ISC has issued advisories on February 21:
https://kb.isc.org/docs/cve-2018-5744
https://kb.isc.org/docs/cve-2018-5745
https://kb.isc.org/docs/cve-2019-6465
The issues are fixed upstream in BIND 9.11.5-P4:
https://ftp.isc.org/isc/bind9/9.11.5-P4/CHANGES
Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
bind-9.11.5.P4-1.mga7 submitted in cauldron.
Whiteboard: MGA6TOO => (none)
Status comment: (none) => Fixed upstream in 9.11.5-P4
Version: Cauldron => 6
Ubuntu has issued an advisory for this on February 22: https://usn.ubuntu.com/3893-1/
ISC has issued an advisory on April 24:
https://kb.isc.org/docs/cve-2018-5743
The issue (CVE-2018-5743) is fixed upstream in 9.11.6-P1:
https://ftp.isc.org/isc/bind9/9.11.6-P1/CHANGES
Version: 6 => Cauldron
Status comment: Fixed upstream in 9.11.5-P4 => Fixed upstream in 9.11.6-P1
Whiteboard: (none) => MGA6TOO
Summary: bind new security issues CVE-2018-574[45] and CVE-2019-6465 => bind new security issues CVE-2018-574[3-5] and CVE-2019-6465
Might need some additional commits to build on ARM: https://www.openwall.com/lists/oss-security/2019/04/27/1
(In reply to David Walser from comment #3)
> ISC has issued an advisory on April 24:
> https://kb.isc.org/docs/cve-2018-5743
>
> The issue (CVE-2018-5743) is fixed upstream in 9.11.6-P1:
> https://ftp.isc.org/isc/bind9/9.11.6-P1/CHANGES
RedHat has issued an advisory for this on May 29:
https://access.redhat.com/errata/RHSA-2019:1294

ISC has issued an advisory on June 19:
https://kb.isc.org/docs/cve-2019-6471
The issue (CVE-2019-6471) is fixed upstream in 9.11.8:
https://ftp.isc.org/isc/bind9/9.11.8/CHANGES
Status comment: Fixed upstream in 9.11.6-P1 => Fixed upstream in 9.11.8
Summary: bind new security issues CVE-2018-574[3-5] and CVE-2019-6465 => bind new security issues CVE-2018-574[3-5], CVE-2019-6465, CVE-2019-6471
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
CVE-2019-6471 and CVE-2018-5743 are both fixed in bind-9.11.6-1.1.mga7, submitted in update_testing for mageia 7. In addition to those two security issues, this package release also fixes two additional issues:
- a missing conflict tag between old bind and new bind-utils subpackages, preventing upgrade due to a file conflict
- missing root.key file, despite this one being referred to in default configuration
CC: (none) => qa-bugs
OK, still need an update for Mageia 6. Mageia 7 packages are:
bind-9.11.6-1.1.mga7
bind-sdb-9.11.6-1.1.mga7
bind-utils-9.11.6-1.1.mga7
bind-dnssec-utils-9.11.6-1.1.mga7
libdns1105-9.11.6-1.1.mga7
libirs161-9.11.6-1.1.mga7
libisc1100-9.11.6-1.1.mga7
libbind9_161-9.11.6-1.1.mga7
liblwres161-9.11.6-1.1.mga7
libisccc161-9.11.6-1.1.mga7
libisccfg163-9.11.6-1.1.mga7
bind-devel-9.11.6-1.1.mga7
bind-chroot-9.11.6-1.1.mga7
bind-sdb-chroot-9.11.6-1.1.mga7
python3-bind-9.11.6-1.1.mga7
from bind-9.11.6-1.1.mga7.src.rpm
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
CC: qa-bugs => (none)
Version: Cauldron => 7
RedHat has issued an advisory for CVE-2019-6471 on July 9: https://access.redhat.com/errata/RHSA-2019:1714
Mageia 6 also needs a fix (documentation-only change) for CVE-2018-5741: https://access.redhat.com/errata/RHSA-2019:2057
Blocks: (none) => 25528
Summary: bind new security issues CVE-2018-574[3-5], CVE-2019-6465, CVE-2019-6471 => bind new security issues CVE-2018-574[3-5], CVE-2019-6465, CVE-2019-6471 (+ file conflict fix)
Needs to be assigned to QA to actually get tested
Whiteboard: MGA6TOO => (none)
Assignee: guillomovitch => qa-bugs
CC: (none) => tmb
testing on Mageia 7 (64 bit)
$ uname -a
Linux nameserver2.home 5.3.2-desktop-1.mga7 #1 SMP Wed Oct 2 05:37:47 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
CC: (none) => paul.blackburn
Hit a snag with the updated BIND. Investigating.

Notes on testing BIND for mageia7 bug: https://bugs.mageia.org/show_bug.cgi?id=24422

existing BIND rpms installed:
bind-9.11.6-1.mga7
bind-dnssec-utils-9.11.6-1.mga7
bind-utils-9.11.6-1.mga7
lib64bind9_161-9.11.6-1.mga7
python3-bind-9.11.6-1.mga7

BIND rpms available in Core testing:
[mpb@nameserver2 ~]$ server=www.mirrorservice.org; rsync ${server}::mageia.org/pub/mageia/distrib/7/x86_64/media/core/updates_testing/ | grep bind
-rw-r--r-- 1,851,140 2019/07/08 22:41:13 bind-9.11.6-1.1.mga7.x86_64.rpm
-rw-r--r-- 13,896 2019/07/08 22:41:12 bind-chroot-9.11.6-1.1.mga7.x86_64.rpm
-rw-r--r-- 372,100 2019/07/08 22:41:12 bind-devel-9.11.6-1.1.mga7.x86_64.rpm
-rw-r--r-- 185,664 2019/07/08 22:41:13 bind-dnssec-utils-9.11.6-1.1.mga7.x86_64.rpm
-rw-r--r-- 345,928 2019/07/08 22:41:12 bind-sdb-9.11.6-1.1.mga7.x86_64.rpm
-rw-r--r-- 14,000 2019/07/08 22:41:13 bind-sdb-chroot-9.11.6-1.1.mga7.x86_64.rpm
-rw-r--r-- 185,852 2019/07/08 22:41:13 bind-utils-9.11.6-1.1.mga7.x86_64.rpm
-rw-r--r-- 35,988 2019/07/08 22:41:13 lib64bind9_161-9.11.6-1.1.mga7.x86_64.rpm
-rw-r--r-- 59,176 2019/07/08 22:41:13 python3-bind-9.11.6-1.1.mga7.noarch.rpm

Add Core Updates Testing urpmi source:
[mpb@nameserver2 ~]$ /bin/sudo urpmi.addmedia CUTesting --update rsync://www.mirrorservice.org::mageia.org/pub/mageia/distrib/7/x86_64/media/core/updates_testing/ # add core updates testing
[sudo] password for mpb:
adding medium "CUTesting"
www.mirrorservice.org::mageia.org/pub/mageia/distrib/7/x86_64/media/core/updates_testing/media_info/20191007-101025-synthesis.hdlist.cz

Install BIND 9.11.6-1.1 versions rpms:
/bin/sudo urpmi bind-9.11.6-1.1 bind-dnssec-utils-9.11.6-1.1 bind-utils-9.11.6-1.1 lib64bind9_161-9.11.6-1.1 python3-bind-9.11.6-1.1
/bin/sudo urpmi bind bind-dnssec-utils bind-utils lib64bind9_161 python3-bind

[mpb@nameserver2 ~]$ /bin/sudo urpmi bind bind-dnssec-utils bind-utils lib64bind9_161 python3-bind
[sudo] password for mpb:
Marking lib64bind9_161 as manually installed, it won't be auto-orphaned
Marking bind-dnssec-utils as manually installed, it won't be auto-orphaned
Marking python3-bind as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
www.mirrorservice.org::mageia.org/pub/mageia/distrib/7/x86_64/media/core/updates_testing/bind-9.11.6-1.1.mga7.x86_64.rpm
www.mirrorservice.org::mageia.org/pub/mageia/distrib/7/x86_64/media/core/updates_testing/bind-utils-9.11.6-1.1.mga7.x86_64.rpm
www.mirrorservice.org::mageia.org/pub/mageia/distrib/7/x86_64/media/core/updates_testing/lib64bind9_161-9.11.6-1.1.mga7.x86_64.rpm
www.mirrorservice.org::mageia.org/pub/mageia/distrib/7/x86_64/media/core/updates_testing/python3-bind-9.11.6-1.1.mga7.noarch.rpm
www.mirrorservice.org::mageia.org/pub/mageia/distrib/7/x86_64/media/core/updates_testing/bind-dnssec-utils-9.11.6-1.1.mga7.x86_64.rpm
installing lib64bind9_161-9.11.6-1.1.mga7.x86_64.rpm bind-9.11.6-1.1.mga7.x86_64.rpm bind-utils-9.11.6-1.1.mga7.x86_64.rpm python3-bind-9.11.6-1.1.mga7.noarch.rpm bind-dnssec-utils-9.11.6-1.1.mga7.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...
1/5: lib64bind9_161
2/5: bind-utils
3/5: python3-bind
4/5: bind-dnssec-utils
5/5: bind
warning: %post(bind-9.11.6-1.1.mga7.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for bind-9.11.6-1.1.mga7.x86_64
1/5: removing bind-9.11.6-1.mga7.x86_64
2/5: removing bind-dnssec-utils-9.11.6-1.mga7.x86_64
3/5: removing bind-utils-9.11.6-1.mga7.x86_64
4/5: removing python3-bind-9.11.6-1.mga7.noarch
5/5: removing lib64bind9_161-9.11.6-1.mga7.x86_64

# Verify we have the updated DNS rpms installed (eg version 9.11.6-1.1):
[mpb@nameserver2 ~]$ rpm -qa | sort | grep bind
bind-9.11.6-1.1.mga7
bind-dnssec-utils-9.11.6-1.1.mga7
bind-utils-9.11.6-1.1.mga7
lib64bind9_161-9.11.6-1.1.mga7
lib64keybinder0-0.3.0-11.mga7
lib64keybinder3.0_0-0.3.0-9.mga7
python3-bind-9.11.6-1.1.mga7
rpcbind-1.2.5-1.mga7

# stop and restart BIND plus display status:
[mpb@nameserver2 ~]$ /bin/sudo systemctl restart named.service && systemctl status named.service
Job for named.service failed because the control process exited with error code.
See "systemctl status named.service" and "journalctl -xe" for details.

# check named status for error
[mpb@nameserver2 ~]$ systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2019-10-07 15:34:05 BST; 25s ago
  Process: 9794 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi>
  Process: 9796 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=127)
Oct 07 15:34:05 nameserver2.home bash[9794]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 07 15:34:05 nameserver2.home bash[9794]: zone 0.in-addr.arpa/IN: loaded serial 0
Oct 07 15:34:05 nameserver2.home bash[9794]: master/db.home:10: NS record '127.0.0.1.' appears to be an address
Oct 07 15:34:05 nameserver2.home bash[9794]: zone home/IN: loaded serial 101
Oct 07 15:34:05 nameserver2.home bash[9794]: zone 0.0.10.in-addr.arpa/IN: loaded serial 43
Oct 07 15:34:05 nameserver2.home bash[9794]: zone 101.168.192.in-addr.arpa/IN: loaded serial 83
Oct 07 15:34:05 nameserver2.home named[9796]: /usr/sbin/named: symbol lookup error: /usr/sbin/named: undefined symbol: isc_quota_force
Oct 07 15:34:05 nameserver2.home systemd[1]: named.service: Control process exited, code=exited, status=127/n/a
Oct 07 15:34:05 nameserver2.home systemd[1]: named.service: Failed with result 'exit-code'.
Oct 07 15:34:05 nameserver2.home systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

Checking my local BIND named configuration. Don't see any issue with this yet.
Tried a "voodoo reboot". ;-)
No difference: unable to start BIND named.
Key error message seems to be:
Oct 07 16:38:19 nameserver2.home named[2404]: /usr/sbin/named: symbol lookup error: /usr/sbin/named: undefined symbol: isc_quota_force

[root@nameserver2 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2019-10-07 16:38:19 BST; 2min 52s ago
  Process: 2393 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi>
  Process: 2404 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=127)
Oct 07 16:38:19 nameserver2.home bash[2393]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 07 16:38:19 nameserver2.home bash[2393]: zone 0.in-addr.arpa/IN: loaded serial 0
Oct 07 16:38:19 nameserver2.home bash[2393]: master/db.home:10: NS record '127.0.0.1.' appears to be an address
Oct 07 16:38:19 nameserver2.home bash[2393]: zone home/IN: loaded serial 101
Oct 07 16:38:19 nameserver2.home bash[2393]: zone 0.0.10.in-addr.arpa/IN: loaded serial 43
Oct 07 16:38:19 nameserver2.home bash[2393]: zone 101.168.192.in-addr.arpa/IN: loaded serial 83
Oct 07 16:38:19 nameserver2.home named[2404]: /usr/sbin/named: symbol lookup error: /usr/sbin/named: undefined symbol: isc_quota_force
Oct 07 16:38:19 nameserver2.home systemd[1]: named.service: Control process exited, code=exited, status=127/n/a
Oct 07 16:38:19 nameserver2.home systemd[1]: named.service: Failed with result 'exit-code'.
Oct 07 16:38:19 nameserver2.home systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

Did you miss any package in the update? What does rpm -qa |grep 9.11.6-1 |sort say ?
[root@nameserver2 ~]# rpm -qa |grep 9.11.6-1 |sort
bind-9.11.6-1.1.mga7
bind-dnssec-utils-9.11.6-1.1.mga7
bind-utils-9.11.6-1.1.mga7
lib64bind9_161-9.11.6-1.1.mga7
lib64dns1105-9.11.6-1.mga7
lib64irs161-9.11.6-1.mga7
lib64isc1100-9.11.6-1.mga7
lib64isccc161-9.11.6-1.mga7
lib64isccfg163-9.11.6-1.mga7
lib64lwres161-9.11.6-1.mga7
python3-bind-9.11.6-1.1.mga7

Thank you Thomas, I will check:
lib64dns1105-9.11.6-1.mga7
lib64irs161-9.11.6-1.mga7
lib64isc1100-9.11.6-1.mga7
lib64isccc161-9.11.6-1.mga7
lib64isccfg163-9.11.6-1.mga7
lib64lwres161-9.11.6-1.mga7
All get updated to 9.11.6-1.1.
And try again

# enable Core Updates Testing
/bin/sudo urpmi.update --no-ignore CUTesting

# Thank you Thomas, I will check:
# lib64dns1105-9.11.6-1.mga7
# lib64irs161-9.11.6-1.mga7
# lib64isc1100-9.11.6-1.mga7
# lib64isccc161-9.11.6-1.mga7
# lib64isccfg163-9.11.6-1.mga7
# lib64lwres161-9.11.6-1.mga7

All get updated to 9.11.6-1.1.

And try again
# install libraries identified for BIND 9.11.6-1.1

/bin/sudo urpmi lib64dns1105 lib64irs161 lib64isc1100 lib64isccc161 lib64isccfg163 lib64lwres161

[mpb@nameserver2 ~]$ /bin/sudo urpmi lib64dns1105 lib64irs161 lib64isc1100 lib64isccc161 lib64isccfg163 lib64lwres161
[sudo] password for mpb:
Packages lib64irs161-9.11.6-1.mga7.x86_64, lib64isccfg163-9.11.6-1.mga7.x86_64, lib64isc1100-9.11.6-1.mga7.x86_64, lib64isccc161-9.11.6-1.mga7.x86_64, lib64lwres161-9.11.6-1.mga7.x86_64, lib64dns1105-9.11.6-1.mga7.x86_64 are already installed
Marking lib64irs161 as manually installed, it won't be auto-orphaned
Marking lib64isccfg163 as manually installed, it won't be auto-orphaned
Marking lib64isc1100 as manually installed, it won't be auto-orphaned
Marking lib64isccc161 as manually installed, it won't be auto-orphaned
Marking lib64lwres161 as manually installed, it won't be auto-orphaned
Marking lib64dns1105 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list

# verify all BIND 9.11.6-1 updates installed:

[mpb@nameserver2 ~]$ rpm -qa |grep 9.11.6-1 |sort
bind-9.11.6-1.1.mga7
bind-dnssec-utils-9.11.6-1.1.mga7
bind-utils-9.11.6-1.1.mga7
lib64bind9_161-9.11.6-1.1.mga7
lib64dns1105-9.11.6-1.mga7
lib64irs161-9.11.6-1.mga7
lib64isc1100-9.11.6-1.mga7
lib64isccc161-9.11.6-1.mga7
lib64isccfg163-9.11.6-1.mga7
lib64lwres161-9.11.6-1.mga7
python3-bind-9.11.6-1.1.mga7

# restart named and check status
[mpb@nameserver2 ~]$ /bin/sudo systemctl start named.service && systemctl status named.service
Job for named.service failed because the control process exited with error code.
See "systemctl status named.service" and "journalctl -xe" for details.

# Check named status for error
[mpb@nameserver2 ~]$ systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2019-10-07 19:03:41 BST; 7s ago
  Process: 12311 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; f>
  Process: 12313 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=127)
Oct 07 19:03:41 nameserver2.home bash[12311]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 07 19:03:41 nameserver2.home bash[12311]: zone 0.in-addr.arpa/IN: loaded serial 0
Oct 07 19:03:41 nameserver2.home bash[12311]: master/db.home:10: NS record '127.0.0.1.' appears to be an address
Oct 07 19:03:41 nameserver2.home bash[12311]: zone home/IN: loaded serial 101
Oct 07 19:03:41 nameserver2.home bash[12311]: zone 0.0.10.in-addr.arpa/IN: loaded serial 43
Oct 07 19:03:41 nameserver2.home bash[12311]: zone 101.168.192.in-addr.arpa/IN: loaded serial 83
Oct 07 19:03:41 nameserver2.home named[12313]: /usr/sbin/named: symbol lookup error: /usr/sbin/named: undefined symbol: isc_quota_force
Oct 07 19:03:41 nameserver2.home systemd[1]: named.service: Control process exited, code=exited, status=127/n/a
Oct 07 19:03:41 nameserver2.home systemd[1]: named.service: Failed with result 'exit-code'.
Oct 07 19:03:41 nameserver2.home systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

# Disable Core Updates testing
/bin/sudo urpmi.update --ignore CUTesting

Check for dnsmasq using port 53
Hello Claire, thank you. I do not have dnsmasq installed on this machine. I have two BIND dedicated nameservers here. I am testing the 9.11.6-1.1 core updates release on one of them. Both nameservers have been running very well with 9.11.6-1.
(In reply to Paul Blackburn from comment #19)
> # enable Core Updates Testing
> /bin/sudo urpmi.update --no-ignore CUTesting
>
> # Thank you Thomas, I will check:
> # lib64dns1105-9.11.6-1.mga7
> # lib64irs161-9.11.6-1.mga7
> # lib64isc1100-9.11.6-1.mga7
> # lib64isccc161-9.11.6-1.mga7
> # lib64isccfg163-9.11.6-1.mga7
> # lib64lwres161-9.11.6-1.mga7
>
> All get updated to 9.11.6-1.1.
>
> And try again
> # install libraries identified for BIND 9.11.6-1.1
>
> /bin/sudo urpmi lib64dns1105 lib64irs161 lib64isc1100 lib64isccc161
> lib64isccfg163 lib64lwres161
>
> [mpb@nameserver2 ~]$ /bin/sudo urpmi lib64dns1105 lib64irs161 lib64isc1100
> lib64isccc161 lib64isccfg163 lib64lwres161
> [sudo] password for mpb:
> Packages lib64irs161-9.11.6-1.mga7.x86_64,
> lib64isccfg163-9.11.6-1.mga7.x86_64, lib64isc1100-9.11.6-1.mga7.x86_64,
> lib64isccc161-9.11.6-1.mga7.x86_64, lib64lwres161-9.11.6-1.mga7.x86_64,
> lib64dns1105-9.11.6-1.mga7.x86_64 are already installed
> Marking lib64irs161 as manually installed, it won't be auto-orphaned
> Marking lib64isccfg163 as manually installed, it won't be auto-orphaned
> Marking lib64isc1100 as manually installed, it won't be auto-orphaned
> Marking lib64isccc161 as manually installed, it won't be auto-orphaned
> Marking lib64lwres161 as manually installed, it won't be auto-orphaned
> Marking lib64dns1105 as manually installed, it won't be auto-orphaned
> writing /var/lib/rpm/installed-through-deps.list
>
> # verify all BIND 9.11.6-1 updates installed:
>
> [mpb@nameserver2 ~]$ rpm -qa |grep 9.11.6-1 |sort
> bind-9.11.6-1.1.mga7
> bind-dnssec-utils-9.11.6-1.1.mga7
> bind-utils-9.11.6-1.1.mga7
> lib64bind9_161-9.11.6-1.1.mga7
> lib64dns1105-9.11.6-1.mga7
> lib64irs161-9.11.6-1.mga7
> lib64isc1100-9.11.6-1.mga7
> lib64isccc161-9.11.6-1.mga7
> lib64isccfg163-9.11.6-1.mga7
> lib64lwres161-9.11.6-1.mga7
> python3-bind-9.11.6-1.1.mga7
>
Something went wrong here.... seems your media is not up to date...
All those libs should have "*-1.1.mga7" to get it to work... Otherwise you get the missing symbols that make bind fail to start...

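The mismatch described in the comment above (a `named` binary at 9.11.6-1.1 loading libraries still at 9.11.6-1) can be caught before a restart by grouping installed packages by source RPM instead of by name, since `rpm -qa | grep bind` does not match library packages such as `lib64dns1105`. The script below is an added example, not part of the bug report or of Mageia's packaging; the function name `find_stale_subpackages` and the sample rows are constructed for illustration, modelled on the package lists in this thread.

```shell
#!/bin/sh
# Added example: detect a partially applied update, where subpackages built
# from one source RPM are installed at different version-release values.

# find_stale_subpackages SRCNAME   (hypothetical helper name)
#   stdin : lines of "NAME VERSION-RELEASE SOURCERPM", as printed by
#           rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{SOURCERPM}\n'
#   stdout: "NAME INSTALLED EXPECTED" for every sibling that differs from
#           the package named SRCNAME (the one that ships the daemon)
#   return: 0 = consistent, 1 = mismatch found, 2 = SRCNAME not installed
find_stale_subpackages() {
    _rc=0
    _out=$(awk -v src="$1" '
        {
            # SOURCERPM is SRCNAME-VERSION-RELEASE.src.rpm; drop the last two
            # dash-separated fields to recover the source package name.
            n = split($3, part, "-")
            if (n < 3) next
            name = part[1]
            for (i = 2; i <= n - 2; i++) name = name "-" part[i]
            if (name != src) next
            vr[$1] = $2
            if ($1 == src) want = $2
        }
        END {
            if (want == "") exit 2
            bad = 0
            for (p in vr) if (vr[p] != want) { print p, vr[p], want; bad = 1 }
            exit bad
        }') || _rc=$?
    if [ -n "$_out" ]; then printf '%s\n' "$_out" | LC_ALL=C sort; fi
    return "$_rc"
}

# Constructed sample modelled on the package state reported in this thread:
# daemon and tools at 9.11.6-1.1, six libraries left at 9.11.6-1, plus one
# unrelated package whose name happens to contain "bind".
sample_rows() {
    cat <<'EOF'
bind 9.11.6-1.1.mga7 bind-9.11.6-1.1.mga7.src.rpm
bind-dnssec-utils 9.11.6-1.1.mga7 bind-9.11.6-1.1.mga7.src.rpm
bind-utils 9.11.6-1.1.mga7 bind-9.11.6-1.1.mga7.src.rpm
lib64bind9_161 9.11.6-1.1.mga7 bind-9.11.6-1.1.mga7.src.rpm
python3-bind 9.11.6-1.1.mga7 bind-9.11.6-1.1.mga7.src.rpm
lib64dns1105 9.11.6-1.mga7 bind-9.11.6-1.mga7.src.rpm
lib64irs161 9.11.6-1.mga7 bind-9.11.6-1.mga7.src.rpm
lib64isc1100 9.11.6-1.mga7 bind-9.11.6-1.mga7.src.rpm
lib64isccc161 9.11.6-1.mga7 bind-9.11.6-1.mga7.src.rpm
lib64isccfg163 9.11.6-1.mga7 bind-9.11.6-1.mga7.src.rpm
lib64lwres161 9.11.6-1.mga7 bind-9.11.6-1.mga7.src.rpm
rpcbind 1.2.5-1.mga7 rpcbind-1.2.5-1.mga7.src.rpm
EOF
}

# Demo on the constructed rows; on a live host pipe the rpm query in instead.
sample_rows | find_stale_subpackages bind ||
    echo "inconsistent bind package set (status $?)"
```

A status of 1 before restarting `named` means some siblings of the daemon package were left at the old release; the listed packages are the ones to update from the same medium.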
Thank you Thomas, I checked again for any missing 9.11.6-1.1 packages:

[mpb@nameserver2 ~]$ rpm -qa | sort | grep 9.11.6-1 | grep -v 1.1
lib64dns1105-9.11.6-1.mga7
lib64isc1100-9.11.6-1.mga7
lib64isccfg163-9.11.6-1.mga7

#Update to 1.1 these: lib64dns1105 lib64isc1100 lib64isccfg163
[mpb@nameserver2 ~]$ /bin/sudo urpmi lib64dns1105 lib64isc1100 lib64isccfg163
www.mirrorservice.org::mageia.org/pub/mageia/distrib/7/x86_64/media/core/updates_testing/lib64dns1105-9.11.6-1.1.mga7.x86_64.rpm
www.mirrorservice.org::mageia.org/pub/mageia/distrib/7/x86_64/media/core/updates_testing/lib64isc1100-9.11.6-1.1.mga7.x86_64.rpm
www.mirrorservice.org::mageia.org/pub/mageia/distrib/7/x86_64/media/core/updates_testing/lib64isccfg163-9.11.6-1.1.mga7.x86_64.rpm
installing lib64dns1105-9.11.6-1.1.mga7.x86_64.rpm lib64isc1100-9.11.6-1.1.mga7.x86_64.rpm lib64isccfg163-9.11.6-1.1.mga7.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...
1/3: lib64isc1100
2/3: lib64dns1105
3/3: lib64isccfg163
1/3: removing lib64isccfg163-9.11.6-1.mga7.x86_64
2/3: removing lib64dns1105-9.11.6-1.mga7.x86_64
3/3: removing lib64isc1100-9.11.6-1.mga7.x86_64

# check again for any missing 1.1 packages:
[mpb@nameserver2 ~]$ rpm -qa | sort | grep 9.11.6-1 | grep -v 1.1

# start BIND named and display status
[mpb@nameserver2 ~]$ /bin/sudo systemctl start named.service && systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-10-08 16:43:56 BST; 62ms ago
  Process: 15162 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; f>
  Process: 15165 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 15166 (named)
   Memory: 55.2M
   CGroup: /system.slice/named.service
           └─15166 /usr/sbin/named -u named -c /etc/named.conf
Oct 08 16:43:55 nameserver2.home named[15166]: 08-Oct-2019 16:43:55.937 general: info: zone 0.0.10.in-addr.arpa/IN: loaded serial 43
Oct 08 16:43:55 nameserver2.home named[15166]: 08-Oct-2019 16:43:55.956 general: info: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 08 16:43:55 nameserver2.home named[15166]: 08-Oct-2019 16:43:55.960 general: info: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Oct 08 16:43:55 nameserver2.home named[15166]: 08-Oct-2019 16:43:55.974 general: info: zone localhost.localdomain/IN: loaded serial 0
Oct 08 16:43:55 nameserver2.home named[15166]: 08-Oct-2019 16:43:55.977 general: info: zone localhost/IN: loaded serial 0
Oct 08 16:43:55 nameserver2.home named[15166]: 08-Oct-2019 16:43:55.994 general: info: zone 101.168.192.in-addr.arpa/IN: loaded serial 83
Oct 08 16:43:56 nameserver2.home named[15166]: 08-Oct-2019 16:43:56.000 general: info: zone home/IN: loaded serial 101
Oct 08 16:43:56 nameserver2.home named[15166]: 08-Oct-2019 16:43:56.000 general: notice: all zones loaded
Oct 08 16:43:56 nameserver2.home named[15166]: 08-Oct-2019 16:43:56.001 general: notice: running
Oct 08 16:43:56 nameserver2.home systemd[1]: Started Berkeley Internet Name Domain (DNS).

# Verify BIND named running status:
[mpb@nameserver2 ~]$ /bin/sudo rndc status
version: BIND 9.11.6Mageia-1.1.mga7 (Extended Support Version) <id:f4bd4ca>
running on nameserver2.home: Linux x86_64 5.3.2-desktop-1.mga7 #1 SMP Wed Oct 2 05:37:47 UTC 2019
boot time: Tue, 08 Oct 2019 15:43:55 GMT
last configured: Tue, 08 Oct 2019 15:43:55 GMT
configuration file: /etc/named.conf
CPUs found: 2
worker threads: 2
UDP listeners per interface: 1
number of zones: 106 (97 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/900/1000
tcp clients: 3/150
server is up and running

9.11.6-1.1 seems to be working fine.
I have querylog set on. So, when I query "www.acm.org" on loopback, due to the way I have BIND logging configured I can see the query handled in the log.
from: /var/log/named/query.log
08-Oct-2019 17:18:03.035 client @0x7f4c60042be0 127.0.0.1#45173 (www.acm.org): query: www.acm.org IN A + (127.0.0.1)
08-Oct-2019 17:18:03.039 client @0x7f4c60042be0 127.0.0.1#47835 (acm.hosting.csnl.onehippo.com): query: acm.hosting.csnl.onehippo.com IN AAAA + (127.0.0.1)
08-Oct-2019 17:18:03.041 client @0x7f4c60042be0 127.0.0.1#41407 (acm.hosting.csnl.onehippo.com): query: acm.hosting.csnl.onehippo.com IN MX + (127.0.0.1)
If there are any specific tests to run to verify the update from 9.11.6-1 to 9.11.6-1.1, please share.

Switched to running the 9.11.6-1.1 updated BIND named as my main DNS nameserver. Seems to be stable and working fine. Searched for but found very little regarding the 9.11.6-1.1 specific update to test the new BIND code. Any 9.11.6-1.1 testing suggestions welcome.
MGA7-64 Plasma on Lenovo B50. First step: this laptop is a rather default network client, but its first DNS server points to my desktop PC which runs as a local DNS server. Used nslookup and ping commands before any update: all OK. Checked what DNS packages are present now: found bind-utils and lib64bind9_161, updated those, and tested again nslookup and ping, all OK. Continuing by setting up DNS server.
CC: (none) => herman.viaene
Installed rest of the updates, used MCC wizard to populate DNS server with two addresses to control, then at CLI:
# systemctl -l start named
Job for named.service failed because the control process exited with error code.
See "systemctl status named.service" and "journalctl -xe" for details.
# journalctl -b | grep named
okt 11 10:09:23 mach5.hviaene.thuis kernel: r8169 0000:08:00.0 enp8s0: renamed from eth0
okt 11 10:09:25 mach5.hviaene.thuis kernel: iwlwifi 0000:09:00.0 wlp9s0: renamed from wlan0
okt 11 10:10:10 mach5.hviaene.thuis systemd[1]: systemd-hostnamed.service: Succeeded.
okt 11 10:28:21 mach5.hviaene.thuis useradd[16422]: new group: name=named, GID=968
okt 11 10:28:21 mach5.hviaene.thuis useradd[16422]: new user: name=named, UID=975, GID=968, home=/var/named, shell=/bin/false
okt 11 10:33:17 mach5.hviaene.thuis systemd[1]: named-setup-rndc.service: Succeeded.
okt 11 10:33:18 mach5.hviaene.thuis named[28791]: /usr/sbin/named: symbol lookup error: /usr/sbin/named: undefined symbol: isc_quota_force
Googled on this error, found refs to incorrect bind-libs, which does not make me any wiser.
But as above:
# rpm -qa | sort | grep 9.11.6-1 | grep -v 1.1
lib64dns1105-9.11.6-1.mga7
lib64isc1100-9.11.6-1.mga7
lib64isccfg163-9.11.6-1.mga7
Installing those, checking DNS settings now.
Remark: I have been setting up DNS since MGA4 at least, and doing updates on it, but I can't remember having to select these packages manually.

"There is something rotten in ....."
When I start named either from MCC or from
# systemctl -l start named
I get from:
# systemctl -l status named
the lines
   CGroup: /system.slice/named.service
           └─9814 /usr/sbin/named -u named -c /etc/named.conf
and
# ls -als /etc/named*
4 -rw-r--r-- 1 root root 621 jul 8 23:09 /etc/named-chroot.files
4 -rw-r--r-- 1 root root 1851 jul 8 23:09 /etc/named.conf
4 -rw-r--r-- 1 root root 1029 jul 8 23:09 /etc/named.rfc1912.zones
4 -rw-r--r-- 1 root root 1070 jul 8 23:09 /etc/named.root.key
shows these are real files, not links
but configuring DNS from Webmin makes edits to /var/lib/named, the chrooted environment, which has always worked up to now. But as it stands now, the bind does not work calling it from nslookup or ping.
Found and tried named-chroot, so
# systemctl -l stop named
# systemctl -l start named-chroot
# systemctl -l status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-10-11 11:47:22 CEST; 4s ago
  Process: 4213 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z >
  Process: 4218 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 4220 (named)
   Memory: 56.7M
   CGroup: /system.slice/named-chroot.service
           └─4220 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
So this still points to /etc/named.conf i.s.o. /var/lib/named/named.conf and consequently name resolution does not work.

Have not yet found a way to test the race condition that the BIND update from 9.11.6-1 to 9.11.6-1.1 addresses. Ideas?
My test of BIND named 9.11.6-1.1 on Mageia7 is stable and working fine doing DNS resolution for all my local systems.

[root@nameserver2 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-10-08 16:43:56 BST; 3 days ago
  Process: 15162 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
  Process: 15165 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 15166 (named)
   Memory: 186.9M
   CGroup: /system.slice/named.service
           └─15166 /usr/sbin/named -u named -c /etc/named.conf
Oct 08 16:43:56 nameserver2.home named[15166]: 08-Oct-2019 16:43:56.762 resolver: info: resolver priming query complete
Oct 09 16:43:55 nameserver2.home named[15166]: 09-Oct-2019 16:43:55.744 general: info: _default: sending trust-anchor-telemetry query '_ta-4f66/NULL'
Oct 09 16:43:56 nameserver2.home named[15166]: 09-Oct-2019 16:43:56.794 general: info: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Oct 10 16:43:55 nameserver2.home named[15166]: 10-Oct-2019 16:43:55.744 general: info: _default: sending trust-anchor-telemetry query '_ta-4f66/NULL'
Oct 10 16:43:56 nameserver2.home named[15166]: 10-Oct-2019 16:43:56.972 general: info: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Oct 11 16:43:55 nameserver2.home named[15166]: 11-Oct-2019 16:43:55.744 general: info: _default: sending trust-anchor-telemetry query '_ta-4f66/NULL'
Oct 11 16:43:57 nameserver2.home named[15166]: 11-Oct-2019 16:43:57.139 general: info: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted

To address the point that Claire made earlier, we can check what process is listening on the domain name server ports 53/tcp and 53/udp as follows:

[mpb@nameserver2 ~]$ /bin/sudo lsof -i :53
COMMAND   PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
named   15166 named  21u  IPv6  43975      0t0  TCP *:domain (LISTEN)
named   15166 named  22u  IPv4  43979      0t0  TCP localhost:domain (LISTEN)
named   15166 named  23u  IPv4  43981      0t0  TCP nameserver2.home:domain (LISTEN)
named   15166 named 512u  IPv6  45110      0t0  UDP *:domain
named   15166 named 513u  IPv4  43978      0t0  UDP localhost:domain
named   15166 named 514u  IPv4  43980      0t0  UDP nameserver2.home:domain

Then check what is (in this case) PID=15166:

[mpb@nameserver ~]$ ps -ef | grep 15166
named 2224 1 0 Oct07 ? 00:02:53 /usr/sbin/named -u named -c /etc/named.conf
mpb 29479 3301 0 17:01 pts/0 00:00:00 grep --color 2224

# Identify which rpm package and version /usr/bin/named is from:
[mpb@nameserver2 ~]$ rpm -q --whatprovides /usr/sbin/named
bind-9.11.6-1.1.mga7

So, for sure, no dnsmasq here. :-)

Just noticed my copy&paste error in comment 29 (above):

[mpb@nameserver ~]$ ps -ef | grep 15166
named     2224     1  0 Oct07 ?        00:02:53 /usr/sbin/named -u named -c /etc/named.conf
mpb      29479  3301  0 17:01 pts/0    00:00:00 grep --color 2224

should be:

[mpb@nameserver2 ~]$ ps -ef | grep 15166
named    15166     1  0 Oct08 ?        00:01:06 /usr/sbin/named -u named -c /etc/named.conf
mpb      32007 27458  0 20:18 pts/0    00:00:00 grep --color 15166
I consider this configuration in MGA7 less than desirable (to say the least). Check this:

In MGA7 (see Comments 28 and 29):
CGroup: /system.slice/named.service
        └─15166 /usr/sbin/named -u named -c /etc/named.conf

In MGA6 on my desktop:
CGroup: /system.slice/named.service
        └─22229 /usr/sbin/named -u named -t /var/lib/named

which means that - as is recommended - DNS bind runs in its own environment. And I am pretty sure I did not do any changes to the paths of the bind installation in MGA6. So as this bind package stands, it is to me not acceptable, unless configuration changes are applied, which should not be necessary in the first place.
Hello Herman, there is a separate "bind-chroot" rpm available in mga7:

$ urpmq -i bind-chroot
Name        : bind-chroot
Version     : 9.11.6
Release     : 1.mga7
Group       : System/Servers
Size        : 4517
Architecture: x86_64
Source RPM  : bind-9.11.6-1.mga7.src.rpm
URL         : http://www.isc.org/products/BIND/
Summary     : A chroot runtime environment for the ISC BIND DNS server, named(8)
Description :
This package contains a tree of files which can be used as a chroot(2) jail for the named(8) program from the BIND package. Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
@ Paul, Please read my comment 28 at the end, the bind-chroot still points to the /etc/named.conf and from there it never finds the proper zone files.
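An added example (not from the thread or from the Mageia package): the two named command lines compared in comment 31 differ in `-t`, and with `-t` named chroots before it reads its configuration, so an absolute `-c` path is looked up inside the jail. The function name and the default configuration path are assumptions of this example.

```shell
#!/bin/sh
# Summarise the confinement options on a named command line.
# Prints: setuid=<user|none> chroot=<dir|none> config=<path on the host>
named_jail_summary() (
    user=""                 # no -u: named keeps the identity it started with
    jail=""                 # no -t: named sees the host filesystem
    conf="/etc/named.conf"  # assumed default, the path shown in this thread
    set -f                  # no globbing while the string is split into words
    set -- $1
    if [ $# -gt 0 ]; then shift; fi   # drop the path of the binary
    while [ $# -gt 0 ]; do
        opt=""; val=""
        case "$1" in
            -u|-t|-c)       opt=$1; val=${2-}; shift ;;     # "-t dir"
            -u?*|-t?*|-c?*) val=${1#-?}; opt=${1%"$val"} ;; # "-tdir"
        esac
        case "$opt" in
            -u) user=$val ;;
            -t) jail=${val%/} ;;
            -c) conf=$val ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    # With -t, an absolute -c path is looked up inside the jail.
    case "$conf" in
        /*) host_conf="$jail$conf" ;;
        *)  host_conf="$conf" ;;       # relative path: left as given
    esac
    printf 'setuid=%s chroot=%s config=%s\n' \
        "${user:-none}" "${jail:-none}" "$host_conf"
)

# The two command lines quoted in the comments above (MGA7, then MGA6).
named_jail_summary '/usr/sbin/named -u named -c /etc/named.conf'
named_jail_summary '/usr/sbin/named -u named -t /var/lib/named'
```

On a live host the argument can be taken from `tr '\0' ' ' < /proc/<PID>/cmdline` for the named PID.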
Thanks Herman. My understanding and experience is that many configuration files are in /etc/ by default. Where we locate the actual named.conf is really up to us. I keep my local configuration in local file space to avoid any clash with system installed files. This makes systems management much simpler and well documented.

So on my systems, I have renamed /etc/named.conf as /etc/named.conf.original and then linked /etc/named.conf to /usr/local/etc/named.conf. So on a newly installed system, I only need to establish this link to local config to get things working.

In addition, I have all my named configuration files in a separate partition /usr/local/src/ under appropriate sub directories using source code control and per directory makefiles to manage and track configuration changes and appropriate actions to install (on new) or update existing. For example, I have my own named logging configuration file: logging.conf

BIND's named zone files are defined in the named.conf file. My local named.conf is a modified version of the default named.conf which addresses the configuration I need. So I have zone files for my local (private) domain and subnets. Here is a snippet from my local named.conf where I identify my variations from the default version using the tag #LOCAL:

[root@nameserver2 ~]# nl -ba /etc/named.conf | head -20
     1  //
     2  // named.conf
     3  //
     4  // Provided by Mageia bind package to configure the ISC BIND named(8) DNS
     5  // server as a caching only nameserver (as a localhost DNS resolver only).
     6  //
     7  // See /usr/share/doc/bind*/sample/ for example named configuration files.
     8  //
     9
    10  // #LOCAL local changes (variations from default as-installed version) marked by #LOCAL
    11  // #LOCAL configuration for a private DNS nameserver running in RFC-1918 private subnet
    12  // #LOCAL serving a local DNS domain ".home" and also cacheing DNS server to Internet systems
    13
    14  // Access lists (ACL's) should be defined here // #LOCAL
    15  include "/etc/named/bogon_acl.conf"; // #LOCAL
    16  include "/etc/named/named_trusted_networks_acl.conf"; // #LOCAL
    17
    18  // Define logging channels // #LOCAL
    19  include "/etc/named/logging.conf"; // #LOCAL

Hope this helps.
@ Paul, I've been thru a number of possible settings for bind years ago, so I understand what you are doing there. You can choose this way, nobody should stop you. My point is, and I refer to my Comment 31 on MGA6, that this MGA7 installation needs tinkering - as you did - while in MGA6 there was no need for that. The installation of bind and the setup of DNS in MCC and in webmin all pointed to the chrooted environment in /var/lib/named CONSISTENTLY. If you - or anyone else for that matter - is changing this setup, I would expect that we end up with a consistent situation, not one where users need to replace the configuration file by links to whatever place and/or change refs in the configuration file to the zone files and/or copy zone files from one folder to another.
I have been running bind-9.11.6-1.1.mga7 update for a week as nameserver in local network. So far, named is stable and no problems have been observed. The only thing I am not yet able to test is the specific update (from 9.11.6-1 to 9.11.6-1.1) for the race condition issue identified in the ISC advisory: https://kb.isc.org/docs/cve-2019-6471 "Description: A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c." Any ideas or suggestions to test for the race condition are welcome.
Unless you can find a PoC for the race condition, don't worry about it.
Hello, A user encountered a conflict during 6->7 upgrade: bind-9.11.6-1.mga7.x86_64 (en raison de conflit avec dnsmasq-2.80-5.mga7.x86_64). Will this conflict go away with this update?
CC: (none) => yves.brungard_mageia
Those packages are supposed to conflict. They shouldn't have both installed.
Well, that was actually a broken conflict at least in older mageia releases as some of the libvirt/qemu stuff required dnsmasq even if you did not need to use it... I know, since I hit it on infra and had to force the install of bind even if dnsmasq was also installed... The conflict is artificial as there is no file conflict, it only conflicts if both services are *running*... on at least mga7 the dep on dnsmasq is gone so one can have virt/qemu stuff installed along with bind
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0299.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED