bind-9.7.3-2.2.0.1.AXS4.P3

BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.
Security issues fixed with this release:
CVE-2011-1910
Off-by-one error in named in ISC BIND 9.x before 9.7.3-P1, 9.8.x before 9.8.0-P2, 9.4-ESV before 9.4-ESV-R4-P1, and 9.6-ESV before 9.6-ESV-R4-P1 allows remote DNS servers to cause a denial of service (assertion failure and daemon exit) via a negative response containing large RRSIG RRsets.
CVE-2011-2464
Unspecified vulnerability in ISC BIND 9 9.6.x before 9.6-ESV-R4-P3, 9.7.x before 9.7.3-P3, and 9.8.x before 9.8.0-P4 allows remote attackers to cause a denial of service (named daemon crash) via a crafted UPDATE request.
Fixed bugs:
- bind on 64-bit PowerPC architecture now uses the same native atomic operations as the PowerPC architecture instead of emulated ones.
- the bind package used to generate the /etc/rndc.key file, by using entropy from /dev/random; this could lead to the bind package installation to hang. Since the rndc.key is used by rndc for advanced administration commands, it is no longer generated automatically during the bind package installation. If needed, users can generate the key file with the rndc-confgen -a command.
- named could sometimes enter a deadlock. This has been fixed.
- If the connection failed during named_sdb startup, the named_sdb PostgreSQL database backend failed to reconnect to the database. It now writes error message the systemlog and retries to connect at every lookup.
- removed conflicts between i686 and x86_64 versions of bind-devel, they can now both be installed on the same machine.
- initscripts does not kill all processes with the name 'named' when stopping the named daemon anymore, only the selected ones.
- added the return codes of the dig utility to the dig man page.
- updated the named.8 manpage to reflect that the system-config-bind utility is not provided anymore.
- the status action of the named initscript would not complete when bind-sdb package was installed. This has been fixed.
- if the resolv.conf contained search keyword with no arguments, the host/nslookup/dig utilities failed to parse correctly. They now ignore those lines.
- Removed the incomplete list of TSIG algorithms from the nsupdate man page. It can be found in the dnssec-keygen man page.
Enhancements:
- re-based to version 9.7.3.
- the host utility now honors debug, attempts and timeout options in resolv.conf.
- added the new option DISABLE_ZONE_CHECKING to /etc/sysconfig/named. This is to bypass zone validation via the named-checkzone utility in initscript and allows to start named with misconfigured zones.
- with this update, size, MD5 and the modification time of /etc/sysconfig/named configuration file is no longer checked via the rpm -V bind command.
- Root zone DNSKEY is now included in the bind package, in the /etc/named.root.key file.