- When authoritative servers did not return a Start of Authority (SOA) record, the "named" daemon failed to cache and return answers. A patch has been provided to address this issue and "named" is now able to handle such under-performing servers correctly.
- Previously, the `named` init script killed all `named` processes when stopping the `named` daemon. This caused a problem for container-virtualized hosts, such as OpenVZ, because their `named` processes were killed by the init script. The init script has been fixed and now only kills the correct
- When the `/etc/resolv.conf` file contained the `search` keyword with no arguments, the host/nslookup/dig utility failed to parse it correctly. With this update, such lines are ignored.
- The `/etc/named.root.key` file was not listed in the `ROOTDIR_MOUNT` variable. Consequently, when using bind97 with chroot, the `named.root.key` file was not mounted to the chroot environment. A patch has been applied and `/etc/named.root.key` is now mounted into chroot.
- A non-writable working directory is a long-standing feature on all Red Hat systems. Previously, `named` logged `the working directory is not writable` as an error to the system log. This update changes the code so that `named` now writes this information only into the debug log.
- During a
  `named` sometimes terminated unexpectedly with an assertion failure. A patch has been applied to make the code more robust, and `named` no longer crashes in the scenario described.
- Due to an error in the bind spec file, the bind-chroot subpackage did not create a `/dev/null` device. In addition, some empty directories were left behind after uninstalling bind. With this update, the bind-chroot packaging errors have been fixed.
- Previously, the nslookup utility did not return a non-zero exit code when it failed to get an answer. Consequently, it was impossible to determine from the exit code whether an nslookup run was successful. The nslookup utility has been fixed and now returns `1` as the exit code when it fails to get an answer.
- The `named` daemon, configured as a master server, sometimes failed to transfer an uncompressible zone. The following error message was logged: `transfer of './IN': sending zone data: ran out of space`. The code which handles zone transfers has been fixed and this error no longer occurs in the scenario described.
- Previously, bind97 did not contain the root zone `DNSKEY`
  is now located in
- With this update, the size, MD5 checksum, and modification time of the `/etc/sysconfig/named` configuration file are no longer checked by the `rpm -V bind` command.
- The host utility now honors `timeout` options in the
- The `DISABLE_ZONE_CHECKING` option has been added to `/etc/sysconfig/named`. This option makes it possible to bypass zone validation via the named-checkzone utility in the `/etc/init.d/named` init script and allows starting `named` with misconfigured zones.
- The return codes of the dig utility are now documented in the dig man page.
- The option to disable Internationalized Domain Name (IDN) support in the dig utility was incorrectly documented in the man page. The dig man page has been corrected to explain the use of `CHARSET` for disabling IDN.
- Previously, the `rndc.key` file was generated during package installation by the `rndc-confgen -a` command, but this feature was removed in Red Hat Enterprise Linux 5.8 because users reported that installation of the bind package sometimes became unresponsive due to lack of entropy in
  The `named` init script now generates `rndc.key` during the service startup if it does not exist.
- A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory.
- A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced.
- An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.
- A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records, that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.
- A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup.
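To make the cached NS-record fix above concrete, here is a small added Python model (not BIND's code; the cache class, zone name and timings are assumptions constructed for the illustration) of a resolver cache that caps the TTL of a replacement NS record at the remaining TTL of the record it replaces, together with a simulation showing that without the cap a delegation removed from the parent stays resolvable for as long as the child's nameserver keeps refreshing it.

```python
# Added illustration, not BIND's code: a minimal model of a resolver's NS cache
# in which storing a replacement record can be capped to the remaining lifetime
# of the record already cached (the mitigation described in the advisory text).

class NSCache:
    def __init__(self):
        self._entries = {}  # zone -> (nameservers, absolute expiry time)

    def lookup(self, zone, now):
        """Return the cached nameservers for zone, or None if absent or expired."""
        entry = self._entries.get(zone)
        if entry is None or entry[1] <= now:
            self._entries.pop(zone, None)
            return None
        return entry[0]

    def store(self, zone, nameservers, ttl, now, cap_to_existing=True):
        """Cache an NS RRset. With cap_to_existing the new TTL cannot exceed
        the remaining TTL of the record being replaced. Returns the TTL used."""
        effective_ttl = ttl
        existing = self._entries.get(zone)
        if cap_to_existing and existing is not None and existing[1] > now:
            effective_ttl = min(ttl, existing[1] - now)
        self._entries[zone] = (list(nameservers), now + effective_ttl)
        return effective_ttl


def delegation_survives(cap_to_existing, original_ttl=3600,
                        refresh_every=1800, probe_at=7200):
    """Simulate a delegation removed from the parent zone at t=0 while the
    child's nameserver keeps answering NS queries with a very long TTL.
    Returns True if the zone is still resolvable from cache at probe_at.
    The zone name and timings are constructed for this illustration."""
    zone = "removed.example"
    cache = NSCache()
    cache.store(zone, ["ns1.removed.example"], original_ttl, now=0)
    t = refresh_every
    while t <= probe_at:
        if cache.lookup(zone, now=t) is None:
            # Cache is empty: the resolver must ask the parent, which no
            # longer delegates the zone, so the refresh cannot happen.
            break
        cache.store(zone, ["ns1.removed.example"], 86400, now=t,
                    cap_to_existing=cap_to_existing)
        t += refresh_every
    return cache.lookup(zone, now=probe_at) is not None
```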