The package rpms/bind.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/bind.git/commit/?id=219b0e889f74e....
Change:
-%ifnarch alpha ia64
Thanks.
Full change:
============
commit 32d91f12ca83ef8ec46df091fc0fe72cd05f91d9
Author: Petr Menšík <pemensik(a)redhat.com>
Date: Wed Jan 23 21:15:03 2019 +0100
Made RAND_status check optional (broke --disable-crypto-rand)
Unlike upstream, skip it also for DHCP.
Disable RAND_status also in non-threaded builds. DHCP is built without
threads and should not check RAND_status on dns library initialization.
Lack of entropy is a possible state for dhclient, but it must not fail
even in this case. Because DHCP itself does not require a custom random
generator, leave the default RAND_OpenSSL configured. It should help TLS
connections to LDAP in a single DHCP binary, while keeping secure random
data if needed.
Resolves: #1663318
(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
diff --git a/bind-9.11-rh1663318.patch b/bind-9.11-rh1663318.patch
index 79487b0..1af7efb 100644
--- a/bind-9.11-rh1663318.patch
+++ b/bind-9.11-rh1663318.patch
@@ -1,21 +1,37 @@
-From 48d86dd3d834bcedd0c977d193c36b12e8398b4e Mon Sep 17 00:00:00 2001
-From: Francis Dupont <fdupont(a)isc.org>
-Date: Sun, 17 Sep 2017 12:02:09 +0200
+From b16a1ff25644bb075f454afe68ee63f6f385ca9c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
+Date: Wed, 23 Jan 2019 21:11:07 +0100
Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Unlike upstream, skip it also for DHCP.
+
+Disable RAND_status also in non-threaded builds. DHCP is built without
+threads and should not check RAND_status on dns library initialization.
+Lack of entropy is possible state for dhclient, but it must not fail
+even in this case. Because DHCP itself does not require custom random
+generator, leave default RAND_OpenSSL configured. It should help TLS
+connection to LDAP in single DHCP binary, while keeping secure random
+data if needed.
+
+(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
+
+Signed-off-by: Petr Menk <pemensik(a)redhat.com>
---
lib/dns/openssl_link.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index 91e87d0..3cddaa9 100644
+index 7a233dd..941eb17 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
#endif
#endif /* !defined(OPENSSL_NO_ENGINE) */
-+#ifdef ISC_PLATFORM_CRYPTORANDOM
++#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)
/* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) {
FATAL_ERROR(__FILE__, __LINE__,
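Review bot: in the lib/dns/openssl_link.c hunk, `defined(ISC_PLATFORM_USETHREADS)` is standing in for "this is not the DHCP build", so every non-threaded build of the dns library now skips the `RAND_status() != 1` check, not only dhclient. Consider a dedicated macro that only the DHCP build sets, or at least extend the `/* Protect ourselves against unseeded PRNG */` comment to say why threading gates the check. Where the check is compiled out, an unseeded PRNG is no longer reported at all; logging a warning there instead of calling FATAL_ERROR would keep the condition visible without making dhclient fail.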
diff --git a/bind.spec b/bind.spec
index 421da0d..5b2f349 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
http://www.isc.org/products/BIND/
#
@@ -736,7 +736,6 @@ export LIBDIR_SUFFIX
--without-libjson \
--without-zlib \
--without-dlopen \
- --disable-crypto-rand \
--enable-full-report
## We don't want to build other libs than -export twice
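Review bot: dropping `--disable-crypto-rand` from this configure call couples it to bind-9.11-rh1663318.patch, and nothing in the spec records that. The commit message requires that dhclient must not fail on lack of entropy, which now holds only while that patch keeps the RAND_status check out of non-threaded builds. A short comment next to these configure options naming the patch would make sure a later rebase that drops the patch also revisits this flag.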
@@ -1510,6 +1509,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Wed Jan 23 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-6
+- Reenable crypto rand for DHCP, disable just entropy check (#1663318)
+
* Thu Jan 17 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-5
- Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398)
commit 219b0e889f74ed22e0fa512d501eeba3355a11bf
Author: Petr Menšík <pemensik(a)redhat.com>
Date: Thu Jan 17 13:51:29 2019 +0100
Remove conditional patch for alpha and ia64
It emits a warning just because the architectures are no longer supported
diff --git a/bind.spec b/bind.spec
index 6293ab4..421da0d 100644
--- a/bind.spec
+++ b/bind.spec
@@ -489,9 +489,7 @@ are used for building ISC DHCP.
# Common patches
%patch10 -p1 -b .PIE
%patch16 -p1 -b .redhat_doc
-%ifnarch alpha ia64
%patch72 -p1 -b .64bit
-%endif
%patch102 -p1 -b .rh452060
%patch106 -p1 -b .rh490837
%patch109 -p1 -b .rh478718
commit 2830e00b88ea8bb956e0cdeb6f205fc72741b167
Author: Petr Menšík <pemensik(a)redhat.com>
Date: Thu Jan 17 13:07:46 2019 +0100
Move dnssec related tools to bind-dnssec-utils
Most often clients require just dig or host to look up addresses.
Move dnssec and zone file into a dedicated subpackage. For a limited time,
make bind-utils suggest bind-dnssec-utils, until all dependencies are
resolved. (#1649398)
diff --git a/bind.spec b/bind.spec
index a6357de..6293ab4 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) serv
Name: bind
License: MPLv2.0
Version: 9.11.5
-Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url:
http://www.isc.org/products/BIND/
#
@@ -159,6 +159,7 @@ Provides: dnssec-conf = 1.27-2
Requires(post): policycoreutils-python-utils
Requires(post): libselinux-utils
Requires(post): selinux-policy
+Recommends: bind-utils bind-dnssec-utils
BuildRequires: gcc, make
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
BuildRequires: libidn2-devel, libxml2-devel, GeoIP-devel
@@ -299,9 +300,14 @@ Contains license of the BIND DNS suite.
%package utils
Summary: Utilities for querying DNS name servers
-Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
-Requires: python3-bind = %{epoch}:%{version}-%{release}
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+# TODO: this is just temporary workaround until all packages depending on
+# bind-utils can be satisfied without dnssec-utils
+# It will be removed after some time, or changed to Recommends
+Suggests: bind-dnssec-utils
+# For compatibility with Debian package
+Provides: dnsutils = %{epoch}:%{version}-%{release}
%description utils
Bind-utils contains a collection of utilities for querying DNS (Domain
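Review bot: `Suggests: bind-dnssec-utils` does not provide the compatibility the TODO above it describes, because dnf does not install Suggests by default, so a package that requires bind-utils for one of the moved tools still ends up without it. Recommends, which the comment already names as the later step, is the weak dependency that is installed by default; use it now, or add explicit Requires on bind-dnssec-utils in the dependent packages. Separately, `Provides: dnsutils` is not mentioned in the commit message and deserves its own changelog line.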
@@ -313,6 +319,20 @@ network addresses.
You should install bind-utils if you need to get information from DNS name
servers.
+%package dnssec-utils
+Summary: Utilities for DNSSEC keys and DNS zone files management
+Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
+Recommends: bind-utils
+Requires: python3-bind = %{epoch}:%{version}-%{release}
+
+%description dnssec-utils
+Bind-dnssec-utils contains a collection of utilities for editing
+DNSSEC keys and BIND zone files. These tools provide generation,
+revocation and verification of keys and DNSSEC signatures in zone files.
+
+You should install bind-dnssec-utils if you need to sign a DNS zone
+or maintain keys for it.
+
%if %{with DEVEL}
%package devel
Summary: Header files and libraries needed for BIND DNS development
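Review bot: the new dnssec-utils subpackage has versioned Requires on bind-libs-lite and python3-bind only, while bind-utils, where these tools came from, also required bind-libs. Please confirm that none of the moved binaries use libraries shipped in bind-libs, or add `Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}` so the versions stay locked together. Minor style point: `Recommends: bind-utils` sits between the two Requires lines; listing the hard dependencies first reads better.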
@@ -1254,6 +1274,19 @@ rm -rf ${RPM_BUILD_ROOT}
%{_bindir}/nslookup
%{_bindir}/nsupdate
%{_bindir}/arpaname
+%if %{with DNSTAP}
+%{_bindir}/dnstap-read
+%{_mandir}/man1/dnstap-read.1*
+%endif
+%{_mandir}/man1/host.1*
+%{_mandir}/man1/nsupdate.1*
+%{_mandir}/man1/dig.1*
+%{_mandir}/man1/delv.1*
+%{_mandir}/man1/nslookup.1*
+%{_mandir}/man1/arpaname.1*
+%{_sysconfdir}/trusted-key.key
+
+%files dnssec-utils
%{_sbindir}/ddns-confgen
%{_sbindir}/tsig-keygen
%{_sbindir}/genrandom
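Review bot: placing `%files dnssec-utils` directly above `%{_sbindir}/ddns-confgen` and `%{_sbindir}/tsig-keygen` moves the TSIG key generators into the DNSSEC subpackage, while nsupdate, the tool those keys are typically generated for, stays in bind-utils. Neither the Summary ("Utilities for DNSSEC keys and DNS zone files management") nor the %description mentions TSIG or dynamic updates, so users setting up nsupdate will not find these tools. Either keep the two generators in bind-utils or state in the dnssec-utils description that it also ships them.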
@@ -1268,16 +1301,6 @@ rm -rf ${RPM_BUILD_ROOT}
%if %{with LMDB}
%{_sbindir}/named-nzd2nzf
%endif
-%if %{with DNSTAP}
-%{_bindir}/dnstap-read
-%{_mandir}/man1/dnstap-read.1*
-%endif
-%{_mandir}/man1/host.1*
-%{_mandir}/man1/nsupdate.1*
-%{_mandir}/man1/dig.1*
-%{_mandir}/man1/delv.1*
-%{_mandir}/man1/nslookup.1*
-%{_mandir}/man1/arpaname.1*
%{_mandir}/man8/ddns-confgen.8*
%{_mandir}/man8/tsig-keygen.8*
%{_mandir}/man8/genrandom.8*
@@ -1292,7 +1315,6 @@ rm -rf ${RPM_BUILD_ROOT}
%if %{with LMDB}
%{_mandir}/man8/named-nzd2nzf.8*
%endif
-%{_sysconfdir}/trusted-key.key
%if %{with DEVEL}
%files devel
@@ -1490,6 +1512,9 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Thu Jan 17 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-5
+- Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398)
+
* Wed Jan 16 2019 Petr Menk <pemensik(a)redhat.com> - 32:9.11.5-4
- Reject invalid binary file (#1666814)