8.20. bind
Updated bind packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Bug Fixes
- BZ#1044545
- Previously, the allow-notify configuration option did not take into account the Transaction SIGnature (TSIG) key for authentication. Consequently, a slave server did not accept a NOTIFY message from a non-master server that used the TSIG key for authentication, even though the slave server was configured to accept NOTIFY messages when the specific TSIG key was used. The named source code has been fixed to also check the TSIG key ID when receiving a NOTIFY message from a non-master server, and the slave server now correctly accepts NOTIFY messages in this scenario.
- BZ#1036700
- Prior to this update, the Response Rate Limiting (RRL) functionality in BIND distributed in Red Hat Enterprise Linux 6 was missing the referrals-per-second and nodata-per-second options. As a consequence, users of BIND configured to use the RRL functionality could not explicitly filter empty responses for a valid domain, or referrals or delegations to the server for a given domain. With this update, the missing functionality has been backported to BIND, and users can now explicitly filter empty responses for a valid domain, and referrals or delegations to the server for a given domain, when using the RRL functionality in BIND.
- BZ#1008827
- Previously, the host utility used the same send buffer for all outgoing queries. As a consequence, under high network load, a race condition occurred when the buffer was used by multiple queries, and the host utility terminated unexpectedly with a segmentation fault when the sending of one query finished after another query had been sent. The host utility source code has been modified to use a separate send buffer for each outgoing query, and the described problem no longer occurs.
- BZ#993612
- Prior to this update, a bug in the BIND resolver source code caused a race condition, which could lead to prematurely freeing a fetch memory object. As a consequence, BIND could terminate unexpectedly with a segmentation fault when it accessed already freed memory. The BIND resolver source code has been fixed to guarantee that the resolver fetch object is not freed until there is no outstanding reference to that object, and BIND no longer crashes in this scenario.
- BZ#1023045
- Previously, the manual page for the dig utility contained upstream-specific options for an Internationalized Domain Name (IDN) library. Consequently, these options did not function as expected and users were incapable of disabling IDN support in dig following the steps from the manual page. The dig(1) manual page has been modified to include the options of the IDN library used in Red Hat Enterprise Linux and users can now successfully disable IDN support in dig following the steps from the manual page.
- BZ#919545
- Prior to this update, due to a regression, the dig utility could access an already freed query when trying multiple origins during domain name resolution. Consequently, the dig utility sometimes terminated unexpectedly with a segmentation fault, especially when running on a host that had multiple search domains configured in the
/etc/resolv.conf
file. The dig source code has been modified to always use a query that is still valid when trying the next origin, and the dig utility no longer crashes in this scenario. - BZ#1066876
- Prior to this update, the named source code was unable to correctly handle Internet Control Message Protocol (ICMP) Destination Unreachable (Protocol Unreachable) responses. Consequently, named logged an error message upon receiving such an ICMP response, but BIND did not add the address of the name server to its list of unreachable name servers. This bug has been fixed, and no errors are now logged when the ICMP Destination Unreachable (Protocol Unreachable) response is received.
- BZ#902431
- Previously, the /var/named/chroot/etc/localtime file was created during the installation of the bind-chroot package, but its SELinux context was not restored. Consequently, /var/named/chroot/etc/localtime had an incorrect SELinux context. With this update, the command to restore the SELinux context of /var/named/chroot/etc/localtime after creation has been added to the post-transaction section of the SPEC file, and the correct SELinux context is preserved after installing bind-chroot.
- BZ#917356
- Previously, the /var/named/named.ca file was outdated and the IP addresses of certain root servers were not valid. Although the named service fetches the current IP addresses of all root servers during its startup, invalid IP addresses can reduce performance just after a restart. Now, /var/named/named.ca has been updated to include the current IP addresses of the root servers.
- BZ#997743
- Prior to this update, the named init script checked for the existence of the rndc.key file only during server startup. Consequently, the init script generated rndc.key even if the user had a custom Remote Name Daemon Control (RNDC) configuration. This bug has been fixed, and the init script no longer generates rndc.key if the user has a custom RNDC configuration.
- BZ#919414
- Previously, when calling the sqlite commands, the zone2sqlite utility used a formatting option that did not add single quotes around the argument. As a consequence, zone2sqlite was unable to perform operations on tables whose name started with a digit or contained the period (.) or dash (-) characters. With this update, zone2sqlite has been fixed to use the correct formatting option, and the described problem no longer occurs.
- BZ#980632
- Previously, the named init script did not check whether the PID written in the named.pid file was the PID of a running named server. After an unclean shutdown of the server, the PID written in named.pid could belong to an existing process while the named server was not running. Consequently, the init script could identify the server as running, and the user was therefore unable to start the server. With this update, the init script has been enhanced to perform the necessary check, and if the PID written in named.pid is not the PID of a running named server, the init script deletes the named.pid file. The check is performed before starting, stopping, or reloading the server, and before checking its status. As a result, the user is able to start the server without problems in the described scenario.
- BZ#1025008
- Prior to this update, BIND was not configured with the --enable-filter-aaaa configuration option. As a consequence, the filter-aaaa-on-v4 option could not be used in the BIND configuration. The --enable-filter-aaaa option has been added, and users can now configure the filter-aaaa-on-v4 option in BIND.
- BZ#851123
- Prior to this update, the named init script command configtest did not check whether BIND was already running, and mounted or unmounted the file system into a chroot environment. As a consequence, the named chroot file system was damaged by executing the configtest command while the named service was running in a chroot environment. This bug has been fixed, and using the init script configtest command no longer damages the file system if named is running in a chroot environment.
- BZ#848033
- Previously, due to a missing statement in the named init script, the init script could return an incorrect exit status when calling certain commands (namely, checkconfig, configtest, check, and test) if the named configuration included an error. Consequently, for example, when the service named configtest command was run, the init script returned a zero value, meaning success, regardless of the errors in the configuration. With this update, the init script has been fixed to correctly return a non-zero value in case of an error in the named configuration.
- BZ#1051283
- Previously, ownership of some documentation files installed by the bind package was not correctly set. Consequently, the files were incorrectly owned by named instead of the root user. A patch has been applied, and the ownership of documentation files installed by the bind package has been corrected.
- BZ#951255
- Prior to this update, the /dev/random device, which is a source of random data, did not have a sufficient amount of entropy when booting a newly installed virtual machine (VM). Consequently, generating the /etc/rndc.key file took excessively long when the named service was started for the first time. The init script has been changed to use /dev/urandom instead of /dev/random as the source of random data, and the generation of /etc/rndc.key now takes a more reasonable amount of time in this scenario.
- BZ#1064045
- Previously, the nsupdate utility was unable to correctly handle an extra argument after the -r option, which sets the number of User Datagram Protocol (UDP) retries. As a consequence, when an argument followed the -r option, nsupdate terminated unexpectedly with a segmentation fault. A patch has been applied, and nsupdate now handles the -r option with an argument as expected.
- BZ#948743
- Previously, when the named service was running in a chroot environment, the init script checked whether the server was already running only after it had mounted the chroot file system. As a consequence, if some directories were empty in the chroot environment, they were mounted again when the service named start command was used. With this update, the init script has been fixed to check whether named is running before mounting the file system into the chroot environment, and no directories are mounted multiple times in this scenario.
- BZ#846065
- Previously, BIND was not configured with the --with-dlopen=yes option. As a consequence, external Dynamically Loadable Zones (DLZ) drivers could not be dynamically loaded. A patch has been applied, and external DLZ drivers are now dynamically loadable as expected.
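The stale PID file check described under BZ#980632, as an added shell example (it is not the Red Hat init script itself): a PID file counts as proof that the server is running only when its PID currently belongs to the expected command, and is deleted otherwise. The default PID file path and the LSB "not running" exit code are assumptions.

```shell
#!/bin/sh
# Added example, not the Red Hat init script. A PID file counts as evidence
# that the server is running only if that PID currently belongs to the
# expected command (default: named). A file left by an unclean shutdown, or
# whose PID has since been reused by an unrelated process, is deleted so that
# start, stop, reload and status do not act on the wrong process.

# Command name for a PID; empty if no such process. Uses /proc when present
# (Linux), otherwise falls back to ps.
pid_command() {
    if [ -r "/proc/$1/comm" ]; then
        name=$(cat "/proc/$1/comm")
    else
        name=$(ps -o comm= -p "$1" 2>/dev/null | tr -d '[:space:]')
    fi
    printf '%s\n' "${name##*/}"              # strip a path prefix if ps printed one
}

# Usage: pidfile_is_live PIDFILE [EXPECTED_COMMAND]; returns 0 when live.
pidfile_is_live() {
    pidfile=$1
    expected=${2:-named}

    [ -r "$pidfile" ] || return 1            # no PID file: not running

    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        ''|0|*[!0-9]*) rm -f "$pidfile"; return 1 ;;   # not a usable PID
    esac

    if [ "$(pid_command "$pid")" = "$expected" ]; then
        return 0                             # live: this PID is the server
    fi
    rm -f "$pidfile"                         # stale or reused PID: forget it
    return 1
}

# Mirrors the fixed init script's status check (assumed path and LSB exit
# code 3 = program is not running).
named_status() {
    if pidfile_is_live "${1:-/var/run/named/named.pid}"; then
        echo "named is running"
    else
        echo "named is not running (stale PID file removed if present)"
        return 3
    fi
}
```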
Enhancements
- BZ#1092035
- Previously, the number of workers and client objects was hard-coded in the Lightweight Resolver Daemon (lwresd) source, and it was insufficient. This update adds two new options: the lwres-tasks option, which can be used to modify the number of workers created, and the lwres-clients option, which can be used to specify the number of client objects created per worker. The options can be used inside the lwres statement in the named/lwresd configuration file.
- BZ#956685
- This update adds support for the TLSA resource record type in input zone files, as specified in RFC 6698. TLSA records together with Domain Name System Security Extensions (DNSSEC) are used for DNS-Based Authentication of Named Entities (DANE).
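A named.conf fragment, added here as an example (not Red Hat's or ISC's code), that exercises the configuration points from these notes in one place: allow-notify restricted to a TSIG key (BZ#1044545), the backported referrals-per-second and nodata-per-second RRL options (BZ#1036700), filter-aaaa-on-v4 (BZ#1025008) and the new lwres-tasks and lwres-clients options (BZ#1092035), validated with named-checkconf the way the init script's configtest does. It assumes the BIND build described in these notes; the key secret and the 192.0.2.1 master address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Red Hat's or ISC's code. Writes a named.conf fragment that
# uses the options these notes describe, then checks it like configtest does.
# Assumes the BIND build from these notes (rate-limit, filter-aaaa-on-v4 and
# lwres-tasks/lwres-clients available); 192.0.2.1 is an RFC 5737 documentation
# address and the TSIG secret is a constructed placeholder.
write_named_conf() {
    cat > "$1" <<'EOF'
# TSIG key shared with the non-master server that sends NOTIFY
key "notify-key" {
    algorithm hmac-sha256;
    secret "Y2hhbmdlbWU=";        # placeholder; generate a real one with rndc-confgen
};

options {
    directory "/var/named";
    rate-limit {                  # RRL; the last two options are the backported ones
        responses-per-second 10;
        referrals-per-second 5;   # referrals/delegations for a given domain
        nodata-per-second    5;   # empty responses for a valid domain
    };
    filter-aaaa-on-v4 yes;        # requires a build with --enable-filter-aaaa
};

lwres {                           # lwresd settings inside the named configuration
    listen-on { 127.0.0.1 port 921; };
    lwres-tasks   4;              # worker threads created
    lwres-clients 64;             # client objects per worker
};

zone "example.com" {
    type slave;
    file "slaves/example.com";
    masters { 192.0.2.1; };
    # NOTIFY from a non-master host is accepted only when signed with the key
    allow-notify { key "notify-key"; };
};
EOF
}

# Exit status follows named-checkconf (non-zero on a configuration error), as
# the fixed init script's configtest/checkconfig commands now do. When the
# tool is not installed the fragment is written but left unchecked.
check_named_conf() {
    write_named_conf "$1" || return 1
    command -v named-checkconf >/dev/null 2>&1 || { echo "named-checkconf not found; $1 not validated"; return 0; }
    named-checkconf "$1"
}
```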
Users of bind are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing the update, the BIND daemon (named) will be restarted automatically.