bind-9.10.1-P2 and BIND Utilities-9.10.1-P2

[Fernando de Oliveira]

​ftp://ftp.isc.org/isc/bind9/9.10.1-P2/bind-9.10.1-P2.tar.gz

​ftp://ftp.isc.org/isc/bind9/9.10.1-P2/RELEASE-NOTES-BIND-9.10.1-P2.txt

Security Fixes

   On servers configured to perform DNSSEC validation using managed
   trust anchors (i.e., keys configured explicitly via managed-keys, or
   implicitly via dnssec-validation auto; or dnssec-lookaside auto;),
   revoking a trust anchor and sending a new untrusted replacement could
   cause named to crash with an assertion failure.  This could occur in
   the event of a botched key rollover, or potentially as a result of a
   deliberate attack if the attacker was in position to monitor the
   victim's DNS traffic.  This flaw was discovered by Jan-Piet Mens, and
   is disclosed in [CVE-2015-1349] [RT #38344] (**)

   A flaw in delegation handling could be exploited to put named
   into an infinite loop, in which each lookup of a name server
   triggered additional lookups of more name servers.  This has
   been addressed by placing limits on the number of levels of
   recursion named will allow (default 7), and on the number of
   queries that it will send before terminating a recursive query
   (default 50).  The recursion depth limit is configured via the
   max-recursion-depth option, and the query limit via the
   max-recursion-queries option.  The flaw was discovered by
   Florian Maury of ANSSI [CVE-2014-8500] [RT #37580]

   Two separate problems were identified in BIND's GeoIP code that
   could lead to an assertion failure. One was triggered by use of
   both IPv4 and IPv6 address families, the other by referencing a
   GeoIP database in named.conf which was not installed. Both are
   covered by CVE-2014-8680. [RT #37672] [RT #37679]

   A less serious security flaw was also found in GeoIP: changes
   to the geoip-directory option in named.conf were ignored when
   running rndc reconfig. In theory, this could allow named to allow
   access to unintended clients.

   A query specially crafted to exploit a defect in EDNS option
   processing could cause named to terminate with an assertion
   failure, due to a missing isc_buffer_availablelength() check
   when formatting packet contents for logging. For more information,
   see the security advisory at https://kb.isc.org/article/AA-01166/.
   [CVE-2014-3859] [RT #36078]

   A programming error in the prefetch feature could cause named
   to crash with a "REQUIRE" assertion failure in name.c. For more
   information, see the security advisory at
   https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]

New Features

   ...

Feature Changes

   ...

Bug Fixes

   ...

[Fernando de Oliveira]

I needed to do the following change in /srv/named/etc/named.conf:

s:directory "/etc/namedb":directory "/srv/named/etc/namedb"

otherwise, an error would occur with:

sudo named-checkconf /srv/named/etc/named.conf

Linking the file /srv/named/etc/named.conf to /etc did not solve the problem.

Fixed at r15531.

[Fernando de Oliveira]

I'm reopening this ticket.

Sent a message to -dev but no replies untill now:

​http://lists.linuxfromscratch.org/pipermail/blfs-dev/2015-February/029551.html

In revision 15537, I've just reverted a modification done in the update
yesterday to the file "/srv/named/etc/named.conf".

The reason I did that modification is the following:

$ sudo named-checkconf /srv/named/etc/named.conf
/srv/named/etc/named.conf:11: change directory to '/etc/namedb' failed:
file not found

However, with that modification that fixes the command above, named
fails to start, so I reverted:

> -    directory "/srv/named/etc/namedb";
> +    directory "/etc/namedb";

I failed to use named-checkconf with this, though.
...

Some fix is necessary.

I will give the ticket back to the book, because could not find a solution.

[bdubbs@…]

I'll take this. It will be a couple of days. I want to do Xorg and KDE first.

[bdubbs@…]

I found some more switches for bind. I used:

./configure --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var \
            --mandir=/usr/share/man \
            --enable-threads  \
            --with-libtool  \
            --disable-static \
            --with-randomdev=/dev/urandom \
            --with-tuning=default \
            --enable-sit \
            --enable-fixed-rrset  \
            --enable-seccomp \
            --with-atf \
            --with-openssl \
            --with-gost

There is a new optional dependency: geoip at ​https://github.com/cjheath/geoip

The only test that failed for me was tsiggss and that has something to do with kerberos. I think the ecdsa test passed for me because I used the extra switches. In any case I don't think they are significant for us.

I don't think the chmod is needed because the command didn't change any permissions.

The rest of the instructions seem fine.

When I run 'named-checkconf -t /srv/named', no errors are returned.

I'll finish this up tomorrow.