EdDSA support is optional and currently defaults to being disabled.
The following security issues are addressed with this update:
* An error in TSIG handling could permit unauthorized zone transfers
or zone updates. These flaws are disclosed in CVE-2017-3142 and
CVE-2017-3143.
* The BIND installer on Windows used an unquoted service path, which
can enable privilege escalation. This flaw is disclosed in
CVE-2017-3141.
* With certain RPZ configurations, a response with TTL 0 could cause
named to go into an infinite query loop. This flaw is disclosed in
CVE-2017-3140.
* Addresses could be referenced after being freed during resolver
processing, causing an assertion failure. The chances of this
happening were remote, but the introduction of a delay in
resolution increased them. This bug is disclosed in CVE-2017-3145.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
format. Building with libjson support will require the
libxml2 package to be installed as well.
+config BIND_ENABLE_EDDSA
+ bool
+ default n
+ prompt "Include Edwards Curve DNSSEC signature support"
+ help
+ Enable BIND support for Edwards Curve DNSSEC signing algorithms
+ described in RFC 8080.
+
+ Note that this requires OpenSSL 1.1, which is not currently
+ the available in OpenWRT, so it is disabled by default.
endif
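Review bot: The new BIND_ENABLE_EDDSA symbol records the OpenSSL 1.1 requirement only in its help text, so a user who turns it on against an OpenSSL build without EdDSA support presumably hits a configure-time failure from `--with-eddsa=yes` rather than a Kconfig refusal; if the tree exposes a symbol for the OpenSSL version or its EdDSA capability, a `depends on` line under `bool` would make that constraint enforceable instead of advisory. The help text also carries a stray word: `the available in OpenWRT` should read `available in OpenWrt`. No hunk or file header is visible for this section, so I am taking it as the Config.in hunk from its content alone.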
include $(TOPDIR)/rules.mk
PKG_NAME:=bind
-PKG_VERSION:=9.11.2-P1
+PKG_VERSION:=9.11.3
PKG_RELEASE:=1
USERID:=bind=57:bind=57
PKG_SOURCE_URL:= \
http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \
http://ftp.isc.org/isc/bind9/$(PKG_VERSION)
-PKG_HASH:=cec31548832fca3f85d95178d4019b7d702039e8595d4c93914feba337df1212
+PKG_HASH:=0d9dde14b2ec7f9cdc3b69f19540c7a2e4eee7b6c727965dfae48810965876f5
PKG_FIXUP:=autoreconf
PKG_REMOVE_FILES:=aclocal.m4 libtool.m4
--with-gost=no \
--with-gssapi=no \
--with-ecdsa=$(if $(CONFIG_OPENSSL_WITH_EC),yes,no) \
+ --with-eddsa=$(if $(CONFIG_BIND_ENABLE_EDDSA),yes,no) \
--with-readline=no \
--sysconfdir=/etc/bind