OVAL

SUSE-SU-2020:2914-1 -- SLES bind, libdns1605, libns1604

ID: oval:org.secpod.oval:def:89002979
Date: (C) 2021-02-25 (M) 2024-01-16
Class: PATCH
Family: unix




This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6.

Note: bind is now stricter with regard to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a nameserver forwarder chain, the forwarding DNS servers must support DNSSEC.

Security issues fixed:
- CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server address records are limited to 4 for any domain.
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure.
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit.
- CVE-2018-5741: Fixed the documentation.
- CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer.
- CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference with a particular zone content and query patterns.
- CVE-2020-8624: "update-policy" rules of type "subdomain" were incorrectly treated as "zonesub" rules, which allowed keys used in "subdomain" rules to update names outside of the specified subdomains. The problem was fixed by making sure "subdomain" rules are again processed as described in the ARM.
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet.
- CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled.
- CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message.
- CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request.

Other issues fixed:
- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2.
- Installed the default files in /var/lib/named and created the chroot environment on systems using transactional-updates.
- Fixed an issue where bind was not working in FIPS mode.
- Fixed dependency issues.
- GeoIP support is now discontinued; GeoIP2 is used instead.
- Fixed an issue with FIPS.
- The liblwres library is discontinued upstream and is no longer included.
- Added a service dependency on NTP to make sure the clock is accurate when bind starts.
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of "max-stale-ttl" has been changed from 1 week to 12 hours.
- Zone timers are now exported via the statistics channel.
- The "primary" and "secondary" keywords, when used as parameters for "check-names", were not processed correctly and were being ignored.
- "rndc dnstap -roll <value>" did not limit the number of saved files to <value>.
- Add "rndc dnssec -status" command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being the only member of the "named" group, has full r/w access yet cannot change directories owned by root in the case of a compromised named. [bsc#1173307, bind-chrootenv.conf]
- Added "/etc/bind.keys" to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress the warning message about the missing file.
- Removed "-r /dev/urandom" from all invocations of rndc-confgen, as this option is deprecated and causes rndc-confgen to fail.
- /usr/bin/genDDNSkey: Removed the use of the -r option in the call of /usr/sbin/dnssec-keygen, as BIND now uses the random number functions provided by the crypto library as its source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. The option is left in genDDNSkey so as not to break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums.
- Require /sbin/start_daemon: both init scripts, the one used in the systemd context as well as the legacy sysv one, make use of start_daemon.

Platform:
SUSE Linux Enterprise Server 15
Product:
bind
libdns1605
libns1604
Reference:
SUSE-SU-2020:2914-1
CVE-2017-3136
CVE-2018-5741
CVE-2019-6477
CVE-2020-8616
CVE-2020-8617
CVE-2020-8618
CVE-2020-8619
CVE-2020-8620
CVE-2020-8621
CVE-2020-8622
CVE-2020-8623
CVE-2020-8624
CPE (10):
cpe:/a:isc:bind:9.10.4:p3
cpe:/a:isc:bind:9.10.4:p2
cpe:/o:suse:suse_linux_enterprise_server:15
cpe:/a:isc:bind
...

© SecPod Technologies