4.8. bind97
Updated bind97 packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. It contains a DNS server (named), a resolver library with routines for applications to use when interfacing with DNS, and tools for verifying that the DNS server is operating correctly. These packages contain version 9.7 of the BIND suite.
Bug Fix
- BZ#883402
- When authoritative servers did not return a Start of Authority (SOA) record, the "named" daemon failed to cache and return answers. A patch has been provided to address this issue and "named" is now able to handle such under-performing servers correctly.
Users of bind97 are advised to upgrade to these updated packages, which fix this bug.
Updated bind97 packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.
Bug Fixes
- BZ#657260
- Previously, the DNS server (named) init script killed all named processes when stopping the named daemon. This caused a problem for container-virtualized hosts, such as OpenVZ, because their named processes were killed by the init script. The init script has been fixed and now only kills the correct named processes.
- BZ#703452
- When the /etc/resolv.conf file contained the search keyword with no arguments, the host/nslookup/dig utility failed to parse it correctly. With this update, such lines are ignored.
- BZ#719855
- The /etc/named.root.key file was not listed in the ROOTDIR_MOUNT variable. Consequently, when using bind97 with chroot, the named.root.key file was not mounted to the chroot environment. A patch has been applied and /etc/named.root.key is now mounted into chroot.
- BZ#758057
- A non-writable working directory is a long-standing feature on all Red Hat systems. Previously, named wrote "the working directory is not writable" as an error to the system log. This update changes the code so that named now writes this information only into the debug log.
- BZ#803369
- During a DNS zone transfer, named sometimes terminated unexpectedly with an assertion failure. A patch has been applied to make the code more robust, and named no longer crashes in the scenario described.
- BZ#829823
- Due to an error in the bind spec file, the bind-chroot subpackage did not create a /dev/null device. In addition, some empty directories were left behind after uninstalling bind. With this update, the bind-chroot packaging errors have been fixed.
- BZ#829829
- Previously, the nslookup utility did not return a non-zero exit code when it failed to get an answer. Consequently, it was impossible to determine if an nslookup run was successful or not from the error code. The nslookup utility has been fixed and now it returns 1 as the exit code when it fails to get an answer.
- BZ#829831
- The named daemon, configured as master server, sometimes failed to transfer an uncompressible zone. The following error message was logged:
transfer of './IN': sending zone data: ran out of space
The code which handles zone transfers has been fixed and this error no longer occurs in the scenario described.
Enhancements
- BZ#693788
- Previously, bind97 did not contain the root zone DNSKEY. DNSKEY is now located in /etc/named.root.key.
- BZ#703096
- With this update, the size, MD5 checksum, and modification time of the /etc/sysconfig/named configuration file are no longer checked via the rpm -V bind command.
- BZ#703397
- The host utility now honors debug, attempts, and timeout options in the /etc/resolv.conf file.
- BZ#703411
- The DISABLE_ZONE_CHECKING option has been added to /etc/sysconfig/named. This option adds the possibility to bypass zone validation via the named-checkzone utility in the /etc/init.d/named init script and allows starting named with misconfigured zones.
- BZ#749214
- The return codes of the dig utility are now documented in the dig man page.
- BZ#811566
- The option to disable Internationalized Domain Name (IDN) support in the dig utility was incorrectly documented in the man page. The dig man page has been corrected to explain the use of the libidn environment option CHARSET for disabling IDN.
- BZ#829827
- Previously, the rndc.key file was generated during package installation by the rndc-confgen -a command, but this feature was removed in Red Hat Enterprise Linux 5.8 because users reported that installation of the bind package sometimes became unresponsive due to lack of entropy in /dev/random. The named init script now generates rndc.key during the service startup if it does not exist.
All users of bind97 are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
Updated bind97 packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Security Fixes
- CVE-2012-1667
- A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory.
- CVE-2012-1033
- A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced.
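The TTL limit described for CVE-2012-1033, shown on a simplified cache model. This is an added example, not BIND code or code from the advisory; the class and function names, the example.test zone, and the timing values are all constructed for illustration.

```python
"""Simplified model of a resolver's NS cache (constructed example, not BIND code)."""
from dataclasses import dataclass


@dataclass
class CachedNS:
    nameserver: str
    expires_at: int  # absolute time in seconds


class NSCache:
    def __init__(self, clamp_ttl):
        self.clamp_ttl = clamp_ttl  # True models the fixed behaviour
        self.entries = {}

    def lookup(self, zone, now):
        entry = self.entries.get(zone)
        if entry is None or entry.expires_at <= now:
            self.entries.pop(zone, None)  # expired: forget the delegation
            return None
        return entry

    def store_from_parent(self, zone, nameserver, ttl, now):
        self.entries[zone] = CachedNS(nameserver, now + ttl)  # delegation from parent

    def store_from_child(self, zone, nameserver, ttl, now):
        # NS set supplied by the zone's own server, replacing a live entry.
        old = self.lookup(zone, now)
        if old is None:
            return False  # nothing cached: the resolver must ask the parent again
        expires = now + ttl
        if self.clamp_ttl:
            expires = min(expires, old.expires_at)  # never outlive the replaced record
        self.entries[zone] = CachedNS(nameserver, expires)
        return True


def cached_until(clamp_ttl, ttl=3600, refresh_every=1800, horizon=6 * 3600):
    """Time at which the withdrawn delegation leaves the cache (horizon if never)."""
    # Parent delegation cached at t=0, then withdrawn; the child server keeps
    # re-supplying a changed NS set every refresh_every seconds.
    cache = NSCache(clamp_ttl)
    cache.store_from_parent("example.test", "ns1.example.test", ttl, now=0)
    for now in range(refresh_every, horizon + 1, refresh_every):
        if cache.lookup("example.test", now) is None:
            return now
        cache.store_from_child("example.test", f"ns-{now}.example.test", ttl, now)
    return horizon
```

With the default parameters, the unclamped cache still holds the delegation at the six-hour horizon, while the clamped cache drops it when the original 3600-second TTL runs out.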
Users of bind97 are advised to upgrade to these updated packages, which correct these issues. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind97 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
Security Fix
- CVE-2012-3817
- An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.
Users of bind97 are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind97 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
Security Fix
- CVE-2012-4244
- A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.
Users of bind97 are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind97 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
Security Fix
- CVE-2012-5166
- A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lock up.
Users of bind97 are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.