
bind package update

Signed-off-by: webbuilder_pel7ppc64lebuilder0 <webbuilder@powerel.org>
master
webbuilder_pel7ppc64lebuilder0 5 years ago
parent
commit
0ebc5605a0
  1. 31
      SOURCES/bind-9.5-sdb.patch
  2. 53
      SOURCES/bind99-CVE-2018-5740.patch
  3. 1978
      SOURCES/bind99-fips-tests.patch
  4. 1396
      SOURCES/bind99-fips.patch
  5. 8290
      SOURCES/bind99-nta.patch
  6. 232
      SOURCES/bind99-rh1510008-2.patch
  7. 6053
      SOURCES/bind99-rh1510008.patch
  8. 54
      SOURCES/bind99-rh1549130-2.patch
  9. 183
      SOURCES/bind99-rh1549130.patch
  10. 28
      SOURCES/bind99-rh1647539.patch
  11. 2
      SOURCES/named.conf.sample
  12. 117
      SPECS/bind.spec

31
SOURCES/bind-9.5-sdb.patch

@ -14,10 +14,10 @@ index 187ec23..e6179e7 100644 @@ -14,10 +14,10 @@ index 187ec23..e6179e7 100644
@BIND9_MAKE_RULES@
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
index bc5be2a..71324d9 100644
index 5ba3f56..1868418 100644
--- a/bin/named-sdb/Makefile.in
+++ b/bin/named-sdb/Makefile.in
@@ -34,10 +34,10 @@ top_srcdir = @top_srcdir@
@@ -32,10 +32,10 @@ top_srcdir = @top_srcdir@
#
# Add database drivers here.
#
@ -31,7 +31,7 @@ index bc5be2a..71324d9 100644 @@ -31,7 +31,7 @@ index bc5be2a..71324d9 100644
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
@@ -83,7 +83,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
@@ -81,7 +81,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
@ -40,7 +40,7 @@ index bc5be2a..71324d9 100644 @@ -40,7 +40,7 @@ index bc5be2a..71324d9 100644
GEOIPLINKOBJS = geoip.@O@
@@ -146,7 +146,7 @@ config.@O@: config.c bind.keys.h
@@ -145,7 +145,7 @@ config.@O@: config.c bind.keys.h
-DNS_SYSCONFDIR=\"${sysconfdir}\" \
-c ${srcdir}/config.c
@ -49,7 +49,7 @@ index bc5be2a..71324d9 100644 @@ -49,7 +49,7 @@ index bc5be2a..71324d9 100644
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -177,15 +177,9 @@ statschannel.@O@: bind9.xsl.h bind9.ver3.xsl.h
@@ -176,15 +176,9 @@ statschannel.@O@: bind9.xsl.h bind9.ver3.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@ -69,7 +69,7 @@ index bc5be2a..71324d9 100644 @@ -69,7 +69,7 @@ index bc5be2a..71324d9 100644
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
index a00687f..4fba625 100644
index d26783f..75691ed 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
@@ -86,6 +86,9 @@
@ -163,10 +163,10 @@ index a00687f..4fba625 100644 @@ -163,10 +163,10 @@ index a00687f..4fba625 100644
ISC_LOG_NOTICE, "exiting");
ns_log_shutdown();
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index bc5be2a..3c69c9b 100644
index 5ba3f56..4beeaf0 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -51,7 +51,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
@@ -49,7 +49,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
@ -175,7 +175,7 @@ index bc5be2a..3c69c9b 100644 @@ -175,7 +175,7 @@ index bc5be2a..3c69c9b 100644
CWARNINGS =
@@ -75,11 +75,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
@@ -73,11 +73,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
@ -189,7 +189,7 @@ index bc5be2a..3c69c9b 100644 @@ -189,7 +189,7 @@ index bc5be2a..3c69c9b 100644
SUBDIRS = unix
@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
@@ -92,8 +92,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@ -199,7 +199,7 @@ index bc5be2a..3c69c9b 100644 @@ -199,7 +199,7 @@ index bc5be2a..3c69c9b 100644
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -110,8 +109,7 @@ SRCS = builtin.c client.c config.c control.c \
@@ -108,8 +107,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@ -209,7 +209,7 @@ index bc5be2a..3c69c9b 100644 @@ -209,7 +209,7 @@ index bc5be2a..3c69c9b 100644
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -187,7 +185,5 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
@@ -186,7 +184,5 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
@ -218,10 +218,10 @@ index bc5be2a..3c69c9b 100644 @@ -218,10 +218,10 @@ index bc5be2a..3c69c9b 100644
named-symtbl.@O@: named-symtbl.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
diff --git a/configure.in b/configure.in
index 9bb9a2a..d72093f 100644
index d72f635..1aae803 100644
--- a/configure.in
+++ b/configure.in
@@ -4018,12 +4018,15 @@ AC_CONFIG_FILES([
@@ -4050,6 +4050,8 @@ AC_CONFIG_FILES([
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
bin/named/unix/Makefile
@ -230,8 +230,9 @@ index 9bb9a2a..d72093f 100644 @@ -230,8 +230,9 @@ index 9bb9a2a..d72093f 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
bin/python/dnssec-checkds.py
@@ -4060,6 +4062,7 @@ AC_CONFIG_FILES([
bin/python/dnssec-coverage.py
bin/python/dnssec-keymgr.py
bin/rndc/Makefile
+ bin/sdb_tools/Makefile
bin/tests/Makefile

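--- a/SOURCES/bind99-CVE-2018-5740.patch
+++ b/SOURCES/bind99-CVE-2018-5740.patch
@@ -0,0 +1,53 @@
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 252a02f..bfffb8a 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -5957,6 +5957,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+unsigned int nlabels;
+dns_fixedname_t fixed;
+dns_name_t prefix;
++ int order;
+REQUIRE(rdataset != NULL);
+REQUIRE(rdataset->type == dns_rdatatype_cname ||
+@@ -5979,18 +5980,26 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+tname = &cname.cname;
+break;
+case dns_rdatatype_dname:
++ if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
++ dns_namereln_subdomain)
++ {
++ return (ISC_TRUE);
++ }
+result = dns_rdata_tostruct(&rdata, &dname, NULL);
+RUNTIME_CHECK(result == ISC_R_SUCCESS);
+dns_name_init(&prefix, NULL);
+dns_fixedname_init(&fixed);
+tname = dns_fixedname_name(&fixed);
+- nlabels = dns_name_countlabels(qname) -
+- dns_name_countlabels(rname);
++ nlabels = dns_name_countlabels(rname);
+dns_name_split(qname, nlabels, &prefix, NULL);
+result = dns_name_concatenate(&prefix, &dname.dname, tname,
+NULL);
+- if (result == DNS_R_NAMETOOLONG)
++ if (result == DNS_R_NAMETOOLONG) {
++ if (chainingp != NULL) {
++ *chainingp = ISC_TRUE;
++ }
+return (ISC_TRUE);
++ }
+RUNTIME_CHECK(result == ISC_R_SUCCESS);
+break;
+default:
+@@ -6719,7 +6728,9 @@ answer_response(fetchctx_t *fctx) {
+}
+if ((ardataset->type == dns_rdatatype_cname ||
+ardataset->type == dns_rdatatype_dname) &&
+- !is_answertarget_allowed(fctx, qname, aname, ardataset,
++ type != ardataset->type &&
++ type != dns_rdatatype_any &&
++ !is_answertarget_allowed(fctx, qname, aname, ardataset,
+NULL))
+{
+return (DNS_R_SERVFAIL);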
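Review bot: The early `return (ISC_TRUE);` added at the top of the `dns_rdatatype_dname` case in is_answertarget_allowed() has no comment, and "allowed" is a surprising result for a DNAME whose owner does not cover the query name. I would add `/* rname is not an ancestor of qname, so the DNAME substitution does not apply and there is no target name to check. */` above the `dns_name_fullcompare()` test. The new `type != ardataset->type && type != dns_rdatatype_any` conditions in answer_response() skip the answer-target check for explicit CNAME/DNAME and ANY queries, which also deserves a one-line comment so the exemption is not mistaken for an oversight. The patch carries no regression test for the case it fixes. Both functions start and end outside the hunks shown.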

1978
SOURCES/bind99-fips-tests.patch

File diff suppressed because it is too large Load Diff

1396
SOURCES/bind99-fips.patch

File diff suppressed because it is too large Load Diff

8290
SOURCES/bind99-nta.patch

File diff suppressed because it is too large Load Diff

232
SOURCES/bind99-rh1510008-2.patch

@ -0,0 +1,232 @@ @@ -0,0 +1,232 @@
From 4a0a86d84ff11337c363e0540947da136b296b70 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 29 Apr 2016 14:17:21 -0700
Subject: [PATCH] [master] more python2/3 compatibility fixes; use setup.py to
install

---
bin/python/Makefile.in | 2 ++
bin/python/isc/Makefile.in | 28 +++-------------------------
bin/python/isc/__init__.py | 6 ++++--
bin/python/isc/checkds.py | 5 +++--
bin/python/isc/coverage.py | 7 +++----
bin/python/isc/dnskey.py | 4 ++--
bin/python/isc/keymgr.py | 7 +++----
bin/python/isc/policy.py | 6 +++++-
bin/python/setup.py | 8 ++++++++
9 files changed, 33 insertions(+), 40 deletions(-)
create mode 100644 bin/python/setup.py

diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
index 1e4af9c2e2..7ef32cc59b 100644
--- a/bin/python/Makefile.in
+++ b/bin/python/Makefile.in
@@ -55,9 +55,11 @@ install:: ${TARGETS} installdirs
${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/dnssec-keymgr.8 ${DESTDIR}${mandir}/man8
+ test -z "${PYTHON}" || ${PYTHON} setup.py install --prefix=${DESTDIR}${prefix}
clean distclean::
rm -f ${TARGETS}
+ rm -rf build
distclean::
rm -f dnssec-checkds.py dnssec-coverage.py dnssec-keymgr.py
diff --git a/bin/python/isc/Makefile.in b/bin/python/isc/Makefile.in
index 425d054cce..a72f6e4054 100644
--- a/bin/python/isc/Makefile.in
+++ b/bin/python/isc/Makefile.in
@@ -24,44 +24,22 @@ PYTHON = @PYTHON@
PYSRCS = __init__.py dnskey.py eventlist.py keydict.py \
keyevent.py keyzone.py policy.py
-TARGETS = parsetab.py parsetab.pyc \
- __init__.pyc dnskey.pyc eventlist.py keydict.py \
- keyevent.pyc keyzone.pyc policy.pyc
+TARGETS = parsetab.py
@BIND9_MAKE_RULES@
%.pyc: %.py
$(PYTHON) -m compileall .
-parsetab.py parsetab.pyc: policy.py
+parsetab.py: policy.py
$(PYTHON) policy.py parse /dev/null > /dev/null
$(PYTHON) -m parsetab
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}/isc
-
-install:: ${PYSRCS} installdirs
- ${INSTALL_SCRIPT} __init__.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} __init__.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} dnskey.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} dnskey.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} eventlist.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} eventlist.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} keydict.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} keydict.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} keyevent.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} keyevent.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} keyzone.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} keyzone.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} policy.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} policy.pyc ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} parsetab.py ${DESTDIR}${libdir}
- ${INSTALL_SCRIPT} parsetab.pyc ${DESTDIR}${libdir}
-
check test: subdirs
clean distclean::
rm -f *.pyc parser.out parsetab.py
+ rm -rf __pycache__ build
distclean::
rm -Rf utils.py
\ No newline at end of file
diff --git a/bin/python/isc/__init__.py b/bin/python/isc/__init__.py
index 0d79f356fd..10b3c45cf1 100644
--- a/bin/python/isc/__init__.py
+++ b/bin/python/isc/__init__.py
@@ -13,8 +13,10 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-__all__ = ['dnskey', 'eventlist', 'keydict', 'keyevent', 'keyseries',
- 'keyzone', 'policy', 'parsetab', 'utils']
+__all__ = ['checkds', 'coverage', 'keymgr', 'dnskey', 'eventlist',
+ 'keydict', 'keyevent', 'keyseries', 'keyzone', 'policy',
+ 'parsetab', 'utils']
+
from isc.dnskey import *
from isc.eventlist import *
from isc.keydict import *
diff --git a/bin/python/isc/checkds.py b/bin/python/isc/checkds.py
index 64ca12ebc6..2b7da39fc9 100644
--- a/bin/python/isc/checkds.py
+++ b/bin/python/isc/checkds.py
@@ -42,7 +42,7 @@ class SECRR:
if not rrtext:
raise Exception
- fields = rrtext.split()
+ fields = rrtext.decode('ascii').split()
if len(fields) < 7:
raise Exception
@@ -75,7 +75,8 @@ class SECRR:
fields = fields[2:]
if fields[0].upper() != self.rrtype:
- raise Exception
+ raise Exception('%s does not match %s' %
+ (fields[0].upper(), self.rrtype))
self.keyid, self.keyalg, self.hashalg = map(int, fields[1:4])
self.digest = ''.join(fields[4:]).upper()
diff --git a/bin/python/isc/coverage.py b/bin/python/isc/coverage.py
index c9e89596f7..bfe811bee8 100644
--- a/bin/python/isc/coverage.py
+++ b/bin/python/isc/coverage.py
@@ -27,9 +27,7 @@ from collections import defaultdict
prog = 'dnssec-coverage'
-from isc import *
-from isc.utils import prefix
-
+from isc import dnskey, eventlist, keydict, keyevent, keyzone, utils
############################################################################
# print a fatal error and exit
@@ -139,7 +137,8 @@ def set_path(command, default=None):
def parse_args():
"""Read command line arguments, set global 'args' structure"""
compilezone = set_path('named-compilezone',
- os.path.join(prefix('sbin'), 'named-compilezone'))
+ os.path.join(utils.prefix('sbin'),
+ 'named-compilezone'))
parser = argparse.ArgumentParser(description=prog + ': checks future ' +
'DNSKEY coverage for a zone')
diff --git a/bin/python/isc/dnskey.py b/bin/python/isc/dnskey.py
index f1559e7239..14079504b6 100644
--- a/bin/python/isc/dnskey.py
+++ b/bin/python/isc/dnskey.py
@@ -205,11 +205,11 @@ class dnskey:
raise Exception('unable to generate key: ' + str(stderr))
try:
- keystr = stdout.splitlines()[0]
+ keystr = stdout.splitlines()[0].decode('ascii')
newkey = dnskey(keystr, keys_dir, ttl)
return newkey
except Exception as e:
- raise Exception('unable to generate key: %s' % str(e))
+ raise Exception('unable to parse generated key: %s' % str(e))
def generate_successor(self, keygen_bin, **kwargs):
quiet = kwargs.get('quiet', False)
diff --git a/bin/python/isc/keymgr.py b/bin/python/isc/keymgr.py
index a3a9043965..cbe86ab65e 100644
--- a/bin/python/isc/keymgr.py
+++ b/bin/python/isc/keymgr.py
@@ -20,8 +20,7 @@ from collections import defaultdict
prog='dnssec-keymgr'
-from isc import *
-from isc.utils import prefix
+from isc import dnskey, keydict, keyseries, policy, parsetab, utils
############################################################################
# print a fatal error and exit
@@ -63,9 +62,9 @@ def parse_args():
"""
keygen = set_path('dnssec-keygen',
- os.path.join(prefix('sbin'), 'dnssec-keygen'))
+ os.path.join(utils.prefix('sbin'), 'dnssec-keygen'))
settime = set_path('dnssec-settime',
- os.path.join(prefix('sbin'), 'dnssec-settime'))
+ os.path.join(utils.prefix('sbin'), 'dnssec-settime'))
parser = argparse.ArgumentParser(description=prog + ': schedule '
'DNSSEC key rollovers according to a '
diff --git a/bin/python/isc/policy.py b/bin/python/isc/policy.py
index ed106c6c92..dbb4abf010 100644
--- a/bin/python/isc/policy.py
+++ b/bin/python/isc/policy.py
@@ -104,8 +104,12 @@ class PolicyLex:
t.lexer.skip(1)
def __init__(self, **kwargs):
+ if 'maketrans' in dir(str):
+ trans = str.maketrans('_', '-')
+ else:
+ trans = maketrans('_', '-')
for r in self.reserved:
- self.reserved_map[r.lower().translate(maketrans('_', '-'))] = r
+ self.reserved_map[r.lower().translate(trans)] = r
self.lexer = lex.lex(object=self, **kwargs)
def test(self, text):
diff --git a/bin/python/setup.py b/bin/python/setup.py
new file mode 100644
index 0000000000..d7ea4a4d41
--- /dev/null
+++ b/bin/python/setup.py
@@ -0,0 +1,8 @@
+from distutils.core import setup
+setup(name='isc',
+ version='2.0',
+ description='Python functions to support BIND utilities',
+ url='https://www.isc.org/bind',
+ author='Internet Systems Consortium, Inc',
+ license='ISC',
+ packages=['isc'])
--
2.14.3
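Review bot: The install line added to bin/python/Makefile.in passes the staging directory as part of the prefix (`--prefix=${DESTDIR}${prefix}`) instead of as an install root. With a non-empty DESTDIR this may record the staging path in byte-compiled files and package metadata that end up in the shipped package. When DESTDIR is set I would call `${PYTHON} setup.py install --root=${DESTDIR} --prefix=${prefix}` and keep plain `--prefix=${prefix}` otherwise, since an empty `--root=` is not the same as omitting the option. The variables are also unquoted, so a DESTDIR containing spaces would split the command.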

6053
SOURCES/bind99-rh1510008.patch

File diff suppressed because it is too large Load Diff

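--- a/SOURCES/bind99-rh1549130-2.patch
+++ b/SOURCES/bind99-rh1549130-2.patch
@@ -0,0 +1,54 @@
+From 9f9ce5d91a944407e13360e9c92c090d23777a8b Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 27 May 2016 18:39:33 +1000
+Subject: [PATCH] fix merge error
+
+---
+bin/named/query.c | 31 +++++++++++++++++++++++++++++++
+1 file changed, 31 insertions(+)
+
+diff --git a/bin/named/query.c b/bin/named/query.c
+index 6e988f5686..2c44e9ff53 100644
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -7195,6 +7195,37 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+* we know the answer.
+*/
++ /*
++ * If we have a zero ttl from the cache refetch it.
++ */
++ if (!is_zone && event == NULL && rdataset->ttl == 0 &&
++ RECURSIONOK(client))
++ {
++ if (dns_rdataset_isassociated(rdataset))
++ dns_rdataset_disassociate(rdataset);
++ if (sigrdataset != NULL &&
++ dns_rdataset_isassociated(sigrdataset))
++ dns_rdataset_disassociate(sigrdataset);
++ if (node != NULL)
++ dns_db_detachnode(db, &node);
++
++ result = query_recurse(client, qtype,
++ client->query.qname,
++ NULL, NULL, resuming);
++ if (result == ISC_R_SUCCESS) {
++ client->query.attributes |=
++ NS_QUERYATTR_RECURSING;
++ if (dns64)
++ client->query.attributes |=
++ NS_QUERYATTR_DNS64;
++ if (dns64_exclude)
++ client->query.attributes |=
++ NS_QUERYATTR_DNS64EXCLUDE;
++ } else
++ RECURSE_ERROR(result);
++ goto cleanup;
++ }
++
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+/*
+* Optionally hide AAAAs from IPv4 clients if there is an A.
+--
+2.14.4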
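Review bot: The comment on the block added to query_find(), "If we have a zero ttl from the cache refetch it.", says what the code does but not why, nor why `event == NULL` is part of the condition. Something like `/* A TTL 0 answer is only valid for the clients that were waiting on the fetch that produced it; a later query (event == NULL) must recurse again instead of reusing the cached copy. */` would match the upstream changelog text quoted in bind99-rh1549130.patch. It is also worth noting for operators that each such query now starts a new upstream fetch, so load from names served with TTL 0 is limited only by the server's recursion limits (for example `recursive-clients`). The identical block is added under `case DNS_R_CNAME:` in bind99-rh1549130.patch and needs the same comment. query_find() starts and ends outside the hunk.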

183
SOURCES/bind99-rh1549130.patch

@ -0,0 +1,183 @@ @@ -0,0 +1,183 @@
From 02412bfe731d0cb229eb22f0ca4e8fbaed601cbe Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 27 May 2016 09:59:46 +1000
Subject: [PATCH] 4377. [bug] Don't reuse zero TTL responses beyond
the current client set (excludes ANY/SIG/RRSIG
queries). [RT #42142]

(cherry picked from commit aabcb1fde0ca255ff30f0a5c10cbd39f798cc5b7)

REDIRECT macro is 9.11.0+
---
bin/named/query.c | 31 +++++++++++++++
bin/tests/system/zero/ans5/ans.pl | 81 +++++++++++++++++++++++++++++++++++++++
bin/tests/system/zero/ns1/root.db | 2 +
bin/tests/system/zero/tests.sh | 13 +++++++
4 files changed, 127 insertions(+)
create mode 100644 bin/tests/system/zero/ans5/ans.pl

diff --git a/bin/named/query.c b/bin/named/query.c
index 2c44e9ff53..3b402f1d01 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -6816,6 +6816,37 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
goto cleanup;
case DNS_R_CNAME:
+ /*
+ * If we have a zero ttl from the cache refetch it.
+ */
+ if (!is_zone && event == NULL && rdataset->ttl == 0 &&
+ RECURSIONOK(client))
+ {
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+
+ result = query_recurse(client, qtype,
+ client->query.qname,
+ NULL, NULL, resuming);
+ if (result == ISC_R_SUCCESS) {
+ client->query.attributes |=
+ NS_QUERYATTR_RECURSING;
+ if (dns64)
+ client->query.attributes |=
+ NS_QUERYATTR_DNS64;
+ if (dns64_exclude)
+ client->query.attributes |=
+ NS_QUERYATTR_DNS64EXCLUDE;
+ } else
+ RECURSE_ERROR(result);
+ goto cleanup;
+ }
+
/*
* Keep a copy of the rdataset. We have to do this because
* query_addrrset may clear 'rdataset' (to prevent the
diff --git a/bin/tests/system/zero/ans5/ans.pl b/bin/tests/system/zero/ans5/ans.pl
new file mode 100644
index 0000000000..9dfa18e444
--- /dev/null
+++ b/bin/tests/system/zero/ans5/ans.pl
@@ -0,0 +1,81 @@
+#!/usr/bin/perl -w
+#
+# Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+#
+# Don't respond if the "norespond" file exists; otherwise respond to
+# any A or AAAA query.
+#
+
+use IO::File;
+use IO::Socket;
+use Net::DNS;
+use Net::DNS::Packet;
+
+my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.5",
+ LocalPort => 5300, Proto => "udp") or die "$!";
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+my $octet = 0;
+
+for (;;) {
+ $sock->recv($buf, 512);
+
+ print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
+
+ my $packet;
+
+ if ($Net::DNS::VERSION > 0.68) {
+ $packet = new Net::DNS::Packet(\$buf, 0);
+ $@ and die $@;
+ } else {
+ my $err;
+ ($packet, $err) = new Net::DNS::Packet(\$buf, 0);
+ $err and die $err;
+ }
+
+ print "REQUEST:\n";
+ $packet->print;
+
+ $packet->header->qr(1);
+
+ my @questions = $packet->question;
+ my $qname = $questions[0]->qname;
+ my $qtype = $questions[0]->qtype;
+
+ $packet->header->aa(1);
+ if ($qtype eq "A") {
+ $packet->push("answer",
+ new Net::DNS::RR($qname .
+ " 0 A 192.0.2." . $octet));
+ $octet = $octet + 1;
+ } elsif ($qtype eq "AAAA") {
+ $packet->push("answer",
+ new Net::DNS::RR($qname .
+ " 300 AAAA 2001:db8:beef::1"));
+ }
+
+ $sock->send($packet->data);
+ print "RESPONSE:\n";
+ $packet->print;
+ print "\n";
+}
diff --git a/bin/tests/system/zero/ns1/root.db b/bin/tests/system/zero/ns1/root.db
index 69aca86fb8..beb97cb693 100644
--- a/bin/tests/system/zero/ns1/root.db
+++ b/bin/tests/system/zero/ns1/root.db
@@ -22,3 +22,5 @@ example. NS ns2.example.
ns2.example. A 10.53.0.2
example. NS ns4.example.
ns4.example. A 10.53.0.4
+increment. NS incrementns.
+incrementns A 10.53.0.5
diff --git a/bin/tests/system/zero/tests.sh b/bin/tests/system/zero/tests.sh
index 15c2906a92..bbb78f0fd8 100644
--- a/bin/tests/system/zero/tests.sh
+++ b/bin/tests/system/zero/tests.sh
@@ -44,5 +44,18 @@ done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:check repeated recursive lookups of non recurring zero ttl responses get new values"
+count=`(
+dig +short -p 5300 @10.53.0.3 foo.increment
+dig +short -p 5300 @10.53.0.3 foo.increment
+dig +short -p 5300 @10.53.0.3 foo.increment
+dig +short -p 5300 @10.53.0.3 foo.increment
+dig +short -p 5300 @10.53.0.3 foo.increment
+dig +short -p 5300 @10.53.0.3 foo.increment
+dig +short -p 5300 @10.53.0.3 foo.increment
+) | sort -u | wc -l `
+if [ $count -ne 7 ] ; then echo "I:failed (count=$count)"; ret=1; fi
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
exit $status
--
2.14.4
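Review bot: The check added to bin/tests/system/zero/tests.sh never resets `ret` before it runs, so a failure left over from the preceding check is added to `status` a second time by the new `expr $status + $ret` line and the final status no longer counts failed checks correctly. Add `ret=0` directly after the new `echo "I:check repeated recursive lookups ..."` line. In ans5/ans.pl, `$octet` is incremented without a bound, so the helper would build an invalid `192.0.2.N` address after 256 A queries; `$octet = ($octet + 1) % 256;` keeps it valid if the test is ever extended beyond the seven lookups used here.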

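--- a/SOURCES/bind99-rh1647539.patch
+++ b/SOURCES/bind99-rh1647539.patch
@@ -0,0 +1,28 @@
+From 89293e44e0d022463b03a92a30b3790d4569bd50 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 20 Feb 2014 23:04:54 +1100
+Subject: [PATCH] 3752. [bug] Address potential REQUIRE failure if
+DNS_STYLEFLAG_COMMENTDATA is set when printing out
+a rdataset.
+
+(cherry picked from commit 86856f4f3069bb2d75851b56401ffde18f41198f)
+---
+lib/dns/masterdump.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
+index 80fcd4c12d..58dcd3de3e 100644
+--- a/lib/dns/masterdump.c
++++ b/lib/dns/masterdump.c
+@@ -451,7 +451,7 @@ rdataset_totext(dns_rdataset_t *rdataset,
+* Comment?
+*/
+if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0)
+- isc_buffer_putstr(target, ";");
++ RETERR(str_totext(";", target));
+/*
+* Owner name.
+--
+2.14.5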

2
SOURCES/named.conf.sample

@ -13,6 +13,8 @@ options @@ -13,6 +13,8 @@ options
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
recursing-file "data/named.recursing";
secroots-file "data/named.secroots";


/*

117
SPECS/bind.spec

@ -17,6 +17,7 @@ @@ -17,6 +17,7 @@
%{?!DEVEL: %global DEVEL 1}
%global bind_dir /var/named
%global chroot_prefix %{bind_dir}/chroot
%global selinuxbooleans named_write_master_zones=1
%if %{SDB}
%global chroot_sdb_prefix %{bind_dir}/chroot_sdb
%endif
@ -25,7 +26,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv @@ -25,7 +26,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: ISC
Version: 9.9.4
Release: 61%{?PATCHVER}%{?PREVER}%{?dist}
Release: 73%{?PATCHVER}%{?PREVER}%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -38,7 +39,8 @@ Source7: bind-9.3.1rc1-sdb_tools-Makefile.in @@ -38,7 +39,8 @@ Source7: bind-9.3.1rc1-sdb_tools-Makefile.in
Source8: dnszone.schema
Source12: README.sdb_pgsql
Source25: named.conf.sample
Source28: config-15.tar.bz2
Source26: named.conf
Source28: config-16.tar.bz2
# Up-to-date bind.keys from upstream
# Fetch a new one from page https://www.isc.org/bind-keys
Source29: bind.keys
@ -161,6 +163,17 @@ Patch188: bind99-rh1464850-2.patch @@ -161,6 +163,17 @@ Patch188: bind99-rh1464850-2.patch
Patch189: bind99-rh1501531.patch
# ISC 4858
Patch190: bind99-CVE-2017-3145.patch
Patch191: bind99-rh1510008.patch
Patch192: bind99-nta.patch
Patch193: bind99-rh1510008-2.patch
Patch194: bind99-fips.patch
Patch195: bind99-fips-tests.patch
# commit c3fbf330bc014f0470371e8da590d14a1d62977e ISC 4377
Patch196: bind99-rh1549130.patch
# commit cb735b3f902d4bb5f6e30328d5828d38efa63573
Patch197: bind99-rh1549130-2.patch
Patch198: bind99-CVE-2018-5740.patch
Patch199: bind99-rh1647539.patch

# Native PKCS#11 functionality from 9.10
Patch150:bind-9.9-allow_external_dnskey.patch
@ -190,6 +203,8 @@ Requires(postun): systemd @@ -190,6 +203,8 @@ Requires(postun): systemd
Requires: coreutils
Requires: systemd-units
Requires(post): grep, systemd
Requires(post): shadow-utils
Requires(post): glibc-common
Requires(pre): shadow-utils
Requires: bind-libs = %{epoch}:%{version}-%{release}
Obsoletes: bind-config < 30:9.3.2-34.fc6
@ -198,9 +213,18 @@ Obsoletes: caching-nameserver < 31:9.4.1-7.fc8 @@ -198,9 +213,18 @@ Obsoletes: caching-nameserver < 31:9.4.1-7.fc8
Provides: caching-nameserver = 31:9.4.1-7.fc8
Obsoletes: dnssec-conf < 1.27-2
Provides: dnssec-conf = 1.27-1
Requires: python-ply
Provides: python-isc = %{epoch}:%{version}-%{release}
Provides: python-bind = %{epoch}:%{version}-%{release}
# selinux_set_booleans requires
Requires(post): policycoreutils-python, libselinux-utils, selinux-policy
Requires(postun): policycoreutils-python, libselinux-utils, selinux-policy
Requires(posttrans): policycoreutils-python, libselinux-utils, selinux-policy
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
BuildRequires: libidn-devel, libxml2-devel, GeoIP-devel
BuildRequires: systemd-units
BuildRequires: python-ply
BuildRequires: selinux-policy
%if %{SDB}
BuildRequires: openldap-devel, postgresql-devel, sqlite-devel, mysql-devel
BuildRequires: libdb-devel
@ -467,6 +491,15 @@ tar -xf %{SOURCE48} -C bin/tests/system/geoip/data @@ -467,6 +491,15 @@ tar -xf %{SOURCE48} -C bin/tests/system/geoip/data
%patch188 -p1 -b .rh1464850
%patch189 -p1 -b .rh1501531
%patch190 -p1 -b .CVE-2017-3145
%patch191 -p1 -b .dnssec-keymgr
%patch192 -p1 -b .rh1452091
%patch193 -p1 -b .dnssec-keymgr-2
%patch194 -p1 -b .fips
%patch195 -p1 -b .fips-tests
%patch196 -p1 -b .rh1549130
%patch197 -p1 -b .rh1549130-2
%patch198 -p1 -b .CVE-2018-5740
%patch199 -p1 -b .rh1647539

# Override upstream builtin keys
cp -fp %{SOURCE29} bind.keys
@ -740,6 +773,7 @@ tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE28} @@ -740,6 +773,7 @@ tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE28}
touch ${RPM_BUILD_ROOT}/etc/rndc.key
touch ${RPM_BUILD_ROOT}/etc/rndc.conf
mkdir ${RPM_BUILD_ROOT}/etc/named
install -m 640 %{SOURCE26} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf
install -m 644 bind.keys ${RPM_BUILD_ROOT}/etc/named.iscdlv.key
install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}/etc/trusted-key.key

@ -747,7 +781,7 @@ install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}/etc/trusted-key.key @@ -747,7 +781,7 @@ install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}/etc/trusted-key.key
mkdir -p sample/etc sample/var/named/{data,slaves}
install -m 644 %{SOURCE25} sample/etc/named.conf
# Copy default configuration to %%doc to make it usable from system-config-bind
install -m 644 ${RPM_BUILD_ROOT}/etc/named.conf named.conf.default
install -m 644 %{SOURCE26} named.conf.default
install -m 644 ${RPM_BUILD_ROOT}/etc/named.rfc1912.zones sample/etc/named.rfc1912.zones
install -m 644 ${RPM_BUILD_ROOT}/var/named/{named.ca,named.localhost,named.loopback,named.empty} sample/var/named
for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do
@ -765,20 +799,25 @@ install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named @@ -765,20 +799,25 @@ install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
%pre
if [ "$1" -eq 1 ]; then
/usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
/usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
/usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /bin/false -d /var/named -c Named named >/dev/null 2>&1 || :;
fi;
:;

%post
/sbin/ldconfig
%systemd_post named.service
if [ "$1" -eq 1 ]; then
# Initial installation
[ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
# rndc.key has to have correct perms and ownership, CVE-2007-6283
[ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
[ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
else
# Upgrade, use invalid shell
if getent passwd named | grep ':/sbin/nologin$' >/dev/null; then
usermod -s /bin/false named
fi
fi
%systemd_post named.service
:;

%preun
@ -787,8 +826,16 @@ fi @@ -787,8 +826,16 @@ fi

%postun
/sbin/ldconfig
# Package upgrade, not uninstall
%systemd_postun_with_restart named.service
# Unset on both upgrade and install. Boolean would be unset from now
# until %posttrans on upgrade. Write requests might fail during update.
(export LC_ALL=C; %{selinux_unset_booleans %{selinuxbooleans}})

%posttrans
# selinux-policy-targeted is required for following macro to work.
# This package should not depend on it explicitly, but anaconda ensures
# it is installed. Run after all packages are installed.
(export LC_ALL=C; %{selinux_set_booleans %{selinuxbooleans}})

%if %{SDB}
%post sdb
@ -940,6 +987,8 @@ rm -rf ${RPM_BUILD_ROOT} @@ -940,6 +987,8 @@ rm -rf ${RPM_BUILD_ROOT}
%{_sbindir}/named-compilezone
%{_sbindir}/isc-hmac-fixup
%{_libexecdir}/generate-rndc-key.sh
%{python_sitelib}/isc/
%{python_sitelib}/*.egg-info
%{_mandir}/man1/arpaname.1*
%{_mandir}/man5/named.conf.5*
%{_mandir}/man5/rndc.conf.5*
@ -964,19 +1013,20 @@ rm -rf ${RPM_BUILD_ROOT} @@ -964,19 +1013,20 @@ rm -rf ${RPM_BUILD_ROOT}
# Hide configuration
%defattr(0640,root,named,0750)
%dir %{_sysconfdir}/named
%dir %{_localstatedir}/named
%config(noreplace) %verify(not link) %{_sysconfdir}/named.conf
%config(noreplace) %verify(not link) %{_sysconfdir}/named.rfc1912.zones
%config %verify(not link) %{_localstatedir}/named/named.ca
%config %verify(not link) %{_localstatedir}/named/named.localhost
%config %verify(not link) %{_localstatedir}/named/named.loopback
%config %verify(not link) %{_localstatedir}/named/named.empty
%defattr(0660,root,named,01770)
%dir %{_localstatedir}/named
%defattr(0660,named,named,0770)
%dir %{_localstatedir}/named/slaves
%dir %{_localstatedir}/named/data
%dir %{_localstatedir}/named/dynamic
%ghost %{_localstatedir}/log/named.log
%defattr(0640,root,named,0750)
%config %verify(not link) %{_localstatedir}/named/named.ca
%config %verify(not link) %{_localstatedir}/named/named.localhost
%config %verify(not link) %{_localstatedir}/named/named.loopback
%config %verify(not link) %{_localstatedir}/named/named.empty
%ghost %config(noreplace) %{_sysconfdir}/rndc.key
# ^- rndc.key now created on first install only if it does not exist
# %%verify(not size,not md5) %%config(noreplace) %%attr(0640,root,named) /etc/rndc.conf
@ -1078,12 +1128,13 @@ rm -rf ${RPM_BUILD_ROOT} @@ -1078,12 +1128,13 @@ rm -rf ${RPM_BUILD_ROOT}
%dir %{chroot_prefix}/etc/pki/dnssec-keys
%dir %{chroot_prefix}/var
%dir %{chroot_prefix}/run
%dir %{chroot_prefix}/var/named
%ghost %config(noreplace) %{chroot_prefix}/etc/named.conf
%defattr(-,root,root,-)
%dir %{chroot_prefix}/usr
%dir %{chroot_prefix}/%{_libdir}
%dir %{chroot_prefix}/%{_libdir}/bind
%defattr(0660,root,named,01770)
%dir %{chroot_prefix}/var/named
%defattr(0660,named,named,0770)
%dir %{chroot_prefix}/var/tmp
%dir %{chroot_prefix}/var/log
@ -1109,8 +1160,9 @@ rm -rf ${RPM_BUILD_ROOT} @@ -1109,8 +1160,9 @@ rm -rf ${RPM_BUILD_ROOT}
%dir %{chroot_sdb_prefix}/etc/pki/dnssec-keys
%dir %{chroot_sdb_prefix}/var
%dir %{chroot_sdb_prefix}/run
%dir %{chroot_sdb_prefix}/var/named
%ghost %config(noreplace) %{chroot_sdb_prefix}/etc/named.conf
%defattr(0660,root,named,01770)
%dir %{chroot_sdb_prefix}/var/named
%defattr(-,root,root,-)
%dir %{chroot_sdb_prefix}/usr
%dir %{chroot_sdb_prefix}/%{_libdir}
@ -1155,6 +1207,45 @@ rm -rf ${RPM_BUILD_ROOT} @@ -1155,6 +1207,45 @@ rm -rf ${RPM_BUILD_ROOT}
%endif

%changelog
* Fri Nov 23 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-73
- Fixes debug level comments (#1647539)

* Thu Sep 20 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-72
- Fix automatic selinux boolean named_write_master_zones (#1569466)
- Allow starting named with readonly home again

* Wed Aug 08 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-71
- Fix CVE-2018-5740

* Sun Jun 24 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-70
- Fix compiler warnings

* Thu Jun 21 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-69
- Refetch always records with TTL 0 (#1549130)

* Thu Jun 21 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-68
- Detect and disable MD5 functions in FIPS 140-2 mode (#1519306)

* Thu Jun 14 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-67
- Move change of dns_view_t to the end (#1452091)

* Fri Jun 01 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-66
- Correct recursing file name (#1435883)
- Use python binary again, install all modules (#1510008)

* Thu May 31 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-65
- Add rndc secroots and recursing output files into data (#1435883)

* Mon May 28 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-64
- Backported negative trust anchors (#1452091)

* Mon May 28 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-63
- Make named home writeable (#1569466)
- Change named shell to /bin/false

* Tue May 22 2018 Martin Sehnoutka <msehnout@redhat.com> - 32:9.9.4-62
- Resolves: #1510008 - add support for dnssec-keymgr

* Tue Jan 16 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-61
- Fix CVE-2017-3145
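Review bot: The spec now turns on the SELinux boolean `named_write_master_zones` for every installation from `%posttrans`, and the `%files` lists put `%dir %{_localstatedir}/named` (and the chroot copies) under `%defattr(0660,root,named,01770)`, which by the changelog entry "Make named home writeable" appears to make the zone directory group-writable by default. Servers that only serve static master zones do not need either change, and together they widen what a compromised named process can write. I would document this next to the `%global selinuxbooleans` line, for example `# Enabled by default so named can write to its home and master zones; servers with static zones only may prefer to keep the boolean off`, and state in the package documentation how an administrator can keep it off across upgrades. As the existing `%postun` comment says, the boolean is unset on upgrade until `%posttrans` runs, so writes to master zones can fail during that window.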

