5.15. bind
Updated bind packages that fix one bug are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with the DNS server); and tools for verifying that the DNS server is operating properly.
Bug Fix
- BZ#838956
- Due to a race condition in the rbtdb.c source file, the named daemon could terminate unexpectedly with the INSIST error code. This bug has been fixed in the code and the named daemon no longer crashes in the described scenario.
All users of bind are advised to upgrade to these updated packages, which fix this bug.
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. DNS64 is used to automatically generate DNS records so IPv6 based clients can access IPv4 systems through a NAT64 server.
Security Fix
- CVE-2012-5688
- A flaw was found in the DNS64 implementation in BIND. If a remote attacker sent a specially-crafted query to a named server, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Security Fix
- CVE-2012-4244
- A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records, that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Security Fix
- CVE-2012-3817
- An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind packages that fix one bug are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library containing routines for applications to use when interfacing with the DNS server; and tools for verifying that the DNS server is operating properly.
Bug Fix
- BZ#858273
- Previously, BIND rejected "forward" and "forwarders" statements in static-stub zones. Consequently, it was impossible to forward certain queries to specified servers. With this update, BIND accepts those options for static-stub zones properly, thus fixing this bug.
All users of bind are advised to upgrade to these updated packages, which fix this bug.
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Security Fix
- CVE-2012-5166
- A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the
DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.
Note
Bug Fixes
- BZ#734458
- When
/etc/resolv.confcontained nameservers with disabled recursion, nslookup failed to resolve certain host names. With this update, a patch has been applied and nslookup now works as expected in the scenario described. - BZ#739406
- Prior to this update, errors arising on automatic update of DNSSEC trust anchors were handled incorrectly. Consequently, the
nameddaemon could become unresponsive on shutdown. With this update, the error handling has been improved andnamedexits on shutdown gracefully. - BZ#739410
- The multi-threaded
nameddaemon uses the atomic operations feature to speed-up access to shared data. This feature did not work correctly on 32-bit and 64-bit PowerPC architectures. Therefore,namedsometimes became unresponsive on these architectures. This update disables the atomic operations feature on 32-bit and 64-bit PowerPC architectures, which ensures thatnamedis now more stable and reliable and no longer hangs. - BZ#746694
- Prior to this update, a race condition could occur on validation of DNSSEC-signed NXDOMAIN responses and
namedcould terminate unexpectedly. With this update, the underlying code has been fixed and the race condition no longer occurs. - BZ#759502
- The
nameddaemon, configured as the master server, sometimes failed to transfer an uncompressible zone. The following error message was logged:transfer of './IN': sending zone data: ran out of spaceThe code which handles zone transfers has been fixed and this error no longer occurs in the scenario described. - BZ#759503
- During a DNS zone transfer,
namedsometimes terminated unexpectedly with an assertion failure. With this update, a patch has been applied to make the code more robust, andnamedno longer crashes in the scenario described. - BZ#768798
- Previously, the
rndc.keyfile was generated during package installation by therndc-confgen -acommand, but this feature was removed in Red Hat Enterprise Linux 6.1 because users reported that installation of bind package sometimes hung due to lack of entropy in/dev/random. Thenamedinitscript now generatesrndc.keyduring the service startup if it does not exist. - BZ#786362
- After the
rndc reloadcommand was executed,namedfailed to update DNSSEC trust anchors and emitted the following message to the log:managed-keys-zone ./IN: Failed to create fetch for DNSKEY updateThis issue was fixed in the 9.8.2rc1 upstream version. - BZ#789886
- Due to an error in the bind spec file, the bind-chroot subpackage did not create a
/dev/nulldevice. In addition, some empty directories were left behind after uninstalling bind. With this update, the bind-chroot packaging errors have been fixed. - BZ#795414
- The dynamic-db plug-ins were loaded too early which caused the configuration in the
named.conffile to override the configuration supplied by the plug-in. Consequently,namedsometimes failed to start. With this update thenamed.confis parsed before plug-in initialization andnamednow starts as expected. - BZ#812900
- Previously, when the
/var/nameddirectory was mounted the/etc/init.d/namedinitscript did not distinguish between situations whenchrootconfiguration was enabled and whenchrootwas not enabled. Consequently, when stopping thenamedservice the/var/nameddirectory was always unmounted. The initscript has been fixed and now unmounts/var/namedonly whenchrootconfiguration is enabled. As a result,/var/namedstays mounted after thenamedservice is stopped whenchrootconfiguration is not enabled. - BZ#816164
- Previously, the nslookup utility did not return a non-zero exit code when it failed to get an answer. Consequently, it was impossible to determine if an nslookup run was successful or not from the error code. The nslookup utility has been fixed and now it returns "1" as the exit code when fails to get answer.
Enhancements
- BZ#735438
- By default BIND returns resource records in round-robin order. The
rrset-orderoption now supportsfixedordering. When this option is set, the resource records for each domain name are always returned in the order they are loaded from the zone file. - BZ#788870
- Previously,
namedlogged too many messages relating to external DNS queries. The severity of these error messages has been decreased from “notice” to “debug” so that the system log is not flooded with mostly unnecessary information. - BZ#790682
- The
nameddaemon now uses portreserve to reserve the Remote Name Daemon Control (RNDC) port to avoid conflicts with other services.
All users of bind are advised to upgrade to these updated packages, which fix these bugs and provide these enhancements.
