Feature update for bind
| Announcement ID: | SUSE-FU-2023:0142-1 |
|---|---|
| Rating: | moderate |
| References: | |
| Affected Products: | |
An update that contains two features can now be installed.
Description:
This update for bind fixes the following issues:
Version update from 9.16.33 to 9.16.35 (jsc#SLE-24801, jsc#SLE-24600)
- New Features:
  - Support for parsing and validating the dohpath service parameter in SVCB records was added.
  - named now logs the supported cryptographic algorithms during startup and in the output of named -V.
- Bug Fixes:
  - A crash was fixed that happened when a dnssec-policy zone that used NSEC3 was reconfigured to enable inline-signing.
  - In certain resolution scenarios, quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients.
  - rpz-ip rules in response-policy zones could be ineffective in some cases if a query had the CD (Checking Disabled) bit set to 1.
  - Previously, if Internet connectivity issues were experienced during the initial startup of named, a BIND resolver with dnssec-validation set to auto could enter into a state where it would not recover without stopping named, manually deleting the managed-keys.bind and managed-keys.bind.jnl files, and starting named again.
  - The statistics counter representing the current number of clients awaiting recursive resolution results (RecursClients) could overflow in certain resolution scenarios.
  - Previously, BIND failed to start on Solaris-based systems with hundreds of CPUs.
  - When a DNS resource record's TTL value was equal to the resolver's configured prefetch eligibility value, the record was erroneously not treated as eligible for prefetching.
  - Changing just the TSIG key names for primaries in catalog zones' member zones was not effective. This has been fixed.
- Known Issues:
  - Upgrading from BIND 9.16.32 or any older version may require a manual configuration change. The following configurations are affected:
    - type primary zones configured with dnssec-policy but without either allow-update or update-policy
    - type secondary zones configured with dnssec-policy

  In these cases please add inline-signing yes; to the individual zone configuration(s). Without applying this change, named will fail to start. For more details, see https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
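A pre-upgrade check for the two affected configurations listed under Known Issues, as an added example (not part of the SUSE advisory or of BIND itself). It treats master/slave as the older spellings of primary/secondary and inspects only statements written inside each zone block; dnssec-policy, allow-update or update-policy inherited from options or view blocks are not resolved, and the zone names and addresses in the sample are constructed.

```python
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = '''
zone "ok-dynamic.example" { type primary; file "a.db";
    dnssec-policy default; update-policy local; };
zone "needs-fix.example" { type primary; file "b.db";  // no update-policy here
    dnssec-policy default; };
zone "secondary.example" in { type secondary; primaries { 192.0.2.1; };
    dnssec-policy default; };
zone "already-inline.example" { type slave; masters { 192.0.2.1; };
    dnssec-policy default; inline-signing yes; };
'''

def zone_blocks(text):
    """Yield (name, body) for every zone statement, including zones in views."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)   # /* ... */ comments
    text = re.sub(r'(//|#)[^\n]*', '', text)            # // and # comments
    for m in re.finditer(r'(?<![\w-])zone\s+"([^"]+)"[^{;]*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:                  # find the matching brace
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def stmt(body, keyword):
    """Return the first value of a 'keyword value;' statement, or None."""
    m = re.search(r'(?<![\w-])' + re.escape(keyword) + r'\s+([^\s;{]+)', body)
    return m.group(1).strip('"').lower() if m else None

def affected_zones(conf_text):
    """Zones matching the two cases the advisory lists under Known Issues."""
    hits = []
    for name, body in zone_blocks(conf_text):
        if stmt(body, 'dnssec-policy') in (None, 'none') or stmt(body, 'inline-signing') in ('yes', 'true', '1'):
            continue                                    # unsigned, or already inline-signed
        ztype = stmt(body, 'type')
        dynamic = re.search(r'(?<![\w-])(allow-update|update-policy)[\s{]', body)
        if ztype in ('secondary', 'slave'):
            hits.append((name, 'secondary zone with dnssec-policy'))
        elif ztype in ('primary', 'master') and not dynamic:
            hits.append((name, 'primary zone with dnssec-policy, no allow-update/update-policy'))
        # allow-update-forwarding is deliberately not counted as allow-update
    return hits

if __name__ == '__main__':
    for name, why in affected_zones(SAMPLE_CONF):
        print(f'{name}: {why}; add "inline-signing yes;"')
```

Run it against the full text of named.conf and its included files before installing the update; an empty result only covers zone-level settings.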
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-142=1
- Basesystem Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-142=1
- Server Applications Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP4-2023-142=1
Package List:
- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  - bind-debuginfo-9.16.35-150400.5.14.1
  - bind-utils-9.16.35-150400.5.14.1
  - bind-9.16.35-150400.5.14.1
  - bind-debugsource-9.16.35-150400.5.14.1
  - bind-utils-debuginfo-9.16.35-150400.5.14.1
- openSUSE Leap 15.4 (noarch)
  - bind-doc-9.16.35-150400.5.14.1
  - python3-bind-9.16.35-150400.5.14.1
- Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  - bind-debuginfo-9.16.35-150400.5.14.1
  - bind-utils-9.16.35-150400.5.14.1
  - bind-utils-debuginfo-9.16.35-150400.5.14.1
  - bind-debugsource-9.16.35-150400.5.14.1
- Basesystem Module 15-SP4 (noarch)
  - python3-bind-9.16.35-150400.5.14.1
- Server Applications Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  - bind-debuginfo-9.16.35-150400.5.14.1
  - bind-9.16.35-150400.5.14.1
  - bind-debugsource-9.16.35-150400.5.14.1
- Server Applications Module 15-SP4 (noarch)
  - bind-doc-9.16.35-150400.5.14.1