diff --git a/.bind.metadata b/.bind.metadata
new file mode 100644
index 0000000..2a4946f
--- /dev/null
+++ b/.bind.metadata
@@ -0,0 +1 @@
+30cbd1f3e9d2d47d653498143334128aac1f8fc0 SOURCES/bind-9.16.23.tar.xz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bed248e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/bind-9.16.23.tar.xz
diff --git a/SOURCES/bind-9.10-dist-native-pkcs11.patch b/SOURCES/bind-9.10-dist-native-pkcs11.patch
new file mode 100644
index 0000000..85ece30
--- /dev/null
+++ b/SOURCES/bind-9.10-dist-native-pkcs11.patch
@@ -0,0 +1,550 @@
+From 040227009453b3f0aa7914c7a6a94dc57ad5269b Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 21 Jan 2021 10:46:20 +0100
+Subject: [PATCH] Enable custom pkcs11 native build
+
+Share common parts like libisc, libcc and others. But provide native
+pkcs11 libraries as a new copy of libdns and libns.
+---
+ bin/Makefile.in | 2 +-
+ bin/confgen/Makefile.in | 2 +-
+ bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++---------------
+ bin/named-pkcs11/Makefile.in | 33 ++++++++++++++-------------
+ configure.ac | 19 ++++++++++++++++
+ lib/Makefile.in | 2 +-
+ lib/dns-pkcs11/Makefile.in | 22 +++++++++---------
+ lib/dns-pkcs11/tests/Makefile.in | 8 +++----
+ lib/ns-pkcs11/Makefile.in | 26 ++++++++++-----------
+ lib/ns-pkcs11/tests/Makefile.in | 12 +++++-----
+ make/includes.in | 7 ++++++
+ 11 files changed, 101 insertions(+), 71 deletions(-)
+
+diff --git a/bin/Makefile.in b/bin/Makefile.in
+index 9ad7f62..094775a 100644
+--- a/bin/Makefile.in
++++ b/bin/Makefile.in
+@@ -11,7 +11,7 @@ srcdir = @srcdir@
+ VPATH = @srcdir@
+ top_srcdir = @top_srcdir@
+
+-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
++SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \
+ @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
+ TARGETS =
+
+diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
+index c126bf3..1b7512d 100644
+--- a/bin/confgen/Makefile.in
++++ b/bin/confgen/Makefile.in
+@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
+ CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+-CDEFINES = @USE_PKCS11@
++CDEFINES =
+ CWARNINGS =
+
+ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
+index ace0e5a..e0f6a00 100644
+--- a/bin/dnssec-pkcs11/Makefile.in
++++ b/bin/dnssec-pkcs11/Makefile.in
+@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
+
+ @BIND9_MAKE_INCLUDES@
+
+-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
++CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+ ${OPENSSL_CFLAGS}
+
+-CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
++CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1
+ CWARNINGS =
+
+-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+
+-DNSDEPLIBS = ../../lib/dns/libdns.@A@
++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+ ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+
+@@ -36,12 +36,15 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+
+ NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+
++# Add suffix to all targets
++EXEEXT = -pkcs11@EXEEXT@
++
+ # Alphabetically
+-TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
+- dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
+- dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
+- dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
+- dnssec-verify@EXEEXT@
++TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \
++ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \
++ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \
++ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \
++ dnssec-verify${EXEEXT}
+
+ OBJS = dnssectool.@O@
+
+@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
+
+ @BIND9_MAKE_RULES@
+
+-dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
++dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
++dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
++dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
++dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+ -c ${srcdir}/dnssec-signzone.c
+
+-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
++dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+ -c ${srcdir}/dnssec-verify.c
+
+-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
++dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
++dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-revoke.@O@ ${OBJS} ${LIBS}
+
+-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
++dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-settime.@O@ ${OBJS} ${LIBS}
+
+-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
++dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-importkey.@O@ ${OBJS} ${LIBS}
+
+diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
+index 98125dd..518a75f 100644
+--- a/bin/named-pkcs11/Makefile.in
++++ b/bin/named-pkcs11/Makefile.in
+@@ -37,13 +37,14 @@ DBDRIVER_LIBS =
+
+ DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
+
+-DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@
+-DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@
+-DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
+-DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
++# Skip building on PKCS11 variant
++DLZDRIVER_OBJS =
++DLZDRIVER_SRCS =
++DLZDRIVER_INCLUDES =
++DLZDRIVER_LIBS =
+
+ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
+- ${NS_INCLUDES} ${DNS_INCLUDES} \
++ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \
+ ${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
+ ${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
+ ${DBDRIVER_INCLUDES} \
+@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
+ ${LIBXML2_CFLAGS} \
+ ${MAXMINDDB_CFLAGS}
+
+-CDEFINES = @CONTRIB_DLZ@
++CDEFINES =
+
+ CWARNINGS =
+
+-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+ ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
+ BIND9LIBS = ../../lib/bind9/libbind9.@A@
+-NSLIBS = ../../lib/ns/libns.@A@
++NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
+
+-DNSDEPLIBS = ../../lib/dns/libdns.@A@
++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
+ ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+-NSDEPLIBS = ../../lib/ns/libns.@A@
++NSDEPLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
+
+ DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+ ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
+@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
+
+ SUBDIRS = unix
+
+-TARGETS = named@EXEEXT@ feature-test@EXEEXT@
++TARGETS = named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@
+
+ GEOIP2LINKOBJS = geoip.@O@
+
+@@ -151,7 +152,7 @@ server.@O@: server.c
+ -DPRODUCT=\"${PRODUCT}\" \
+ -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
+
+-named@EXEEXT@: ${OBJS} ${DEPLIBS}
++named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS}
+ export MAKE_SYMTABLE="yes"; \
+ export BASEOBJS="${OBJS} ${UOBJS}"; \
+ ${FINALBUILDCMD}
+@@ -161,7 +162,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -c ${top_srcdir}/bin/tests/system/feature-test.c
+
+-feature-test@EXEEXT@: feature-test.@O@
++feature-test-pkcs11@EXEEXT@: feature-test.@O@
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
+
+@@ -180,11 +181,11 @@ statschannel.@O@: bind9.xsl.h
+ installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+
+-install:: named@EXEEXT@ installdirs
+- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
++install:: named-pkcs11@EXEEXT@ installdirs
++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
+
+ uninstall::
+- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
+
+ @DLZ_DRIVER_RULES@
+
+diff --git a/configure.ac b/configure.ac
+index 032228b..64e3da0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI)
+ AC_SUBST(DST_GSSAPI_INC)
+ AC_SUBST(DNS_GSSAPI_LIBS)
+ DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
++DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
+
+ #
+ # Applications linking with libdns also need to link with these libraries.
+ #
+
+ AC_SUBST(DNS_CRYPTO_LIBS)
++AC_SUBST(DNS_CRYPTO_PK11_LIBS)
+
+ #
+ # was --with-lmdb specified?
+@@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
+ AC_SUBST(BIND9_NS_BUILDINCLUDE)
+ AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
+ AC_SUBST(BIND9_IRS_BUILDINCLUDE)
++AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE)
++AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE)
+ if test "X$srcdir" != "X"; then
+ BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
+ BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
+@@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then
+ BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
+ BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
+ BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
++ BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include"
++ BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include"
+ else
+ BIND9_ISC_BUILDINCLUDE=""
+ BIND9_ISCCC_BUILDINCLUDE=""
+@@ -2343,6 +2349,8 @@ else
+ BIND9_NS_BUILDINCLUDE=""
+ BIND9_BIND9_BUILDINCLUDE=""
+ BIND9_IRS_BUILDINCLUDE=""
++ BIND9_DNS_PKCS11_BUILDINCLUDE=""
++ BIND9_NS_PKCS11_BUILDINCLUDE=""
+ fi
+
+ AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
+@@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([
+ bin/delv/Makefile
+ bin/dig/Makefile
+ bin/dnssec/Makefile
++ bin/dnssec-pkcs11/Makefile
+ bin/named/Makefile
+ bin/named/unix/Makefile
++ bin/named-pkcs11/Makefile
++ bin/named-pkcs11/unix/Makefile
+ bin/nsupdate/Makefile
+ bin/pkcs11/Makefile
+ bin/plugins/Makefile
+@@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([
+ lib/dns/include/dns/Makefile
+ lib/dns/include/dst/Makefile
+ lib/dns/tests/Makefile
++ lib/dns-pkcs11/Makefile
++ lib/dns-pkcs11/include/Makefile
++ lib/dns-pkcs11/include/dns/Makefile
++ lib/dns-pkcs11/include/dst/Makefile
+ lib/irs/Makefile
+ lib/irs/include/Makefile
+ lib/irs/include/irs/Makefile
+@@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([
+ lib/ns/include/Makefile
+ lib/ns/include/ns/Makefile
+ lib/ns/tests/Makefile
++ lib/ns-pkcs11/Makefile
++ lib/ns-pkcs11/include/Makefile
++ lib/ns-pkcs11/include/ns/Makefile
++ lib/ns-pkcs11/tests/Makefile
+ make/Makefile
+ make/mkdep
+ unit/unittest.sh
+diff --git a/lib/Makefile.in b/lib/Makefile.in
+index 833964e..058ba2f 100644
+--- a/lib/Makefile.in
++++ b/lib/Makefile.in
+@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
+ # Attempt to disable parallel processing.
+ .NOTPARALLEL:
+ .NO_PARALLEL:
+-SUBDIRS = isc isccc dns ns isccfg bind9 irs
++SUBDIRS = isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs
+ TARGETS =
+
+ @BIND9_MAKE_RULES@
+diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
+index 58bda3c..d6a45df 100644
+--- a/lib/dns-pkcs11/Makefile.in
++++ b/lib/dns-pkcs11/Makefile.in
+@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
+
+ @BIND9_MAKE_INCLUDES@
+
+-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
++CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
+ ${ISC_INCLUDES} \
+ ${FSTRM_CFLAGS} \
+ ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
+@@ -32,7 +32,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
+ ${LMDB_CFLAGS} \
+ ${MAXMINDDB_CFLAGS}
+
+-CDEFINES = @USE_GSSAPI@
++CDEFINES = @USE_GSSAPI@ @USE_PKCS11@
+
+ CWARNINGS =
+
+@@ -135,15 +135,15 @@ version.@O@: version.c
+ -DMAPAPI=\"${MAPAPI}\" \
+ -c ${srcdir}/version.c
+
+-libdns.@SA@: ${OBJS}
++libdns-pkcs11.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+-libdns.la: ${OBJS}
++libdns-pkcs11.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
+ -release "${VERSION}" \
+- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
++ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
+
+ include: gen
+ ${MAKE} include/dns/enumtype.h
+@@ -174,22 +174,22 @@ gen: gen.c
+ ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
+ ${BUILD_LIBS} ${LFS_LIBS}
+
+-timestamp: include libdns.@A@
++timestamp: include libdns-pkcs11.@A@
+ touch timestamp
+
+-testdirs: libdns.@A@
++testdirs: libdns-pkcs11.@A@
+
+ installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+ install:: timestamp installdirs
+- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
+
+ uninstall::
+- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@
+
+ clean distclean::
+- rm -f libdns.@A@ timestamp
++ rm -f libdns-pkcs11.@A@ timestamp
+ rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
+ rm -f include/dns/rdatastruct.h
+ rm -f dnstap.pb-c.c dnstap.pb-c.h
+diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
+index 3bb5e01..c96fe7d 100644
+--- a/lib/dns-pkcs11/tests/Makefile.in
++++ b/lib/dns-pkcs11/tests/Makefile.in
+@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@
+
+ @BIND9_MAKE_INCLUDES@
+
+-CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
++CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
+ ${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \
+ ${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@
+-CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\""
++CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
+
+ ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ ISCDEPLIBS = ../../isc/libisc.@A@
+-DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+-DNSDEPLIBS = ../libdns.@A@
++DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
++DNSDEPLIBS = ../libdns-pkcs11.@A@
+
+ LIBS = @LIBS@ @CMOCKA_LIBS@
+
+diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
+index bc683ce..7a9d2f2 100644
+--- a/lib/ns-pkcs11/Makefile.in
++++ b/lib/ns-pkcs11/Makefile.in
+@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@
+
+ @BIND9_MAKE_INCLUDES@
+
+-CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \
+- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
++CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \
++ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
+ ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
+ ${FSTRM_CFLAGS}
+
+-CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\"
++CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
+
+ CWARNINGS =
+
+@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@
+
+ ISCDEPLIBS = ../../lib/isc/libisc.@A@
+
+-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+
+-DNSDEPLIBS = ../../lib/dns/libdns.@A@
++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+
+ LIBS = @LIBS@
+
+@@ -60,28 +60,28 @@ version.@O@: version.c
+ -DMAJOR=\"${MAJOR}\" \
+ -c ${srcdir}/version.c
+
+-libns.@SA@: ${OBJS}
++libns-pkcs11.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+-libns.la: ${OBJS}
++libns-pkcs11.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \
++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \
+ -release "${VERSION}" \
+- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
++ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
+
+-timestamp: libns.@A@
++timestamp: libns-pkcs11.@A@
+ touch timestamp
+
+ installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+ install:: timestamp installdirs
+- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \
++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \
+ ${DESTDIR}${libdir}
+
+ uninstall::
+- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@
++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@
+
+ clean distclean::
+- rm -f libns.@A@ timestamp
++ rm -f libns-pkcs11.@A@ timestamp
+diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in
+index 4c3e694..c1b6d99 100644
+--- a/lib/ns-pkcs11/tests/Makefile.in
++++ b/lib/ns-pkcs11/tests/Makefile.in
+@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@
+
+ WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach
+
+-CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
++CINCLUDES = -I. -Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
+ ${OPENSSL_CFLAGS} \
+ @CMOCKA_CFLAGS@
+-CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\"
++CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@
+
+ ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
+ ISCDEPLIBS = ../../isc/libisc.@A@
+-DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+-DNSDEPLIBS = ../../dns/libdns.@A@
+-NSLIBS = ../libns.@A@
+-NSDEPLIBS = ../libns.@A@
++DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
++DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@
++NSLIBS = ../libns-pkcs11.@A@
++NSDEPLIBS = ../libns-pkcs11.@A@
+
+ LIBS = @LIBS@ @CMOCKA_LIBS@
+
+diff --git a/make/includes.in b/make/includes.in
+index b8317d3..b73b0c4 100644
+--- a/make/includes.in
++++ b/make/includes.in
+@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
+
+ TEST_INCLUDES = \
+ -I${top_srcdir}/lib/tests/include
++
++DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \
++ -I${top_srcdir}/lib/dns-pkcs11/include
++
++NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \
++ -I${top_srcdir}/lib/ns-pkcs11/include
++
+--
+2.26.3
+
diff --git a/SOURCES/bind-9.11-feature-test-named.patch b/SOURCES/bind-9.11-feature-test-named.patch
new file mode 100644
index 0000000..9af8d73
--- /dev/null
+++ b/SOURCES/bind-9.11-feature-test-named.patch
@@ -0,0 +1,59 @@
+From e645046202006750f87531e21e3ff7c26fba3466 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 30 Jan 2019 14:37:17 +0100
+Subject: [PATCH] Create feature-test in source directory
+
+Feature-test tool is used in system tests to test compiled in changes.
+Because we build more variants of named with different configuration,
+compile feature-test for each of them this way.
+---
+ bin/named/Makefile.in | 12 +++++++++++-
+ bin/tests/system/conf.sh.in | 2 +-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
+index 37053a7..ed9add2 100644
+--- a/bin/named/Makefile.in
++++ b/bin/named/Makefile.in
+@@ -91,7 +91,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
+
+ SUBDIRS = unix
+
+-TARGETS = named@EXEEXT@
++TARGETS = named@EXEEXT@ feature-test@EXEEXT@
+
+ GEOIP2LINKOBJS = geoip.@O@
+
+@@ -154,6 +154,16 @@ named@EXEEXT@: ${OBJS} ${DEPLIBS}
+ export BASEOBJS="${OBJS} ${UOBJS}"; \
+ ${FINALBUILDCMD}
+
++# Bit of hack, do not produce intermediate .o object for featuretest
++feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
++ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
++ -c ${top_srcdir}/bin/tests/system/feature-test.c
++
++feature-test@EXEEXT@: feature-test.@O@
++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
++ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
++
++
+ clean distclean maintainer-clean::
+ rm -f ${TARGETS} ${OBJS}
+
+diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
+index 7934930..e84fde2 100644
+--- a/bin/tests/system/conf.sh.in
++++ b/bin/tests/system/conf.sh.in
+@@ -37,7 +37,7 @@ DELV=$TOP/bin/delv/delv
+ DIG=$TOP/bin/dig/dig
+ DNSTAPREAD=$TOP/bin/tools/dnstap-read
+ DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+-FEATURETEST=$TOP/bin/tests/system/feature-test
++FEATURETEST=$TOP/bin/named/feature-test
+ FSTRM_CAPTURE=@FSTRM_CAPTURE@
+ HOST=$TOP/bin/dig/host
+ IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
+--
+2.26.2
+
diff --git a/SOURCES/bind-9.11-fips-tests.patch b/SOURCES/bind-9.11-fips-tests.patch
new file mode 100644
index 0000000..51927a4
--- /dev/null
+++ b/SOURCES/bind-9.11-fips-tests.patch
@@ -0,0 +1,959 @@
+From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 2 Aug 2018 23:46:45 +0200
+Subject: [PATCH] FIPS tests changes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Squashed commit of the following:
+
+commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 20:35:13 2018 +0100
+
+ Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
+
+commit ab303db70082db76ecf36493d0b82ef3e8750cad
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 18:11:10 2018 +0100
+
+ Changed root key to be RSASHA256
+
+ Change bad trusted key to be the same algorithm.
+
+commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 16:56:17 2018 +0100
+
+ Change used key to not use hmac-md5
+
+ Fix upforwd test, do not use hmac-md5
+
+commit aec891571626f053acfb4d0a247240cbc21a84e9
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 15:54:11 2018 +0100
+
+ Increase bitsize of DSA key to pass FIPS 140-2 mode.
+
+commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 15:41:08 2018 +0100
+
+ Fix tsig and rndc tests for disabled md5
+
+ Use hmac-sha256 instead of hmac-md5.
+
+commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 13:21:00 2018 +0100
+
+ Add md5 availability detection to featuretest
+
+commit f389a918803e2853e4b55fed62765dc4a492e34f
+Author: Petr Menšík <pemensik@redhat.com>
+Date: Wed Mar 7 10:44:23 2018 +0100
+
+ Change tests to not use hmac-md5 algorithms if not required
+
+ Use hmac-sha256 instead of default hmac-md5 for allow-query
+---
+ bin/tests/system/acl/ns2/named1.conf.in | 4 +-
+ bin/tests/system/acl/ns2/named2.conf.in | 4 +-
+ bin/tests/system/acl/ns2/named3.conf.in | 6 +-
+ bin/tests/system/acl/ns2/named4.conf.in | 4 +-
+ bin/tests/system/acl/ns2/named5.conf.in | 4 +-
+ bin/tests/system/acl/tests.sh | 32 ++++-----
+ .../system/allow-query/ns2/named10.conf.in | 2 +-
+ .../system/allow-query/ns2/named11.conf.in | 4 +-
+ .../system/allow-query/ns2/named12.conf.in | 2 +-
+ .../system/allow-query/ns2/named30.conf.in | 2 +-
+ .../system/allow-query/ns2/named31.conf.in | 4 +-
+ .../system/allow-query/ns2/named32.conf.in | 2 +-
+ .../system/allow-query/ns2/named40.conf.in | 4 +-
+ bin/tests/system/allow-query/tests.sh | 18 ++---
+ bin/tests/system/catz/ns1/named.conf.in | 2 +-
+ bin/tests/system/catz/ns2/named.conf.in | 2 +-
+ bin/tests/system/checkconf/bad-tsig.conf | 2 +-
+ bin/tests/system/checkconf/good.conf | 2 +-
+ bin/tests/system/feature-test.c | 14 ++++
+ bin/tests/system/notify/ns5/named.conf.in | 6 +-
+ bin/tests/system/notify/tests.sh | 6 +-
+ bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
+ bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
+ bin/tests/system/nsupdate/setup.sh | 6 +-
+ bin/tests/system/nsupdate/tests.sh | 15 +++--
+ bin/tests/system/rndc/setup.sh | 2 +-
+ bin/tests/system/rndc/tests.sh | 23 ++++---
+ bin/tests/system/tsig/ns1/named.conf.in | 10 +--
+ bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
+ bin/tests/system/tsig/setup.sh | 5 ++
+ bin/tests/system/tsig/tests.sh | 65 ++++++++++++-------
+ bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
+ bin/tests/system/upforwd/tests.sh | 2 +-
+ 33 files changed, 162 insertions(+), 108 deletions(-)
+ create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
+
+diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
+index 60f22e1..249f672 100644
+--- a/bin/tests/system/acl/ns2/named1.conf.in
++++ b/bin/tests/system/acl/ns2/named1.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
+index ada97bc..f82d858 100644
+--- a/bin/tests/system/acl/ns2/named2.conf.in
++++ b/bin/tests/system/acl/ns2/named2.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
+index 97684e4..de6a2e9 100644
+--- a/bin/tests/system/acl/ns2/named3.conf.in
++++ b/bin/tests/system/acl/ns2/named3.conf.in
+@@ -33,17 +33,17 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key three {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
+index 462b3fa..994b35c 100644
+--- a/bin/tests/system/acl/ns2/named4.conf.in
++++ b/bin/tests/system/acl/ns2/named4.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
+index 728da58..8f00d09 100644
+--- a/bin/tests/system/acl/ns2/named5.conf.in
++++ b/bin/tests/system/acl/ns2/named5.conf.in
+@@ -35,12 +35,12 @@ options {
+ };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
+index be59d64..13d5bdc 100644
+--- a/bin/tests/system/acl/tests.sh
++++ b/bin/tests/system/acl/tests.sh
+@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
+ # key "one" should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+
+ # any other key should be fine
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ copy_setports ns2/named2.conf.in ns2/named.conf
+@@ -39,18 +39,18 @@ sleep 5
+ # prefix 10/8 should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ # any other address should work, as long as it sends key "one"
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ echo_i "testing nested ACL processing"
+@@ -62,31 +62,31 @@ sleep 5
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # but only one or the other should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ t=`expr $t + 1`
+@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
+ # and other values? right out
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
+@@ -108,31 +108,31 @@ sleep 5
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
++ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+
+ echo_i "testing allow-query-on ACL processing"
+diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
+index 7d43e36..f7b25f9 100644
+--- a/bin/tests/system/allow-query/ns2/named10.conf.in
++++ b/bin/tests/system/allow-query/ns2/named10.conf.in
+@@ -10,7 +10,7 @@
+ */
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
+index 2952518..121557e 100644
+--- a/bin/tests/system/allow-query/ns2/named11.conf.in
++++ b/bin/tests/system/allow-query/ns2/named11.conf.in
+@@ -10,12 +10,12 @@
+ */
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234efgh8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
+index 0c01071..ceabbb5 100644
+--- a/bin/tests/system/allow-query/ns2/named12.conf.in
++++ b/bin/tests/system/allow-query/ns2/named12.conf.in
+@@ -10,7 +10,7 @@
+ */
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
+index 4c17292..9cd9d1f 100644
+--- a/bin/tests/system/allow-query/ns2/named30.conf.in
++++ b/bin/tests/system/allow-query/ns2/named30.conf.in
+@@ -10,7 +10,7 @@
+ */
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
+index a2690a4..f488730 100644
+--- a/bin/tests/system/allow-query/ns2/named31.conf.in
++++ b/bin/tests/system/allow-query/ns2/named31.conf.in
+@@ -10,12 +10,12 @@
+ */
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234efgh8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
+index a0708c8..51fa457 100644
+--- a/bin/tests/system/allow-query/ns2/named32.conf.in
++++ b/bin/tests/system/allow-query/ns2/named32.conf.in
+@@ -10,7 +10,7 @@
+ */
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
+index 687768e..d24d6d2 100644
+--- a/bin/tests/system/allow-query/ns2/named40.conf.in
++++ b/bin/tests/system/allow-query/ns2/named40.conf.in
+@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; };
+ acl badaccept { 10.53.0.1; };
+
+ key one {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234abcd8765";
+ };
+
+ key two {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "1234efgh8765";
+ };
+
+diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
+index fe40635..543c663 100644
+--- a/bin/tests/system/allow-query/tests.sh
++++ b/bin/tests/system/allow-query/tests.sh
+@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2
+
+ echo_i "test $n: key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2
+
+ echo_i "test $n: key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2
+
+ echo_i "test $n: key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2
+
+ echo_i "test $n: views key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2
+
+ echo_i "test $n: views key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2
+
+ echo_i "test $n: views key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -500,7 +500,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -510,7 +510,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -520,7 +520,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
+index 1218669..e62715e 100644
+--- a/bin/tests/system/catz/ns1/named.conf.in
++++ b/bin/tests/system/catz/ns1/named.conf.in
+@@ -61,5 +61,5 @@ zone "catalog4.example" {
+
+ key tsig_key. {
+ secret "LSAnCU+Z";
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ };
+diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
+index 30333e6..4005152 100644
+--- a/bin/tests/system/catz/ns2/named.conf.in
++++ b/bin/tests/system/catz/ns2/named.conf.in
+@@ -70,5 +70,5 @@ zone "catalog4.example" {
+
+ key tsig_key. {
+ secret "LSAnCU+Z";
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ };
+diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
+index 21be03e..e57c308 100644
+--- a/bin/tests/system/checkconf/bad-tsig.conf
++++ b/bin/tests/system/checkconf/bad-tsig.conf
+@@ -11,7 +11,7 @@
+
+ /* Bad secret */
+ key "badtsig" {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "jEdD+BPKg==";
+ };
+
+diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
+index e09b9e8..2e824b3 100644
+--- a/bin/tests/system/checkconf/good.conf
++++ b/bin/tests/system/checkconf/good.conf
+@@ -210,6 +210,6 @@ dyndb "name" "library.so" {
+ system;
+ };
+ key "mykey" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "qwertyuiopasdfgh";
+ };
+diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
+index 877504f..577660a 100644
+--- a/bin/tests/system/feature-test.c
++++ b/bin/tests/system/feature-test.c
+@@ -14,6 +14,7 @@
+ #include <string.h>
+ #include <unistd.h>
+
++#include <isc/md.h>
+ #include <isc/net.h>
+ #include <isc/print.h>
+ #include <isc/util.h>
+@@ -186,6 +187,19 @@ main(int argc, char **argv) {
+ #endif /* ifdef DLZ_FILESYSTEM */
+ }
+
++ if (strcmp(argv[1], "--md5") == 0) {
++ unsigned char digest[ISC_MAX_MD_SIZE];
++ const unsigned char test[] = "test";
++ unsigned int size = sizeof(digest);
++
++ if (isc_md(ISC_MD_MD5, test, sizeof(test),
++ digest, &size) == ISC_R_SUCCESS) {
++ return (0);
++ } else {
++ return (1);
++ }
++ }
++
+ if (strcmp(argv[1], "--with-idn") == 0) {
+ #ifdef HAVE_LIBIDN2
+ return (0);
+diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
+index 1ee8df4..2b75d9a 100644
+--- a/bin/tests/system/notify/ns5/named.conf.in
++++ b/bin/tests/system/notify/ns5/named.conf.in
+@@ -10,17 +10,17 @@
+ */
+
+ key "a" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "aaaaaaaaaaaaaaaaaaaa";
+ };
+
+ key "b" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "bbbbbbbbbbbbbbbbbbbb";
+ };
+
+ key "c" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "cccccccccccccccccccc";
+ };
+
+diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
+index 3d7e0b7..ec4d9a7 100644
+--- a/bin/tests/system/notify/tests.sh
++++ b/bin/tests/system/notify/tests.sh
+@@ -212,16 +212,16 @@ ret=0
+ $NSUPDATE << EOF
+ server 10.53.0.5 ${PORT}
+ zone x21
+-key a aaaaaaaaaaaaaaaaaaaa
++key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa
+ update add added.x21 0 in txt "test string"
+ send
+ EOF
+
+ for i in 1 2 3 4 5 6 7 8 9
+ do
+- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
++ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+ txt > dig.out.b.ns5.test$n || ret=1
+- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
++ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
+ txt > dig.out.c.ns5.test$n || ret=1
+ grep "test string" dig.out.b.ns5.test$n > /dev/null &&
+ grep "test string" dig.out.c.ns5.test$n > /dev/null &&
+diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
+index b51e700..436c97d 100644
+--- a/bin/tests/system/nsupdate/ns1/named.conf.in
++++ b/bin/tests/system/nsupdate/ns1/named.conf.in
+@@ -37,7 +37,7 @@ controls {
+ };
+
+ key altkey {
+- algorithm hmac-md5;
++ algorithm hmac-sha512;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
+index da6b3b4..c547e47 100644
+--- a/bin/tests/system/nsupdate/ns2/named.conf.in
++++ b/bin/tests/system/nsupdate/ns2/named.conf.in
+@@ -32,7 +32,7 @@ controls {
+ };
+
+ key altkey {
+- algorithm hmac-md5;
++ algorithm hmac-sha512;
+ secret "1234abcd8765";
+ };
+
+diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
+index c055da3..4e1242b 100644
+--- a/bin/tests/system/nsupdate/setup.sh
++++ b/bin/tests/system/nsupdate/setup.sh
+@@ -56,7 +56,11 @@ EOF
+
+ $DDNSCONFGEN -q -z example.nil > ns1/ddns.key
+
+-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
++if $FEATURETEST --md5; then
++ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
++else
++ echo -n > ns1/md5.key
++fi
+ $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
+ $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
+ $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index b35d797..41c128e 100755
+--- a/bin/tests/system/nsupdate/tests.sh
++++ b/bin/tests/system/nsupdate/tests.sh
+@@ -797,7 +797,14 @@ fi
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++if $FEATURETEST --md5
++then
++ ALGS="md5 sha1 sha224 sha256 sha384 sha512"
++else
++ ALGS="sha1 sha224 sha256 sha384 sha512"
++ echo_i "skipping disabled md5 algorithm"
++fi
++for alg in $ALGS; do
+ $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
+ server 10.53.0.1 ${PORT}
+ update add ${alg}.keytests.nil. 600 A 10.10.10.3
+@@ -805,7 +812,7 @@ send
+ END
+ done
+ sleep 2
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++for alg in $ALGS; do
+ $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
+ done
+ if [ $ret -ne 0 ]; then
+@@ -816,7 +823,7 @@ fi
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++for alg in $ALGS; do
+ secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
+ $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
+ server 10.53.0.1 ${PORT}
+@@ -825,7 +832,7 @@ send
+ END
+ done
+ sleep 2
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++for alg in $ALGS; do
+ $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
+ done
+ if [ $ret -ne 0 ]; then
+diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
+index b59e7a7..04d5f5a 100644
+--- a/bin/tests/system/rndc/setup.sh
++++ b/bin/tests/system/rndc/setup.sh
+@@ -33,7 +33,7 @@ make_key () {
+ sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
+ }
+
+-make_key 1 ${EXTRAPORT1} hmac-md5
++$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
+ make_key 2 ${EXTRAPORT2} hmac-sha1
+ make_key 3 ${EXTRAPORT3} hmac-sha224
+ make_key 4 ${EXTRAPORT4} hmac-sha256
+diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
+index 9fd84ed..d0b188f 100644
+--- a/bin/tests/system/rndc/tests.sh
++++ b/bin/tests/system/rndc/tests.sh
+@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+ n=`expr $n + 1`
+-echo_i "testing rndc with hmac-md5 ($n)"
+-ret=0
+-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+-for i in 2 3 4 5 6
+-do
+- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+-done
+-if [ $ret != 0 ]; then echo_i "failed"; fi
+-status=`expr $status + $ret`
++if $FEATURETEST --md5
++then
++ echo_i "testing rndc with hmac-md5 ($n)"
++ ret=0
++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
++ for i in 2 3 4 5 6
++ do
++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
++ done
++ if [ $ret != 0 ]; then echo_i "failed"; fi
++ status=`expr $status + $ret`
++else
++ echo_i "skipping rndc with hmac-md5 ($n)"
++fi
+
+ n=`expr $n + 1`
+ echo_i "testing rndc with hmac-sha1 ($n)"
+diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
+index 3470c4f..cf539cd 100644
+--- a/bin/tests/system/tsig/ns1/named.conf.in
++++ b/bin/tests/system/tsig/ns1/named.conf.in
+@@ -21,10 +21,7 @@ options {
+ notify no;
+ };
+
+-key "md5" {
+- secret "97rnFx24Tfna4mHPfgnerA==";
+- algorithm hmac-md5;
+-};
++# md5 key appended by setup.sh at the end
+
+ key "sha1" {
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+@@ -51,10 +48,7 @@ key "sha512" {
+ algorithm hmac-sha512;
+ };
+
+-key "md5-trunc" {
+- secret "97rnFx24Tfna4mHPfgnerA==";
+- algorithm hmac-md5-80;
+-};
++# md5-trunc key appended by setup.sh at the end
+
+ key "sha1-trunc" {
+ secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
+new file mode 100644
+index 0000000..0682194
+--- /dev/null
++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
+@@ -0,0 +1,10 @@
++# Conditionally included when support for MD5 is available
++key "md5" {
++ secret "97rnFx24Tfna4mHPfgnerA==";
++ algorithm hmac-md5;
++};
++
++key "md5-trunc" {
++ secret "97rnFx24Tfna4mHPfgnerA==";
++ algorithm hmac-md5-80;
++};
+diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
+index e3b4a45..ae21d04 100644
+--- a/bin/tests/system/tsig/setup.sh
++++ b/bin/tests/system/tsig/setup.sh
+@@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
+ $SHELL clean.sh
+
+ copy_setports ns1/named.conf.in ns1/named.conf
++
++if $FEATURETEST --md5
++then
++ cat ns1/rndc5.conf.in >> ns1/named.conf
++fi
+diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
+index 38d842a..668aa6f 100644
+--- a/bin/tests/system/tsig/tests.sh
++++ b/bin/tests/system/tsig/tests.sh
+@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
+
+ status=0
+
+-echo_i "fetching using hmac-md5 (old form)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
+-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+- echo_i "failed"; status=1
+-fi
++if $FEATURETEST --md5
++then
++ echo_i "fetching using hmac-md5 (old form)"
++ ret=0
++ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
++ if [ $ret -eq 1 ] ; then
++ echo_i "failed"; status=1
++ fi
+
+-echo_i "fetching using hmac-md5 (new form)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
+-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+- echo_i "failed"; status=1
++ echo_i "fetching using hmac-md5 (new form)"
++ ret=0
++ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
++ if [ $ret -eq 1 ] ; then
++ echo_i "failed"; status=1
++ fi
++else
++ echo_i "skipping using hmac-md5"
+ fi
+
+ echo_i "fetching using hmac-sha1"
+@@ -87,12 +92,17 @@ fi
+ # Truncated TSIG
+ #
+ #
+-echo_i "fetching using hmac-md5 (trunc)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
+-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+- echo_i "failed"; status=1
++if $FEATURETEST --md5
++then
++ echo_i "fetching using hmac-md5 (trunc)"
++ ret=0
++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
++ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
++ if [ $ret -eq 1 ] ; then
++ echo_i "failed"; status=1
++ fi
++else
++ echo_i "skipping using hmac-md5 (trunc)"
+ fi
+
+ echo_i "fetching using hmac-sha1 (trunc)"
+@@ -141,12 +151,17 @@ fi
+ # Check for bad truncation.
+ #
+ #
+-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
+-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+- echo_i "failed"; status=1
++if $FEATURETEST --md5
++then
++ echo_i "fetching using hmac-md5-80 (BADTRUNC)"
++ ret=0
++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
++ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
++ if [ $ret -eq 1 ] ; then
++ echo_i "failed"; status=1
++ fi
++else
++ echo_i "skipping using hmac-md5-80 (BADTRUNC)"
+ fi
+
+ echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
+diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
+index 3873c7c..b359a5a 100644
+--- a/bin/tests/system/upforwd/ns1/named.conf.in
++++ b/bin/tests/system/upforwd/ns1/named.conf.in
+@@ -10,7 +10,7 @@
+ */
+
+ key "update.example." {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+ };
+
+diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
+index a50c896..8062d68 100644
+--- a/bin/tests/system/upforwd/tests.sh
++++ b/bin/tests/system/upforwd/tests.sh
+@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+
+ echo_i "updating zone (signed) ($n)"
+ ret=0
+-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
++$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+ server 10.53.0.3 ${PORT}
+ update add updated.example. 600 A 10.10.10.1
+ update add updated.example. 600 TXT Foo
+--
+2.26.2
+
diff --git a/SOURCES/bind-9.11-kyua-pkcs11.patch b/SOURCES/bind-9.11-kyua-pkcs11.patch
new file mode 100644
index 0000000..ea9a51a
--- /dev/null
+++ b/SOURCES/bind-9.11-kyua-pkcs11.patch
@@ -0,0 +1,58 @@
+From 1241f2005d08673c28a595c5a6cd61350b95a929 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 2 Jan 2018 18:13:07 +0100
+Subject: [PATCH] Fix pkcs11 variants atf tests
+
+Add dns-pkcs11 tests Makefile to configure
+
+Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
+---
+ configure.ac | 1 +
+ lib/Kyuafile | 2 ++
+ lib/dns-pkcs11/tests/dh_test.c | 3 ++-
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index d80ae31..0fb9328 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([
+ lib/dns-pkcs11/include/Makefile
+ lib/dns-pkcs11/include/dns/Makefile
+ lib/dns-pkcs11/include/dst/Makefile
++ lib/dns-pkcs11/tests/Makefile
+ lib/irs/Makefile
+ lib/irs/include/Makefile
+ lib/irs/include/irs/Makefile
+diff --git a/lib/Kyuafile b/lib/Kyuafile
+index 39ce986..037e5ef 100644
+--- a/lib/Kyuafile
++++ b/lib/Kyuafile
+@@ -2,8 +2,10 @@ syntax(2)
+ test_suite('bind9')
+
+ include('dns/Kyuafile')
++include('dns-pkcs11/Kyuafile')
+ include('irs/Kyuafile')
+ include('isc/Kyuafile')
+ include('isccc/Kyuafile')
+ include('isccfg/Kyuafile')
+ include('ns/Kyuafile')
++include('ns-pkcs11/Kyuafile')
+diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
+index 934e8fd..658d1af 100644
+--- a/lib/dns-pkcs11/tests/dh_test.c
++++ b/lib/dns-pkcs11/tests/dh_test.c
+@@ -87,7 +87,8 @@ dh_computesecret(void **state) {
+ result = dst_key_computesecret(key, key, &buf);
+ assert_int_equal(result, DST_R_NOTPRIVATEKEY);
+ result = key->func->computesecret(key, key, &buf);
+- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
++ /* PKCS11 variant gives different result, accept both */
++ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
+
+ dst_key_free(&key);
+ }
+--
+2.20.1
+
diff --git a/SOURCES/bind-9.11-rh1666814.patch b/SOURCES/bind-9.11-rh1666814.patch
new file mode 100644
index 0000000..7429999
--- /dev/null
+++ b/SOURCES/bind-9.11-rh1666814.patch
@@ -0,0 +1,29 @@
+From 0f03071080e7fa68433b322359d46abaca2cc5ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 16 Jan 2019 16:27:33 +0100
+Subject: [PATCH] Fix possible crash when loading corrupted file
+
+Some values passes internal triggers by coincidence. Fix the check and
+check also first_node_offset before even passing it further.
+---
+ lib/dns/rbt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
+index 5aee5f6..7f2c2d2 100644
+--- a/lib/dns/rbt.c
++++ b/lib/dns/rbt.c
+@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
+ rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset +
+ header->first_node_offset);
+
+- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
++ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
++ || header->first_node_offset > filesize) {
++
+ result = ISC_R_INVALIDFILE;
+ goto cleanup;
+ }
+--
+2.31.1
+
diff --git a/SOURCES/bind-9.11-tests-variants.patch b/SOURCES/bind-9.11-tests-variants.patch
new file mode 100644
index 0000000..807a4a0
--- /dev/null
+++ b/SOURCES/bind-9.11-tests-variants.patch
@@ -0,0 +1,65 @@
+From 607cec78382b016aad0fe041f2e1895b6896c647 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 1 Mar 2019 15:48:20 +0100
+Subject: [PATCH] Make alternative named builds testable in system tests
+
+Red Hat has alternative variant builds of named, which are not ever
+tested by system tests. New variables make it relatively easy to test
+alternative variants.
+
+For sdb variant use:
+export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
+
+For pkcs variant use:
+export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
+---
+ bin/tests/system/conf.sh.in | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
+index d859909..9152f07 100644
+--- a/bin/tests/system/conf.sh.in
++++ b/bin/tests/system/conf.sh.in
+@@ -37,17 +37,17 @@ DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
+ DELV=$TOP/bin/delv/delv
+ DIG=$TOP/bin/dig/dig
+ DNSTAPREAD=$TOP/bin/tools/dnstap-read
+-DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+-FEATURETEST=$TOP/bin/named/feature-test
++DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT}
++FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT}
+ FSTRM_CAPTURE=@FSTRM_CAPTURE@
+ HOST=$TOP/bin/dig/host
+-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
++IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT}
+ JOURNALPRINT=$TOP/bin/tools/named-journalprint
+-KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
+-KEYGEN=$TOP/bin/dnssec/dnssec-keygen
++KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT}
++KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT}
+ KEYMGR=$TOP/bin/python/dnssec-keymgr
+ MDIG=$TOP/bin/tools/mdig
+-NAMED=$TOP/bin/named/named
++NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT}
+ NSEC3HASH=$TOP/bin/tools/nsec3hash
+ NSLOOKUP=$TOP/bin/dig/nslookup
+ NSUPDATE=$TOP/bin/nsupdate/nsupdate
+@@ -56,12 +56,12 @@ PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
+ PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+ PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+ RESOLVE=$TOP/bin/tests/system/resolve
+-REVOKE=$TOP/bin/dnssec/dnssec-revoke
++REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT}
+ RNDC=$TOP/bin/rndc/rndc
+ RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
+ RRCHECKER=$TOP/bin/tools/named-rrchecker
+-SETTIME=$TOP/bin/dnssec/dnssec-settime
+-SIGNER=$TOP/bin/dnssec/dnssec-signzone
++SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT}
++SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT}
+ TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
+ VERIFY=$TOP/bin/dnssec/dnssec-verify
+ WIRETEST=$TOP/bin/tests/wire_test
+--
+2.26.3
+
diff --git a/SOURCES/bind-9.14-config-pkcs11.patch b/SOURCES/bind-9.14-config-pkcs11.patch
new file mode 100644
index 0000000..0d62df6
--- /dev/null
+++ b/SOURCES/bind-9.14-config-pkcs11.patch
@@ -0,0 +1,83 @@
+From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 18 Oct 2019 21:30:52 +0200
+Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h
+
+Building two variants with the same common code requires to unset
+USE_PKCS11 on part of build. That is not possible with config.h value.
+Move it as normal define to CDEFINES.
+---
+ bin/confgen/Makefile.in | 2 +-
+ configure.ac | 8 ++++++--
+ lib/dns/dst_internal.h | 12 +++++++++---
+ 3 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
+index 1b7512d..c126bf3 100644
+--- a/bin/confgen/Makefile.in
++++ b/bin/confgen/Makefile.in
+@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
+ CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+-CDEFINES =
++CDEFINES = @USE_PKCS11@
+ CWARNINGS =
+
+ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+diff --git a/configure.ac b/configure.ac
+index f5483fe..08a7d8a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST])
+ AC_SUBST([PKCS11_TOOLS])
+ AC_SUBST([PKCS11_MANS])
+
++USE_PKCS11='-DUSE_PKCS11=0'
++USE_OPENSSL='-DUSE_OPENSSL=0'
+ AC_SUBST([CRYPTO])
+ AS_CASE([$CRYPTO],
+- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
+- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
++ [pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'],
++ [USE_OPENSSL='-DUSE_OPENSSL=1'])
++AC_SUBST(USE_PKCS11)
++AC_SUBST(USE_OPENSSL)
+
+ # preparation for automake
+ # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
+diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
+index 2c3b4a3..55e9dc4 100644
+--- a/lib/dns/dst_internal.h
++++ b/lib/dns/dst_internal.h
+@@ -38,6 +38,13 @@
+ #include <isc/stdtime.h>
+ #include <isc/types.h>
+
++#ifndef USE_PKCS11
++#define USE_PKCS11 0
++#endif
++#ifndef USE_OPENSSL
++#define USE_OPENSSL (! USE_PKCS11)
++#endif
++
+ #if USE_PKCS11
+ #include <pk11/pk11.h>
+ #include <pk11/site.h>
+@@ -116,11 +123,10 @@ struct dst_key {
+ void *generic;
+ dns_gss_ctx_id_t gssctx;
+ DH *dh;
+-#if USE_OPENSSL
+- EVP_PKEY *pkey;
+-#endif /* if USE_OPENSSL */
+ #if USE_PKCS11
+ pk11_object_t *pkey;
++#else
++ EVP_PKEY *pkey;
+ #endif /* if USE_PKCS11 */
+ dst_hmac_key_t *hmac_key;
+ } keydata; /*%< pointer to key in crypto pkg fmt */
+--
+2.26.2
+
diff --git a/SOURCES/bind-9.16-redhat_doc.patch b/SOURCES/bind-9.16-redhat_doc.patch
new file mode 100644
index 0000000..ef76e16
--- /dev/null
+++ b/SOURCES/bind-9.16-redhat_doc.patch
@@ -0,0 +1,60 @@
+From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 17 Jun 2020 23:17:13 +0200
+Subject: [PATCH] Update man named with Red Hat specifics
+
+This is almost unmodified text and requires revalidation. Some of those
+statements are no longer correct.
+---
+ bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/bin/named/named.rst b/bin/named/named.rst
+index 6fd8f87..3cd6350 100644
+--- a/bin/named/named.rst
++++ b/bin/named/named.rst
+@@ -228,6 +228,41 @@ Files
+ ``/var/run/named/named.pid``
+ The default process-id file.
+
++Notes
++~~~~~
++
++**Red Hat SELinux BIND Security Profile:**
++
++By default, Red Hat ships BIND with the most secure SELinux policy
++that will not prevent normal BIND operation and will prevent exploitation
++of all known BIND security vulnerabilities. See the selinux(8) man page
++for information about SElinux.
++
++It is not necessary to run named in a chroot environment if the Red Hat
++SELinux policy for named is enabled. When enabled, this policy is far
++more secure than a chroot environment. Users are recommended to enable
++SELinux and remove the bind-chroot package.
++
++*With this extra security comes some restrictions:*
++
++By default, the SELinux policy does not allow named to write outside directory
++/var/named. That directory used to be read-only for named, but write access is
++enabled by default now.
++
++The "named" group must be granted read privelege to
++these files in order for named to be enabled to read them.
++Any file updated by named must be writeable by named user or named group.
++
++Any file created in the zone database file directory is automatically assigned
++the SELinux file context *named_zone_t* .
++
++The Red Hat BIND distribution and SELinux policy creates three directories where
++named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
++*/var/named/data*. The service is able to write and file under */var/named* with appropriate
++permissions. They are used for better organisation of zones and backward compatibility.
++Files in these directories are automatically assigned the '*named_cache_t*'
++file context, which SELinux always allows named to write.
++
+ See Also
+ ~~~~~~~~
+
+--
+2.26.2
+
diff --git a/SOURCES/bind-9.16.23.tar.xz.asc b/SOURCES/bind-9.16.23.tar.xz.asc
new file mode 100644
index 0000000..d48514d
--- /dev/null
+++ b/SOURCES/bind-9.16.23.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABAgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmGKhMcACgkQxbTukxqf
+nf1EbQ//YXsBbMtyI3c0MoleSi5zwzcpCTZTWTFHqH5WUiruLMDF453j/Fn2zaSC
+WuaUnhN61dR+BVtX+D2Y8GiVQFICo5X1nJj0jb/TcflXFq7YLWUAO0NPwPkBL1J4
+/PA0YCp1zYcvBXIxTKaU7AcBxlKmcGLdZcgCyGU6NSKaOJSxHOWXM460uD/crskB
+iSPEbMevN9TTJs9webztJNKH/3BuNkOD9SFb6JlUIQqwKx1v8rosgdI7BvgGMZqy
+s+10+GlIRFFvsX2XkX8BnjDlQ1QdzDOAoyCU+Se9rXDqu+zZf1VN4ReUCSDuPYf9
+z+GW1EbMxuZzEKrEIJvhnVNNiHqtKVaK6IIUX5bHqgPLEx87HxJMOPmbyBc1kDAe
+0WCmsITaq62WvKOG8Ho8wLrlG4AAO5+A7xit4bJ4XUtLiqyt+9FUIeEFY9nZb/6O
+OXK9eBMZHZ++r52RtA+GYZllkNRpzwnULOdR/9svVQuc10/MjnRoFqInzLlqwfwm
+2q6r372oWn8+MUvjQVBgzprn5BvY+HDo2gNEYEi5QyR3ql2dX/Qz7iUdUfhRvMNL
+FdPt3B3kktfOV98p/imrIwLwVVWwKBlphntkRxLtSZBs3nbo27F/ND54fixC2eCa
+epB6FF5IquzQ/MOiz4uql3YexNDQQ+7N2IGPJVMwO2ILAyZDNOQ=
+=pVtf
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/bind-9.5-PIE.patch b/SOURCES/bind-9.5-PIE.patch
new file mode 100644
index 0000000..d3c73ee
--- /dev/null
+++ b/SOURCES/bind-9.5-PIE.patch
@@ -0,0 +1,30 @@
+diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
+index eb622d1..37053a7 100644
+--- a/bin/named/Makefile.in
++++ b/bin/named/Makefile.in
+@@ -117,8 +117,12 @@ SRCS = builtin.c config.c control.c \
+ tkeyconf.c tsigconf.c zoneconf.c \
+ ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+
++EXT_CFLAGS = -fpie
++
+ @BIND9_MAKE_RULES@
+
++LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
++
+ main.@O@: main.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
+index fd9ca8d..f1c102c 100644
+--- a/bin/named/unix/Makefile.in
++++ b/bin/named/unix/Makefile.in
+@@ -11,6 +11,8 @@ srcdir = @srcdir@
+ VPATH = @srcdir@
+ top_srcdir = @top_srcdir@
+
++EXT_CFLAGS = -fpie
++
+ @BIND9_MAKE_INCLUDES@
+
+ CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
diff --git a/SOURCES/bind-9.5-dlz-64bit.patch b/SOURCES/bind-9.5-dlz-64bit.patch
new file mode 100644
index 0000000..ec064c6
--- /dev/null
+++ b/SOURCES/bind-9.5-dlz-64bit.patch
@@ -0,0 +1,53 @@
+diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
+index 47525af..eefe3c3 100644
+--- a/contrib/dlz/config.dlz.in
++++ b/contrib/dlz/config.dlz.in
+@@ -17,6 +17,13 @@
+ #
+ dlzdir='${DLZ_DRIVER_DIR}'
+
++AC_MSG_CHECKING([for target libdir])
++AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}],
++ [target_lib=lib64],
++ [target_lib=lib],
++)
++AC_MSG_RESULT(["$target_lib"])
++
+ #
+ # Private autoconf macro to simplify configuring drivers:
+ #
+@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in
+ then
+ break
+ fi
+- elif test -f "$dd/lib/lib${d}.so"
++ elif test -f "$dd/${target_lib}/lib${d}.so"
+ then
+- dlz_bdb_libs="-L${dd}/lib -l${d}"
++ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
+ break
+ fi
+ done
+@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in
+ *)
+ DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
+ [-I$use_dlz_ldap/include],
+- [-L$use_dlz_ldap/lib -lldap -llber])
++ [-L$use_dlz_ldap/${target_lib} -lldap -llber])
+
+ AC_MSG_RESULT(
+ [using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
+@@ -432,11 +439,11 @@ then
+ odbcdirs="/usr /usr/local /usr/pkg"
+ for d in $odbcdirs
+ do
+- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
++ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
+ then
+ use_dlz_odbc=$d
+ dlz_odbc_include="-I$use_dlz_odbc/include"
+- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
++ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
+ break
+ fi
+ done
diff --git a/SOURCES/bind-9.9.1-P2-dlz-libdb.patch b/SOURCES/bind-9.9.1-P2-dlz-libdb.patch
new file mode 100644
index 0000000..866ed8f
--- /dev/null
+++ b/SOURCES/bind-9.9.1-P2-dlz-libdb.patch
@@ -0,0 +1,31 @@
+diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in
+--- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200
++++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200
+@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in
+ # Check other locations for includes.
+ # Order is important (sigh).
+
+- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
++ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
+ # include a blank element first
+ for d in "" $bdb_incdirs
+ do
+@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in
+ bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
+ for d in $bdb_libnames
+ do
+- if test "$dd" = "/usr"
++ if test -f "$dd/${target_lib}/lib${d}.so"
+ then
+- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}")
+- if test $dlz_bdb_libs != "yes"
+- then
+- break
+- fi
+- elif test -f "$dd/${target_lib}/lib${d}.so"
+- then
+- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
++ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
+ break
+ fi
+ done
diff --git a/SOURCES/bind.tmpfiles.d b/SOURCES/bind.tmpfiles.d
new file mode 100644
index 0000000..640a656
--- /dev/null
+++ b/SOURCES/bind.tmpfiles.d
@@ -0,0 +1 @@
+d /run/named 0755 named named -
diff --git a/SOURCES/bind93-rh490837.patch b/SOURCES/bind93-rh490837.patch
new file mode 100644
index 0000000..4b32b4d
--- /dev/null
+++ b/SOURCES/bind93-rh490837.patch
@@ -0,0 +1,34 @@
+diff --git a/lib/isc/lex.c b/lib/isc/lex.c
+index cd44fe3..5b7c539 100644
+--- a/lib/isc/lex.c
++++ b/lib/isc/lex.c
+@@ -27,6 +27,8 @@
+ #include <isc/string.h>
+ #include <isc/util.h>
+
++#include "../errno2result.h"
++
+ typedef struct inputsource {
+ isc_result_t result;
+ bool is_file;
+@@ -422,7 +424,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
+ #endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */
+ if (c == EOF) {
+ if (ferror(stream)) {
+- source->result = ISC_R_IOERROR;
++ source->result = isc__errno2result(errno);
+ result = source->result;
+ goto done;
+ }
+diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
+index e3e2644..5e58600 100644
+--- a/lib/isc/unix/errno2result.c
++++ b/lib/isc/unix/errno2result.c
+@@ -37,6 +37,7 @@ isc___errno2result(int posixerrno, bool dolog, const char *file,
+ case EINVAL: /* XXX sometimes this is not for files */
+ case ENAMETOOLONG:
+ case EBADF:
++ case EISDIR:
+ return (ISC_R_INVALIDFILE);
+ case ENOENT:
+ return (ISC_R_FILENOTFOUND);
diff --git a/SOURCES/bind97-rh645544.patch b/SOURCES/bind97-rh645544.patch
new file mode 100644
index 0000000..e2ae978
--- /dev/null
+++ b/SOURCES/bind97-rh645544.patch
@@ -0,0 +1,31 @@
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 31549c6..65a14b6 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -1762,7 +1762,7 @@ log_edns(fetchctx_t *fctx) {
+ */
+ dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+ "success resolving '%s' (in '%s'?) after %s", fctx->info,
+ domainbuf, fctx->reason);
+ }
+@@ -5298,7 +5298,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
+ dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+ isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+ "lame server resolving '%s' (in '%s'?): %s", namebuf,
+ domainbuf, addrbuf);
+ }
+@@ -5316,7 +5316,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
+ isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+ "DNS format error from %s resolving %s for %s: %s", nsbuf,
+ fctx->info, fctx->clientstr, msgbuf);
+ }
diff --git a/SOURCES/codesign2021.txt b/SOURCES/codesign2021.txt
new file mode 100644
index 0000000..d021b56
--- /dev/null
+++ b/SOURCES/codesign2021.txt
@@ -0,0 +1,534 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m
+r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk
+pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI
+yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG
+ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0
+/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh
+qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF
+UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv
+SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D
+o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt
+LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB
+tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
+LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln
+EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB
+Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA
+1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj
+tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+
+5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn
+Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF
+JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI
+hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa
+xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd
+gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX
+pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP
+vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf
+6f2op3tMuQINBFwq9BQBEAC59lflbMmvSVkCHFoakdjokwGviNU4I/hOsNmHALYr
+gJc0z88ss2KxbOq6JZoW9QOEHz2QLGsSGKnBUViEGvXoINDGuvzKFqHdEjGsExiF
+FPGAgCQA2CSEZZ8MlITNdq4DuSti1LetjCF9d7hw2xOQs9ucxSXIslyqPbCdlxki
+33tov40VE/J8jDUp9Rv27e0H2x4Nhu9MRQt4vTtpOcelYzl/dtPAmsnY4U/Nex4I
+LM+JU2HcG/5i0nWkxOtz9Qc7kOgm4cuwXTCJw9KukPS3CykV1H/StPp43JyxoK1X
+gZDMFww+9jupqLletmYKqCW6jVbqXr4Xlisq9Ey3LIWRQ0Zw/LB2NKU/jgnJGtLa
+7O8VRWJKwkCtyYUbZMksKiGex7zCqPDR0hRVuYNsTjONobnrOS+7ST7ThbCndc+A
+5mtuXpxuFffIuG78a3R3N30RF6g18peTfaEHMpqz+914HkNl6Ns445Zh+2rJkLUu
+8O++tgWEUrpUajN9nosWaXWHOf7E9qGnm1G/3f9P3Nd5U+b3OKUYyqb+CNGCHyiN
+bE1Cg3MnKpM9Yi9aZu4Qg/dPdxMWrqUmkmyDf6x/Oh8ZZkIacFlAaqbysQ6hRaJo
+p7UG9AJfXHynj/Hz+1dNpUOlAIairFe3T2mWQO4Yy6IMgLEGVodZRHaMugdzZwus
+HwARAQABiQI8BBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlwq9BQCGwwF
+CQPslwAACgkQdLtrmky7PTikHw/8CZ+DnggV4AuI86spuMLdtUBDOux/T0gvyxSW
+f8sJkjH0eAYAmP9/flJDfmwra5yNaINfqoLFWtaYLpxpBcWBc4VIoiWqVp2aaCPi
+wh0sznCPiduiYcKGkHmupX8aCQXBYFDeQ8Jq1e9zwGD7Mon7BeBO48Vd5/IT1H5I
+u5qzaCtD2ECO9MYdhuqJjFKU0MVzVocsBDdtLvrfnUwe4wc6kvOgHQ6RkMJU1bgY
+0Sqstsg12vnREAr4uihnZQEihsRmNdiiv0DYVaRK92PLPpfVAox1Axq2HpH3WT87
+RpsFruXLj/zTl4AZczfDVd/Z4yWmJSzr0F5igkGSUrxo0ye2kNES6cmOGI9TgmgP
+NLGXlC/su5fKXKjRgkD1ibJ0qFNNxF3Cwpz/+cav9ySDgFGX5Vu0kFi93fEYHshD
+6lP9M5qS/2oKiykCGvcRCNU/9emdYlF37H52rxRerBaZN6dYMTjZw2vsEMUl06pL
+llbLiwjPix2OlLFcwH3yKJG0pKkpEImBdJwHtJh5uHzfkSAbZjJAZ2Ekw7sLqiT0
+85hAGovywGpHMiYkqhNUO84fjZYCsrAlZMdriY92IMcQhmWQ416t5zcle2Xgx+/x
+zBnktvx9KIH/HwBa+qym5z/uFC2S6zhNyC61LV/CEDCmcUi2lUXr7vcIxCsmxuUF
+1ONbRP65Ag0EXFtUfAEQAN5tk4luE92Ed4E92VlgTetGMHyxwOlZ2OsK6l+Z5ML0
+wzomAITgMQwG0FeT6HX7vB+luVhg0XAZUW/K0bme8ZEO0dbHB3Vn07wXHhmq7QXH
+/ACftkvevIT610dHskrtIvE5rZfj1P/wtjRTxDrkjhlGj9vhUxxcCkKadzDdBJGo
+dP+Zh02d/4cc++LePNqZ3eJWm0JLghqKxzTv0MV1r6G1ZeykFzXeWY+La8ZCRaON
+LcHjI7wlpyTJA9WGmyAphtEHM4fQqKLxtebIDo7m4glgR12nlV6B53gUT96PcKuA
+Y/UPRiTV6nHyUtuL1EGTAVLsMDmtDbdSdtLLVbJXVmA+tapABa4amMxNVNY3QSUj
+cAbECcTyVmVJfIT5fJW4eOMhWtrIGMspWoO5It0pl4K8jhCzIcfoXQ0olCSeC9fE
+tljE7qzRzYQUUvN1VZPVX0Yw/xSwOutv4mxmNRWY9HW1M/jGoRAboqN8WhCbldak
+a0XCH3U4rWXB/8HHb8KP4+q4ssVyPuEQ/v1UNNRk9AB25NPEh5PMdcf7HU8IcUHX
+THEfd7zZVJ0l4FSsnGeuJfMrnRIpNOYX65ikeoTwmDU3ZjWfmSy7F5hTLw8WOEB4
+EKpnplyV1QN/j3317/M9PxvB8IOvyNF2okeurtHFMmI/lGwy51akp6iHMkbBDm5n
+ABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9OAUCXFtUfAIbAgUJ
+A70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBJXO2iVrHKChXzAvtZUhp+1drOkY
+BQJcW1R8AAoJEJUhp+1drOkY94wQAKb2fED9Up/xHEOjZm5ODK5LCVHy0KMATiTf
+5SiJhRtqaRbimPH1WB3XMLls3FJZnm+UngIfwCsoWo0rksFUNmqFi6t4Cj/UB/Zv
+29EnDT9BAeG5fP+Op5PDCsu4qnLv3oam35oV9yZLRkLhBd/EkRGEA/q27WnpiYCx
+Jv5uPOJBWQqu32aE6st23PpY/QWDWOhGPfcWCecu1rIe+2BCs0UjfO0KOT8HYWNh
+nGpsEZ+TmDKjRxMTYWKguEb9evEihl6kUwmQZgROdhBes63Yq4ku9rBXvRhCYbwS
+odhjx2soDRcNmzxNV1Ply8a+2bwRHPnOeyyxEHFAwjkyXo7ZqGtenwSriG0LOW87
+y3Yw63O+oAlGLIB3psBSj4wZVGme9485HVICAFcJ3jXqsXSIJdzW61nGerB2r2Qk
+Bn7yYIvHg3iOToB0alfNw2QuDtCZTNefvlHFnoashRhkk0yWzBerleFJbijx4+Vr
+FaOH35BO1T3rgBmGkDW6gewoZMHEcmzTDoxxmbXiRvY+5o7b+ul/yzwhnJz3f5jk
+7+Adnr9qAGMD2o3rCRBHV3lSEkLhBL+bfmsEYEor1fd+pDFoEKKjpDP6bgDcZyGv
+O0mmr7Y/6ZrnKWxOrmNXieOTLbpY22tXv43QLgyiPcjhCfphT95IxqdNfMfOiI9k
+IQf8g7GBciIP/1mbdnMj6Hg0J9IbI/XX/DWATOVMdDhq38VcggOHRjZk2lY99+4V
+Au1wRHa/Io/CENikYzI00deSzhrN+tdUK/TCZI0Ft5Lykmti2ilmkIQGsBuD9gu/
+2bmWkNJEdpHeC/+oxntDFj43CpyKpPAarrw+4XiYNK+1+4WZsQRL0jJuKJ754v/o
+NTaSd8GOCyFR7q8SVH4tig9DjkZjYjFFMnWkxdpnDX56/AfdS+x5EaRHKCJoGChT
++pHimvKe+MxBxpwJr4JpGddklin+6xUF5jTG6322hz385wsagGvmH2XliOu47a+7
+xUei7w3S1qtVCfdhtBEWL5i021yVYlrw+rUCwpFMIXAPA/p44O/qY06sQXJ01Fym
+JCbOnjtVYX9gdF8fMKoDXAcvEtSulBNpXDongWp50BDfVoA7h9oDsxL5kw0GpkJn
+uVMYLpO+iOqoEA3bJfsCedilkcz6UamLb+6RXMupKQaZ006Bu75Rm+h6PdicdiKD
+jJY/7PbGuUmXxuSFT92v0hATlpEIQ8H8laEcnb8apiX2qOyGUHnb7pfYoNqvCm06
+3NP2igCtiGkzAohiHfhztfy2UApiTtXmPu3EhEUMooB+0Lt0zzY+e1cnFKRbJHvQ
+ZidiOJfKuqp6upPvEgKYMRCAU4+nLT3MVbralo726JnDqrDJvCqAamhfuQINBFxb
+VNsBEADcRGjaY+/ZVWBlQWvgy08ObhQbTRglb8thrcPeTR7211JJwAJemuTWwCjF
+SVDH8JJ0Ss8rBcbitrGI3i3mcgJRQ1hILR2HT0bbmMLufCxZzQBjJm76H8XN++k6
+bd8HCYGXMguUaHRRHAcV+P18e3qGizgL7c8Vln9fbhowkX9yi/WhiL2uoXC3+XSa
+C08TzwjKPb9Wnct6uCBAzMp8S7KW6P18vZyBTRBrugA9eZrGEe25rhy9szlJcajc
+VeMiDMf058z7ait5t43AfUzd5zrD6c+ZGYIku88oY55LsZVcvn9o7I+UNbNJdiek
+IpLae3Dgrie3QgDyfzPV1vXT2X8LaegOsNIkSo6jzjdKE0ZNg4xVSuPdr5jujYBN
+z2k1lqV/Q/Ccpqzs0NsgnXnY8RDDrrmJhdy/ZrCMsXpbTK5KryR+JoDEiuyJ7YO2
+jTOCo6zQ631jvi7XUeHAFIdQ7eYRklJwABwj/IMXY++O8JBLO7iZ1dvvu3pfY7pg
+dQvPgDttVAIxrNxMMj39LRbb6LE+eclWcTfGCMr3O6LOOLwkMnDWEkJAz7JMtWqr
+2l+9xF9Dq7CkxHPP87dLTMNGIDr38bJ83CSmDPlBoaljTYgrlatBTV2hGMjPgEcB
+jOgg6QyRGpO2N0SVBnD8PfBI7a7CwQw3BHOJtH8vPUkXZoafoQARAQABiQRyBBgB
+CAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVNsCGwIFCQO9IQACQAkQdLtr
+mky7PTjBdCAEGQEIAB0WIQTXDITmS1WOW8zsByEy4hdfHXV6KgUCXFtU2wAKCRAy
+4hdfHXV6KoJ9D/9IUN+s4gSiyWnqfq+UK5q86DTbC+OyQpAY/U/VDi/jQXDUaXzu
+f25cCgyl4Xgf6nNTE6IEdgJCL4R6bChxJOHNpZ8/N3ckb/Q5xHKZ/5k5wFv7nxUk
+vunzxB0wUgCLkn4oy4B8QbTMuRz1qcSdehUyZAlfkr7o/J5UO8FtgaMuNACxZNlO
+JW5AjTDdbEW0MZapAgjx7+oTQMDtz9q4afuPaGJ3fTz4Vx1+mYt59b1h6xaMTXJi
+8egJF0U4n/tJ+3gxAIhF7tQRPdNEwG+2Kw/YNyrLMY+nbazhlgUIIkk2IH3Ztd0S
+XnNd7gV/slN80T9CtHtaDlH2FkeAd1unynxsDd/TLb1gLHem5iDsFuZBaIyHetdY
+TlvT3SlKnDQr0FBTe86Kuv7n/ZNoU4lceXhUXTcataxKdxKEJt2x1Ei/hMHSVjaY
+3ir57tuOUDMkl6hpL3sYiq7cMGUAnLH9nBZbbcNdfChDiM24mGmXaNoITutVAHS4
+uNunSL1l13hJ1hnGY79j4l+CgnPx7LHzBmLh4PPWKM3RYqwgaPEkflVQr1JOOKMM
+x4bpllEtzpvVAIaF73tlsOQRRN1Aah67gvkWKqiZrXc0Sx/yh8EO/6bImb87rtVr
+0kjeDGEiuGYXsszNBCmVjHal5kLUKaESefzd223zeaFe9foO2HrnsFb9B34ZD/9J
+W5M+42QFd+tOLh1ue/5xToiyggGh1MX9axDqHiRu2w+E7kNuuws2426aupUQ3yPD
+4dSwR428U14ytM90bZXztKFDgFAaQJ/4YVEGPSbLHFc4VlhDHpGljl8J7vI5xPOm
+Ruc9aabtXwd065nQ2csk1DliiA4jpS9dUq/flH2oGj4b2OSGFvR5oC7oERHMpUA0
+p+wY3vnjkSVnWqV98yEBCFcZvpOy8J5KDZxYZvZydUvZ3ny5W6QPg8OKriqrCAKW
+QXds47vRIiAasK14duLgex6il7HmboaqqOhRhevtBAHBJpB1z6Aq0SMwcKwdtTId
+GTSoQd0R77ZGYvR3StpAwl8rJhCNwJHu2euA3hYPWHg0pF0L8pFbfUwOYf1dU+uQ
+4xAJQKcCteQ7B0pawp+Hxp/0erB5c5PUUck38ze1ZoGm/oqh24XZ/amPVWE9nYSo
+VTJwnbqWsfI6mzKdBHr5MP5zW5ei0PAo3lFb5gvVzJ2TqaGJvrh907I9R5Nwd6GM
+wAWAzZ/nCLflSNyPyJ3ftxY6pGyCBJsycY7gBQD9i1xU0bxONltqSyifwQ0rt7yr
+iwSI0VRnv8K3M2iTAdDm44bX6oHzljgiYachlV6IGmO3vdVVrCDhm+b+ia1bnQ/1
+H7itWEwllkUCCtaDwEcf8o3OdbS9S5KEbwH7YUD967kCDQRcW1UMARAAvl+0jUaB
+UkQWBflWy4Wd8Gcf3lzOqbARdpM/iztebc7RbLnv0TNFQPV4TD9RoP+rY4dJzC8w
+/rlxlhD3DiGcI3of3o/3pN6jss4wKyy9Jcg7uCo/fcspOoPOwigAUfBYTd2rWNvI
+/pPUl7zmavQR2+TyQ4IHWG52zAABGej/tf3Ma6WGHC4QeTkh7LtHn3JFRCoFy101
+x60bJqIWONfR6+5UAOL/P+zTteEMsO3v7dWCWHX/tcYLrhCEH1CNnyPS7v7TF+Ys
+uOGL7sSmQOUAcgldfUfTACw84YqViu5BSYiww18Eg1l66UcQFnhwB3fTGwzb3oPM
+npAv2wAZ9gyFGzRgcH8QnXRm/SLDWlTaMIJS//0p/gXifCAdBZA/skBt+E4hQ5Sr
+9iXGNMueR3bn7u8Pcoc1DpSJENE5H0nB62l3/OiSl/k7mJMGlUv6wKr42xNnIM6M
+hO97axjRXy/XQz5n6ktyn9xRngkQNL9Ynj+i8E0k/xv5jA39EGAKOXxQFf8357sA
+DnZ5g/Yf0Yr1c+TNIIRXER/k/KMavB52mguTNqCsewO5aje4Gq4vKd5P+jOKGopA
+C4idTLkHutZTiakod7lW2jmjpm6P7oyAeAhDNEroNrbOIw0SaujHBmJtxgK1Q929
+y/EaH5vJyWfMFyUqM7CQBqUU/HRLERsebM8AEQEAAYkEcgQYAQgAJhYhBK4/rHln
+EexZ/AB6pHS7a5pMuz04BQJcW1UMAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkB
+CAAdFiEErtYi/gIHfrS1wUbBQqJ50kjNwxAFAlxbVQwACgkQQqJ50kjNwxAf5xAA
+hBhcOeqLgeXbUu0CCTKlnG6D7H8sQJWXCSsh9pAXffv58b4f0ntJ1TztKfVd79hS
+BCcXRc/9+MhUUzR79NvFWWZMWqJ6MucjAkkOBRoc7c85PawYTI7e1zSapLPJEHG0
+xDzK8ClxwGEvlA4O/eGGVFaCTkxdTQg95fDXfghab6j89GI8Ghc9rC9V8RUgGVQV
+qJJkBJ/gECJJp3holB4/w/I/sU+9AHXGKJvSJJ62fpmY143Y5JQk+I8DxoT0kIq4
+W2iZVAQMzQGpAOXkDuHk7a7J/QuL78CuoG98GOsfTd7nNsgPTZ07cPYGOxXeNR5U
+9DlYOBWDwsf6d+D+tHLB8KzH3MWnWa3crjE3a/sgrDEad0CmAJzHXuCyPMy8vPQn
+uxIai/gw2POq8YQMoKW5S80perLuN73FxAumjK9a2hYVdZNtABwrlW/6ELruv1se
+mMjUq6oDyFio0rGy/uzCItl13hIr1Ii7B/SPz9dNnCagV8aiUmKXRk3HKoEXf34I
+xWlod0szWopnP31NXNKHihs46ORSMrjnzFKjRcJsnipdins+DHJYroYhtOjNtsb/
+WV3D4tSerG3xKF/v3ssn2VsjcgK5HY/k9iUol/dvoP0bJ+rKs/fzt8oAqEexiRnV
+cPnj/zAiBOt1940+0vTWaNYOPDkq872S48GNybOC342u2xAAnAp5myKostxjyQn3
+E/7/G1OWHaJW5kx/HCqHCWjgwwLOmhssNn8kpTf3ybvt5uhMolIF95RjFB3gBOfU
+vw0sqMvEoBoGSMSTSc3zD05RBsWWFD9qwvPMXtn0gYaH39ISAFnxXrtrQ7dDD1d2
+LcBErdttnxEhUnT4/0YIat+r2PhmYYDYviKsuOy8MC/sJIxvhYEpbyPQnPksUzA4
+wmAbVNPlzqU2oWPrLT2tlxUue3z6VS/YHDcsLSgjVOMWSusLMh1+D76Y+Lcr9kVz
+nRu+dYXh4I6OBnlT1VuzEVmrf69NFwh8j3PaVn0I0NEDU7mMa+5W0QYuJIsXZonq
+SI2uIu64ZOVd+D8WmCEZO/Kmk5PMXs+0fMcFD9mOeFaiOdz+PIlHAsrxwKXr4Q5z
+zzu/wEOaqAVa2bJywTbl8MntQUY/XeD94MvdlSAwO3Ll1BpQ5NfXjm3YpP6Uyqlj
+pkrYQL56iqucgYn61jLSXhFHGLXSZs2G48ggN2mHtf6ZQeAJ4D2DIXRj4uqIHoJf
+7MWDui8u+cJsw/F0ZerPsCN/CpkEoj4FW4F4O3JbiieYSUK7lxc0qyDdbQiVCVl/
+08wNToe3RctSzsQ99tCwfVWqLVcTVb+0aeSaNykb+qW30bHW7AUYs/qKiapQFzZz
+QZnpHXGmVe93fDfILx3yUCA8Yia5Ag0EXFtVOgEQAOS7GFDH2DGXPMJzSdS7a/zZ
+ewP4bM42n2Ku3XiCyXG173p4ppNdOLS3l7JrRflMhjfBtETCOV8B4z0B9wCZZywz
+iLOt8+0A0zpY7EHZNvMRjZyq/s0FCKLtnlqo/KNwiJPRvQazZ6+UOSffEQEGpNKs
+1ycZIDb1tk8iRpRvtCin8CeLRLf+2BxHbWBewnCSCl80rC89PTcvPf+jmtcDJqDQ
+z/blp2CT1JUo1xdzyHYdIa/kQ2PBQo02ejBVs0vDjbzuYVQzZV3q6cYnYwGPtpTB
+Ot8GXuA1X3qYx0MlZwGEYpiTFS+Ju4cJrYofuBOudXpfux2uAPkJskw+ro5k1I/q
+fptRWDbZ4fGgROmUXBPg29XdyVExYgAbVeBdHWX30sCHs8+c8wzWkdAY/BgdCySg
+EVLiDmSfMekH2H1N9ncwzhwNlHk2BaYTR9hWdZ7lrH7BbT8g6SVSge/eqgvjKI33
+AUmragvNQ1B3362yqLK/FJOHyJiYd6DKfkq4E+ysw+C+qIo51qVNkqRqT0M7HhwZ
+AvaoeykrGIE5vq6jHa9+MxDlsN5Sf7gNgx2dk0d7LAJR6AmYNqRS2V+837XfogMc
+bB90ZyK2rOzDN3f48jaqXA8TX2CSun01RoPdCPZm0M/uxTZxOFzoatrkpEVbx/3x
+sjvuPVa7qkKdgUuo/PhBABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2ua
+TLs9OAUCXFtVOgIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBHkdfriO
+vI0BOENKrDPfNZrnpgp5BQJcW1U6AAoJEDPfNZrnpgp5JY4QAMry7TcsRIZJCVlC
+qecIAjyJizWz5dEwScba0BDU4rv/h42CvXJlySZpbgUEyB4SBggEnu/dKVbsd/t0
+TXRNg80Zs/pTFVbwcg+sDgIg1wZldZbClLfvgk0xLoDl5vq+K4SAQwSLTSPHQyYu
+8IxkrKmbBdBSXlgnmcHK2lDXrzWYJDEYEyFPV4pC3cHicCygSc/4eepUz+crEF6Z
+IE1df4LRv9h5CgsLewMv5nQ1EjxTo9mX1GiSh3e7KcfS98FgIQl3oy+yO2cmVVVq
+x5ggDcRI2sUbXa3D3kjAo2tUIA1nUMFLIrii+aZawOsf64VMdIs2OXEi5XFR+Zdw
+t+Bx6lUKZ3/tntStZitJdK8/RUbhmYQ8Tu01vxt/IAN+07VxWyZwcFB5KuC+lKtO
+/0vwyhyiOlHm8lzV/5qwFPusB4bNk/2uLPUaavJdrBpmB0t9pol/NFCRzW5MKFvu
+Qw35QyFVR0IBeaGjRc5J9yxbzi78umN1iHZbDjXFA7oRa9tkM2AP8V2anxSHUyon
+UN6OuLqSM2frA8iZcl0S7qcepYNF1ix9PhdQHXy0H7hoikXMLIiCl/unW5pVTs6q
+KnmxmRz9ZcqvvuVXbeY9C+kZE0LOBTZMljuS1Hcs69RU3rA18swfN5CTXw12ZwQZ
+SsnRhi2X28Tn8SD0vrEsEf08q3XshDwP/0MvBBfymXd+5MzxlvMg8vGJeFuDMEFN
+cpETa7Xzzz5Eir3ETtxpUWPCriqmCpnlIWidNwbg+LlyTeYUDPIDnMtEX5ySmYGn
+BI8ykvAKm/XTfr0PWOEAXcmxTC3oMhvYEhIyGHZOFJQxIo7vmrwZKi2wqMnKMPq+
+XXHgvtZe5tNbESI27APeQCMVZLVnVVa0D1JRFYBuwNoJXhWbAIKlIjBGv05NvK71
+e4x0zEY2mXxLBbsxVBvHhpg29HseX/AhHvUAcBehJ+sqnenXZqdeNhgBIeZubXq6
+A/gfscswF/Ocp63Z/vqAjEmvUKwAxNKrKlwLVShVvobPx2N4hH4ZT7p58cjhMhQz
+Lm4whTHy1hvBIR6j/Lo2eOkkVhiMlrrvWJIAEic3Gzj5f7XOsVr7CXjkSdoXHOIR
+63ZDO/9Wy6ygu8vCdiIFlyRyUBLnGhUYVbRYnTU58tQMfEYy30ZKF4vxz4Ysxoy1
+oJa6emaa33Nn1Z2kE64AaW4wbUJ57nROuFdoYTwJ02vyc51J4s0C94EA+a5VrQkN
+J7bT8P9G5gksp4b1WyoFm+O4aU5Sx+XpSO2IZFuBL05anF57Pm6Bz3LJX6sEYima
+chv72q7PYeYbETrl4DZxE2xlEiMUvN4DH/RExpPWeUsVMFtS5n60n5+AW1EYyGJ9
+mfWlvZ0xCjQ3uQINBFxbVW4BEAC/gtho2rZl6/+/szkOfEumAdFwyQbtM5CnJyuU
+rnrneWWlnNPLeaHml5a9yrcgOZ15QgnFD5YOHZ/S9L40goML8cB118etk9uE7vMv
+EtwxbkqZXTlqdxpFI/SzT4jJCa9XFQ2uA+KdmKmGW9EagtdLql2B9ziMhH0Ha6Y9
+5x+9+7/oRYU+ddmAbwrJjdn6bCuYQ7QVpccFC67qdpy2I97v03hst7yGT1FbrIjE
+sF4nMig6Uhwma5Edqm2dLaVXeZ+Fl0WeQCnWjprZMvkHCAxjTBlQpmvvwcQwqHot
+s832s96l/Sd5R6r+TWU0lTtXpcxL6t7MXfW+BInkqg0ZiHG1Znni6SwfatzDv6W2
+lJW2pj3Ub++JulEIkbct1f+TEeeLU0RbJmWlL/qe24fodKg1ixH0gyxsRKzdBUIf
+vgCkrzwLFgJEHRISjQzIASVtDdt8QoIqX8XALgjMBgAnZqtYrAEdFImWys0K1zOu
+MbuPcTImufz5ObnKM7rRMdCO9z+cHGs0TT2vUvPPuOsNYL1GX4EfrCp2eLKahjJQ
+BCxfatn4mFqHVmR/4a7vqq1j4Qfj3h08z7QVrNwGWAF3r8nmaHdaT0m55xctMRQa
+3N3UaYj0IQ08CSUJq5e005Z5Oinbt2O4paxnG4/UbJXpRiLEVU5Ja17IBsDfZydx
+W//ZlQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVW4C
+GwIFCQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQQVaJBoXqDfahNx7yAXzF2x
+8AiEBwUCXFtVbgAKCRAXzF2x8AiEB3iPEACI735VFBDd4E6wlGAA12Av+XnWSruo
+Te7zGdKo2SuZ1gN1PYdNgflbifYCYajnQENp92N3q263Sq3MDf+EZYKijJ3EoU6y
+chjOJR6ge+UgKPdGQc7Lu61wWECBFaL6TMXCedcZ/Xd0xT2IbvK8qsKsITDjiDOh
+DUqdjVeyPXyfkmSrF5P3hvNxJvPbQ6k5Igx9JA+unLXxatljAeh1whnchRQAIKkx
+l19Nr1z+odFD+tzCX4HQmUfHRXgBiJICyIxWB+U7USqLtqk+7DE893meceSt0Mz0
+JgLct0E5EFfCdwbehnl5NJeay8XEdcfjUkeyb/VAVxWYUBiG72okUIaIP7xR5MW1
+P6ecdTr0GzOC1SySpfyT0+ot0rtXGSnXrBzpY6nU14hDoV3g/FMas+qz1smTtOVi
+1MVakDRf4QyP9Jqf4q4/GosRrgBvXZHi+zWkKuf+DXPcL/q6MfgHvQc6tFMh5ONQ
+snrF3Bca3BQDT2GKjSukeG3JmECHmKtQk22jhk6T9DJ3518yw29El9tUgraaZ5Fo
+Gen3TYCxA2BhV2LYCSLSHiTPdtUsbDuIP/FXaFXr34nAtKKOSSY6nP8SMzCPSEMN
+iscfdjejR1Xd012T/mLqVCBzFJWyX2RaUdygSWUpt/QdvWa4pXCgYZjEVidraOws
+VWMbb0zuI9KCseOaD/4jd+awtnRUj2SbGeJSVnqDPk0Hk8ndFebAo70uQGATkLXC
+m5ls0RDU2xHZumuUk+b74Y1KjwdqF65NEmfjaSQ6B8gnCO69eKHcUT821ED9bwfa
+4XpgsOMEoZklvFByax0JMS4JEJU/xfsLmfeuXVirN9Z82vxAXG8fuK8bso6VLG/J
+Mpxhq1Zv24NQ+uevvh9loyWMcaw3IqPvQzNlyuuya3rXJYZHSH7TauYgqWySXiGS
+H6oXl6Ej4GR3t5uWwHKvEREQer+KPZV3uXRnrTpgITy+PxZ9ywmPwmPBHcD6c0P+
+g0lNNtDdvw69qy+oh7JaqqYaDvedseN39UgBSx++ewRhq0OTikAD/BCv1zhPizlD
+9BHAOsCxrgnz0WsONYKFAE8vtNo/wB//djf/zqMsI3iWdbWqM9e/muEEV4jQRWLW
+TWp1XTqqvkc6TsLBBNO5zisJ0VwSfDyRUplr/IWeUl9FrRngjBJqF2nl90US5p3o
+uk5wUWdjFa0haFyDgZNFwyFr85mex+o6qIC3oif7UjC4kHPe4wzvHDYAxrHMB6MY
+QvrcXzULmInot3qRAr5duUNbQbrjdtVvOQFvjowBP5Scu5ZBSzc0O2TUUSKgnJZS
+Bs7+yswfgyhYzusbxlOdA+iE2Y8GuovamGYTbsdCxDStOMfZnaiXuLL04Uy1PQ==
+=fX+D
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF/u5KMBEAC0hPiTonjYEe5FqNzFn73KmcN8KGD2wzujmWWLnFXGEVDEpFcS
+ULQDshhCclwNeXUArUey4nficwpqUe+Xl2h4dP4z7yh3WiL5nA5JRjJjw8KJQGVW
+AkgiZTnJHH8DrzNt9LnDL516qMDJarTHemDUUUZLNxnuv0RDEhDxsXWiVCQZZcw/
+41yIY97uCf30dsDwnckVl3iEmYaGTYavWbKP60S8WaxO0YG57RI1etmlIQ0nMmka
+4bvFnwwb9Jdnwle4LIiRMCGymsheaKCKrEZgIJY+idyBuExLLykiL8iNBj2Pzi7z
+XSCniH9qcEwfqgZlP/KZwujLhGOc4c4peNwpuDGcmYZoAsUD8CZ8H/LU1FIR2A1u
+/UrRREtC8nNTDGxCckSMEquHNURfMk1QmDbJ9gaa9aOk0AArxuTxyj6Cn+KQd5l5
+0mN0R1sDVQq9xWdvnB7N0d3MDhnV7f19iUhi3KYvjVTkCMXjhNXjDH/KXFKoFhKa
+9SkxYGfW25inwSQoqbP1TE5+rESf57bo+XFxfVQuYfVJ5BlZobz+sRl2iDQyBJDM
+uDFyXE/t+E76BmwyHeOI1weqUMYebqHgu0x76dTYj9yWgWdQAC1pXi15/MTIaOtQ
+hWezb5rkI2yZqaZLaRBOIRBIPM5C5AOjL2XbfwUuSr2W4+TvxLocxi48DwARAQAB
+tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
+LCAyMDIxLTIwMjIpIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBH4ckayA
+MKWlnR76uXUPPIdyPkASBQJf7uSjAhsPBQkD60WABQsJCAcCBhUKCQgLAgQWAgMB
+Ah4BAheAAAoJEHUPPIdyPkAS0lMP/2IgMErScBUaXrZXqYXoluR8xU0p9DyZEBx+
+ZGNAcJ2CTPAbn3FrkNGNpK4SOCLXEZPKOQ09umaIxl8H6uEGaTut1JLj1qGaZ8ID
+4gAeQcTIN9OQA5ElQo+ci20XE9JSvzqY1zb04EkMuVL678xPCYJhUSLS0MAQkcDJ
+JQLN17SwNi4vGqzVhnwKUviQU9/s+LRUkThsTg4qT0fNnmGoVJXqrshxJa2ZWM6J
+QtOWBgJiC6xZ+zRiZS898L0tekU4o9yxtnnDWry2bI+mJbxAp94ZAXgKahOU7LKV
+3SPxkx7TAng24nOWi1EaP51pe7usTFH1BR3CUHZdoIQ4xruZGkt/qPumskofzl+1
+8bw1bEFbq8S6jC+twT3JUcE02HbEIbrd6l2T8pYBXaojFggGjUTSv9d5YUN5N9U/
+/Qy0o3xZwHNdXLx6xSrUO+NT5JU1Nh/0sutEH7ru/YqFZof9vfCbV86y8fIOPgk8
+LkJNUSu4QCJ1PHKB+fJp7yAhlPkOXNG1b9+W/hVp96rdkovpCUkLD83s+suQyJGk
+QB7Qpem7nS4zp7/Naui+g3M3p/uRSzZgELTnXNyY//bw9fOqx5SDLjSUslUMz+TH
+sFTwfo/Mot70MPHMe6aE6tdTDoJTcv4Iim/8MDhJ6yqKt8sxprataZoWwFi6zAF9
+BzWkJcrbuQINBF/u5P4BEACso8iLzFJ+M1wqcsCDup+GtRMzte04CAlLmaLgyzfL
+3xxBo4AUgX6UbUCGycG878JVn52S6Nsl6FlasmyH00MGjZt1CuNz4htfSmLGcBMj
+IwQv1CYR8bm9EPwR15NaWdgzJHShCduMHv4HdfqSa6UQfzO/P8mwioER19fkDQSE
+U1KsY0yl//ipWiW3ZJGShGHLnn4YbxogQtsRPESKUsQ9MtzuMt3ehGtkN4RguOXC
+6pCWP8J4F9lgjSZ+uLOQKV4rmpbSMXntOJi2nu+14Zj36enW8xyAXO/w5z/wci2G
+LN/aa/v2a3GM3WJQsPNzpDwB+pr1n0Kp+wK6K7siVmDoV+WecD2KNNgOuSyUve7h
+BjWRM9W13LsgLGhKJA8yUpPvhXk91vLRUhwFJ2GUirxLPLs2TSTjHlHvhcPy6aX2
+HxbHkcOt53n2h0zx7ntl1N7XHozMWmHphPsSvOZ5StuQRAFvfE63EyfR84KUPIbZ
+kvftbAJPKCJC8W6GqhfORzYZqldDNNva5iYHF1OItF79ZLGI56diNsBV9SOVKk4d
+f9Qp6urYOd+9RGQGmCQte/WSFaU9z9QYPEGl1NlmGAWt7KKyB6QXZH1oEMwXtPd8
+4GQX3XGtyggEp6BGwkFFWRQzF1EZ0maRPrpN4bpQqLXSJiqQxsX+FAcOkhpo6X7b
+8QARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5P4CGwIF
+CQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQTpq255IzwEFuiZP0UMA6+pClln
+xAUCX+7k/gAKCRAMA6+pCllnxDtmD/0YCUccmKudW9PiQw7mI1HSuwL6aS+MlG6/
+LJ79nmi6TTpe87NDcEv2bBpVWYcQK87smCxIYyuj4SCZuBQivjyuecipRoG14PUh
+KU8UiqdF+vKDvUAA7huOBlR4dgr7/KvjirnbwO3mGouwZszDOLvaHuO403+TPm1b
+mJtEA9y6Wbk/+PTtfPymQwnaiJkPhQ6Q7ZbyasRIisO3MRPacUjt2DXFi5VV/Mya
+8o5Pae3zY+5SjMyE2siPnVE4/nzp424jDzSq4DGEUip/x+QYHFwxhCJmdZlRIFmn
+vSCAGXBpyPVbckC0Gw8kZ8HsGzNbMbx/VjDG3LFT8TR2Djsh99/6icO1J+jDkPNn
+IFEsYjAw7Tos5IPhIT1XkSCW84KqBG5pGI5h7fJzf19sR7Ki6XyFe6VYvggeQIS7
+VN1ISl3tRN/dk0GbrKkUKr0OVfaRD0wXQHTzbec8Fs43G0z/DKoFutGB/J3yjAmw
+IOcP5R6rqjhVp4APQpsB51XCaaqEXaXZyMWrKILbPIjlE6FHeh1qd+zdIjullnF2
+YZv89HU9dIXxKr35CM8f3BWm4D4cRjsUOWoGhMNwdHzHYOdys6T72KBK9D2irz8C
+L0bycjN+SIpde/auo+dQKqKD3/ipr4dyKJyOUsls9cyhxkFp031cZ5rWbXcLJ8/s
+1BeVPjFCngqPD/9rMKA6kCSnTo+rSqZRxo9RlQwy4K6xfPPdHZvBi3A4UYCsurgl
+qLtFtGG8SMWigmUZWLT6uhsi0orR5wfG7vzajF0Hcd8yuWa4zGeu0rFJXgG64Pyj
+nJHtv2Tzi8DNY5Y+8mfXqUewyEUXQLxnLqpGlPjNUAJKvjm4SstNadewgWeb6F8x
+UQJc8owGmK5+yZQ5LZj6bjt9Dr3SCM3Og/iS5XK5POGUJgtgXLXp3uy7p9SzsJ73
+qhrDII/YqSwToMu8tUv4xEGxyceVPDm+ywde5SXYmtvMYrq5DBdlalZ9kBlC5fyc
+IIzKoIOOkKKpa/YAyKdLTk8ZByjDk1RrdcOyP4VNpCvyisf6JPwWfKdM5mxf47hb
+s7zioUH7miUGA6i5TNi1e+DU2mL92sJwQ0WkHw6KaUez2Y9CaD8hZnQw/h/JcNq6
+nb8y0GR8h7qWms3K0rtSs8SuDXUsdZrFAeURivccmohXddtt0FDzkheKGXs27SSl
+8oOCh+jl/hEUzz2mJGFwRBo0FI5ipN51IfjhMJ8zzSmvfrtdwT2Tu6wSY9DLsYR7
+0tWGOc2HA6o7kdcC1V0p2jvQct281FrC9dTXFgcDuGUBYhzEZeWwjuYQXBzMquF6
+ersVnPo/Z5l1SnkK+wVBQbf4igHOaobl0AQxnb86W4CXBTZ3CvRq6o8vWbkCDQRf
+7uUlARAA7oTlVZXhdVlPnSQlnI5JwovG2jEIrRifpbyavlhlosX+rgtQ5EILn0DS
+PJ35CNfOAeOcLQeRrJAZj6w/x9FHWfKRAHUeiTTsVDzTrDyJBCVuC40ck587KVUc
+GuB3vee03/y8qAczj5TZNaDdl+4qAzOFQuV4MjwJOx5fsXZw3dUAS7pw1mTkAYTh
+nz557buc8JJCxrebT6FvN8bugk7LJ8SYmI154Q5wCdXB6Q42sdSMFlKKPYRRmIvX
+vI4Ytl/J35v43gCLbXccTWQpBX+ra75sndS2hYGQhcC+WdNtt4THgU6Sb7ErpJK7
+7A1r1Wf0WSioQ2VWjT0QbUE+6IXD1J8duh6ZgzuqppMm13aDdMDZGwdcxlFw+vlo
+bM+IAX+QgzPjslM3FHVvvfCLka+ctMO+lL0bz1G4njNEXcIAILhmoqRI4ItVH7Nl
+ZI3pAfLLB4qbhTKTIiS+uIoA82RU86ozr5oJZCsJa5N5EpJnYxnjv2tYhU42eh+j
+hyM+5ra1dXtveKvL5SkVuRUlPZvgOuwQ14Qnj6sv8CmtBpyVpupHmY2RbNtLVLdH
+Ix3lyQbgVo9iMJIoXiPXmcRWCgLgOeuETjFXsEcFLxuN+D0My0dtwWcg+271vtPn
+0orTObxkctFK+V32ByJYxVvytNCW245bICpxCicxmh5kYEmQCnMAEQEAAYkEcgQY
+AQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uUlAhsCBQkD60WAAkAJEHUP
+PIdyPkASwXQgBBkBCAAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAl/u5SUACgkQ
+xbTukxqfnf2aeg//ZspIr4ETVf3ai0dXCm2Pf6gpM7QUfI9fPUHymvBhNrNhfZqN
+ADpzbJefzLif8as7kUr904zTc5Jse5a0MzCrMyEwTDIoCKDv2ktLq1L20bwflZs+
+oP27CYC5FkJYgLYPrQZ/7hRC8EWjgn6v3seJtEo8G73kiVEBOnxVEfGZ8zxmX1Cp
+aOWfhiFYCmkEe6Ck9hG+OaWt7+WW0wWT1UFiluzRRAEMROcCUtyB5IPCqCH/Rz/m
+/bE6G+lHZo6OY/wY2q/oW2f9JB/4QyJeSI+fkjY/wDjfNQjiPMLfZctv25IeZYVY
+ZvIKrdnjbzRe+GwYLg5G/SbpSOEb5O55Ps8mNUpYFaMCfefW+DG48a4WyUGzFr52
+BMKvHKtc6c7P3+muBAqcNZYxRqyLIQiYiV9CCjpIV1WgUeedroHUXvJF/SAvNVvB
+ZR00I/D2hsD9BFh3B1FEYbw7GuYuG27Z6fgRolOQUeTabjQLI386SV3IxZ1KFwm4
+GU8BTbUA2zwT3hu/BaaCI5jTSLyBpdo10b1wgMEnqmXG6AbNdxFVEWwE+CE++BHW
+0YBhKp8fghHwwN1fwTCV+QyA4Qn6EBVDkTrUPKqTeCmHzt3AQh8WVrsmrodyr5Yp
+69LoRnlkLcGJiOCKMOmkop9Z32ckGieYHrl24Dw6hmUSWDG+pBn0ezbSPit3FhAA
+qD2y1VzqxsaCOD634Ltq8AbvphP8XZPrrsC3DIA36ITaCQDa5Cn7madLCXy/uP6N
++tojtzXf4tUzumwGJGFLtdMXNmuEuXrj++NrU1xcscbvDn5O4NDMadwI1EDlQo7w
+uWK9jaQAVhF7iDEBEazZe26knQFxC0my4SyO1uQaEg3BKHj6z7dkAjzWJaQZhzql
+yrRzbCiVUUI8ZkrgM/+/6NJohUG/had6DoefgK6H8/yjgVx1Wtx+XAuBQ2cvclhc
+TAmHs128dWduNHxI2Yx+uM4kuHYpPKBwdEh91ZNeNqtBJURfSVjBCjKkTYiS7kiv
+XyvQOBdZVeSVpj/QoAfaUlQoBVm7aF6xf7GtYlVzjMsLYdpjXhy4ZbQQVUuPI+1f
+yFkw8PpASZ3gvO6KQ4V2w3hOYAxYQ1kSwTtaA7+18nyv65VolTmAotmLun94UKn7
+zjopByBnC/XEqsU3tibg9A7xQ2KUpWkpmG35f4ZR9aEIxSe2Jmm+Se0JfiAq6Szf
+dyWvr/TzaS/BZL4WEPk2Vw/mzWEPZOscpIkBFGK+Ul7yuXvbrbwr+zmAikHmTb1V
+XfPb9eBnwDDuRHhLBym4FMrPjzeziAxxkScTfDjWq6rvMmaEe1CX+dj6ldx9Jp9d
+iUngol89eSgAQOtptjcit5o0Y0Mu/RF6KIBG89ghFly5Ag0EX+7lVAEQAKFx5asK
+W7A9BNKPkaXgym0AlW2szQR1nwxi3APLVLS0Al9Y/3mnBbYyO84HDr82AtMSWSMY
+UZIKtkUj2sVqUb+xHOPkY/MenyoBrCl2qaTVJ89nnWMUjtrX2qk0O09+ByoYXTit
+BVPAIZ/qZfGNB+Dsp1haNKRdowkf6WXkw7A9dHB5isVmaM/Z0THNJRHwc6mcqbEV
+M4fDL+OCx6m2KQHTHirk+OE9Nwral82IIqj3d5UBHmjHAbQNXTDzZbWg6tYbLN3I
+EYxSRQpkJZIVheyBmWFZuivm4hCDZxJlZ1sgxQeIZk6wR2LBR6ccTW6PH11PhIpr
+6O8aQh8JUMg+/aJK2eQXINozYdjOTUjnWAUeUqML7Pg/vERRAgHXO9Z+NTIEWEOo
+Ee+8WOFmrmfjb9Uz27DtymhUjOl0ryiG6F1b90t1rZvVKWR2OaCUhICm88o3MCgb
+HFeOh7v3tnQb2Uot7kY1hgch6j1MNYWGb8LjwoTAmx9okEv9mh119k+SdVJP6wsX
+ZtL4860vTfTw6RQM7rkZBzTyf4qCvU5uRSd2u6JqtUhw4m/gkKQyW8jLEkqX7JaT
++iEBgPzjALvfSWDbDgst0szqU5jltYpgjG3On7/ZGFFJrkB06orUvovxLThWWvm1
+iugw4/av3n64hl/yfxvKQHLQA3Kfkjjzc3oPABEBAAGJBHIEGAEIACYWIQR+HJGs
+gDClpZ0e+rl1DzyHcj5AEgUCX+7lVAIbAgUJA+tFgAJACRB1DzyHcj5AEsF0IAQZ
+AQgAHRYhBGFPhWcuJXtdQn6ZBiGZBzrXgrS4BQJf7uVUAAoJECGZBzrXgrS4jfkP
+/ApYZIRnBL+LdTPYdbZDYXotkE6RO6ZsPdcV1G6na5jJ7igdVuvoz5nP3rX+oQoH
+6k9DysQzyh/SkXRPnbOOyvQsI7atmH7SkhNn7ke8zmEJLzApHA0ZMGXtBJHQkZwA
+5LDWIQb8HbtJTBr2DyJcQdpRmP3hHDgyYgwg0AUG/2JEwYqps+/pqJCrLSP+GLOA
+ia+wRH9xwv1Vl2gIxWXqEO6U3puqUg+0z1Av4Gj/xzuw1F3eLrOfgklhpASc8QtC
+89kx1nhFS+OybQfRAH7YN9DKE5L1kJxQ4t+uW8TiXf9r+MdcVMEI3LATZRtgowFc
+493g7EkTppmqabFns9OamyxXdIzLAKoKvykr7HPCBWUnZn2I2RrcGQltRBQlR0Mb
+jO+sFi89XnFPwXIw/t/9zoq1bXCGTt7H5RtrfxC1wTYXqLEdV9pptNj7j5mlff9g
+DMw1v3MfUxbz9gIDzs7ANnw3SkWi+d0v0bLadWdItkq2WKvvgB58NJtKPc8Jwilh
+nO7W31U/kv8FR9JcFXzS9+Y6ejIClF4FAwr5tK07N/xSFAKEs5kyAYEKxP6vI59m
+5h+tO8cws+pi4gqfWa3t3b+dVzKl9AIkWAYjq9FvbfiqZgKTlTviSUMpmK5qJVld
+72+NiolUVniJbw9Z10ps4G4zmXSl1ZxyKnehUzcKyPieEEsP/1/tctQx1LhVu0TJ
+RLtWrE523hqxpqDdF8/QrNp9dX3YVoEkMQW3YYir2oERtaosWXmRjldq5dNfgtwc
+lhG+/CP5rxNeCJlI+b64pC/yQMCrbz/V74aAipuv7ZZMflgr7ZD5i3jyM/7/AunS
+qOUPwkKrjetNF85eibeO7c0Y9/HhILkLQ8EoNfJshdc0/scwMZEpLHTMAHSrxCAV
+FuhLsF9epenA6IbtuMsp43aSxshX05RH7F94uj4VCMUSs/90viB5njItpPdZCqUH
+eXSvLSjxqsmS4Tz9Dn+uWvxleBLRRcpZykuNLGgwVXafWftWbA+U9KaJnDWFdzjJ
++gAsWfHfFBOa1RfXYP++e+VJflcHaEZ4byLG5Zf1HqAvvcaShAVuMXY1hoYJinvh
+uk1zJRW9dP7apZx7BXWxbWcn8LMR5GFfunl/M2iNASmkqxJ9gvy6TBRWJu2QeNbN
+5Ks0/GDUawQqvhmM3V6zFQWVsPwaHpufIaGqnKC2gXaIHXPP0ldyXdLXwgZ+6A7D
+IEqHQB2BDbiJtovk6GaK8PUCEHTiDmRF/mBzlpBJOn+Hc5ELufgr9E2lkrKJzFag
+CBCucNhVEaUedFrycxfSALing7DJPWb5cobu9K+3T9L3k57XgxSAj+g6vOxHuxHL
+ve1IPheCWfkKpJH5faFDWKpJYYPauQINBF/u5YABEADgWTS7wFA39XvpWNHSfAAR
+2/nlGWuTvD7zoirzUwOd2+I2XYwgl910KsznhlqDrHZlqKuGRjQlbpyTbsOH2N5k
+IE+0uEXidU3iwslSZ33RLL0h9+czDnlgijYXLCg5ScswBEC1E/kXX685AUCTPX2n
+D1+Ymxxgov3AvItVxKDd3N5ERsy6hYWPK4ACXt47hJFqPfPtnQe2IdFkRm3bOuX/
+X79Kb5N6cAoao65Tpsix1pm6tTNww0+THzIWzK/yhi1/tUOv/QJMEVAxeBAPr+Pm
+mvjHvsI9RNQt7VnoHVkqJhPDxyQZR2IOVQXvlYyCtkPA4WQlyxLzWM24TG8xhD1v
+zZzA8qs//o9QI8OLg2ZYxplC4lW6GEZk3GnrTXs7bW6HUq+RlayIbDw7oMs30jAv
+YyDdQpZrYuZvsWKbKu+65Yi3M5kW0v96LT3ueMJaL/RanL9JhAWuEqyezffsBZ5a
+88/i0n9FJ8cQ1fZq2/GLq/mN2JZ3e/HSWynTnlmk+qGk2bq0cRFJNHAs2HNAm0Id
+pjSFCPmek9j30wp2c2knML+SsSw5h6570mwILuKwFr6i2hyFlPk4H7nP04vPQ8P2
+Pu5O/Cfg9rPSBjIi9FsNS8/a29sSuOmsSGHZnMrVUpGw+iKmx/jVejOtqe6hYydu
+MSQtIU59E2fq5TM4tub6qwARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88
+h3I+QBIFAl/u5YACGwIFCQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQQjoUGa
+YHzyVyZWN3UsTffOV4ELlAUCX+7lgAAKCRAsTffOV4ELlDerEACBP9kAH17GHloL
+XJjd1IHttRWU2Qs/VV0H14g14hgRz2/Qa7KRR4mGrXPKS/ctMkDXwlvs4HPUTeO4
+MMT38hwxv54AjW7CtF8DR3EQFXKR51roICQognvqpPe1auNERdLzAdcn+NoHEQB7
+eyPqjQM3OGGq0SVRwNnv777o+Kd8Ncv/4fR1xvA20Ds94G5vCYpHB6J+lPPVXBmz
+rOYSf+QZWsXjAZdnAAYkpEjfJhNrqvqSoRxZ0dweCqieenm8Nzt/vdL9nT3+4AGy
+5hmaAG2ENj5AhI194gtgACvKwCl5hF0VKMhtm5d9SWS+1quHzgn3UFh3VZrfjPid
+CR64mIu3RpZe7EcR+lMl7gCJxdFlHVD3z1lbz2V6u+xH4ZsLrTY+v8kDxzY8ojM/
+zDbnlEK+xzA9akhlaD3D3wKXRVuSlrxfEVv14mwKN5AYHN7bLL3bjOo9WYtLznH6
+Av4GqXSQ+LOl0+6bLKmD68/N0q2IiZwUSOsxTE1fUdYPF8eiN8L+35Qt0jwybieU
+a3JYtmO8EW4ZEmjJGwKgyrf+eigJN2/0AeBwcJyUw1YfzaqqS35NNyn5eKANyFQ2
+ZhIjuXRyBOoUMBAx2TSm7FGeFOIw+aQgap6HuGbZ0EZBz6hr9ogNC9FVXCPENKo+
+GdTGoIEs0n6gGOPP5ssp7xUK3420AM3HEACSmYaNC1Gfq2d81fI0TBJ9ATCRPo14
+MjJGiWaFaXoVp/lQeOvlX2JyBG2I6fhMGPGKntCfX+/MERLNAiahQgOjvnOCQdlL
+hbq+6loQ1eSTX2AXpRlQpvyxLuebbM+HX3N/9mqAksgQdljmqoJQbiE/HqXqjmKe
+16ylU3Rjabyc2p/31p7hm0IJ/3yqDsM06FUBJ108SALQyVvKqRA6q1t/Odb3xgt2
+isbCEgvhJ8kYz3LQkvTW75rSa1cM53Udd1rbyo1t0PaOSGeUZw73/nY1+6LtUEg7
+Q0x4ohL1UE7z7+14mAtn4OvGDuZJil7Lf4cPszf0SFoHPs8iUFpSorBwn3u+5ZXW
+NYFblPU2WK3O52qZqsjuQI/gK7uQhXjJO5nA5M8Yv7bVrbLMOj64hdOpNbd56Ycc
+qwYbHZL3WyRAN7TNg5ZlHgIVac22StawjXiHWDGaAXpCaHJn8ryM3LY+LTz16R2M
+bi+HVaw+0fY9f/mIcOdT6AyDg+V200GkGXL6aw0LZkBZmDin+OMmL7AS8TZ4dvZt
+zj+sykcT8DsaFj5Au6zHJoCnsuShMquHOA/vcUkhoe8/E2Y2QdiX7zwDM8vFM8tX
+DujFLNPIZuItcVEpE3ysFV2ZfVgBXoxTlZUQxdgJBQ0zg6Ez7rDYEAhVqo2gY9sk
+XtN80X/unsjGSbkCDQRf7uWiARAA3i7pu8/QvukeIBoIk1V0GHGPjX+GeV3fR4fu
+ciYgx+NKTXT/oJ/89KVeetT4CSnGEZcEpAvsBL3hsiblJYyLVmeoCniFlU+rMem4
+zYP2PnEX70Q56d6SjBArs3K1FZK25S5qqv5ceM10NVRwPufV1RIuui6mQLm2ZwlY
+JyyANZZXMrHMJdaHpK9mMBSSF42MFQZhcauQCrhMhcpmZKn0D2+PpRveYwSr43Qi
+qBWR2INTDmj/V3ERMviE7vLajWQcmDdcrBp4u3miAJcJSn3XR5SiuL5W77jFEzgJ
+zR8yTC4hWE60nWJOk8UrEbpLyr7mBE0Tr7+1IBMgVXh8WHyzLE2ENREFvtp8KlSS
+y47Ky9n+5aqPI4M7epMNwU/ZGQnC8o3yX0zZL1tKq0fTAw1Ly4NGE1gRbmzrQcCh
+qUHg/J4KFYBMg8eCAzuPp4CRk8wUzu4fRWrOraoz/7bvhH8ilgPu1teLLKzDdOdx
+QAaiz/nGy00ICNbYqifR5m73K/rDdjtIqgsMp9Az0mEpgVNq8SPzM5grqAnP/iww
+QxwFftiXq/pEP2d8rn65e8NikN42Q28PH1D/uBYnOuVdZUvjU9wwywmfyr+NZMaH
+X9sN8R3Kk990W9VxwdOTITpAjz0qMtpE7i/GwPEtpZPTIfl54+cVKvyUjBuTXkWn
+vXN+6MkAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uWi
+AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEEBjEqvVaiYb6sKxATk1aQ
+aqvQi4MFAl/u5aIACgkQk1aQaqvQi4P2Mg/9FXfsIZAgPN/Dq95y1fHG8jsPXEoY
+VNY1codxxAaNqvBXZkfJbFwSYpLY3xIbyxHuGuOtC9NpIy9M1+PR7MsxtZAvSjP+
+flP/12x+6nP2H3NWOICpsY1tNOnQe2SjKJxZXHFnDqDBgKpv3QfKUHmYEdExJe3p
+NQrjZAgmdbEHeoj+P2VV5vqRrJoqNV/pUbM9czfEHeMVMm/mwWNOi/paCh1y/PxZ
+Mkj2bqLMRFfML9O/7QOJRxu3wQwl6jJHj4o6CHks6t237FSB+qZhhQP+vR2CZl5w
+lQ4trw0wpNgbZRIMlU3tUfFQ+KdFsM7UqwzwrVgWFur5r7KrFzJN88EKSplrIY0q
+se6S5b58H7Tw1jtfjb/xF6jQz5aoZ9xemd8roLReRpKPq70o2eIP1HkjCtqmd5Xc
+RQaVEUvlv34WZQ5w2eA1bEBESjbrKhX+H0Un0msUS0JpnpegRNZqW3Bedeos0usy
+MsfqMYmZEcZb3hw51XnSb8B/WhkSmcoEuECRxeCu1tw0pn7o4GemAeqT5ng8LXeE
+RJhrUTlCIyRab8TIQZvmf6XjneT0stZLKCoZUXO+7FH7F7nPsew1dU+WFIauQX71
+PkZp2JMT7W57HKPuEillF8v5+H1k9Jq/2k+ZdgmT1Gd27nALBOc7q8rr00Lf6BU3
+K+XsfWo+p08CXKudfQ/+JFzzpyKeX5nVqiqbxqUakPy/Ot010/7457YVpvcLmcvT
+Yn4cR0dottl96lp5wT1jN7VXfZu/tsHEtTg1ofeExNuCL8DZVsSN836idRmObhLP
+dnYmThZcXBJ3RgSniQNwvuuGUtpH7OXb5vnAOe42+n3yucxhPI9Gzo5g6fTqWwb+
+qwh39ydxtiv3v3jgFixJLj/HH3MsxTm6cNUTWNLzvX+HugBeuOfyDG9++fe3UmZe
+MczAF9N9tDFP+0b1diXywJWfSdVLBmMARYeh0Swjud60SQLTqaqXVfPSECGo9LVc
+wot2u4q67QhUC2OTKiTkF6QVE05iKoPEPkCTmMvSpbHF3ERZE3J6YsVg17Uc7LrZ
+7DRRF+03mu4njS8LvIoeBuqsB96mNQNH/PwLSANWTtclCwj2C9W1HKy3zKjnu3kC
+PHLzwQFEO28TE5EsblnBdA8ozNIV887V7yw89MxPhpuXRn8BVAU1S9Dj7j3mNHLj
+rVAgZmr/nx3oDt8VfOZpK8u3u1voZdC+cnTBdcG2gzM8Ya+h8C60Y8dFzykr8hr4
+b5gDeDI1OkQ2vOQHtnQPdscYKl0v1ntHq2wrFuCIol4WneKh3Jrvdb37cL971u4g
+dpw0jTO/ykCvLlipxjJ/NrnXFb6TriZRgWZqiIwY2lKEfZDXqc/iOa2L0yBr21a5
+Ag0EX+7luwEQAM/CQdinTzIHaEJsCe42g6tt4dBC/UC4wD367rJcyJbEd+qaLJwS
+CQUbg/wrEdRT+aROHVKLwrvXxtgJs0x15vvFTurkn1BnNMh7p8woYwip7PKrNn2+
+96Yg7Aqc3a3gkDQeF8Q7uipOH/5feJh6l7Iu718pvnDUw4UFZt/RUrdqseFXVwr/
+ffSalLx7gJhL3mYuU1qpJZxsonNwAS43eViagI0FHSqixB5kPgFcbBf3BIiisOCy
+a1L9a+zSt1y1aEFC7m+9YlGJA3C0/X8s+dK0VWOrJlP/WmKUp3Epxpu6srsBItcT
+YMuGA82/03YAJ+jpGMRb+X1Dq9vuOUxvDjG+G10Cgew2EjiAkXpVg/1NsCrQWRbs
+KtFf5PXGfKCO0i8hEzwmJLd5OlNIIiup450iX4eS77Tey69hGyweLIC4YDPDwFpp
+bkDdRG6nDvePbEHi5z1L41NaWNa0wEyh28OqrmD0FCcGukk24pBVemVEx0En4siQ
+la6/1QXQlG/wTi7Yi71V/4oz7iZ4lSPWs0ACFGD9W5InlRykiRXC1cV27f+qMw9u
+Y6UbgvN70cWflK5C7e2h/eAQfxj+seYFUjMnJTkXiZE85m63p1Yu2A1c9+jqJ0L3
+Lfn5YIQdtWdY3Qc1RIQYPVRl5NcgXIPV7TwjvnjowuHjWX0IQbhv61lNABEBAAGJ
+BHIEGAEIACYWIQR+HJGsgDClpZ0e+rl1DzyHcj5AEgUCX+7luwIbAgUJA+tFgAJA
+CRB1DzyHcj5AEsF0IAQZAQgAHRYhBOJesM8c6ASdR/HZpjPhDkoYOo5GBQJf7uW7
+AAoJEDPhDkoYOo5GhpcQALowCpZ8UowMWlQFfZ2ySJalnZM6S2RxCFiss4W9pGuu
+9PKuN2wdXW3HGkBGDAuQgLwanSfhGSt/urT3+DT40OlDMzanRwEK0qiSaSs/xBtK
+dNL7JmGbcWTXpNP3aHhfYhVOg7NJnsfZ8Ti3dfuv3ZrjcLvgdnZ/s6O9S3gU8DtH
+fpnOfE3hxjUEHEw9hs9Otc6foCqMDZDvfU3emYduD5AvTiXYdeD/mZBD4OmF99II
+XWNuQexAJ+xgOPdvXaYt0lBuXmfMcn/1hrU3RJqguwnPZ2cU5zo41/uSbdsFrTHK
+yEOLTn0XYYk07mZGdscljzmXbpsbAC4Jp8CDBhUfdzfi1n3AOyblk1nywfionLlz
+HDtfWQYCxp16N8S2MU7tA1w8rFNwVDVwmxIfgjLrjPAgvqSpCmLHTXNBfdLUYRAv
+SpY9TR+U4YOOuEx2Niwnprdjm1qilN+fmPR3tWvVChlD3kHmSpi1+9ix+xizlBjN
+eZ08Eq5rDBPsTpqJmoNS8pHE0EL3IVpcB1pZ5rd6UBSa7LoMLeWwWm7Ap5VZALfp
+jMNws4SA2q5OTRY2or/+m1+cfDWIP+2XQV4YaNFMbO7XKr3vnUOxY9gyADqfRJiv
+DljHiw5iLzbkaHs7dYJOPNMGMlRzZfkkxg6Patx44TQ2rO7LnyCgVdFZWDHNevgR
+Z8AP/152xfh3qsOnT+R32Rt8CcwXmKFxLylgpjegcUmbutow9zdlX26qZ67cJ/3p
+hNLZgAYKPrGecGA0BJ2UzsPEKKz8I/dAp96LpHo/24WqUamh1z2PRAgyJGC43zm0
+rA/KAlcht8bbI/VuZ5eAYXjH01QfPS7i7fFOryYYFqfH+BTp3ZEr/A7FkcOZXmNV
+Gg4+oC2t6cJnzDsM0MUJ7dgNAHTLGx6RZZahdE3LJ8oVJ8Vek9KtjJbPr143EZLt
+ymkiy93pzLUaKWfCZJCCI9nfJnNZnvoQXv0l3wnrQIFE14Fv0jbTALHRgRJlB4cZ
+i3teEuf7shSDsd13JDdfmxMsxnfeVsIUPa+J0GBSbe14JHXlcd0t03cpbzO547Qb
+rFpD98XO6Y7OefWD3pwDF2Izjnn4Cny/hpUIEO1A2j4qHhUkqmnFmBO6yIFic637
+CJnYe3uU7ss/TNIUKLhujqlcNl8WeOMVPbhnCuOhyQh2aioAKn1yiQ1EgNSIGIVD
+LwqMt0kxI52/aDkZgCcEfBFC1c17IeUH+G0HMGm49/acFHkhX61S4efXhvzH5J0l
+Dr+0qk4aVKNwqkUNp56GSMLhiiSYivX9Xa4qQGNlmrki1pC2DamlTXDLB67XQcRp
+dAc+4nNTK4E/czrr0+wlkgz7pC1MAllCLilyTSPGnKIPlOd2uQINBF/u5d0BEADF
++6hDuKvzbmKWZNXjJK6Em/5nnzBOa155YQLN91zMs6COI4p+YuIVPPzVWZYR0yHs
+gTWw45cMV+RYwuL/P+1Z84bgOyPloIVF9VQjOC+wB3Gn4qmTzobr6q+UfQVvUiUQ
+8fGG11teWvYpWiG91uialjHZmrpAOQxjHRxHPpi0cZtTFEqinCIy6c942xbtZnzf
+nzPpxkKl0a8s1eKZ0KlDK6Ab59nxAinilohXRg/U6sqypsyLl41L0qMZek5dEt4C
+r3spdSkZgxqJpLTqQy/5VB4pcfEaIaank3sLxhpil/oQiq+38WA0VkICQyeiCsvf
+eEKyt1C6COBNH+olegUxudTKDHFthyGMPRz3McI5jHxCyru0mfLJag2hHXzgGoaD
+VkYIwkvyVsHWDqrZMMXcCIUVlpphxtHo1M32AATnWFe4K1nFdbejR9XC5xWOgwbT
+zCblqporHzU0c8WBbfJ0Y10IDrHsa/F08PkFvVN48Ydik6rcwowSPxP+59Q9AKLh
+Isd2hzfWU2zAbG5Ph1wecwlYR3tp/0i3uSTDXfuuaY+vrqpoECN6fnSg8NxiBbjU
+JR0Ju6KDM2SeBUz5hp9BzL8+OPTogRZoinxBogrRAvdGLOnLG5hMjBezzF8UEvp6
+IMisGHBZgXoX4Juvf78RE8JOwHa+HUejj5kYiQW6TwARAQABiQRyBBgBCAAmFiEE
+fhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5d0CGwIFCQPrRYACQAkQdQ88h3I+QBLB
+dCAEGQEIAB0WIQT2AU9wN9W7TuO6I3E56nu98JFFWwUCX+7l3QAKCRA56nu98JFF
+W5whD/9Hu5cnJ0hnzqk3MQsdMXbTNLsv+KePV71kcMRat4hjw2Li/TUaC8xtA81d
+O/1obmsuoDAgv82KlQ7DLDXjFk2q45lJdgZxAkN3dEoYakdTIEi11FvwbhV+qxZK
+jTq3jFQho4i3GDLgrvBMG4B1TGMH0IPux9fmBGpxYKmp1GjhpgoMXp9bqzsV/mPZ
+TxPlmIpeJEO2jeCWKhHHw6rzwGjF68G3HiJ0TqvjdCtcNrwd3GTDsdEJtUl49aqF
+M7VfoqKjVdRO/YDL//+TJNOYz5EBGjIZxbhgZJ9Qz+geSBx9GJtDWdq193ofFi39
+oleTFnEMj+OeIr1Bc2pc8Z3HJttFknicJDkeze3mM0CZAkhVkLFy6DvAQkXrgvfp
+AUYFACQW8E2XmRBiKd4huojWYz5QGSEIk2fYRVhse2HAUZ9gTODSX2L13nls+BEi
+sArsmSFA/RQslDXW+Jl+P0e37BzN51uk2Dg4ylJUBgcpTRUn4Q8c1DgHDhkEVnBI
+ny2H/MFuhImw9g5xqlBfCEKh5D8D0e4fX28MhSsBlOCeIKJoY85U3GNY0tlIwAt8
+M7IIHe1n1qncPbAMmq0K48J1lfyTEbXpnSfArzEdbnosjBUaiQX5EwA656eZ6wb3
+Vq02UDei6KPuOosl4Voy+Ffq5MCkanVMA97/0wV3CeCvQYGbsvsUD/9fLYc3yH7A
+0xksK7PImztDR8MLsUPoiv/vnfZ+WJJ+YJ0TKAHm1ZO3NqeZmD7XoWHKwh83zsK8
+x/JUASCBN16isC+Ym6IwF83/HXJfKNvvotkr2WG6Dv8Vg1Hhk2Iv5y3EMbFa9rfv
+6vjxho+0sYrraJH8qQAM08IIOi7+afrkR/ikgA8V7ymqmdxtMMHZqG+h5R0VGTVw
+QBxZ5/ZiY56Qn5UH2m0Tc2AHOcAQTvCEwyb19IPyhif+rek3npSvKtDc6WBJioyi
+gvDhl+jgIfcIo77w6GthgbFc9k68Je56Peu2J30zWj76Z+Di1OJhAj1wFr4/XT5o
+c1MB/Vfyx3hEPRDNz7dRaDqoVnYVdoI0blyCiSkD9I4/axb4X3xN2SK4XA/zv+Lb
+1FbCM1XFL2aF+09tk+77EVdWsBmQpOArD0d54E1YulBGaxVm5QKfov23KiqHIFVF
+8WYqJqNJwbJRZii7klczkVm3wFte3NWK7HW8kfF147lv0z3AiZYnk0O6Mj1ip3R8
+Qm5yiv57DbbgIMkSPWCpEtFGHIoK2msJ2bQcizh2WGxLos00RTx3IVAeSAS54+kr
+rMBg50wNczcGHKPDUKLwkYczgHonUtljAkeXnTl69rifChI+KpjHNtF6dFgC1aSt
+MOud6HhAcd0f3lmuPzCGGp4YOQx9tV139bkCDQRf7uX4ARAAxaybudQK4fMIzLiV
+grIzthhb3/DK83PNohTNMemM2V2z1Ij5Dlu2XNDypMdR0rKM/QI3zWud1+vd2h/l
+QZlg58FspvrY6I7hI+cbdRldVaAKDGQHo5Bi0a7BkonZvS/0wnNUPIhy/znzXtXR
+f4L7ePZMofH/2shz4TZ1yNpU8zaomY6eNjSc51P4vVxtDQ4QofQeJEn8aO9a4whu
+O0TVEAPKRYBRgjM8faDuUJtLfiC3OrhLg+B7JVSF3di4JITAyafPbZACLjV7Umxb
+SUL3qTJZVpIuhF0xQOCE+WRx3Xs7lkPdHMqP2OaJ8Y4ymR08cSfIP2XFKsQFtoqT
+VyMQgGgI6VXF8OfnCnGgx0Do1vJNoL0neFzVXpCPPzh1RbcrtndZWum/1R4egkYg
+J8TPQH5X391J58Uwd5l9/ZDdoSeeQYdtTR4YQ8//ATFO3hoSRvES4U6ZwO8LM6di
+ra6pqb6j0liT+DdcBwE4C1bGJMJ6d93S5SfH3llDIMJo7uJDbKILFMES9rg7S6I8
++SW75TjKUk4Y7L8R8qwURqEyuOOGfaQXirqvji4PdcGDBiIk2Oq69Ky6lmlJgyIH
+SZ7SO1JXk0yAJTXb+a6FJTLFxidkIZzu+LhLBn/MhAPjVyv3qCTQ7O0lu8Mfcqg5
+8hhJ6IE79PBHS3z8ok+mFK0iGrcAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76
+uXUPPIdyPkASBQJf7uX4AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEE
+JFV3TUL9/mucOD64/hACvFlwgR8FAl/u5fgACgkQ/hACvFlwgR+LoRAAgtIgaKb4
+ZY8qoAFZeph+Syg+mMKfPJkBuGUedJl6IxbHBSg2mhnCjJ0bmdqxsAXgtcSUqmtZ
+Yw9NyoGgiVjs+gu5sQp1Oxc2/keQXaVksTkoXwdnf+2iXyp1WPeeLGySHmzuwy9c
+eExt+h0mVmBgFls2wNdFGPbVfiT3PvFkwqsnta6HebDTN4pMzvG1IIGV7L5KRo1E
+dmkrt3lXQWmdgHl3JoNQ9v/Jgf4jo6gDw53YvJFKJcaOOAS3d4CzPWmcLzcy4mf0
+9YI3DoQCbYL3cRNelUwzUF2L6QyPCwonXemLCmfkBgsSVqvW4fq8qbEHGF2fK7x3
+d7bZEsUiGCt/tXOkDkNJ31T/mC35nxZfcj8AMPixO+BnAeKeYC37LbQD76jrw526
+tUXsAF+QON5DPeot+e8bIx9qSbvdqpXDkK4lGcRTuS2OVC8J9XfDTch4wm3Kd4P4
+lDdRAJWnLfVay0m05LGlekWdEzcjP8KDaICH9rEs6f9e1gy6mTEBnBW//41BxELT
+KxoTGlcX3yEhCmK36g5C/+d6b7Ji5arGGTCa96v/xG32KYc1zfn3TYkCx06pPUbz
+iAl2l0MTpGeqz2hJMOGA3JuxwlksJKqnPYy0hHKdVW4Pnn25NeXcBp8wpkt8VZOR
+bzjw/TJB7qvJHoRo1tat85Uij9rAXqTyO8Ea0hAAi/EfuiDDy3GV7bvjFSA1XEjL
+d+F40g2X0QG/PHTScYB4rFJwV0GFUxLHr4g7iypAVI+BB4EYikx8gpee6B0g3J+r
+aCFDDrRPDKdqrpZK53oYcBPkdSBbCr5MAa/M3DerKBEgoBVUbaSHWN7OH2ae+5R6
+X2ERmYZdW4PCj6lw7a+RhkAsgKo8RjonjV61ehQPZh20noI19Q80BYYSCfHHvzy5
+vwvByhmTMJNrl3PDpBy9/TwBR5DpnHfOPJX6bnl3pdu65F2TRM6yoFbfoUiEqrXV
+4wC1I++N9VjrQvXSp0ik/XaMWq87wLIg+1owElJIzwyZWukQkZMAYtesVFz20YwC
+7Nu8SNr/NTSCH1EqLsS4YhBTsjpc2T8AqUlgxKrilmLbrj64PXgMsQ9WYm5zwlC5
+UA5eky5YhETFJ25dIaplMm47aIbPSH5f9y5eYPkfOCoMu5oDzDzoXdH9V1YfsHqa
+8bboSgTdariC23x38E9PaWQNyY2MFKL6cFt2ilIsMSSD6JAm1x8kBtn1bBopG588
+7mTDtlqHCw/QrTuLreJG9KJ1dQFJ/Q42+csH09l081wlv4BBuVlN1Xmj+c2sWn90
+l1BPZfYHd9jhggI96yTZhfTfFbSMSuGPQyqHnwDYdA3cNj5BYievBkO5FZaCe9SZ
+4xcYgqlVpv15O7VrD+I=
+=Uugw
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/SOURCES/generate-rndc-key.sh b/SOURCES/generate-rndc-key.sh
new file mode 100755
index 0000000..956bb8e
--- /dev/null
+++ b/SOURCES/generate-rndc-key.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [ -r /etc/rc.d/init.d/functions ]; then
+ . /etc/rc.d/init.d/functions
+else
+success() {
+ echo $" OK "
+}
+
+failure() {
+ echo -n " "
+ echo $"FAILED"
+}
+fi
+
+# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
+
+if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
+ echo -n $"Generating /etc/rndc.key:"
+ if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1
+ then
+ chmod 640 /etc/rndc.key
+ chown root:named /etc/rndc.key
+ [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
+ success $"/etc/rndc.key generation"
+ echo
+ else
+ rc=$?
+ failure $"/etc/rndc.key generation"
+ echo
+ exit $rc
+ fi
+fi
diff --git a/SOURCES/named-chroot-setup.service b/SOURCES/named-chroot-setup.service
new file mode 100644
index 0000000..237a909
--- /dev/null
+++ b/SOURCES/named-chroot-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named (DNS)
+BindsTo=named-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files
diff --git a/SOURCES/named-chroot.files b/SOURCES/named-chroot.files
new file mode 100644
index 0000000..75e6aa1
--- /dev/null
+++ b/SOURCES/named-chroot.files
@@ -0,0 +1,27 @@
+# Configuration of files used in chroot
+# Following files are made available after named-chroot.service start
+# if they are missing or empty in target directory.
+/etc/localtime
+/etc/named.root.key
+/etc/named.conf
+/etc/named.rfc1912.zones
+/etc/rndc.conf
+/etc/rndc.key
+/etc/named.iscdlv.key
+/etc/crypto-policies/back-ends/bind.config
+/etc/protocols
+/etc/services
+/etc/named.dnssec.keys
+/etc/pki/dnssec-keys
+/etc/named
+/usr/lib64/bind
+/usr/lib/bind
+/usr/lib64/named
+/usr/lib/named
+/usr/share/GeoIP
+/run/named
+/proc/sys/net/ipv4/ip_local_port_range
+# Warning: the order is important
+# If a directory containing $ROOTDIR is listed here,
+# it MUST be listed last. (/var/named contains /var/named/chroot)
+/var/named
diff --git a/SOURCES/named-chroot.service b/SOURCES/named-chroot.service
new file mode 100644
index 0000000..a49df15
--- /dev/null
+++ b/SOURCES/named-chroot.service
@@ -0,0 +1,30 @@
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
+# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
+# broken when rsyslogd daemon is restarted (due update, for example).
+
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Requires=named-chroot-setup.service
+Before=nss-lookup.target
+After=named-chroot-setup.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/var/named/chroot/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
+
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=false
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/named-pkcs11.service b/SOURCES/named-pkcs11.service
new file mode 100644
index 0000000..27e0693
--- /dev/null
+++ b/SOURCES/named-pkcs11.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
+
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/named-setup-rndc.service b/SOURCES/named-setup-rndc.service
new file mode 100644
index 0000000..ff85e3c
--- /dev/null
+++ b/SOURCES/named-setup-rndc.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Generate rndc key for BIND (DNS)
+
+[Service]
+Type=oneshot
+
+ExecStart=/usr/libexec/generate-rndc-key.sh
diff --git a/SOURCES/named.conf b/SOURCES/named.conf
new file mode 100644
index 0000000..c906875
--- /dev/null
+++ b/SOURCES/named.conf
@@ -0,0 +1,59 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+ listen-on port 53 { 127.0.0.1; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ secroots-file "/var/named/data/named.secroots";
+ recursing-file "/var/named/data/named.recursing";
+ allow-query { localhost; };
+
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion yes;
+
+ dnssec-validation yes;
+
+ managed-keys-directory "/var/named/dynamic";
+ geoip-directory "/usr/share/GeoIP";
+
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+
+ /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+ include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+ channel default_debug {
+ file "data/named.run";
+ severity dynamic;
+ };
+};
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+
diff --git a/SOURCES/named.conf.sample b/SOURCES/named.conf.sample
new file mode 100644
index 0000000..d2ce6dd
--- /dev/null
+++ b/SOURCES/named.conf.sample
@@ -0,0 +1,243 @@
+/*
+ Sample named.conf BIND DNS server 'named' configuration file
+ for the Red Hat BIND distribution.
+
+ See the BIND Administrator's Reference Manual (ARM) for details, in:
+ file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
+ Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
+ its manual.
+*/
+
+options
+{
+ // Put files that named is allowed to write in the data/ directory:
+ directory "/var/named"; // "Working" directory
+ dump-file "data/cache_dump.db";
+ statistics-file "data/named_stats.txt";
+ memstatistics-file "data/named_mem_stats.txt";
+ secroots-file "data/named.secroots";
+ recursing-file "data/named.recursing";
+
+
+ /*
+ Specify listenning interfaces. You can use list of addresses (';' is
+ delimiter) or keywords "any"/"none"
+ */
+ //listen-on port 53 { any; };
+ listen-on port 53 { 127.0.0.1; };
+
+ //listen-on-v6 port 53 { any; };
+ listen-on-v6 port 53 { ::1; };
+
+ /*
+ Access restrictions
+
+ There are two important options:
+ allow-query { argument; };
+ - allow queries for authoritative data
+
+ allow-query-cache { argument; };
+ - allow queries for non-authoritative data (mostly cached data)
+
+ You can use address, network address or keywords "any"/"localhost"/"none" as argument
+ Examples:
+ allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
+ allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
+ */
+
+ allow-query { localhost; };
+ allow-query-cache { localhost; };
+
+ /* Enable/disable recursion - recursion yes/no;
+
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion yes;
+
+ /* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
+
+ /* Enable DNSSEC validation on recursive servers */
+ dnssec-validation yes;
+
+ /* In Fedora we use /run/named instead of default /var/run/named
+ so we have to configure paths properly. */
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+
+ managed-keys-directory "/var/named/dynamic";
+
+ /* In Fedora we use system-wide Crypto Policy */
+ /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+ include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging
+{
+/* If you want to enable debugging, eg. using the 'rndc trace' command,
+ * named will try to write the 'named.run' file in the $directory (/var/named).
+ * By default, SELinux policy does not allow named to modify the /var/named directory,
+ * so put the default debug log file in data/ :
+ */
+ channel default_debug {
+ file "data/named.run";
+ severity dynamic;
+ };
+};
+
+/*
+ Views let a name server answer a DNS query differently depending on who is asking.
+
+ By default, if named.conf contains no "view" clauses, all zones are in the
+ "default" view, which matches all clients.
+
+ Views are processed sequentially. The first match is used so the last view should
+ match "any" - it's fallback and the most restricted view.
+
+ If named.conf contains any "view" clause, then all zones MUST be in a view.
+*/
+
+view "localhost_resolver"
+{
+/* This view sets up named to be a localhost resolver ( caching only nameserver ).
+ * If all you want is a caching-only nameserver, then you need only define this view:
+ */
+ match-clients { localhost; };
+ recursion yes;
+
+ # all views must contain the root hints zone:
+ zone "." IN {
+ type hint;
+ file "/var/named/named.ca";
+ };
+
+ /* these are zones that contain definitions for all the localhost
+ * names and addresses, as recommended in RFC1912 - these names should
+ * not leak to the other nameservers:
+ */
+ include "/etc/named.rfc1912.zones";
+};
+view "internal"
+{
+/* This view will contain zones you want to serve only to "internal" clients
+ that connect via your directly attached LAN interfaces - "localnets" .
+ */
+ match-clients { localnets; };
+ recursion yes;
+
+ zone "." IN {
+ type hint;
+ file "/var/named/named.ca";
+ };
+
+ /* these are zones that contain definitions for all the localhost
+ * names and addresses, as recommended in RFC1912 - these names should
+ * not leak to the other nameservers:
+ */
+ include "/etc/named.rfc1912.zones";
+
+ // These are your "authoritative" internal zones, and would probably
+ // also be included in the "localhost_resolver" view above :
+
+ /*
+ NOTE for dynamic DNS zones and secondary zones:
+
+ DO NOT USE SAME FILES IN MULTIPLE VIEWS!
+
+ If you are using views and DDNS/secondary zones it is strongly
+ recommended to read FAQ on ISC site (www.isc.org), section
+ "Configuration and Setup Questions", questions
+ "How do I share a dynamic zone between multiple views?" and
+ "How can I make a server a slave for both an internal and an external
+ view at the same time?"
+ */
+
+ zone "my.internal.zone" {
+ type master;
+ file "my.internal.zone.db";
+ };
+ zone "my.slave.internal.zone" {
+ type slave;
+ file "slaves/my.slave.internal.zone.db";
+ masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
+ // put slave zones in the slaves/ directory so named can update them
+ };
+ zone "my.ddns.internal.zone" {
+ type master;
+ allow-update { key ddns_key; };
+ file "dynamic/my.ddns.internal.zone.db";
+ // put dynamically updateable zones in the slaves/ directory so named can update them
+ };
+};
+
+key ddns_key
+{
+ algorithm hmac-sha256;
+ secret "use /usr/sbin/ddns-confgen to generate TSIG keys";
+};
+
+view "external"
+{
+/* This view will contain zones you want to serve only to "external" clients
+ * that have addresses that are not match any above view:
+ */
+ match-clients { any; };
+
+ zone "." IN {
+ type hint;
+ file "/var/named/named.ca";
+ };
+
+ recursion no;
+ // you'd probably want to deny recursion to external clients, so you don't
+ // end up providing free DNS service to all takers
+
+ // These are your "authoritative" external zones, and would probably
+ // contain entries for just your web and mail servers:
+
+ zone "my.external.zone" {
+ type master;
+ file "my.external.zone.db";
+ };
+};
+
+/* Trusted keys
+
+ This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
+ should configure at least one trusted key.
+
+ Note that no key written below is valid. Especially root key because root zone
+ is not signed yet.
+*/
+/*
+trust-anchors {
+// Root Key
+. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+
+// Key for forward zone
+example.com. static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW
+ LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6
+ LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws
+ UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX
+ yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP
+ Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m
+ Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393
+ xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M=";
+
+
+// Key for reverse zone.
+2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D";
+};
+*/
diff --git a/SOURCES/named.empty b/SOURCES/named.empty
new file mode 100644
index 0000000..8e271e7
--- /dev/null
+++ b/SOURCES/named.empty
@@ -0,0 +1,10 @@
+$TTL 3H
+@ IN SOA @ rname.invalid. (
+ 0 ; serial
+ 1D ; refresh
+ 1H ; retry
+ 1W ; expire
+ 3H ) ; minimum
+ NS @
+ A 127.0.0.1
+ AAAA ::1
diff --git a/SOURCES/named.localhost b/SOURCES/named.localhost
new file mode 100644
index 0000000..6fe6a52
--- /dev/null
+++ b/SOURCES/named.localhost
@@ -0,0 +1,10 @@
+$TTL 1D
+@ IN SOA @ rname.invalid. (
+ 0 ; serial
+ 1D ; refresh
+ 1H ; retry
+ 1W ; expire
+ 3H ) ; minimum
+ NS @
+ A 127.0.0.1
+ AAAA ::1
diff --git a/SOURCES/named.logrotate b/SOURCES/named.logrotate
new file mode 100644
index 0000000..5df448f
--- /dev/null
+++ b/SOURCES/named.logrotate
@@ -0,0 +1,12 @@
+/var/named/data/named.run {
+ missingok
+ su named named
+ create 0644 named named
+ postrotate
+ /usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
+ /usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true
+ /usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true
+ /usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true
+ /usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true
+ endscript
+}
diff --git a/SOURCES/named.loopback b/SOURCES/named.loopback
new file mode 100644
index 0000000..7f3d862
--- /dev/null
+++ b/SOURCES/named.loopback
@@ -0,0 +1,11 @@
+$TTL 1D
+@ IN SOA @ rname.invalid. (
+ 0 ; serial
+ 1D ; refresh
+ 1H ; retry
+ 1W ; expire
+ 3H ) ; minimum
+ NS @
+ A 127.0.0.1
+ AAAA ::1
+ PTR localhost.
diff --git a/SOURCES/named.rfc1912.zones b/SOURCES/named.rfc1912.zones
new file mode 100644
index 0000000..fa8caf5
--- /dev/null
+++ b/SOURCES/named.rfc1912.zones
@@ -0,0 +1,45 @@
+// named.rfc1912.zones:
+//
+// Provided by Red Hat caching-nameserver package
+//
+// ISC BIND named zone configuration for zones recommended by
+// RFC 1912 section 4.1 : localhost TLDs and address zones
+// and https://tools.ietf.org/html/rfc6303
+// (c)2007 R W Franks
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+// Note: empty-zones-enable yes; option is default.
+// If private ranges should be forwarded, add
+// disable-empty-zone "."; into options
+//
+
+zone "localhost.localdomain" IN {
+ type master;
+ file "named.localhost";
+ allow-update { none; };
+};
+
+zone "localhost" IN {
+ type master;
+ file "named.localhost";
+ allow-update { none; };
+};
+
+zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
+ type master;
+ file "named.loopback";
+ allow-update { none; };
+};
+
+zone "1.0.0.127.in-addr.arpa" IN {
+ type master;
+ file "named.loopback";
+ allow-update { none; };
+};
+
+zone "0.in-addr.arpa" IN {
+ type master;
+ file "named.empty";
+ allow-update { none; };
+};
diff --git a/SOURCES/named.root b/SOURCES/named.root
new file mode 100644
index 0000000..532d4ff
--- /dev/null
+++ b/SOURCES/named.root
@@ -0,0 +1,61 @@
+
+; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
+; (2 servers found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
+;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 1472
+;; QUESTION SECTION:
+;. IN NS
+
+;; ANSWER SECTION:
+. 518400 IN NS a.root-servers.net.
+. 518400 IN NS b.root-servers.net.
+. 518400 IN NS c.root-servers.net.
+. 518400 IN NS d.root-servers.net.
+. 518400 IN NS e.root-servers.net.
+. 518400 IN NS f.root-servers.net.
+. 518400 IN NS g.root-servers.net.
+. 518400 IN NS h.root-servers.net.
+. 518400 IN NS i.root-servers.net.
+. 518400 IN NS j.root-servers.net.
+. 518400 IN NS k.root-servers.net.
+. 518400 IN NS l.root-servers.net.
+. 518400 IN NS m.root-servers.net.
+
+;; ADDITIONAL SECTION:
+a.root-servers.net. 518400 IN A 198.41.0.4
+b.root-servers.net. 518400 IN A 199.9.14.201
+c.root-servers.net. 518400 IN A 192.33.4.12
+d.root-servers.net. 518400 IN A 199.7.91.13
+e.root-servers.net. 518400 IN A 192.203.230.10
+f.root-servers.net. 518400 IN A 192.5.5.241
+g.root-servers.net. 518400 IN A 192.112.36.4
+h.root-servers.net. 518400 IN A 198.97.190.53
+i.root-servers.net. 518400 IN A 192.36.148.17
+j.root-servers.net. 518400 IN A 192.58.128.30
+k.root-servers.net. 518400 IN A 193.0.14.129
+l.root-servers.net. 518400 IN A 199.7.83.42
+m.root-servers.net. 518400 IN A 202.12.27.33
+a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
+b.root-servers.net. 518400 IN AAAA 2001:500:200::b
+c.root-servers.net. 518400 IN AAAA 2001:500:2::c
+d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
+e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
+f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
+g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
+h.root-servers.net. 518400 IN AAAA 2001:500:1::53
+i.root-servers.net. 518400 IN AAAA 2001:7fe::53
+j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
+k.root-servers.net. 518400 IN AAAA 2001:7fd::1
+l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
+m.root-servers.net. 518400 IN AAAA 2001:dc3::35
+
+;; Query time: 24 msec
+;; SERVER: 198.41.0.4#53(198.41.0.4)
+;; WHEN: Thu Apr 05 15:57:34 CEST 2018
+;; MSG SIZE rcvd: 811
+
diff --git a/SOURCES/named.root.key b/SOURCES/named.root.key
new file mode 100644
index 0000000..fbcb5d3
--- /dev/null
+++ b/SOURCES/named.root.key
@@ -0,0 +1,13 @@
+trust-anchors {
+ # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
+ # for current trust anchor information.
+ #
+ # This key (20326) was published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
+};
diff --git a/SOURCES/named.rwtab b/SOURCES/named.rwtab
new file mode 100644
index 0000000..2cb3a41
--- /dev/null
+++ b/SOURCES/named.rwtab
@@ -0,0 +1,6 @@
+dirs /var/named
+
+files /var/named/named.ca
+files /var/named/named.empty
+files /var/named/named.localhost
+files /var/named/named.loopback
diff --git a/SOURCES/named.service b/SOURCES/named.service
new file mode 100644
index 0000000..7cd6d34
--- /dev/null
+++ b/SOURCES/named.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=named-setup-rndc.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/named.sysconfig b/SOURCES/named.sysconfig
new file mode 100644
index 0000000..5f6f817
--- /dev/null
+++ b/SOURCES/named.sysconfig
@@ -0,0 +1,17 @@
+# BIND named process options
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# OPTIONS="whatever" -- These additional options will be passed to named
+# at startup. Don't add -t here, enable proper
+# -chroot.service unit file.
+#
+# NAMEDCONF=/etc/named/alternate.conf
+# -- Don't use -c to change configuration file.
+# Extend systemd named.service instead or use this
+# variable.
+#
+# DISABLE_ZONE_CHECKING -- By default, service file calls named-checkzone
+# utility for every zone to ensure all zones are
+# valid before named starts. If you set this option
+# to 'yes' then service file doesn't perform those
+# checks.
diff --git a/SOURCES/setup-named-chroot.sh b/SOURCES/setup-named-chroot.sh
new file mode 100755
index 0000000..5e68915
--- /dev/null
+++ b/SOURCES/setup-named-chroot.sh
@@ -0,0 +1,117 @@
+#!/bin/bash
+
+ROOTDIR="$1"
+CONFIG_FILES="${3:-/etc/named-chroot.files}"
+
+usage()
+{
+ echo
+ echo 'This script setups chroot environment for BIND'
+ echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> [chroot.files]'
+}
+
+if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
+ echo 'Wrong number of arguments'
+ usage
+ exit 1
+fi
+
+# Exit if ROOTDIR doesn't exist
+if ! [ -d "$ROOTDIR" ]; then
+ echo "Root directory $ROOTDIR doesn't exist"
+ usage
+ exit 1
+fi
+
+if ! [ -r "$CONFIG_FILES" ]; then
+ echo "Files list $CONFIG_FILES doesn't exist" 2>&1
+ usage
+ exit 1
+fi
+
+dev_create()
+{
+ DEVNAME="$ROOTDIR/dev/$1"
+ shift
+ if ! [ -e "$DEVNAME" ]; then
+ /bin/mknod -m 0664 "$DEVNAME" $@
+ /bin/chgrp named "$DEVNAME"
+ if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
+ /usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
+ fi
+ fi
+}
+
+dev_chroot_prep()
+{
+ dev_create random c 1 8
+ dev_create urandom c 1 9
+ dev_create zero c 1 5
+ dev_create null c 1 3
+}
+
+files_comment_filter()
+{
+ if [ -d "$1" ]; then
+ grep -v '^[[:space:]]*#' "$1"/*.files
+ else
+ grep -v '^[[:space:]]*#' "$1"
+ fi
+}
+
+mount_chroot_conf()
+{
+ if [ -n "$ROOTDIR" ]; then
+ # Check devices are prepared
+ dev_chroot_prep
+ files_comment_filter "$CONFIG_FILES" | while read -r all; do
+ # Skip nonexistant files
+ [ -e "$all" ] || continue
+
+ # If mount source is a file
+ if ! [ -d "$all" ]; then
+ # mount it only if it is not present in chroot or it is empty
+ if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
+ touch "$ROOTDIR$all"
+ mount --bind "$all" "$ROOTDIR$all"
+ fi
+ else
+ # Mount source is a directory. Mount it only if directory in chroot is
+ # empty.
+ if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
+ mount --bind --make-private "$all" "$ROOTDIR$all"
+ fi
+ fi
+ done
+ fi
+}
+
+umount_chroot_conf()
+{
+ if [ -n "$ROOTDIR" ]; then
+ files_comment_filter "$CONFIG_FILES" | while read -r all; do
+ # Check if file is mount target. Do not use /proc/mounts because detecting
+ # of modified mounted files can fail.
+ if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
+ umount "$ROOTDIR$all"
+ # Remove temporary created files
+ [ -f "$all" ] && rm -f "$ROOTDIR$all"
+ fi
+ done
+ fi
+}
+
+case "$2" in
+ on)
+ mount_chroot_conf
+ ;;
+ off)
+ umount_chroot_conf
+ ;;
+ *)
+ echo 'Second argument has to be "on" or "off"'
+ usage
+ exit 1
+esac
+
+exit 0
diff --git a/SOURCES/setup-named-softhsm.sh b/SOURCES/setup-named-softhsm.sh
new file mode 100755
index 0000000..c0f8445
--- /dev/null
+++ b/SOURCES/setup-named-softhsm.sh
@@ -0,0 +1,124 @@
+#!/bin/sh
+#
+# This script will initialise token storage of softhsm PKCS11 provider
+# in custom location. Is useful to store tokens in non-standard location.
+#
+# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
+# Quotes around eval are mandatory!
+# Recommended use:
+# eval "$(bash setup-named-softhsm.sh -A)"
+#
+
+SOFTHSM2_CONF="$1"
+TOKENPATH="$2"
+GROUPNAME="$3"
+# Do not use this script for real keys worth protection
+# This is intended for crypto accelerators using PKCS11 interface.
+# Uninitialized token would fail any crypto operation.
+PIN=1234
+SO_PIN=1234
+LABEL=rpm
+
+set -e
+
+echo_i()
+{
+ echo "#" $@
+}
+
+random()
+{
+ if [ -x "$(which openssl 2>/dev/null)" ]; then
+ openssl rand -base64 $1
+ else
+ dd if=/dev/urandom bs=1c count=$1 | base64
+ fi
+}
+
+usage()
+{
+ echo "Usage: $0 -A [token directory] [group]"
+ echo " or: $0 <config file> <token directory> [group]"
+}
+
+if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
+ TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
+fi
+
+if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
+ usage >&2
+ exit 1
+fi
+
+if [ "$SOFTHSM2_CONF" = "-A" ]; then
+ # Automagic mode instead
+ MODE=secure
+ SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
+ PIN_SOURCE="$TOKENPATH/pin"
+ SOPIN_SOURCE="$TOKENPATH/so-pin"
+ TOKENPATH="$TOKENPATH/tokens"
+else
+ MODE=legacy
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+umask 0022
+
+if ! [ -f "$SOFTHSM2_CONF" ]; then
+cat << SED > "$SOFTHSM2_CONF"
+# SoftHSM v2 configuration file
+
+directories.tokendir = ${TOKENPATH}
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+SED
+else
+ echo_i "Config file $SOFTHSM2_CONF already exists" >&2
+fi
+
+if [ -n "$PIN_SOURCE" ]; then
+ touch "$PIN_SOURCE" "$SOPIN_SOURCE"
+ chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
+ if [ -n "$GROUPNAME" ]; then
+ chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
+ chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
+ fi
+fi
+
+export SOFTHSM2_CONF
+
+if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
+then
+ echo_i "Token in ${TOKENPATH} is already initialized" >&2
+
+ [ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
+ [ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
+else
+ PIN=$(random 6)
+ SO_PIN=$(random 18)
+ if [ -n "$PIN_SOURCE" ]; then
+ echo -n "$PIN" > "$PIN_SOURCE"
+ echo -n "$SO_PIN" > "$SOPIN_SOURCE"
+ fi
+
+ echo_i "Initializing tokens to ${TOKENPATH}..."
+ softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
+
+ if [ -n "$GROUPNAME" ]; then
+ chgrp -R -- "$GROUPNAME" "$TOKENPATH"
+ chmod -R -- g=rX,o= "$TOKENPATH"
+ fi
+fi
+
+echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
+echo "export PIN_SOURCE=\"$PIN_SOURCE\""
+echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
+# These are intentionaly not exported
+echo "PIN=\"$PIN\""
+echo "SO_PIN=\"$SO_PIN\""
diff --git a/SOURCES/trusted-key.key b/SOURCES/trusted-key.key
new file mode 100644
index 0000000..7b845f3
--- /dev/null
+++ b/SOURCES/trusted-key.key
@@ -0,0 +1 @@
+. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
new file mode 100644
index 0000000..6e30f0a
--- /dev/null
+++ b/SPECS/bind.spec
@@ -0,0 +1,3955 @@
+#
+# Red Hat BIND9 package .spec file
+#
+# vim:expandtab ts=2:
+
+# bcond_without is built by default, unless --without X is passed
+# bcond_with is built only when --with X is passed to build
+%bcond_with SYSTEMTEST
+%bcond_without GSSTSIG
+# it is not possible to build the package without PKCS11 sub-package
+# due to extensive changes to Makefiles
+%bcond_with PKCS11
+%bcond_without JSON
+%bcond_with DLZ
+# New MaxMind GeoLite support
+%bcond_without GEOIP2
+# kyua no longer in buildroot in RHEL9
+%bcond_with UNITTEST
+%bcond_without DNSTAP
+%bcond_without LMDB
+%bcond_without DOC
+# Because of issues with PDF rebuild, include only HTML pages
+%bcond_with DOCPDF
+%bcond_with TSAN
+
+%{?!bind_uid: %global bind_uid 25}
+%{?!bind_gid: %global bind_gid 25}
+%{!?_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
+%global bind_dir /var/named
+%global chroot_prefix %{bind_dir}/chroot
+%global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\
+ %{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\
+ %{_libdir}/bind %{_libdir}/named %{_datadir}/GeoIP /proc/sys/net/ipv4
+
+%global selinuxbooleans named_write_master_zones=1
+## The order of libs is important. See lib/Makefile.in for details
+%define bind_export_libs isc dns isccfg irs
+%{!?_export_dir:%global _export_dir /bind9-export/}
+# libisc-nosym requires to be linked with unresolved symbols
+# When libisc-nosym linking is fixed, it can be defined to 1
+# Visit https://bugzilla.redhat.com/show_bug.cgi?id=1540300
+%undefine _strict_symbol_defs_build
+#
+# significant changes:
+# no more isc-config.sh and bind9-config
+# lib*.so.X versions of selected libraries no longer provided,
+# lib*-%%{version}-RH.so is provided as an internal implementation detail
+
+
+Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
+Name: bind
+License: MPLv2.0
+Version: 9.16.23
+Release: 1%{?dist}
+Epoch: 32
+Url: https://www.isc.org/downloads/bind/
+#
+Source0: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz
+Source1: named.sysconfig
+Source2: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz.asc
+Source3: named.logrotate
+Source4: https://downloads.isc.org/isc/pgpkeys/codesign2021.txt
+Source16: named.conf
+# Refresh by command: dig @a.root-servers.net. +tcp +norec
+# or from URL
+Source17: https://www.internic.net/domain/named.root
+Source18: named.localhost
+Source19: named.loopback
+Source20: named.empty
+Source23: named.rfc1912.zones
+Source25: named.conf.sample
+Source27: named.root.key
+Source35: bind.tmpfiles.d
+Source36: trusted-key.key
+Source37: named.service
+Source38: named-chroot.service
+Source41: setup-named-chroot.sh
+Source42: generate-rndc-key.sh
+Source43: named.rwtab
+Source44: named-chroot-setup.service
+Source46: named-setup-rndc.service
+Source47: named-pkcs11.service
+Source48: setup-named-softhsm.sh
+Source49: named-chroot.files
+
+# Common patches
+Patch10: bind-9.5-PIE.patch
+Patch16: bind-9.16-redhat_doc.patch
+Patch72: bind-9.5-dlz-64bit.patch
+Patch106:bind93-rh490837.patch
+Patch112:bind97-rh645544.patch
+Patch130:bind-9.9.1-P2-dlz-libdb.patch
+# Make PKCS11 used only for pkcs11 parts
+Patch135:bind-9.14-config-pkcs11.patch
+# Fedora specific patch to distribute native-pkcs#11 functionality
+Patch136:bind-9.10-dist-native-pkcs11.patch
+# Do not use isc-pkcs11.
+Patch149:bind-9.11-kyua-pkcs11.patch
+
+Patch157:bind-9.11-fips-tests.patch
+Patch164:bind-9.11-rh1666814.patch
+Patch170:bind-9.11-feature-test-named.patch
+Patch171:bind-9.11-tests-variants.patch
+
+%{?systemd_ordering}
+Requires: coreutils
+Requires(pre): shadow-utils
+Requires(post): shadow-utils
+Requires(post): glibc-common
+Requires(post): grep
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+# This wild require should satisfy %%selinux_set_boolean macro only
+# in case it needs to be used
+Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls))
+Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls))
+Recommends: bind-utils bind-dnssec-utils
+BuildRequires: gcc, make
+BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
+BuildRequires: libidn2-devel, libxml2-devel
+BuildRequires: systemd-rpm-macros
+BuildRequires: selinux-policy
+# needed for %%{__python3} macro
+BuildRequires: python3-devel
+BuildRequires: python3-ply
+BuildRequires: findutils sed
+%if 0%{?fedora}
+BuildRequires: gnupg2
+%endif
+BuildRequires: libuv-devel
+%if %{with DLZ}
+BuildRequires: openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-devel
+%endif
+%if %{with UNITTEST}
+# make unit dependencies
+BuildRequires: libcmocka-devel kyua
+%endif
+%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
+BuildRequires: softhsm
+%endif
+%if %{with SYSTEMTEST}
+# bin/tests/system dependencies
+BuildRequires: perl(Net::DNS) perl(Net::DNS::Nameserver) perl(Time::HiRes) perl(Getopt::Long)
+# manual configuration requires this tool
+BuildRequires: iproute
+%endif
+%if %{with GSSTSIG}
+BuildRequires: krb5-devel
+%endif
+%if %{with LMDB}
+BuildRequires: lmdb-devel
+%endif
+%if %{with JSON}
+BuildRequires: json-c-devel
+%endif
+%if %{with GEOIP2}
+BuildRequires: libmaxminddb-devel
+%endif
+%if %{with DNSTAP}
+BuildRequires: fstrm-devel protobuf-c-devel
+%endif
+# Needed to regenerate dig.1 manpage
+%if %{with DOC}
+BuildRequires: python3-sphinx python3-sphinx_rtd_theme
+BuildRequires: doxygen
+%endif
+%if %{with DOCPDF}
+# Because remaining issues with COPR, allow turning off PDF (re)generation
+BuildRequires: python3-sphinx-latex latexmk texlive-xetex texlive-xindy
+%endif
+%if %{with TSAN}
+BuildRequires: libtsan
+%endif
+
+%description
+BIND (Berkeley Internet Name Domain) is an implementation of the DNS
+(Domain Name System) protocols. BIND includes a DNS server (named),
+which resolves host names to IP addresses; a resolver library
+(routines for applications to use when interfacing with DNS); and
+tools for verifying that the DNS server is operating properly.
+
+%if %{with PKCS11}
+%package pkcs11
+Summary: Bind with native PKCS#11 functionality for crypto
+Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Recommends: softhsm
+
+%description pkcs11
+This is a version of BIND server built with native PKCS#11 functionality.
+It is important to have SoftHSM v2+ installed and some token initialized.
+For other supported HSM modules please check the BIND documentation.
+
+%package pkcs11-utils
+Summary: Bind tools with native PKCS#11 for using DNSSEC
+Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Obsoletes: bind-pkcs11 < 32:9.9.4-16.P2
+Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release}
+
+%description pkcs11-utils
+This is a set of PKCS#11 utilities that when used together create rsa
+keys in a PKCS11 keystore. Also utilities for working with DNSSEC
+compiled with native PKCS#11 functionality are included.
+
+%package pkcs11-libs
+Summary: Bind libraries compiled with native PKCS#11
+Requires: bind-license = %{epoch}:%{version}-%{release}
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description pkcs11-libs
+This is a set of BIND libraries (dns, isc) compiled with native PKCS#11
+functionality.
+
+%package pkcs11-devel
+Summary: Development files for Bind libraries compiled with native PKCS#11
+Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: bind-devel%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description pkcs11-devel
+This a set of development files for BIND libraries (dns, isc) compiled
+with native PKCS#11 functionality.
+%endif
+
+%package libs
+Summary: Libraries used by the BIND DNS packages
+Requires: bind-license = %{epoch}:%{version}-%{release}
+Provides: bind-libs-lite = %{epoch}:%{version}-%{release}
+Obsoletes: bind-libs-lite < 32:9.16.13
+
+%description libs
+Contains heavyweight version of BIND suite libraries used by both named DNS
+server and utilities in bind-utils package.
+
+%package license
+Summary: License of the BIND DNS suite
+BuildArch:noarch
+
+%description license
+Contains license of the BIND DNS suite.
+
+%package utils
+Summary: Utilities for querying DNS name servers
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+# For compatibility with Debian package
+Provides: dnsutils = %{epoch}:%{version}-%{release}
+
+%description utils
+Bind-utils contains a collection of utilities for querying DNS (Domain
+Name System) name servers to find out information about Internet
+hosts. These tools will provide you with the IP addresses for given
+host names, as well as other information about registered domains and
+network addresses.
+
+You should install bind-utils if you need to get information from DNS name
+servers.
+
+%package dnssec-utils
+Summary: DNSSEC keys and zones management utilities
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Recommends: bind-utils
+Requires: python3-bind = %{epoch}:%{version}-%{release}
+Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release}
+
+%description dnssec-utils
+Bind-dnssec-utils contains a collection of utilities for editing
+DNSSEC keys and BIND zone files. These tools provide generation,
+revocation and verification of keys and DNSSEC signatures in zone files.
+
+You should install bind-dnssec-utils if you need to sign a DNS zone
+or maintain keys for it.
+
+%package dnssec-doc
+Summary: Manual pages of DNSSEC utilities
+Requires: bind-license = %{epoch}:%{version}-%{release}
+BuildArch:noarch
+
+%description dnssec-doc
+Bind-dnssec-doc contains manual pages for bind-dnssec-utils.
+
+%package devel
+Summary: Header files and libraries needed for bind-dyndb-ldap
+Provides: bind-lite-devel = %{epoch}:%{version}-%{release}
+Obsoletes: bind-lite-devel < 32:9.16.6-3
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa}
+Requires: libcap-devel%{?_isa}
+%if %{with GSSTSIG}
+Requires: krb5-devel%{?_isa}
+%endif
+%if %{with LMDB}
+Requires: lmdb-devel%{?_isa}
+%endif
+%if %{with JSON}
+Requires: json-c-devel%{?_isa}
+%endif
+%if %{with DNSTAP}
+Requires: fstrm-devel%{?_isa} protobuf-c-devel%{?_isa}
+%endif
+%if %{with GEOIP2}
+Requires: libmaxminddb-devel%{?_isa}
+
+%description devel
+The bind-devel package contains full version of the header files and libraries
+required for building bind-dyndb-ldap. Upstream no longer supports nor recommends
+bind libraries for third party applications.
+%endif
+
+%package chroot
+Summary: A chroot runtime environment for the ISC BIND DNS server, named(8)
+Prefix: %{chroot_prefix}
+# grep is required due to setup-named-chroot.sh script
+Requires: grep
+Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description chroot
+This package contains a tree of files which can be used as a
+chroot(2) jail for the named(8) program from the BIND package.
+Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
+
+
+%if %{with DLZ}
+%package dlz-filesystem
+Summary: BIND server filesystem DLZ module
+Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description dlz-filesystem
+Dynamic Loadable Zones filesystem module for BIND server.
+
+%package dlz-ldap
+Summary: BIND server ldap DLZ module
+Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description dlz-ldap
+Dynamic Loadable Zones LDAP module for BIND server.
+
+%package dlz-mysql
+Summary: BIND server mysql and mysqldyn DLZ modules
+Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+Provides: %{name}-dlz-mysqldyn = %{epoch}:%{version}-%{release}
+Obsoletes: %{name}-dlz-mysqldyn < 32:9.16.6-3
+
+%description dlz-mysql
+Dynamic Loadable Zones MySQL module for BIND server.
+Contains also mysqldyn module with dynamic DNS updates (DDNS) support.
+
+%package dlz-sqlite3
+Summary: BIND server sqlite3 DLZ module
+Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description dlz-sqlite3
+Dynamic Loadable Zones sqlite3 module for BIND server.
+%endif
+
+
+%package -n python3-bind
+Summary: A module allowing rndc commands to be sent from Python programs
+Requires: bind-license = %{epoch}:%{version}-%{release}
+Requires: python3 python3-ply %{?py3_dist:%py3_dist ply}
+BuildArch: noarch
+%{?python_provide:%python_provide python3-bind}
+%{?python_provide:%python_provide python3-isc}
+
+%description -n python3-bind
+This package provides a module which allows commands to be sent to rndc directly from Python programs.
+
+%if %{with DOC}
+%package doc
+Summary: BIND 9 Administrator Reference Manual
+Requires: bind-license = %{epoch}:%{version}-%{release}
+Requires: python3-sphinx_rtd_theme
+BuildArch: noarch
+
+%description doc
+BIND (Berkeley Internet Name Domain) is an implementation of the DNS
+(Domain Name System) protocols. BIND includes a DNS server (named),
+which resolves host names to IP addresses; a resolver library
+(routines for applications to use when interfacing with DNS); and
+tools for verifying that the DNS server is operating properly.
+
+This package contains BIND 9 Administrator Reference Manual
+in HTML and PDF format.
+%end
+
+%endif
+
+%prep
+%if 0%{?fedora}
+# RHEL does not yet support this verification
+%{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE2}' --data='%{SOURCE0}'
+%endif
+%setup -q
+
+# Common patches
+%patch10 -p1 -b .PIE
+%patch16 -p1 -b .redhat_doc
+%patch72 -p1 -b .64bit
+%patch106 -p1 -b .rh490837
+%patch112 -p1 -b .rh645544
+%patch130 -p1 -b .libdb
+%patch157 -p1 -b .fips-tests
+%patch164 -p1 -b .rh1666814
+%patch170 -p1 -b .featuretest-named
+%patch171 -p1 -b .test-variant
+
+%if %{with PKCS11}
+%patch135 -p1 -b .config-pkcs11
+cp -r bin/named{,-pkcs11}
+cp -r bin/dnssec{,-pkcs11}
+cp -r lib/dns{,-pkcs11}
+cp -r lib/ns{,-pkcs11}
+%patch136 -p1 -b .dist_pkcs11
+%patch149 -p1 -b .kyua-pkcs11
+%endif
+
+# Sparc and s390 arches need to use -fPIE
+%ifarch sparcv9 sparc64 s390 s390x
+for i in bin/named/{,unix}/Makefile.in; do
+ sed -i 's|fpie|fPIE|g' $i
+done
+%endif
+
+sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/ifconfig.sh
+:;
+
+
+%build
+## We use out of tree configure/build for export libs
+%define _configure "../configure"
+
+# normal and pkcs11 unit tests
+%define unit_prepare_build() \
+ cp -uv Kyuafile "%{1}/" \
+ find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \
+ find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \
+ find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
+ find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
+
+%define systemtest_prepare_build() \
+ cp -Tuav bin/tests "%{1}/bin/tests/" \
+ cp -uv version "%{1}" \
+
+CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
+%if %{with TSAN}
+ CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
+%endif
+export CFLAGS
+export STD_CDEFINES="$CPPFLAGS"
+
+
+sed -i -e \
+'s/RELEASEVER=\(.*\)/RELEASEVER=\1-RH/' \
+version
+
+libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f
+
+mkdir build
+
+%if %{with DLZ}
+# DLZ modules do not support oot builds. Copy files into build
+mkdir -p build/contrib/dlz
+cp -frp contrib/dlz/modules build/contrib/dlz/modules
+%endif
+
+pushd build
+LIBDIR_SUFFIX=
+export LIBDIR_SUFFIX
+%configure \
+ --with-python=%{__python3} \
+ --with-libtool \
+ --localstatedir=%{_var} \
+ --with-pic \
+ --disable-static \
+ --includedir=%{_includedir}/bind9 \
+ --with-tuning=large \
+ --with-libidn2 \
+%if %{with GEOIP2}
+ --with-maxminddb \
+%endif
+%if %{with PKCS11}
+ --enable-native-pkcs11 \
+ --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \
+%endif
+ --with-dlopen=yes \
+%if %{with GSSTSIG}
+ --with-gssapi=yes \
+%endif
+%if %{with LMDB}
+ --with-lmdb=yes \
+%else
+ --with-lmdb=no \
+%endif
+%if %{with JSON}
+ --without-libjson --with-json-c \
+%endif
+%if %{with DNSTAP}
+ --enable-dnstap \
+%endif
+%if %{with UNITTEST}
+ --with-cmocka \
+%endif
+ --enable-fixed-rrset \
+ --enable-full-report \
+;
+%if %{with DNSTAP}
+ pushd lib
+ SRCLIB="../../../lib"
+ (cd dns && ln -s ${SRCLIB}/dns/dnstap.proto)
+%if %{with PKCS11}
+ (cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto)
+%endif
+ popd
+%endif
+
+%if %{with DOCPDF}
+# avoid using home for pdf latex files
+export TEXMFVAR="`pwd`"
+export TEXMFCONFIG="`pwd`"
+fmtutil-user --listcfg || :
+fmtutil-user --missing || :
+%endif
+
+%make_build
+
+# Regenerate dig.1 manpage
+pushd bin/dig
+make man
+popd
+pushd bin/python
+make man
+popd
+
+%if %{with DOC}
+ make doc
+%endif
+
+%if %{with DLZ}
+ pushd contrib/dlz/modules
+ for DIR in mysql mysqldyn; do
+ sed -e 's/@DLZ_DRIVER_MYSQL_INCLUDES@/$(shell mysql_config --cflags)/' \
+ -e 's/@DLZ_DRIVER_MYSQL_LIBS@/$(shell mysql_config --libs)/' \
+ $DIR/Makefile.in > $DIR/Makefile
+ done
+ for DIR in filesystem ldap mysql mysqldyn sqlite3; do
+ make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
+ done
+ popd
+%endif
+popd # build
+
+%unit_prepare_build build
+%systemtest_prepare_build build
+
+%check
+%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
+ # Tests require initialization of pkcs11 token
+ eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")"
+%endif
+
+%if %{with TSAN}
+export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
+%endif
+
+%if %{with UNITTEST}
+ pushd build
+ CPUS=$(lscpu -p=cpu,core | grep -v '^#' | wc -l)
+ if [ "$CPUS" -gt 16 ]; then
+ ORIGFILES=$(ulimit -n)
+ ulimit -n 4096 || : # Requires on some machines with many cores
+ fi
+ make unit
+ e=$?
+ if [ "$e" -ne 0 ]; then
+ echo "ERROR: this build of BIND failed 'make unit'. Aborting."
+ exit $e;
+ fi;
+ [ "$CPUS" -gt 16 ] && ulimit -n $ORIGFILES || :
+ popd
+## End of UNITTEST
+%endif
+
+%if %{with SYSTEMTEST}
+# Runs system test if ip addresses are already configured
+# or it is able to configure them
+if perl bin/tests/system/testsock.pl
+then
+ CONFIGURED=already
+else
+ CONFIGURED=
+ sh bin/tests/system/ifconfig.sh up
+ perl bin/tests/system/testsock.pl && CONFIGURED=build
+fi
+if [ -n "$CONFIGURED" ]
+then
+ set -e
+ pushd build/bin/tests
+ chown -R ${USER} . # Can be unknown user
+ %make_build test 2>&1 | tee test.log
+ e=$?
+ popd
+ [ "$CONFIGURED" = build ] && sh bin/tests/system/ifconfig.sh down
+ if [ "$e" -ne 0 ]; then
+ echo "ERROR: this build of BIND failed 'make test'. Aborting."
+ exit $e;
+ fi;
+else
+ echo 'SKIPPED: tests require root, CAP_NET_ADMIN or already configured test addresses.'
+fi
+%endif
+:
+
+%install
+# Build directory hierarchy
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d
+mkdir -p ${RPM_BUILD_ROOT}%{_libdir}/{bind,named}
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named/{slaves,data,dynamic}
+mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/{man1,man5,man8}
+mkdir -p ${RPM_BUILD_ROOT}/run/named
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log
+
+#chroot
+for D in %{chroot_create_directories}
+do
+ mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}${D}
+done
+
+# create symlink as it is on real filesystem
+pushd ${RPM_BUILD_ROOT}/%{chroot_prefix}/var
+ln -s ../run run
+popd
+
+# these are required to prevent them being erased during upgrade of previous
+touch ${RPM_BUILD_ROOT}/%{chroot_prefix}%{_sysconfdir}/named.conf
+#end chroot
+
+pushd build
+%make_install
+popd
+
+# Remove unwanted files
+rm -f ${RPM_BUILD_ROOT}/etc/bind.keys
+
+# Systemd unit files
+mkdir -p ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE37} ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir}
+install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}
+
+%if %{with PKCS11}
+install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir}
+%else
+# Not packaged without PKCS11
+find ${RPM_BUILD_ROOT}%{_includedir}/bind9/pk11 ${RPM_BUILD_ROOT}%{_includedir}/bind9/pkcs11 \
+ -name '*.h' \! -name site.h -delete
+
+%endif
+
+mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
+install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh
+install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh
+
+%if %{with PKCS11}
+install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh
+%endif
+
+install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
+install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named
+install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files
+
+%if %{with DLZ}
+ pushd build
+ pushd contrib/dlz/modules
+ for DIR in filesystem ldap mysql mysqldyn sqlite3; do
+ %make_install -C $DIR libdir=%{_libdir}/named
+ done
+ pushd ${RPM_BUILD_ROOT}/%{_libdir}/bind
+ cp -s ../named/dlz_*.so .
+ popd
+ mkdir -p doc/{mysql,mysqldyn}
+ cp -p mysqldyn/testing/README doc/mysqldyn/README.testing
+ cp -p mysqldyn/testing/* doc/mysqldyn
+ cp -p mysql/testing/* doc/mysql
+ popd
+ popd
+%endif
+
+# Install isc/errno2result.h header
+install -m 644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/bind9/isc
+
+# Remove libtool .la files:
+find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';
+
+# PKCS11 versions manpages
+%if %{with PKCS11}
+pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
+ln -s named.8.gz named-pkcs11.8.gz
+ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz
+ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz
+ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz
+ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz
+ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz
+ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz
+ln -s dnssec-settime.8.gz dnssec-settime-pkcs11.8.gz
+ln -s dnssec-signzone.8.gz dnssec-signzone-pkcs11.8.gz
+ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz
+popd
+%endif
+
+# 9.16.4 installs even manual pages for tools not generated
+%if %{without DNSTAP}
+rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/dnstap-read.1* || true
+%endif
+%if %{without LMDB}
+rm -f ${RPM_BUILD_ROOT}%{_mandir}/man8/named-nzd2nzf.8* || true
+%endif
+
+pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
+ln -s ddns-confgen.8.gz tsig-keygen.8.gz
+ln -s named-checkzone.8.gz named-compilezone.8.gz
+popd
+
+%if %{with DOC}
+mkdir -p ${RPM_BUILD_ROOT}%{_pkgdocdir}
+cp -a build/doc/arm/_build/html ${RPM_BUILD_ROOT}%{_pkgdocdir}
+rm -rf ${RPM_BUILD_ROOT}%{_pkgdocdir}/html/.{buildinfo,doctrees}
+# Backward compatible link to 9.11 documentation
+(cd ${RPM_BUILD_ROOT}%{_pkgdocdir} && ln -s html/index.html Bv9ARM.html)
+# Share static data from original sphinx package
+for DIR in %{python3_sitelib}/sphinx_rtd_theme/static/*
+do
+ BASE=$(basename -- "$DIR")
+ BINDTHEMEDIR="${RPM_BUILD_ROOT}%{_pkgdocdir}/html/_static/$BASE"
+ if [ -d "$BINDTHEMEDIR" ]; then
+ rm -rf "$BINDTHEMEDIR"
+ ln -s "$DIR" "$BINDTHEMEDIR"
+ fi
+done
+%endif
+%if %{with DOCPDF}
+cp -a build/doc/arm/Bv9ARM.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir}
+%endif
+
+# Ghost config files:
+touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log
+
+# configuration files:
+install -m 640 %{SOURCE16} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf
+touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf}
+install -m 644 %{SOURCE27} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.root.key
+install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}%{_sysconfdir}/trusted-key.key
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/named
+
+# data files:
+mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named
+install -m 640 %{SOURCE17} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca
+install -m 640 %{SOURCE18} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost
+install -m 640 %{SOURCE19} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback
+install -m 640 %{SOURCE20} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty
+install -m 640 %{SOURCE23} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones
+
+# sample bind configuration files for %%doc:
+mkdir -p sample/etc sample/var/named/{data,slaves}
+install -m 644 %{SOURCE25} sample/etc/named.conf
+# Copy default configuration to %%doc to make it usable from system-config-bind
+install -m 644 %{SOURCE16} named.conf.default
+install -m 644 %{SOURCE23} sample/etc/named.rfc1912.zones
+install -m 644 %{SOURCE18} %{SOURCE19} %{SOURCE20} sample/var/named
+install -m 644 %{SOURCE17} sample/var/named/named.ca
+for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do
+ echo '@ in soa localhost. root 1 3H 15M 1W 1D
+ ns localhost.' > sample/var/named/$f;
+done
+:;
+
+mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
+install -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf
+
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d
+install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
+
+%pre
+if [ "$1" -eq 1 ]; then
+ /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
+ /usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
+fi;
+:;
+
+%post
+%?ldconfig
+if [ -e "%{_sysconfdir}/selinux/config" ]; then
+ %selinux_set_booleans -s targeted %{selinuxbooleans}
+ %selinux_set_booleans -s mls %{selinuxbooleans}
+fi
+if [ "$1" -eq 1 ]; then
+ # Initial installation
+ [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
+ # rndc.key has to have correct perms and ownership, CVE-2007-6283
+ [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
+ [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
+else
+ # Upgrade, use invalid shell
+ if getent passwd named | grep ':/bin/false$' >/dev/null; then
+ /sbin/usermod -s /sbin/nologin named
+ fi
+ # Checkconf will parse out comments
+ if /usr/sbin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key
+ then
+ echo "Replacing obsolete named.iscdlv.key with named.root.key..."
+ if cp -Rf --preserve=all --remove-destination /etc/named.conf /etc/named.conf.rpmbackup; then
+ sed -e 's/named\.iscdlv\.key/named.root.key/' \
+ /etc/named.conf.rpmbackup > /etc/named.conf || \
+ mv /etc/named.conf.rpmbackup /etc/named.conf
+ fi
+ fi
+fi
+%systemd_post named.service
+:;
+
+%preun
+# Package removal, not upgrade
+%systemd_preun named.service
+
+%postun
+%?ldconfig
+# Package upgrade, not uninstall
+%systemd_postun_with_restart named.service
+if [ -e "%{_sysconfdir}/selinux/config" ]; then
+ %selinux_unset_booleans -s targeted %{selinuxbooleans}
+ %selinux_unset_booleans -s mls %{selinuxbooleans}
+fi
+
+%if %{with PKCS11}
+%post pkcs11
+# Initial installation
+%systemd_post named-pkcs11.service
+
+%preun pkcs11
+# Package removal, not upgrade
+%systemd_preun named-pkcs11.service
+
+%postun pkcs11
+# Package upgrade, not uninstall
+%systemd_postun_with_restart named-pkcs11.service
+%endif
+
+# Fix permissions on existing device files on upgrade
+%define chroot_fix_devices() \
+if [ $1 -gt 1 ]; then \
+ for DEV in "%{1}/dev"/{null,random,zero}; do \
+ if [ -e "$DEV" -a "$(/bin/stat --printf="%G %a" "$DEV")" = "root 644" ]; \
+ then \
+ /bin/chmod 0664 "$DEV" \
+ /bin/chgrp named "$DEV" \
+ fi \
+ done \
+fi
+
+%triggerun -- bind < 32:9.9.0-0.6.rc1
+/sbin/chkconfig --del named >/dev/null 2>&1 || :
+/bin/systemctl try-restart named.service >/dev/null 2>&1 || :
+
+%ldconfig_scriptlets libs
+
+%if %{with PKCS11}
+%ldconfig_scriptlets pkcs11-libs
+%endif
+
+%post chroot
+%systemd_post named-chroot.service
+%chroot_fix_devices %{chroot_prefix}
+:;
+
+%posttrans chroot
+if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
+ [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1;
+fi;
+
+%preun chroot
+# wait for stop of both named-chroot and named-chroot-setup services
+# on uninstall
+%systemd_preun named-chroot.service named-chroot-setup.service
+:;
+
+%postun chroot
+# Package upgrade, not uninstall
+%systemd_postun_with_restart named-chroot.service
+
+
+%files
+# TODO: Move from lib/bind to lib/named, as used by upstream
+%dir %{_libdir}/bind
+%dir %{_libdir}/named
+%{_libdir}/named/*.so
+%exclude %{_libdir}/named/dlz_*.so
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named
+%config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key
+%config(noreplace) %{_sysconfdir}/logrotate.d/named
+%{_tmpfilesdir}/named.conf
+%{_sysconfdir}/rwtab.d/named
+%{_unitdir}/named.service
+%{_unitdir}/named-setup-rndc.service
+%{_sbindir}/named-journalprint
+%{_sbindir}/named-checkconf
+%{_bindir}/named-rrchecker
+%{_bindir}/mdig
+%{_sbindir}/named
+%{_sbindir}/rndc*
+%{_libexecdir}/generate-rndc-key.sh
+%{_mandir}/man1/mdig.1*
+%{_mandir}/man1/named-rrchecker.1*
+%{_mandir}/man5/named.conf.5*
+%{_mandir}/man5/rndc.conf.5*
+%{_mandir}/man8/rndc.8*
+%{_mandir}/man8/named.8*
+%{_mandir}/man8/named-checkconf.8*
+%{_mandir}/man8/rndc-confgen.8*
+%{_mandir}/man8/named-journalprint.8*
+%{_mandir}/man8/filter-aaaa.8.gz
+%doc CHANGES README named.conf.default
+%doc sample/
+
+# Hide configuration
+%defattr(0640,root,named,0750)
+%dir %{_sysconfdir}/named
+%config(noreplace) %verify(not link) %{_sysconfdir}/named.conf
+%config(noreplace) %verify(not link) %{_sysconfdir}/named.rfc1912.zones
+%defattr(0660,root,named,01770)
+%dir %{_localstatedir}/named
+%defattr(0660,named,named,0770)
+%dir %{_localstatedir}/named/slaves
+%dir %{_localstatedir}/named/data
+%dir %{_localstatedir}/named/dynamic
+%ghost %{_localstatedir}/log/named.log
+%defattr(0640,root,named,0750)
+%config %verify(not link) %{_localstatedir}/named/named.ca
+%config %verify(not link) %{_localstatedir}/named/named.localhost
+%config %verify(not link) %{_localstatedir}/named/named.loopback
+%config %verify(not link) %{_localstatedir}/named/named.empty
+%ghost %config(noreplace) %{_sysconfdir}/rndc.key
+# ^- rndc.key now created on first install only if it does not exist
+%ghost %config(noreplace) %{_sysconfdir}/rndc.conf
+# ^- The default rndc.conf which uses rndc.key is in named's default internal config -
+# so rndc.conf is not necessary.
+%defattr(-,named,named,-)
+%dir /run/named
+
+%files libs
+%{_libdir}/libbind9-%{version}*.so
+%{_libdir}/libisccc-%{version}*.so
+%{_libdir}/libns-%{version}*.so
+%{_libdir}/libdns-%{version}*.so
+%{_libdir}/libirs-%{version}*.so
+%{_libdir}/libisc-%{version}*.so
+%{_libdir}/libisccfg-%{version}*.so
+
+%files license
+%{!?_licensedir:%global license %%doc}
+%license COPYRIGHT
+
+%files utils
+%{_bindir}/dig
+%{_bindir}/delv
+%{_bindir}/host
+%{_bindir}/nslookup
+%{_bindir}/nsupdate
+%{_bindir}/arpaname
+%{_sbindir}/ddns-confgen
+%{_sbindir}/tsig-keygen
+%{_sbindir}/nsec3hash
+%{_sbindir}/named-checkzone
+%{_sbindir}/named-compilezone
+%if %{with DNSTAP}
+%{_bindir}/dnstap-read
+%{_mandir}/man1/dnstap-read.1*
+%endif
+%if %{with LMDB}
+%{_sbindir}/named-nzd2nzf
+%{_mandir}/man8/named-nzd2nzf.8*
+%endif
+%{_mandir}/man1/host.1*
+%{_mandir}/man1/nsupdate.1*
+%{_mandir}/man1/dig.1*
+%{_mandir}/man1/delv.1*
+%{_mandir}/man1/nslookup.1*
+%{_mandir}/man1/arpaname.1*
+%{_mandir}/man8/ddns-confgen.8*
+%{_mandir}/man8/tsig-keygen.8*
+%{_mandir}/man8/nsec3hash.8*
+%{_mandir}/man8/named-checkzone.8*
+%{_mandir}/man8/named-compilezone.8*
+%{_sysconfdir}/trusted-key.key
+
+%files dnssec-utils
+%{_sbindir}/dnssec*
+%if %{with PKCS11}
+%exclude %{_sbindir}/dnssec*pkcs11
+%endif
+
+%files dnssec-doc
+%{_mandir}/man8/dnssec*.8*
+%if %{with PKCS11}
+%exclude %{_mandir}/man8/dnssec*-pkcs11.8*
+%endif
+
+%files devel
+%{_libdir}/libbind9.so
+%{_libdir}/libisccc.so
+%{_libdir}/libns.so
+%{_libdir}/libdns.so
+%{_libdir}/libirs.so
+%{_libdir}/libisc.so
+%{_libdir}/libisccfg.so
+%dir %{_includedir}/bind9
+%{_includedir}/bind9/bind9
+%{_includedir}/bind9/isccc
+%{_includedir}/bind9/ns
+%{_includedir}/bind9/dns
+%{_includedir}/bind9/dst
+%{_includedir}/bind9/irs
+%{_includedir}/bind9/isc
+%dir %{_includedir}/bind9/pk11
+%{_includedir}/bind9/pk11/site.h
+%{_includedir}/bind9/isccfg
+
+%files chroot
+%config(noreplace) %{_sysconfdir}/named-chroot.files
+%{_unitdir}/named-chroot.service
+%{_unitdir}/named-chroot-setup.service
+%{_libexecdir}/setup-named-chroot.sh
+%defattr(0664,root,named,-)
+%ghost %dev(c,1,3) %verify(not mtime) %{chroot_prefix}/dev/null
+%ghost %dev(c,1,8) %verify(not mtime) %{chroot_prefix}/dev/random
+%ghost %dev(c,1,9) %verify(not mtime) %{chroot_prefix}/dev/urandom
+%ghost %dev(c,1,5) %verify(not mtime) %{chroot_prefix}/dev/zero
+%defattr(0640,root,named,0750)
+%dir %{chroot_prefix}
+%dir %{chroot_prefix}/dev
+%dir %{chroot_prefix}%{_sysconfdir}
+%dir %{chroot_prefix}%{_sysconfdir}/named
+%dir %{chroot_prefix}%{_sysconfdir}/pki
+%dir %{chroot_prefix}%{_sysconfdir}/pki/dnssec-keys
+%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies
+%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies/back-ends
+%dir %{chroot_prefix}%{_localstatedir}
+%dir %{chroot_prefix}/run
+%ghost %config(noreplace) %{chroot_prefix}%{_sysconfdir}/named.conf
+%defattr(-,root,root,-)
+%dir %{chroot_prefix}/usr
+%dir %{chroot_prefix}/%{_libdir}
+%dir %{chroot_prefix}/%{_libdir}/bind
+%dir %{chroot_prefix}/%{_datadir}/GeoIP
+%{chroot_prefix}/proc
+%defattr(0660,root,named,01770)
+%dir %{chroot_prefix}%{_localstatedir}/named
+%defattr(0660,named,named,0770)
+%dir %{chroot_prefix}%{_localstatedir}/tmp
+%dir %{chroot_prefix}%{_localstatedir}/log
+%defattr(-,named,named,-)
+%dir %{chroot_prefix}/run/named
+%{chroot_prefix}%{_localstatedir}/run
+
+%if %{with PKCS11}
+%files pkcs11
+%{_sbindir}/named-pkcs11
+%{_unitdir}/named-pkcs11.service
+%{_mandir}/man8/named-pkcs11.8*
+%{_libexecdir}/setup-named-softhsm.sh
+
+%files pkcs11-utils
+%{_sbindir}/dnssec*pkcs11
+%{_sbindir}/pkcs11-destroy
+%{_sbindir}/pkcs11-keygen
+%{_sbindir}/pkcs11-list
+%{_sbindir}/pkcs11-tokens
+%{_mandir}/man8/pkcs11*.8*
+%{_mandir}/man8/dnssec*-pkcs11.8*
+
+%files pkcs11-libs
+%{_libdir}/libdns-pkcs11-%{version}*.so
+%{_libdir}/libns-pkcs11-%{version}*.so
+
+%files pkcs11-devel
+%{_includedir}/bind9/pk11/*.h
+%exclude %{_includedir}/bind9/pk11/site.h
+%{_includedir}/bind9/pkcs11
+%{_libdir}/libdns-pkcs11.so
+%{_libdir}/libns-pkcs11.so
+%endif
+
+%if %{with DLZ}
+%files dlz-filesystem
+%{_libdir}/{named,bind}/dlz_filesystem_dynamic.so
+
+%files dlz-mysql
+%{_libdir}/{named,bind}/dlz_mysql_dynamic.so
+%doc build/contrib/dlz/modules/doc/mysql
+%{_libdir}/{named,bind}/dlz_mysqldyn_mod.so
+%doc build/contrib/dlz/modules/doc/mysqldyn
+
+%files dlz-ldap
+%{_libdir}/{named,bind}/dlz_ldap_dynamic.so
+%doc contrib/dlz/modules/ldap/testing/*
+
+%files dlz-sqlite3
+%{_libdir}/{named,bind}/dlz_sqlite3_dynamic.so
+%doc contrib/dlz/modules/sqlite3/testing/*
+
+%endif
+
+%files -n python3-bind
+%{python3_sitelib}/*.egg-info
+%{python3_sitelib}/isc/
+
+%if %{with DOC}
+%files doc
+%dir %{_pkgdocdir}
+%doc %{_pkgdocdir}/Bv9ARM.html
+%doc %{_pkgdocdir}/html
+%endif
+%if %{with DOCPDF}
+%doc %{_pkgdocdir}/Bv9ARM.pdf
+%endif
+
+%changelog
+* Fri Nov 19 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-1
+- Update to 9.16.23 (#2024210)
+
+* Wed Oct 13 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-5
+- Propagate ephemeral port ranges to chroot (#2013595)
+
+* Tue Oct 12 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-4
+- Fixes listening on TCP in some race conditions (#1999691)
+
+* Tue Oct 12 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-3
+- Include documentation of dig return codes (#1989909)
+
+* Thu Aug 19 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-2
+- Fix map file format incompatibility
+- Actually enable LMDB support
+
+* Tue Aug 17 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-1
+- Update to 9.16.20
+
+* Mon Aug 09 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.19-4
+- Do not depend on systemd package
+
+* Mon Aug 09 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.19-3
+- Include backward compatible html symlink in doc subpackage
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 32:9.16.19-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Wed Jul 21 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.19-1
+- Update to 9.16.19 (#1956777)
+
+* Thu Jun 24 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.16-1
+- Update to 9.16.16 (#1956777)
+
+* Thu Jun 24 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.15-3
+- Disable building of DLZ and PKCS11
+- Build HTML documentation into separate bind-doc subpackage
+- Enable DNSTAP feature (#1975268)
+- Enable LMDB support (#1975775)
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 32:9.16.15-2
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+ Related: rhbz#1971065
+
+* Thu Apr 29 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.15-1
+- Update to 9.16.15
+
+* Thu Apr 15 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.13-1
+- Update to 9.16.13
+- Changed displayed version just to include -RH suffix, not release
+- Version is now part of library names, soname versions are no longer provided
+- Removed bind-libs-lite subpackage
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 32:9.16.11-6
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Fri Feb 26 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.11-5
+- Make logrotate.d world-readable (#1917061)
+
+* Mon Feb 22 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.11-4
+- Fix off-by-one bug in ISC SPNEGO implementation (#1929965)
+
+* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 32:9.16.11-3
+- rebuild for libpq ABI fix rhbz#1908268
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.16.11-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Jan 21 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.11-1
+- Update to 9.16.11 (#1827602)
+- Avoid unit test failures on machines with many cores
+
+* Thu Jan 14 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.10-2
+- Update to 9.16.10
+- Remove bind-sdb package
+- https://fedoraproject.org/wiki/Changes/BIND9.16
+
+* Wed Jan 13 08:55:11 CET 2021 Adrian Reber <adrian@lisas.de> - 32:9.11.26-3
+- Rebuilt for protobuf 3.14
+
+* Wed Jan 06 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-2
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Mon Jan 04 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-1
+- Update to 9.11.26
+
+* Mon Nov 30 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.25-2
+- Regenerate all manual pages on build
+
+* Thu Nov 26 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.25-1
+- Update to 9.11.25
+
+* Wed Nov 04 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.24-2
+- Fix crash on NTA recheck failure (#1893761)
+
+* Fri Oct 23 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.24-1
+- Update to 9.11.24
+
+* Wed Sep 23 2020 Adrian Reber <adrian@lisas.de> - 32:9.11.23-2
+- Rebuilt for protobuf 3.13
+
+* Thu Sep 17 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.23-1
+- Update to 9.11.23
+- Merge bind-lite-devel into devel package
+
+* Tue Sep 01 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.22-2
+- Require libcap from devel package
+
+* Thu Aug 20 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.22-1
+- Update to 9.11.22
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.21-3
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.21-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.21-1
+- Update to 9.11.21
+
+* Tue Jun 23 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-3
+- Move documentation to separate bind-doc package
+
+* Sat Jun 20 2020 Adrian Reber <adrian@lisas.de> - 32:9.11.20-2
+- Rebuilt for protobuf 3.12
+
+* Wed Jun 17 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-1
+- Update to 9.11.20
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 32:9.11.19-2
+- Rebuilt for Python 3.9
+
+* Fri May 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.19-1
+- Update to 9.11.19 (CVE-2020-8616, CVE-2020-8617)
+- Make initscripts just optional dependency
+
+* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 32:9.11.18-2
+- Rebuild (json-c)
+
+* Thu Apr 16 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.18-1
+- Update to 9.11.18
+
+* Tue Mar 31 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.17-1
+- Update to 9.11.17
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.14-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+ * Wed Jan 08 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.14-4
+- Remove libmaxminddb-devel from devel package dependencies
+
+* Fri Jan 03 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.14-3
+- Preserve symlinks to named.conf on iscdlv modification (#1786626)
+
+* Thu Dec 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.14-2
+- Include more Thread Sanitizer detected changes (#1736762)
+
+* Thu Dec 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.14-1
+- Update to 9.11.14
+
+* Tue Dec 03 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-4
+- Disable Berkeley DB support (#1779190)
+
+* Mon Dec 02 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-3
+- Backport few thread safety related fixed from upstream (#1736762)
+
+* Tue Nov 26 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-2
+- Complete explicit disabling of RSAMD5 in FIPS mode (#1709553)
+
+* Tue Nov 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-1
+- Update to 9.11.13
+
+* Tue Nov 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-6
+- Report failures on systemctl reload
+
+* Tue Nov 12 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-5
+- Fix binary compatibility after serve-stale patch (#1770492)
+
+* Wed Nov 06 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-4
+- Backported serve-stale feature
+
+* Wed Nov 06 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-3
+- Fix wrong default GeoIP directory (#1768258)
+
+* Mon Nov 04 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-2
+- Move data files outside config archive
+- Specify geoip data directory in config file (#1768258)
+
+* Mon Oct 21 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-1
+- Update to 9.11.12 (#1557762)
+
+* Wed Sep 25 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.11-1
+- Update to 9.11.11
+
+* Wed Sep 04 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.10-3
+- Share pkcs11-utils and dnssec-utils manuals instead of recommend
+
+* Tue Sep 03 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.10-2
+- Move some administration utilities back to bind-utils (#1720380)
+- Add GeoIP to bind-chroot (#1497646)
+- Recommend bind-dnssec-utils from bind-pkcs11-utils
+
+* Tue Aug 27 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.10-1
+- Update to 9.11.10
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 32:9.11.9-4
+- Rebuilt for Python 3.8
+
+* Fri Aug 09 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.9-3
+- Display errors from rndc reload (#1739441)
+
+* Thu Aug 08 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.9-2
+- Permit explicit disabling of RSAMD5 in FIPS mode (#1709553)
+
+* Wed Jul 24 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.9-1
+- Update to 9.11.9
+- Add GeoLite2 support
+- Disable export-libs
+
+* Wed Jul 24 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.8-2
+- Use monotonic time in export library (#1732883)
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jul 02 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.8-1
+- Update to 9.11.8
+
+* Mon Jun 17 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.7-2
+- Fix OpenSSL random generator initialization
+
+* Mon Jun 10 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.7-1
+- Update to 9.11.7
+
+* Mon May 06 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.6-5.P1
+- Fix also postun script
+
+* Mon May 06 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.6-4.P1
+- Fix error in scriptlet condition
+
+* Thu May 02 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.6-3.P1
+- Fix inefective limit of TCP clients (CVE-2018-5743)
+
+* Thu Mar 14 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.6-2
+- Fix dnstap and timer issues in unit test
+- Enable DLZ modules
+
+* Tue Mar 05 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.6-1
+- Update to 9.11.6
+
+* Fri Mar 01 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-15.P4
+- Support testing of named variants
+
+* Thu Feb 28 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-14.P4
+- Modify feature-test detection of dlz-filesystem
+
+* Fri Feb 22 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-13.P4
+- Update to 9.11.5-P4
+
+* Fri Feb 22 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-12.P1
+- Enable DNSTAP support (#1564776)
+- Enable LMDB support for rndc addzone
+- Enable json format in statistics-channel
+
+* Thu Feb 21 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-11.P1
+- Disable often failing unit test random_test
+
+* Thu Feb 21 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-10.P1
+- Disable autodetected eddsa algorithm ED448
+
+* Thu Jan 31 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-9.P1
+- dig prints ASCII name instead of failure (#1647829)
+- disable IDN output from scripts
+- Update project URL
+- Removed revoked KSK 19164 from trusted keys
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.5-8.P1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sun Jan 27 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-7.P1
+- Update to 9.11.5-P1
+
+* Wed Jan 23 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-6
+- Reenable crypto rand for DHCP, disable just entropy check (#1663318)
+
+* Thu Jan 17 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-5
+- Move dnssec related tools from bind-utils to bind-dnssec-utils (#1649398)
+
+* Wed Jan 16 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-4
+- Reject invalid binary file (#1666814)
+
+* Mon Jan 14 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-3
+- Disable crypto rand for DHCP (#1663318)
+
+* Thu Oct 25 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-2
+- Add optional support for JSON statistics
+- Add optional DNSTAP support (#1564776), new dnstap-read tool
+
+* Wed Oct 24 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-1
+- Update to 9.11.5
+
+* Tue Oct 02 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-12.P2
+- Add Requires to devel packages referenced by bind-devel
+
+* Sat Sep 29 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 32:9.11.4-11.P2
+- Fix export-libs macro & scriptlet
+
+* Wed Sep 26 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-10.P2
+- Reenable IDN output but allow turning it off (#1580200)
+
+* Thu Sep 20 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-9.P2
+- Update to bind-9.11.4-P2
+- Add /dev/urandom to chroot (#1631515)
+
+* Fri Aug 24 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-8.P1
+- Replace unoptimized code by OpenSSL counterparts
+- Fix multilib conflicts of devel package
+- Add versioned depends to all library subpackages
+
+* Fri Aug 24 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-7.P1
+- Add support for OpenSSL provided random data
+
+* Mon Aug 13 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-6.P1
+- Fix sdb-chroot devices upgrade (#1592873)
+- Automatically replace obsoleted ISC DLV key with root key (#1595782)
+
+* Thu Aug 09 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-5.P1
+- Update to 9.11.4-P1
+- Adds root key sentinel support
+- Large IXFR zone transfers are rejected to prevent journal corruption
+
+* Thu Aug 02 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-4
+- Support unavailable MD5 in FIPS mode
+
+* Thu Aug 02 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-3
+- Use OpenSSL for digest operations (#1611537)
+
+* Tue Jul 31 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-2
+- Install generated manual pages
+
+* Thu Jul 12 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-1
+- Update to 9.11.4
+- Use kyua instead of kyua-cli for unit tests
+
+* Thu Jul 12 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-15
+- Use new config file named-chroot.files for chroot setup (#1429656)
+- Fix chroot devices file verification (#1592873)
+- Prevent errors on bind-chroot uninstall when running (#1600583)
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.3-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 32:9.11.3-13
+- Rebuilt for Python 3.7
+
+* Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-12
+- Require utils instead of library
+
+* Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-11
+- Remove named.iscdlv.key file (#1595782)
+- Fix CVE-2018-5738
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 32:9.11.3-10
+- Rebuilt for Python 3.7
+
+* Fri May 25 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-9
+- Make named home writeable (#1422680)
+- Change named shell to /bin/false
+
+* Fri May 25 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-8
+- Require C++ on build when shipped atf library is used
+
+* Mon Apr 09 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-7
+- Run tests also without kyua
+
+* Thu Apr 05 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-6
+- Do not link libidn2 to all libraries (#1098783)
+- Update named.ca
+
+* Tue Apr 03 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-5
+- Enable libidn2 support (#1098783)
+- Make +noidnout default
+- Compile export libs without GSSAPI
+
+* Wed Mar 21 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-4
+- Rebase to 9.11.3
+- Add dig support for libidn2 (#1098783)
+
+* Wed Mar 21 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-3.b1
+- Fix build with disabled unittest
+- Recommend softhsm from pkcs11 variant
+
+* Thu Feb 22 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-2.b1
+- Require openssl-devel and libcap-devel from bind-export-devel
+- Conflict with bind99-devel
+- Change spec globals to rpmbuild --with feature
+
+* Thu Feb 15 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-1.b1
+- Rebase to 9.11.3b1
+
+* Wed Feb 07 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-11.P1
+- Use versioned provides
+- Fix starting of unit tests
+- Forward export libs path to isc-config
+- Rename export devel subpackage to bind-export-devel
+
+* Wed Feb 07 2018 Pavel Zhukov <pzhukov@redhat.com> - 32:9.11.2-10.P1
+- Add obsoletes/provides tags for smooth update
+
+* Wed Feb 07 2018 Pavel Zhukov <pzhukov@redhat.com> - 32:9.11.2-9.P1
+- Build devel package for export-libs
+
+* Wed Feb 07 2018 Pavel Zhukov <pzhukov@redhat.com> - 32:9.11.2-8.P1
+- Build export libraries with disabled threads and selects
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.2-7.P1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Jan 30 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-6.P1
+- Remove ldconfig calls where possible
+- Note -z defs cannot be enabled until more work
+
+* Tue Jan 16 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-5.P1
+- Fix CVE-2017-3145, rebase to 9.11.2-P1
+
+* Tue Jan 02 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-4
+- Enable unit tests with kyua tool (#1532694)
+- Provide internal tool to prepare softhsm token storage
+- Proper fix for python3-bind subpackage directory ownership (#1522944)
+
+* Fri Dec 15 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-3
+- Own python3-bind isc directory (#1522944)
+- Make tsstsig system test pass again (#1500017)
+
+* Mon Oct 23 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-2
+- Build against mariadb-connector-c-devel (#1493615)
+- Include DNSKEY 20326 also in trusted-key.key (#1505476)
+- Fix dynamic symbols conflict with ldap (#1205168)
+- Use hmac-sha256 for new RNDC keys (#1508003)
+- Include protocols and services in chroot
+
+* Wed Aug 02 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-1
+- Update to 9.11.2
+- Add recursing and secroots file into default and sample config
+- Fix nsupdate GSSAPI auth against AD server (#1484451)
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.1-6.P3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.1-5.P3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jul 14 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.1-4.P3
+- Simplify change of default configuration file path
+
+* Thu Jul 13 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.1-3.P3
+- Use mysql_config for SDB variant, build against mariadb-devel
+
+* Mon Jul 10 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.1-2.P3
+- Update to 9.11.1-P3
+
+* Fri Jun 30 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.1-2.P2
+- Update to 9.11.1-P2
+
+* Thu Jun 29 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.1-2.P1
+- dnssec-checkds and dnssec-coverage requires python module (#1466183)
+
+* Thu Jun 15 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.1-1.P1
+- Update to 9.11.1-P1
+
+* Fri Apr 21 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-8.P5
+- Fix queries for TKEY in nsupdate, when using GSSAPI (#1236087)
+
+* Thu Apr 13 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-7.P5
+- Update to 9.11.0-P5
+- Use BINDVERSION for upstream version
+
+* Fri Feb 10 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-7.P3
+- Update to 9.11.0-P3
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.11.0-7.P2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Jan 18 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-6.P2
+- RTLD_DEEPBIND conflicts with pkcs11 libraries, skip it for dyndb (#1410433)
+- Fix some rpm warnings
+
+* Mon Jan 16 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-5.P2
+- Fix manual pages generated by recent docbook-style-xsl (#1397186)
+
+* Thu Jan 12 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-4.P2
+- Update to 9.11.0-P2
+
+* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 32:9.11.0-4.P1
+- Rebuild for Python 3.6
+
+* Tue Nov 22 2016 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-3.P1
+- Split pk11 includes, include real functions only in pkcs11 variant
+
+* Wed Nov 16 2016 Petr Menšík <pemensik@redhat.com> - 32:9.11.0-2.P1
+- Do not change lib permissions in chroot
+
+* Wed Nov 16 2016 Michal Ruprich <mruprich@redhat.com> - 32:9.11.0-1.P1
+- Update to 9.11.0-P1
+
+* Tue Nov 08 2016 Petr Menšík <pemensik@redhat.com> - 32:9.10.4-3.P4
+- Build with OpenSSL 1.1
+
+* Thu Nov 03 2016 Petr Menšík <pemensik@redhat.com> - 32:9.10.4-2.P4
+- Update to 9.10.4-P4
+
+* Thu Sep 29 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.4-2.P3
+- Update to 9.10.4-P3
+
+* Wed Jul 20 2016 Michal Ruprich <mruprich@redhat.com> - 32:9.10.4-1.P2
+- Update to 9.10.4-P2
+
+* Thu May 26 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.4-1.P1
+- Update to 9.10.4-P1
+
+* Fri May 20 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-14.P4
+- (un)mount /var/named in -chroot packages as the last directory (Related: #1279188)
+
+* Thu May 12 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-13.P4
+- Remove NM dispatcher script, since it is not needed any more (#1277257)
+- Replaced After=network-online.target with After=network.target in all unit files
+
+* Fri Mar 11 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-12.P4
+- Update to 9.10.3-P4 due to CVE-2016-1285 CVE-2016-1286 CVE-2016-2088
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.10.3-11.P3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Jan 21 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-10.P3
+- Update to 9.10.3-P3 due to CVE-2015-8704 and CVE-2015-8705 (#1300051)
+
+* Wed Jan 06 2016 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-9.P2
+- Commented out bindkeys-file statement in default configuration (#1223365#c3)
+- Removed unrecognized configure option --enable-developer
+- Added configure option --enable-full-report to get report on enabled features
+
+* Sat Dec 26 2015 Robert Scheck <robert@fedoraproject.org> - 32:9.10.3-8.P2
+- Remove unrecognized build options for %%configure
+- Own %%{_includedir}/bind9 directory in -lite-devel
+- Fixed building without (optional) PKCS#11 support
+
+* Wed Dec 16 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-7.P2
+- bump release to maintain update path
+
+* Wed Dec 16 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-4.P2
+- Update to 9.10.3-P2
+
+* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.10.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Wed Nov 04 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-2
+- Fixed named-checkconf call in *-chroot.service files (#1277820)
+
+* Thu Sep 17 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.3-1
+- Update to 9.10.3 stable
+
+* Thu Sep 03 2015 Tomas Hozza <thozza@redhat.com>
+- Update to 9.10.3rc1
+
+* Wed Jul 29 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-9.P3
+- Update to 9.10.2-P3 to fix CVE-2015-5477
+
+* Thu Jul 09 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-8.P2
+- Update to 9.10.2-P2
+
+* Mon Jun 29 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-7.P1
+- Reintroduce the DISABLE_ZONE_CHECKING into /etc/sysconfig/named
+
+* Fri Jun 19 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-6.P1
+- Update to 9.10.2-P1
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.10.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed May 27 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-4
+- Don't copy /etc/localtime on -chroot package installation
+
+* Fri May 22 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-3
+- Don't use ISC's DLV by default (#1223365)
+- Utilize system-wide crypto-policies (#1179925)
+
+* Thu May 21 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-2
+- enable tuning for large systems - increases hardcoded internal limits
+- enable GeoIP access control feature
+
+* Thu Feb 26 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-1
+- update to 9.10.2 stable
+- remove parallel-build patch after discussion with upstream [ISC-Bugs #38739]
+
+* Wed Feb 25 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-0.3.rc1
+- update to 9.10.2rc2
+- call ldconfig for pkcs11-libs
+- Use Python3 by default (#1186791)
+
+* Sat Feb 21 2015 Till Maas <opensource@till.name> - 32:9.10.2-0.2.rc1
+- Rebuilt for Fedora 23 Change
+ https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Mon Feb 02 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.2-0.1.rc1
+- update to 9.10.2rc1
+- fix nsupdate server auto-detection (#1184151)
+- drop merged patch bind99-rh985918.patch
+
+* Fri Jan 16 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.1-2.P1
+- Install config for tmpfiles under %%{_tmpfilesdir} (#1181020)
+
+* Tue Jan 13 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.1-1.P1
+- Update to 9.10.1-P1 stable
+
+* Fri Dec 12 2014 Tomas Hozza <thozza@redhat.com> - 32:9.9.6-6.P1
+- Drop downstream patch for nslookup/host rejected by upstream
+
+* Tue Dec 09 2014 Tomas Hozza <thozza@redhat.com> - 32:9.9.6-5.P1
+- Update to 9.9.6-P1 (CVE-2014-8500)
+
+* Fri Nov 14 2014 Tomas Hozza <thozza@redhat.com> - 32:9.9.6-4
+- Fixed systemctl path in logrotate configuration (#1148360)
+- drop engine_pkcs11 dependency, since we use native PKCS#11 implementation
+
+* Wed Oct 22 2014 Petr Spacek <pspacek@redhat.com> - 32:9.9.6-3
+- Fix crash during GSS-TSIG processing (#1155334, #1155127)
+ introduced in 32:9.9.6-2
+
+* Tue Oct 14 2014 Tomas Hozza <thozza@redhat.com> - 32:9.9.6-2
+- Added native PKCS#11 functionality (#1097752)
+- bind-sdb now requires bind due to configuration and other utilities
+- bind-pkcs11 now requires bind due to configuration and other utilities
+
+* Thu Oct 02 2014 Tomas Hozza <thozza@redhat.com> - 32:9.9.6-1
+- Update to 9.9.6
+- drop merged patches and rebase some of existing patches
+- Add architecture specific dependencies.
+- Fix assert in dig when using +sigchase (#985918)
+
+* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.9.5-9.P1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 18 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-8.P1
+- Use network-online.target instead of network.target (#1117086)
+
+* Fri Jul 11 2014 Tom Callaway <spot@fedoraproject.org> 32:9.9.5-7.P1
+- fix license handling
+
+* Thu Jun 12 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-6.P1
+- Update to 9.9.5-P1
+
+* Mon Jun 09 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-5
+- Use /dev/urandom for generation of rndc.key (#1079799)
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.9.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue Apr 22 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-3
+- configure bind with --with-dlopen=yes to support dynamically loadable DLZ drivers
+
+* Wed Mar 05 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-2
+- dlz_dlopen driver could return the wrong error leading to a segfault (#1052781)
+- Fix race condition when freeing fetch object (ISC-Bugs #35385)
+
+* Thu Feb 13 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-1
+- Update to 9.9.5 stable
+
+* Sun Jan 26 2014 Rex Dieter <rdieter@fedoraproject.org> 32:9.9.5-0.5.rc2
+- -libs, -libs-lite: track sonames, so abi bumps aren't a surprise
+
+* Fri Jan 24 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-0.4.rc2
+- update to 9.9.5rc2
+- merged patches dropped
+- some patches rebased to the new version
+
+* Wed Jan 15 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-0.3.b1
+- non-existance of resolv.conf should not be fatal (#1052343)
+
+* Tue Jan 14 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-0.2.b1
+- Fix CVE-2014-0591
+
+* Mon Jan 06 2014 Tomas Hozza <thozza@redhat.com> 32:9.9.5-0.1.b1
+- Update to bind-9.9.5b1
+- Build bind-sdb against libdb instead of libdb4
+
+* Wed Dec 18 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-11
+- Fix crash in rbtdb after two sucessive getoriginnode() calls
+
+* Tue Dec 17 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-10
+- Split chroot package for named and named-sdb
+- Extract setting-up/destroying of chroot to a separate systemd service (#997030)
+
+* Thu Nov 28 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-9
+- Fixed memory leak in nsupdate if 'realm' was used multiple times (#984687)
+
+* Tue Nov 12 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-8
+- Install configuration for rwtab and fix chroot setup script
+
+* Thu Oct 31 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-7
+- Correct the upstream patch for #794940
+
+* Thu Oct 31 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-6
+- use --enable-filter-aaaa when building bind to enable use of filter-aaaa-on-v4 option
+
+* Wed Oct 30 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-5
+- Create symlink /var/named/chroot/var/run -> /var/named/chroot/run
+- Added session-keyfile statement into default named.conf since we use /run/named
+
+* Tue Oct 29 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-4
+- Use upstream version of patch for previously fixed #794940
+
+* Fri Oct 18 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-3
+- Fix race condition on send buffers in dighost.c (#794940)
+
+* Tue Oct 08 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-2
+- install isc/errno2result.h header
+
+* Fri Sep 20 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-1
+- Update to bind-9.9.4 stable
+
+* Tue Sep 10 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.9.rc2
+- Fix [ISC-Bugs #34738] dns_journal_open() returns a pointer to stack
+
+* Mon Sep 09 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.8.rc2
+- update to bind-9.9.4rc2
+
+* Tue Aug 20 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.7.rc1
+- Move named-checkzone and named-compilezone to bind-utils package
+
+* Tue Aug 20 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.6.rc1
+- Move tools that don't need the server to run, from main package to bind-utils (#964313)
+
+* Fri Aug 16 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.5.rc1
+- Don't generate rndc.key if there exists rndc.conf
+
+* Fri Aug 16 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.4.rc1
+- don't install named-sdb.service if SDB macro is defined to zero
+
+* Mon Aug 05 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.3.rc1
+- Fix setup-named-chroot.sh to mount/umount everything successfully
+- update to bind-9.9.4rc1
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.9.4-0.2.b1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Jul 15 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.1.b1
+- update to bind-9.9.4b1
+- drop merged RRL patch
+- drop merged stat.h patch
+
+* Wed Jun 05 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-3.P1
+- update to 9.9.3-P1 (fix for CVE-2013-3919)
+- update RRL patch to 9.9.3-P1-rl.156.01
+
+* Mon Jun 03 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-2
+- bump release to prevent update path issues
+
+* Mon Jun 03 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-1
+- update to 9.9.3
+- install dns/update.h header
+- update RRL patch to the latest version 9.9.3-rl.150.20
+
+* Fri May 17 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-0.7.rc2
+- Fix segfault in host/nslookup (#878139)
+
+* Mon May 13 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-0.6.rc2
+- update to 9.9.3rc2
+- part of bind97-exportlib.patch not needed any more
+- bind-9.9.1-P2-multlib-conflict.patch modified to reflect latest source
+- rl-9.9.3rc1.patch -> rl-9.9.3rc2.patch
+- bind99-opts.patch merged
+
+* Fri May 03 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-0.5.rc1
+- Include recursion Warning in named.conf and named.conf.sample (#740894)
+- Include managed-keys-directory statement in named.conf.sample (#948026)
+
+* Thu May 02 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-0.4.rc1
+- Fix zone2sqlite to quote table names when creating/dropping/inserting (#919417)
+
+* Fri Apr 19 2013 Adam Tkac <atkac redhat com> 32:9.9.3-0.3.rc1
+- fix crash in nsupdate when processing "-r" parameter (#949544)
+
+* Tue Apr 16 2013 Adam Tkac <atkac redhat com> 32:9.9.3-0.2.rc1
+- ship dns/rrl.h in -devel subpkg
+
+* Tue Apr 16 2013 Adam Tkac <atkac redhat com> 32:9.9.3-0.1.rc1
+- update to 9.9.3rc1
+- bind-96-libtool2.patch has been merged
+- fix bind tmpfiles.d for named.pid /run migration (#920713)
+
+* Wed Mar 27 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.2-12.P2
+- New upstream patch version fixing CVE-2013-2266 (#928032)
+
+* Tue Mar 19 2013 Adam Tkac <atkac redhat com> 32:9.9.2-11.P1
+- move pidfile to /run/named/named.pid
+
+* Wed Mar 06 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.2-10.P1
+- Fix Makefile.in to include header added by rate limiting patch (#918330)
+
+* Tue Mar 05 2013 Adam Tkac <atkac redhat com> 32:9.9.2-9.P1
+- drop some developer-only documentation and move ARM to %%docdir
+
+* Mon Feb 18 2013 Adam Tkac <atkac redhat com> 32:9.9.2-8.P1
+- include rate limiting patch
+
+* Tue Jan 29 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.2-7.P1
+- Corrected IP addresses in named.ca (#901741)
+- mount/umount /var/named in setup-named-chroot.sh as the last one (#904666)
+
+* Thu Dec 20 2012 Adam Tkac <atkac redhat com> 32:9.9.2-6.P1
+- generate /etc/rndc.key during named service startup if doesn't exist
+- increase startup timeout in systemd units to 90sec (default)
+- fix IDN related statement in dig.1 manpage
+
+* Wed Dec 05 2012 Tomas Hozza <thozza@redhat.com> 32:9.9.2-5.P1
+- update to bind-9.9.2-P1
+
+* Mon Nov 12 2012 Adam Tkac <atkac redhat com> 32:9.9.2-4
+- document dig exit codes in manpage
+- ignore empty "search" options in resolv.conf
+
+* Mon Nov 12 2012 Adam Tkac <atkac redhat com> 32:9.9.2-3
+- drop PKCS11 support on rhel
+
+* Thu Oct 11 2012 Adam Tkac <atkac redhat com> 32:9.9.2-2
+- install isc/stat.h
+
+* Thu Oct 11 2012 Adam Tkac <atkac redhat com> 32:9.9.2-1
+- update to 9.9.2
+- bind97-rh714049.patch has been dropped
+- patches merged
+ - bind98-rh816164.patch
+
+* Thu Sep 13 2012 Adam Tkac <atkac redhat com> 32:9.9.1-10.P3
+- update to bind-9.9.1-P3
+
+* Wed Aug 22 2012 Tomas Hozza <thozza@redhat.com> 32:9.9.1-9.P2
+- fixed SPEC file so it comply with new systemd-rpm macros guidelines (#850045)
+- changed %%define macros to %%global and fixed several rpmlint warnings
+
+* Wed Aug 08 2012 Tomas Hozza <thozza@redhat.com> 32:9.9.1-8.P2
+- Changed PrivateTmp to "false" in *-chroot.service unit files (#825869)
+
+* Wed Aug 01 2012 Tomas Hozza <thozza@redhat.com> 32:9.9.1-7.P2
+- Fixed bind-devel multilib conflict (#478718)
+
+* Mon Jul 30 2012 Tomas Hozza <thozza@redhat.com> 32:9.9.1-6.P2
+- Fixed bad path to systemctl in /etc/NetworkManager/dispatcher.d/13-named (#844047)
+- Fixed path to libdb.so in config.dlz.in
+
+* Thu Jul 26 2012 Adam Tkac <atkac redhat com> 32:9.9.1-5.P2
+- update to 9.9.1-P2
+
+* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.9.1-4.P1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Wed Jul 11 2012 Ville Skyttä <ville.skytta@iki.fi> - 32:9.9.1-3.P1
+- Avoid shell invocation and dep for -libs-lite %%postun.
+
+* Mon Jun 04 2012 Adam Tkac <atkac redhat com> 32:9.9.1-2.P1
+- update to 9.9.1-P1 (CVE-2012-1667)
+
+* Thu May 24 2012 Adam Tkac <atkac redhat com> 32:9.9.1-1
+- update to 9.9.1
+- bind99-coverity.patch merged
+- bind-9.5-overflow.patch merged
+
+* Mon May 07 2012 Adam Tkac <atkac redhat com> 32:9.9.0-6
+- nslookup: return non-zero exit code when fail to get answer (#816164)
+
+* Thu Apr 26 2012 Adam Tkac <atkac redhat com> 32:9.9.0-5
+- initscript: don't umount /var/named when didn't mount it
+
+* Tue Apr 24 2012 Adam Tkac <atkac redhat com> 32:9.9.0-4
+- apply all non-SDB patches before SDB ones (#804475)
+- enable Berkeley DB DLZ backend (#804478)
+
+* Thu Apr 12 2012 Adam Tkac <atkac redhat com> 32:9.9.0-3
+- bind97-rh699951.patch is no longer needed (different fix is in 9.9.0)
+
+* Mon Mar 26 2012 Adam Tkac <atkac redhat com> 32:9.9.0-2
+- remove unneeded bind99-v6only.patch
+
+* Mon Mar 05 2012 Adam Tkac <atkac redhat com> 32:9.9.0-1
+- update to 9.9.0
+- load dynamic DBs later (and update dyndb patch)
+- fix memory leak in named during processing of rndc command
+- don't call `rndc-confgen -a` in "post" section
+- fix some packaging bugs in bind-chroot
+
+* Wed Feb 15 2012 Adam Tkac <atkac redhat com> 32:9.9.0-0.8.rc2
+- build with "--enable-fixed-rrset"
+
+* Wed Feb 01 2012 Adam Tkac <atkac redhat com> 32:9.9.0-0.7.rc2
+- update to 9.9.0rc2
+- doc/rfc and doc/draft are no longer shipped in tarball
+
+* Mon Jan 30 2012 Adam Tkac <atkac redhat com> 32:9.9.0-0.6.rc1
+- retire initscript in favour of systemd unit files (#719419)
+
+* Thu Jan 12 2012 Adam Tkac <atkac redhat com> 32:9.9.0-0.5.rc1
+- update to 9.9.0rc1
+
+* Wed Dec 07 2011 Adam Tkac <atkac redhat com> 32:9.9.0-0.4.b2
+- ship dns/forward.h in -devel subpkg
+
+* Tue Nov 22 2011 Adam Tkac <atkac redhat com> 32:9.9.0-0.3.b2
+- update to 9.9.0b2 (CVE-2011-4313)
+- patches merged
+ - bind97-rh700097.patch
+ - bind99-cinfo.patch
+
+* Mon Nov 14 2011 Adam Tkac <atkac redhat com> 32:9.9.0-0.2.b1
+- ship dns/clientinfo.h in bind-devel
+
+* Fri Nov 11 2011 Adam Tkac <atkac redhat com> 32:9.9.0-0.1.b1
+- update to 9.9.0b1
+- bind98-dlz_buildfix.patch merged
+
+* Fri Oct 28 2011 Adam Tkac <atkac redhat com> 32:9.8.1-4
+- nslookup failed to resolve name in certain cases
+
+* Mon Sep 26 2011 Adam Tkac <atkac redhat com> 32:9.8.1-3
+- remove deps filter, it is no longer needed (#739663)
+
+* Fri Sep 09 2011 Adam Tkac <atkac redhat com> 32:9.8.1-2
+- fix logrotate config file (#725256)
+
+* Wed Sep 07 2011 Adam Tkac <atkac redhat com> 32:9.8.1-1
+- update to 9.8.1
+- ship /etc/trusted-key.key (needed by dig)
+- use select instead of epoll in export libs (#735103)
+
+* Wed Aug 31 2011 Adam Tkac <atkac redhat com> 32:9.8.1-0.3.rc1
+- fix DLZ related compilation issues
+- make /etc/named.{root,iscdlv}.key world-readable
+- add bind-libs versioned requires to bind pkg
+
+* Wed Aug 31 2011 Adam Tkac <atkac redhat com> 32:9.8.1-0.2.rc1
+- fix rare race condition in request.c
+- print "the working directory is not writable" as debug message
+- re-add configtest target to initscript
+- initscript: sybsys name is always named, not named-sdb
+- nsupdate returned zero when target zone didn't exist (#700097)
+- nsupdate could have failed if server has multiple IPs and the first
+ was unreachable (#714049)
+
+* Wed Aug 31 2011 Adam Tkac <atkac redhat com> 32:9.8.1-0.1.rc1
+- update to 9.8.1rc1
+- patches merged
+ - bind97-rh674334.patch
+ - bind97-cleanup.patch
+ - bind98-includes.patch
+
+* Wed Aug 03 2011 Adam Tkac <atkac redhat com> 32:9.8.0-9.P4
+- improve patch for #725741
+
+* Tue Jul 26 2011 Adam Tkac <atkac redhat com> 32:9.8.0-8.P4
+- named could have crashed during reload when dyndb module is used (#725741)
+
+* Tue Jul 05 2011 Adam Tkac <atkac redhat com> 32:9.8.0-7.P4
+- update to 9.8.0-P4
+ - bind98-libdns-export.patch merged
+
+* Thu Jun 02 2011 Adam Tkac <atkac redhat com> 32:9.8.0-6.P2
+- update the dyndb patch
+
+* Fri May 27 2011 Adam Tkac <atkac redhat com> 32:9.8.0-5.P2
+- fix compilation of libdns-export.so
+
+* Fri May 27 2011 Adam Tkac <atkac redhat com> 32:9.8.0-4.P2
+- update to 9.8.0-P2 (CVE-2011-1910)
+
+* Fri May 06 2011 Adam Tkac <atkac redhat com> 32:9.8.0-3.P1
+- update to 9.8.0-P1 (CVE-2011-1907)
+
+* Wed Mar 23 2011 Dan Horák <dan@danny.cz> - 32:9.8.0-2
+- rebuilt for mysql 5.5.10 (soname bump in libmysqlclient)
+
+* Thu Mar 03 2011 Adam Tkac <atkac redhat com> 32:9.8.0-1
+- update to 9.8.0
+- bind97-rh665971.patch merged
+
+* Thu Mar 03 2011 Adam Tkac <atkac redhat com> 32:9.8.0-0.4.rc1
+- revert previous change (integration with libnmserver)
+
+* Tue Feb 22 2011 Adam Tkac <atkac redhat com> 32:9.8.0-0.3.rc1
+- integrate named with libnmserver library
+
+* Tue Feb 22 2011 Adam Tkac <atkac redhat com> 32:9.8.0-0.2.rc1
+- include dns/rpz.h in -devel subpkg
+
+* Mon Feb 21 2011 Adam Tkac <atkac redhat com> 32:9.8.0-0.1.rc1
+- update to 9.8.0rc1
+
+* Fri Feb 18 2011 Adam Tkac <atkac redhat com> 32:9.7.3-1
+- update to 9.7.3
+- fix dig +trace on dualstack systems (#674334)
+- fix linkage order when building on system with older BIND (#665971)
+- reduce number of gcc warnings
+
+* Mon Feb 07 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.7.3-0.6.rc1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Jan 25 2011 Adam Tkac <atkac redhat com> 32:9.7.3-0.5.rc1
+- update to 9.7.3rc1
+ - bind97-krb5-self.patch merged
+
+* Wed Jan 12 2011 Adam Tkac <atkac redhat com> 32:9.7.3-0.4.b1
+- fix typo in initscript
+
+* Thu Jan 06 2011 Adam Tkac <atkac redhat com> 32:9.7.3-0.3.b1
+- fix "service named status" when used with named-sdb
+- don't check MD5, size and mtime of sysconfig/named
+
+* Wed Jan 05 2011 Adam Tkac <atkac redhat com> 32:9.7.3-0.2.b1
+- add new option DISABLE_ZONE_CHECKING to sysconfig/named
+
+* Wed Jan 05 2011 Adam Tkac <atkac redhat com> 32:9.7.3-0.1.b1
+- update to 9.7.3b1
+
+* Wed Jan 05 2011 Adam Tkac <atkac redhat com> 32:9.7.2-10.P3
+- initscript should terminate only the correct "named" process (#622785)
+
+* Mon Dec 20 2010 Adam Tkac <atkac redhat com> 32:9.7.2-9.P3
+- fix "krb5-self" update-policy rule processing
+
+* Thu Dec 02 2010 Adam Tkac <atkac redhat com> 32:9.7.2-8.P3
+- update to 9.7.2-P3
+
+* Mon Nov 29 2010 Jan Görig <jgorig redhat com> 32:9.7.2-7.P2
+- added tmpfiles.d support (#656550)
+- removed old PID checking in initscript
+
+* Mon Nov 08 2010 Adam Tkac <atkac redhat com> 32:9.7.2-6.P2
+- don't emit various informational messages by default (#645544)
+
+* Wed Oct 20 2010 Adam Tkac <atkac redhat com> 32:9.7.2-5.P2
+- move BIND9 internal libs back to %%{_libdir}
+- add "-export" suffix to public libraries (-lite subpkg)
+
+* Thu Oct 07 2010 Adam Tkac <atkac redhat com> 32:9.7.2-4.P2
+- ship -devel subpkg for internal libs, dnsperf needs it
+
+* Thu Oct 07 2010 Adam Tkac <atkac redhat com> 32:9.7.2-3.P2
+- new bind-libs-lite and bind-lite-devel subpkgs which contain
+ public version of BIND 9 libraries
+- don't ship devel files for internal version of BIND 9 libraries
+
+* Wed Sep 29 2010 Adam Tkac <atkac redhat com> 32:9.7.2-2.P2
+- update to 9.7.2-P2
+
+* Thu Sep 16 2010 Adam Tkac <atkac redhat com> 32:9.7.2-1
+- update to 9.7.2
+
+* Fri Aug 27 2010 Adam Tkac <atkac redhat com> 32:9.7.2-0.3.rc1
+- update to 9.7.2rc1
+
+* Tue Aug 10 2010 Adam Tkac <atkac redhat com> 32:9.7.2-0.2.b1
+- host: handle "debug", "attempts" and "timeout" options in resolv.conf well
+
+* Tue Aug 03 2010 Adam Tkac <atkac redhat com> 32:9.7.2-0.1.b1
+- update to 9.7.2b1
+- patches merged
+ - bind97-rh507429.patch
+
+* Mon Jul 19 2010 Adam Tkac <atkac redhat com> 32:9.7.1-5.P2
+- supply root zone DNSKEY in default configuration
+
+* Mon Jul 19 2010 Adam Tkac <atkac redhat com> 32:9.7.1-4.P2
+- update to 9.7.1-P2 (CVE-2010-0213)
+
+* Mon Jul 12 2010 Adam Tkac <atkac redhat com> 32:9.7.1-3.P1
+- remove outdated Copyright.caching-nameserver file
+- remove rfc1912.txt, it is already located in %%doc/rfc directory
+- move COPYRIGHT to the bind-libs subpkg
+- add COPYRIGHT to the -pkcs11 subpkg
+
+* Fri Jul 09 2010 Adam Tkac <atkac redhat com> 32:9.7.1-2.P1
+- update to 9.7.1-P1
+
+* Mon Jun 28 2010 Adam Tkac <atkac redhat com> 32:9.7.1-1
+- update to 9.7.1
+- improve the "dnssec-conf" trigger
+
+* Wed Jun 09 2010 Adam Tkac <atkac redhat com> 32:9.7.1-0.2.rc1
+- update to 9.7.1rc1
+- patches merged
+ - bind97-keysdir.patch
+
+* Mon May 31 2010 Adam Tkac <atkac redhat com> 32:9.7.1-0.1.b1
+- update to 9.7.1b1
+- make /var/named/dynamic as a default directory for managed DNSSEC keys
+- add patch to get "managed-keys-directory" option working
+- patches merged
+ - bind97-managed-keyfile.patch
+ - bind97-rh554316.patch
+
+* Fri May 21 2010 Adam Tkac <atkac redhat com> 32:9.7.0-11.P2
+- update dnssec-conf Obsoletes/Provides
+
+* Thu May 20 2010 Adam Tkac <atkac redhat com> 32:9.7.0-10.P2
+- update to 9.7.0-P2
+
+* Fri Mar 26 2010 Adam Tkac <atkac redhat com> 32:9.7.0-9.P1
+- added lost patch for #554316 (occasional crash in keytable.c)
+
+* Fri Mar 26 2010 Adam Tkac <atkac redhat com> 32:9.7.0-8.P1
+- active query might be destroyed in resume_dslookup() which triggered REQUIRE
+ failure (#507429)
+
+* Mon Mar 22 2010 Adam Tkac <atkac redhat com> 32:9.7.0-7.P1
+- install SDB related manpages only when build with SDB
+
+* Fri Mar 19 2010 Adam Tkac <atkac redhat com> 32:9.7.0-6.P1
+- update to 9.7.0-P1
+
+* Tue Mar 16 2010 Jan Görig <jgorig redhat com> 32:9.7.0-5
+- bind-sdb now requires bind
+
+* Mon Mar 15 2010 Jan Görig <jgorig redhat com> 32:9.7.0-4
+- add man-pages ldap2zone.1 zonetodb.1 zone2sqlite.1 named-sdb.8 (#525655)
+
+* Mon Mar 01 2010 Adam Tkac <atkac redhat com> 32:9.7.0-3
+- fix multilib issue (#478718) [jgorig]
+
+* Mon Mar 01 2010 Adam Tkac <atkac redhat com> 32:9.7.0-2
+- improve automatic DNSSEC reconfiguration trigger
+- initscript now returns 2 in case that action doesn't exist (#523435)
+- enable/disable chroot when bind-chroot is installed/uninstalled
+
+* Wed Feb 17 2010 Adam Tkac <atkac redhat com> 32:9.7.0-1
+- update to 9.7.0 final
+
+* Mon Feb 15 2010 Adam Tkac <atkac redhat com> 32:9.7.0-0.14.rc2
+- obsolete dnssec-conf
+- automatically update configuration from old dnssec-conf based
+- improve default configuration; enable DLV by default
+- remove obsolete triggerpostun from bind-libs subpackage
+
+* Thu Jan 28 2010 Adam Tkac <atkac redhat com> 32:9.7.0-0.13.rc2
+- update to 9.7.0rc2
+
+* Wed Jan 27 2010 Adam Tkac <atkac redhat com> 32:9.7.0-0.12.rc1
+- initscript LSB related fixes (#523435)
+
+* Wed Jan 27 2010 Adam Tkac <atkac redhat com> 32:9.7.0-0.11.rc1
+- revert the "DEBUG" feature (#510283), it causes too many problems (#545128)
+
+* Tue Dec 15 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.10.rc1
+- update to 9.7.0rc1
+- bind97-headers.patch merged
+- update default configuration
+
+* Tue Dec 01 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.9.b3
+- update to 9.7.0b3
+
+* Thu Nov 26 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.8.b2
+- install isc/namespace.h header
+
+* Fri Nov 06 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.7.b2
+- update to 9.7.0b2
+
+* Tue Nov 03 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.6.b1
+- update to 9.7.0b1
+- add bind-pkcs11 subpackage to support PKCS11 compatible keystores for DNSSEC
+ keys
+
+* Thu Oct 08 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.5.a3
+- don't package named-bootconf utility, it is very outdated and unneeded
+
+* Mon Sep 21 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.4.a3
+- determine file size via `stat` instead of `ls` (#523682)
+
+* Wed Sep 16 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.3.a3
+- update to 9.7.0a3
+
+* Tue Sep 15 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.2.a2
+- improve chroot related documentation (#507795)
+- add NetworkManager dispatcher script to reload named when network interface is
+ activated/deactivated (#490275)
+- don't set/unset named_write_master_zones SELinux boolean every time in
+ initscript, modify it only when it's actually needed
+
+* Tue Sep 15 2009 Adam Tkac <atkac redhat com> 32:9.7.0-0.1.a2
+- update to 9.7.0a2
+- merged patches
+ - bind-96-db_unregister.patch
+ - bind96-rh507469.patch
+
+* Tue Sep 01 2009 Adam Tkac <atkac redhat com> 32:9.6.1-9.P1
+- next attempt to fix the postun trigger (#520385)
+- remove obsolete bind-9.3.1rc1-fix_libbind_includedir.patch
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 32:9.6.1-8.P1
+- rebuilt with new openssl
+
+* Tue Aug 04 2009 Martin Nagy <mnagy redhat com> 32:9.6.1-7.P1
+- update the patch for dynamic loading of database backends
+
+* Wed Jul 29 2009 Adam Tkac <atkac redhat com> 32:9.6.1-6.P1
+- 9.6.1-P1 release (CVE-2009-0696)
+- fix postun trigger (#513016, hopefully)
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.6.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Jul 20 2009 Adam Tkac <atkac redhat com> 32:9.6.1-4
+- remove useless bind-9.3.3rc2-rndckey.patch
+
+* Mon Jul 13 2009 Adam Tkac <atkac redhat com> 32:9.6.1-3
+- fix broken symlinks in bind-libs (#509635)
+- fix typos in /etc/sysconfig/named (#509650)
+- add DEBUG option to /etc/sysconfig/named (#510283)
+
+* Wed Jun 24 2009 Adam Tkac <atkac redhat com> 32:9.6.1-2
+- improved "chroot automount" patches (#504596)
+- host should fail if specified server doesn't respond (#507469)
+
+* Wed Jun 17 2009 Adam Tkac <atkac redhat com> 32:9.6.1-1
+- 9.6.1 release
+- simplify chroot maintenance. Important files and directories are mounted into
+ chroot (see /etc/sysconfig/named for more info, #504596)
+- fix doc/named.conf.default perms
+
+* Wed May 27 2009 Adam Tkac <atkac redhat com> 32:9.6.1-0.4.rc1
+- 9.6.1rc1 release
+
+* Wed Apr 29 2009 Martin Nagy <mnagy redhat com> 32:9.6.1-0.3.b1
+- update the patch for dynamic loading of database backends
+- create %%{_libdir}/bind directory
+- copy default named.conf to doc directory, shared with s-c-bind (atkac)
+
+* Fri Apr 24 2009 Martin Nagy <mnagy redhat com> 32:9.6.1-0.2.b1
+- update the patch for dynamic loading of database backends
+- fix dns_db_unregister()
+- useradd now takes "-N" instead of "-n" (atkac, #495726)
+- print nicer error msg when zone file is actually a directory (atkac, #490837)
+
+* Mon Mar 30 2009 Adam Tkac <atkac redhat com> 32:9.6.1-0.1.b1
+- 9.6.1b1 release
+- patches merged
+ - bind-96-isc_header.patch
+ - bind-95-rh469440.patch
+ - bind-96-realloc.patch
+ - bind9-fedora-0001.diff
+- use -version-number instead of -version-info libtool param
+
+* Mon Mar 23 2009 Adam Tkac <atkac redhat com> 32:9.6.0-11.1.P1
+- logrotate configuration file now points to /var/named/data/named.run by
+ default (#489986)
+
+* Tue Mar 17 2009 Adam Tkac <atkac redhat com> 32:9.6.0-11.P1
+- fall back to insecure mode when no supported DNSSEC algorithm is found
+ instead of SERVFAIL
+- don't fall back to non-EDNS0 queries when DO bit is set
+
+* Tue Mar 10 2009 Adam Tkac <atkac redhat com> 32:9.6.0-10.P1
+- enable DNSSEC only if it is enabled in sysconfig/dnssec
+
+* Mon Mar 09 2009 Adam Tkac <atkac redhat com> 32:9.6.0-9.P1
+- add DNSSEC support to initscript, enabled it per default
+- add requires dnssec-conf
+
+* Mon Mar 09 2009 Adam Tkac <atkac redhat com> 32:9.6.0-8.P1
+- fire away libbind, it is now separate package
+
+* Wed Mar 04 2009 Adam Tkac <atkac redhat com> 32:9.6.0-7.P1
+- fixed some read buffer overflows (upstream)
+
+* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> 32:9.6.0-6.P1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Feb 12 2009 Martin Nagy <mnagy redhat com> 32:9.6.0-5.P1
+- update the patch for dynamic loading of database backends
+- include iterated_hash.h
+
+* Sat Jan 24 2009 Caolán McNamara <caolanm@redhat.com> 32:9.6.0-4.P1
+- rebuild for dependencies
+
+* Wed Jan 21 2009 Adam Tkac <atkac redhat com> 32:9.6.0-3.P1
+- rebuild against new openssl
+
+* Thu Jan 08 2009 Adam Tkac <atkac redhat com> 32:9.6.0-2.P1
+- 9.6.0-P1 release (CVE-2009-0025)
+
+* Mon Jan 05 2009 Adam Tkac <atkac redhat com> 32:9.6.0-1
+- Happy new year
+- 9.6.0 release
+
+* Thu Dec 18 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.7.rc2
+- 9.6.0rc2 release
+- bind-96-rh475120.patch merged
+
+* Tue Dec 16 2008 Martin Nagy <mnagy redhat com> 32:9.6.0-0.6.rc1
+- add patch for dynamic loading of database backends
+
+* Tue Dec 09 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.5.1.rc1
+- allow to reuse address for non-random query-source ports (#475120)
+
+* Wed Dec 03 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.5.rc1
+- 9.6.0rc1 release
+- patches merged
+ - bind-9.2.0rc3-varrun.patch
+ - bind-95-sdlz-include.patch
+ - bind-96-libxml2.patch
+- fixed rare use-after-free problem in host utility (#452060)
+- enabled chase of DNSSEC signature chains in dig
+
+* Mon Dec 01 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.4.1.b1
+- improved sample config file (#473586)
+
+* Wed Nov 26 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.4.b1
+- reverted previous change, koji doesn't like it
+
+* Wed Nov 26 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.3.b1
+- build bind-chroot as noarch
+
+* Mon Nov 24 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.2.1.b1
+- updates due libtool 2.2.6
+- don't pass -DLDAP_DEPRECATED to cpp, handle it directly in sources
+
+* Tue Nov 11 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.2.b1
+- make statistics http server working, patch backported from 9.6 HEAD
+
+* Mon Nov 10 2008 Adam Tkac <atkac redhat com> 32:9.6.0-0.1.b1
+- 9.6.0b1 release
+- don't build ODBC and Berkeley DB DLZ drivers
+- end of bind-chroot-admin script, copy config files to chroot manually
+- /proc doesn't have to be mounted to chroot
+- temporary use libbind from 9.5 series, noone has been released for 9.6 yet
+
+* Mon Nov 03 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.8.4.b2
+- dig/host: use only IPv4 addresses when -4 option is specified (#469440)
+
+* Thu Oct 30 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.8.2.b2
+- removed unneeded bind-9.4.1-ldap-api.patch
+
+* Thu Oct 30 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.8.1.b2
+- ship dns/{s,}dlz.h and isc/radix.h in bind-devel
+
+* Tue Oct 07 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.8.b2
+- removed bind-9.4.0-dnssec-directory.patch, it is wrong
+
+* Wed Sep 24 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.7.b2
+- 9.5.1b2 release
+- patches merged
+ - bind95-rh454783.patch
+ - bind-9.5-edns.patch
+ - bind95-rh450995.patch
+ - bind95-rh457175.patch
+
+* Wed Sep 17 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.6.b1
+- IDN output strings didn't honour locale settings (#461409)
+
+* Tue Aug 05 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.5.b1
+- disable transfer stats on DLZ zones (#454783)
+
+* Mon Aug 04 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.4.b1
+- add forgotten patch for #457175
+- build with -O2
+
+* Thu Jul 31 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.3.b1
+- static libraries are no longer supported
+- IP acls weren't merged correctly (#457175)
+- use fPIE on sparcv9/sparc64 (Dennis Gilmore)
+- add sparc64 to list of 64bit arches in spec (Dennis Gilmore)
+
+* Mon Jul 21 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.2.b1
+- updated patches due new rpm (--fuzz=0 patch parameter)
+
+* Mon Jul 14 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.1.1.b1
+- use %%patch0 for Patch0 (#455061)
+- correct source address (#455118)
+
+* Tue Jul 08 2008 Adam Tkac <atkac redhat com> 32:9.5.1-0.1.b1
+- 9.5.1b1 release (CVE-2008-1447)
+- dropped bind-9.5-recv-race.patch because upstream doesn't want it
+
+* Mon Jun 30 2008 Adam Tkac <atkac redhat com> 32:9.5.0-37.1
+- update default named.conf statements (#452708)
+
+* Thu Jun 26 2008 Adam Tkac <atkac redhat com> 32:9.5.0-37
+- some compat changes to fix building on RHEL4
+
+* Mon Jun 23 2008 Adam Tkac <atkac redhat com> 32:9.5.0-36.3
+- fixed typo in %%posttrans script
+
+* Wed Jun 18 2008 Adam Tkac <atkac redhat com> 32:9.5.0-36.2
+- parse inner acls correctly (#450995)
+
+* Mon Jun 02 2008 Adam Tkac <atkac redhat com> 32:9.5.0-36.1
+- removed dns-keygen utility in favour of rndc-confgen -a (#449287)
+- some minor sample fixes (#449274)
+
+* Thu May 29 2008 Adam Tkac <atkac redhat com> 32:9.5.0-36
+- updated to 9.5.0 final
+- use getifaddrs to find available interfaces
+
+* Mon May 26 2008 Adam Tkac <atkac redhat com> 32:9.5.0-35.rc1
+- make /var/run/named writable by named (#448277)
+- fixed one non-utf8 file
+
+* Thu May 22 2008 Adam Tkac <atkac redhat com> 32:9.5.0-34.rc1
+- fixes needed to pass package review (#225614)
+
+* Wed May 21 2008 Adam Tkac <atkac redhat com> 32:9.5.0-33.1.rc1
+- bind-chroot now depends on bind (#446477)
+
+* Wed May 14 2008 Adam Tkac <atkac redhat com> 32:9.5.0-33.rc1
+- updated to 9.5.0rc1
+- merged patches
+ - bind-9.5-libcap.patch
+- make binaries readable by others (#427826)
+
+* Tue May 13 2008 Adam Tkac <atkac redhat com> 32:9.5.0-32.b3
+- reverted "any" patch, upstream says not needed
+- log EDNS failure only when we really switch to plain EDNS (#275091)
+- detect configuration file better
+
+* Tue May 06 2008 Adam Tkac <atkac redhat com> 32:9.5.0-31.1.b3
+- addresses 0.0.0.0 and ::0 really match any (#275091, comment #28)
+
+* Mon May 05 2008 Adam Tkac <atkac redhat com> 32:9.5.0-31.b3
+- readded bind-9.5-libcap.patch
+- added bind-9.5-recv-race.patch from F8 branch (#400461)
+
+* Wed Apr 23 2008 Adam Tkac <atkac redhat com> 32:9.5.0-30.1.b3
+- build Berkeley DB DLZ backend
+
+* Mon Apr 21 2008 Adam Tkac <atkac redhat com> 32:9.5.0-30.b3
+- 9.5.0b3 release
+- dropped patches (upstream)
+ - bind-9.5-transfer-segv.patch
+ - bind-9.5-mudflap.patch
+ - bind-9.5.0-generate-xml.patch
+ - bind-9.5-libcap.patch
+
+* Wed Apr 02 2008 Adam Tkac <atkac redhat com> 32:9.5.0-29.3.b2
+- fixed named.conf.sample file (#437569)
+
+* Fri Mar 14 2008 Adam Tkac <atkac redhat com> 32:9.5.0-29.2.b2
+- fixed URLs
+
+* Mon Feb 25 2008 Adam Tkac <atkac redhat com> 32:9.5.0-29.1.b2
+- BuildRequires cleanup
+
+* Sun Feb 24 2008 Adam Tkac <atkac redhat com> 32:9.5.0-29.b2
+- rebuild without mudflap (#434159)
+
+* Wed Feb 20 2008 Adam Tkac <atkac redhat com> 32:9.5.0-28.b2
+- port named to use libcap library, enable threads (#433102)
+- removed some unneeded Requires
+
+* Tue Feb 19 2008 Adam Tkac <atkac redhat com> 32:9.5.0-27.b2
+- removed conditional build with libefence (use -fmudflapth instead)
+- fixed building of DLZ stuff (#432497)
+- do not build Berkeley DB DLZ backend
+- temporary build with --disable-linux-caps and without threads (#433102)
+- update named.ca file to affect IPv6 changes in root zone
+
+* Mon Feb 11 2008 Adam Tkac <atkac redhat com> 32:9.5.0-26.b2
+- build with -D_GNU_SOURCE (#431734)
+- improved fix for #253537, posttrans script is now used
+- improved fix for #400461
+- 9.5.0b2
+ - bind-9.3.2b1-PIE.patch replaced by bind-9.5-PIE.patch
+ - only named, named-sdb and lwresd are PIE
+ - bind-9.5-sdb.patch has been updated
+ - bind-9.5-libidn.patch has been updated
+ - bind-9.4.0-sdb-sqlite-bld.patch replaced by bind-9.5-sdb-sqlite-bld.patch
+ - removed bind-9.5-gssapi-header.patch (upstream)
+ - removed bind-9.5-CVE-2008-0122.patch (upstream)
+- removed bind-9.2.2-nsl.patch
+- improved sdb_tools Makefile.in
+
+* Mon Feb 04 2008 Adam Tkac <atkac redhat com> 32:9.5.0-25.b1
+- fixed segfault during sending notifies (#400461)
+- rebuild with gcc 4.3 series
+
+* Tue Jan 22 2008 Adam Tkac <atkac redhat com> 32:9.5.0-24.b1
+- removed bind-9.3.2-prctl_set_dumpable.patch (upstream)
+- allow parallel building of libdns library
+- CVE-2008-0122
+
+* Thu Dec 27 2007 Adam Tkac <atkac redhat com> 32:9.5.0-23.b1
+- fixed initscript wait loop (#426382)
+- removed dependency on policycoreutils and libselinux (#426515)
+
+* Thu Dec 20 2007 Adam Tkac <atkac redhat com> 32:9.5.0-22.b1
+- fixed regression caused by libidn2 patch (#426348)
+
+* Wed Dec 19 2007 Adam Tkac <atkac redhat com> 32:9.5.0-21.b1
+- fixed typo in post section (CVE-2007-6283)
+
+* Wed Dec 19 2007 Adam Tkac <atkac redhat com> 32:9.5.0-20.b1
+- removed obsoleted triggers
+- CVE-2007-6283
+
+* Wed Dec 12 2007 Adam Tkac <atkac redhat com> 32:9.5.0-19.2.b1
+- added dst/gssapi.h to -devel subpackage (#419091)
+- improved fix for (#417431)
+
+* Mon Dec 10 2007 Adam Tkac <atkac redhat com> 32:9.5.0-19.1.b1
+- fixed shutdown with initscript when rndc doesn't work (#417431)
+- fixed IDN patch (#412241)
+
+* Thu Dec 06 2007 Adam Tkac <atkac redhat com> 32:9.5.0-19.b1
+- 9.5.0b1 (#405281, #392491)
+
+* Thu Dec 06 2007 Release Engineering <rel-eng at fedoraproject dot org> 32:9.5.0-18.6.a7
+- Rebuild for deps
+
+* Wed Dec 05 2007 Adam Tkac <atkac redhat com> 32:9.5.0-18.5.a7
+- build with -O0
+
+* Mon Dec 03 2007 Adam Tkac <atkac redhat com> 32:9.5.0-18.4.a7
+- bind-9.5-random_ports.patch was removed because upstream doesn't
+ like it. query-source{,v6} options are sufficient (#391931)
+- bind-chroot-admin called restorecon on /proc filesystem (#405281)
+
+* Mon Nov 26 2007 Adam Tkac <atkac redhat com> 32:9.5.0-18.3.a7
+- removed edns patch to keep compatibility with vanilla bind
+ (#275091, comment #20)
+
+* Wed Nov 21 2007 Adam Tkac <atkac redhat com> 32:9.5.0-18.2.a7
+- use system port selector instead ISC's (#391931)
+
+* Mon Nov 19 2007 Adam Tkac <atkac redhat com> 32:9.5.0-18.a7
+- removed statement from initscript which passes -D to named
+
+* Thu Nov 15 2007 Adam Tkac <atkac redhat com> 32:9.5.0-17.a7
+- 9.5.0a7
+- dropped patches (upstream)
+ - bind-9.5-update.patch
+ - bind-9.5-pool_badfree.patch
+ - bind-9.5-_res_errno.patch
+
+* Thu Nov 15 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.5.a6
+- added bind-sdb again, contains SDB modules and DLZ modules
+- bind-9.3.1rc1-sdb.patch replaced by bind-9.5-sdb.patch
+
+* Mon Nov 12 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.4.a6
+- removed Requires: openldap, postgresql, mysql, db4, unixODBC
+- new L.ROOT-SERVERS.NET address
+
+* Mon Oct 29 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.3.a6
+- completely disable DBUS
+
+* Fri Oct 26 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.2.a6
+- minor cleanup in bind-chroot-admin
+
+* Thu Oct 25 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.1.a6
+- fixed typo in initscript
+
+* Tue Oct 23 2007 Adam Tkac <atkac redhat com> 32:9.5.0-16.a6
+- disabled DBUS (dhcdbd doesn't exist & #339191)
+
+* Thu Oct 18 2007 Adam Tkac <atkac redhat com> 32:9.5.0-15.1.a6
+- fixed missing va_end () functions (#336601)
+- fixed memory leak when dbus initialization fails
+
+* Tue Oct 16 2007 Adam Tkac <atkac redhat com> 32:9.5.0-15.a6
+- corrected named.5 SDB statement (#326051)
+
+* Mon Sep 24 2007 Adam Tkac <atkac redhat com> 32:9.5.0-14.a6
+- added edns patch again (#275091)
+
+* Mon Sep 24 2007 Adam Tkac <atkac redhat com> 32:9.5.0-13.a6
+- removed bind-9.3.3-edns.patch patch (see #275091 for reasons)
+
+* Thu Sep 20 2007 Adam Tkac <atkac redhat com> 32:9.5.0-12.4.a6
+- build with O2
+- removed "autotools" patch
+- bugfixing in bind-chroot-admin (#279901)
+
+* Thu Sep 06 2007 Adam Tkac <atkac redhat com> 32:9.5.0-12.a6
+- bind-9.5-2119_revert.patch and bind-9.5-fix_h_errno.patch are
+ obsoleted by upstream bind-9.5-_res_errno.patch
+
+* Wed Sep 05 2007 Adam Tkac <atkac redhat com> 32:9.5.0-11.9.a6
+- fixed wrong resolver's dispatch pool cleanup (#275011, patch from
+ tmraz redhat com)
+
+* Wed Sep 05 2007 Adam Tkac <atkac redhat com> 32:9.5.0-11.3.a6
+- initscript failure message is now printed correctly (#277981,
+ Quentin Armitage (quentin armitage org uk) )
+
+* Mon Sep 03 2007 Adam Tkac <atkac redhat com> 32:9.5.0-11.2.a6
+- temporary revert ISC 2119 change and add "libbind-errno" patch
+ (#254501) again
+
+* Thu Aug 23 2007 Adam Tkac <atkac redhat com> 32:9.5.0-11.1.a6
+- removed end dots from Summary sections (skasal@redhat.com)
+- fixed wrong file creation by autotools patch (skasal@redhat.com)
+
+* Thu Aug 23 2007 Adam Tkac <atkac redhat com> 32:9.5.0-11.a6
+- start using --disable-isc-spnego configure option
+ - remove bind-9.5-spnego-memory_management.patch (source isn't
+ compiled)
+
+* Wed Aug 22 2007 Adam Tkac <atkac redhat com> 32:9.5.0-10.2.a6
+- added new initscript option KEYTAB_FILE which specified where
+ is located kerberos .keytab file for named service
+- obsolete temporary bind-9.5-spnego-memory_management.patch by
+ bind-9.5-gssapictx-free.patch which conforms BIND coding standards
+ (#251853)
+
+* Tue Aug 21 2007 Adam Tkac <atkac redhat com> 32:9.5.0-10.a6
+- dropped direct dependency to /etc/openldap/schema directory
+- changed hardcoded paths to macros
+- fired away code which configure LDAP server
+
+* Tue Aug 14 2007 Adam Tkac <atkac redhat com> 32:9.5.0-9.1.a6
+- named could crash with SRV record UPDATE (#251336)
+
+* Mon Aug 13 2007 Adam Tkac <atkac redhat com> 32:9.5.0-9.a6
+- disable 64bit dlz driver patch on alpha and ia64 (#251298)
+- remove wrong malloc functions from lib/dns/spnego.c (#251853)
+
+* Mon Aug 06 2007 Adam Tkac <atkac redhat com> 32:9.5.0-8.2.a6
+- changed licence from BSD-like to ISC
+
+* Tue Jul 31 2007 Adam Tkac <atkac redhat com> 32:9.5.0-8.1.a6
+- disabled named on all runlevels by default
+
+* Mon Jul 30 2007 Adam Tkac <atkac redhat com> 32:9.5.0-8.a6
+- minor next improvements on autotools patch
+- dig and host utilities now using libidn instead idnkit for
+ IDN support
+
+* Wed Jul 25 2007 Warren Togami <wtogami@redhat.com> 32:9.5.0-7.a6
+- binutils/gcc bug rebuild (#249435)
+
+* Tue Jul 24 2007 Adam Tkac <atkac redhat com> 32:9.5.0-6.a6
+- updated to 9.5.0a6 which contains fixes for CVE-2007-2925 and
+ CVE-2007-2926
+- fixed building on 64bits
+
+* Mon Jul 23 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-5
+- integrated "autotools" patch for testing purposes (upstream will
+ accept it in future, for easier building)
+
+* Mon Jul 23 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-4.1
+- fixed DLZ drivers building on 64bit systems
+
+* Fri Jul 20 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-4
+- fixed relation between logrotated and chroot-ed named
+
+* Wed Jul 18 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-3.9
+- removed bind-sdb package (default named has compiled SDB backend now)
+- integrated DLZ (Dynamically loadable zones) drivers
+- integrated GSS-TSIG support (RFC 3645)
+- build with -O0 (many new features, potential core dumps will be more useful)
+
+* Tue Jul 17 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-3.2
+- initscript should be ready for parallel booting (#246878)
+
+* Tue Jul 17 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-3
+- handle integer overflow in isc_time_secondsastimet function gracefully (#247856)
+
+* Mon Jul 16 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-2.2
+- moved chroot configfiles into chroot subpackage (#248306)
+
+* Mon Jul 02 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-2
+- minor changes in default configuration
+- fix h_errno assigment during resolver initialization (unbounded recursion, #245857)
+- removed wrong patch to #150288
+
+* Tue Jun 19 2007 Adam Tkac <atkac redhat com> 31:9.5.0a5-1
+- updated to latest upstream
+
+* Wed Jun 13 2007 Adam Tkac <atkac redhat com> 31:9.4.1-7
+- marked caching-nameserver as obsolete (#244604)
+- fixed typo in initscript (causes that named doesn't detect NetworkManager
+ correctly)
+- next cleanup in configuration - moved configfiles into config.tar
+- removed delay between start & stop in restart function in named.init
+
+* Tue Jun 12 2007 Adam Tkac <atkac redhat com> 31:9.4.1-6
+- major changes in initscript. Could be LSB compatible now
+- removed caching-nameserver subpackage. Move configs from this
+ package to main bind package as default configuration and major
+ configuration cleanup
+
+* Mon Jun 04 2007 Adam Tkac <atkac redhat com> 31:9.4.1-5
+- very minor compatibility change in bind-chroot-admin (line 215)
+- enabled IDN support by default and don't distribute IDN libraries
+- specfile cleanup
+- add dynamic directory to /var/named. This directory will be primarily used for
+ dynamic DNS zones. ENABLE_ZONE_WRITE and SELinux's named_write_master_zones no longer exist
+
+* Thu May 24 2007 Adam Tkac <atkac redhat com> 31:9.4.1-4
+- removed ldap-api patch and start using deprecated API
+- fixed minor problem in bind-chroot-admin script (#241103)
+
+* Tue May 22 2007 Adam Tkac <atkac redhat com> 31:9.4.1-3
+- fixed bind-chroot-admin dynamic DNS handling (#239149)
+- updated zone-freeze patch to latest upstream
+- ldap sdb has been rewriten to latest api (#239802)
+
+* Mon May 07 2007 Adam Tkac <atkac redhat com> 31:9.4.1-2.fc7
+- test build on new build system
+
+* Wed May 02 2007 Adam Tkac <atkac redhat com> 31:9.4.1-1.fc7
+- updated to 9.4.1 which contains fix to CVE-2007-2241
+
+* Fri Apr 27 2007 Adam Tkac <atkac redhat com> 31:9.4.0-8.fc7
+- improved "zone freeze patch" - if multiple zone with same name exists
+ no zone is freezed
+- minor cleanup in caching-nameserver's config file
+- fixed race-condition in dbus code (#235809)
+- added forgotten restorecon statement in bind-chroot-admin
+
+* Tue Apr 17 2007 Adam Tkac <atkac redhat com> 31:9.4.0-7.fc7
+- removed DEBUGINFO option because with this option (default) was bind
+ builded with -O0 and without this flag no debuginfo package was produced.
+ (I want faster bind => -O2 + debuginfo)
+- fixed zone finding (#236426)
+
+* Mon Apr 16 2007 Adam Tkac <atkac redhat com> 31:9.4.0-6.fc7
+- added idn support (still under development with upstream, disabled by default)
+
+* Wed Apr 11 2007 Adam Tkac <atkac redhat com> 31:9.4.0-5.fc7
+- dnssec-signzone utility now doesn't ignore -d parameter
+
+* Tue Apr 10 2007 Adam Tkac <atkac redhat com> 31:9.4.0-4.fc7
+- removed query-source[-v6] options from caching-nameserver config
+ (#209954, increase security)
+- throw away idn. It won't be ready in fc7
+
+* Tue Mar 13 2007 Adam Tkac <atkac redhat com> 31:9.4.0-3.fc7
+- prepared bind to merge review
+- added experimental idn support to bind-utils utils (not enabled by default yet)
+- change chroot policy in caching-nameserver post section
+- fixed bug in bind-chroot-admin - rootdir function is called properly now
+
+* Mon Mar 12 2007 Adam Tkac <atkac redhat com> 31:9.4.0-2.fc7
+- added experimental SQLite support (written by John Boyd <jaboydjr@netwalk.com>)
+- moved bind-chroot-admin script to chroot package
+- bind-9.3.2-redhat_doc.patch is always applied (#231738)
+
+* Tue Mar 06 2007 Adam Tkac <atkac@redhat.com> 31:9.4.0-1.fc7
+- updated to 9.4.0
+- bind-chroot-admin now sets EAs correctly (#213926)
+- throw away next_server_on_referral and no_servfail_stops patches (fixed in 9.4.0)
+
+* Thu Feb 15 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-7.fc7
+- minor cleanup in bind-chroot-admin script
+
+* Fri Feb 09 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-6.fc7
+- fixed broken bind-chroot-admin script (#227995)
+
+* Wed Feb 07 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-5.fc7
+- bind-chroot-admin now uses correct chroot path (#227600)
+
+* Mon Feb 05 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-4.fc7
+- fixed conflict between bind-sdb and ldap
+- removed duplicated bind directory in bind-libs
+
+* Thu Feb 01 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-3.fc7
+- fixed building without libbind
+- fixed post section (selinux commands is now in if-endif statement)
+- prever macro has been removed from version
+
+* Mon Jan 29 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-2.fc7
+- redirected output from bind-chroot prep and %%preun stages to /dev/null
+
+* Thu Jan 25 2007 Adam Tkac <atkac@redhat.com> 31:9.3.4-1.fc7
+- updated to version 9.3.4 which contains security bugfixes
+
+* Tue Jan 23 2007 Adam Tkac <atkac@redhat.com> 31:9.3.3-5.fc7
+- package bind-libbind-devel has been marked as obsolete
+
+* Mon Jan 22 2007 Adam Tkac <atkac@redhat.com> 31:9.3.3-4.fc7
+- package bind-libbind-devel has beed removed (libs has been moved to bind-devel & bind-libs)
+- Resolves: #214208
+
+* Tue Jan 16 2007 Martin Stransky <stransky@redhat.com> - 31:9.3.3-3
+- fixed a multi-lib issue
+- Resolves: rhbz#222717
+
+* Thu Jan 4 2007 Martin Stransky <stransky@redhat.com> - 31:9.3.3-2
+- added namedGetForwarders written in shell (#176100),
+ created by Baris Cicek <baris@nerd.com.tr>.
+
+* Sun Dec 10 2006 Martin Stransky <stransky@redhat.com> - 31:9.3.3-1
+- update to 9.3.3 final
+- fix for #219069: file included twice in src.rpm
+
+* Wed Dec 6 2006 Martin Stransky <stransky@redhat.com> - 31:9.3.3-0.1.rc3
+- added back an interval to restart
+- renamed package, it should meet the N-V-R criteria
+- fix for #216185: bind-chroot-admin able to change root mode 750
+- added fix from #215997: incorrect permissions on dnszone.schema
+- added a notice to init script when /etc/named.conf doesn't exist (#216075)
+
+* Mon Oct 30 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.3-6
+- fix for #200465: named-checkzone and co. cannot be run as non-root user
+- fix for #212348: chroot'd named causes df permission denied error
+- fix for #211249, #211083 - problems with stopping named
+- fix for #212549: init script does not unmount /proc filesystem
+- fix for #211282: EDNS is globally enabled, crashing CheckPoint FW-1,
+ added edns-enable options to named configuration file which can suppress
+ EDNS in queries to DNS servers (see /usr/share/doc/bind-9.3.3/misc/options)
+- fix for #212961: bind-chroot doesn't clean up its mess on %%preun
+- update to 9.3.3rc3, removed already merged patches
+
+* Fri Oct 13 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.3-5
+- fix for #209359: bind-libs from compatlayer CD will not
+ install on ia64
+
+* Tue Oct 10 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.3-4
+- added fix for #210096: warning: group named does not exist - using root
+
+* Thu Oct 5 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.3-3
+- added fix from #209400 - Bind Init Script does not create
+ the PID file always, created by Jeff Means
+- added timeout to stop section of init script.
+ The default is 100 sec. and can be adjusted by NAMED_SHUTDOWN_TIMEOUT
+ shell variable.
+
+* Mon Oct 2 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.3-2
+- removed chcon from %%post script, replaced by restorecon
+ (Bug 202547, comment no. 37)
+
+* Fri Sep 15 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.3-1
+- updated to the latest upstream (9.3.3rc2)
+
+* Wed Sep 6 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-41
+- added upstream patch for correct SIG handling - CVE-2006-4095
+
+* Tue Sep 5 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-40
+- suppressed messages from bind-chroot-admin
+- cleared notes about bind-config
+
+* Tue Aug 22 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-39
+- added fix for #203522 - "bind-chroot-admin -e" command fails
+
+* Mon Aug 21 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-38
+- fix for #203194 - tmpfile usage
+
+* Thu Aug 17 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-37
+- fix for #202542 - /usr/sbin/bind-chroot-admin: No such file or directory
+- fix for #202547 - file_contexts: invalid context
+
+* Fri Aug 11 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-36
+- added Provides: bind-config
+
+* Fri Aug 11 2006 Martin Stransky <stransky@redhat.com> - 30:9.3.2-35
+- fix bug 197493: renaming subpackage bind-config to caching-nameserver
+
+* Mon Jul 24 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-34
+- fix bug 199876: make '%%exclude libbbind.*' conditional on %%{LIBBIND}
+
+* Mon Jul 24 2006 Florian La Roche <laroche@redhat.com> - 30:9.3.2-33
+- fix #195881, perms are not packaged correctly
+
+* Fri Jul 21 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-32
+- fix addenda to bug 189789:
+ determination of selinux enabled was still not 100% correct in bind-chroot-admin
+- fix addenda to bug 196398:
+ make named.init test for NetworkManager being enabled AFTER testing for -D absence;
+ named.init now supports a 'DISABLE_NAMED_DBUS' /etc/sysconfig/named setting to disable
+ auto-enable of named dbus support if NetworkManager enabled.
+
+* Wed Jul 19 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-30
+- fix bug 196398 - Enable -D option automatically in initscript
+ if NetworkManager enabled in any runlevel.
+- fix namedGetForwarders for new dbus
+- fix bug 195881 - libbind.so should be owned by bind-libbind-devel
+
+* Wed Jul 19 2006 Matthias Clasen <mclasen@redhat.com> - 30:9.3.2-28.FC6
+- Rebuild against new dbus
+
+* Wed Jul 12 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-27.FC6
+- rebuild with fixed glibc-kernheaders
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 30:9.3.2-26.FC6.1
+- rebuild
+
+* Wed Jun 14 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-26.FC6
+- fix bugs 191093, 189789
+- backport selected fixes from upstream bind9 'v9_3_3b1' CVS version:
+ ( see http://www.isc.org/sw/bind9.3.php "Fixes" ):
+ o change 2024 / bug 16027:
+ named emitted spurious "zone serial unchanged" messages on reload
+ o change 2013 / bug 15941:
+ handle unexpected TSIGs on unsigned AXFR/IXFR responses more gracefully
+ o change 2009 / bug 15808: coverity fixes
+ o change 1997 / bug 15818:
+ named was failing to replace negative cache entries when a positive one
+ for the type was learnt
+ o change 1994 / bug 15694: OpenSSL 0.9.8 support
+ o change 1991 / bug 15813:
+ The configuration data, once read, should be treated as readonly.
+ o misc. validator fixes
+ o misc. resolver fixes
+ o misc. dns fixes
+ o misc. isc fixes
+ o misc. libbind fixes
+ o misc. isccfg fix
+ o misc. lwres fix
+ o misc. named fixes
+ o misc. dig fixes
+ o misc. nsupdate fix
+ o misc. tests fixes
+
+* Wed Jun 7 2006 Jeremy Katz <katzj@redhat.com> - 30:9.3.2-24.FC6
+- and actually put the devel symlinks in the right subpackage
+
+* Thu May 25 2006 Jeremy Katz <katzj@redhat.com> - 30:9.3.2-23.FC6
+- rebuild for -devel deps
+
+* Tue Apr 18 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-22
+- apply upstream patch for ncache_adderesult segfault bug 173961 addenda
+- fix bug 188382: rpm --verify permissions inconsistencies
+- fix bug 189186: use /sbin/service instead of initscript
+- rebuild for new gcc, glibc-kernheaders
+
+* Tue Apr 04 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-20
+- fix resolver.c ncache_adderesult segfault reported in addenda to bug 173961
+ (upstream bugs #15642, #15528 ?)
+- allow named ability to generate core dumps after setuid (upstream bug #15753)
+
+* Mon Apr 03 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-18
+- fix bug 187529: make bind-chroot-admin deal with subdirectories properly
+
+* Thu Mar 30 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-16
+- fix bug 187286:
+ prevent host(1) printing duplicate 'is an alias for' messages
+ for the default AAAA and MX lookups as well as for the A lookup
+ (it now uses the CNAME returned for the A lookup for the AAAA and MX lookups).
+ This is upstream bug #15702 fixed in the unreleased bind-9.3.3
+- fix bug 187333: fix SOURCE24 and SOURCE25 transposition
+
+* Wed Mar 29 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-14
+- fix bug 186577: remove -L/usr/lib from libbind.pc and more .spec file cleanup
+- add '%%doc' sample configuration files in /usr/share/doc/bind*/sample
+- rebuild with new gcc and glibc
+
+* Wed Mar 22 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-12
+- fix typo in initscript
+- fix Requires(post): policycoreutils in sub-packages
+
+* Mon Mar 20 2006 Jason Vas Dias <jvdias@redhat.com> - 30.9.3.2-10
+- fix bug 185969: more .spec file cleanup
+
+* Wed Mar 08 2006 Jason Vas Dias <jvdias@redhat.com> - 30.9.3.2-8
+- Do not allow package to be installed if named:25 userid creation fails
+- Give libbind a pkg-config file
+- remove restorecon from bind-chroot-admin (not required).
+- fix named.caching-nameserver.conf (listen-on-v6 port 53 { ::1 };)
+
+* Tue Mar 07 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-7
+- fix issues with bind-chroot-admin
+
+* Mon Mar 06 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-6
+- replace caching-nameserver with bind-config sub-package
+- fix bug 177595: handle case where $ROOTDIR is a link in initscript
+- fix bug 177001: bind-config creates symlinks OK now
+- fix bug 176388: named.conf is now never replaced by any RPM
+- fix bug 176248: remove unecessary creation of rpmsave links
+- fix bug 174925: no replacement of named.conf
+- fix bug 173963: existing named.conf never modified
+- major .spec file cleanup
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 30:9.3.2-4.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-4
+- regenerate redhat_doc patch for non-DBUS builds
+- allow dbus builds to work with dbus version < 0.6 (bz #179816)
+
+* Tue Feb 07 2006 Florian La Roche <laroche@redhat.com> 30:9.3.2-3
+- try supporting without dbus support
+
+* Mon Feb 06 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-2.1
+- Rebuild for new gcc, glibc, glibc-kernheaders
+
+* Mon Jan 16 2006 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-2
+- fix bug 177854: temporary fix for broken kernel-2.6.15-1854+
+ /proc/net/if_inet6 format
+
+* Wed Dec 21 2005 Jason Vas Dias <jvdias@redhat.com> - 30:9.3.2-1
+- Upgrade to 9.3.2, released today
+
+* Tue Dec 20 2005 Jason Vas Dias <jvdias@redhat.com> - 28:9.3.2rc1-2
+- fix bug 176100: do not Require: perl just for namedGetForwarders !
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Fri Dec 02 2005 Jason Vas Dias <jvdias@redhat.com> - 28:9.3.2rc-1
+- Upgrade to upstream version 9.3.2rc1
+- fix namedSetForwarders -> namedGetForwarders SOURCE14 typo
+
+* Thu Dec 01 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-26
+- rebuild for new dbus 0.6 dependency; remove use of
+ DBUS_NAME_FLAG_PROHIBIT_REPLACEMENT
+
+* Wed Nov 23 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-24
+- allow D-BUS support to work in bind-chroot environment:
+ workaround latest selinux policy by mounting /var/run/dbus/
+ under chroot instead of /var/run/dbus/system-bus-socket
+
+* Sun Nov 13 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-22
+- fix bug 172632 - remove .la files
+- ship namedGetForwarders and namedSetForwarders scripts
+- fix detection of -D option in chroot
+
+* Tue Nov 8 2005 Tomas Mraz <tmraz@redhat.com> - 24:9.3.1-21
+- rebuilt with new openssl
+
+* Wed Oct 19 2005 Jason Vas Dias <jvdias@redhat.com> - 24.9.3.1-20
+- Allow the -D enable D-BUS option to be used within bind-chroot .
+- fix bug 171226: supply some documentation for pgsql SDB .
+
+* Thu Oct 06 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-18
+- fix bug 169969: do NOT call dbus_svc_dispatch() in dbus_mgr_init_dbus() -
+ task->state != task_ready and will cause Abort in task.c if process
+ is waiting for NameOwnerChanged to do a SetForwarders
+
+* Wed Oct 05 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-16
+- Fix reconnecting to dbus-daemon after it stops & restarts .
+
+* Tue Sep 27 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-14
+- When forwarder nameservers are changed with D-BUS, flush the cache.
+
+* Mon Sep 26 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-12
+- fix bug 168302: use %%{__cc} for compiling dns-keygen
+- fix bug 167682: bind-chroot directory permissions
+- fix issues with -D dbus option when dbus service not running or disabled
+
+* Tue Aug 30 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-12
+- fix bug 167062: named should be started after syslogd by default
+
+* Mon Aug 22 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-11
+- fix bug 166227: host: don't do default AAAA and MX lookups with '-t a' option
+
+* Tue Aug 16 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-10
+- Build with D-BUS patch by default; D-BUS support enabled with named -D option
+- Enable D-BUS for named_sdb also
+- fix sdb pgsql's zonetodb.c: must use isc_hash_create() before dns_db_create()
+- update fix for bug 160914 : test for RD=1 and ARCOUNT=0 also before trying next server
+- fix named.init script to handle named_sdb properly
+- fix named.init script checkconfig() to handle named '-c' option
+ and make configtest, test, check configcheck synonyms
+
+* Tue Jul 19 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-8
+- fix named.init script bugs 163598, 163409, 151852(addendum)
+
+* Tue Jul 12 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-7
+- fix bug 160914: resolver utilities should try next server on empty referral
+ (now that glibc bug 162625 is fixed)
+ host and nslookup now by default try next server on SERVFAIL
+ (host now has '-s' option to disable, and nslookup given
+ '[no]fail' option similar to dig's [no]fail option).
+- rebuild and re-test with new glibc & gcc (all tests passed).
+
+* Tue May 31 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-6
+- fix bug 157950: dig / host / nslookup should reject invalid resolv.conf
+ files and not use uninitialized garbage nameserver values
+ (ISC bug 14841 raised).
+
+* Mon May 23 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-4_FC4
+- Fix SDB LDAP
+
+* Mon May 16 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-4
+- Fix bug 157601: give named.init a configtest function
+- Fix bug 156797: named.init should check SELinux booleans.local before booleans
+- Fix bug 154335: if no controls in named.conf, stop named with -TERM sig, not rndc
+- Fix bug 155848: add NOTES section to named.8 man-page with info on all Red Hat
+ BIND quirks and SELinux DDNS / slave zone file configuration
+- D-BUS patches NOT applied until dhcdbd is in FC
+
+* Sun May 15 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-4_dbus
+- Enhancement to allow dynamic forwarder table management and
+- DHCP forwarder auto-configuration with D-BUS
+
+* Thu Apr 14 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-2_FC4
+- Rebuild for bind-sdb libpq.so.3 dependency
+- fix bug 150981: don't install libbind man-pages if no libbind
+- fix bug 151852: mount proc on $ROOTDIR/proc to allow sysconf(...)
+ to work and correct number of CPUs to be determined
+
+* Fri Mar 11 2005 Jason Vas Dias <jvdias@redhat.com> - 24:9.3.1-1_FC4
+- Upgrade to ISC BIND 9.3.1 (final release) released today.
+
+* Wed Mar 9 2005 Jason Vas Dias <jvdias@redhat.com> - 22.9.3.1rc1-5
+- fix bug 150288: h_errno not being accessed / set correctly in libbind
+- add libbind man-pages from bind-8.4.6
+
+* Mon Mar 7 2005 Jason Vas Dias <jvdias@redhat.com> - 22:9.3.1rc1-4
+- Rebuild with gcc4 / glibc-2.3.4-14.
+
+* Tue Mar 1 2005 Nalin Dahyabhai <nalin@redhat.com> - 22:9.3.1rc1-3
+- configure with --with-pic to get PIC libraries
+
+* Sun Feb 20 2005 Jason Vas Dias <jvdias@redhat.com> - 22:9.3.1rc1-2
+- fix bug 149183: don't use getifaddrs() .
+
+* Wed Feb 16 2005 Jason Vas Dias <jvdias@redhat.com> - 22:9.3.1rc1-1
+- Upgrade to 9.3.1rc1
+- Add Simplified Database Backend (SDB) sub-package ( bind-sdb )
+- add named_sdb - ldap + pgsql + dir database backend support with
+- 'ENABLE_SDB' named.sysconfig option
+- Add BIND resolver library & includes sub-package ( libbind-devel)
+- fix bug 147824 / 147073 / 145664: ENABLE_ZONE_WRITE in named.init
+- fix bug 146084 : shutup restorecon
+
+* Tue Jan 11 2005 Jason Vas Dias <jvdias@redhat.com> - 22:9.3.0-2
+- Fix bug 143438: named.init will now make correct ownership of $ROOTDIR/var/named
+- based on 'named_write_master_zones' SELinux boolean.
+- Fix bug 143744: dig & nsupdate IPv6 timeout (dup of 140528)
+
+* Mon Nov 29 2004 Jason Vas Dias <jvdias@redhat.com> - 9.3.0-1
+- Upgrade BIND to 9.3.0 in Rawhide / FC4 (bugs 134529, 133654...)
+
+* Mon Nov 29 2004 Jason Vas Dias <jvdias@redhat.com> - 20:9.2.4-4
+- Fix bugs 140528 and 141113:
+- 2 second timeouts when IPv6 not configured and root nameserver's
+- AAAA addresses are queried
+
+* Mon Oct 18 2004 Jason Vas Dias <jvdias@redhat.com> - 20:9.2.4-2
+- Fix bug 136243: bind-chroot %%post must run restorecon -R %%{prefix}
+- Fix bug 135175: named.init must return non-zero if named is not run
+- Fix bug 134060: bind-chroot %%post must use mktemp, not /tmp/named
+- Fix bug 133423: bind-chroot %%files entries should have been %%dirs
+
+* Thu Sep 23 2004 Jason Vas Dias <jvdias@redhat.com> - 20:9.2.4-1
+- BIND 9.2.4 (final release) released - source code actually
+- identical to 9.2.4rc8, with only version number change.
+
+* Mon Sep 20 2004 Jason Vas Dias <jvdias@redhat.com> - 10:9.2.4rc8-14
+- Upgrade to upstream bind-9.2.4rc8 .
+- Progress: Finally! Hooray! ISC bind now distributes:
+- o named.conf(5) and nslookup(8) manpages
+- 'bind-manpages.bz2' source can now disappear
+- (could this have something to do with ISC bug I raised about this?)
+- o 'deprecation_msg' global has vanished
+- bind-9.2.3rc3-deprecation_msg_shut_up.diff.bz2 can disappear
+
+* Mon Sep 20 2004 Jason Vas Dias <jvdias@redhat.com> - 10:9.2.4rc8-14
+- Fix bug 106572/132385: copy /etc/localtime to chroot on start
+
+* Fri Sep 10 2004 Jason Vas Dias <jvdias@redhat.com> - 10:9.2.4rc7-12_EL3
+- Fix bug 132303: if ROOTDIR line was replaced after upgrade from
+- bind-chroot-9.2.2-21, restart named
+
+* Wed Sep 8 2004 Jason Vas Dias <jvdias@redhat.com> - 10:9.2.4rc7-11_EL3
+- Fix bug 131803: replace ROOTDIR line removed by broken
+- bind-chroot 9.2.2-21's '%%postun'; added %%triggerpostun for bind-chroot
+
+* Tue Sep 7 2004 Jason Vas Dias <jvdias@redhat.com> - 10:9.2.4rc7-10_EL3
+- Fix bugs 130121 & 130981 for RHEL-3
+
+* Mon Aug 30 2004 Jason Vas Dias <jvdias@redhat.com> - 10:9.2.4rc7-10
+- Fix bug 130121: add '%%ghost' entries for files included in previous
+- bind-chroot & not in current - ie. named.conf, rndc.key, dev/* -
+- that RPM removed after upgrade .
+
+* Thu Aug 26 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fix bug 130981: add '-t' option to named-checkconf invocation in
+- named.init if chroot installed.
+
+* Wed Aug 25 2004 Jason Vas Dias <jvdias@redhat.com>
+- Remove resolver(5) manpage now in man-pages (bug 130792);
+- Don't create /dev/ entries in bind-chroot if already there (bug 127556);
+- fix bind-devel Requires (bug 130919)
+- Set default location for dumpdb & stats files to /var/named/data
+
+* Tue Aug 24 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fix devel Requires for bug 130738 & fix version
+
+* Tue Aug 24 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fix errors on clean install if named group does not exist
+- (bug 130777)
+
+* Thu Aug 19 2004 Jason Vas Dias <jvdias@redhat.com>
+- Upgrade to bind-9.2.4rc7; applied initscript fix
+- for bug 102035.
+
+* Mon Aug 9 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fixed bug 129289: bind-chroot install / deinstall
+- on install, existing config files 'safe_replace'd
+- with links to chroot copies; on uninstall, moved back.
+
+* Fri Aug 6 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fixed bug 129258: "${prefix}/var/tmp" typo in spec
+
+* Wed Jul 28 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fixed bug 127124 : 'Requires: kernel >= 2.4'
+- causes problems with Linux VServers
+
+* Tue Jul 27 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fixed bug 127555 : chroot tar missing var/named/slaves
+
+* Fri Jul 16 2004 Jason Vas Dias <jvdias@redhat.com>
+- Upgraded to ISC version 9.2.4rc6
+
+* Fri Jul 16 2004 Jason Vas Dias <jvdias@redhat.com>
+- Fixed named.init generation of error messages on
+- 'service named stop' and 'service named reload'
+- as per bug 127775
+
+* Wed Jun 23 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-19
+- Bump for rhel 3.0 U3
+
+* Wed Jun 23 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-18
+- remove disable-linux-caps
+
+* Wed Jun 16 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-17
+- Update RHEL3 to latest bind
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Jun 8 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-15
+- Remove device files from chroot, Named uses the system one
+
+* Fri Mar 26 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-14
+- Move RFC to devel package
+
+* Fri Mar 26 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-13
+- Fix location of restorecon
+
+* Thu Mar 25 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-12
+- Tighten security on config files. Should be owned by root
+
+* Thu Mar 25 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-11
+- Update key patch to include conf-keygen
+
+* Tue Mar 23 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-10
+- fix chroot to only happen once.
+- fix init script to do kill insteall of killall
+
+* Mon Mar 15 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-9
+- Add fix for SELinux security context
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Sat Feb 28 2004 Florian La Roche <Florian.LaRoche@redhat.de>
+- run ldconfig for libs subrpm
+
+* Mon Feb 23 2004 Tim Waugh <twaugh@redhat.com>
+- Use ':' instead of '.' as separator for chown.
+
+* Tue Feb 17 2004 Daniel Walsh <dwalsh@redhat.com> 9.2.3-7
+- Add COPYRIGHT
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Dec 30 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.3-5
+- Add defattr to libs
+
+* Mon Dec 29 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.3-4
+- Break out library package
+
+* Mon Dec 22 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.3-3
+- Fix condrestart
+
+* Wed Nov 12 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.3-2
+- Move libisc and libdns to bind from bind-util
+
+* Tue Nov 11 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.3-1
+- Move to 9.2.3
+
+* Mon Oct 27 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-10
+- Add PIE support
+
+* Fri Oct 17 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-9
+- Add /var/named/slaves directory
+
+* Sun Oct 12 2003 Florian La Roche <Florian.LaRoche@redhat.de>
+- do not link against libnsl, not needed for Linux
+
+* Wed Oct 8 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-6
+- Fix local time in log file
+
+* Tue Oct 7 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-5
+- Try again
+
+* Mon Oct 6 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-4
+- Fix handling of chroot -/dev/random
+
+* Thu Oct 2 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-3
+- Stop hammering stuff on update of chroot environment
+
+* Mon Sep 29 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-2
+- Fix chroot directory to grab all subdirectories
+
+* Wed Sep 24 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2.P3-1
+- New patch to support for "delegation-only"
+
+* Wed Sep 17 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-23
+- patch support for "delegation-only"
+
+* Wed Jul 30 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-22
+- Update to build on RHL
+
+* Wed Jul 30 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-21
+- Install libraries as exec so debug info will be pulled
+
+* Sat Jul 19 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-20
+- Remove BSDCOMPAT (BZ 99454)
+
+* Tue Jul 15 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-19
+- Update to build on RHL
+
+* Tue Jul 15 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-18
+- Change protections on /var/named and /var/chroot/named
+
+* Tue Jun 17 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-17
+- Update to build on RHL
+
+* Tue Jun 17 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-16
+- Update to build on RHEL
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Apr 22 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-14
+- Update to build on RHEL
+
+* Tue Apr 22 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-13
+- Fix config description of named.conf in chroot
+- Change named.init script to check for existence of /etc/sysconfig/network
+
+* Fri Apr 18 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-12
+- Update to build on RHEL
+
+* Fri Apr 18 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-11
+- Update to build on RHEL
+
+* Fri Apr 18 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-10
+- Fix echo OK on starting/stopping service
+
+* Fri Mar 28 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-9
+- Update to build on RHEL
+
+* Fri Mar 28 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-8
+- Fix echo on startup
+
+* Tue Mar 25 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-7
+- Fix problems with chroot environment
+- Eliminate posix threads
+
+* Mon Mar 24 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-6
+- Fix build problems
+
+* Fri Mar 14 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-5
+- Fix build on beehive
+
+* Thu Mar 13 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-4
+- build bind-chroot kit
+
+* Tue Mar 11 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-3
+- Change configure to use proper threads model
+
+* Fri Mar 7 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-2
+- update to 9.2.2
+
+* Tue Mar 4 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.2-1
+- update to 9.2.2
+
+* Fri Jan 24 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.1-16
+- Put a sleep in restart to make sure stop completes
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Tue Jan 7 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.1-14
+- Separate /etc/rndc.key to separate file
+
+* Tue Jan 7 2003 Nalin Dahyabhai <nalin@redhat.com> 9.2.1-13
+- Use openssl's pkgconfig data, if available, at build-time.
+
+* Mon Jan 6 2003 Daniel Walsh <dwalsh@redhat.com> 9.2.1-12
+- Fix log rotate to use service named reload
+- Change service named reload to give success/failure message [73770]
+- Fix File checking [75710]
+- Begin change to automatically run in CHROOT environment
+
+* Tue Dec 24 2002 Daniel Walsh <dwalsh@redhat.com> 9.2.1-10
+- Fix startup script to work like all others.
+
+* Mon Dec 16 2002 Daniel Walsh <dwalsh@redhat.com> 9.2.1-9
+- Fix configure to build on x86_64 platforms
+
+* Wed Aug 07 2002 Karsten Hopp <karsten@redhat.de>
+- fix #70583, doesn't build on IA64
+
+* Tue Jul 30 2002 Karsten Hopp <karsten@redhat.de> 9.2.1-8
+- bind-utils shouldn't require bind
+
+* Mon Jul 22 2002 Karsten Hopp <karsten@redhat.de> 9.2.1-7
+- fix name of pidfine in logrotate script (#68842)
+- fix owner of logfile in logrotate script (#41391)
+- fix nslookup and named.conf man pages (output on stderr)
+ (#63553, #63560, #63561, #54889, #57457)
+- add rfc1912 (#50005)
+- gzip all rfc's
+- fix typo in keygen.c (#54870)
+- added missing manpages (#64065)
+- shutdown named properly with rndc stop (#62492)
+- /sbin/nologin instead of /bin/false (#68607)
+- move nsupdate to bind-utils (where the manpage already was) (#66209, #66381)
+- don't kill initscript when rndc fails (reload) (#58750)
+
+
+* Mon Jun 24 2002 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.1-5
+- Fix #65975
+
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu May 23 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu May 9 2002 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.1-2
+- Move libisccc, lib isccfg and liblwres from bind-utils to bind,
+ they're not required if you aren't running a nameserver.
+
+* Fri May 03 2002 Florian La Roche <Florian.LaRoche@redhat.de>
+- update to 9.2.1 release
+
+* Thu Mar 14 2002 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-8
+- Merge 30+ bug fixes from 9.2.1rc1 code
+
+* Mon Mar 11 2002 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-7
+- Don't exit if /etc/named.conf doesn't exist if we're running
+ chroot (#60868)
+- Revert Elliot's changes, we do require specific glibc/glibc-kernheaders
+ versions or bug #58335 will be back. "It compiles, therefore it works"
+ isn't always true.
+
+* Thu Feb 28 2002 Elliot Lee <sopwith@redhat.com> 9.2.0-6
+- Fix BuildRequires (we don't need specific glibc/glibc-kernheaders
+versions).
+- Use _smp_mflags
+
+* Wed Feb 20 2002 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-4
+- rebuild, require recent autoconf, automake (#58335)
+
+* Fri Jan 25 2002 Tim Powers <timp@redhat.com>
+- rebuild against new libssl
+
+* Wed Jan 09 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Tue Nov 27 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-1
+- 9.2.0
+
+* Thu Nov 22 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc10.2
+- 9.2.0rc10
+
+* Mon Nov 5 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc8.2
+- Fix up rndc.conf (#55574)
+
+* Thu Oct 25 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc8.1
+- rc8
+- Enforce --enable-threads
+
+* Mon Oct 22 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc7.1
+- 9.2.0rc7
+- Use rndc status for "service named status", it's supposed to actually
+ work in 9.2.x.
+
+* Wed Oct 3 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc5.1
+- 9.2.0rc5
+- Fix rpm --rebuild with ancient libtool versions (#53938, #54257)
+
+* Tue Sep 25 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc4.1
+- 9.2.0rc4
+
+* Fri Sep 14 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.2.0-0.rc3.1
+- 9.2.0rc3
+- remove ttl patch, I don't think we need this for 8.0.
+- remove dig.1.bz2 from the bind8-manpages tar file, 9.2 has a new dig man page
+- add lwres* man pages to -devel
+
+* Mon Sep 3 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-4
+- Make sure /etc/rndc.conf isn't world-readable even after the
+ %%post script inserted a random key (#53009)
+
+* Thu Jul 19 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-3
+- Add build dependencies (#49368)
+- Make sure running service named start several times doesn't create
+ useless processes (#47596)
+- Work around the named parent process returning 0 even if the config
+ file is broken (it's parsed later by the child processes) (#45484)
+
+* Mon Jul 16 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-2
+- Don't use rndc status, it's not yet implemented (#48839)
+
+* Sun Jul 08 2001 Florian La Roche <Florian.LaRoche@redhat.de>
+- update to 9.1.3 release
+
+* Tue Jul 3 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-0.rc3.1
+- Fix up rndc configuration and improve security (#46586)
+
+* Tue Jun 26 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-0.rc2.2
+- Sync with caching-nameserver-7.1-6
+
+* Mon Jun 25 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-0.rc2.1
+- Update to rc2
+
+* Fri Jun 1 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-0.rc1.3
+- Remove resolv.conf(5) man page, it's now in man-pages
+
+* Thu May 31 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-0.rc1.2
+- Add named.conf man page from bind 8.x (outdated, but better than nothing,
+ #42732)
+- Rename the rndc key (#42895)
+- Add dnssec* man pages
+
+* Mon May 28 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.3-0.rc1.1
+- 9.1.3rc1
+- s/Copyright/License/
+
+* Mon May 7 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.2-1
+- 9.1.2 final. No changes between 9.1.2-0.rc1.1 and this one, except for
+ the version number, though.
+
+* Thu May 3 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.2-0.rc1.1
+- 9.1.2rc1
+
+* Thu Mar 29 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.1-1
+- 9.1.1
+
+* Thu Mar 15 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.0-10
+- Merge fixes from 9.1.1rc5
+
+* Sun Mar 11 2001 Bernhard Rosenkraenzer <bero@redhat.com> 9.1.0-9
+- Work around bind 8 -> bind 9 migration problem when using buggy zone files:
+ accept zones without a TTL, but spew out a big fat warning. (#31393)
+
+* Thu Mar 8 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Add fixes from rc4
+
+* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Thu Mar 1 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- killall -HUP named if rndc reload fails (#30113)
+
+* Tue Feb 27 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Merge some fixes from 9.1.1rc3
+
+* Tue Feb 20 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Don't use the standard rndc key from the documentation, instead, create a random one
+ at installation time (#26358)
+- Make /etc/rndc.conf readable by user named only, it contains secret keys
+
+* Tue Feb 20 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.1.1 probably won't be out in time, revert to 9.1.0 and apply fixes
+ from 9.1.1rc2
+- bind requires bind-utils (#28317)
+
+* Tue Feb 13 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Update to rc2, fixes 2 more bugs
+- Fix build with glibc >= 2.2.1-7
+
+* Thu Feb 8 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Update to 9.1.1rc1; fixes 17 bugs (14 of them affecting us;
+ 1 was fixed in a Red Hat patch already, 2 others are portability
+ improvements)
+
+* Wed Feb 7 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Remove initscripts 5.54 requirement (#26489)
+
+* Mon Jan 29 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Add named-checkconf, named-checkzone (#25170)
+
+* Mon Jan 29 2001 Trond Eivind Glomsrod <teg@redhat.com>
+- use echo, not gprintf
+
+* Wed Jan 24 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix problems with $GENERATE
+ Patch from Daniel Roesen <droesen@entire-systems.com>
+ Bug #24890
+
+* Thu Jan 18 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.1.0 final
+
+* Sat Jan 13 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.1.0rc1
+- i18nify init script
+- bzip2 source to save space
+
+* Thu Jan 11 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix %%postun script
+
+* Tue Jan 9 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.1.0b3
+
+* Mon Jan 8 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Add named.conf man page from bind8 (#23503)
+
+* Sun Jan 7 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Make /etc/rndc.conf and /etc/sysconfig/named noreplace
+- Make devel require bind = %%{version} rather than just bind
+
+* Sun Jan 7 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix init script for real
+
+* Sat Jan 6 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix init script when ROOTDIR is not set
+
+* Thu Jan 4 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- Add hooks for setting up named to run chroot (RFE #23246)
+- Fix up requirements
+
+* Fri Dec 29 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.1.0b2
+
+* Wed Dec 20 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- Move run files to /var/run/named/ - /var/run isn't writable
+ by the user we're running as. (Bug #20665)
+
+* Tue Dec 19 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix reverse lookups (#22272)
+- Run ldconfig in %%post utils
+
+* Tue Dec 12 2000 Karsten Hopp <karsten@redhat.de>
+- fixed logrotate script (wrong path to kill)
+- include header files in -devel package
+- bugzilla #22049, #19147, 21606
+
+* Fri Dec 8 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.1.0b1 (9.1.0 is in our timeframe and less buggy)
+
+* Mon Nov 13 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.0.1
+
+* Mon Oct 30 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix initscript (Bug #19956)
+- Add sample rndc.conf (Bug #19956)
+- Fix build with tar 1.13.18
+
+* Tue Oct 10 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- Add some missing man pages (taken from bind8) (Bug #18794)
+
+* Sun Sep 17 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.0.0 final
+
+* Wed Aug 30 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- rc5
+- fix up nslookup
+
+* Thu Aug 24 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- rc4
+
+* Thu Jul 13 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- 9.0.0rc1
+
+* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
+- automatic rebuild
+
+* Sun Jul 9 2000 Florian La Roche <Florian.LaRoche@redhat.de>
+- add "exit 0" for uninstall case
+
+* Fri Jul 7 2000 Florian La Roche <Florian.LaRoche@redhat.de>
+- add prereq init.d and cleanup install section
+
+* Fri Jun 30 2000 Trond Eivind Glomsrod <teg@redhat.com>
+- fix the init script
+
+* Wed Jun 28 2000 Nalin Dahyabhai <nalin@redhat.com>
+- make libbind.a and nslookup.help readable again by setting INSTALL_LIB to ""
+
+* Mon Jun 26 2000 Bernhard Rosenkranzer <bero@redhat.com>
+- Fix up the initscript (Bug #13033)
+- Fix build with current glibc (Bug #12755)
+- /etc/rc.d/init.d -> /etc/init.d
+- use %%{_mandir} rather than /usr/share/man
+
+* Mon Jun 19 2000 Bill Nottingham <notting@redhat.com>
+- fix conflict with man-pages
+- remove compatibilty chkconfig links
+- initscript munging
+
+* Wed Jun 14 2000 Nalin Dahyabhai <nalin@redhat.com>
+- modify logrotate setup to use PID file
+- temporarily disable optimization by unsetting $RPM_OPT_FLAGS at build-time
+- actually bump the release this time
+
+* Sun Jun 4 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- FHS compliance
+
+* Mon Apr 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- clean up restart patch
+
+* Mon Apr 10 2000 Nalin Dahyabhai <nalin@redhat.com>
+- provide /var/named (fix for bugs #9847, #10205)
+- preserve args when restarted via ndc(8) (bug #10227)
+- make resolv.conf(5) a link to resolver(5) (bug #10245)
+- fix SYSTYPE bug in all makefiles
+- move creation of named user from %%post into %%pre
+
+* Mon Feb 28 2000 Bernhard Rosenkranzer <bero@redhat.com>
+- Fix TTL (patch from ISC, Bug #9820)
+
+* Wed Feb 16 2000 Bernhard Rosenkranzer <bero@redhat.com>
+- fix typo in spec (it's %%post, without a leading blank) introduced in -6
+- change SYSTYPE to linux
+
+* Fri Feb 11 2000 Bill Nottingham <notting@redhat.com>
+- pick a standard < 100 uid/gid for named
+
+* Fri Feb 04 2000 Elliot Lee <sopwith@redhat.com>
+- Pass named a '-u named' parameter by default, and add/remove user.
+
+* Thu Feb 3 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- fix host mx bug (Bug #9021)
+
+* Mon Jan 31 2000 Cristian Gafton <gafton@redhat.com>
+- rebuild to fix dependencies
+- man pages are compressed
+
+* Wed Jan 19 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- It's /usr/bin/killall, not /usr/sbin/killall (Bug #8063)
+
+* Mon Jan 17 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- Fix up location of named-bootconf.pl and make it executable
+ (Bug #8028)
+- bind-devel requires bind
+
+* Mon Nov 15 1999 Bernhard Rosenkraenzer <bero@redhat.com>
+- update to 8.2.2-P5
+
+* Wed Nov 10 1999 Bill Nottingham <notting@redhat.com>
+- update to 8.2.2-P3
+
+* Tue Oct 12 1999 Cristian Gafton <gafton@redhat.com>
+- add patch to stop a cache only server from complaining about lame servers
+ on every request.
+
+* Fri Sep 24 1999 Preston Brown <pbrown@redhat.com>
+- use real stop and start in named.init for restart, not ndc restart, it has
+ problems when named has changed during a package update... (# 4890)
+
+* Fri Sep 10 1999 Bill Nottingham <notting@redhat.com>
+- chkconfig --del in %%preun, not %%postun
+
+* Mon Aug 16 1999 Bill Nottingham <notting@redhat.com>
+- initscript munging
+
+* Mon Jul 26 1999 Bill Nottingham <notting@redhat.com>
+- fix installed chkconfig links to match init file
+
+* Sat Jul 3 1999 Jeff Johnson <jbj@redhat.com>
+- conflict with new (in man-1.24) man pages (#3876,#3877).
+
+* Tue Jun 29 1999 Bill Nottingham <notting@redhat.com>
+- fix named.logrotate (wrong %%SOURCE)
+
+* Fri Jun 25 1999 Jeff Johnson <jbj@redhat.com>
+- update to 8.2.1.
+- add named.logrotate (#3571).
+- hack around egcs-1.1.2 -m486 bug (#3413, #3485).
+- vet file list.
+
+* Fri Jun 18 1999 Bill Nottingham <notting@redhat.com>
+- don't run by default
+
+* Sun May 30 1999 Jeff Johnson <jbj@redhat.com>
+- nslookup fixes (#2463).
+- missing files (#3152).
+
+* Sat May 1 1999 Stepan Kasal <kasal@math.cas.cz>
+- nslookup patched:
+ to count numRecords properly
+ to fix subsequent calls to ls -d
+ to parse "view" and "finger" commands properly
+ the view hack updated for bind-8 (using sed)
+
+* Wed Mar 31 1999 Bill Nottingham <notting@redhat.com>
+- add ISC patch
+- add quick hack to make host not crash
+- add more docs
+
+* Fri Mar 26 1999 Cristian Gafton <gafton@redhat.com>
+- add probing information in the init file to keep linuxconf happy
+- dont strip libbind
+
+* Sun Mar 21 1999 Cristian Gafton <gafton@redhat.com>
+- auto rebuild in the new build environment (release 3)
+
+* Wed Mar 17 1999 Preston Brown <pbrown@redhat.com>
+- removed 'done' output at named shutdown.
+
+* Tue Mar 16 1999 Cristian Gafton <gafton@redhat.com>
+- version 8.2
+
+* Wed Dec 30 1998 Cristian Gafton <gafton@redhat.com>
+- patch to use the __FDS_BITS macro
+- build for glibc 2.1
+
+* Wed Sep 23 1998 Jeff Johnson <jbj@redhat.com>
+- change named.restart to /usr/sbin/ndc restart
+
+* Sat Sep 19 1998 Jeff Johnson <jbj@redhat.com>
+- install man pages correctly.
+- change K10named to K45named.
+
+* Wed Aug 12 1998 Jeff Johnson <jbj@redhat.com>
+- don't start if /etc/named.conf doesn't exist.
+
+* Sat Aug 8 1998 Jeff Johnson <jbj@redhat.com>
+- autmagically create /etc/named.conf from /etc/named.boot in %%post
+- remove echo in %%post
+
+* Wed Jun 10 1998 Jeff Johnson <jbj@redhat.com>
+- merge in 5.1 mods
+
+* Sun Apr 12 1998 Manuel J. Galan <manolow@step.es>
+- Several essential modifications to build and install correctly.
+- Modified 'ndc' to avoid deprecated use of '-'
+
+* Mon Dec 22 1997 Scott Lampert <fortunato@heavymetal.org>
+- Used buildroot
+- patched bin/named/ns_udp.c to use <libelf/nlist.h> for include
+ on Redhat 5.0 instead of <nlist.h>