| Name: bind-modules-bdbhpt | Distribution: openSUSE Tumbleweed |
| Version: 9.20.13 | Vendor: openSUSE |
| Release: 1.2 | Build date: Thu Sep 11 11:17:09 2025 |
| Group: Productivity/Networking/DNS/Servers | Build host: reproducible |
| Size: 67400 | Source RPM: bind-9.20.13-1.2.src.rpm |
| Packager: http://bugs.opensuse.org | |
| Url: https://www.isc.org/bind/ | |
| Summary: A DLZ module which stores zone data in a BerkeleyDB | |
This package provides the externally loadable bdbhpt DLZ driver, without update support.
MPL-2.0
* Thu Sep 11 2025 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Upgrade to release 9.20.13
New Features:
* Add a new option `manual-mode` to dnssec-policy.
* Add a new option `servfail-until-ready` to response-policy
zones.
* Support for parsing HHIT and BRID records has been added.
Removed Features:
* Deprecate the `tkey-gssapi-credential` statement.
* Obsolete the `tkey-domain` statement.
Bug Fixes:
* Prevent spurious SERVFAILs for certain 0-TTL resource records.
* Fix unexpected termination if catalog-zones had undefined
`default-primaries`.
* Thu Aug 21 2025 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Upgrade to release 9.20.12
New Features:
* Support for parsing DSYNC records has been added.
Feature Changes:
* Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS
digest type 1.
Bug Fixes:
* Stale RRsets in a CNAME chain were not always refreshed.
* Add RPZ extended DNS error for zones with a CNAME override
policy configured.
* Fix dig +keepopen option.
* Log dropped or slipped responses in the query-errors category.
* Fix synth-from-dnssec not working in some scenarios.
* Clean enough memory when adding new ADB names/entries under
memory pressure.
* Prevent spurious validation failures.
* Tue Jul 15 2025 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Upgrade to release 9.20.11
Security Fixes:
* Fix a possible assertion failure when
stale-answer-client-timeout is set to 0. In specific
circumstances the named resolver process could exit with an
assertion failure when stale answers were enabled and the
stale-answer-client-timeout configuration option was set to 0.
(CVE-2025-40777)
[bsc#1246548]
New Features:
* Add support for the CO flag to dig.
Bug Fixes:
* Correct the default interface-interval from 60s to 60m.
* Fix a purge-keys bug when using multiple views of a zone.
* Use IPv6 queries in delv +ns.
* Mon Jun 23 2025 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Upgrade to release 9.20.10
New Features:
* Implement a new notify-defer configuration option. This new
option sets a delay (in seconds) to wait before sending a set
of NOTIFY messages for a zone. Whenever a NOTIFY message is
ready to be sent, sending is deferred for this duration. This
option should not be confused with the notify-delay option. The
default is 0 seconds.
Removed Features:
* Implement the systemd notification protocol manually to remove
dependency on libsystemd.
Bug Fixes:
* A secondary zone could initiate a new zone transfer from the
primary server after it had been already deleted from the
secondary server, and before the internal garbage collection
was activated to clean it up completely. This has been fixed.
* A secondary zone could fail to further refresh with new
versions of the zone from a primary server if named was
reconfigured during the SOA request step of an ongoing zone
transfer. This has been fixed.
- Clean up systemd BuildRequires
* Tue May 20 2025 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Upgrade to release 9.20.9
Security Fixes:
* Prevent an assertion failure when processing TSIG algorithm.
(CVE-2025-40775)
[bsc#1243361]
Feature Changes:
* Return DNS COOKIE and NSID with BADVERS.
* Disable separate memory context for libxml2 memory allocations
on macOS.
* Use Jinja2 templates in system tests.
Bug Fixes:
* Revert NSEC3 closest encloser lookup improvements.
* Fix EDNS YAML output in dig.
* Fix RDATA checks for PRIVATEOID keys.
* Fix a serve-stale issue with a delegated zone.
* Thu Apr 17 2025 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Upgrade to release 9.20.8
New Features:
* Add support for EDE 20 (Not Authoritative)
* Add support for EDE 7 and EDE 8.
* `dig` can now display the received BADVERS message during
negotiation.
* Add an `rndc` command to reset some statistics counters.
Bug Fixes:
* Restore NSEC3 closest-encloser lookup improvements.
* Stop caching lack of EDNS support.
* Fix resolver statistics counters for timed-out responses.
* Nested DNS validation could cause an assertion failure.
* Wait for memory reclamation to finish in `named-checkconf`.
* Ensure `max-clients-per-query` is at least `clients-per-query`.
* Fix write after free in validator code.
* Don't enforce NOAUTH/NOCONF flags in DNSKEYs.
* Fix several small DNSSEC timing issues.
* Fix inconsistency in CNAME/DNAME handling during resolution.
* Mon Mar 24 2025 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Upgrade to release 9.20.7
New Features:
* Implement the min-transfer-rate-in configuration option.
A new option min-transfer-rate-in has been added to the view
and zone configurations. It can abort incoming zone transfers
that run very slowly due to network-related issues, for
example. The default value is 10240 bytes in five minutes. [GL #3914]
* Add HTTPS record query to host command line tool.
The host command was extended to also query for the HTTPS RR
type by default.
* Implement sig0key-checks-limit and sig0message-checks-limit.
Previously, a hard-coded limitation of a maximum of two key or
message verification checks was introduced when checking a
message’s SIG(0) signature, to protect against possible DoS
attacks. Two as a maximum was chosen so that more than a single
key should only be required during key rotations, and in that
case two keys are enough. It later became apparent that there
are other use cases where even more keys are required; see the
related GitLab issue for examples.
This change introduces two new configuration options for the
views: sig0key-checks-limit and sig0message-checks-limit. They
define how many keys can be checked to find a matching key, and
how many message verifications are allowed to take place once a
matching key has been found. The former provides slightly less
“expensive” key parsing operations and defaults to 16. The
latter protects against expensive cryptographic operations when
there are keys with colliding tags and algorithm numbers; the
default is 2. [GL #5050]
* Adds support for EDE codes 1 and 2.
Support was added for EDE codes 1 and 2, which might occur
during DNSSEC validation in the case of an unsupported RRSIG
algorithm or DNSKEY digest. [GL #2715]
* Add an rndc command to toggle jemalloc profiling.
The new command is rndc memprof; the memory profiling status is
also reported inside rndc status. The status shows whether
named can toggle memory profiling, and whether the server is
built with jemalloc. [GL #4759]
* Add support for multiple extended DNS errors.
The Extended DNS Error (EDE) mechanism may raise errors during
a DNS resolution. named is now able to add up to three EDE
codes in a DNS response. If there are duplicate error codes,
only the first one is part of the DNS response. [GL #5085]
* Print the expiration time of stale records.
BIND now prints the expiration time of any stale RRsets in the
cache dump.
Bug Fixes:
* Fix dual-stack-servers configuration option.
The dual-stack-servers configuration option was not working as
expected; the specified servers were not being used when they
should have been, leading to resolution failures. This has been
fixed. [GL #5019]
* Fix a data race causing a permanent active client increase.
Previously, a data race could cause a newly created fetch
context for a new client to be used before it had been fully
initialized, which would cause the query to become stuck;
queries for the same data would be either paused indefinitely
or dropped because of the clients-per-query limit. This has
been fixed. [GL #5053]
* Fix deferred validation of unsigned DS and DNSKEY records.
When processing a query with the “checking disabled” bit set
(CD=1), named stores the invalidated result in the cache,
marked “pending”. When the same query is sent with CD=0, the
cached data is validated and either accepted as an answer, or
ejected from the cache as invalid. This deferred validation was
not attempted for DS and DNSKEY records if they had no cached
signatures, causing spurious validation failures. The deferred
validation is now completed in this scenario.
Also, if deferred validation fails, the data is now re-queried
to find out whether the zone has been corrected since the
invalid data was cached. [GL #5066]
* Fix RPZ race condition during a reconfiguration.
With RPZ in use, named could terminate unexpectedly because of
a race condition when a reconfiguration command was received
using rndc. This has been fixed. [GL #5146]
* “CNAME and other data check” not applied to all types.
An incorrect optimization caused “CNAME and other data” errors
not to be detected if certain types were at the same node as a
CNAME. This has been fixed. [GL #5150]
* Relax private DNSKEY and RRSIG constraints.
DNSKEY, KEY, RRSIG, and SIG constraints have been relaxed to
allow empty key and signature material after the algorithm
identifier for PRIVATEOID and PRIVATEDNS. It is arguable
whether this falls within the expected use of these types, as
no key material is shared and the signatures are ineffective,
but these are private algorithms and they can be totally
insecure. [GL #5167]
* Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
Previously, when parsing responses, named incorrectly rejected
responses without matching RRSIG records for NSEC/DS/NSEC3
records in the authority section. This rejection, if
appropriate, should have been left for the validator to
determine and has been fixed. [GL #5185]
* Fix TTL issue with ANY queries processed through RPZ
“passthru”.
Answers to an “ANY” query which were processed by the RPZ
“passthru” policy had the response-policy’s max-policy-ttl
value unexpectedly applied. This has been fixed. [GL #5187]
* dnssec-signzone needs to check for a NULL key when setting
offline.
dnssec-signzone could dereference a NULL key pointer when
resigning a zone. This has been fixed. [GL #5192]
* Fix a bug in the statistics channel when querying zone transfer
information.
When querying zone transfer information from the statistics
channel, there was a rare possibility that named could
terminate unexpectedly if a zone transfer was in a state when
transferring from all the available primary servers had failed
earlier. This has been fixed. [GL #5198]
* Fix assertion failure when dumping recursing clients.
Previously, if a new counter was added to the hash table while
dumping recursing clients via the rndc recursing command, and
fetches-per-zone was enabled, an assertion failure could occur.
This has been fixed. [GL #5200]
* Dump the active resolver fetches from
dns_resolver_dumpfetches().
Previously, active resolver fetches were only dumped when the
fetches-per-zone configuration option was enabled. Now, active
resolver fetches are dumped along with the number of
clients-per-query counters per resolver fetch.
* Recently expired records could be returned with a timestamp in
the future.
Under rare circumstances, an RRSet that expired at the time of
the query could be returned with a TTL in the future. This has
been fixed.
As a side effect, the expiration time of expired RRSets is no
longer returned in a cache dump. [GL #5094]
* YAML string not terminated in negative response in delv.
* Fix a bug in dnssec-signzone related to keys being offline.
When dnssec-signzone was called on an already-signed zone and
the private key file was unavailable, a signature that needed
to be refreshed was dropped without being able to generate a
replacement. This has been fixed. [GL #5126]
* Apply the memory limit only to ADB database items.
Under heavy load, a resolver could exhaust the memory available
for storing the information in the Address Database (ADB),
effectively discarding previously stored information in the
ADB. The memory used to retrieve and provide information from
the ADB is no longer subject to the same memory limits that are
applied to the Address Database. [GL #5127]
* Avoid unnecessary locking in the zone/cache database.
Lock contention among many worker threads referring to the same
database node at the same time is now prevented. This improves
zone and cache database performance for any heavily contended
database nodes. [GL #5130]
* Fix reporting of Extended DNS Error 22 (No Reachable
Authority).
This error code was previously not reported in some applicable
situations. This has been fixed. [GL #5137]
* Thu Jan 30 2025 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Upgrade to release 9.20.5
Security Fixes:
* DNS-over-HTTPS flooding fixes.
Fix DNS-over-HTTPS implementation issues that arise under heavy
query load. Optimize resource usage for named instances that
accept queries over DNS-over-HTTPS.
Previously, named processed all incoming HTTP/2 data at once,
which could overwhelm the server, especially when dealing with
clients that sent requests but did not wait for responses. That
has been fixed. Now, named handles HTTP/2 data in smaller
chunks and throttles reading until the remote side reads the
response data. It also throttles clients that send too many
requests at once.
In addition, named now evaluates excessive streams opened by
clients that include no DNS data, which is considered
“flooding.” It logs these clients and drops connections from
them.
In some cases, named could leave DNS-over-HTTPS connections in
the CLOSE_WAIT state indefinitely. That has also been fixed.
(CVE-2024-12705)
[bsc#1236597]
* Limit additional section processing for large RDATA sets.
When answering queries, don’t add data to the additional
section if the answer has more than 13 names in the RDATA. This
limits the number of lookups into the database(s) during a
single client query, reducing the query-processing load.
(CVE-2024-11187)
[bsc#1236596]
New Features:
* Add Extended DNS Error Code 22 - No Reachable Authority.
When the resolver is trying to query an authoritative server
and eventually times out, a SERVFAIL answer is given to the
client. Add the Extended DNS Error Code 22 - No Reachable
Authority to the response.
* Add a new option to configure the maximum number of outgoing
queries per client request.
The configuration option max-query-count sets how many outgoing
queries per client request are allowed. The existing
max-recursion-queries value is the number of permissible
queries for a single name and is reset on every CNAME
redirection. This new option is a global limit on the client
request. The default is 200.
The default for max-recursion-queries is changed from 32 to 50.
This allows named to send a few more queries while looking up a
single name.
* Use the Server Name Indication (SNI) extension for all outgoing
TLS connections.
This improves compatibility with other DNS server software.
Feature Changes:
* Performance optimization for NSEC3 lookups introduced in BIND
9.20.2 was reverted to avoid risks associated with a complex
code change.
* The configuration clauses parental-agents and primaries are
renamed to remote-servers.
The top blocks primaries and parental-agents are no longer
preferred and should be renamed to remote-servers. The zone
statements parental-agents and primaries are still used, and
may refer to any remote-servers top block.
* Add none parameter to query-source and query-source-v6 to
disable IPv4 or IPv6 upstream queries but allow listening to
queries from clients on IPv4 or IPv6.
Bug Fixes:
* Fix nsupdate hang when processing a large update.
To mitigate DNS flood attacks over a single TCP connection,
throttle the connection when the other side does not read the
data. Throttling should only occur on server-side sockets, but
erroneously also happened for nsupdate, which acts as a client.
When nsupdate started throttling the connection, it never
attempted to read again. This has been fixed.
* Fix possible assertion failure when reloading server while
processing update policy rules.
* Preserve cache across reconfig when using attach-cache.
When the attach-cache option is used in the options block with
an arbitrary name, it causes all views to use the same cache.
Previously, this configuration caused the cache to be deleted
and a new cache to be created every time the server was
reconfigured. This has been fixed.
* Resolve the spurious drops in performance due to glue cache.
For performance reasons, the returned glue records are cached
on the first use. The current implementation could randomly
cause a performance drop and increased memory use. This has
been fixed.
* Fix dnssec-signzone signing non-DNSKEY RRsets with revoked
keys.
dnssec-signzone was using revoked keys for signing RRsets other
than DNSKEY. This has been corrected.
* Fix improper handling of unknown directives in resolv.conf.
The line after an unknown directive in resolv.conf could
accidentally be skipped, potentially affecting dig, host,
nslookup, nsupdate, or delv. This has been fixed.
* Fix response policy zones and catalog zones with an $INCLUDE
statement defined.
Response policy zones (RPZ) and catalog zones were not working
correctly if they had an $INCLUDE statement defined. This has
been fixed.
- Remove desktop file and BuildRequires: update-desktop-files
* Tue Jan 21 2025 Steve Kowalik <steven.kowalik@suse.com>
- Explicitly BuildRequire sphinx_rtd_theme.
* Thu Dec 12 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Add new dlz-modules source
- Update to release 9.20.4
New Features:
* Update built-in bind.keys file with the new 2025 IANA root key.
* Add an initial-ds entry to bind.keys for the new root key, ID
38696, which is scheduled for publication in January 2025.
Removed Features:
* Move contributed DLZ modules into a separate repository. DLZ
modules should not be used except in testing.
* The DLZ modules were not maintained, the DLZ interface itself
is going to be scheduled for removal, and the DLZ interface is
blocking. Any module that blocks the query to the database
blocks the whole server.
* The DLZ modules now live in the
https://gitlab.isc.org/isc-projects/dlz-modules repository.
Feature Changes:
* dnssec-ksr now supports KSK rollovers.
* The tool now allows for KSK generation, as well as planned KSK
rollovers. When signing a bundle from a Key Signing Request
(KSR), only the key that is active in that time frame is used
for signing. Also, the CDS and CDNSKEY records are now added
and removed at the correct time.
* Print RFC 7314: EXPIRE option in transfer summary.
* Emit more helpful log messages for exceeding
max-records-per-type.
* The new log message is emitted when adding or updating an RRset
fails due to exceeding the max-records-per-type limit. The log
includes the owner name and type, corresponding zone name, and
the limit value. It will be emitted on loading a zone file,
inbound zone transfer (both AXFR and IXFR), handling a DDNS
update, or updating a cache DB. It’s especially helpful in the
case of zone transfer, since the secondary side doesn’t have
direct access to the offending zone data.
* It could also be used for max-types-per-name, but this change
doesn’t implement it yet as it’s much less likely to happen in
practice.
* Harden key management when key files have become unavailable.
* Prior to doing key management, BIND 9 will check if the key
files on disk match the expected keys. If key files for
previously observed keys have become unavailable, this will
prevent the internal key manager from running.
Bug Fixes:
* Use TLS for notifies if configured to do so.
* Notifies configured to use TLS will now be sent over TLS,
instead of plain text UDP or TCP. Also, failing to load the TLS
configuration for notify now results in an error.
* {&dns} is as valid as {?dns} in a SVCB’s dohpath.
* dig failed to parse a valid SVCB record with a dohpath URI
template containing a {&dns}, like
dohpath=/some/path?key=value{&dns}.
* Fix NSEC3 closest encloser lookup for names with empty
non-terminals.
* A previous performance optimization for finding the NSEC3
closest encloser when generating authoritative responses could
cause servers to return incorrect NSEC3 records in some cases.
This has been fixed.
* recursive-clients statement with value 0 triggered an assertion
failure.
* BIND 9.20.0 broke recursive-clients 0;. This has now been
fixed.
* Parsing of hostnames in rndc.conf was broken.
* When DSCP support was removed, parsing of hostnames in
rndc.conf was accidentally broken, resulting in an assertion
failure. This has been fixed.
* dig options of the form [+-]option=<value> failed to display
the value on the printed command line. This has been fixed.
* Provide more visibility into TLS configuration errors by
logging SSL_CTX_use_certificate_chain_file() and
SSL_CTX_use_PrivateKey_file() errors individually.
* Fix a race condition when canceling ADB find which could cause
an assertion failure.
* SERVFAIL cache memory cleaning is now more aggressive; it no
longer consumes a lot of memory if the server encounters many
SERVFAILs at once.
* Fix trying the next primary XoT server when the previous one
was marked as unreachable.
* In some cases named failed to try the next primary server in
the primaries list when the previous one was marked as
unreachable. This has been fixed.
* Thu Dec 12 2024 Andreas Stieger <andreas.stieger@gmx.de>
- update root hints file to 2024-11-20 version (boo#1234406)
* Mon Oct 21 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.20.3
New Features:
* Log query response status to the query log.
* Log a query response summary using the new responses category.
Logging can be controlled via the responselog option and via
rndc responselog.
* Added WALLET type.
* Add the new record type WALLET (262). This provides a mapping
from a domain name to a cryptographic currency wallet. Multiple
mappings can exist if multiple records exist.
Feature Changes:
* Set logging category for notify/xfer-in-related messages.
* Some notify and xfer-in-related log messages were logged at the
“general” category level instead of their own category. This
has been fixed.
* Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
* This change allows fallback from an IXFR failure to AXFR when
the reason is DNS_R_TOOMANYRECORDS.
Bug Fixes:
* Fix a statistics channel counter bug when “forward only” zones
are used.
* When resolving a zone with a “forward only” policy, and finding
out that all the forwarders were marked as “bad”, the
“ServerQuota” counter of the statistics channel was incorrectly
increased. This has been fixed.
* Fix a bug in the static-stub implementation.
* Static-stub addresses and addresses from other sources were
being mixed together, resulting in static-stub queries going to
addresses not specified in the configuration, or alternatively,
static-stub addresses being used instead of the correct server
addresses.
* Don’t allow statistics-channels if libxml2 and libjson-c are
not configured.
* When BIND 9 is not configured with the libxml2 and libjson-c
libraries, the use of the statistics-channels option is a fatal
error.
* Separate DNSSEC validation from long-running tasks.
* Split CPU-intensive and long-running tasks into separate
threadpools in a way that the long-running tasks - like RPZ,
catalog zone processing, or zone file operations - don’t block
CPU-intensive operations like DNSSEC validations.
* Fix an assertion failure when processing access control lists.
* The named process could terminate unexpectedly when processing
ACLs. This has been fixed.
* Fix a bug in Offline KSK using a ZSK with an unlimited
lifetime.
* If the ZSK had an unlimited lifetime, the timing metadata
Inactive and Delete could not be found and were treated as an
error, preventing the zone from being signed. This has been
fixed.
* Limit the outgoing UDP send queue size.
* If the operating system UDP queue got full and the outgoing UDP
sending started to be delayed, BIND 9 could exhibit memory
spikes as it tried to enqueue all the outgoing UDP messages. It
now tries to deliver the outgoing UDP messages synchronously;
if that fails, it drops the outgoing DNS message that would get
queued up and then timeout on the client side.
* Do not set SO_INCOMING_CPU.
* Remove the SO_INCOMING_CPU setting as kernel scheduling
performs better without constraints.
* Fix the rndc dumpdb command’s error reporting.
* The rndc dumpdb command was not reporting errors that occurred
when named started up the database dump process. This has been
fixed.
* Fix long-running incoming transfers.
* Incoming transfers that took longer than 30 seconds would stop
reading from the TCP stream and the incoming transfer would be
indefinitely stuck, causing BIND 9 to hang during shutdown.
* This has been fixed, and the max-transfer-time-in and
max-transfer-idle-in timeouts are now honored.
* Fix an assertion failure when receiving DNS responses over TCP.
* When matching the received Query ID in the TCP connection, an
invalid Query ID could cause an assertion failure. This has
been fixed.
* Thu Sep 19 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.20.2
New Features:
* Support for Offline KSK implemented.
* Add a new configuration option offline-ksk to enable Offline
KSK key management. Signed Key Response (SKR) files created
with dnssec-ksr (or other programs) can now be imported into
named with the new rndc skr -import command. Rather than
creating new DNSKEY, CDS, and CDNSKEY records and generating
signatures covering these types, these records are loaded from
the currently active bundle from the imported SKR.
* The implementation is loosely based on
draft-icann-dnssec-keymgmt-01.txt.
* Print the full path of the working directory in startup log
messages.
* named now prints its initial working directory during startup,
and the changed working directory when loading or reloading its
configuration file, if it has a valid directory option defined.
* Support a restricted key tag range when generating new keys.
* When multiple signers are being used to sign a zone, it is
useful to be able to specify a restricted range of key tags to
be used by an operator to sign the zone. The range can be
specified with tag-range in dnssec-policy’s keys (for named and
dnssec-ksr) and with the new options dnssec-keyfromlabel -M and
dnssec-keygen -M.
Feature Changes:
* Exempt prefetches from the fetches-per-zone and
fetches-per-server quotas.
* Fetches generated automatically as a result of prefetch are now
exempt from the fetches-per-zone and fetches-per-server quotas.
This should help in maintaining the cache from which query
responses can be given.
* Follow the number of CPUs set by taskset/cpuset.
* Administrators may wish to constrain the set of cores that
named runs on via the taskset, cpuset, or numactl programs (or
equivalents on other OSes).
* If the admin has used taskset, named now automatically uses the
given number of CPUs rather than the system-wide count.
Bug Fixes:
* Delay the release of root privileges until after configuring
controls.
* Delay relinquishing root privileges until the control channel
has been configured, for the benefit of systems that require
root to use privileged port numbers. This mostly affects
systems without fine-grained privilege systems (i.e., other
than Linux).
* Fix a rare assertion failure when shutting down incoming
transfer.
* A very rare assertion failure could be triggered when the
incoming transfer was either forcefully shut down, or it
finished during the printing of the details about the
statistics channel. This has been fixed.
* Fix algorithm rollover bug when there are two keys with the
same keytag.
* If there was an algorithm rollover and two keys of different
algorithms shared the same keytags, there was the possibility
that the check of whether the key matched a specific state
could be performed against the wrong key. This has been fixed
by not only checking for the matching key tag but also the key
algorithm.
* Fix an assertion failure in validate_dnskey_dsset_done().
* Under rare circumstances, named could terminate unexpectedly
when validating a DNSKEY resource record if the validation had
been canceled in the meantime. This has been fixed.
Known Issues:
* Long-running tasks in offloaded threads (e.g. the loading of
RPZ zones or processing zone transfers) may block the
resolution of queries during these operations and cause the
queries to time out. To work around the issue, the
UV_THREADPOOL_SIZE environment variable can be set to a larger
value before starting named. The recommended value is the
number of RPZ zones (or number of transfers) plus the number of
threads BIND should use, which is typically the number of CPUs.
* Fri Aug 23 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.20.1
New Features:
* Implement rndc retransfer -force.
* A new optional argument -force has been added to the command
rndc retransfer. When it is specified, named aborts the ongoing
zone transfer (if there is one) and starts a new transfer.
* dig now reports a missing QUESTION section for messages with
opcode QUERY.
* Query responses should contain the QUESTION section, with some
exceptions. dig was not reporting this.
Feature Changes:
* Tighten max-recursion-queries and add max-query-restarts
configuration statement.
* There were cases when the max-recursion-queries quota was
ineffective. It was possible to craft zones that would cause a
resolver to waste resources by sending excessive queries while
attempting to resolve a name. This has been addressed by
correcting errors in the implementation of
max-recursion-queries and by reducing the default value from
100 to 32.
* In addition, a new max-query-restarts configuration statement
has been added, which limits the number of times a recursive
server will follow CNAME or DNAME records before terminating
resolution. This was previously a hard-coded limit of 16 but is
now configurable with a default value of 11.
* ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli,
and Cagin Tanir from NetSec group, ETH Zurich for discovering
and notifying us about the issue.
* Allow shorter resolver-query-timeout configuration.
* The minimum allowed value of resolver-query-timeout was lowered
from its previous value of 10 000 milliseconds (which is still
the default) to 301 milliseconds. Note however that values of 1
to 300 inclusive are interpreted as seconds before applying the
limit. A value of zero is interpreted as the default.
* Raise the log level of priming failures.
* When a priming query is complete, it was previously logged at
level DEBUG(1), regardless of success or failure. It is now
logged to NOTICE in the case of failure.
Bug Fixes:
* Fix a crash caused by valid TSIG signatures with invalid time.
* An assertion failure was triggered when the TSIG had a valid
cryptographic signature but the time was invalid. This could
happen when the times between the primary and secondary servers
were not synchronised. The crash has now been fixed.
* Return SERVFAIL for a too long CNAME chain.
* When following long CNAME chains, named was returning NOERROR
(along with a partial answer) instead of SERVFAIL, if the chain
exceeded the maximum length. This has been fixed.
* Reconfigure catz member zones during named reconfiguration.
* During a reconfiguration, named wasn’t reconfiguring catalog
zones’ member zones. This has been fixed.
* Update key lifetime and metadata after dnssec-policy
reconfiguration.
* Adjust key state and timing metadata if dnssec-policy key
lifetime configuration is updated, so that it also affects
existing keys.
* Fix a crash during zone modification.
* Fix an assertion failure that could happen when an
authoritative zone was modified while the server was generating
an answer from that zone.
* Fix assertion failure when executing named-checkconf -v to
print its version.
* Fix generation of 6to4-self name expansion from IPv4 address.
* The period between the most significant nibble of the encoded
IPv4 address and the 2.0.0.2.IP6.ARPA suffix was missing,
resulting in the wrong name being checked. This has been fixed.
* dig +yaml was producing unexpected and/or invalid YAML output.
* SVCB ALPN text parsing failed to reject zero-length ALPN.
* Fix false QNAME minimisation error being reported.
* Remove the false positive success resolving log message when
QNAME minimisation is in effect and the final result is an
NXDOMAIN.
* Fix --enable-tracing build on systems without dtrace.
* A missing util/dtrace.sh file prevented builds on systems
without the dtrace utility. This has been corrected.
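An added illustration, not BIND's own code, of the restart limit introduced above and of the "SERVFAIL for a too long CNAME chain" fix: a toy in-memory resolver that follows CNAME chains over constructed records, stops after a configurable number of restarts, and answers SERVFAIL rather than NOERROR with a partial chain. The record data, chain lengths and the loop zone are constructed for the example.

```python
"""Toy CNAME-following loop with a max-query-restarts style limit.
Added example; not BIND code. All zone data below is constructed."""
from dataclasses import dataclass, field

DEFAULT_MAX_QUERY_RESTARTS = 11   # default named in the release notes
OLD_HARDCODED_LIMIT = 16          # previous hard-coded limit

# Constructed records: owner name -> list of (rtype, rdata)
RECORDS = {
    "www.example.test.": [("CNAME", "cdn.example.test.")],
    "cdn.example.test.": [("CNAME", "edge.example.test.")],
    "edge.example.test.": [("A", "192.0.2.10")],
}

# Constructed CNAME loop: a -> b -> a
LOOP = {
    "a.loop.test.": [("CNAME", "b.loop.test.")],
    "b.loop.test.": [("CNAME", "a.loop.test.")],
}


def build_chain(length: int, target: str = "192.0.2.20") -> dict:
    """Construct a chain of `length` CNAMEs ending in a single A record."""
    zone = {}
    for i in range(length):
        zone[f"c{i}.chain.test."] = [("CNAME", f"c{i + 1}.chain.test.")]
    zone[f"c{length}.chain.test."] = [("A", target)]
    return zone


@dataclass
class Answer:
    rcode: str
    rrsets: list = field(default_factory=list)   # (owner, rtype, rdata)


def resolve(zone: dict, qname: str, qtype: str,
            max_restarts: int = DEFAULT_MAX_QUERY_RESTARTS) -> Answer:
    """Follow CNAMEs from qname, restarting at most `max_restarts` times.

    Returns NOERROR with the full chain plus the final RRset, NXDOMAIN when
    a target does not exist, and SERVFAIL (with an empty answer section)
    when the restart limit is exceeded or a loop is detected. Returning
    NOERROR with the partial chain in the limit case is the behaviour the
    release note describes as the bug.
    """
    answer = Answer("NOERROR")
    name = qname
    restarts = 0
    seen = set()
    while True:
        if name in seen:                      # CNAME loop: fail, never spin
            return Answer("SERVFAIL")
        seen.add(name)
        rrs = zone.get(name)
        if rrs is None:
            return Answer("NXDOMAIN", answer.rrsets)
        wanted = [(t, d) for t, d in rrs if t == qtype]
        if wanted:
            answer.rrsets.extend((name, t, d) for t, d in wanted)
            return answer
        cnames = [(t, d) for t, d in rrs if t == "CNAME"]
        if not cnames:
            return Answer("NOERROR", answer.rrsets)   # NODATA: no qtype here
        answer.rrsets.append((name, "CNAME", cnames[0][1]))
        restarts += 1
        if restarts > max_restarts:
            # Limit hit: discard the partial chain and signal failure.
            return Answer("SERVFAIL")
        name = cnames[0][1]


if __name__ == "__main__":
    print(resolve(RECORDS, "www.example.test.", "A"))
    print(resolve(build_chain(12), "c0.chain.test.", "A").rcode)
```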
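An added example, not BIND's code, for the 6to4-self name expansion fix above: it builds the 2.0.0.2.IP6.ARPA name from an IPv4 address as reversed nibbles (the 2002::/16 6to4 layout of RFC 3056, assumed here to be what 6to4-self checks), reproduces the missing-period defect on request, and cross-checks the result against the standard library's reverse pointer. Sample addresses are constructed.

```python
"""6to4-self name expansion with and without the missing-period bug.
Added example; not BIND code. Sample addresses are constructed."""
import ipaddress

SUFFIX = "2.0.0.2.IP6.ARPA"   # reverse-mapping suffix of the 6to4 prefix 2002::/16


def sixtofour_self_name(ipv4: str, buggy: bool = False) -> str:
    """Return the reverse name for the 6to4 /48 derived from `ipv4`.

    The 32 bits of the IPv4 address become eight hex nibbles, emitted least
    significant first, under 2.0.0.2.IP6.ARPA. With buggy=True the period
    between the most significant nibble and the suffix is dropped, which
    is the wrong name the release note describes.
    """
    addr = ipaddress.IPv4Address(ipv4)
    hexdigits = f"{int(addr):08x}"                  # most significant nibble first
    reversed_nibbles = ".".join(reversed(hexdigits))
    sep = "" if buggy else "."
    return f"{reversed_nibbles}{sep}{SUFFIX}"


def matches_6to4_prefix(ipv4: str, name: str) -> bool:
    """Cross-check: the 6to4 /48 for `ipv4` is 2002:<hi16>:<lo16>::/48, so
    its full reverse pointer must end with `name` (case-insensitive)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    v6 = ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80))
    return v6.reverse_pointer.lower().endswith(name.lower())


if __name__ == "__main__":
    for flag in (False, True):
        n = sixtofour_self_name("192.0.2.1", buggy=flag)
        print(n, matches_6to4_prefix("192.0.2.1", n))
```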
* Wed Jul 24 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to new major version 9.20.0
For a complete list of all changes see:
* https://bind9.readthedocs.io/en/v9.20.0/notes.html
* The CHANGES file in the source RPM
Some noteworthy changes:
* Added new BuildRequires liburcu for lock free data structures.
* A new DNSSEC tool dnssec-ksr has been added to create Key
Signing Request (KSR) and Signed Key Response (SKR) files.
* /etc/bind.keys and /var/lib/named/named.root.key have been
removed as the correct defaults are pre-compiled and there is
no need to configure bind.keys manually.
* The functions that were in the libbind9 shared library have
been moved to the libisc and libisccfg libraries. The now-empty
libbind9 has been removed and is no longer installed.
* The irs_resconf module has been moved to the libdns shared
library. The now-empty libirs library has been removed and is
no longer installed.
Security Fixes:
* A malicious DNS client that sent many queries over TCP but
never read the responses could cause a server to respond slowly
or not at all for other clients. This has been fixed.
(CVE-2024-0760)
[bsc#1228255]
* It is possible to craft excessively large resource records
sets, which have the effect of slowing down database
processing. This has been addressed by adding a configurable
limit to the number of records that can be stored per name and
type in a cache or zone database. The default is 100, which can
be tuned with the new max-records-per-type option.
* It is possible to craft excessively large numbers of resource
record types for a given owner name, which has the effect of
slowing down database processing. This has been addressed by
adding a configurable limit to the number of records that can
be stored per name and type in a cache or zone database. The
default is 100, which can be tuned with the new
max-types-per-name option. (CVE-2024-1737)
[bsc#1228256]
* Validating DNS messages signed using the SIG(0) protocol (RFC
2931) could cause excessive CPU load, leading to a
denial-of-service condition. Support for SIG(0) message
validation was removed from this version of named.
(CVE-2024-1975)
[bsc#1228257]
* Due to a logic error, lookups that triggered serving stale data
and required lookups in local authoritative zone data could
have resulted in an assertion failure. This has been fixed.
* Potential data races were found in our DoH implementation,
related to HTTP/2 session object management and endpoints set
object management after reconfiguration. These issues have been
fixed.
* When looking up the NS records of parent zones as part of
looking up DS records, it was possible for named to trigger an
assertion failure if serve-stale was enabled. This has been
fixed. (CVE-2024-4076)
[bsc#1228258]
* Fri May 17 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.27
New Features:
* A new option signatures-jitter has been added to dnssec-policy
to allow signature expirations to be spread out over a period
of time.
Feature Changes:
* DNSSEC signatures that are not valid because the current time
falls outside the signature inception and expiration dates are
skipped instead of causing an immediate validation failure.
* Sun Apr 21 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.26
New Features:
* The statistics channel now includes counters that indicate the
number of currently connected TCP IPv4/IPv6 clients.
* Added RESOLVER.ARPA to the built-in empty zones.
Bug Fixes:
* Changes to listen-on statements were ignored on reconfiguration
unless the port or interface address was changed, making it
impossible to change a related listener transport type. That
issue has been fixed.
* A bug in the keymgr code unintentionally slowed down some
DNSSEC key rollovers. This has been fixed.
* Some ISO 8601 durations were accepted erroneously, leading to
shorter durations than expected. This has been fixed.
* Wed Mar 20 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.25
Bug Fixes:
* A regression in cache-cleaning code enabled memory use to grow
significantly more quickly than before, until the configured
max-cache-size limit was reached. This has been fixed.
* Using rndc flush inadvertently caused cache cleaning to become
less effective. This could ultimately lead to the configured
max-cache-size limit being exceeded and has now been fixed.
* The logic for cleaning up expired cached DNS records was
tweaked to be more aggressive. This change helps with enforcing
max-cache-ttl and max-ncache-ttl in a timely manner. [GL #4591]
* It was possible to trigger a use-after-free assertion when the
overmem cache cleaning was initiated. This has been fixed.
* Tue Feb 13 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.24
Security Fixes:
* Validating DNS messages containing a lot of DNSSEC signatures
could cause excessive CPU load, leading to a denial-of-service
condition. This has been fixed. (CVE-2023-50387)
[bsc#1219823]
* Preparing an NSEC3 closest encloser proof could cause excessive
CPU load, leading to a denial-of-service condition. This has
been fixed. (CVE-2023-50868)
[bsc#1219826]
* Parsing DNS messages with many different names could cause
excessive CPU load. This has been fixed. (CVE-2023-4408)
[bsc#1219851]
* Specific queries could cause named to crash with an assertion
failure when nxdomain-redirect was enabled. This has been
fixed. (CVE-2023-5517)
[bsc#1219852]
* A bad interaction between DNS64 and serve-stale could cause
named to crash with an assertion failure, when both of these
features were enabled. This has been fixed. (CVE-2023-5679)
[bsc#1219853]
* Query patterns that continuously triggered cache database
maintenance could cause an excessive amount of memory to be
allocated, exceeding max-cache-size and potentially leading to
all available memory on the host running named being exhausted.
This has been fixed. (CVE-2023-6516)
[bsc#1219854]
* Under certain circumstances, the DNS-over-TLS client code
incorrectly attempted to process more than one DNS message at a
time, which could cause named to crash with an assertion
failure. This has been fixed.
Bug Fixes:
* The counters exported via the statistics channel were changed
back to 64-bit signed values; they were being inadvertently
truncated to unsigned 32-bit values since BIND 9.15.0.
* Thu Jan 04 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.21
Removed Features:
* Support for using AES as the DNS COOKIE algorithm
(cookie-algorithm aes;) has been deprecated and will be removed
in a future release. Please use the current default,
SipHash-2-4, instead.
* The resolver-nonbackoff-tries and resolver-retry-interval
statements have been deprecated. Using them now causes a
warning to be logged.
* Wed Nov 15 2023 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.20
Feature Changes:
* The IP addresses for B.ROOT-SERVERS.NET have been updated to
170.247.170.2 and 2801:1b8:10::b.
Bug Fixes:
* If the unsigned version of an inline-signed zone contained
DNSSEC records, it was incorrectly scheduled for resigning.
This has been fixed.
* Looking up stale data from the cache did not take local
authoritative data into account. This has been fixed.
* An assertion failure was triggered when lock-file was used at
the same time as the named -X command-line option. This has
been fixed.
* The lock-file file was being removed when it should not have
been, making the statement ineffective when named was started
three or more times. This has been fixed.
* Fri Oct 13 2023 Thorsten Kukuk <kukuk@suse.com>
- Disable SLP by default for Factory and ALP (bsc#1214884)
* Tue Sep 19 2023 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.19
Security Fixes:
* Previously, sending a specially crafted message over the
control channel could cause the packet-parsing code to run out
of available stack memory, causing named to terminate
unexpectedly. This has been fixed. (CVE-2023-3341)
[bsc#1215472]
* A flaw in the networking code handling DNS-over-TLS queries
could cause named to terminate unexpectedly due to an assertion
failure under significant DNS-over-TLS query load. This has
been fixed. (CVE-2023-4236)
[bsc#1215471]
Removed Features:
* The dnssec-must-be-secure option has been deprecated and will
be removed in a future release.
Feature Changes:
* If the server command is specified, nsupdate now honors the
nsupdate -v option for SOA queries by sending both the UPDATE
request and the initial query over TCP.
Bug Fixes:
* The value of the If-Modified-Since header in the statistics
channel was not being correctly validated for its length,
potentially allowing an authorized user to trigger a buffer
overflow. Ensuring the statistics channel is configured
correctly to grant access exclusively to authorized users is
essential (see the statistics-channels block definition and
usage section).
* The Content-Length header in the statistics channel was lacking
proper bounds checking. A negative or excessively large value
could potentially trigger an integer overflow and result in an
assertion failure.
* Several memory leaks caused by not clearing the OpenSSL error
stack were fixed.
* The introduction of krb5-subdomain-self-rhs and
ms-subdomain-self-rhs UPDATE policies accidentally caused named
to return SERVFAIL responses to deletion requests for
non-existent PTR and SRV records. This has been fixed.
* The stale-refresh-time feature was mistakenly disabled when the
server cache was flushed by rndc flush. This has been fixed.
* BIND’s memory consumption has been improved by implementing
dedicated jemalloc memory arenas for sending buffers. This
optimization ensures that memory usage is more efficient and
better manages the return of memory pages to the operating
system.
* Previously, partial writes in the TLS DNS code were not
accounted for correctly, which could have led to DNS message
corruption. This has been fixed.
* Mon Sep 11 2023 Pedro Monreal <pmonreal@suse.com>
- Enable crypto-policies support: [bsc#1211301]
* Rebase vendor-files/config/named.conf
* Wed Aug 16 2023 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.18
Feature Changes:
* When a primary server for a zone responds to an SOA query, but
the subsequent TCP connection required to transfer the zone is
refused, that server is marked as temporarily unreachable. This
now also happens if the TCP connection attempt times out,
preventing too many zones from queuing up on an unreachable
server and allowing the refresh process to move on to the next
configured primary more quickly.
* The dialup and heartbeat-interval options have been deprecated
and will be removed in a future BIND 9 release.
Bug Fixes:
* Processing already-queued queries received over TCP could cause
an assertion failure, when the server was reconfigured at the
same time or the cache was being flushed. This has been fixed.
* Setting dnssec-policy to insecure prevented zones containing
resource records with a TTL value larger than 86400 seconds (1
day) from being loaded. This has been fixed by ignoring the TTL
values in the zone and using a value of 604800 seconds (1 week)
as the maximum zone TTL in key rollover timing calculations.
* Wed Jul 19 2023 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.17
Feature Changes:
* If a response from an authoritative server has its RCODE set to
FORMERR and contains an echoed EDNS COOKIE option that was
present in the query, named now retries sending the query to
the same server without an EDNS COOKIE option.
* The relaxed QNAME minimization mode now uses NS records. This
reduces the number of queries named makes when resolving, as it
allows the non-existence of NS RRsets at non-referral nodes to
be cached in addition to the normally cached referrals.
Bug Fixes:
* The ability to read HMAC-MD5 key files, which was accidentally
lost in BIND 9.18.8, has been restored.
* Several minor stability issues with the catalog zone
implementation have been fixed.
* Thu Jul 13 2023 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Enable dnstap support
* Thu Jul 06 2023 Dirk Müller <dmueller@suse.com>
- rebuild bind-utils on libuv updates (bsc#1212090)
* Thu Jun 22 2023 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.16
Security Fixes:
* The overmem cleaning process has been improved, to prevent the
cache from significantly exceeding the configured
max-cache-size limit. (CVE-2023-2828)
* A query that prioritizes stale data over lookup triggers a
fetch to refresh the stale data in cache. If the fetch is
aborted for exceeding the recursion quota, it was possible for
named to enter an infinite callback loop and crash due to stack
overflow. This has been fixed. (CVE-2023-2911)
New Features:
* The system test suite can now be executed with pytest (along
with pytest-xdist for parallel execution).
Removed Features:
* TKEY mode 2 (Diffie-Hellman Exchanged Keying) is now
deprecated, and will be removed in a future release. A warning
will be logged when the tkey-dhkey option is used in
named.conf.
Bug Fixes:
* BIND could get stuck on reconfiguration when a listen-on
statement for HTTP is removed from the configuration. That has
been fixed.
* Previously, it was possible for a delegation from cache to be
returned to the client after the stale-answer-client-timeout
duration. This has been fixed.
* BIND could allocate too big buffers when sending data via
stream-based DNS transports, leading to increased memory usage.
This has been fixed.
* When the stale-answer-enable option was enabled and the
stale-answer-client-timeout option was enabled and larger than
0, named previously allocated two slots from the
clients-per-query limit for each client and failed to gradually
auto-tune its value, as configured. This has been fixed.
* Wed May 17 2023 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.15
Bug Fixes:
* The max-transfer-time-in and max-transfer-idle-in statements
have not had any effect since the BIND 9 networking stack was
refactored in version 9.16. The missing functionality has been
re-implemented and incoming zone transfers now time out
properly when not progressing.
* The read timeout in rndc is now 60 seconds, matching the
behavior in BIND 9.16 and earlier. It had previously been
lowered to 30 seconds by mistake.
* When the ISC_R_INVALIDPROTO (ENOPROTOOPT, EPROTONOSUPPORT)
error code is returned by libuv, it is now treated as a network
failure: the server for which that error code is returned gets
marked as broken and is not contacted again during a given
resolution process.
* When removing delegations from an opt-out range,
empty-non-terminal NSEC3 records generated by those delegations
were not cleaned up. This has been fixed.
* Log file rotation code did not clean up older versions of log
files when the logging channel had an absolute path configured
as a file destination. This has been fixed.
Known Issues:
* Sending NOTIFY messages silently fails when the source port
specified in the notify-source statement is already in use.
This can happen e.g. when multiple servers are configured as
NOTIFY targets for a zone and some of them are unresponsive.
This issue can be worked around by not specifying the source
port for NOTIFY messages in the notify-source statement; note
that source port configuration is already deprecated and will
be removed altogether in a future release.
* Fri Apr 21 2023 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.14
Removed Features:
* Zone type delegation-only, and the delegation-only and
root-delegation-only statements, have been deprecated. A
warning is now logged when they are used.
* These statements were created to address the SiteFinder
controversy, in which certain top-level domains redirected
misspelled queries to other sites instead of returning NXDOMAIN
responses. Since top-level domains are now DNSSEC-signed, and
DNSSEC validation is active by default, the statements are no
longer needed.
Bug Fixes:
* Several bugs which could cause named to crash during catalog
zone processing have been fixed.
* Previously, downloading large zones over TLS (XoT) from a
primary could hang the transfer on the secondary, especially
when the connection was unstable. This has been fixed.
* Performance of DNSSEC validation in zones with many DNSKEY
records has been improved.
* Wed Mar 15 2023 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.13
New Features:
* RPZ updates are now run on specialized “offload” threads to
reduce the amount of time they block query processing on the
main networking threads. This increases the responsiveness of
named when RPZ updates are being applied after an RPZ zone has
been successfully transferred.
Feature Changes:
* Catalog zone updates are now run on specialized “offload”
threads to reduce the amount of time they block query
processing on the main networking threads. This increases the
responsiveness of named when catalog zone updates are being
applied after a catalog zone has been successfully transferred.
* libuv support for receiving multiple UDP messages in a single
recvmmsg() system call has been tweaked several times between
libuv versions 1.35.0 and 1.40.0; the current recommended libuv
version is 1.40.0 or higher. New rules are now in effect for
running with a different version of libuv than the one used at
compilation time. These rules may trigger a fatal error at
startup:
- Building against or running with libuv versions 1.35.0 and
1.36.0 is now a fatal error.
- Running with libuv version higher than 1.34.2 is now a
fatal error when named is built against libuv version
1.34.2 or lower.
- Running with libuv version higher than 1.39.0 is now a
fatal error when named is built against libuv version
1.37.0, 1.38.0, 1.38.1, or 1.39.0.
* This prevents the use of libuv versions that may trigger an
assertion failure when receiving multiple UDP messages in a
single system call.
Bug Fixes:
* named could crash with an assertion failure when adding a new
zone into the configuration file for a name which was already
configured as a member zone for a catalog zone. This has been
fixed.
* When named starts up, it sends a query for the DNSSEC key for
each configured trust anchor to determine whether the key has
changed. In some unusual cases, the query might depend on a
zone for which the server is itself authoritative, and would
have failed if it were sent before the zone was fully loaded.
This has now been fixed by delaying the key queries until all
zones have finished loading.
* Thu Feb 16 2023 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.12
Removed Features:
* Specifying a port when configuring source addresses (i.e., as
an argument to query-source, query-source-v6, transfer-source,
transfer-source-v6, notify-source, notify-source-v6,
parental-source, or parental-source-v6, or in the source or
source-v6 arguments to primaries, parental-agents, also-notify,
or catalog-zones) has been deprecated. In addition, the
use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, and
avoid-v6-udp-ports options have also been deprecated.
Warnings are now logged when any of these options are
encountered in named.conf. In a future release, they will be
made nonfunctional.
Bug Fixes:
* A constant stream of zone additions and deletions via rndc
reconfig could cause increased memory consumption due to
delayed cleaning of view memory. This has been fixed.
* The speed of the message digest algorithms (MD5, SHA-1, SHA-2),
and of NSEC3 hashing, has been improved.
* Pointing parental-agents to a resolver did not work because the
RD bit was not set on DS requests. This has been fixed.
* Building BIND 9 failed when the --enable-dnsrps switch for
./configure was used. This has been fixed.
- Updated keyring and signature
* Tue Jan 24 2023 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.11
Security Fixes:
* An UPDATE message flood could cause named to exhaust all
available memory. This flaw was addressed by adding a new
update-quota option that controls the maximum number of
outstanding DNS UPDATE messages that named can hold in a queue
at any given time (default: 100). (CVE-2022-3094)
* named could crash with an assertion failure when an RRSIG query
was received and stale-answer-client-timeout was set to a
non-zero value. This has been fixed. (CVE-2022-3736)
* named running as a resolver with the
stale-answer-client-timeout option set to any value greater
than 0 could crash with an assertion failure, when the
recursive-clients soft quota was reached. This has been fixed.
(CVE-2022-3924)
New Features:
* The new update-quota option can be used to control the number
of simultaneous DNS UPDATE messages that can be processed to
update an authoritative zone on a primary server, or forwarded
to the primary server by a secondary server. The default is
100. A new statistics counter has also been added to record
events when this quota is exceeded, and the version numbers for
the XML and JSON statistics schemas have been updated.
Removed Features:
* The Differentiated Services Code Point (DSCP) feature in BIND
has been non-operational since the new Network Manager was
introduced in BIND 9.16. It is now marked as obsolete, and
vestigial code implementing it has been removed. Configuring
DSCP values in named.conf now causes a warning to be logged.
Feature Changes:
* The catalog zone implementation has been optimized to work with
hundreds of thousands of member zones.
Bug Fixes:
* A rare assertion failure was fixed in outgoing TCP DNS
connection handling.
* Large zone transfers over TLS (XoT) could fail. This has been
fixed.
* In addition to a previously fixed bug, another similar issue
was discovered where quotas could be erroneously reached for
servers, including any configured forwarders, resulting in
SERVFAIL answers being sent to clients. This has been fixed.
* In certain query resolution scenarios (e.g. when following
CNAME records), named configured to answer from stale cache
could return a SERVFAIL response despite a usable, non-stale
answer being present in the cache. This has been fixed.
* When an outgoing request timed out, named would retry up to
three times with the same server instead of trying the next
available name server. This has been fixed.
* Recently used ADB names and ADB entries (IP addresses) could
get cleaned when ADB was under memory pressure. To mitigate
this, only actual ADB names and ADB entries are now counted
(excluding internal memory structures used for “housekeeping”)
and recently used (<= 10 seconds) ADB names and entries are
excluded from the overmem memory cleaner.
* The “Prohibited” Extended DNS Error was inadvertently set in
some NOERROR responses. This has been fixed.
* Previously, TLS session resumption could have led to handshake
failures when client certificates were used for authentication
(Mutual TLS). This has been fixed.
[bsc#1207471, bsc#1207473, bsc#1207475]
* Wed Jan 04 2023 Thiago Macieira <thiago@kde.org>
- Declare that named.service depends on network-online.target, otherwise named
may start too early and thus fail (time out) when resolving some
domains. This happens easily in containers.
* Thu Dec 22 2022 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to release 9.18.10
Feature Changes:
* To reduce unnecessary memory consumption in the cache, NXDOMAIN
records are no longer retained past the normal negative cache
TTL, even if stale-cache-enable is set to yes.
* The auto-dnssec option has been deprecated and will be removed
in a future BIND 9.19.x release. Please migrate to
dnssec-policy.
* The coresize, datasize, files, and stacksize options have been
deprecated. The limits these options set should be enforced
externally, either by manual configuration (e.g. using ulimit)
or via the process supervisor (e.g. systemd).
* Setting alternate local addresses for inbound zone transfers
has been deprecated. The relevant options (alt-transfer-source,
alt-transfer-source-v6, and use-alt-transfer-source) will be
removed in a future BIND 9.19.x release.
* The number of HTTP headers allowed in requests sent to named’s
statistics channel has been increased from 10 to 100, to
accommodate some browsers that send more than 10 headers by
default.
Bug Fixes:
* named could crash due to an assertion failure when an HTTP
connection to the statistics channel was closed prematurely
(due to a connection error, shutdown, etc.).
* When a catalog zone was removed from the configuration, in some
cases a dangling pointer could cause the named process to
crash.
* When a zone was deleted from a server, a key management object
related to that zone was inadvertently kept in memory and only
released upon shutdown. This could lead to constantly
increasing memory use on servers with a high rate of changes
affecting the set of zones being served.
* TLS configuration for primary servers was not applied for zones
that were members of a catalog zone.
* In certain cases, named waited for the resolution of
outstanding recursive queries to finish before shutting down.
* host and nslookup command-line options setting the custom
TCP/UDP port to use were ignored for ANY queries (which are
sent over TCP).
* The zone <name>/<class>: final reference detached log message
was moved from the INFO log level to the DEBUG(1) log level to
prevent the named-checkzone tool from superfluously logging
this message in non-debug mode.
* Mon Nov 21 2022 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to bind release 9.18.9
Bug Fixes:
* A crash was fixed that happened when a dnssec-policy zone that
used NSEC3 was reconfigured to enable inline-signing.
* In certain resolution scenarios, quotas could be erroneously
reached for servers, including any configured forwarders,
resulting in SERVFAIL answers being sent to clients.
* rpz-ip rules in response-policy zones could be ineffective in
some cases if a query had the CD (Checking Disabled) bit set to
1.
* Previously, if Internet connectivity issues were experienced
during the initial startup of named, a BIND resolver with
dnssec-validation set to auto could enter into a state where it
would not recover without stopping named, manually deleting the
managed-keys.bind and managed-keys.bind.jnl files, and starting
named again.
* The statistics counter representing the current number of
clients awaiting recursive resolution results (RecursClients)
could overflow in certain resolution scenarios.
* Previously, the port in remote servers such as in primaries and
parental-agents could be wrongly configured because of an
inheritance bug.
* Previously, BIND failed to start on Solaris-based systems with
hundreds of CPUs.
* When a DNS resource record’s TTL value was equal to the
resolver’s configured prefetch “eligibility” value, the record
was erroneously not treated as eligible for prefetching.
* Mon Nov 07 2022 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to bind release 9.18.8
New Features:
* Support for parsing and validating the dohpath service
parameter in SVCB records was added.
* named now logs the supported cryptographic algorithms during
startup and in the output of named -V.
* The recursion not available and query (cache) '...' denied log
messages were extended to include the name of the ACL that
caused a given query to be denied.
Bug Fixes:
* An assertion failure was fixed in named that was caused by
aborting the statistics channel connection while sending
statistics data to the client.
* Changing just the TSIG key names for primaries in catalog
zones’ member zones was not effective. This has been fixed.
Known Issues:
* Upgrading from BIND 9.16.32, 9.18.6, or any older version may
require a manual configuration change. The following
configurations are affected:
- type primary zones configured with dnssec-policy but without
either allow-update or update-policy,
- type secondary zones configured with dnssec-policy.
In these cases please add inline-signing yes; to the individual
zone configuration(s). Without applying this change, named will
fail to start. For more details, see
https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
* BIND 9.18 does not support dynamic update forwarding (see
allow-update-forwarding) in conjunction with zone transfers over
TLS (XoT).
This obsoletes the following patch:
* fix_documentation-Sphinx.patch
* Wed Oct 05 2022 Matej Cepl <mcepl@suse.com>
- Add fix_documentation-Sphinx.patch to fix building with the
current Sphinx
(https://gitlab.isc.org/isc-projects/bind9/-/issues/3572).
- Reapply bind-ldapdump-use-valid-host.patch
* Wed Sep 21 2022 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to bind release 9.18.7
Security Fixes:
* Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be
abused to severely impact the performance of named running as a
recursive resolver. This has been fixed. (CVE-2022-2795)
* When an HTTP connection was reused to request statistics from the
stats channel, the content length of successive responses could
grow in size past the end of the allocated buffer.
This has been fixed. (CVE-2022-2881)
* Memory leaks in code handling Diffie-Hellman (DH) keys were fixed
that could be externally triggered, when using TKEY records in DH
mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906)
* named running as a resolver with the stale-answer-client-timeout
option set to 0 could crash with an assertion failure, when there
was a stale CNAME in the cache for the incoming query.
This has been fixed. (CVE-2022-3080)
* Memory leaks were fixed that could be externally triggered in the
DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
Feature Changes:
* Response Rate Limiting (RRL) code now treats all QNAMEs that are
subject to wildcard processing within a given zone as the same
name, to prevent circumventing the limits enforced by RRL.
* Zones using dnssec-policy now require dynamic DNS or
inline-signing to be configured explicitly.
* When reconfiguring dnssec-policy from using NSEC with an NSEC-only
DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3,
BIND 9 no longer fails to sign the zone; instead, it keeps using
NSEC until the offending DNSKEY records have been removed from the
zone, then switches to using NSEC3.
* A backward-compatible approach was implemented for encoding
internationalized domain names (IDN) in dig and converting the
domain to IDNA2008 form; if that fails, BIND tries an IDNA2003
conversion.
Bug Fixes:
* A serve-stale bug was fixed, where BIND would try to return stale
data from cache for lookups that received duplicate queries or
queries that would be dropped. This bug resulted in premature
SERVFAIL responses, and has now been resolved.
This obsoletes the following patch:
* bind-fix-mysql-bindings.patch
[bsc#1203614, bsc#1203615, bsc#1203616, bsc#1203618, bsc#1203620]
* Thu Aug 18 2022 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Fix typo in contrib/dlz/modules/{mysql,mysqldyn} that references
LDAP_LIBS instead of MYSQL_LIBS.
[bsc#1202149, bind.spec, bind-fix-mysql-bindings.patch]
* Thu Aug 18 2022 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to bind release 9.18.6
Bug Fixes:
* When running as a validating resolver forwarding all queries
to another resolver, named could crash with an assertion failure.
These crashes occurred when the configured forwarder sent
a broken DS response and named failed its attempts to find
a proper one instead. This has been fixed.
* Non-dynamic zones that inherit dnssec-policy from the view
or options blocks were not marked as inline-signed
and therefore never scheduled to be re-signed. This has been fixed.
* The old max-zone-ttl zone option was meant to be superseded
by the max-zone-ttl option in dnssec-policy; however,
the latter option was not fully effective. This has been corrected:
zones no longer load if they contain TTLs greater than the limit
configured in dnssec-policy. For zones with both the old
max-zone-ttl option and dnssec-policy configured,
the old option is ignored, and a warning is generated.
* rndc dumpdb -expired was fixed to include expired RRsets,
even if stale-cache-enable is set to no and the cache-cleaning
time window has passed.
For a complete list of changes, see
* Bind Release Notes
https://downloads.isc.org/isc/bind9/9.18.6/doc/arm/html/notes.html
* The CHANGES file in the source RPM
[bind.spec bind-9.18.6.tar.xz bind-9.18.6.tar.xz.sha512.asc]
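Because 9.18.6 refuses to load a dnssec-policy zone that contains TTLs above the policy's max-zone-ttl, it is worth checking zone files before the upgrade. The following pre-flight check is an added example for this page, not BIND code; the zone text is constructed and the 86400-second limit is the example's chosen value (pass the one from your own dnssec-policy).

```python
"""Added example, not BIND code: a pre-flight check for the 9.18.6 behaviour
that a zone with dnssec-policy fails to load when any TTL exceeds the
policy's max-zone-ttl. The zone text is constructed; the 86400-second limit
used in the demo is the example's own choice. Handles $TTL, $ORIGIN, unit
suffixes (s/m/h/d/w) and the optional class, but not multi-line
parenthesised records."""
import re
from typing import List, Optional, Tuple

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^(?:\d+[smhdwSMHDW]?)+$")
CLASSES = {"IN", "CH", "HS"}

# Constructed zone: two records deliberately exceed a one-day limit.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA  ns1 hostmaster 2022081801 7200 900 1209600 3600
         IN NS   ns1
ns1      IN A    192.0.2.1
www  1h  IN A    192.0.2.2
ftp  1w  IN CNAME www
static   IN TXT  "long-lived"
archive  2d A    192.0.2.3
"""


def parse_ttl(token: str) -> Optional[int]:
    """Seconds for a BIND TTL token such as 3600, 1h or 2d12h; None otherwise."""
    if not TTL_RE.match(token):
        return None
    total = 0
    for num, unit in re.findall(r"(\d+)([smhdwSMHDW]?)", token):
        total += int(num) * UNITS.get(unit.lower(), 1)
    return total


def ttls_over_limit(zone_text: str, max_zone_ttl: int) -> List[Tuple[int, str, int]]:
    """(line number, owner, ttl) for every record whose TTL exceeds max_zone_ttl."""
    default_ttl: Optional[int] = None
    last_owner = ""
    offenders: List[Tuple[int, str, int]] = []
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if tokens[0].startswith("$"):
            continue  # $ORIGIN, $INCLUDE and friends carry no TTL
        if line[0].isspace():
            owner = last_owner  # blank owner field repeats the previous owner
        else:
            owner = tokens.pop(0)
            last_owner = owner
        ttl = default_ttl
        # Optional TTL and class may appear in either order before the type.
        for _ in range(2):
            if not tokens:
                break
            if tokens[0].upper() in CLASSES:
                tokens.pop(0)
            elif parse_ttl(tokens[0]) is not None:
                ttl = parse_ttl(tokens.pop(0))
        # Records with no TTL at all (no $TTL, none inline) are not judged here.
        if ttl is not None and ttl > max_zone_ttl:
            offenders.append((lineno, owner, ttl))
    return offenders


if __name__ == "__main__":
    for lineno, owner, ttl in ttls_over_limit(SAMPLE_ZONE, 86400):
        print(f"line {lineno}: {owner} TTL {ttl} exceeds max-zone-ttl 86400")
```

Run against the sample zone with an 86400-second limit, the check reports the ftp CNAME (1w) and the archive A record (2d); the www record at 1h and the $TTL default of 3600 pass.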
* Wed Aug 03 2022 Jorik Cronenberg <jorik.cronenberg@suse.com>
- When enabling query_logging by un-commenting an example in
bind.conf, named attempts to create a file in /var/log which
fails due to missing credentials. This also applies to the
"dump-file" and the "statistics-file".
This is solved by having systemd-tmpfiles create a subdirectory
"/var/log/named" owned by named:named and changing the file
paths accordingly:
/var/log/named_querylog -> /var/log/named/querylog
/var/log/named_dump.db -> /var/log/named/dump.db
/var/log/named.stats -> /var/log/named/stats
Also, in "named.service", the ReadWritePath was changed to
include "/var/log/named" rather than just "/var/log".
[bsc#1200685, bind.conf, vendor-files/config/named.conf,
vendor-files/system/named.service]
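The change above has two halves that must agree: every file named creates at runtime needs a parent directory the named user owns, and that directory must be inside the unit's ReadWritePaths=. The following consistency check is an added example for this page, not part of the openSUSE package or of BIND; the named.conf, tmpfiles.d and unit snippets are constructed to mirror the before/after state described in the entry, and ownership is read from the tmpfiles.d line rather than stat() so the check runs offline.

```python
"""Added example for this page, not part of the openSUSE package: a check
that every file named writes at runtime (logging channel files, dump-file,
statistics-file) lives in a directory that systemd-tmpfiles creates for the
named user and that the unit's ReadWritePaths= covers. Ownership is taken
from the tmpfiles.d line rather than stat(), because /var/log itself is
root-owned and named cannot create files directly in it. All snippets are
constructed to mirror the change described in the changelog entry."""
import re
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

OLD_NAMED_CONF = """\
options {
    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";
};
logging {
    channel query_logging { file "/var/log/named_querylog" versions 3 size 100M; };
    category queries { query_logging; };
};
"""
NEW_NAMED_CONF = """\
options {
    dump-file "/var/log/named/dump.db";
    statistics-file "/var/log/named/stats";
};
logging {
    channel query_logging { file "/var/log/named/querylog" versions 3 size 100M; };
    category queries { query_logging; };
};
"""
TMPFILES_CONF = "d /var/log/named 0750 named named -\n"
UNIT_OLD = "[Service]\nReadWritePaths=/var/lib/named /var/log\n"
UNIT_NEW = "[Service]\nReadWritePaths=/var/lib/named /var/log/named\n"

RUNTIME_FILE = re.compile(r'\b(dump-file|statistics-file|file)\s+"([^"]+)"')


def runtime_files(conf: str) -> List[Tuple[str, str]]:
    """(directive, path) for every file named will create or write."""
    return RUNTIME_FILE.findall(conf)


def tmpfiles_dirs(text: str) -> Dict[str, Tuple[str, str]]:
    """Directories created by tmpfiles.d 'd' lines, mapped to (user, group)."""
    dirs: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "d":
            dirs[fields[1]] = (fields[3], fields[4])
    return dirs


def read_write_paths(unit: str) -> List[str]:
    """All ReadWritePaths= entries (the setting may be repeated in a unit)."""
    paths: List[str] = []
    for line in unit.splitlines():
        if line.startswith("ReadWritePaths="):
            paths.extend(line.split("=", 1)[1].split())
    return paths


def is_under(path: str, base: str) -> bool:
    p, b = PurePosixPath(path), PurePosixPath(base)
    return p == b or b in p.parents


def check(conf: str, tmpfiles: str, unit: str, user: str = "named") -> List[str]:
    """One finding per problem; an empty list means named can create and write
    every configured file under the hardened unit."""
    owned = {d for d, (u, _) in tmpfiles_dirs(tmpfiles).items() if u == user}
    allowed = read_write_paths(unit)
    findings: List[str] = []
    for directive, path in runtime_files(conf):
        parent = str(PurePosixPath(path).parent)
        if parent not in owned:
            findings.append(f"{directive} {path}: {parent} is not created for {user} by tmpfiles.d")
        if not any(is_under(path, base) for base in allowed):
            findings.append(f"{directive} {path}: not inside ReadWritePaths= {allowed}")
    return findings


if __name__ == "__main__":
    print("before:", check(OLD_NAMED_CONF, TMPFILES_CONF, UNIT_OLD))
    print("after: ", check(NEW_NAMED_CONF, TMPFILES_CONF, UNIT_NEW))
```

The old layout produces one finding per file (ReadWritePaths=/var/log was wide enough, but named does not own /var/log, which is exactly the failure reported in bsc#1200685); the new layout produces none. Narrowing the unit to /var/log/named without moving the files would instead fail the ReadWritePaths check, which is why both halves of the change ship together.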
* Mon Aug 01 2022 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Add systemd drop-in directory for named service
[bsc#1201689, bind.spec]
* Thu Jul 21 2022 Josef Möllers <josef.moellers@suse.com>
- Update to bind release 9.18.5
Bugs fixed:
* When resolving a name, don't give up immediately if an
authoritative server returns FORMERR; try the other servers first.
* When synth-from-dnssec generated a response using records from a
higher zone, it could unexpectedly prove non-existence of
records in a subordinate grafted-on namespace.
* Update HTTP listener settings on reconfiguration.
* Fix a crash in dig NS search mode when one of the NS server
queries fails.
* Changed dnssec-signzone -H default to 0 additional NSEC3
iterations.
* When processing a catalog zone member zone make sure that there
is no configured pre-existing forward-only forward zone with
that name.
[bind-9.18.5.tar.xz bind-9.18.5.tar.xz.sha512.asc]
* Wed Jun 15 2022 Josef Möllers <josef.moellers@suse.com>
- Upgrade to 9.18.4:
Bugs fixed:
* Only write key files if the dnssec-policy keymgr has
changed the metadata.
* When the fetches-per-server quota was adjusted
because of an authoritative server timing out more
or less frequently, it was incorrectly set to 1
rather than the intended value.
Notable functional changes:
* Key timing options for `dnssec-keygen` and
`dnssec-settime` now accept times as printed by
`dnssec-settime -p`.
* Key timing options for `dnssec-settime` and related
utilities now accept "UNSET" times as printed by
`dnssec-settime -p`.
This obsoletes the following patch:
bind-prevent-buffer-overflow.patch
[bind-9.18.4.tar.xz, bind-9.18.4.tar.xz.sha512.asc,
bind-prevent-buffer-overflow.patch]
* Thu May 19 2022 Josef Möllers <josef.moellers@suse.com>
- Upgrade to 9.18.3:
Bugs fixed:
* Fix a crash in DNS-over-HTTPS (DoH) code caused by premature
TLS stream socket object deletion.
* RPZ NSIP and NSDNAME rule processing didn't handle stub and
static-stub zones at or above the query name. This has now
been addressed.
* Fixed a deadlock that could occur if an rndc connection arrived
during the shutdown of network interfaces.
* Refactor the fctx_done() function to set fctx to NULL after
detaching, so that reference counting errors will be easier to
avoid.
* udp_recv() in dispatch could trigger an INSIST when the
callback's result indicated success but the response was
canceled in the meantime.
* Work around a jemalloc quirk which could trigger an
out-of-memory condition in named over time.
* If there was a pending negative cache DS entry, validations
depending upon it could fail.
* dig returned a 0 exit status on UDP connection failure.
* Fix an assertion failure when using dig with +nssearch and
+tcp options by starting the next query in the send_done()
callback (like in the UDP mode) instead of doing that
recursively in start_tcp(). Also ensure that queries
interrupted while connecting are detached properly.
* Don't remove CDS/CDNSKEY DELETE records on zone sign when
using 'auto-dnssec maintain;'.
This obsoletes the following patch:
bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch
[CVE-2022-1183, bsc#1199619]
* Tue May 17 2022 Josef Möllers <josef.moellers@suse.com>
- An assertion failure can be triggered if a TLS connection to a
configured http TLS listener with a defined endpoint is destroyed too
early.
[CVE-2022-1183, bsc#1199619, CVE-2022-1183.patch]
* Mon May 16 2022 Martin Liška <mliska@suse.cz>
- Add upstream patch bind-prevent-buffer-overflow.patch.
* Thu May 12 2022 Josef Möllers <josef.moellers@suse.com>
- The named-checkconf had been moved from /usr/sbin to /usr/bin
but that had not been reflected in scripts that called this,
e.g. named.prep. So these scripts failed.
Some installations still have "createNamedConfInclude" in the
NAMED_INITIALIZE_SCRIPTS in /etc/sysconfig/named. The named.prep
will now report this but continue.
[bsc#1199044, vendor-files.tar.bz2]
* Mon Apr 25 2022 Josef Möllers <josef.moellers@suse.com>
- Upgrade to 9.18.2:
Most important bugs fixed:
* The "starting maxtime timer" message related to outgoing
zone transfers was incorrectly logged at the ERROR level
instead of DEBUG(1).
* Ensure that zone maintenance queries have a retry limit.
* When using both the `+qr` and `+y` options `dig` could
crash if the connection to the first server was not
successful.
* dig could hang in some cases involving multiple servers
in a lookup, when a request fails and the next one
refuses to start for some reason, for example if it was
an IPv4 mapped IPv6 address.
* dig +nssearch was hanging until manually interrupted.
* When an UPDATE targets a zone that is not configured,
the requested zone name is now logged in the "not
authoritative" error message, so that it is easier to
track down problematic update clients.
* Quote the dns64 prefix in error messages that complain
about problems with it, to avoid confusion with the
following dns64 ACLs.
* When encountering a socket error while trying to initiate
a TCP connection to a server, dig could hang
indefinitely, when there were more servers to try.
* When timing-out or having other types of socket errors
during a query, dig wasn't trying to perform the lookup
using other servers, in case they exist.
* Resending a UDP request as the result of a timeout
could cause an assertion failure when the resent
query's result was SERVFAIL.
* Replace single TCP write timer with per-TCP write
timers.
* Invalid dnssec-policy definitions were being accepted
where the defined keys did not cover both KSK and ZSK
roles for a given algorithm. This is now checked for
and the dnssec-policy is rejected if both roles are
not present for all algorithms in use.
* Fix query context management issues in the TCP part
of dig.
Noteworthy functional changes:
* Add new "reuseport" option to enable/disable load
balancing of sockets.
* Set the minimum MTU on UDPv6 and TCPv6 sockets and
limit TCP maximum segment size (TCP_MAXSEG) to (1220)
for both TCPv4 and TCPv6 sockets.
Needed to define two macros in contrib code:
FALLTHROUGH is a copy of how it is defined in <isc/util.h>
UNREACHABLE follows the model used in MacOS /usr/include/c++/v1/cstdlib
to determine if __builtin_unreachable is available
[bind-9.18.2.tar.xz, bind-9.18.2.tar.xz.sha512.asc,
bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch]
* Thu Mar 17 2022 Josef Möllers <josef.moellers@suse.com>
- * When using forwarders, bogus NS records supplied by, or via, those
forwarders may be cached and used by named if it needs to recurse
for any reason, causing it to obtain and pass on potentially
incorrect answers. [CVE-2021-25220]
* TCP connection slots may be consumed for an indefinite time frame
via a specifically crafted TCP stream sent from a client.
This issue can only be triggered on BIND servers which have
keep-response-order enabled, which is not the default configuration.
The keep-response-order option is an ACL block, and as such, any
hosts specified within it will be able to trigger this issue on
affected versions. [CVE-2022-0396]
* The RFC 8198 Aggressive Use of DNSSEC-Validated Cache feature
(synth-from-dnssec) had been refactored and the default has been
changed so that it is now automatically enabled for dnssec-validating
resolvers. Subsequently it was found that repeated patterns of
specific queries to servers with this feature enabled could cause
an INSIST failure in query.c:query_dname which causes named to
terminate unexpectedly.
The vulnerability affects BIND resolvers running 9.18.0 that have
both dnssec-validation and synth-from-dnssec enabled. (Note that
dnssec-validation auto; is the default setting unless configured
otherwise in named.conf and that enabling dnssec-validation
automatically enables synth-from-dnssec unless explicitly disabled)
[CVE-2022-0635]
* The refactoring of the recursive client code introduced a
"backstop lifetime timer."
While BIND is processing a request for a DS record that needs to be
forwarded, it waits until this processing is complete or until the
backstop lifetime timer has timed out. When the resume_dslookup() function
is called as a result of such a timeout, the function does not test
whether the fetch has previously been shut down. This introduces the
possibility of triggering an assertion failure, which could cause the BIND
process to terminate. [CVE-2022-0667]
* Reset client TCP connection when data received cannot
be parsed as a valid DNS request.
For a complete list of changes, see
* Bind Release Notes
https://downloads.isc.org/isc/bind9/9.18.1/doc/arm/html/notes.html
* The CHANGES file in the source RPM
This obsoletes bind-define-missing-threads.patch
Also, removed bind-python3 from the spec file as it is not built
any longer.
[bind.spec, bind-9.18.1.tar.xz, bind-9.18.1.tar.xz.sha512.asc,
bind-define-missing-threads.patch]
* Mon Jan 31 2022 Josef Möllers <josef.moellers@suse.com>
- Update to new MAJOR VERSION 9.18.0.
This has many enhancements, bug fixes and changes.
The spec file also has mechanisms to run the integrated test suite.
MAJOR CHANGES:
* Support for securing DNS traffic using Transport Layer Security (TLS).
TLS is used by both DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH).
* Support for zone transfers over TLS (XFR-over-TLS, XoT) for both
incoming and outgoing zone transfers.
* The dig tool is now able to send DoT queries (+tls option).
* Support for OpenSSL 3.0 APIs was added.
A number of utilities have been removed: dnssec-checkds,
dnssec-coverage, dnssec-keymgr, which have been deprecated in
favor of dnssec-policy feature, as well as python support
(package python3-bind).
A number of utilities have been moved from (/usr)/sbin to (/usr)/bin
The DLZ modules have been put into separate sub-packages
to keep unwanted dependencies out of the main package:
* bind-modules-perl: dlz_perl_driver.so
* bind-modules-mysql: dlz_mysql_dynamic.so, dlz_mysqldyn_mod.so
* bind-modules-ldap: dlz_ldap_dynamic.so
* bind-modules-bdbhpt: dlz_bdbhpt_dynamic.so
* bind-modules-sqlite3: dlz_sqlite3_dynamic.so
* bind-modules-generic: dlz_filesystem_dynamic.so, dlz_wildcard_dynamic.so
For a complete list of changes, see
* Bind Release Notes
https://downloads.isc.org/isc/bind9/9.18.0/doc/arm/html/notes.html
* The CHANGES file in the source RPM
[bind.spec, bind-9.18.0.tar.xz, bind-9.18.0.tar.xz.sha512.asc,
bind-avoid-fallthrough-warning-error.patch,
bind-contrib-pthread.patch, named-bootconf.diff, bind-define-missing-threads.patch]
* Mon Jan 24 2022 Josef Möllers <josef.moellers@suse.com>
- Old-style DLZ drivers have been deprecated in favor of
DLZ modules. The DLZ drivers configuration option will
be removed from the next major BIND 9 release.
The option to use the DLZ modules is already available
in BIND 9; please see the ARM section on DLZ modules.
The dynamically loadable driver modules are stored in
/usr/lib64/bind-plugins
Example configurations for ldap and mysql are provided in
named.conf.
[bind.spec, vendor-files/config/named.conf]
* Fri Jan 21 2022 Callum Farmer <gmbr3@opensuse.org>
- Add now working CONFIG parameter to sysusers generator
* Thu Jan 20 2022 Josef Möllers <josef.moellers@suse.com>
- Upgrade to release 9.16.25
This upgrade fixes the following bugs:
* Enforce enqueuing TCP resumeread to prevent the next read
callback from being executed before the current read callback
has finished, and the worker receive buffer has been marked as
"freed".
* Allow replacing expired zone signatures with signatures created
by the KSK.
* An assertion could occur if a catalog zone event was scheduled
while the task manager was being shut down.
* Defer detaching from zone->raw in zone_shutdown() if the zone
is in the process of being dumped to disk, to ensure that the
unsigned serial number information is always written in the
raw-format header of the signed version on an inline-signed
zone.
* named could leak memory when two dnssec-policy clauses had the
same name. named failed to log this error.
* Add a missing isc_condition_destroy() for nmsocket condition
variable and add missing isc_mutex_destroy() for nmworker lock.
[bind-9.16.25.tar.xz, bind-9.16.25.tar.xz.sha512.asc]
* Wed Jan 19 2022 Josef Möllers <josef.moellers@suse.com>
- Added /var/log to the ReadWritePaths as some log files are
written there:
* dump-file "/var/log/named_dump.db"
* statistics-file "/var/log/named.stats"
[bsc#1194721, vendor-files.tar.bz2]
/usr/lib64/bind-plugins/dlz_bdbhpt_dynamic.so
Generated by rpm2html 1.8.1
Fabrice Bellet, Sun Oct 19 22:42:15 2025