5.15. bind

Updated bind packages that fix one bug are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with the DNS server); and tools for verifying that the DNS server is operating properly.

Bug Fix

BZ#838956
Due to a race condition in the rbtdb.c source file, the named daemon could terminate unexpectedly with the INSIST error code. This bug has been fixed in the code and the named daemon no longer crashes in the described scenario.
All users of bind are advised to upgrade to these updated packages, which fix this bug.

Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. DNS64 is used to automatically generate DNS records so IPv6 based clients can access IPv4 systems through a NAT64 server.

Security Fix

CVE-2012-5688
A flaw was found in the DNS64 implementation in BIND. If a remote attacker sent a specially-crafted query to a named server, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.

Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix

CVE-2012-4244
A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.

Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix

CVE-2012-3817
An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
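The two advisories above apply only to servers that actually run the affected feature: DNS64 for CVE-2012-5688 (off by default, as the text notes) and DNSSEC validation on a recursive resolver for CVE-2012-3817. The following POSIX shell script is an added example, not part of the Red Hat advisory text, that checks a named.conf for those settings and, where rpm is available, whether the installed bind package's changelog records the fix. The sample configuration, the temporary file paths and the comment handling (single-line comments only) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit a named.conf for exposure to CVE-2012-5688 (DNS64) and
# CVE-2012-3817 (DNSSEC validation on a recursive resolver).
# The config text and paths below are constructed; nothing here is advisory content.

# Remove single-line /* */, // and # comments so commented-out statements are ignored.
# Limitation (assumption of this example): multi-line /* ... */ comments are not handled.
strip_named_comments() {
    sed -e 's|/\*.*\*/||g' -e 's|//.*$||' -e 's|#.*$||' "$1"
}

# Exit 0 if an active "dns64 <prefix> { ... };" statement exists.
dns64_enabled() {
    strip_named_comments "$1" | grep -Eq '^[[:space:]]*dns64[[:space:]]'
}

# BIND 9.8 defaults dnssec-validation to "yes", so only an explicit "no" disables it.
# Exit 0 means validation is not disabled.
dnssec_validation_enabled() {
    if strip_named_comments "$1" | grep -Eq 'dnssec-validation[[:space:]]+no[[:space:]]*;'; then
        return 1
    fi
    return 0
}

# Same reasoning for recursion: the default is "yes"; only an explicit "no" turns it off.
recursion_enabled() {
    if strip_named_comments "$1" | grep -Eq 'recursion[[:space:]]+no[[:space:]]*;'; then
        return 1
    fi
    return 0
}

# Red Hat records fixed CVEs in the package changelog. Exit 0 = mentioned,
# 1 = not mentioned, 2 = rpm not available on this host.
fix_in_installed_package() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q --changelog bind 2>/dev/null | grep -q "$1"
}

# Print a short exposure summary for one config file.
audit_named_conf() {
    conf=$1
    if dns64_enabled "$conf"; then
        echo "$conf: DNS64 enabled -> in scope for CVE-2012-5688"
    else
        echo "$conf: DNS64 not enabled"
    fi
    if recursion_enabled "$conf" && dnssec_validation_enabled "$conf"; then
        echo "$conf: validating recursive resolver -> in scope for CVE-2012-3817"
    else
        echo "$conf: not a validating recursive resolver"
    fi
    for cve in CVE-2012-5688 CVE-2012-3817; do
        fix_in_installed_package "$cve" && rc=0 || rc=$?
        case $rc in
            0) echo "installed bind changelog mentions $cve" ;;
            1) echo "installed bind changelog does not mention $cve: update needed" ;;
            *) echo "rpm not available; skipping package check" ;;
        esac
    done
}

# Constructed sample config: DNS64 enabled, validation left at its default.
write_sample_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;   // the 9.8 default anyway
    # dnssec-validation no;  commented out, must be ignored
    dns64 64:ff9b::/96 {
        clients { any; };
    };
};
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_named_conf "$sample"
rm -f "$sample"
```

On a real host, run `audit_named_conf /etc/named.conf` (or the chroot copy) instead of the constructed sample; a config that only includes `dns64` inside a view or an included file needs each file checked separately, since the script does not follow `include` statements.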

Updated bind packages that fix one bug are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library containing routines for applications to use when interfacing with the DNS server; and tools for verifying that the DNS server is operating properly.

Bug Fix

BZ#858273
Previously, BIND rejected "forward" and "forwarders" statements in static-stub zones. Consequently, it was impossible to forward certain queries to specified servers. With this update, BIND accepts those options for static-stub zones properly, thus fixing this bug.
All users of bind are advised to upgrade to these updated packages, which fix this bug.

Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix

CVE-2012-5166
A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lock up.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.

Updated bind packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.

Note

The bind package has been upgraded to upstream version 9.8.2rc1 which provides a number of bug fixes and enhancements over the previous version. Refer to /usr/share/doc/bind-9.8.2/README for a detailed list of enhancements. (BZ#745284, BZ#755618, BZ#797972)

Bug Fixes

BZ#734458
When /etc/resolv.conf contained nameservers with disabled recursion, nslookup failed to resolve certain host names. With this update, a patch has been applied and nslookup now works as expected in the scenario described.
BZ#739406
Prior to this update, errors arising on automatic update of DNSSEC trust anchors were handled incorrectly. Consequently, the named daemon could become unresponsive on shutdown. With this update, the error handling has been improved and named exits on shutdown gracefully.
BZ#739410
The multi-threaded named daemon uses the atomic operations feature to speed up access to shared data. This feature did not work correctly on 32-bit and 64-bit PowerPC architectures. Therefore, named sometimes became unresponsive on these architectures. This update disables the atomic operations feature on 32-bit and 64-bit PowerPC architectures, which ensures that named is now more stable and reliable and no longer hangs.
BZ#746694
Prior to this update, a race condition could occur on validation of DNSSEC-signed NXDOMAIN responses and named could terminate unexpectedly. With this update, the underlying code has been fixed and the race condition no longer occurs.
BZ#759502
The named daemon, configured as the master server, sometimes failed to transfer an uncompressible zone. The following error message was logged:
transfer of './IN': sending zone data: ran out of space
The code which handles zone transfers has been fixed and this error no longer occurs in the scenario described.
BZ#759503
During a DNS zone transfer, named sometimes terminated unexpectedly with an assertion failure. With this update, a patch has been applied to make the code more robust, and named no longer crashes in the scenario described.
BZ#768798
Previously, the rndc.key file was generated during package installation by the rndc-confgen -a command, but this feature was removed in Red Hat Enterprise Linux 6.1 because users reported that installation of the bind package sometimes hung due to lack of entropy in /dev/random. The named initscript now generates rndc.key during the service startup if it does not exist.
BZ#786362
After the rndc reload command was executed, named failed to update DNSSEC trust anchors and emitted the following message to the log:
managed-keys-zone ./IN: Failed to create fetch for DNSKEY update
This issue was fixed in the 9.8.2rc1 upstream version.
BZ#789886
Due to an error in the bind spec file, the bind-chroot subpackage did not create a /dev/null device. In addition, some empty directories were left behind after uninstalling bind. With this update, the bind-chroot packaging errors have been fixed.
BZ#795414
The dynamic-db plug-ins were loaded too early, which caused the configuration in the named.conf file to override the configuration supplied by the plug-in. Consequently, named sometimes failed to start. With this update, the named.conf file is parsed before plug-in initialization, and named now starts as expected.
BZ#812900
Previously, when the /var/named directory was mounted, the /etc/init.d/named initscript did not distinguish between situations when chroot configuration was enabled and when chroot was not enabled. Consequently, when stopping the named service, the /var/named directory was always unmounted. The initscript has been fixed and now unmounts /var/named only when chroot configuration is enabled. As a result, /var/named stays mounted after the named service is stopped when chroot configuration is not enabled.
BZ#816164
Previously, the nslookup utility did not return a non-zero exit code when it failed to get an answer. Consequently, it was impossible to determine from the exit code whether an nslookup run was successful. The nslookup utility has been fixed and now returns "1" as the exit code when it fails to get an answer.
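A monitoring script is where this exit code matters. The following POSIX shell functions are an added example (not from the Red Hat notes) of a DNS health check that relies on nslookup's exit status but also inspects the output for the failure markers nslookup prints ("** server can't find ..." and "no servers could be reached"), so the same check still detects failures on builds that predate this fix and exit 0. The lookup command is a parameter so the logic can be exercised without network access; the hostnames are constructed.

```shell
#!/bin/sh
# Added example: DNS health check built on nslookup's exit status (BZ#816164).
# The lookup command is injectable for offline testing; hostnames are constructed.

# Exit 0 when NAME resolves, 1 otherwise. A non-zero exit status comes only from
# the fixed nslookup; older builds exit 0 on failure, so the output is checked too.
dns_lookup_ok() {
    name=$1
    lookup_cmd=${2:-nslookup}
    if out=$("$lookup_cmd" "$name" 2>&1); then
        rc=0
    else
        rc=$?
    fi
    [ "$rc" -eq 0 ] || return 1
    case $out in
        # "** server can't find host: NXDOMAIN" / ";; connection timed out; no servers could be reached"
        *'** server can'*|*'no servers could be reached'*) return 1 ;;
    esac
    return 0
}

# Retry up to ATTEMPTS times with DELAY seconds between tries; exit 0 on the first success.
dns_health_check() {
    name=$1
    attempts=${2:-3}
    delay=${3:-2}
    lookup_cmd=${4:-nslookup}
    i=1
    while [ "$i" -le "$attempts" ]; do
        if dns_lookup_ok "$name" "$lookup_cmd"; then
            echo "OK: $name resolved on attempt $i"
            return 0
        fi
        i=$((i + 1))
        if [ "$i" -le "$attempts" ]; then
            sleep "$delay"
        fi
    done
    echo "FAIL: $name did not resolve after $attempts attempts" >&2
    return 1
}

# On a real host (needs a working resolver): dns_health_check www.example.com 3 2
```

Because the check is used as a command in `if` and `||` contexts, it composes with `set -e` cron scripts without aborting on the first failed attempt.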

Enhancements

BZ#735438
By default BIND returns resource records in round-robin order. The rrset-order option now supports fixed ordering. When this option is set, the resource records for each domain name are always returned in the order they are loaded from the zone file.
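The two configuration changes described on this page, a static-stub zone that also carries "forward" and "forwarders" statements (BZ#858273) and the fixed rrset-order option (BZ#735438), are shown together in the following added example, which is not from the Red Hat notes. It emits the named.conf fragments from shell and validates the assembled file with named-checkconf when that tool is installed. The zone name, addresses and file paths are constructed placeholders, and the `order fixed` option assumes a bind build with fixed rrset-order support, which this update provides.

```shell
#!/bin/sh
# Added example: generate named.conf fragments for a static-stub zone with
# forwarders (BZ#858273) and fixed rrset-order (BZ#735438), then check syntax.
# All names and addresses are constructed placeholders.

# Print a static-stub zone stanza. Args: ZONE FORWARDER_IP SERVER_ADDRESS...
# "server-addresses" lists the authoritative servers for the zone; "forward only"
# with "forwarders" sends queries for the zone through the given resolver,
# the combination BIND previously rejected.
static_stub_zone() {
    if [ $# -lt 3 ]; then
        echo "usage: static_stub_zone ZONE FORWARDER SERVER_ADDR..." >&2
        return 1
    fi
    zone=$1; fwd=$2; shift 2
    printf 'zone "%s" IN {\n    type static-stub;\n    server-addresses {' "$zone"
    for a in "$@"; do printf ' %s;' "$a"; done
    printf ' };\n    forward only;\n    forwarders { %s; };\n};\n' "$fwd"
}

# Print an options block returning RRsets in zone-file order instead of round-robin.
options_fixed_rrset_order() {
    cat <<'EOF'
options {
    directory "/var/named";
    rrset-order { order fixed; };
};
EOF
}

# Assemble a config at OUT and run named-checkconf on it.
# Exit 0 = written and validated, 1 = failed, 2 = written but no checker installed.
build_and_check() {
    if [ $# -lt 4 ]; then
        echo "usage: build_and_check OUT ZONE FORWARDER SERVER_ADDR..." >&2
        return 1
    fi
    out=$1; zone=$2; fwd=$3; shift 3
    {
        options_fixed_rrset_order
        static_stub_zone "$zone" "$fwd" "$@"
    } > "$out" || return 1
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$out"
    else
        echo "named-checkconf not installed; syntax not verified" >&2
        return 2
    fi
}

conf=$(mktemp)
build_and_check "$conf" corp.example 192.0.2.53 192.0.2.1 192.0.2.2 || echo "check status: $?"
cat "$conf"
rm -f "$conf"
```

Run `named-checkconf` (and `rndc reload`) on the production file rather than the temporary one once the fragment is merged into /etc/named.conf; the generator only covers the two statements discussed here.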
BZ#788870
Previously, named logged too many messages relating to external DNS queries. The severity of these error messages has been decreased from notice to debug so that the system log is not flooded with mostly unnecessary information.
BZ#790682
The named daemon now uses portreserve to reserve the Remote Name Daemon Control (RNDC) port to avoid conflicts with other services.
All users of bind are advised to upgrade to these updated packages, which fix these bugs and provide these enhancements.