4.8. bind97

BZ#883402

When authoritative servers did not return a Start of Authority (SOA) record, the "named" daemon failed to cache and return answers. A patch has been provided to address this issue and "named" is now able to handle such under-performing servers correctly.

Bug Fixes

BZ#657260

Previously, the DNS server (named) init script killed all named processes when stopping the named daemon. This caused a problem for container-virtualized hosts, such as OpenVZ, because their named processes were killed by the init script. The init script has been fixed and now only kills the correct named processes.

BZ#703452

When the /etc/resolv.conf file contained the search keyword with no arguments, the host/nslookup/dig utility failed to parse it correctly. With this update, such lines are ignored.

BZ#719855

The /etc/named.root.key file was not listed in the ROOTDIR_MOUNT variable. Consequently, when using bind97 with chroot, the named.root.key file was not mounted to the chroot environment. A patch has been applied and /etc/named.root.key is now mounted into chroot.

BZ#758057

A non-writable working directory is a long time feature on all Red Hat systems. Previously, named wrote the working directory is not writable as an error to the system log. This update changes the code so that named now writes this information only into the debug log.

BZ#803369

During a DNS zone transfer, named sometimes terminated unexpectedly with an assertion failure. A patch has been applied to make the code more robust, and named no longer crashes in the scenario described.

BZ#829823

Due to an error in the bind spec file, the bind-chroot subpackage did not create a /dev/null device. In addition, some empty directories were left behind after uninstalling bind. With this update, the bind-chroot packaging errors have been fixed.

BZ#829829

Previously, the nslookup utility did not return a non-zero exit code when it failed to get an answer. Consequently, it was impossible to determine if an nslookup run was successful or not from the error code. The nslookup utility has been fixed and now it returns 1 as the exit code when it fails to get an answer.

BZ#829831

The named daemon, configured as master server, sometimes failed to transfer an uncompressible zone. The following error message was logged:

transfer of './IN': sending zone data: ran out of space

The code which handles zone transfers has been fixed and this error no longer occurs in the scenario described.

Enhancements

BZ#693788

Previously, bind97 did not contain the root zone DNSKEY. DNSKEY is now located in /etc/named.root.key.

BZ#703096

With this update, the size, MD5 checksum, and modification time of the /etc/sysconfig/named configuration file is no longer checked via the rpm -V bind command.

BZ#703397

The host utility now honors debug, attempts, and timeout options in the /etc/resolv.conf file.

BZ#703411

The DISABLE_ZONE_CHECKING option has been added to /etc/sysconfig/named. This option adds the possibility to bypass zone validation via the named-checkzone utility in the /etc/init.d/named init script and allows starting named with misconfigured zones.

BZ#749214

The return codes of the dig utility are now documented in the dig man page.

BZ#811566

The option to disable Internationalized Domain Name (IDN) support in the dig utility was incorrectly documented in the man page. The dig man page has been corrected to explain the use of the libidn environment option CHARSET for disabling IDN.

BZ#829827

Previously, the rndc.key file was generated during package installation by the rndc-confgen -a command, but this feature was removed in Red Hat Enterprise Linux 5.8 because users reported that installation of the bind package sometimes became unresponsive due to lack of entropy in /dev/random. The named init script now generates rndc.key during the service startup if it does not exist.

Security Fixes

CVE-2012-1667

A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory.

CVE-2012-1033

A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced.

Security Fix

CVE-2012-3817

An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.

Security Fix

CVE-2012-4244

A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records, that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.

Security Fix

CVE-2012-5166

A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup.