCjJ0bmdqxsAXgtcSUqmtZ
+Yw9NyoGgiVjs+gu5sQp1Oxc2/keQXaVksTkoXwdnf+2iXyp1WPeeLGySHmzuwy9c
+eExt+h0mVmBgFls2wNdFGPbVfiT3PvFkwqsnta6HebDTN4pMzvG1IIGV7L5KRo1E
+dmkrt3lXQWmdgHl3JoNQ9v/Jgf4jo6gDw53YvJFKJcaOOAS3d4CzPWmcLzcy4mf0
+9YI3DoQCbYL3cRNelUwzUF2L6QyPCwonXemLCmfkBgsSVqvW4fq8qbEHGF2fK7x3
+d7bZEsUiGCt/tXOkDkNJ31T/mC35nxZfcj8AMPixO+BnAeKeYC37LbQD76jrw526
+tUXsAF+QON5DPeot+e8bIx9qSbvdqpXDkK4lGcRTuS2OVC8J9XfDTch4wm3Kd4P4
+lDdRAJWnLfVay0m05LGlekWdEzcjP8KDaICH9rEs6f9e1gy6mTEBnBW//41BxELT
+KxoTGlcX3yEhCmK36g5C/+d6b7Ji5arGGTCa96v/xG32KYc1zfn3TYkCx06pPUbz
+iAl2l0MTpGeqz2hJMOGA3JuxwlksJKqnPYy0hHKdVW4Pnn25NeXcBp8wpkt8VZOR
+bzjw/TJB7qvJHoRo1tat85Uij9rAXqTyO8Ea0hAAi/EfuiDDy3GV7bvjFSA1XEjL
+d+F40g2X0QG/PHTScYB4rFJwV0GFUxLHr4g7iypAVI+BB4EYikx8gpee6B0g3J+r
+aCFDDrRPDKdqrpZK53oYcBPkdSBbCr5MAa/M3DerKBEgoBVUbaSHWN7OH2ae+5R6
+X2ERmYZdW4PCj6lw7a+RhkAsgKo8RjonjV61ehQPZh20noI19Q80BYYSCfHHvzy5
+vwvByhmTMJNrl3PDpBy9/TwBR5DpnHfOPJX6bnl3pdu65F2TRM6yoFbfoUiEqrXV
+4wC1I++N9VjrQvXSp0ik/XaMWq87wLIg+1owElJIzwyZWukQkZMAYtesVFz20YwC
+7Nu8SNr/NTSCH1EqLsS4YhBTsjpc2T8AqUlgxKrilmLbrj64PXgMsQ9WYm5zwlC5
+UA5eky5YhETFJ25dIaplMm47aIbPSH5f9y5eYPkfOCoMu5oDzDzoXdH9V1YfsHqa
+8bboSgTdariC23x38E9PaWQNyY2MFKL6cFt2ilIsMSSD6JAm1x8kBtn1bBopG588
+7mTDtlqHCw/QrTuLreJG9KJ1dQFJ/Q42+csH09l081wlv4BBuVlN1Xmj+c2sWn90
+l1BPZfYHd9jhggI96yTZhfTfFbSMSuGPQyqHnwDYdA3cNj5BYievBkO5FZaCe9SZ
+4xcYgqlVpv15O7VrD+I=
+=Uugw
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/generate-rndc-key.sh b/generate-rndc-key.sh
new file mode 100755
index 0000000..956bb8e
--- /dev/null
+++ b/generate-rndc-key.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [ -r /etc/rc.d/init.d/functions ]; then
+ . /etc/rc.d/init.d/functions
+else
+success() {
+ echo $" OK "
+}
+
+failure() {
+ echo -n " "
+ echo $"FAILED"
+}
+fi
+
+# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
+
+if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
+ echo -n $"Generating /etc/rndc.key:"
+ if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1
+ then
+ chmod 640 /etc/rndc.key
+ chown root:named /etc/rndc.key
+ [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
+ success $"/etc/rndc.key generation"
+ echo
+ else
+ rc=$?
+ failure $"/etc/rndc.key generation"
+ echo
+ exit $rc
+ fi
+fi
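Review bot: The success branch reports `/etc/rndc.key generation` as OK without checking the result of `chmod 640` or `chown root:named`. If `chown` fails, the key stays owned by root with mode 640, which the `named` user cannot read, and the script still prints a success message. Chaining the two and failing on error, `chmod 640 /etc/rndc.key && chown root:named /etc/rndc.key || exit 1`, would surface that. Sending both streams of `rndc-confgen` to `/dev/null` also hides the reason for a failure; redirecting stdout only (`> /dev/null`) would leave the error text in the journal when the script runs from named-setup-rndc.service.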
diff --git a/named-chroot-setup.service b/named-chroot-setup.service
new file mode 100644
index 0000000..237a909
--- /dev/null
+++ b/named-chroot-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named (DNS)
+BindsTo=named-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files
diff --git a/named-chroot.files b/named-chroot.files
new file mode 100644
index 0000000..75e6aa1
--- /dev/null
+++ b/named-chroot.files
@@ -0,0 +1,27 @@
+# Configuration of files used in chroot
+# Following files are made available after named-chroot.service start
+# if they are missing or empty in target directory.
+/etc/localtime
+/etc/named.root.key
+/etc/named.conf
+/etc/named.rfc1912.zones
+/etc/rndc.conf
+/etc/rndc.key
+/etc/named.iscdlv.key
+/etc/crypto-policies/back-ends/bind.config
+/etc/protocols
+/etc/services
+/etc/named.dnssec.keys
+/etc/pki/dnssec-keys
+/etc/named
+/usr/lib64/bind
+/usr/lib/bind
+/usr/lib64/named
+/usr/lib/named
+/usr/share/GeoIP
+/run/named
+/proc/sys/net/ipv4/ip_local_port_range
+# Warning: the order is important
+# If a directory containing $ROOTDIR is listed here,
+# it MUST be listed last. (/var/named contains /var/named/chroot)
+/var/named
diff --git a/named-chroot.service b/named-chroot.service
new file mode 100644
index 0000000..a49df15
--- /dev/null
+++ b/named-chroot.service
@@ -0,0 +1,30 @@
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
+# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
+# broken when rsyslogd daemon is restarted (due update, for example).
+
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Requires=named-chroot-setup.service
+Before=nss-lookup.target
+After=named-chroot-setup.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/var/named/chroot/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
+
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=false
+
+[Install]
+WantedBy=multi-user.target
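Review bot: None of the three named units added in this commit (this one, named-pkcs11.service and named.service) sets any systemd sandboxing beyond `PrivateTmp`, and this unit turns even that off with `PrivateTmp=false` without saying why. The daemon drops to `-u named` itself, but the `ExecStartPre` `named-checkconf -z` run has no `User=` and so presumably parses every zone file as root. I would add a comment above `PrivateTmp=false` giving the reason. Directives such as `NoNewPrivileges=yes` and `ProtectHome=yes` are worth considering on all three units, once tested against the chroot bind mounts and the PKCS#11 setup.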
diff --git a/named-pkcs11.service b/named-pkcs11.service
new file mode 100644
index 0000000..27e0693
--- /dev/null
+++ b/named-pkcs11.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
+
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/named-setup-rndc.service b/named-setup-rndc.service
new file mode 100644
index 0000000..ff85e3c
--- /dev/null
+++ b/named-setup-rndc.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Generate rndc key for BIND (DNS)
+
+[Service]
+Type=oneshot
+
+ExecStart=/usr/libexec/generate-rndc-key.sh
diff --git a/named.conf b/named.conf
new file mode 100644
index 0000000..c906875
--- /dev/null
+++ b/named.conf
@@ -0,0 +1,59 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+ listen-on port 53 { 127.0.0.1; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ secroots-file "/var/named/data/named.secroots";
+ recursing-file "/var/named/data/named.recursing";
+ allow-query { localhost; };
+
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion yes;
+
+ dnssec-validation yes;
+
+ managed-keys-directory "/var/named/dynamic";
+ geoip-directory "/usr/share/GeoIP";
+
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+
+ /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+ include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+ channel default_debug {
+ file "data/named.run";
+ severity dynamic;
+ };
+};
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+
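Review bot: `recursion yes;` is paired only with `allow-query { localhost; };`, and neither `allow-recursion` nor `allow-query-cache` is set, so as I read the BIND ARM both inherit from `allow-query`. An administrator who later widens `listen-on` and `allow-query` to serve authoritative data would then open recursion to the same clients, which is the open-resolver case the comment block warns about. Pinning them explicitly, `allow-recursion { localhost; };` and `allow-query-cache { localhost; };` next to `allow-query`, keeps the default safe under that edit. named.conf.sample in this commit already sets `allow-query-cache`.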
diff --git a/named.conf.sample b/named.conf.sample
new file mode 100644
index 0000000..d2ce6dd
--- /dev/null
+++ b/named.conf.sample
@@ -0,0 +1,243 @@
+/*
+ Sample named.conf BIND DNS server 'named' configuration file
+ for the Red Hat BIND distribution.
+
+ See the BIND Administrator's Reference Manual (ARM) for details, in:
+ file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
+ Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
+ its manual.
+*/
+
+options
+{
+ // Put files that named is allowed to write in the data/ directory:
+ directory "/var/named"; // "Working" directory
+ dump-file "data/cache_dump.db";
+ statistics-file "data/named_stats.txt";
+ memstatistics-file "data/named_mem_stats.txt";
+ secroots-file "data/named.secroots";
+ recursing-file "data/named.recursing";
+
+
+ /*
+ Specify listenning interfaces. You can use list of addresses (';' is
+ delimiter) or keywords "any"/"none"
+ */
+ //listen-on port 53 { any; };
+ listen-on port 53 { 127.0.0.1; };
+
+ //listen-on-v6 port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+
+ /*
+ Access restrictions
+
+ There are two important options:
+ allow-query { argument; };
+ - allow queries for authoritative data
+
+ allow-query-cache { argument; };
+ - allow queries for non-authoritative data (mostly cached data)
+
+ You can use address, network address or keywords "any"/"localhost"/"none" as argument
+ Examples:
+ allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
+ allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
+ */
+
+ allow-query { localhost; };
+ allow-query-cache { localhost; };
+
+ /* Enable/disable recursion - recursion yes/no;
+
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion yes;
+
+ /* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
+
+ /* Enable DNSSEC validation on recursive servers */
+ dnssec-validation yes;
+
+ /* In Fedora we use /run/named instead of default /var/run/named
+ so we have to configure paths properly. */
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+
+ managed-keys-directory "/var/named/dynamic";
+
+ /* In Fedora we use system-wide Crypto Policy */
+ /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+ include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging
+{
+/* If you want to enable debugging, eg. using the 'rndc trace' command,
+ * named will try to write the 'named.run' file in the $directory (/var/named).
+ * By default, SELinux policy does not allow named to modify the /var/named directory,
+ * so put the default debug log file in data/ :
+ */
+ channel default_debug {
+ file "data/named.run";
+ severity dynamic;
+ };
+};
+
+/*
+ Views let a name server answer a DNS query differently depending on who is asking.
+
+ By default, if named.conf contains no "view" clauses, all zones are in the
+ "default" view, which matches all clients.
+
+ Views are processed sequentially. The first match is used so the last view should
+ match "any" - it's fallback and the most restricted view.
+
+ If named.conf contains any "view" clause, then all zones MUST be in a view.
+*/
+
+view "localhost_resolver"
+{
+/* This view sets up named to be a localhost resolver ( caching only nameserver ).
+ * If all you want is a caching-only nameserver, then you need only define this view:
+ */
+ match-clients { localhost; };
+ recursion yes;
+
+ # all views must contain the root hints zone:
+ zone "." IN {
+ type hint;
+ file "/var/named/named.ca";
+ };
+
+ /* these are zones that contain definitions for all the localhost
+ * names and addresses, as recommended in RFC1912 - these names should
+ * not leak to the other nameservers:
+ */
+ include "/etc/named.rfc1912.zones";
+};
+view "internal"
+{
+/* This view will contain zones you want to serve only to "internal" clients
+ that connect via your directly attached LAN interfaces - "localnets" .
+ */
+ match-clients { localnets; };
+ recursion yes;
+
+ zone "." IN {
+ type hint;
+ file "/var/named/named.ca";
+ };
+
+ /* these are zones that contain definitions for all the localhost
+ * names and addresses, as recommended in RFC1912 - these names should
+ * not leak to the other nameservers:
+ */
+ include "/etc/named.rfc1912.zones";
+
+ // These are your "authoritative" internal zones, and would probably
+ // also be included in the "localhost_resolver" view above :
+
+ /*
+ NOTE for dynamic DNS zones and secondary zones:
+
+ DO NOT USE SAME FILES IN MULTIPLE VIEWS!
+
+ If you are using views and DDNS/secondary zones it is strongly
+ recommended to read FAQ on ISC site (www.isc.org), section
+ "Configuration and Setup Questions", questions
+ "How do I share a dynamic zone between multiple views?" and
+ "How can I make a server a slave for both an internal and an external
+ view at the same time?"
+ */
+
+ zone "my.internal.zone" {
+ type master;
+ file "my.internal.zone.db";
+ };
+ zone "my.slave.internal.zone" {
+ type slave;
+ file "slaves/my.slave.internal.zone.db";
+ masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
+ // put slave zones in the slaves/ directory so named can update them
+ };
+ zone "my.ddns.internal.zone" {
+ type master;
+ allow-update { key ddns_key; };
+ file "dynamic/my.ddns.internal.zone.db";
+ // put dynamically updateable zones in the slaves/ directory so named can update them
+ };
+};
+
+key ddns_key
+{
+ algorithm hmac-sha256;
+ secret "use /usr/sbin/ddns-confgen to generate TSIG keys";
+};
+
+view "external"
+{
+/* This view will contain zones you want to serve only to "external" clients
+ * that have addresses that are not match any above view:
+ */
+ match-clients { any; };
+
+ zone "." IN {
+ type hint;
+ file "/var/named/named.ca";
+ };
+
+ recursion no;
+ // you'd probably want to deny recursion to external clients, so you don't
+ // end up providing free DNS service to all takers
+
+ // These are your "authoritative" external zones, and would probably
+ // contain entries for just your web and mail servers:
+
+ zone "my.external.zone" {
+ type master;
+ file "my.external.zone.db";
+ };
+};
+
+/* Trusted keys
+
+ This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
+ should configure at least one trusted key.
+
+ Note that no key written below is valid. Especially root key because root zone
+ is not signed yet.
+*/
+/*
+trust-anchors {
+// Root Key
+. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+
+// Key for forward zone
+example.com. static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW
+ LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6
+ LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws
+ UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX
+ yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP
+ Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m
+ Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393
+ xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M=";
+
+
+// Key for reverse zone.
+2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D";
+};
+*/
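Review bot: The access-restriction example `allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };` uses a prefix length that does not match the network address, so anyone adapting it gets either a rejected ACL or a /8 far wider than the address suggests; `192.168.1.0/24` is presumably what was meant. In the same file the comment inside `my.ddns.internal.zone` says dynamic zones go in `slaves/` while its `file` line uses `dynamic/`. The commented-out reverse-zone anchor is spelled `IN-ADDRPA.NET.`, and the "Trusted keys" comment still says the root zone is not signed, although named.root.key in this commit ships a root anchor. These are comment and sample fixes only; for the ddns comment I would write `// put dynamically updatable zones in the dynamic/ directory so named can update them`.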
diff --git a/named.empty b/named.empty
new file mode 100644
index 0000000..8e271e7
--- /dev/null
+++ b/named.empty
@@ -0,0 +1,10 @@
+$TTL 3H
+@ IN SOA @ rname.invalid. (
+ 0 ; serial
+ 1D ; refresh
+ 1H ; retry
+ 1W ; expire
+ 3H ) ; minimum
+ NS @
+ A 127.0.0.1
+ AAAA ::1
diff --git a/named.localhost b/named.localhost
new file mode 100644
index 0000000..6fe6a52
--- /dev/null
+++ b/named.localhost
@@ -0,0 +1,10 @@
+$TTL 1D
+@ IN SOA @ rname.invalid. (
+ 0 ; serial
+ 1D ; refresh
+ 1H ; retry
+ 1W ; expire
+ 3H ) ; minimum
+ NS @
+ A 127.0.0.1
+ AAAA ::1
diff --git a/named.logrotate b/named.logrotate
new file mode 100644
index 0000000..5df448f
--- /dev/null
+++ b/named.logrotate
@@ -0,0 +1,12 @@
+/var/named/data/named.run {
+ missingok
+ su named named
+ create 0644 named named
+ postrotate
+ /usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
+ /usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true
+ /usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true
+ /usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true
+ /usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true
+ endscript
+}
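Review bot: `create 0644 named named` recreates `named.run` world-readable, and that file is the `default_debug` channel, which can carry client addresses and queried names once debugging is enabled. Unless the permissions on `/var/named/data` (not visible here) already keep other users out, `create 0640 named named` is the safer default.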
diff --git a/named.loopback b/named.loopback
new file mode 100644
index 0000000..7f3d862
--- /dev/null
+++ b/named.loopback
@@ -0,0 +1,11 @@
+$TTL 1D
+@ IN SOA @ rname.invalid. (
+ 0 ; serial
+ 1D ; refresh
+ 1H ; retry
+ 1W ; expire
+ 3H ) ; minimum
+ NS @
+ A 127.0.0.1
+ AAAA ::1
+ PTR localhost.
diff --git a/named.rfc1912.zones b/named.rfc1912.zones
new file mode 100644
index 0000000..fa8caf5
--- /dev/null
+++ b/named.rfc1912.zones
@@ -0,0 +1,45 @@
+// named.rfc1912.zones:
+//
+// Provided by Red Hat caching-nameserver package
+//
+// ISC BIND named zone configuration for zones recommended by
+// RFC 1912 section 4.1 : localhost TLDs and address zones
+// and https://tools.ietf.org/html/rfc6303
+// (c)2007 R W Franks
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+// Note: empty-zones-enable yes; option is default.
+// If private ranges should be forwarded, add
+// disable-empty-zone "."; into options
+//
+
+zone "localhost.localdomain" IN {
+ type master;
+ file "named.localhost";
+ allow-update { none; };
+};
+
+zone "localhost" IN {
+ type master;
+ file "named.localhost";
+ allow-update { none; };
+};
+
+zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
+ type master;
+ file "named.loopback";
+ allow-update { none; };
+};
+
+zone "1.0.0.127.in-addr.arpa" IN {
+ type master;
+ file "named.loopback";
+ allow-update { none; };
+};
+
+zone "0.in-addr.arpa" IN {
+ type master;
+ file "named.empty";
+ allow-update { none; };
+};
diff --git a/named.root b/named.root
new file mode 100644
index 0000000..532d4ff
--- /dev/null
+++ b/named.root
@@ -0,0 +1,61 @@
+
+; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
+; (2 servers found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
+;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 1472
+;; QUESTION SECTION:
+;. IN NS
+
+;; ANSWER SECTION:
+. 518400 IN NS a.root-servers.net.
+. 518400 IN NS b.root-servers.net.
+. 518400 IN NS c.root-servers.net.
+. 518400 IN NS d.root-servers.net.
+. 518400 IN NS e.root-servers.net.
+. 518400 IN NS f.root-servers.net.
+. 518400 IN NS g.root-servers.net.
+. 518400 IN NS h.root-servers.net.
+. 518400 IN NS i.root-servers.net.
+. 518400 IN NS j.root-servers.net.
+. 518400 IN NS k.root-servers.net.
+. 518400 IN NS l.root-servers.net.
+. 518400 IN NS m.root-servers.net.
+
+;; ADDITIONAL SECTION:
+a.root-servers.net. 518400 IN A 198.41.0.4
+b.root-servers.net. 518400 IN A 199.9.14.201
+c.root-servers.net. 518400 IN A 192.33.4.12
+d.root-servers.net. 518400 IN A 199.7.91.13
+e.root-servers.net. 518400 IN A 192.203.230.10
+f.root-servers.net. 518400 IN A 192.5.5.241
+g.root-servers.net. 518400 IN A 192.112.36.4
+h.root-servers.net. 518400 IN A 198.97.190.53
+i.root-servers.net. 518400 IN A 192.36.148.17
+j.root-servers.net. 518400 IN A 192.58.128.30
+k.root-servers.net. 518400 IN A 193.0.14.129
+l.root-servers.net. 518400 IN A 199.7.83.42
+m.root-servers.net. 518400 IN A 202.12.27.33
+a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
+b.root-servers.net. 518400 IN AAAA 2001:500:200::b
+c.root-servers.net. 518400 IN AAAA 2001:500:2::c
+d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
+e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
+f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
+g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
+h.root-servers.net. 518400 IN AAAA 2001:500:1::53
+i.root-servers.net. 518400 IN AAAA 2001:7fe::53
+j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
+k.root-servers.net. 518400 IN AAAA 2001:7fd::1
+l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
+m.root-servers.net. 518400 IN AAAA 2001:dc3::35
+
+;; Query time: 24 msec
+;; SERVER: 198.41.0.4#53(198.41.0.4)
+;; WHEN: Thu Apr 05 15:57:34 CEST 2018
+;; MSG SIZE rcvd: 811
+
diff --git a/named.root.key b/named.root.key
new file mode 100644
index 0000000..fbcb5d3
--- /dev/null
+++ b/named.root.key
@@ -0,0 +1,13 @@
+trust-anchors {
+ # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
+ # for current trust anchor information.
+ #
+ # This key (20326) was published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
+};
diff --git a/named.rwtab b/named.rwtab
new file mode 100644
index 0000000..2cb3a41
--- /dev/null
+++ b/named.rwtab
@@ -0,0 +1,6 @@
+dirs /var/named
+
+files /var/named/named.ca
+files /var/named/named.empty
+files /var/named/named.localhost
+files /var/named/named.loopback
diff --git a/named.service b/named.service
new file mode 100644
index 0000000..7cd6d34
--- /dev/null
+++ b/named.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=named-setup-rndc.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/named.sysconfig b/named.sysconfig
new file mode 100644
index 0000000..5f6f817
--- /dev/null
+++ b/named.sysconfig
@@ -0,0 +1,17 @@
+# BIND named process options
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# OPTIONS="whatever" -- These additional options will be passed to named
+# at startup. Don't add -t here, enable proper
+# -chroot.service unit file.
+#
+# NAMEDCONF=/etc/named/alternate.conf
+# -- Don't use -c to change configuration file.
+# Extend systemd named.service instead or use this
+# variable.
+#
+# DISABLE_ZONE_CHECKING -- By default, service file calls named-checkzone
+# utility for every zone to ensure all zones are
+# valid before named starts. If you set this option
+# to 'yes' then service file doesn't perform those
+# checks.
diff --git a/setup-named-chroot.sh b/setup-named-chroot.sh
new file mode 100755
index 0000000..5e68915
--- /dev/null
+++ b/setup-named-chroot.sh
@@ -0,0 +1,117 @@
+#!/bin/bash
+
+ROOTDIR="$1"
+CONFIG_FILES="${3:-/etc/named-chroot.files}"
+
+usage()
+{
+ echo
+ echo 'This script setups chroot environment for BIND'
+ echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> [chroot.files]'
+}
+
+if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
+ echo 'Wrong number of arguments'
+ usage
+ exit 1
+fi
+
+# Exit if ROOTDIR doesn't exist
+if ! [ -d "$ROOTDIR" ]; then
+ echo "Root directory $ROOTDIR doesn't exist"
+ usage
+ exit 1
+fi
+
+if ! [ -r "$CONFIG_FILES" ]; then
+ echo "Files list $CONFIG_FILES doesn't exist" 2>&1
+ usage
+ exit 1
+fi
+
+dev_create()
+{
+ DEVNAME="$ROOTDIR/dev/$1"
+ shift
+ if ! [ -e "$DEVNAME" ]; then
+ /bin/mknod -m 0664 "$DEVNAME" $@
+ /bin/chgrp named "$DEVNAME"
+ if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
+ /usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
+ fi
+ fi
+}
+
+dev_chroot_prep()
+{
+ dev_create random c 1 8
+ dev_create urandom c 1 9
+ dev_create zero c 1 5
+ dev_create null c 1 3
+}
+
+files_comment_filter()
+{
+ if [ -d "$1" ]; then
+ grep -v '^[[:space:]]*#' "$1"/*.files
+ else
+ grep -v '^[[:space:]]*#' "$1"
+ fi
+}
+
+mount_chroot_conf()
+{
+ if [ -n "$ROOTDIR" ]; then
+ # Check devices are prepared
+ dev_chroot_prep
+ files_comment_filter "$CONFIG_FILES" | while read -r all; do
+ # Skip nonexistant files
+ [ -e "$all" ] || continue
+
+ # If mount source is a file
+ if ! [ -d "$all" ]; then
+ # mount it only if it is not present in chroot or it is empty
+ if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
+ touch "$ROOTDIR$all"
+ mount --bind "$all" "$ROOTDIR$all"
+ fi
+ else
+ # Mount source is a directory. Mount it only if directory in chroot is
+ # empty.
+ if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
+ mount --bind --make-private "$all" "$ROOTDIR$all"
+ fi
+ fi
+ done
+ fi
+}
+
+umount_chroot_conf()
+{
+ if [ -n "$ROOTDIR" ]; then
+ files_comment_filter "$CONFIG_FILES" | while read -r all; do
+ # Check if file is mount target. Do not use /proc/mounts because detecting
+ # of modified mounted files can fail.
+ if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
+ umount "$ROOTDIR$all"
+ # Remove temporary created files
+ [ -f "$all" ] && rm -f "$ROOTDIR$all"
+ fi
+ done
+ fi
+}
+
+case "$2" in
+ on)
+ mount_chroot_conf
+ ;;
+ off)
+ umount_chroot_conf
+ ;;
+ *)
+ echo 'Second argument has to be "on" or "off"'
+ usage
+ exit 1
+esac
+
+exit 0
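Review bot: In `files_comment_filter` the directory branch runs grep over `"$1"/*.files`, and with more than one matching file grep prefixes each output line with the file name. `mount_chroot_conf` would then read `NAME.files:/etc/...` and silently skip it at `[ -e "$all" ] || continue`; `grep -h -v '^[[:space:]]*#' "$1"/*.files` avoids that. The directory-emptiness test in `mount_chroot_conf` expands `$ROOTDIR$all` unquoted, unlike every other use in the script, so a listed path with spaces or glob characters is split or expanded in a script that runs as root from named-chroot-setup.service; `ls -1A "$ROOTDIR$all"` fixes it. `umount_chroot_conf` also passes the path to `grep -q` as a regular expression, where `.` matches any character; a fixed-string match such as `grep -qF " on $ROOTDIR$all "` would be stricter. The `2>&1` on the "Files list" message was presumably meant to be `>&2`.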
diff --git a/setup-named-softhsm.sh b/setup-named-softhsm.sh
new file mode 100755
index 0000000..c0f8445
--- /dev/null
+++ b/setup-named-softhsm.sh
@@ -0,0 +1,124 @@
+#!/bin/sh
+#
+# This script will initialise token storage of softhsm PKCS11 provider
+# in custom location. Is useful to store tokens in non-standard location.
+#
+# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
+# Quotes around eval are mandatory!
+# Recommended use:
+# eval "$(bash setup-named-softhsm.sh -A)"
+#
+
+SOFTHSM2_CONF="$1"
+TOKENPATH="$2"
+GROUPNAME="$3"
+# Do not use this script for real keys worth protection
+# This is intended for crypto accelerators using PKCS11 interface.
+# Uninitialized token would fail any crypto operation.
+PIN=1234
+SO_PIN=1234
+LABEL=rpm
+
+set -e
+
+echo_i()
+{
+ echo "#" $@
+}
+
+random()
+{
+ if [ -x "$(which openssl 2>/dev/null)" ]; then
+ openssl rand -base64 $1
+ else
+ dd if=/dev/urandom bs=1c count=$1 | base64
+ fi
+}
+
+usage()
+{
+ echo "Usage: $0 -A [token directory] [group]"
+ echo " or: $0 <config file> <token directory> [group]"
+}
+
+if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
+ TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
+fi
+
+if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
+ usage >&2
+ exit 1
+fi
+
+if [ "$SOFTHSM2_CONF" = "-A" ]; then
+ # Automagic mode instead
+ MODE=secure
+ SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
+ PIN_SOURCE="$TOKENPATH/pin"
+ SOPIN_SOURCE="$TOKENPATH/so-pin"
+ TOKENPATH="$TOKENPATH/tokens"
+else
+ MODE=legacy
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+umask 0022
+
+if ! [ -f "$SOFTHSM2_CONF" ]; then
+cat << SED > "$SOFTHSM2_CONF"
+# SoftHSM v2 configuration file
+
+directories.tokendir = ${TOKENPATH}
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+SED
+else
+ echo_i "Config file $SOFTHSM2_CONF already exists" >&2
+fi
+
+if [ -n "$PIN_SOURCE" ]; then
+ touch "$PIN_SOURCE" "$SOPIN_SOURCE"
+ chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
+ if [ -n "$GROUPNAME" ]; then
+ chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
+ chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
+ fi
+fi
+
+export SOFTHSM2_CONF
+
+if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
+then
+ echo_i "Token in ${TOKENPATH} is already initialized" >&2
+
+ [ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
+ [ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
+else
+ PIN=$(random 6)
+ SO_PIN=$(random 18)
+ if [ -n "$PIN_SOURCE" ]; then
+ echo -n "$PIN" > "$PIN_SOURCE"
+ echo -n "$SO_PIN" > "$SOPIN_SOURCE"
+ fi
+
+ echo_i "Initializing tokens to ${TOKENPATH}..."
+ softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
+
+ if [ -n "$GROUPNAME" ]; then
+ chgrp -R -- "$GROUPNAME" "$TOKENPATH"
+ chmod -R -- g=rX,o= "$TOKENPATH"
+ fi
+fi
+
+echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
+echo "export PIN_SOURCE=\"$PIN_SOURCE\""
+echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
+# These are intentionaly not exported
+echo "PIN=\"$PIN\""
+echo "SO_PIN=\"$SO_PIN\""
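Review bot: The header tells callers to `eval` this script's output, but the final `echo` lines interpolate `$SOFTHSM2_CONF`, `$PIN_SOURCE` and `$SOPIN_SOURCE` raw between double quotes, so a config or token path containing a double quote, backtick, `$` or backslash changes what the caller's shell evaluates. Rejecting such characters in the two path arguments before first use, with `usage >&2; exit 1` as in the empty-argument case, would close that. Separately, `--pin "$PIN" --so-pin "$SO_PIN"` puts both PINs on the `softhsm2-util` command line, where they are visible in the process list while it runs; the "Do not use this script for real keys" comment should say so. `echo -n` is also not portable under the `#!/bin/sh` shebang; `printf '%s' "$PIN" > "$PIN_SOURCE"` is.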
diff --git a/sources b/sources
new file mode 100644
index 0000000..3f9db7c
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+0bf3c0f656844194579647abd7a2961a bind-9.16.23.tar.xz
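Review bot: The tarball pin is a bare 32-hex-digit digest, which by its length appears to be MD5, and MD5 no longer gives collision resistance for a source integrity check. If the build tooling accepts it, pin `bind-9.16.23.tar.xz` with a SHA-512 entry instead. The detached signature and code-signing keys added in this commit only compensate if the spec actually verifies them, which this hunk does not show.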
diff --git a/trusted-key.key b/trusted-key.key
new file mode 100644
index 0000000..7b845f3
--- /dev/null
+++ b/trusted-key.key
@@ -0,0 +1 @@
+. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=