- Due to a race condition in the rbtdb.c source file, the named daemon could terminate unexpectedly with the INSIST error code. This bug has been fixed in the code and the named daemon no longer crashes in the described scenario.
- A flaw was found in the DNS64 implementation in BIND. If a remote attacker sent a specially-crafted query to a named server, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default.
- A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.
- An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.
- Previously, BIND rejected "forward" and "forwarders" statements in static-stub zones. Consequently, it was impossible to forward certain queries to specified servers. With this update, BIND accepts those options for static-stub zones properly, thus fixing this bug.
- A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lock up.
DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.
/etc/resolv.conf contained nameservers with disabled recursion, nslookup failed to resolve certain host names. With this update, a patch has been applied and nslookup now works as expected in the scenario described.
- Prior to this update, errors arising on automatic update of DNSSEC trust anchors were handled incorrectly. Consequently, the named daemon could become unresponsive on shutdown. With this update, the error handling has been improved and named exits on shutdown gracefully.
- The multi-threaded named daemon uses the atomic operations feature to speed up access to shared data. This feature did not work correctly on 32-bit and 64-bit PowerPC architectures. Therefore, named sometimes became unresponsive on these architectures. This update disables the atomic operations feature on 32-bit and 64-bit PowerPC architectures, which ensures that named is now more stable and reliable and no longer hangs.
- Prior to this update, a race condition could occur on validation of DNSSEC-signed NXDOMAIN responses and named could terminate unexpectedly. With this update, the underlying code has been fixed and the race condition no longer occurs.
named daemon, configured as the master server, sometimes failed to transfer an uncompressible zone. The following error message was logged:
transfer of './IN': sending zone data: ran out of space
The code which handles zone transfers has been fixed and this error no longer occurs in the scenario described.
- During a DNS zone transfer, named sometimes terminated unexpectedly with an assertion failure. With this update, a patch has been applied to make the code more robust, and named no longer crashes in the scenario described.
- Previously, the rndc.key file was generated during package installation by the rndc-confgen -a command, but this feature was removed in Red Hat Enterprise Linux 6.1 because users reported that installation of the bind package sometimes hung due to lack of entropy in
named initscript now generates rndc.key during the service startup if it does not exist.
- After the rndc reload command was executed, named failed to update DNSSEC trust anchors and emitted the following message to the log:
managed-keys-zone ./IN: Failed to create fetch for DNSKEY update
This issue was fixed in the 9.8.2rc1 upstream version.
- Due to an error in the bind spec file, the bind-chroot subpackage did not create a /dev/null device. In addition, some empty directories were left behind after uninstalling bind. With this update, the bind-chroot packaging errors have been fixed.
- The dynamic-db plug-ins were loaded too early, which caused the configuration in the named.conf file to override the configuration supplied by the plug-in. Consequently, named sometimes failed to start. With this update the named.conf is parsed before plug-in initialization and named now starts as expected.
- Previously, when the /var/named directory was mounted, the /etc/init.d/named initscript did not distinguish between situations when chroot configuration was enabled and when chroot was not enabled. Consequently, when stopping the
/var/named directory was always unmounted. The initscript has been fixed and now unmounts
chroot configuration is enabled. As a result, /var/named stays mounted after the named service is stopped when chroot configuration is not enabled.
- Previously, the nslookup utility did not return a non-zero exit code when it failed to get an answer. Consequently, it was impossible to determine from the exit code whether an nslookup run was successful. The nslookup utility has been fixed and now returns "1" as the exit code when it fails to get an answer.
- By default BIND returns resource records in round-robin order. The rrset-order option now supports fixed ordering. When this option is set, the resource records for each domain name are always returned in the order they are loaded from the zone file.
named logged too many messages relating to external DNS queries. The severity of these error messages has been decreased from “notice” to “debug” so that the system log is not flooded with mostly unnecessary information.
named daemon now uses portreserve to reserve the Remote Name Daemon Control (RNDC) port to avoid conflicts with other services.
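
The two log messages quoted in the list above (the zone-transfer "ran out of space" error and the managed-keys "Failed to create fetch for DNSKEY update" message) are the strings to search for when checking whether a server hit those bugs before the update. The shell function below is an added example, not part of the original errata text or of the bind package; the function names, the syslog prefix format and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the errata text or the bind package.
# Function names, syslog prefix, hosts, PIDs and zones are constructed.

# triage_named_log [FILE]: print "SYMPTOM ZONE COUNT" per affected zone.
# Reads stdin when FILE is omitted.
triage_named_log() {
    awk -v q="'" '
        # Skip lines not logged by named (syslog tag "named[PID]:").
        !/ named\[[0-9]+\]: / { next }

        # Master could not send a zone: transfer of ZONE: ... ran out of space
        /sending zone data: ran out of space/ {
            if (match($0, "transfer of " q "[^" q "]+" q))
                hits["xfer-out-of-space " substr($0, RSTART + 13, RLENGTH - 14)]++
            next
        }

        # Trust-anchor refresh failed (seen after rndc reload).
        /Failed to create fetch for DNSKEY update/ {
            if (match($0, /managed-keys-zone [^:]+/))
                hits["managed-keys-fetch " substr($0, RSTART + 18, RLENGTH - 18)]++
        }

        END { for (k in hits) print k, hits[k] }
    ' "${1:--}" | LC_ALL=C sort
}

# Constructed sample: three failed transfers, one trust-anchor failure,
# one look-alike line from another daemon, one unrelated named line.
sample_named_log() {
    cat <<'EOF'
Mar  3 10:15:02 ns1 named[2211]: client 192.0.2.10#53412: transfer of './IN': sending zone data: ran out of space
Mar  3 10:15:09 ns1 named[2211]: client 192.0.2.10#53413: transfer of './IN': sending zone data: ran out of space
Mar  3 10:16:40 ns1 named[2211]: client 192.0.2.11#40100: transfer of 'example.com/IN': sending zone data: ran out of space
Mar  3 10:20:00 ns1 named[2211]: managed-keys-zone ./IN: Failed to create fetch for DNSKEY update
Mar  3 10:20:01 ns1 sshd[900]: transfer of './IN': sending zone data: ran out of space
Mar  3 10:21:00 ns1 named[2211]: zone example.com/IN: loaded serial 2012030301
EOF
}

sample_named_log | triage_named_log
```

Pass a log file path as the first argument to run it against a real system log; empty output means neither message was found.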