################################################################################
#
# bind
#
################################################################################
# Upstream release to build. The same value names the tarball below and the
# download directory in BIND_SITE, so a bump only changes this one line.
# Security fixes arrive as version bumps: re-check BIND_IGNORE_CVES whenever
# this value changes.
BIND_VERSION = 9.16.26
BIND_SOURCE = bind-$(BIND_VERSION).tar.xz
package/bind: security bump to version 9.11.5-P4
Fixes the following security issues:
- named could crash during recursive processing of DNAME records when
deny-answer-aliases was in use. This flaw is disclosed in CVE-2018-5740.
[GL #387]
- When recursion is enabled but the allow-recursion and allow-query-cache
ACLs are not specified, they should be limited to local networks, but they
were inadvertently set to match the default allow-query, thus allowing
remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
- Code change #4964, intended to prevent double signatures when deleting an
inactive zone DNSKEY in some situations, introduced a new problem during
zone processing in which some delegation glue RRsets are incorrectly
identified as needing RRSIGs, which are then created for them using the
current active ZSK for the zone. In some, but not all cases, the
newly-signed RRsets are added to the zone's NSEC/NSEC3 chain, but
incompletely -- this can result in a broken chain, affecting validation of
proof of nonexistence for records in the zone. [GL #771]
- named could crash if it managed a DNSSEC security root with managed-keys
and the authoritative zone rolled the key to an algorithm not supported by
BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
- named leaked memory when processing a request with multiple Key Tag EDNS
options present. ISC would like to thank Toshifumi Sakaguchi for bringing
this to our attention. This flaw is disclosed in CVE-2018-5744. [GL
#772]
- Zone transfer controls for writable DLZ zones were not effective as the
allowzonexfr method was not being called for such zones. This flaw is
disclosed in CVE-2019-6465. [GL #790]
For more details, see the release notes:
http://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html
Change the upstream URL to HTTPS as the webserver uses HSTS:
>>> bind 9.11.5-P4 Downloading
URL transformed to HTTPS due to an HSTS policy
Update the hash of the license file to account for a change of copyright
year:
-Copyright (C) 1996-2018 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2019 Internet Systems Consortium, Inc. ("ISC")
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
# Tarballs are fetched over HTTPS from the ISC server, from the directory
# named after the release.
# NOTE(review): HTTPS only protects the transfer; tarball integrity presumably
# rests on the package's hash file, which is not shown here.
BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)

# Licence metadata: identifier and the file in the source tree that carries it.
BIND_LICENSE = MPL-2.0
BIND_LICENSE_FILES = COPYRIGHT

# CPE vendor string for this package.
# NOTE(review): presumably used to match the package against CVE feeds.
BIND_CPE_ID_VENDOR = isc
BIND_SELINUX_MODULES = bind

BIND_INSTALL_STAGING = YES

# bind does not support parallel builds, so use the single-job make.
BIND_MAKE = $(MAKE1)
# CVEs deliberately ignored for this package, with the reason for each:
#   CVE-2017-3139  only applies to RHEL6.x with DNSSEC validation on
#   CVE-2019-6470  library CVE, not used by bind but used by ISC DHCP
# NOTE(review): an entry here keeps the CVE out of vulnerability reports for
# this package, so re-confirm each justification on every version bump.
BIND_IGNORE_CVES = \
	CVE-2017-3139 \
	CVE-2019-6470
# Programs under $(TARGET_DIR)/usr/sbin that make up the server side of the
# package. BIND_TARGET_REMOVE_SERVER deletes exactly this list when the
# server is not selected, so anything missing from it stays on the target.
BIND_TARGET_SERVER_SBIN = \
	arpaname ddns-confgen dnssec-checkds dnssec-coverage \
	dnssec-importkey dnssec-keygen dnssec-revoke \
	dnssec-settime dnssec-verify genrandom \
	isc-hmac-fixup named-journalprint nsec3hash \
	lwresd named named-checkconf named-checkzone \
	named-compilezone rndc rndc-confgen dnssec-dsfromkey \
	dnssec-keyfromlabel dnssec-signzone tsig-keygen

# Client tools under $(TARGET_DIR)/usr/bin; BIND_TARGET_REMOVE_TOOLS deletes
# this list when the tools option is not selected.
BIND_TARGET_TOOLS_BIN = \
	dig host nslookup nsupdate
# Environment for configure: its BUILD_CC / BUILD_CFLAGS variables are set to
# the target compiler and the target compiler flags.
BIND_CONF_ENV = BUILD_CC="$(TARGET_CC)"
BIND_CONF_ENV += BUILD_CFLAGS="$(TARGET_CFLAGS)"
# Baseline configure options; the optional-package sections further down
# append to this list.

# Threading follows the toolchain's thread support.
BIND_CONF_OPTS = $(if $(BR2_TOOLCHAIN_HAS_THREADS),--enable-threads,--disable-threads)
# LMDB and json-c integration are always switched off.
BIND_CONF_OPTS += --without-lmdb
BIND_CONF_OPTS += --with-json-c=no
# Random device is pinned to /dev/urandom rather than left to detection.
BIND_CONF_OPTS += --with-randomdev=/dev/urandom
BIND_CONF_OPTS += --enable-epoll
BIND_CONF_OPTS += --enable-filter-aaaa
BIND_CONF_OPTS += --disable-backtrace
# The dependency list starts with libuv; later sections append to it.
BIND_DEPENDENCIES = libuv

# zlib support follows the zlib package selection.
# NOTE(review): zlib is appended twice in the enabled branch (once alone, once
# together with host-pkgconf); the first append looks redundant, so confirm
# and drop it.
ifeq ($(BR2_PACKAGE_ZLIB),y)
BIND_DEPENDENCIES += zlib
BIND_DEPENDENCIES += host-pkgconf zlib
BIND_CONF_OPTS += --with-zlib
else
BIND_CONF_OPTS += --without-zlib
endif
# Linux capability support is compiled in only when libcap is selected;
# otherwise it is explicitly disabled.
# NOTE(review): named presumably relies on capabilities when giving up root
# privileges, so server images should normally select libcap. Confirm what
# the daemon does at start-up when this is disabled.
ifeq ($(BR2_PACKAGE_LIBCAP),y)
BIND_DEPENDENCIES += libcap
BIND_CONF_OPTS += --enable-linux-caps
else
BIND_CONF_OPTS += --disable-linux-caps
endif
# GSSAPI support is built only when libkrb5 is selected. configure is pointed
# at the krb5-config in the staging tree, not one found on the build host.
ifeq ($(BR2_PACKAGE_LIBKRB5),y)
BIND_DEPENDENCIES += libkrb5
BIND_CONF_OPTS += --with-gssapi=$(STAGING_DIR)/usr/bin/krb5-config
else
BIND_CONF_OPTS += --with-gssapi=no
endif
# libxml2 support follows the libxml2 package selection and is located
# through the staging tree.
ifeq ($(BR2_PACKAGE_LIBXML2),y)
BIND_DEPENDENCIES += libxml2
BIND_CONF_OPTS += --with-libxml2=$(STAGING_DIR)/usr
else
BIND_CONF_OPTS += --with-libxml2=no
endif
# OpenSSL is an unconditional dependency. host-pkgconf is listed with it
# because the LIBS value below is produced by the host pkg-config binary.
BIND_DEPENDENCIES += host-pkgconf openssl

# Crypto is taken from the staging tree's OpenSSL. ECDSA and AES are on and
# EdDSA is off.
# NOTE(review): --with-eddsa=no presumably leaves the EdDSA DNSSEC algorithms
# unavailable in this build, so confirm that is still intended.
BIND_CONF_OPTS += --with-openssl=$(STAGING_DIR)/usr
BIND_CONF_OPTS += --with-ecdsa=yes
BIND_CONF_OPTS += --with-eddsa=no
BIND_CONF_OPTS += --with-aes=yes

# The backticks are left for the shell, so pkg-config is queried when the
# configure environment is evaluated, not when this file is parsed.
BIND_CONF_ENV += LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
# GOST cipher support requires the OpenSSL extra engines, so it simply tracks
# that option.
# NOTE(review): GOST is not opt-in here; it is enabled whenever the engines
# are selected for any reason. Confirm it is wanted on the target.
ifeq ($(BR2_PACKAGE_OPENSSL_ENGINES),y)
BIND_CONF_OPTS += --with-gost=yes
else
BIND_CONF_OPTS += --with-gost=no
endif
# Python support is used by dnssec-keymgr and is enabled only when python-ply
# is selected. The interpreter handed to configure is the one in the host
# tree.
ifeq ($(BR2_PACKAGE_PYTHON_PLY),y)
BIND_CONF_OPTS += --with-python=$(HOST_DIR)/usr/bin/python
BIND_DEPENDENCIES += host-python-ply
else
BIND_CONF_OPTS += --with-python=no
endif
# readline: when the package is selected it is only added as a dependency and
# no configure flag is passed. When it is not selected, readline is
# explicitly turned off.
ifeq ($(BR2_PACKAGE_READLINE),y)
BIND_DEPENDENCIES += readline
else
BIND_CONF_OPTS += --with-readline=no
endif
# Static-only builds turn off dlopen and libtool; every other build enables
# both.
ifeq ($(BR2_STATIC_LIBS),y)
BIND_CONF_OPTS += --without-dlopen
BIND_CONF_OPTS += --without-libtool
else
BIND_CONF_OPTS += --with-dlopen
BIND_CONF_OPTS += --with-libtool
endif
# Hook body: delete every program named in BIND_TARGET_SERVER_SBIN from the
# target's /usr/sbin. Each path is prefixed with $(TARGET_DIR), so only the
# target tree is touched. Registered as a post-install hook when the server
# option is off.
define BIND_TARGET_REMOVE_SERVER
	rm -rf $(addprefix $(TARGET_DIR)/usr/sbin/, $(BIND_TARGET_SERVER_SBIN))
endef
# Hook body: delete every program named in BIND_TARGET_TOOLS_BIN from the
# target's /usr/bin. Each path is prefixed with $(TARGET_DIR), so only the
# target tree is touched. Registered as a post-install hook when the tools
# option is off.
define BIND_TARGET_REMOVE_TOOLS
	rm -rf $(addprefix $(TARGET_DIR)/usr/bin/, $(BIND_TARGET_TOOLS_BIN))
endef
# Server selected: define the init-system install steps for named.
#   SysV    -> S81named in /etc/init.d, mode 0755
#   systemd -> named.service in /usr/lib/systemd/system, mode 644
# Server not selected: register the hook that removes the server programs
# after installation, so they do not ship on the target.
ifeq ($(BR2_PACKAGE_BIND_SERVER),y)
define BIND_INSTALL_INIT_SYSV
	$(INSTALL) -m 0755 -D $(BIND_PKGDIR)/S81named \
		$(TARGET_DIR)/etc/init.d/S81named
endef
define BIND_INSTALL_INIT_SYSTEMD
	$(INSTALL) -D -m 644 $(BIND_PKGDIR)/named.service \
		$(TARGET_DIR)/usr/lib/systemd/system/named.service
endef
else
BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_SERVER
endif
# Tools option empty (not selected): register the hook that removes the
# client tools after installation.
ifeq ($(BR2_PACKAGE_BIND_TOOLS),)
BIND_POST_INSTALL_TARGET_HOOKS += BIND_TARGET_REMOVE_TOOLS
endif
# Dedicated account for the daemon. The fields appear to follow Buildroot's
# users-table layout:
#   username uid group gid password home shell groups comment
# As written, uid and gid are -1, the password field is "*", the home is
# /etc/bind, the shell and extra groups are "-", and the comment is
# "BIND daemon".
# NOTE(review): "*" presumably disables password login and -1 lets the ids be
# auto-assigned. Confirm against the users-table documentation.
# NOTE(review): with /etc/bind as the home directory it presumably ends up
# owned by named. Confirm the daemon really needs write access to its
# configuration directory.
define BIND_USERS
	named -1 named -1 * /etc/bind - - BIND daemon
endef
# Hand the BIND_* variables defined in this file to the autotools package
# infrastructure. This must remain the last statement of the file.
$(eval $(autotools-package))