Browse Source

bind package update

Signed-off-by: webbuilder_pel7ppc64lebuilder0 <webbuilder@powerel.org>
master
webbuilder_pel7ppc64lebuilder0 6 years ago
parent
commit
0ebc5605a0
  1. 31
      SOURCES/bind-9.5-sdb.patch
  2. 53
      SOURCES/bind99-CVE-2018-5740.patch
  3. 1978
      SOURCES/bind99-fips-tests.patch
  4. 1396
      SOURCES/bind99-fips.patch
  5. 8290
      SOURCES/bind99-nta.patch
  6. 232
      SOURCES/bind99-rh1510008-2.patch
  7. 6053
      SOURCES/bind99-rh1510008.patch
  8. 54
      SOURCES/bind99-rh1549130-2.patch
  9. 183
      SOURCES/bind99-rh1549130.patch
  10. 28
      SOURCES/bind99-rh1647539.patch
  11. 2
      SOURCES/named.conf.sample
  12. 117
      SPECS/bind.spec

31
SOURCES/bind-9.5-sdb.patch

@ -14,10 +14,10 @@ index 187ec23..e6179e7 100644 @@ -14,10 +14,10 @@ index 187ec23..e6179e7 100644
@BIND9_MAKE_RULES@
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
index bc5be2a..71324d9 100644
index 5ba3f56..1868418 100644
--- a/bin/named-sdb/Makefile.in
+++ b/bin/named-sdb/Makefile.in
@@ -34,10 +34,10 @@ top_srcdir = @top_srcdir@
@@ -32,10 +32,10 @@ top_srcdir = @top_srcdir@
#
# Add database drivers here.
#
@ -31,7 +31,7 @@ index bc5be2a..71324d9 100644 @@ -31,7 +31,7 @@ index bc5be2a..71324d9 100644
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
@@ -83,7 +83,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
@@ -81,7 +81,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
@ -40,7 +40,7 @@ index bc5be2a..71324d9 100644 @@ -40,7 +40,7 @@ index bc5be2a..71324d9 100644
GEOIPLINKOBJS = geoip.@O@
@@ -146,7 +146,7 @@ config.@O@: config.c bind.keys.h
@@ -145,7 +145,7 @@ config.@O@: config.c bind.keys.h
-DNS_SYSCONFDIR=\"${sysconfdir}\" \
-c ${srcdir}/config.c
@ -49,7 +49,7 @@ index bc5be2a..71324d9 100644 @@ -49,7 +49,7 @@ index bc5be2a..71324d9 100644
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -177,15 +177,9 @@ statschannel.@O@: bind9.xsl.h bind9.ver3.xsl.h
@@ -176,15 +176,9 @@ statschannel.@O@: bind9.xsl.h bind9.ver3.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@ -69,7 +69,7 @@ index bc5be2a..71324d9 100644 @@ -69,7 +69,7 @@ index bc5be2a..71324d9 100644
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
index a00687f..4fba625 100644
index d26783f..75691ed 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
@@ -86,6 +86,9 @@
@ -163,10 +163,10 @@ index a00687f..4fba625 100644 @@ -163,10 +163,10 @@ index a00687f..4fba625 100644
ISC_LOG_NOTICE, "exiting");
ns_log_shutdown();
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index bc5be2a..3c69c9b 100644
index 5ba3f56..4beeaf0 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -51,7 +51,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
@@ -49,7 +49,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
@ -175,7 +175,7 @@ index bc5be2a..3c69c9b 100644 @@ -175,7 +175,7 @@ index bc5be2a..3c69c9b 100644
CWARNINGS =
@@ -75,11 +75,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
@@ -73,11 +73,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
@ -189,7 +189,7 @@ index bc5be2a..3c69c9b 100644 @@ -189,7 +189,7 @@ index bc5be2a..3c69c9b 100644
SUBDIRS = unix
@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
@@ -92,8 +92,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@ -199,7 +199,7 @@ index bc5be2a..3c69c9b 100644 @@ -199,7 +199,7 @@ index bc5be2a..3c69c9b 100644
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -110,8 +109,7 @@ SRCS = builtin.c client.c config.c control.c \
@@ -108,8 +107,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@ -209,7 +209,7 @@ index bc5be2a..3c69c9b 100644 @@ -209,7 +209,7 @@ index bc5be2a..3c69c9b 100644
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -187,7 +185,5 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
@@ -186,7 +184,5 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
@ -218,10 +218,10 @@ index bc5be2a..3c69c9b 100644 @@ -218,10 +218,10 @@ index bc5be2a..3c69c9b 100644
named-symtbl.@O@: named-symtbl.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
diff --git a/configure.in b/configure.in
index 9bb9a2a..d72093f 100644
index d72f635..1aae803 100644
--- a/configure.in
+++ b/configure.in
@@ -4018,12 +4018,15 @@ AC_CONFIG_FILES([
@@ -4050,6 +4050,8 @@ AC_CONFIG_FILES([
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
bin/named/unix/Makefile
@ -230,8 +230,9 @@ index 9bb9a2a..d72093f 100644 @@ -230,8 +230,9 @@ index 9bb9a2a..d72093f 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
bin/python/dnssec-checkds.py
@@ -4060,6 +4062,7 @@ AC_CONFIG_FILES([
bin/python/dnssec-coverage.py
bin/python/dnssec-keymgr.py
bin/rndc/Makefile
+ bin/sdb_tools/Makefile
bin/tests/Makefile

53
SOURCES/bind99-CVE-2018-5740.patch

@ -0,0 +1,53 @@ @@ -0,0 +1,53 @@
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 252a02f..bfffb8a 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -5957,6 +5957,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
unsigned int nlabels;
dns_fixedname_t fixed;
dns_name_t prefix;
+ int order;
REQUIRE(rdataset != NULL);
REQUIRE(rdataset->type == dns_rdatatype_cname ||
@@ -5979,18 +5980,26 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
tname = &cname.cname;
break;
case dns_rdatatype_dname:
+ if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
+ dns_namereln_subdomain)
+ {
+ return (ISC_TRUE);
+ }
result = dns_rdata_tostruct(&rdata, &dname, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
dns_name_init(&prefix, NULL);
dns_fixedname_init(&fixed);
tname = dns_fixedname_name(&fixed);
- nlabels = dns_name_countlabels(qname) -
- dns_name_countlabels(rname);
+ nlabels = dns_name_countlabels(rname);
dns_name_split(qname, nlabels, &prefix, NULL);
result = dns_name_concatenate(&prefix, &dname.dname, tname,
NULL);
- if (result == DNS_R_NAMETOOLONG)
+ if (result == DNS_R_NAMETOOLONG) {
+ if (chainingp != NULL) {
+ *chainingp = ISC_TRUE;
+ }
return (ISC_TRUE);
+ }
RUNTIME_CHECK(result == ISC_R_SUCCESS);
break;
default:
@@ -6719,7 +6728,9 @@ answer_response(fetchctx_t *fctx) {
}
if ((ardataset->type == dns_rdatatype_cname ||
ardataset->type == dns_rdatatype_dname) &&
- !is_answertarget_allowed(fctx, qname, aname, ardataset,
+ type != ardataset->type &&
+ type != dns_rdatatype_any &&
+ !is_answertarget_allowed(fctx, qname, aname, ardataset,
NULL))
{
return (DNS_R_SERVFAIL);

1978
SOURCES/bind99-fips-tests.patch

File diff suppressed because it is too large Load Diff

1396
SOURCES/bind99-fips.patch

File diff suppressed because it is too large Load Diff

8290
SOURCES/bind99-nta.patch

File diff suppressed because it is too large Load Diff

232
SOURCES/bind99-rh1510008-2.patch

@ -0,0 +1,232 @@ @@ -0,0 +1,232 @@
From 4a0a86d84ff11337c363e0540947da136b296b70 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 29 Apr 2016 14:17:21 -0700
Subject: [PATCH] [master] more python2/3 compatibility fixes; use setup.py to
install

---
bin/python/Makefile.in | 2 ++
bin/python/isc/Makefile.in | 28 +++-------------------------
bin/python/isc/__init__.py | 6 ++++--
bin/python/isc/checkds.py | 5 +++--
bin/python/isc/coverage.py | 7 +++----
bin/python/isc/dnskey.py | 4 ++--
bin/python/isc/keymgr.py | 7 +++----
bin/python/isc/policy.py | 6 +++++-
bin/python/setup.py | 8 ++++++++
9 files changed, 33 insertions(+), 40 deletions(-)
create mode 100644 bin/python/setup.py

diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
index 1e4af9c2e2..7ef32cc59b 100644
--- a/bin/python/Makefile.in
+++ b/bin/python/Makefile.in
@@ -55,9 +55,11 @@ install:: ${TARGETS} installdirs
${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/dnssec-keymgr.8 ${DESTDIR}${mandir}/man8
+ test -z "${PYTHON}" || ${PYTHON} setup.py install --prefix=${DESTDIR}${prefix}
clean distclean::
rm -f ${TARGETS}
+ rm -rf build
distclean::
rm -f dnssec-checkds.py dnssec-coverage.py dnssec-keymgr.py
diff --git a/bin/python/isc/Makefile.in b/bin/python/isc/Makefile.in
index 425d054cce..a72f6e4054 100644
--- a/bin/python/isc/Makefile.in
+++ b/bin/python/isc/Makefile.in
@@ -24,44 +24,22 @@ PYTHON = @PYTHON@
PYSRCS = __init__.py dnskey.py eventlist.py keydict.py \
keyevent.py keyzone.py policy.py
-TARGETS = parsetab.py parsetab.pyc \
- __init__.pyc dnskey.pyc eventlist.py keydict.py \
- keyevent.pyc keyzone.pyc policy.pyc
+TARGETS = parsetab.py
@BIND9_MAKE_RULES@
%.pyc: %.py
$(PYTHON) -m compileall .
-parsetab.py parsetab.pyc: policy.py
+parsetab.py: policy.py
$(PYTHON) policy.py parse /dev/null > /dev/null
$(PYTHON) -m parsetab
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}/isc
-
-install:: ${PYSRCS} installdirs
- ${INSTALL_SCRIPT} __init__.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} __init__.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} dnskey.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} dnskey.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} eventlist.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} eventlist.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} keydict.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} keydict.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} keyevent.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} keyevent.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} keyzone.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} keyzone.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} policy.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} policy.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} parsetab.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} parsetab.pyc ${DESTDIR}${libdir}
-
check test: subdirs
clean distclean::
rm -f *.pyc parser.out parsetab.py
+ rm -rf __pycache__ build
distclean::
rm -Rf utils.py
\ No newline at end of file
diff --git a/bin/python/isc/__init__.py b/bin/python/isc/__init__.py
index 0d79f356fd..10b3c45cf1 100644
--- a/bin/python/isc/__init__.py
+++ b/bin/python/isc/__init__.py
@@ -13,8 +13,10 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-__all__ = ['dnskey', 'eventlist', 'keydict', 'keyevent', 'keyseries',
- 'keyzone', 'policy', 'parsetab', 'utils']
+__all__ = ['checkds', 'coverage', 'keymgr', 'dnskey', 'eventlist',
+ 'keydict', 'keyevent', 'keyseries', 'keyzone', 'policy',
+ 'parsetab', 'utils']
+
from isc.dnskey import *
from isc.eventlist import *
from isc.keydict import *
diff --git a/bin/python/isc/checkds.py b/bin/python/isc/checkds.py
index 64ca12ebc6..2b7da39fc9 100644
--- a/bin/python/isc/checkds.py
+++ b/bin/python/isc/checkds.py
@@ -42,7 +42,7 @@ class SECRR:
if not rrtext:
raise Exception
- fields = rrtext.split()
+ fields = rrtext.decode('ascii').split()
if len(fields) < 7:
raise Exception
@@ -75,7 +75,8 @@ class SECRR:
fields = fields[2:]
if fields[0].upper() != self.rrtype:
- raise Exception
+ raise Exception('%s does not match %s' %
+ (fields[0].upper(), self.rrtype))
self.keyid, self.keyalg, self.hashalg = map(int, fields[1:4])
self.digest = ''.join(fields[4:]).upper()
diff --git a/bin/python/isc/coverage.py b/bin/python/isc/coverage.py
index c9e89596f7..bfe811bee8 100644
--- a/bin/python/isc/coverage.py
+++ b/bin/python/isc/coverage.py
@@ -27,9 +27,7 @@ from collections import defaultdict
prog = 'dnssec-coverage'
-from isc import *
-from isc.utils import prefix
-
+from isc import dnskey, eventlist, keydict, keyevent, keyzone, utils
############################################################################
# print a fatal error and exit
@@ -139,7 +137,8 @@ def set_path(command, default=None):
def parse_args():
"""Read command line arguments, set global 'args' structure"""
compilezone = set_path('named-compilezone',
- os.path.join(prefix('sbin'), 'named-compilezone'))
+ os.path.join(utils.prefix('sbin'),
+ 'named-compilezone'))
parser = argparse.ArgumentParser(description=prog + ': checks future ' +
'DNSKEY coverage for a zone')
diff --git a/bin/python/isc/dnskey.py b/bin/python/isc/dnskey.py
index f1559e7239..14079504b6 100644
--- a/bin/python/isc/dnskey.py
+++ b/bin/python/isc/dnskey.py
@@ -205,11 +205,11 @@ class dnskey:
raise Exception('unable to generate key: ' + str(stderr))
try:
- keystr = stdout.splitlines()[0]
+ keystr = stdout.splitlines()[0].decode('ascii')
newkey = dnskey(keystr, keys_dir, ttl)
return newkey
except Exception as e:
- raise Exception('unable to generate key: %s' % str(e))
+ raise Exception('unable to parse generated key: %s' % str(e))
def generate_successor(self, keygen_bin, **kwargs):
quiet = kwargs.get('quiet', False)
diff --git a/bin/python/isc/keymgr.py b/bin/python/isc/keymgr.py
index a3a9043965..cbe86ab65e 100644
--- a/bin/python/isc/keymgr.py
+++ b/bin/python/isc/keymgr.py
@@ -20,8 +20,7 @@ from collections import defaultdict
prog='dnssec-keymgr'
-from isc import *
-from isc.utils import prefix
+from isc import dnskey, keydict, keyseries, policy, parsetab, utils
############################################################################
# print a fatal error and exit
@@ -63,9 +62,9 @@ def parse_args():
"""
keygen = set_path('dnssec-keygen',
- os.path.join(prefix('sbin'), 'dnssec-keygen'))
+ os.path.join(utils.prefix('sbin'), 'dnssec-keygen'))
settime = set_path('dnssec-settime',
- os.path.join(prefix('sbin'), 'dnssec-settime'))
+ os.path.join(utils.prefix('sbin'), 'dnssec-settime'))
parser = argparse.ArgumentParser(description=prog + ': schedule '
'DNSSEC key rollovers according to a '
diff --git a/bin/python/isc/policy.py b/bin/python/isc/policy.py
index ed106c6c92..dbb4abf010 100644
--- a/bin/python/isc/policy.py
+++ b/bin/python/isc/policy.py
@@ -104,8 +104,12 @@ class PolicyLex:
t.lexer.skip(1)
def __init__(self, **kwargs):
+ if 'maketrans' in dir(str):
+ trans = str.maketrans('_', '-')
+ else:
+ trans = maketrans('_', '-')
for r in self.reserved:
- self.reserved_map[r.lower().translate(maketrans('_', '-'))] = r
+ self.reserved_map[r.lower().translate(trans)] = r
self.lexer = lex.lex(object=self, **kwargs)
def test(self, text):
diff --git a/bin/python/setup.py b/bin/python/setup.py
new file mode 100644
index 0000000000..d7ea4a4d41
--- /dev/null
+++ b/bin/python/setup.py
@@ -0,0 +1,8 @@
+from distutils.core import setup
+setup(name='isc',
+ version='2.0',
+ description='Python functions to support BIND utilities',
+ url='https://www.isc.org/bind',
+ author='Internet Systems Consortium, Inc',
+ license='ISC',
+ packages=['isc'])
--
2.14.3

6053
SOURCES/bind99-rh1510008.patch

File diff suppressed because it is too large Load Diff

54
SOURCES/bind99-rh1549130-2.patch

@ -0,0 +1,54 @@ @@ -0,0 +1,54 @@
From 9f9ce5d91a944407e13360e9c92c090d23777a8b Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 27 May 2016 18:39:33 +1000
Subject: [PATCH] fix merge error

---
bin/named/query.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)

diff --git a/bin/named/query.c b/bin/named/query.c
index 6e988f5686..2c44e9ff53 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -7195,6 +7195,37 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* we know the answer.
*/
+ /*
+ * If we have a zero ttl from the cache refetch it.
+ */
+ if (!is_zone && event == NULL && rdataset->ttl == 0 &&
+ RECURSIONOK(client))
+ {
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+
+ result = query_recurse(client, qtype,
+ client->query.qname,
+ NULL, NULL, resuming);
+ if (result == ISC_R_SUCCESS) {
+ client->query.attributes |=
+ NS_QUERYATTR_RECURSING;
+ if (dns64)
+ client->query.attributes |=
+ NS_QUERYATTR_DNS64;
+ if (dns64_exclude)
+ client->query.attributes |=
+ NS_QUERYATTR_DNS64EXCLUDE;
+ } else
+ RECURSE_ERROR(result);
+ goto cleanup;
+ }
+
#ifdef ALLOW_FILTER_AAAA_ON_V4
/*
* Optionally hide AAAAs from IPv4 clients if there is an A.
--
2.14.4

183
SOURCES/bind99-rh1549130.patch

@ -0,0 +1,183 @@ @@ -0,0 +1,183 @@
From 02412bfe731d0cb229eb22f0ca4e8fbaed601cbe Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 27 May 2016 09:59:46 +1000
Subject: [PATCH] 4377. [bug] Don't reuse zero TTL responses beyond
the current client set (excludes ANY/SIG/RRSIG
queries). [RT #42142]

(cherry picked from commit aabcb1fde0ca255ff30f0a5c10cbd39f798cc5b7)

REDIRECT macro is 9.11.0+
---
bin/named/query.c | 31 +++++++++++++++
bin/tests/system/zero/ans5/ans.pl | 81 +++++++++++++++++++++++++++++++++++++++
bin/tests/system/zero/ns1/root.db | 2 +
bin/tests/system/zero/tests.sh | 13 +++++++
4 files changed, 127 insertions(+)
create mode 100644 bin/tests/system/zero/ans5/ans.pl

diff --git a/bin/named/query.c b/bin/named/query.c
index 2c44e9ff53..3b402f1d01 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -6816,6 +6816,37 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
goto cleanup;
case DNS_R_CNAME:
+ /*
+ * If we have a zero ttl from the cache refetch it.
+ */
+ if (!is_zone && event == NULL && rdataset->ttl == 0 &&
+ RECURSIONOK(client))
+ {
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+
+ result = query_recurse(client, qtype,
+ client->query.qname,
+ NULL, NULL, resuming);
+ if (result == ISC_R_SUCCESS) {
+ client->query.attributes |=
+ NS_QUERYATTR_RECURSING;
+ if (dns64)
+ client->query.attributes |=
+ NS_QUERYATTR_DNS64;
+ if (dns64_exclude)
+ client->query.attributes |=
+ NS_QUERYATTR_DNS64EXCLUDE;
+ } else
+ RECURSE_ERROR(result);
+ goto cleanup;
+ }
+
/*
* Keep a copy of the rdataset. We have to do this because
* query_addrrset may clear 'rdataset' (to prevent the
diff --git a/bin/tests/system/zero/ans5/ans.pl b/bin/tests/system/zero/ans5/ans.pl
new file mode 100644
index 0000000000..9dfa18e444
--- /dev/null
+++ b/bin/tests/system/zero/ans5/ans.pl
@@ -0,0 +1,81 @@
+#!/usr/bin/perl -w
+#
+# Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+#
+# Don't respond if the "norespond" file exists; otherwise respond to
+# any A or AAAA query.
+#
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.5",
+ LocalPort => 5300, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+my $octet = 0;
+
+for (;;) {
+ $sock->recv($buf, 512);
+
+ print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+ my $packet;
+
+ if ($Net::DNS::VERSION > 0.68) {
+ $packet = new Net::DNS::Packet(\$buf, 0);
+ $@ and die $@;
+ } else {
+ my $err;
+ ($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+ $err and die $err;
+ }
+
+ print "REQUEST:\n";
+ $packet->print;
+
+ $packet->header->qr(1);
+
+ my @questions = $packet->question;
+ my $qname = $questions[0]->qname;
+ my $qtype = $questions[0]->qtype;
+
+ $packet->header->aa(1);
+ if ($qtype eq "A") {
+ $packet->push("answer",
+ new Net::DNS::RR($qname .
+ " 0 A 192.0.2." . $octet));
+ $octet = $octet + 1;
+ } elsif ($qtype eq "AAAA") {
+ $packet->push("answer",
+ new Net::DNS::RR($qname .
+ " 300 AAAA 2001:db8:beef::1"));
+ }
+
+ $sock->send($packet->data);
+ print "RESPONSE:\n";
+ $packet->print;
+ print "\n";
+}
diff --git a/bin/tests/system/zero/ns1/root.db b/bin/tests/system/zero/ns1/root.db
index 69aca86fb8..beb97cb693 100644
--- a/bin/tests/system/zero/ns1/root.db
+++ b/bin/tests/system/zero/ns1/root.db
@@ -22,3 +22,5 @@ example. NS ns2.example.
ns2.example. A 10.53.0.2
example. NS ns4.example.
ns4.example. A 10.53.0.4
+increment. NS incrementns.
+incrementns A 10.53.0.5
diff --git a/bin/tests/system/zero/tests.sh b/bin/tests/system/zero/tests.sh
index 15c2906a92..bbb78f0fd8 100644
--- a/bin/tests/system/zero/tests.sh
+++ b/bin/tests/system/zero/tests.sh
@@ -44,5 +44,18 @@ done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:check repeated recursive lookups of non recurring zero ttl responses get new values"
+count=`(
+dig +short -p 5300 @10.53.0.3 foo.increment
+dig +short -p 5300 @10.53.0.3 foo.increment
+dig +short -p 5300 @10.53.0.3 foo.increment
+dig +short -p 5300 @10.53.0.3 foo.increment
+dig +short -p 5300 @10.53.0.3 foo.increment
+dig +short -p 5300 @10.53.0.3 foo.increment
+dig +short -p 5300 @10.53.0.3 foo.increment
+) | sort -u | wc -l `
+if [ $count -ne 7 ] ; then echo "I:failed (count=$count)"; ret=1; fi
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
exit $status
--
2.14.4

28
SOURCES/bind99-rh1647539.patch

@ -0,0 +1,28 @@ @@ -0,0 +1,28 @@
From 89293e44e0d022463b03a92a30b3790d4569bd50 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 20 Feb 2014 23:04:54 +1100
Subject: [PATCH] 3752. [bug] Address potential REQUIRE failure if
DNS_STYLEFLAG_COMMENTDATA is set when printing out
a rdataset.

(cherry picked from commit 86856f4f3069bb2d75851b56401ffde18f41198f)
---
lib/dns/masterdump.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
index 80fcd4c12d..58dcd3de3e 100644
--- a/lib/dns/masterdump.c
+++ b/lib/dns/masterdump.c
@@ -451,7 +451,7 @@ rdataset_totext(dns_rdataset_t *rdataset,
* Comment?
*/
if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0)
- isc_buffer_putstr(target, ";");
+ RETERR(str_totext(";", target));
/*
* Owner name.
--
2.14.5

2
SOURCES/named.conf.sample

@ -13,6 +13,8 @@ options @@ -13,6 +13,8 @@ options
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
recursing-file "data/named.recursing";
secroots-file "data/named.secroots";


/*

117
SPECS/bind.spec

@ -17,6 +17,7 @@ @@ -17,6 +17,7 @@
%{?!DEVEL: %global DEVEL 1}
%global bind_dir /var/named
%global chroot_prefix %{bind_dir}/chroot
%global selinuxbooleans named_write_master_zones=1
%if %{SDB}
%global chroot_sdb_prefix %{bind_dir}/chroot_sdb
%endif
@ -25,7 +26,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv @@ -25,7 +26,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: ISC
Version: 9.9.4
Release: 61%{?PATCHVER}%{?PREVER}%{?dist}
Release: 73%{?PATCHVER}%{?PREVER}%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -38,7 +39,8 @@ Source7: bind-9.3.1rc1-sdb_tools-Makefile.in @@ -38,7 +39,8 @@ Source7: bind-9.3.1rc1-sdb_tools-Makefile.in
Source8: dnszone.schema
Source12: README.sdb_pgsql
Source25: named.conf.sample
Source28: config-15.tar.bz2
Source26: named.conf
Source28: config-16.tar.bz2
# Up-to-date bind.keys from upstream
# Fetch a new one from page https://www.isc.org/bind-keys
Source29: bind.keys
@ -161,6 +163,17 @@ Patch188: bind99-rh1464850-2.patch @@ -161,6 +163,17 @@ Patch188: bind99-rh1464850-2.patch
Patch189: bind99-rh1501531.patch
# ISC 4858
Patch190: bind99-CVE-2017-3145.patch
Patch191: bind99-rh1510008.patch
Patch192: bind99-nta.patch
Patch193: bind99-rh1510008-2.patch
Patch194: bind99-fips.patch
Patch195: bind99-fips-tests.patch
# commit c3fbf330bc014f0470371e8da590d14a1d62977e ISC 4377
Patch196: bind99-rh1549130.patch
# commit cb735b3f902d4bb5f6e30328d5828d38efa63573
Patch197: bind99-rh1549130-2.patch
Patch198: bind99-CVE-2018-5740.patch
Patch199: bind99-rh1647539.patch

# Native PKCS#11 functionality from 9.10
Patch150:bind-9.9-allow_external_dnskey.patch
@ -190,6 +203,8 @@ Requires(postun): systemd @@ -190,6 +203,8 @@ Requires(postun): systemd
Requires: coreutils
Requires: systemd-units
Requires(post): grep, systemd
Requires(post): shadow-utils
Requires(post): glibc-common
Requires(pre): shadow-utils
Requires: bind-libs = %{epoch}:%{version}-%{release}
Obsoletes: bind-config < 30:9.3.2-34.fc6
@ -198,9 +213,18 @@ Obsoletes: caching-nameserver < 31:9.4.1-7.fc8 @@ -198,9 +213,18 @@ Obsoletes: caching-nameserver < 31:9.4.1-7.fc8
Provides: caching-nameserver = 31:9.4.1-7.fc8
Obsoletes: dnssec-conf < 1.27-2
Provides: dnssec-conf = 1.27-1
Requires: python-ply
Provides: python-isc = %{epoch}:%{version}-%{release}
Provides: python-bind = %{epoch}:%{version}-%{release}
# selinux_set_booleans requires
Requires(post): policycoreutils-python, libselinux-utils, selinux-policy
Requires(postun): policycoreutils-python, libselinux-utils, selinux-policy
Requires(posttrans): policycoreutils-python, libselinux-utils, selinux-policy
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
BuildRequires: libidn-devel, libxml2-devel, GeoIP-devel
BuildRequires: systemd-units
BuildRequires: python-ply
BuildRequires: selinux-policy
%if %{SDB}
BuildRequires: openldap-devel, postgresql-devel, sqlite-devel, mysql-devel
BuildRequires: libdb-devel
@ -467,6 +491,15 @@ tar -xf %{SOURCE48} -C bin/tests/system/geoip/data @@ -467,6 +491,15 @@ tar -xf %{SOURCE48} -C bin/tests/system/geoip/data
%patch188 -p1 -b .rh1464850
%patch189 -p1 -b .rh1501531
%patch190 -p1 -b .CVE-2017-3145
%patch191 -p1 -b .dnssec-keymgr
%patch192 -p1 -b .rh1452091
%patch193 -p1 -b .dnssec-keymgr-2
%patch194 -p1 -b .fips
%patch195 -p1 -b .fips-tests
%patch196 -p1 -b .rh1549130
%patch197 -p1 -b .rh1549130-2
%patch198 -p1 -b .CVE-2018-5740
%patch199 -p1 -b .rh1647539

# Override upstream builtin keys
cp -fp %{SOURCE29} bind.keys
@ -740,6 +773,7 @@ tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE28} @@ -740,6 +773,7 @@ tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE28}
touch ${RPM_BUILD_ROOT}/etc/rndc.key
touch ${RPM_BUILD_ROOT}/etc/rndc.conf
mkdir ${RPM_BUILD_ROOT}/etc/named
install -m 640 %{SOURCE26} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf
install -m 644 bind.keys ${RPM_BUILD_ROOT}/etc/named.iscdlv.key
install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}/etc/trusted-key.key

@ -747,7 +781,7 @@ install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}/etc/trusted-key.key @@ -747,7 +781,7 @@ install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}/etc/trusted-key.key
mkdir -p sample/etc sample/var/named/{data,slaves}
install -m 644 %{SOURCE25} sample/etc/named.conf
# Copy default configuration to %%doc to make it usable from system-config-bind
install -m 644 ${RPM_BUILD_ROOT}/etc/named.conf named.conf.default
install -m 644 %{SOURCE26} named.conf.default
install -m 644 ${RPM_BUILD_ROOT}/etc/named.rfc1912.zones sample/etc/named.rfc1912.zones
install -m 644 ${RPM_BUILD_ROOT}/var/named/{named.ca,named.localhost,named.loopback,named.empty} sample/var/named
for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do
@ -765,20 +799,25 @@ install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named @@ -765,20 +799,25 @@ install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
%pre
if [ "$1" -eq 1 ]; then
/usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
/usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
/usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /bin/false -d /var/named -c Named named >/dev/null 2>&1 || :;
fi;
:;

%post
/sbin/ldconfig
%systemd_post named.service
if [ "$1" -eq 1 ]; then
# Initial installation
[ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
# rndc.key has to have correct perms and ownership, CVE-2007-6283
[ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
[ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
else
# Upgrade, use invalid shell
if getent passwd named | grep ':/sbin/nologin$' >/dev/null; then
usermod -s /bin/false named
fi
fi
%systemd_post named.service
:;

%preun
@ -787,8 +826,16 @@ fi @@ -787,8 +826,16 @@ fi

%postun
/sbin/ldconfig
# Package upgrade, not uninstall
%systemd_postun_with_restart named.service
# Unset on both upgrade and install. Boolean would be unset from now
# until %posttrans on upgrade. Write requests might fail during update.
(export LC_ALL=C; %{selinux_unset_booleans %{selinuxbooleans}})

%posttrans
# selinux-policy-targeted is required for following macro to work.
# This package should not depend on it explicitly, but anaconda ensures
# it is installed. Run after all packages are installed.
(export LC_ALL=C; %{selinux_set_booleans %{selinuxbooleans}})

%if %{SDB}
%post sdb
@ -940,6 +987,8 @@ rm -rf ${RPM_BUILD_ROOT} @@ -940,6 +987,8 @@ rm -rf ${RPM_BUILD_ROOT}
%{_sbindir}/named-compilezone
%{_sbindir}/isc-hmac-fixup
%{_libexecdir}/generate-rndc-key.sh
%{python_sitelib}/isc/
%{python_sitelib}/*.egg-info
%{_mandir}/man1/arpaname.1*
%{_mandir}/man5/named.conf.5*
%{_mandir}/man5/rndc.conf.5*
@ -964,19 +1013,20 @@ rm -rf ${RPM_BUILD_ROOT} @@ -964,19 +1013,20 @@ rm -rf ${RPM_BUILD_ROOT}
# Hide configuration
%defattr(0640,root,named,0750)
%dir %{_sysconfdir}/named
%dir %{_localstatedir}/named
%config(noreplace) %verify(not link) %{_sysconfdir}/named.conf
%config(noreplace) %verify(not link) %{_sysconfdir}/named.rfc1912.zones
%config %verify(not link) %{_localstatedir}/named/named.ca
%config %verify(not link) %{_localstatedir}/named/named.localhost
%config %verify(not link) %{_localstatedir}/named/named.loopback
%config %verify(not link) %{_localstatedir}/named/named.empty
%defattr(0660,root,named,01770)
%dir %{_localstatedir}/named
%defattr(0660,named,named,0770)
%dir %{_localstatedir}/named/slaves
%dir %{_localstatedir}/named/data
%dir %{_localstatedir}/named/dynamic
%ghost %{_localstatedir}/log/named.log
%defattr(0640,root,named,0750)
%config %verify(not link) %{_localstatedir}/named/named.ca
%config %verify(not link) %{_localstatedir}/named/named.localhost
%config %verify(not link) %{_localstatedir}/named/named.loopback
%config %verify(not link) %{_localstatedir}/named/named.empty
%ghost %config(noreplace) %{_sysconfdir}/rndc.key
# ^- rndc.key now created on first install only if it does not exist
# %%verify(not size,not md5) %%config(noreplace) %%attr(0640,root,named) /etc/rndc.conf
@ -1078,12 +1128,13 @@ rm -rf ${RPM_BUILD_ROOT} @@ -1078,12 +1128,13 @@ rm -rf ${RPM_BUILD_ROOT}
%dir %{chroot_prefix}/etc/pki/dnssec-keys
%dir %{chroot_prefix}/var
%dir %{chroot_prefix}/run
%dir %{chroot_prefix}/var/named
%ghost %config(noreplace) %{chroot_prefix}/etc/named.conf
%defattr(-,root,root,-)
%dir %{chroot_prefix}/usr
%dir %{chroot_prefix}/%{_libdir}
%dir %{chroot_prefix}/%{_libdir}/bind
%defattr(0660,root,named,01770)
%dir %{chroot_prefix}/var/named
%defattr(0660,named,named,0770)
%dir %{chroot_prefix}/var/tmp
%dir %{chroot_prefix}/var/log
@ -1109,8 +1160,9 @@ rm -rf ${RPM_BUILD_ROOT} @@ -1109,8 +1160,9 @@ rm -rf ${RPM_BUILD_ROOT}
%dir %{chroot_sdb_prefix}/etc/pki/dnssec-keys
%dir %{chroot_sdb_prefix}/var
%dir %{chroot_sdb_prefix}/run
%dir %{chroot_sdb_prefix}/var/named
%ghost %config(noreplace) %{chroot_sdb_prefix}/etc/named.conf
%defattr(0660,root,named,01770)
%dir %{chroot_sdb_prefix}/var/named
%defattr(-,root,root,-)
%dir %{chroot_sdb_prefix}/usr
%dir %{chroot_sdb_prefix}/%{_libdir}
@ -1155,6 +1207,45 @@ rm -rf ${RPM_BUILD_ROOT} @@ -1155,6 +1207,45 @@ rm -rf ${RPM_BUILD_ROOT}
%endif

%changelog
* Fri Nov 23 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-73
- Fixes debug level comments (#1647539)

* Thu Sep 20 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-72
- Fix automatic selinux boolean named_write_master_zones (#1569466)
- Allow starting named with readonly home again

* Wed Aug 08 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-71
- Fix CVE-2018-5740

* Sun Jun 24 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-70
- Fix compiler warnings

* Thu Jun 21 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-69
- Refetch always records with TTL 0 (#1549130)

* Thu Jun 21 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-68
- Detect and disable MD5 functions in FIPS 140-2 mode (#1519306)

* Thu Jun 14 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-67
- Move change of dns_view_t to the end (#1452091)

* Fri Jun 01 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-66
- Correct recursing file name (#1435883)
- Use python binary again, install all modules (#1510008)

* Thu May 31 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-65
- Add rndc secroots and recursing output files into data (#1435883)

* Mon May 28 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-64
- Backported negative trust anchors (#1452091)

* Mon May 28 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-63
- Make named home writeable (#1569466)
- Change named shell to /bin/false

* Tue May 22 2018 Martin Sehnoutka <msehnout@redhat.com> - 32:9.9.4-62
- Resolves: #1510008 - add support for dnssec-keymgr

* Tue Jan 16 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-61
- Fix CVE-2017-3145


Loading…
Cancel
Save