Bug 1640561 (bind911_rebase_el7)
Summary: | [RFE] rebase to ESV bind 9.11 | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Menšík <pemensik> |
Component: | bind | Assignee: | Petr Menšík <pemensik> |
Status: | CLOSED ERRATA | QA Contact: | Petr Sklenar <psklenar> |
Severity: | medium | Docs Contact: | Marie Hornickova <mdolezel> |
Priority: | medium | ||
Version: | 7.7 | CC: | christian.bretterhofer, mkolaja, pemensik, thozza |
Target Milestone: | rc | Keywords: | FutureFeature, Rebase |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | bind-9.11.4-1.P2.el7 | Doc Type: | Enhancement |
Doc Text: |
.`bind` rebased to version 9.11
The `bind` packages have been upgraded to upstream version 9.11, which provides a number of bug fixes and enhancements over the previous version:
New features:
* A new method of provisioning secondary servers called *Catalog Zones* has been added.
* Domain Name System Cookies can now be sent by the `named` service and the `dig` utility.
* The *Response Rate Limiting* feature can now help with mitigation of DNS amplification attacks.
* Performance of response-policy zone (RPZ) has been improved.
* A new zone file format called `map` has been added. Zone data stored in this format can be mapped directly into memory, which enables zones to load significantly faster.
* A new tool called `delv` (domain entity lookup and validation) for sending DNS queries and validating the results has been added. The tool uses the same internal resolver and validator logic as the `named` daemon.
* A new `mdig` command is now available. This command is a version of the `dig` command that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting for the response before sending the next query.
* A new `prefetch` option, which improves the recursive resolver performance, has been added.
* A new `in-view` zone option, which allows zone data to be shared between views, has been added. When this option is used, multiple views can serve the same zones authoritatively without storing multiple copies in memory.
* A new `max-zone-ttl` option, which enforces maximum TTLs for zones, has been added. When a zone containing a higher TTL is loaded, the load fails. Dynamic DNS (DDNS) updates with higher TTLs are accepted but the TTL is truncated.
* New quotas have been added to limit queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks.
* The `nslookup` utility now looks up both IPv6 and IPv4 addresses by default.
* The `named` service now checks whether other name server processes are running before starting up.
* When loading a signed zone, `named` now checks whether a Resource Record Signature (RRSIG) has an inception time in the future, and if so, it regenerates the RRSIG immediately.
* Zone transfers now use smaller message sizes to improve message compression, which reduces network usage.
Feature changes:
* The version 3 XML schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is provided by the HTTP interface. The legacy version 2 XML schema is still the default format.
|
Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-08-06 12:39:40 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1677382, 1683754 | ||
Bug Blocks: | 1325789, 1520808, 1578128, 1599276, 1599970, 1622704, 1630058, 1630905, 1630913, 1631407, 1640358, 1663257, 1677373 |
Description
Petr Menšík
2018-10-18 10:27:22 UTC
Found that the rebased bind is not allowed to autoconfigure source ports from the sysctl values of /proc/sys/net/ipv4/ip_local_port_range. Older defaults were fixed to the range of ports 1024-65535. Filed bug #1683754 for it. If they are included in the configuration, the options use-v4-udp-ports and use-v6-udp-ports override both the defaults and auto-detection. It is possible to use the original values like in 9.9, but I think it should be left to the system configuration. Current defaults on the test machine are 32768-60999, which is still within the original range. I think it is ok if the range is narrowed a bit. I did not notice it before.

The original includes installed by the bind-lite-devel package were used only by dhcp and the export libs. They were in /usr/include directly. Because we have two similar headers, I think it is not safe to keep them there, especially because they should not usually be used by customers for linking any programs. Headers from /usr/include/isc moved into the /usr/include/bind9-export/isc subdirectory. If any single-threaded program should really link to these export libraries, it should use isc-export-config.sh for parameter detection. Linking any program with the export libraries isc and dns would require:

    CPPFLAGS+=`isc-export-config.sh --cflags isc dns`
    LDFLAGS+=`isc-export-config.sh --libs isc dns`

These includes are not intended to be used by customers.

*** Bug 1640358 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2057
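The reporter's first comment above raises a security-relevant side effect of the rebase: bind 9.11 autodetects its UDP source-port range from the kernel's ip_local_port_range instead of using the fixed 1024-65535 default of 9.9, so the number of ports available for source-port randomization (a cache-poisoning defence) now depends on a sysctl that may be narrowed for unrelated reasons. The following script is an added example written for this page; it is not code from the bug report, from Red Hat or from the bind package. It reads the range the way named would see it, reports how many bits of source-port entropy it yields, and emits the explicit use-v4-udp-ports/use-v6-udp-ports options that, as the comment notes, override both the default and the autodetection. The path and the 1024-65535 default are taken from the comment; the 32768-60999 fallback is a constructed sample equal to the reporter's test machine, and the 14-bit minimum is an assumed local policy threshold, not a value defined by bind.

```shell
#!/bin/sh
# Added example for this bug page (not from the bug report or from bind).
# Reads the ephemeral port range that bind 9.11 autodetects, estimates the
# source-port entropy it provides, and prints named.conf options that pin
# the range explicitly (these override default and autodetection).

PORT_RANGE_FILE="${PORT_RANGE_FILE:-/proc/sys/net/ipv4/ip_local_port_range}"
MIN_PORT_BITS=14   # assumed local policy threshold, not a bind constant

# Print "<low> <high>". When the sysctl file is not readable (non-Linux
# host), fall back to a constructed sample equal to the bug's test machine.
read_port_range() {
    if [ -r "$1" ]; then
        tr -s ' \t' ' ' < "$1"
    else
        echo "32768 60999"
    fi
}

# Number of ports in the inclusive range $1..$2.
port_count() {
    echo $(( $2 - $1 + 1 ))
}

# floor(log2(n)): bits of source-port randomness a range of n ports supplies.
entropy_bits() {
    n=$1
    bits=0
    while [ "$n" -gt 1 ]; do
        n=$(( n / 2 ))
        bits=$(( bits + 1 ))
    done
    echo "$bits"
}

# Exit status: 0 = acceptable; 1 = inverted or outside the 1024-65535
# default of bind 9.9; 2 = fewer than MIN_PORT_BITS bits of entropy.
check_range() {
    lo=$1
    hi=$2
    if [ "$lo" -gt "$hi" ] || [ "$lo" -lt 1024 ] || [ "$hi" -gt 65535 ]; then
        return 1
    fi
    if [ "$(entropy_bits "$(port_count "$lo" "$hi")")" -lt "$MIN_PORT_BITS" ]; then
        return 2
    fi
    return 0
}

# named.conf options fragment that pins the range, so the resolver no
# longer depends on whatever the sysctl happens to be at start-up.
named_port_options() {
    printf 'use-v4-udp-ports { range %s %s; };\n' "$1" "$2"
    printf 'use-v6-udp-ports { range %s %s; };\n' "$1" "$2"
}

main() {
    set -- $(read_port_range "$PORT_RANGE_FILE")
    lo=$1
    hi=$2
    count=$(port_count "$lo" "$hi")
    bits=$(entropy_bits "$count")
    echo "ephemeral range $lo-$hi: $count ports, ~$bits bits of source-port entropy"
    status=0
    check_range "$lo" "$hi" || status=$?
    case $status in
        0) echo "range acceptable" ;;
        1) echo "WARNING: range outside the 1024-65535 default of bind 9.9" ;;
        2) echo "WARNING: fewer than $MIN_PORT_BITS bits of port entropy; widen the sysctl or pin a wider range" ;;
    esac
    echo "options fragment to pin the range explicitly:"
    named_port_options "$lo" "$hi"
}

main
```

The reporter's 32768-60999 range gives 28232 ports, roughly 14 bits, against about 15 bits for the old 1024-65535 default; either passes the assumed threshold, but a range such as 60000-60999 would not, and the script flags it rather than letting named silently inherit it. Paste the printed fragment into the `options { }` block of named.conf if you prefer the explicit setting over autodetection.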