Hello community,

here is the log from the commit of package bind.14948 for 
openSUSE:Leap:15.2:Update checked in at 2020-11-14 06:26:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/bind.14948 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.bind.14948.new.24930 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bind.14948"

Sat Nov 14 06:26:01 2020 rev:1 rq:847627 version:9.16.6

Changes:
--------
New Changes file:

--- /dev/null   2020-11-12 01:11:43.462704170 +0100
+++ /work/SRC/openSUSE:Leap:15.2:Update/.bind.14948.new.24930/bind.changes      
2020-11-14 06:26:02.623105566 +0100
@@ -0,0 +1,2942 @@
+-------------------------------------------------------------------
+Tue Oct 27 15:16:25 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- Add /usr/lib64/named to the files and directories in
+  bind-chrootenv.conf. This directory contains plugins loaded
+  after the chroot().
+- Replaced named's dependency on time-sync with a dependency on time-set
+  in named.service. The former leads to a dependency-loop.
+- Removed "dnssec-enable" from named.conf as it has been obsoleted.
+  Added a comment for reference which should be removed
+  in the future.
+- Added a comment to the "dnssec-validation" in named.conf
+  with a reference to forwarders which do not return signed responses.
+- Replaced an INSIST macro which calls abort with a test and a
+  diagnostic output.
+  [bsc#1177913,bsc#1178078,bsc#1177790,bsc#1177603,bsc#1175894,
+   bsc#1177915,
+   bind-Print-diagnostics-on-dns_name_issubdomain-failure-in.patch,
+   bind-chrootenv.conf,vendor-files.tar.bz2]
+
+-------------------------------------------------------------------
+Fri Sep 18 13:20:34 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- Removed "-r /dev/urandom" from all invocations of rndc-confgen
+  (init/named system/lwresd.init system/named.init in vendor-files)
+  as this option is deprecated and causes rndc-confgen to fail.
+  [bsc#1173311, bsc#1176674, bsc#1170713, vendor-files.tar.bz2]
+
+-------------------------------------------------------------------
+Tue Sep 15 13:54:05 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
+  of /usr/sbin/dnssec-keygen as BIND now uses the random number
+  functions provided by the crypto library (i.e., OpenSSL or a
+  PKCS#11 provider) as a source of randomness rather than /dev/random.
+  Therefore the -r command line option no longer has any effect on
+  dnssec-keygen. Leaving the option in genDDNSkey as to not break
+  compatibility. Patch provided by Stefan Eisenwiener.
+  [bsc#1171313, vendor-files.tar.bz2]
+
+-------------------------------------------------------------------
+Fri Sep  4 14:40:27 UTC 2020 - Reinhard Max <m...@suse.com>
+
+- Put libns into a separate subpackage to avoid file conflicts
+  in the libisc subpackage due to different sonums (bsc#1176092).
+
+-------------------------------------------------------------------
+Fri Aug 28 09:38:11 UTC 2020 - Dominique Leuenberger <dims...@opensuse.org>
+
+- Require /sbin/start_daemon: both init scripts, the one used in
+  systemd context as well as legacy sysv, make use of start_daemon.
+
+-------------------------------------------------------------------
+Tue Aug 18 12:13:49 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- Upgrade to version 9.16.6
+  Fixes five vilnerabilities:
+  5481.   [security]      "update-policy" rules of type "subdomain" were
+                          incorrectly treated as "zonesub" rules, which allowed
+                          keys used in "subdomain" rules to update names 
outside
+                          of the specified subdomains. The problem was fixed by
+                          making sure "subdomain" rules are again processed as
+                          described in the ARM. (CVE-2020-8624) [GL #2055]
+
+  5480.   [security]      When BIND 9 was compiled with native PKCS#11 
support, it
+                          was possible to trigger an assertion failure in code 
+                          determining the number of bits in the PKCS#11 RSA 
public
+                          key with a specially crafted packet. (CVE-2020-8623)
+                          [GL #2037]
+
+  5479.   [security]      named could crash in certain query resolution 
scenarios
+                          where QNAME minimization and forwarding were both 
+                          enabled. (CVE-2020-8621) [GL #1997]
+
+  5478.   [security]      It was possible to trigger an assertion failure by
+                          sending a specially crafted large TCP DNS message.
+                          (CVE-2020-8620) [GL #1996]
+
+  5476.   [security]      It was possible to trigger an assertion failure when 
+                          verifying the response to a TSIG-signed request.
+                          (CVE-2020-8622) [GL #2028]
+  For the less severe bugs fixed, see the CHANGES file.
+  [bsc#1175443, CVE-2020-8624, CVE-2020-8623, CVE-2020-8621,
+   CVE-2020-8620, CVE-2020-8622]
+
+-------------------------------------------------------------------
+Thu Aug  6 12:35:10 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- Added "/etc/bind.keys" to NAMED_CONF_INCLUDE_FILES in
+  /etc/sysconfig/named to suppress warning message re
+  missing file.
+  [vendor-files.tar.bz2, bsc#1173983]
+
+-------------------------------------------------------------------
+Tue Jul 21 14:06:51 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- Upgrade to version bind-9.16.5
+  * The "primary" and "secondary" keywords, when used
+    as parameters for "check-names", were not
+    processed correctly and were being ignored.
+  * 'rndc dnstap -roll <value>' did not limit the number of
+    saved files to <value>.
+  * Add 'rndc dnssec -status' command.
+  * Addressed a couple of situations where named could crash
+  For the full list, see the CHANGES file in the source RPM.
+
+-------------------------------------------------------------------
+Tue Jun 30 08:32:21 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
+  so that named, being a/the only member of the "named" group
+  has full r/w access yet cannot change directories owned by root
+  in the case of a compromized named.
+  [bsc#1173307, bind-chrootenv.conf]
+
+-------------------------------------------------------------------
+Thu Jun 18 06:35:35 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- Upgrade to version bind-9.16.4
+  Fixing two security problems: 
+  * It was possible to trigger an INSIST when determining
+    whether a record would fit into a TCP message buffer.
+    (CVE-2020-8618)
+  * It was possible to trigger an INSIST in
+    lib/dns/rbtdb.c:new_reference() with a particular zone
+    content and query patterns. (CVE-2020-8619)
+  Also the following functional changes:
+  * Reject DS records at the zone apex when loading
+    master files. Log but otherwise ignore attempts to
+    add DS records at the zone apex via UPDATE.
+  * The default value of "max-stale-ttl" has been changed
+    from 1 week to 12 hours.
+  * Zone timers are now exported via statistics channel.
+    Thanks to Paul Frieden, Verizon Media.
+  Added support for idn2 to spec file (Thanks to Holger Bruenjes
+  <holgerbruen...@gmx.net>).
+  More internal changes see the CHANGES file in the source RPM
+  This update obsoletes Makefile.in.diff
+  [bsc#1172958, CVE-2020-8618, CVE-2020-8619, Makefile.in.diff
+   bind.spec]
+
+-------------------------------------------------------------------
+Fri May 15 13:43:46 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- Upgrade to version bind-9.16.3
+  Fixing two security problems:
+  * Further limit the number of queries that can be triggered from
+    a request.  Root and TLD servers are no longer exempt
+    from max-recursion-queries.  Fetches for missing name server
+    address records are limited to 4 for any domain. (CVE-2020-8616)
+  * Replaying a TSIG BADTIME response as a request could trigger an
+    assertion failure. (CVE-2020-8617)
+  Also
+  * Add engine support to OpenSSL EdDSA implementation.
+  * Add engine support to OpenSSL ECDSA implementation.
+  * Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
+  * Warn about AXFR streams with inconsistent message IDs.
+  * Make ISC rwlock implementation the default again.
+  For more see CHANGS file in source RPM.
+  [CVE-2020-8616, CVE-2020-8617, bsc#1171740, bind-9.16.3.tar.xz]
+
+-------------------------------------------------------------------
+Fri May  8 12:07:50 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- bind needs an accurate clock, so wait for the time-sync.target
+  to be reached before starting bind.
+  [bsc#1170667, bsc#1170713, vendor-files.tar.bz2]
+
+-------------------------------------------------------------------
+Sat Mar 21 08:56:28 UTC 2020 - Thorsten Kukuk <ku...@suse.com>
+
+- Use sysusers.d to create named user
+- Have only one package creating the user
+
+-------------------------------------------------------------------
+Fri Mar 20 09:00:07 UTC 2020 - Thorsten Kukuk <ku...@suse.com>
+
+- coreutils are not used in %post, remove Requires.
+- Use systemd_ordering instead of hard requiring systemd
+
+-------------------------------------------------------------------
+Fri Mar 20 08:04:19 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- Upgrade to version 9.16.1
+  * UDP network ports used for listening can no longer simultaneously
+    be used for sending traffic.
+  * The system-provided POSIX Threads read-write lock implementation
+    is now used by default instead of the native BIND 9 implementation.
+  * Fixed re-signing issues with inline zones which resulted in records
+    being re-signed late or not at all. 
+  [bind-9.16.1.tar.xz]
+
+-------------------------------------------------------------------
+Sat Feb 22 07:42:08 UTC 2020 - Tomáš Chvátal <tchva...@suse.com>
+
+- Update download urls
+- Do not enable geoip on old distros, the geoip db was shut down
++++ 2745 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:Leap:15.2:Update/.bind.14948.new.24930/bind.changes
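
Review bot: The Oct 27 entry lists six bsc numbers in a single bracket after five unrelated changes, so a reader cannot tell which bug report motivated which change (for example which one covers the INSIST replacement and which the chroot plugin directory). Please attach each bsc reference to its own bullet, and name the affected function in the INSIST bullet, since the only hint is the patch filename. The 9.16.6 entry also has "vilnerabilities", the 9.16.3 entry "CHANGS", and the Jun 30 entry "compromized".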

New:
----
  baselibs.conf
  bind-9.16.6.tar.xz
  bind-9.16.6.tar.xz.sha512.asc
  bind-Print-diagnostics-on-dns_name_issubdomain-failure-in.patch
  bind-chrootenv.conf
  bind-ldapdump-use-valid-host.patch
  bind.changes
  bind.conf
  bind.keyring
  bind.spec
  dlz-schema.txt
  dnszone-schema.txt
  named-bootconf.diff
  named.conf
  named.root
  pie_compile.diff
  vendor-files.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bind.spec ++++++
++++ 689 lines (skipped)

++++++ baselibs.conf ++++++
libbind9-1600
libdns1605
libirs1601
libisc1606
        obsoletes "bind-libs-<targettype> = <version>"
        provides "bind-libs-<targettype> = <version>"
libisccc1600
libisccfg1600
libns1604
bind-devel
        requires -bind-<targettype>
        requires "libbind9-1600-<targettype> = <version>"
        requires "libdns1605-<targettype> = <version>"
        requires "libirs1601-<targettype> = <version>"
        requires "libisc1606-<targettype> = <version>"
        requires "libisccc1600-<targettype> = <version>"
        requires "libisccfg1600-<targettype> = <version>"
++++++ bind-Print-diagnostics-on-dns_name_issubdomain-failure-in.patch ++++++
Index: bind-9.16.6/lib/dns/resolver.c
===================================================================
--- bind-9.16.6.orig/lib/dns/resolver.c
+++ bind-9.16.6/lib/dns/resolver.c
@@ -5122,7 +5122,14 @@ fctx_create(dns_resolver_t *res, const d
 
        log_ns_ttl(fctx, "fctx_create");
 
-       INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain));
+       if (!dns_name_issubdomain(&fctx->name, &fctx->domain)) {
+               dns_name_format(&fctx->domain, buf, sizeof(buf));
+               UNEXPECTED_ERROR(__FILE__, __LINE__,
+                                "'%s' is not subdomain of '%s'", fctx->info,
+                                buf);
+               result = ISC_R_UNEXPECTED;
+               goto cleanup_fcount;
+       }
 
        fctx->qmessage = NULL;
        result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
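
Review bot: `buf` in the added `dns_name_format(&fctx->domain, buf, sizeof(buf));` is not declared anywhere in the visible hunk, so the patch relies on fctx_create() already having a local of that name; if it is a pointer rather than a char array, `sizeof(buf)` is the pointer size and the domain is truncated in the diagnostic. Please confirm it is an array of DNS_NAME_FORMATSIZE bytes. Since this point could previously never return, the `goto cleanup_fcount` path also needs checking that it releases everything acquired above it, which the hunk does not show.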
++++++ bind-chrootenv.conf ++++++
# See tmpfiles.d(5) for details
#Type Path        Mode UID  GID  Age Argument
d /var/lib/named 1775 root named - -
d /var/lib/named/dev 755 root root - -
c /var/lib/named/dev/null 666 root root - 1:3
c /var/lib/named/dev/random 666 root root - 1:8
c /var/lib/named/dev/urandom 664 root root - 1:9
d /var/lib/named/etc 755 root root - -
d /var/lib/named/etc/named.d 755 root root - -
d /var/lib/named/log 755 named named - -
d /var/lib/named/var - - - - -
d /var/lib/named/var/lib - - - - -
L /var/lib/named/var/lib/named - - - - ../..
L /var/lib/named/var/log - - - - ../log
d /var/lib/named/var/run - - - - -
d /var/lib/named/var/run/named 755 named named - -
C /var/lib/named/usr/lib64/named - - - - /usr/lib64/named
++++++ bind-ldapdump-use-valid-host.patch ++++++
--- a/vendor-files/tools/ldapdump
+++ b/vendor-files/tools/ldapdump
@@ -343,11 +343,11 @@ 
         };
         print PIPE "server $server\n" or die "can’t write to $nsupdate pipe: 
$!";
     }
-    print STDERR "\t\tupdate add $zone. 1234 NS ldapdump_kill_me\n" if( $DEBUG 
);
+    print STDERR "\t\tupdate add $zone. 1234 NS ldapdump.kill.me\n" if( $DEBUG 
);
     if( $DONSUPDATE ) {
         # create dummy NS record
         # sadly this one is needed if we want to change the last NS record
-        print PIPE "update add $zone. 1234 NS ldapdump_kill_me\n" or die 
"can’t write to $nsupdate pipe: $!";
+        print PIPE "update add $zone. 1234 NS ldapdump.kill.me\n" or die 
"can’t write to $nsupdate pipe: $!";
     }
     foreach my $e ( @data ) {
         next if( $e =~ /^[\s;]/ );
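
Review bot: The new placeholder NS target `ldapdump.kill.me` is a syntactically valid name under the real .me TLD, so if the script dies between this `update add` and the later `update delete`, the zone is left with an NS record pointing at a name a third party could register. A name under a reserved TLD such as `.invalid` would fix the hostname syntax problem without that exposure. The target is also written without a trailing dot while `$zone.` has one; please make it explicitly absolute.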
@@ -587,6 +587,7 @@ 
             my $ref = $zone_entry->get_value($rec.'record', asref => 1);
             next unless $ref;
             foreach my $rr ( @$ref ) {
+               $rdn =~ s/\.$zone\.$//;
                 my $where = ($rdn eq '@')?("$zone."):("$rdn.$zone");
                 my $command = "update add $where $ttl $rec $rr\n";
                 print STDERR "\t\t$command" if($DEBUG);
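
Review bot: In the added `$rdn =~ s/\.$zone\.$//;` the zone name is interpolated into the pattern unescaped, so every dot in `$zone` matches any character and other regex metacharacters in the value are interpreted; use `s/\.\Q$zone\E\.$//`. The substitution also sits inside the `foreach my $rr` loop although it does not depend on `$rr`, and it is indented differently from the surrounding lines; moving it above the loop would make the intent clearer.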
@@ -596,9 +597,10 @@ 
             }
         }
     }
-    print STDERR "\t\tupdate delete $zone. NS ldapdump_kill_me\n" if($DEBUG);
+    print STDERR "\t\tupdate delete $zone. NS ldapdump.kill.me\n" if($DEBUG);
     if( $DONSUPDATE ) {
-        print PIPE "update delete $zone. NS ldapdump_kill_me\n" or die "can’t 
write to $nsupdate pipe: $!";
+        print PIPE "update delete $zone. NS ldapdump.kill.me\n" or die "can’t 
write to $nsupdate pipe: $!";
+        print PIPE "send\n" or die "can’t write to $nsupdate pipe: $!";
         print PIPE "\n\n\n" or die "can’t write to $nsupdate pipe: $!";
         close(PIPE) or die "can’t close $nsupdate pipe: status=$?";
     }
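
Review bot: The added `print PIPE "send\n"` has no matching `print STDERR` line, unlike the add and delete commands next to it, so the debug trace no longer shows everything written to nsupdate. nsupdate treats a blank line the same as `send`, so the following `print PIPE "\n\n\n"` is now redundant; please either drop it or say in a comment why both are needed.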
@@ -688,9 +688,11 @@ 
     my %entries;
     my $entry = "";
     foreach( my $i=0; $i<@data; $i++ ) {
-        if( $data[$i] =~ /^(\S+)\s+(.*)/ ) {
+        if( $data[$i] =~ /^(\S+)\s+(.*)/ && $data[$i] !~ /^\$TTL/ ) {
             $entry = $1;
             $entries{$1} .= "$2\n";
+        } elsif ($data[$i] =~ /^\$TTL/) {
+            $entries{$entry} .=  $data[$i];
         } else {
             $data[$i] =~ /^\s+(.*)/;
             $entries{$entry} .= "\t$1\n";
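
Review bot: In the new `elsif` branch, `$entries{$entry} .= $data[$i];` runs with `$entry` still equal to the initial `""` when a `$TTL` line comes before the first record, which is the usual position for that directive, so it creates an entry under the empty key. The line is also appended without the newline and tab handling the other two branches apply. Please handle a leading `$TTL` explicitly. The hunk header `@@ -688,9 +688,11 @@` does not account for the two lines added by the earlier hunks, so the patch only applies with an offset.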

++++++ bind.conf ++++++
# See tmpfiles.d(5) for details
#Type Path        Mode UID  GID  Age Argument
d /var/lib/named 1775 root named - -
d /var/lib/named/dyn 755 named named - -
d /var/lib/named/master 755 named named - -
d /var/lib/named/slave 755 named named - -
C /var/lib/named/127.0.0.zone - - - - -
C /var/lib/named/localhost.zone - - - - -
C /var/lib/named/named.root.key - - - - -
C /var/lib/named/root.hint - - - - -
++++++ dlz-schema.txt ++++++
#
#
# 1.3.6.1.4.1.18420.1.1.X is reserved for attribute types declared by the DLZ project.
# 1.3.6.1.4.1.18420.1.2.X is reserved for object classes declared by the DLZ project.
# 1.3.6.1.4.1.18420.1.3.X is reserved for PRIVATE extensions to the DLZ attribute
#                     types and object classes that may be needed by end users
#                     to add security, etc.  Attributes and object classes using
#                     this OID MUST NOT be published outside of an organization
#                     except to offer them for consideration to become part of the
#                     standard attributes and object classes published by the DLZ project.

attributetype ( 1.3.6.1.4.1.18420.1.1.10
        NAME 'dlzZoneName'
        DESC 'DNS zone name - domain name not including host name'
        SUP name 
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.20
        NAME 'dlzHostName'
        DESC 'Host portion of a domain name'
        SUP name
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.30
        NAME 'dlzData'
        DESC 'Data for the resource record'
        SUP name
        SINGLE-VALUE )       
        
attributetype ( 1.3.6.1.4.1.18420.1.1.40
        NAME 'dlzType'
        DESC 'DNS record type - A, SOA, NS, MX, etc...'
        SUP name
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.50
        NAME 'dlzSerial'
        DESC 'SOA record serial number'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.60
        NAME 'dlzRefresh'
        DESC 'SOA record refresh time in seconds'
        EQUALITY integerMatch        
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.70
        NAME 'dlzRetry'
        DESC 'SOA retry time in seconds'
        EQUALITY integerMatch        
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.80
        NAME 'dlzExpire'
        DESC 'SOA expire time in seconds'
        EQUALITY integerMatch        
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.90
        NAME 'dlzMinimum'
        DESC 'SOA minimum time in seconds'
        EQUALITY integerMatch        
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.100
        NAME 'dlzAdminEmail'
        DESC 'E-mail address of person responsible for this zone - @ should be replaced with . (period)'
        SUP name
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.110
        NAME 'dlzPrimaryNS'
        DESC 'Primary name server for this zone - should be host name not IP address'
        SUP name
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.120
        NAME 'dlzIPAddr'
        DESC 'IP address - IPV4 should be in dot notation xxx.xxx.xxx.xxx IPV6 should be in colon notation xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'
        EQUALITY caseExactIA5Match 
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{40}
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.130
        NAME 'dlzCName'
        DESC 'DNS cname'
        SUP name
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.140
        NAME 'dlzPreference'
        DESC 'DNS MX record preference.  Lower numbers have higher preference'
        EQUALITY integerMatch        
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.150
        NAME 'dlzTTL'
        DESC 'DNS time to live - how long this record can be cached by caching DNS servers'
        EQUALITY integerMatch        
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.160
        NAME 'dlzRecordID'
        DESC 'Unique ID for each DLZ resource record'
        SUP name
        SINGLE-VALUE )

#------------------------------------------------------------------------------
# Object class definitions
#------------------------------------------------------------------------------

objectclass ( 1.3.6.1.4.1.18420.1.2.10
        NAME 'dlzZone'         
        DESC 'Zone name portion of a domain name'
        SUP top STRUCTURAL
        MUST ( objectclass $ dlzZoneName ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.20
        NAME 'dlzHost' 
        DESC 'Host name portion of a domain name'
        SUP top STRUCTURAL
        MUST ( objectclass $ dlzHostName ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.30
        NAME 'dlzAbstractRecord' 
        DESC 'Data common to all DNS record types'
        SUP top ABSTRACT
        MUST ( objectclass $ dlzRecordID $ dlzHostName $ dlzType $ dlzTTL ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.40
        NAME 'dlzGenericRecord' 
        DESC 'Generic DNS record - useful when a specific object class has not been defined for a DNS record'
        SUP dlzAbstractRecord STRUCTURAL
        MUST ( dlzData ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.50
        NAME 'dlzARecord'
        DESC 'DNS A record'
        SUP dlzAbstractrecord STRUCTURAL
        MUST ( dlzIPAddr ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.60
        NAME 'dlzNSRecord'
        DESC 'DNS NS record'
        SUP dlzGenericRecord STRUCTURAL )

objectclass ( 1.3.6.1.4.1.18420.1.2.70
        NAME 'dlzMXRecord'
        DESC 'DNS MX record'
        SUP dlzGenericRecord STRUCTURAL
        MUST ( dlzPreference ) )
                
objectclass ( 1.3.6.1.4.1.18420.1.2.80
        NAME 'dlzSOARecord'
        DESC 'DNS SOA record'
        SUP dlzAbstractRecord STRUCTURAL       
        MUST ( dlzSerial $ dlzRefresh $ dlzRetry
               $ dlzExpire $ dlzMinimum $ dlzAdminEmail $ dlzPrimaryNS ) )
               
objectclass ( 1.3.6.1.4.1.18420.1.2.90
        NAME 'dlzTextRecord' 
        DESC 'Text data with spaces should be wrapped in double quotes'
        SUP dlzGenericRecord STRUCTURAL )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.100
        NAME 'dlzPTRRecord'
        DESC 'DNS PTR record'
        SUP dlzGenericRecord STRUCTURAL )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.110
        NAME 'dlzCNameRecord'
        DESC 'DNS CName record'
        SUP dlzGenericRecord STRUCTURAL )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.120
        NAME 'dlzXFR'
        DESC 'Host allowed to perform zone transfer'
        SUP top STRUCTURAL
        MUST ( objectclass $ dlzRecordID $ dlzIPAddr ) )
++++++ dnszone-schema.txt ++++++
# A schema for storing DNS zones in LDAP
#
attributetype ( 1.3.6.1.4.1.2428.20.0.0  NAME 'dNSTTL'
        DESC 'An integer denoting time to live'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
        DESC 'The class of a resource record'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName'
        DESC 'The name of a zone, i.e. the name of the highest node in the zone'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName'
        DESC 'The starting labels of a domain name'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
        DESC 'domain name pointer, RFC 1035'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
        DESC 'host information, RFC 1035'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
        DESC 'mailbox or mail list information, RFC 1035'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
        DESC 'text string, RFC 1035'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
        DESC 'for AFS Data Base location, RFC 1183'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
        DESC 'Signature, RFC 2535'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
        DESC 'Key, RFC 2535'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
        DESC 'IPv6 address, RFC 1886'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
        DESC 'Location, RFC 1876'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
        DESC 'non-existant, RFC 2535'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
        DESC 'service location, RFC 2782'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
        DESC 'Naming Authority Pointer, RFC 2915'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
        DESC 'Key Exchange Delegation, RFC 2230'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
        DESC 'certificate, RFC 2538'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
        DESC 'A6 Record Type, RFC 2874'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
        DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
        DESC 'Delegation Signer, RFC 3658'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
        DESC 'SSH Key Fingerprint, draft-ietf-secsh-dns-05.txt'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
        DESC 'RRSIG, RFC 3755'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
        DESC 'NSEC, RFC 3755'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord'
        DESC 'Sender Policy Framework, RFC 4408'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone'
        SUP top STRUCTURAL
        MUST ( zoneName $ relativeDomainName )
        MAY ( DNSTTL $ DNSClass $
              ARecord $ MDRecord $ MXRecord $ NSRecord $
              SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $
              MINFORecord $ TXTRecord $ AFSDBRecord $ SIGRecord $
              KEYRecord $ AAAARecord $ LOCRecord $ NXTRecord $
              SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
              A6Record $ DNAMERecord $ DSRecord $ SSHFPRecord $
              RRSIGRecord $ NSECRecord $ sPFRecord ) )
++++++ named-bootconf.diff ++++++
Index: bind-9.14.7/contrib/scripts/named-bootconf.sh
===================================================================
--- bind-9.14.7.orig/contrib/scripts/named-bootconf.sh
+++ bind-9.14.7/contrib/scripts/named-bootconf.sh
@@ -39,7 +39,8 @@
 # POSSIBILITY OF SUCH DAMAGE.
 
 if [ ${OPTIONFILE-X} = X ]; then
-       WORKDIR=/tmp/`date +%s`.$$
+        TMPDIR=`mktemp -p /tmp/ -d named-bootconf.XXXXXXXXXX` || exit 1
+        WORKDIR=$TMPDIR/`date +%s`.$$
        ( umask 077 ; mkdir $WORKDIR ) || {
                echo "unable to create work directory '$WORKDIR'" >&2 
                exit 1
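
Review bot: The added `TMPDIR=` assignment reuses the name of the environment variable that mktemp and many other tools consult for their temporary directory, so if it is exported in the caller's environment every child process of this script will create its temp files inside the new directory. Use a script-private name instead. Since `mktemp -d` already returns a unique directory, the `date +%s`.$$ subdirectory and the `mkdir $WORKDIR` step add nothing; `WORKDIR` could be the mktemp result directly. The two added lines are indented with spaces where the surrounding script uses tabs, and the expansions are unquoted.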
@@ -293,7 +294,7 @@ if [ $DUMP -eq 1 ]; then
        cat $ZONEFILE $COMMENTFILE
 
        rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE
-       rmdir $WORKDIR
+       rm -rf $TMPDIR
 fi
 
 exit 0
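
Review bot: `rm -rf $TMPDIR` is unquoted and runs whenever `$DUMP -eq 1`, but `TMPDIR` is only assigned inside the `if [ ${OPTIONFILE-X} = X ]` branch of the earlier hunk. Please confirm DUMP can be 1 only when that branch ran; otherwise this line removes whatever directory the caller's environment names in TMPDIR. Cleanup also happens only on this success path, so an early `exit 1` leaves the directory behind; a `trap` on EXIT that removes a quoted, script-private variable would cover both cases.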
++++++ named.conf ++++++
# Type Name ID GECOS [HOME]
g named 44 - -
u named 44 "Name server daemon" /var/lib/named
++++++ named.root ++++++
;       This file holds the information on root name servers needed to 
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers). 
; 
;       This file is made available by InterNIC 
;       under anonymous FTP as
;           file                /domain/named.cache 
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
; 
;       last update:     February 20, 2020 
;       related version of root zone:     2020022000
; 
; FORMERLY NS.INTERNIC.NET 
;
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
; 
; FORMERLY NS1.ISI.EDU 
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
; 
; FORMERLY C.PSI.NET 
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
; 
; FORMERLY TERP.UMD.EDU 
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
; 
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
; 
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
; 
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
; 
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
; 
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
; 
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
; 
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
; 
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
; 
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
; End of file
++++++ pie_compile.diff ++++++
Index: bind-9.16.4/bin/Makefile.in
===================================================================
--- bind-9.16.4.orig/bin/Makefile.in
+++ bind-9.16.4/bin/Makefile.in
@@ -15,4 +15,8 @@ SUBDIRS =     named rndc dig delv dnssec too
                @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
 TARGETS =
 
+EXT_CFLAGS = -fPIE -static
+
 @BIND9_MAKE_RULES@
+
+LDFLAGS   += -pie
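Review bot: both additions in bin/Makefile.in look like no-ops. This Makefile only recurses into SUBDIRS and has an empty `TARGETS =`, so nothing is compiled or linked here, and make variables set in a parent Makefile do not reach the sub-makes unless they are exported. Either drop this hunk or add a comment saying what it is expected to affect.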
Index: bind-9.16.4/bin/check/Makefile.in
===================================================================
--- bind-9.16.4.orig/bin/check/Makefile.in
+++ bind-9.16.4/bin/check/Makefile.in
@@ -46,8 +46,12 @@ TARGETS =    named-checkconf@EXEEXT@ named-
 # Alphabetically
 SRCS =         named-checkconf.c named-checkzone.c check-tool.c
 
+EXT_CFLAGS = -fPIE -static
+
 @BIND9_MAKE_RULES@
 
+LDFLAGS   += -pie
+
 named-checkconf.@O@: named-checkconf.c
        ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
                -DVERSION=\"${VERSION}\" \
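Review bot: `EXT_CFLAGS = -fPIE -static` puts `-static` next to `-fPIE` with no explanation, and a reader will take it as a request for a static link, which sits oddly beside the `LDFLAGS += -pie` added a few lines further down. If the flag is meant for the libtool compile step (`${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS}`), say so in a comment above the assignment; if it is not needed, leave it out so the hardening intent of the patch stays unambiguous.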
Index: bind-9.16.4/bin/confgen/Makefile.in
===================================================================
--- bind-9.16.4.orig/bin/confgen/Makefile.in
+++ bind-9.16.4/bin/confgen/Makefile.in
@@ -55,8 +55,12 @@ TARGETS =    rndc-confgen@EXEEXT@ ddns-conf
 
 UOBJS =                unix/os.@O@
 
+EXT_CFLAGS = -fPIE -static
+
 @BIND9_MAKE_RULES@
 
+LDFLAGS   += -pie
+
 rndc-confgen.@O@: rndc-confgen.c
        ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
                -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
Index: bind-9.16.4/bin/confgen/unix/Makefile.in
===================================================================
--- bind-9.16.4.orig/bin/confgen/unix/Makefile.in
+++ bind-9.16.4/bin/confgen/unix/Makefile.in
@@ -25,4 +25,8 @@ SRCS =                os.c
 
 TARGETS =      ${OBJS}
 
+EXT_CFLAGS = -fPIE -static
+
 @BIND9_MAKE_RULES@
+
+LDFLAGS   += -pie
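Review bot: `LDFLAGS += -pie` has nothing to act on in bin/confgen/unix, because `TARGETS = ${OBJS}` shows this Makefile only builds object files and links no executable. Keep the `EXT_CFLAGS` line so os.c is compiled position-independent, and drop the LDFLAGS line here and in any other objects-only directory the patch touches.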
Index: bind-9.16.4/bin/dig/Makefile.in
===================================================================
--- bind-9.16.4.orig/bin/dig/Makefile.in
+++ bind-9.16.4/bin/dig/Makefile.in
@@ -57,10 +57,14 @@ UOBJS =
 
 SRCS =         dig.c dighost.c host.c nslookup.c
 
+EXT_CFLAGS = -fPIE -static
+
 @BIND9_MAKE_RULES@
 
 LDFLAGS =      @LDFLAGS@ @LIBIDN2_LDFLAGS@
 
+LDFLAGS   += -pie
+
 dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
        export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
        export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
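Review bot: in bin/dig the `-pie` only survives because `LDFLAGS += -pie` happens to sit after the existing `LDFLAGS = @LDFLAGS@ @LIBIDN2_LDFLAGS@` assignment; if a later refresh of the patch moves it above that line, the flag is silently overwritten and dig, host and nslookup lose PIE without any build error. Folding it into the assignment (`LDFLAGS = @LDFLAGS@ @LIBIDN2_LDFLAGS@ -pie`) or adding a comment about the ordering would make that dependency explicit.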
Index: bind-9.16.4/bin/dnssec/Makefile.in
===================================================================
--- bind-9.16.4.orig/bin/dnssec/Makefile.in
+++ bind-9.16.4/bin/dnssec/Makefile.in
@@ -50,8 +50,12 @@ SRCS =               dnssec-cds.c dnssec-dsfromkey.c
                dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
                dnssectool.c
 
+EXT_CFLAGS = -fPIE -static
+
 @BIND9_MAKE_RULES@
 
+LDFLAGS   += -pie
+
 dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
        export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
        ${FINALBUILDCMD}
Index: bind-9.16.4/bin/named/Makefile.in
===================================================================
--- bind-9.16.4.orig/bin/named/Makefile.in
+++ bind-9.16.4/bin/named/Makefile.in
@@ -117,8 +117,12 @@ SRCS =             builtin.c config.c control.c \
                tkeyconf.c tsigconf.c zoneconf.c \
                ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
 
+EXT_CFLAGS = -fPIE -static
+
 @BIND9_MAKE_RULES@
 
+LDFLAGS   += -pie
+
 main.@O@: main.c
        ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
                -DVERSION=\"${VERSION}\" \
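Review bot: nothing in the bin/named hunk, or elsewhere in the patch, verifies that the resulting binary is actually position-independent, and named is the network-facing daemon where that matters most. A build-time check in the package (for example, failing the build unless `readelf -h` reports `Type: DYN` for the installed named binary) would catch the case where these Makefile variables stop being honoured after an upstream build-system change.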
Index: bind-9.16.4/bin/named/unix/Makefile.in
===================================================================
--- bind-9.16.4.orig/bin/named/unix/Makefile.in
+++ bind-9.16.4/bin/named/unix/Makefile.in
@@ -27,4 +27,8 @@ SRCS =                os.c dlz_dlopen_driver.c
 
 TARGETS =      ${OBJS}
 
+EXT_CFLAGS = -fPIE -static
+
 @BIND9_MAKE_RULES@
+
+LDFLAGS   += -pie
Index: bind-9.16.4/bin/nsupdate/Makefile.in
===================================================================
--- bind-9.16.4.orig/bin/nsupdate/Makefile.in
+++ bind-9.16.4/bin/nsupdate/Makefile.in
@@ -59,8 +59,12 @@ UOBJS =
 
 SRCS =         nsupdate.c
 
+EXT_CFLAGS = -fPIE -static
+
 @BIND9_MAKE_RULES@
 
+LDFLAGS   += -pie
+
 nsupdate.@O@: nsupdate.c
        ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
                -DSESSION_KEYFILE=\"${localstatedir}/run/named/session.key\" \
Index: bind-9.16.4/bin/rndc/Makefile.in
===================================================================
--- bind-9.16.4.orig/bin/rndc/Makefile.in
+++ bind-9.16.4/bin/rndc/Makefile.in
@@ -45,8 +45,12 @@ SRCS=                rndc.c
 
 TARGETS =      rndc@EXEEXT@
 
+EXT_CFLAGS = -fPIE -static
+
 @BIND9_MAKE_RULES@
 
+LDFLAGS   += -pie
+
 rndc.@O@: rndc.c
        ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
                -DVERSION=\"${VERSION}\" \
Index: bind-9.16.4/bin/tools/Makefile.in
===================================================================
--- bind-9.16.4.orig/bin/tools/Makefile.in
+++ bind-9.16.4/bin/tools/Makefile.in
@@ -54,8 +54,12 @@ SRCS =               arpaname.c named-journalprint.c
                nsec3hash.c mdig.c \
                @DNSTAPSRCS@ @NZDSRCS@
 
+EXT_CFLAGS = -fPIE -static
+
 @BIND9_MAKE_RULES@
 
+LDFLAGS   += -pie
+
 arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
                -o $@ arpaname.@O@ ${ISCLIBS} ${LIBS}
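Review bot: by this hunk the same `EXT_CFLAGS = -fPIE -static` / `LDFLAGS += -pie` stanza has been pasted into eleven Makefile.in files, which means every new bin/ subdirectory upstream adds will ship non-PIE until someone remembers to extend the patch. Since each of these files already pulls in `@BIND9_MAKE_RULES@`, setting the flags once there, or passing them through CFLAGS/LDFLAGS at configure time, would be easier to maintain and to audit.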