bind-9.8.2-0.10.rc1.AXS4

BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.

Security issues fixed with this release:

• CVE-2012-1033
The resolver in ISC BIND 9 through 9.8.1-P1 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack.

• CVE-2012-1667
ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial of service (daemon crash or data corruption) or obtain sensitive

Fixed bugs:

• nslookup does not fail anymore when /etc/resolv.conf contains nameservers with disabled recursion.

• Improved the handling of errors arising on automatic update of DNSSEC trust anchors: the named daemon now exits gracefully.

• Disabled the atomic options on PowerPC to make the multi-threaded named daemon more reliable.

• Fixed a race condition happening on validation of DNSSEC-signed NXDOMAIN responses.

• When the named server was configured as a master server, it could sometimes fail to compress an incompressible zone with the following error message: "transfer of './IN': sending zone data: ran out of space". This has been fixed.

• Named no longer crashes during a DNS zone transfer.

• If it does not exist, the rndc.key file is now generated by the named initscript during the service startup, instead of by the rndc-confgen -a command during installation.

• After running the rndc reload command, named failed to update DNSSEC trust anchors and logged the message:"managed-keys-zone ./IN: Failed to create fetch for DNSKEY update". This has been fixed.

• Fixed the bind spec file error responsible for not bind-chroot not creating a /dev/null device and leaving some empty directories after uninstalling.

• Because the dynamic-db plug-ins were loaded too early, it could cause the configuration in the named.conf file to override the configuration supplied by the plug-in, and named could fail to start. This has been fixed.

• Previously, when stopping the named service, the /var/named directory was always unmounted, regardless of chroot configuration. Now it is unmounted only when the chroot configuration is enabled.

• It was previously impossible to determine whether an nslookup run was successful from the error code as it failed to return a non-zero exit code when it failed to get an answer. This has been fixed; the exit code is "1".

Enhancements

• Added fixed ordering support for the rrset-order option: resource records can now be ordered in the order they are loaded from the zone file.

• Lowered the severity of the messages relating to external DNS queries from "notice" to "debug" to not flood the log with too much unnecessary information.

• In order to avoid conflicts with other services, the named daemon now uses portreserve to reserve the Remote Name Daemon.