5.15. bind
Updated bind packages that fix one bug are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with the DNS server); and tools for verifying that the DNS server is operating properly.
Bug Fix
- BZ#838956
- Due to a race condition in the rbtdb.c source file, the named daemon could terminate unexpectedly with the INSIST error code. This bug has been fixed in the code and the named daemon no longer crashes in the described scenario.
All users of bind are advised to upgrade to these updated packages, which fix this bug.
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. DNS64 is used to automatically generate DNS records so IPv6 based clients can access IPv4 systems through a NAT64 server.
Security Fix
- CVE-2012-5688
- A flaw was found in the DNS64 implementation in BIND. If a remote attacker sent a specially-crafted query to a named server, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Security Fix
- CVE-2012-4244
- A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Security Fix
- CVE-2012-3817
- An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
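The three security advisories above each name a configuration precondition: DNS64 configured, DNSSEC validation enabled, and a recursive resolver or secondary server. The following Python example is added here and is not Red Hat's or ISC's code; it checks a named.conf for those settings while ignoring commented-out statements. The sample configuration and the names strip_comments, triage and CHECKS are assumptions made for the example.

```python
import re

# Constructed sample named.conf for illustration (not from the advisories).
SAMPLE_CONF = r'''
options {
    directory "/var/named";
    recursion yes;
    dnssec-validation yes;   // validating resolver
    # dns64 64:ff9b::/96 { clients { any; }; };
    /* dns64 2001:db8:64::/96 {
           clients { any; };
       }; */
};
zone "example.com" IN {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/example.com.zone";
};
'''

# Quoted strings are matched first so comment markers inside them survive.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Drop /* */, // and # comments; keep quoted strings untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)

# Advisory -> (pattern for the precondition the advisory text names, reason).
# Only explicit statements are detected; built-in defaults and include
# files are not resolved (assumption of this example).
CHECKS = {
    "CVE-2012-5688": (r'\bdns64\s+[0-9A-Fa-f:.]+/\d+\s*\{',
                      "dns64 block configured"),
    "CVE-2012-3817": (r'\bdnssec-validation\s+(?:yes|auto)\s*;',
                      "DNSSEC validation explicitly enabled"),
    "CVE-2012-4244": (r'\btype\s+slave\s*;|\brecursion\s+yes\s*;',
                      "secondary zone or recursion explicitly enabled"),
}

def triage(conf_text):
    """Return {cve: reason} for advisories whose precondition is active."""
    active = strip_comments(conf_text)
    return {cve: why for cve, (rx, why) in CHECKS.items() if re.search(rx, active)}

if __name__ == "__main__":
    for cve, why in sorted(triage(SAMPLE_CONF).items()):
        print(cve, "-", why)
```

A match only means the precondition named in the advisory is present; whether the installed bind package already carries the fix has to be checked separately.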
Updated bind packages that fix one bug are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library containing routines for applications to use when interfacing with the DNS server; and tools for verifying that the DNS server is operating properly.
Bug Fix
- BZ#858273
- Previously, BIND rejected "forward" and "forwarders" statements in static-stub zones. Consequently, it was impossible to forward certain queries to specified servers. With this update, BIND accepts those options for static-stub zones properly, thus fixing this bug.
All users of bind are advised to upgrade to these updated packages, which fix this bug.
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Security Fix
- CVE-2012-5166
- A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lock up.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.
Note
Bug Fixes
- BZ#734458
- When /etc/resolv.conf contained nameservers with disabled recursion, nslookup failed to resolve certain host names. With this update, a patch has been applied and nslookup now works as expected in the scenario described.
- BZ#739406
- Prior to this update, errors arising on automatic update of DNSSEC trust anchors were handled incorrectly. Consequently, the named daemon could become unresponsive on shutdown. With this update, the error handling has been improved and named exits on shutdown gracefully.
- BZ#739410
- The multi-threaded named daemon uses the atomic operations feature to speed up access to shared data. This feature did not work correctly on 32-bit and 64-bit PowerPC architectures. Therefore, named sometimes became unresponsive on these architectures. This update disables the atomic operations feature on 32-bit and 64-bit PowerPC architectures, which ensures that named is now more stable and reliable and no longer hangs.
- BZ#746694
- Prior to this update, a race condition could occur on validation of DNSSEC-signed NXDOMAIN responses and named could terminate unexpectedly. With this update, the underlying code has been fixed and the race condition no longer occurs.
- BZ#759502
- The named daemon, configured as the master server, sometimes failed to transfer an uncompressible zone. The following error message was logged:
  transfer of './IN': sending zone data: ran out of space
  The code which handles zone transfers has been fixed and this error no longer occurs in the scenario described.
- BZ#759503
- During a DNS zone transfer, named sometimes terminated unexpectedly with an assertion failure. With this update, a patch has been applied to make the code more robust, and named no longer crashes in the scenario described.
- BZ#768798
- Previously, the rndc.key file was generated during package installation by the rndc-confgen -a command, but this feature was removed in Red Hat Enterprise Linux 6.1 because users reported that installation of the bind package sometimes hung due to lack of entropy in /dev/random. The named initscript now generates rndc.key during the service startup if it does not exist.
- BZ#786362
- After the rndc reload command was executed, named failed to update DNSSEC trust anchors and emitted the following message to the log:
  managed-keys-zone ./IN: Failed to create fetch for DNSKEY update
  This issue was fixed in the 9.8.2rc1 upstream version.
- BZ#789886
- Due to an error in the bind spec file, the bind-chroot subpackage did not create a /dev/null device. In addition, some empty directories were left behind after uninstalling bind. With this update, the bind-chroot packaging errors have been fixed.
- BZ#795414
- The dynamic-db plug-ins were loaded too early, which caused the configuration in the named.conf file to override the configuration supplied by the plug-in. Consequently, named sometimes failed to start. With this update, the named.conf file is parsed before plug-in initialization and named now starts as expected.
- BZ#812900
- Previously, when the /var/named directory was mounted, the /etc/init.d/named initscript did not distinguish between situations when chroot configuration was enabled and when chroot was not enabled. Consequently, when stopping the named service, the /var/named directory was always unmounted. The initscript has been fixed and now unmounts /var/named only when chroot configuration is enabled. As a result, /var/named stays mounted after the named service is stopped when chroot configuration is not enabled.
- BZ#816164
- Previously, the nslookup utility did not return a non-zero exit code when it failed to get an answer. Consequently, it was impossible to determine from the exit code whether an nslookup run was successful. The nslookup utility has been fixed and now returns "1" as the exit code when it fails to get an answer.
Enhancements
- BZ#735438
- By default, BIND returns resource records in round-robin order. The rrset-order option now supports fixed ordering. When this option is set, the resource records for each domain name are always returned in the order they are loaded from the zone file.
- BZ#788870
- Previously, named logged too many messages relating to external DNS queries. The severity of these error messages has been decreased from “notice” to “debug” so that the system log is not flooded with mostly unnecessary information.
- BZ#790682
- The named daemon now uses portreserve to reserve the Remote Name Daemon Control (RNDC) port to avoid conflicts with other services.
All users of bind are advised to upgrade to these updated packages, which fix these bugs and provide these enhancements.