Bug 1640561 (bind911_rebase_el7)

Summary: [RFE] rebase to ESV bind 9.11
Product: Red Hat Enterprise Linux 7
Reporter: Petr Menšík <pemensik>
Component: bind
Assignee: Petr Menšík <pemensik>
Status: CLOSED ERRATA
QA Contact: Petr Sklenar <psklenar>
Severity: medium
Docs Contact: Marie Hornickova <mdolezel>
Priority: medium
Version: 7.7
CC: christian.bretterhofer, mkolaja, pemensik, thozza
Target Milestone: rc
Keywords: FutureFeature, Rebase
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: bind-9.11.4-1.P2.el7
Doc Type: Enhancement
Doc Text:
.`bind` rebased to version 9.11

The `bind` packages have been upgraded to upstream version 9.11, which provides a number of bug fixes and enhancements over the previous version:

New features:
* A new method of provisioning secondary servers called *Catalog Zones* has been added.
* Domain Name System Cookies can now be sent by the `named` service and the `dig` utility.
* The *Response Rate Limiting* feature can now help with mitigation of DNS amplification attacks.
* Performance of response-policy zones (RPZ) has been improved.
* A new zone file format called `map` has been added. Zone data stored in this format can be mapped directly into memory, which enables zones to load significantly faster.
* A new tool called `delv` (domain entity lookup and validation) for sending DNS queries and validating the results has been added. The tool uses the same internal resolver and validator logic as the `named` daemon.
* A new `mdig` command is now available. This command is a version of the `dig` command that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting for the response before sending the next query.
* A new `prefetch` option, which improves recursive resolver performance, has been added.
* A new `in-view` zone option, which allows zone data to be shared between views, has been added. When this option is used, multiple views can serve the same zones authoritatively without storing multiple copies in memory.
* A new `max-zone-ttl` option, which enforces maximum TTLs for zones, has been added. When a zone containing a higher TTL is loaded, the load fails. Dynamic DNS (DDNS) updates with higher TTLs are accepted but the TTL is truncated.
* New quotas have been added to limit queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks.
* The `nslookup` utility now looks up both IPv6 and IPv4 addresses by default.
* The `named` service now checks whether other name server processes are running before starting up.
* When loading a signed zone, `named` now checks whether a Resource Record Signature's (RRSIG) inception time is in the future, and if so, it regenerates the RRSIG immediately.
* Zone transfers now use smaller message sizes to improve message compression, which reduces network usage.

Feature changes:
* The version 3 XML schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is provided by the HTTP interface. The legacy version 2 XML schema is still the default format.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-06 12:39:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1677382, 1683754
Bug Blocks: 1325789, 1520808, 1578128, 1599276, 1599970, 1622704, 1630058, 1630905, 1630913, 1631407, 1640358, 1663257, 1677373

Description Petr Menšík 2018-10-18 10:27:22 UTC
Description of problem:
Customers are demanding more and more features that are not supported by our BIND 9.9. Our major version is currently deprecated and without support. No security patches would be released for it. It makes maintenance difficult and time intensive. We already have problems backporting features to the current version.

The 9.11 is an Extended Support Version that would be supported for at least 3 more years. We have it already prepared for RHEL 8 and it is used in Fedora. It is not the most recent stable version, but recent enough for working feature backports from 9.12.

Backport bugs that would be solved by rebase:
- Bug #1325789 - RPZ full support, also requested in bug #1622704
- Bug #1640358 - dig ednsneg and cookie support

Version-Release number of selected component (if applicable):

Additional info:
There are already some incompatibilities found.
- Change of statistics-channels XML output format. The same format 9.9 had is no longer supported in the code. It might require a backport; it might not even be possible. Not yet sure.
- Different library layout; the dhcp package is built against bind 9.11 in RHEL 8 in a different way. A new subpackage was introduced.
- The new version listens on the IPv6 interface by default. It can be turned off by listen-on-v6 { none; }; I am not sure if the default should be changed in the code.
- DNS cookies are supported. They might be caught by too restrictive firewalls or intrusion detection systems. I would suggest turning them off by default and allowing them to be enabled.

Comment 13 Petr Menšík 2019-02-27 18:15:39 UTC
Found rebased bind is denied to autoconfigure source ports from the sysctl values of /proc/sys/net/ipv4/ip_local_port_range. Older defaults were fixed to the port range 1024-65535. Filed bug #1683754 for it.

If included in the configuration, the options use-v4-udp-ports and use-v6-udp-ports override both the defaults and the auto detection. It is possible to use the original values like in 9.9, but I think it should be left to the system configuration. Current defaults on the test machine are 32768-60999, which is still within the original range. I think it is ok if the range is narrowed a bit.
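As an added example (not part of this bug report or of bind itself), the following POSIX shell helper does what Comment 13 describes by hand: it reads the kernel's ip_local_port_range, checks whether it still lies inside the old fixed default of 1024-65535, reports how many ports are left for source-port randomization, and emits the use-v4-udp-ports / use-v6-udp-ports options that would pin the range explicitly (and thereby override both the built-in default and the sysctl auto-detection). The function names and the "MIN<tab>MAX" file format assumption are mine; the sample value 32768 60999 is the one reported in the comment and is embedded as a constructed fallback so the script runs where /proc is not readable.

```shell
#!/bin/sh
# Added example for Comment 13; not code from the bug report or from bind.
# Checks the system's UDP source-port range against bind's old fixed
# default (1024-65535) and emits named.conf options that pin it.

LEGACY_MIN=1024
LEGACY_MAX=65535

# Constructed sample: the range Comment 13 reports on the test machine,
# in the same "MIN<tab>MAX" layout as /proc/sys/net/ipv4/ip_local_port_range.
SAMPLE_RANGE="32768	60999"

# read_port_range FILE -> prints "MIN MAX" parsed from an
# ip_local_port_range-style file; returns non-zero if it cannot be read.
read_port_range() {
    read -r lo hi < "$1" || return 1
    printf '%s %s\n' "$lo" "$hi"
}

# range_within_legacy MIN MAX -> 0 when MIN..MAX is a sane range that lies
# inside the old fixed default of 1024-65535, 1 otherwise.
range_within_legacy() {
    [ "$1" -le "$2" ] && [ "$1" -ge "$LEGACY_MIN" ] && [ "$2" -le "$LEGACY_MAX" ]
}

# range_width MIN MAX -> number of ports available for source-port
# randomization (a narrow range weakens it, so it is worth knowing).
range_width() {
    echo $(( $2 - $1 + 1 ))
}

# named_port_options MIN MAX -> named.conf fragment pinning the range.
# When present, these options override both defaults and auto detection.
named_port_options() {
    printf 'use-v4-udp-ports { range %s %s; };\n' "$1" "$2"
    printf 'use-v6-udp-ports { range %s %s; };\n' "$1" "$2"
}

main() {
    file="${1:-/proc/sys/net/ipv4/ip_local_port_range}"
    range=""
    if [ -r "$file" ]; then
        range=$(read_port_range "$file") || range=""
    fi
    # Fall back to the constructed sample when /proc is unavailable.
    [ -n "$range" ] || range="$SAMPLE_RANGE"
    # Word-split "MIN MAX" into $1 and $2 (IFS is the default).
    # shellcheck disable=SC2086
    set -- $range
    echo "system range: $1-$2 ($(range_width "$1" "$2") ports)"
    if range_within_legacy "$1" "$2"; then
        echo "within bind's old fixed default of $LEGACY_MIN-$LEGACY_MAX"
    else
        echo "WARNING: outside bind's old fixed default of $LEGACY_MIN-$LEGACY_MAX"
    fi
    echo "named.conf options that would pin this range explicitly:"
    named_port_options "$1" "$2"
    return 0
}

main "$@"
```

Run it with no arguments to inspect the live system, or pass a path to a saved copy of ip_local_port_range to evaluate another host's setting; the emitted options are only needed if you decide, contrary to the comment's preference, not to leave the range to the system configuration.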

Comment 14 Petr Menšík 2019-02-28 15:30:39 UTC
I did not notice it before. The original includes installed by the bind-lite-devel package were used only by dhcp and the export libs. They were in /usr/include directly. Because we have two similar sets of headers, I think it is not safe to keep them there. Especially because they should not usually be used for linking any programs by customers.

Headers from /usr/include/isc were moved into the /usr/include/bind9-export/isc subdirectory. If any single-threaded program should really link to these export libraries, it should use isc-export-config.sh for parameter detection.

Linking any program with the export libraries isc and dns would require:

CPPFLAGS+=`isc-export-config.sh --cflags isc dns`
LDFLAGS+=`isc-export-config.sh --libs isc dns`

These includes are not intended to be used by customers.

Comment 19 Tomáš Hozza 2019-08-02 10:32:44 UTC
*** Bug 1640358 has been marked as a duplicate of this bug. ***

Comment 23 errata-xmlrpc 2019-08-06 12:39:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2057