8.20. bind
8.20.1. RHBA-2014:1373 — bind bug fix and enhancement update
Updated bind packages that fix several bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Bug Fixes
- BZ#1044545
- Previously, the allow-notify configuration option did not take the Transaction SIGnature (TSIG) key used for authentication into account. Consequently, a slave server did not accept a NOTIFY message from a non-master server that authenticated with a TSIG key, even though the slave server was configured to accept NOTIFY messages authenticated with that specific key. The named source code has been fixed to also check the TSIG key ID when receiving a NOTIFY message from a non-master server, and the slave server now correctly accepts NOTIFY messages in this scenario.
- BZ#1036700
- Prior to this update, the Response Rate Limiting (RRL) functionality in BIND as distributed in Red Hat Enterprise Linux 6 was missing the referrals-per-second and nodata-per-second options. As a consequence, a BIND server configured to use RRL could not separately limit empty (NODATA) responses for names in a valid domain, or referrals and delegations to other servers for a given domain. With this update, the missing options have been backported to BIND, and both kinds of response can now be explicitly rate limited when RRL is in use.
- BZ#1008827
- Previously, the host utility used the same send buffer for all outgoing queries. As a consequence, under high network load a race condition occurred when the buffer was shared by multiple queries, and the host utility terminated unexpectedly with a segmentation fault when the sending of one query finished after another query had already been sent. The host utility source code has been modified to use a separate send buffer for each outgoing query, and the described problem no longer occurs.
- BZ#993612
- Prior to this update, a bug in the BIND resolver source code caused a race condition that could lead to a fetch memory object being freed prematurely. As a consequence, BIND could terminate unexpectedly with a segmentation fault when it accessed the already freed memory. The BIND resolver source code has been fixed to guarantee that a resolver fetch object is not freed until no outstanding reference to it remains, and BIND no longer crashes in this scenario.
- BZ#1023045
- Previously, the manual page for the dig utility documented the options of the upstream Internationalized Domain Name (IDN) library. Consequently, these options did not function as expected, and users were unable to disable IDN support in dig by following the steps in the manual page. The dig(1) manual page has been modified to document the options of the IDN library used in Red Hat Enterprise Linux, and users can now successfully disable IDN support in dig by following the manual page.
- BZ#919545
- Prior to this update, due to a regression, the dig utility could access an already freed query when trying multiple origins during domain name resolution. Consequently, the dig utility sometimes terminated unexpectedly with a segmentation fault, especially when running on a host with multiple search domains configured in the /etc/resolv.conf file. The dig source code has been modified to always use a query that is still valid when trying the next origin, and the dig utility no longer crashes in this scenario.
- BZ#1066876
- Prior to this update, the named source code did not correctly handle Internet Control Message Protocol (ICMP) Destination Unreachable (Protocol Unreachable) responses. Consequently, named logged an error message upon receiving such a response but did not add the address of the name server to its list of unreachable name servers. This bug has been fixed, and no errors are now logged when an ICMP Destination Unreachable (Protocol Unreachable) response is received.
- BZ#902431
- Previously, the /var/named/chroot/etc/localtime file was created during installation of the bind-chroot package, but its SELinux context was not restored. Consequently, /var/named/chroot/etc/localtime had an incorrect SELinux context. With this update, a command that restores the SELinux context of /var/named/chroot/etc/localtime after the file is created has been added to the post-transaction section of the SPEC file, and the correct SELinux context is preserved after installing bind-chroot.
- BZ#917356
- Previously, the /var/named/named.ca file (the root hints) was outdated, and the IP addresses of certain root servers were no longer valid. Although the named service fetches the current IP addresses of all root servers during startup (priming), invalid addresses in the hints file can reduce performance just after a restart. Now, /var/named/named.ca has been updated to include the current IP addresses of the root servers.
- BZ#997743
- Prior to this update, the named init script checked only whether the rndc.key file existed when starting the server. Consequently, the init script generated rndc.key even if the user had a custom Remote Name Daemon Control (RNDC) configuration. This bug has been fixed, and the init script no longer generates rndc.key if the user has a custom RNDC configuration.
- BZ#919414
- Previously, when calling the sqlite commands, the zone2sqlite utility used a formatting option that did not add single quotes around the argument. As a consequence, zone2sqlite was unable to perform operations on tables whose name started with a digit or contained a period (.) or dash (-) character. With this update, zone2sqlite has been fixed to use the correct formatting option, and the described problem no longer occurs.
- BZ#980632
- Previously, the named init script did not check whether the PID written in the named.pid file belonged to a running named server. After an unclean shutdown of the server, the PID in named.pid could belong to an unrelated existing process while named was not running. Consequently, the init script could report the server as running, and the user was unable to start it. With this update, the init script performs the necessary check, and if the PID in named.pid is not the PID of a running named server, the init script deletes the named.pid file. The check is performed before starting, stopping, or reloading the server, and before checking its status. As a result, the user can start the server without problems in the described scenario.
- BZ#1025008
- Prior to this update, BIND was not built with the --enable-filter-aaaa configure option. As a consequence, the filter-aaaa-on-v4 option could not be used in the BIND configuration. The --enable-filter-aaaa option has been added to the build, and users can now set the filter-aaaa-on-v4 option in BIND.
- BZ#851123
- Prior to this update, the configtest command of the named init script did not check whether BIND was already running before mounting or unmounting the file systems of the chroot environment. As a consequence, running the configtest command while the named service was running in a chroot environment damaged the chroot file system. This bug has been fixed, and using the init script's configtest command no longer damages the file system if named is running in a chroot environment.
- BZ#848033
- Previously, due to a missing statement in the named init script, the init script could return an incorrect exit status for certain commands (namely checkconfig, configtest, check, and test) if the named configuration contained an error. Consequently, for example, when the service named configtest command was run, the init script returned zero (success) regardless of errors in the configuration, so scripts that relied on the exit status could not detect a broken configuration. With this update, the init script has been fixed to correctly return a non-zero value when there is an error in the named configuration.
- BZ#1051283
- Previously, the ownership of some documentation files installed by the bind package was not set correctly. Consequently, the files were owned by the named user instead of the root user. A patch has been applied, and the ownership of the documentation files installed by the bind package has been corrected.
- BZ#951255
- Prior to this update, the /dev/random device, which is a source of random data, did not have a sufficient amount of entropy when booting a newly installed virtual machine (VM). Consequently, generating the /etc/rndc.key file took excessively long when the named service was started for the first time. The init script has been changed to use /dev/urandom instead of /dev/random as the source of random data, and the generation of /etc/rndc.key now takes a reasonable amount of time in this scenario. Note that /dev/urandom never blocks, so on a freshly installed VM the key is derived from whatever entropy the kernel pool holds at first boot; the key only authenticates commands on the rndc control channel, which by default listens on the loopback address, and it can be regenerated at any time with rndc-confgen -a.
- BZ#1064045
- Previously, the nsupdate utility did not correctly handle an extra argument after the -r option, which sets the number of User Datagram Protocol (UDP) retries. As a consequence, when an argument followed the -r option, nsupdate terminated unexpectedly with a segmentation fault. A patch has been applied, and nsupdate now handles the -r option with an argument as expected.
- BZ#948743
- Previously, when the named service was running in a chroot environment, the init script checked whether the server was already running only after it had mounted the chroot file system. As a consequence, if some directories in the chroot environment were empty, they were mounted again each time the service named start command was run. With this update, the init script has been fixed to check whether named is running before mounting file systems into the chroot environment, and no directories are mounted multiple times in this scenario.
- BZ#846065
- Previously, BIND was not built with the --with-dlopen=yes configure option. As a consequence, external Dynamically Loadable Zones (DLZ) drivers could not be loaded dynamically. A patch has been applied, and external DLZ drivers can now be loaded dynamically as expected.
Enhancements
- BZ#1092035
- Previously, the number of workers and client objects in the Lightweight Resolver Daemon (lwresd) was hard-coded in the source and was insufficient. This update adds two new options: lwres-tasks, which sets the number of workers created, and lwres-clients, which sets the number of client objects created per worker. Both options are used inside the lwres statement in the named or lwresd configuration file.
- BZ#956685
- This update adds support for the TLSA resource record type in input zone files, as specified in RFC 6698. TLSA records, together with Domain Name System Security Extensions (DNSSEC), are used for DNS-Based Authentication of Named Entities (DANE).
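An added example (not part of this erratum) of an lwres statement using the two new options from BZ#1092035, as it would appear in named.conf or lwresd.conf. The listen address, view name, search domain and the numbers chosen are assumptions; size them to the observed client load.

```conf
// Added example (not from the errata): lwres statement with the new
// lwres-tasks and lwres-clients options. Values are assumptions.
lwres {
    listen-on { 127.0.0.1 port 921; };   // 921 is the standard lwres port
    view "internal";                     // resolve through this view
    search { example.com; };
    ndots 1;
    lwres-tasks 4;        // number of worker tasks
    lwres-clients 256;    // client objects per worker, 1024 in total here
};
```

Restrict listen-on to loopback or a trusted interface: the lightweight resolver protocol carries no authentication of its own.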
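An added example (not part of this erratum) of a TLSA record in the zone file syntax that BZ#956685 makes parseable. The owner name follows the RFC 6698 convention _<port>._<proto>.<host>; the zone name is an assumption and the digest is a constructed placeholder, not the hash of any real certificate.

```conf
; Added example (not from the errata): TLSA record in a zone file.
; The digest below is a constructed placeholder, not a real hash.
$ORIGIN example.com.
$TTL 3600
; usage 3 = DANE-EE (this end-entity certificate or key),
; selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256
_443._tcp.www  IN TLSA 3 1 1 (
        0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef )
; The SHA-256 of the SPKI of a PEM certificate can be produced with:
;   openssl x509 -in cert.pem -noout -pubkey \
;     | openssl pkey -pubin -outform DER | openssl dgst -sha256
```

Verify the file parses with named-checkzone example.com <zonefile> and query the record with dig +dnssec TLSA _443._tcp.www.example.com. A TLSA record only gives a client any assurance when the zone is DNSSEC-signed and the response validates; an unsigned TLSA record is as spoofable as any other DNS answer.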
Users of bind are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. After installing the update, the BIND daemon (named) is restarted automatically.