diff --git a/SOURCES/bind-9.11-CVE-2018-5745-testfix.patch b/SOURCES/bind-9.11-CVE-2018-5745-testfix.patch
new file mode 100644
index 0000000..f4dd863
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2018-5745-testfix.patch
@@ -0,0 +1,455 @@
+From aea8a7bab922a8793f6c50af30bdfa424a7f706d Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 5 Sep 2019 20:24:25 +0200
+Subject: [PATCH] Fix mkeys test changes backported
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Squashed commit of the following:
+
+commit a6cbd45fcfe2b1dc5339da72eed0ffeb27afdf81
+Author: Petr Mensik <pemensik@redhat.com>
+Date:   Thu Sep 5 20:01:21 2019 +0200
+
+    Backport fixes to mkeys test
+
+    It relied on some features backported in more recent versions, but not
+    present in our version. Make test pass with current features. Fixes some
+    mistakes when backporting original upstream commits.
+
+commit be97d4d9d9f9568aa497e618ffbe2aba0841d035
+Author: Michał Kępień <michal@isc.org>
+Date:   Tue Mar 26 10:51:16 2019 +0100
+
+    Add "-r $RANDFILE" where it is missing
+
+    If the path to the source of random data is not passed explicitly to
+    dnssec-keygen or dnssec-signzone and the --with-randomdev compile-time
+    switch is not used, the aforementioned utilities will hang if the
+    default source of random data (/dev/random) runs out of entropy.  Use
+    "-r $RANDFILE" to prevent that from happening in affected system tests.
+
+    (cherry picked from commit 59e1329e9b3aff72d8e36db8d0ca980d540decb3)
+
+commit fd651e87b9bddcae7ef894b165d209a9693dc204
+Author: Matthijs Mekking <matthijs@isc.org>
+Date:   Thu Dec 20 15:23:07 2018 +0100
+
+    Remove dig_with_opts
+
+    (cherry picked from commit bb2c242c396d3c6893eb6a27e59af5a3b53452bc)
+
+commit 84264e082ffe0c5439a0c789ceb7f8308d1b9b7e
+Author: Matthijs Mekking <github@pletterpet.nl>
+Date:   Wed Dec 19 10:16:10 2018 +0100
+
+    Replace DSA with Reserved algorithm
+
+    (cherry picked from commit 17cdde1e56abae5c3bf5256ecbdacbd8cbef05b6)
+    (cherry picked from commit 0e9a8da68c89cb99b1892e8b0705b71c92532844)
+
+commit e335f239aca4bdbf8160fe9bc1ef3cfba15ae06f
+Author: Matthijs Mekking <github@pletterpet.nl>
+Date:   Tue Dec 18 12:14:04 2018 +0100
+
+    Allow unsupported alg in zone /w dnssec-signzone
+
+    dnssec-signzone should sign a zonefile that contains a DNSKEY record
+    with an unsupported algorithm.  Current behavior is that it will
+    fail, hitting a fatal error.  The fix detects unsupported algorithms
+    and will not try to add it to the keylist.
+
+    Also when determining the maximum iterations for NSEC3, don't take
+    into account DNSKEY records in the zonefile with an unsupported
+    algorithm.
+
+    (cherry picked from commit 1dd11fc754baf396bb3040527087b14f0678dd83)
+    (cherry picked from commit 040e132f1692ce8bb1ac83032ee761b3278f0272)
+
+commit a1c345c8ab39201fe6e0cd7f19696d6a2f8b5522
+Author: Matthijs Mekking <github@pletterpet.nl>
+Date:   Tue Dec 18 12:10:05 2018 +0100
+
+    Add dnssec-signzone tests with unsupported alg
+
+    dnssec-signzone should sign a zonefile that contains a DNSKEY record
+    with an unsupported algorithm.
+
+    (cherry picked from commit 6d976b37c1b2b2c4bcede89252cf26b6f170c142)
+    (cherry picked from commit 8619318a1e6207e487438a93bd7a620967091347)
+    (cherry picked from commit 9f81119c0256378683c20e8e01a874378cabfcbc)
+---
+ bin/tests/system/dnssec/clean.sh              |  4 ++
+ bin/tests/system/dnssec/ns2/example.db.in     |  5 ++-
+ .../ns3/dnskey-unsupported-2.example.db.in    | 27 ++++++++++++
+ .../ns3/dnskey-unsupported.example.db.in      | 27 ++++++++++++
+ bin/tests/system/dnssec/ns3/named.conf.in     | 10 +++++
+ bin/tests/system/dnssec/ns3/sign.sh           | 42 ++++++++++++++++++-
+ .../dnssec/ns3/unsupported-algorithm.key      |  1 +
+ bin/tests/system/dnssec/tests.sh              | 20 +++++++++
+ bin/tests/system/dupsigs/ns1/reset_keys.sh    |  2 +
+ bin/tests/system/mkeys/ns6/setup.sh           |  2 +-
+ bin/tests/system/mkeys/setup.sh               |  2 +
+ bin/tests/system/mkeys/tests.sh               |  6 +--
+ lib/dns/dnssec.c                              |  8 ++++
+ lib/dns/include/dns/dnssec.h                  |  2 +-
+ lib/dns/nsec3.c                               | 11 ++++-
+ 15 files changed, 161 insertions(+), 8 deletions(-)
+ create mode 100644 bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
+ create mode 100644 bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
+ create mode 100644 bin/tests/system/dnssec/ns3/unsupported-algorithm.key
+
+diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
+index 1873c4b586..0fcff23797 100644
+--- a/bin/tests/system/dnssec/clean.sh
++++ b/bin/tests/system/dnssec/clean.sh
+@@ -55,6 +55,10 @@ rm -f ns3/future.example.db ns3/trusted-future.key
+ rm -f ns3/inline.example.db.signed
+ rm -f ns3/kskonly.example.db
+ rm -f ns3/lower.example.db ns3/upper.example.db ns3/upper.example.db.lower
++rm -f ./ns3/dnskey-unsupported.example.db
++rm -f ./ns3/dnskey-unsupported.example.db.tmp
++rm -f ./ns3/dnskey-unsupported-2.example.db
++rm -f ./ns3/dnskey-unsupported-2.example.db.tmp
+ rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db
+ rm -f ns3/nsec3.nsec3.example.db
+ rm -f ns3/nsec3.optout.example.db
+diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
+index 0b831ec94e..6afffe00f3 100644
+--- a/bin/tests/system/dnssec/ns2/example.db.in
++++ b/bin/tests/system/dnssec/ns2/example.db.in
+@@ -97,6 +97,9 @@ ns.optout-unknown	A	10.53.0.3
+ dnskey-unknown		NS	ns.dnskey-unknown
+ ns.dnskey-unknown	A	10.53.0.3
+ 
++dnskey-unsupported	NS	ns.dnskey-unsupported
++ns.dnskey-unsupported	A	10.53.0.3
++
+ dnskey-nsec3-unknown	NS	ns.dnskey-nsec3-unknown
+ ns.dnskey-nsec3-unknown	A	10.53.0.3
+ 
+@@ -111,7 +114,7 @@ ns.rsasha256		A	10.53.0.3
+ rsasha512		NS	ns.rsasha512
+ ns.rsasha512		A	10.53.0.3
+ 
+-kskonly 		NS	ns.kskonly
++kskonly			NS	ns.kskonly
+ ns.kskonly		A	10.53.0.3
+ 
+ update-nsec3		NS	ns.update-nsec3
+diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
+new file mode 100644
+index 0000000000..c9e7c2b3da
+--- /dev/null
++++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported-2.example.db.in
+@@ -0,0 +1,27 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 300	; 5 minutes
++@			IN SOA	mname1. . (
++				2000042407 ; serial
++				20         ; refresh (20 seconds)
++				20         ; retry (20 seconds)
++				1814400    ; expire (3 weeks)
++				3600       ; minimum (1 hour)
++				)
++			NS	ns
++ns			A	10.53.0.3
++
++a			A	10.0.0.1
++b			A	10.0.0.2
++d			A	10.0.0.4
++z			A	10.0.0.26
++a.a.a.a			A	10.0.0.3
++*.e			A	10.0.0.6
++child			NS	ns2.example.
+diff --git a/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
+new file mode 100644
+index 0000000000..c9e7c2b3da
+--- /dev/null
++++ b/bin/tests/system/dnssec/ns3/dnskey-unsupported.example.db.in
+@@ -0,0 +1,27 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 300	; 5 minutes
++@			IN SOA	mname1. . (
++				2000042407 ; serial
++				20         ; refresh (20 seconds)
++				20         ; retry (20 seconds)
++				1814400    ; expire (3 weeks)
++				3600       ; minimum (1 hour)
++				)
++			NS	ns
++ns			A	10.53.0.3
++
++a			A	10.0.0.1
++b			A	10.0.0.2
++d			A	10.0.0.4
++z			A	10.0.0.26
++a.a.a.a			A	10.0.0.3
++*.e			A	10.0.0.6
++child			NS	ns2.example.
+diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
+index 14ebbc8ea8..6aa5d5350d 100644
+--- a/bin/tests/system/dnssec/ns3/named.conf.in
++++ b/bin/tests/system/dnssec/ns3/named.conf.in
+@@ -150,6 +150,16 @@ zone "dnskey-unknown.example" {
+ 	file "dnskey-unknown.example.db.signed";
+ };
+ 
++zone "dnskey-unsupported.example" {
++	type master;
++	file "dnskey-unsupported.example.db.signed";
++};
++
++zone "dnskey-unsupported-2.example" {
++	type master;
++	file "dnskey-unsupported-2.example.db.signed";
++};
++
+ zone "dnskey-nsec3-unknown.example" {
+ 	type master;
+ 	nsec3-test-zone yes;
+diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
+index f95a6b7ea8..99e9b4958f 100644
+--- a/bin/tests/system/dnssec/ns3/sign.sh
++++ b/bin/tests/system/dnssec/ns3/sign.sh
+@@ -12,6 +12,12 @@
+ SYSTEMTESTTOP=../..
+ . $SYSTEMTESTTOP/conf.sh
+ 
++# Default algorithm for testing
++# In more recent versions set in conf.sh, include here for backward copatibility
++DEFAULT_ALGORITHM=RSASHA256
++DEFAULT_ALGORITHM_NUMBER=8
++DEFAULT_BITS=1280
++
+ zone=secure.example.
+ infile=secure.example.db.in
+ zonefile=secure.example.db
+@@ -193,7 +199,7 @@ cat $infile $keyname.key >$zonefile
+ $SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+ 
+ #
+-# A zone with a unknown DNSKEY algorithm.
++# A zone that is signed with an unknown DNSKEY algorithm.
+ # Algorithm 7 is replaced by 100 in the zone and dsset.
+ #
+ zone=dnskey-unknown.example.
+@@ -211,6 +217,40 @@ awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { prin
+ DSFILE=dsset-`echo ${zone} |sed -e "s/\.$//g"`$TP
+ $DSFROMKEY -A -f ${zonefile}.signed $zone > $DSFILE
+ 
++#
++# A zone that is signed with an unsupported DNSKEY algorithm (3).
++# Algorithm 7 is replaced by 255 in the zone and dsset.
++#
++zone=dnskey-unsupported.example.
++infile=dnskey-unsupported.example.db.in
++zonefile=dnskey-unsupported.example.db
++
++keyname=$("$KEYGEN" -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
++
++cat "$infile" "$keyname.key" > "$zonefile"
++
++"$SIGNER" -P -3 - -r $RANDFILE -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null 2>&1
++
++awk '$4 == "DNSKEY" { $7 = 255; print } $4 == "RRSIG" { $6 = 255; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
++
++DSFILE="dsset-$(echo ${zone} |sed -e "s/\\.$//g")$TP"
++$DSFROMKEY -A -f ${zonefile}.signed "$zone" > "$DSFILE"
++
++#
++# A zone with a published unsupported DNSKEY algorithm (Reserved).
++# Different from above because this key is not intended for signing.
++#
++zone=dnskey-unsupported-2.example.
++infile=dnskey-unsupported-2.example.db.in
++zonefile=dnskey-unsupported-2.example.db
++
++ksk=$("$KEYGEN" -f KSK -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
++zsk=$("$KEYGEN" -q -r $RANDFILE -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
++
++cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
++
++"$SIGNER" -P -3 - -r $RANDFILE -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
++
+ #
+ # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
+ # Algorithm 7 is replaced by 100 in the zone and dsset.
+diff --git a/bin/tests/system/dnssec/ns3/unsupported-algorithm.key b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key
+new file mode 100644
+index 0000000000..cc8bb9a51d
+--- /dev/null
++++ b/bin/tests/system/dnssec/ns3/unsupported-algorithm.key
+@@ -0,0 +1 @@
++dnskey-unsupported-2.example.	IN	DNSKEY	257 3 255 BJ0eV4dQC0pihdFXiVdlXjPDkzbv4fC+opEvK0RaDU7LLwFXPAi6DOc6tm7vcSr5Tgdnpoal3S4WqHuVw6I1pzy5mPPIZ3OpLSY/QeOyGc2QRAZtOXxiGxERHRjyAk7emlgGscM0Vty2oJVYRgTPX0lTwKX/V2H+mjEgp7u3tyG3cj5XBUQ8J0KUoqkrn1ZKrizH27aWiDaBUvqxJUcotaDhnydkNtcHoQIedm2b4qbyTQsdRkddJiSWxpveEcj3AMdt2PjU6Q4rgSWOc5ylPnW/O+GqqCEAkalGSF7ud0Nl3FVVR9iGwV/73FHzpBLawfkcHaODFmKRjzGqok8giKCih2vdNsxlx7gdJWJIPYYx/ZqNGc2ewzuAnnleJpZdXFo8uL3HYk6Pl51sSkfVUmcn/SM+ ;{id = 38688 (ksk), size = 768b}
+diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
+index b1907c73a5..fdbfbdb779 100644
+--- a/bin/tests/system/dnssec/tests.sh
++++ b/bin/tests/system/dnssec/tests.sh
+@@ -3347,6 +3347,26 @@ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++echo_i "checking that unsupported DNSKEY algorithm validates as insecure ($n)"
++ret=0
++$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported.example A > dig.out.ns3.test$n
++$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.4 dnskey-unsupported.example A > dig.out.ns4.test$n
++grep "status: NOERROR," dig.out.ns3.test$n > /dev/null || ret=1
++grep "status: NOERROR," dig.out.ns4.test$n > /dev/null || ret=1
++grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
++n=$((n+1))
++test "$ret" -eq 0 || echo_i "failed"
++status=$((status+ret))
++
++echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)"
++ret=0
++$DIG $DIGOPTS +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY > dig.out.test$n
++grep "status: NOERROR," dig.out.test$n > /dev/null || ret=1
++grep "dnskey-unsupported-2\.example\..*IN.*DNSKEY.*257 3 255" dig.out.test$n > /dev/null || ret=1
++n=$((n+1))
++test "$ret" -eq 0 || echo_i "failed"
++status=$((status+ret))
++
+ echo_i "check that a lone non matching CDNSKEY record is rejected ($n)"
+ ret=0
+ (
+diff --git a/bin/tests/system/dupsigs/ns1/reset_keys.sh b/bin/tests/system/dupsigs/ns1/reset_keys.sh
+index f03503f762..42ce8ac20b 100644
+--- a/bin/tests/system/dupsigs/ns1/reset_keys.sh
++++ b/bin/tests/system/dupsigs/ns1/reset_keys.sh
+@@ -22,6 +22,8 @@ timetodnssec() {
+ }
+ 
+ KEYDIR=keys/signing.test
++KEYGEN="$KEYGEN -r $RANDFILE"
++
+ KSK=`$KEYGEN -a RSASHA256 -b 1024 -K $KEYDIR -q -f KSK $zone`
+ 
+ ZSK0=`$KEYGEN -a RSASHA256 -b 1024 -K $KEYDIR -q $zone`
+diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh
+index 5ba1647da5..6f196c20db 100644
+--- a/bin/tests/system/mkeys/ns6/setup.sh
++++ b/bin/tests/system/mkeys/ns6/setup.sh
+@@ -16,7 +16,7 @@ zone=.
+ zonefile=root.db
+ 
+ # an RSA key
+-rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.`
++rsakey=`$KEYGEN -a rsasha256 -b 2048 -r $RANDFILE -qfk rsasha256.`
+ 
+ # a key with unsupported algorithm
+ unsupportedkey=Kunknown.+255+00000
+diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh
+index 100a86959b..79c877f85d 100644
+--- a/bin/tests/system/mkeys/setup.sh
++++ b/bin/tests/system/mkeys/setup.sh
+@@ -21,6 +21,8 @@ copy_setports ns1/named1.conf.in ns1/named.conf
+ copy_setports ns2/named.conf.in ns2/named.conf
+ copy_setports ns3/named.conf.in ns3/named.conf
+ copy_setports ns5/named.conf.in ns5/named.conf
++copy_setports ns6/named.conf.in ns6/named.conf
++copy_setports ns7/named.conf.in ns7/named.conf
+ 
+ cp ns5/named1.args ns5/named.args
+ 
+diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
+index b8410902d7..3533dbadbb 100644
+--- a/bin/tests/system/mkeys/tests.sh
++++ b/bin/tests/system/mkeys/tests.sh
+@@ -297,7 +297,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
+ echo_i "reinitialize trust anchors"
+-$PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns2
++$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} . ns2
+ rm -f ns2/managed-keys.bind*
+ nextpart ns2/named.run > /dev/null
+ $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns2
+@@ -714,10 +714,10 @@ status=`expr $status + $ret`
+ 
+ echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
+ ret=0
+-$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6
++$PERL $SYSTEMTESTTOP/stop.pl --port ${CONTROLPORT} . ns6
+ rm -f ns6/managed-keys.bind*
+ nextpart ns6/named.run > /dev/null
+-$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
++$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns6
+ # log when an unsupported algorithm is encountered during startup
+ wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
+index 1045f8ff21..984f28be26 100644
+--- a/lib/dns/dnssec.c
++++ b/lib/dns/dnssec.c
+@@ -1681,6 +1681,14 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
+ 	     result = dns_rdataset_next(&keys)) {
+ 		dns_rdata_reset(&rdata);
+ 		dns_rdataset_current(&keys, &rdata);
++
++		/* Skip unsupported algorithms */
++		REQUIRE(rdata.type == dns_rdatatype_key ||
++			rdata.type == dns_rdatatype_dnskey);
++		REQUIRE(rdata.length > 3);
++		if (!dst_algorithm_supported(rdata.data[3]))
++			goto skip;
++
+ 		RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
+ 		dst_key_setttl(pubkey, keys.ttl);
+ 
+diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
+index 75e32202a9..9a638852d7 100644
+--- a/lib/dns/include/dns/dnssec.h
++++ b/lib/dns/include/dns/dnssec.h
+@@ -299,7 +299,7 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
+ /*%<
+  * Search 'directory' for K* key files matching the name in 'origin'.
+  * Append all such keys, along with use hints gleaned from their
+- * metadata, onto 'keylist'.
++ * metadata, onto 'keylist'.  Skip any unsupported algorithms.
+  *
+  *	Requires:
+  *\li		'keylist' is not NULL
+diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
+index 37b6a8a7fe..0729886c9f 100644
+--- a/lib/dns/nsec3.c
++++ b/lib/dns/nsec3.c
+@@ -1801,8 +1801,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
+ 	     result == ISC_R_SUCCESS;
+ 	     result = dns_rdataset_next(&rdataset)) {
+ 		dns_rdata_t rdata = DNS_RDATA_INIT;
+-
+ 		dns_rdataset_current(&rdataset, &rdata);
++
++		/* Skip unsupported algorithms when
++		 * calculating the maximum iterations.
++		 */
++		REQUIRE(rdata.type == dns_rdatatype_key ||
++			rdata.type == dns_rdatatype_dnskey);
++		REQUIRE(rdata.length > 3);
++		if (!dst_algorithm_supported(rdata.data[3]))
++			continue;
++
+ 		isc_buffer_init(&buffer, rdata.data, rdata.length);
+ 		isc_buffer_add(&buffer, rdata.length);
+ 		CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
+-- 
+2.20.1
+
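Review bot: The comment introducing the first new zone in ns3/sign.sh still says "unsupported DNSKEY algorithm (3)" while the awk substitution a few lines later writes 255 into the DNSKEY and RRSIG algorithm fields; the "(3)" looks like a leftover from the DSA variant that the squashed "Replace DSA with Reserved algorithm" commit replaced, so the header should read `# A zone that is signed with an unsupported DNSKEY algorithm (255).` (the same file's added "backward copatibility" comment also has a typo). The sentence "Skip any unsupported algorithms." is added to the dnssec.h block that describes searching 'directory' for K* key files, which by the hunk-header context appears to be the dns_dnssec_findmatchingkeys2 documentation, while the code that now skips unsupported algorithms is dns_dnssec_keylistfromrdataset in dnssec.c; that function's documentation should carry the statement too, or instead, if findmatchingkeys2 behaviour did not change. The dnssec.c and nsec3.c hunks add the same REQUIRE/dst_algorithm_supported guard verbatim; a small shared helper would keep the two copies from drifting apart. The loop body of dns_dnssec_keylistfromrdataset, including the `skip:` label the new goto targets, continues outside the hunk.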
diff --git a/SOURCES/bind-9.11-CVE-2018-5745.patch b/SOURCES/bind-9.11-CVE-2018-5745.patch
new file mode 100644
index 0000000..1ea50c6
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2018-5745.patch
@@ -0,0 +1,474 @@
+From c705a3eac69286b47a70b851aa5dd9119d04512f Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 23 Jul 2019 16:43:55 +0200
+Subject: [PATCH] Fix CVE-2018-5745
+
+Squashed commit of the following:
+
+commit c38e1dd10567e246bb802d889c3b2d2d286c7616
+Author: Evan Hunt <each@isc.org>
+Date:   Fri Dec 21 17:24:47 2018 -0800
+
+    use algorithm 255 for both unsupported keys
+
+    (cherry picked from commit de8b2d4a6a97bb2ddf19024918581e70512ebc41)
+
+commit caf8a62270c850fbc59cfa6bb9dcedb2ef7228c2
+Author: Matthijs Mekking <matthijs@isc.org>
+Date:   Wed Dec 19 18:45:43 2018 +0100
+
+    Add tests for mkeys with unsupported algorithm
+
+    These tests check if a key with an unsupported algorithm in
+    managed-keys is ignored and when seeing an algorithm rollover to
+    an unsupported algorithm, the new key will be ignored too.
+
+    (cherry picked from commit 144cb53d0ae3aa5e6e3123720b603f9ab2bd1fa9)
+    (cherry picked from commit 8c2a8ca50946449bf26a7e0843cc5e54e36071ae)
+
+commit 634655f38385595fb9a35e93ec3a72ed4c48bda6
+Author: Matthijs Mekking <matthijs@isc.org>
+Date:   Wed Dec 19 18:47:43 2018 +0100
+
+    Update keyfetch_done compute_tag check
+
+    If in keyfetch_done the compute_tag fails (because for example the
+    algorithm is not supported), don't crash, but instead ignore the
+    key.
+
+    (cherry picked from commit b1d5411569ae10830b63f07560091193646cc739)
+    (cherry picked from commit 8f64928e2eb9395d8cdcd62183a1eaec3b1c5256)
+
+commit e5cb28c3f3df4c37d528665e67fb460cc1662259
+Author: Matthijs Mekking <github@pletterpet.nl>
+Date:   Wed Dec 12 14:06:10 2018 +0100
+
+    Don't free key in compute_tag in case of failure
+
+    If `dns_dnssec_keyfromrdata` failed we don't need to call
+    `dst_key_free` because no `dstkey` was created.  Doing so
+    nevertheless will result in an assertion failure.
+
+    This can happen if the key uses an unsupported algorithm.
+
+    (cherry picked from commit 7a1ca39b950b7d5230b605ac60f15a1cb94e3d69)
+    (cherry picked from commit acae423ef4274c5535da324da78ce1441628d5f6)
+---
+ bin/tests/system/mkeys/README                 |  3 +
+ bin/tests/system/mkeys/clean.sh               |  2 +
+ bin/tests/system/mkeys/ns1/root.db            | 20 +++----
+ bin/tests/system/mkeys/ns1/sign.sh            |  7 ++-
+ bin/tests/system/mkeys/ns1/unsupported.key    |  1 +
+ bin/tests/system/mkeys/ns6/named.args         |  1 +
+ bin/tests/system/mkeys/ns6/named.conf.in      | 43 +++++++++++++++
+ bin/tests/system/mkeys/ns6/setup.sh           | 30 ++++++++++
+ .../system/mkeys/ns6/unsupported-managed.key  |  1 +
+ bin/tests/system/mkeys/ns7/named.conf.in      | 50 +++++++++++++++++
+ bin/tests/system/mkeys/setup.sh               |  1 +
+ bin/tests/system/mkeys/tests.sh               | 55 +++++++++++++++++++
+ lib/dns/include/dst/dst.h                     |  3 +-
+ lib/dns/zone.c                                | 27 ++++++++-
+ 14 files changed, 229 insertions(+), 15 deletions(-)
+ create mode 100644 bin/tests/system/mkeys/ns1/unsupported.key
+ create mode 100644 bin/tests/system/mkeys/ns6/named.args
+ create mode 100644 bin/tests/system/mkeys/ns6/named.conf.in
+ create mode 100644 bin/tests/system/mkeys/ns6/setup.sh
+ create mode 100644 bin/tests/system/mkeys/ns6/unsupported-managed.key
+ create mode 100644 bin/tests/system/mkeys/ns7/named.conf.in
+
+diff --git a/bin/tests/system/mkeys/README b/bin/tests/system/mkeys/README
+index 700e6c21ca..257ef5406f 100644
+--- a/bin/tests/system/mkeys/README
++++ b/bin/tests/system/mkeys/README
+@@ -16,3 +16,6 @@ ns3 is a validator with a broken key in managed-keys.
+ 
+ ns5 is a validator which is prevented from getting a response from the
+ root server, causing key refresh queries to fail.
++
++ns6 is a validator which has unsupported algorithms, one at start up,
++one because of an algorithm rollover.
+diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh
+index 17bd50f273..844d813eb4 100644
+--- a/bin/tests/system/mkeys/clean.sh
++++ b/bin/tests/system/mkeys/clean.sh
+@@ -11,6 +11,7 @@
+ 
+ rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk
+ rm -f dsset-. ns1/dsset-.
++rm -f ns1/zone.key
+ rm -f ns*/named.lock
+ rm -f */managed-keys.bind* */named.secroots
+ rm -f */managed.conf ns1/managed.key ns1/managed.key.id
+@@ -19,3 +20,4 @@ rm -f dig.out* delv.out* rndc.out* signer.out*
+ rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
+ rm -f */named.conf
+ rm -f ns5/named.args
++rm -f ns7/view1.mkeys ns7/view2.mkeys
+diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db
+index 6ba922af09..0070f13942 100644
+--- a/bin/tests/system/mkeys/ns1/root.db
++++ b/bin/tests/system/mkeys/ns1/root.db
+@@ -8,16 +8,16 @@
+ ; information regarding copyright ownership.
+ 
+ $TTL 20
+-. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+-				2000042100   	; serial
+-				600         	; refresh
+-				600         	; retry
+-				1200    	; expire
+-				2       	; minimum
+-				)
+-.			NS	a.root-servers.nil.
+-a.root-servers.nil.	A	10.53.0.1
++.                      IN SOA  gson.nominum.com. a.root.servers.nil. (
++                               2000042100      ; serial
++                               600             ; refresh
++                               600             ; retry
++                               1200            ; expire
++                               2               ; minimum
++                               )
++.                      NS      a.root-servers.nil.
++a.root-servers.nil.    A       10.53.0.1
+ 
+ ; no delegation
+ 
+-example.		TXT	"This is a test."
++example.               TXT     "This is a test."
+diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh
+index ccc7889ad9..e5e7ec05d6 100644
+--- a/bin/tests/system/mkeys/ns1/sign.sh
++++ b/bin/tests/system/mkeys/ns1/sign.sh
+@@ -25,13 +25,18 @@ keyfile_to_managed_keys $keyname > managed.conf
+ cp managed.conf ../ns2/managed.conf
+ cp managed.conf ../ns5/managed.conf
+ 
+-# Configure a trusted key statement (used by delv)
++# Configure a trusted key statement (used by delv).
+ keyfile_to_trusted_keys $keyname > trusted.conf
+ 
++# Prepare an unsupported algorithm key.
++unsupportedkey=Kunknown.+255+00000
++cp unsupported.key "${unsupportedkey}.key"
++
+ #
+ #  Save keyname and keyid for managed key id test.
+ #
+ echo "$keyname" > managed.key
++echo "$zskkeyname" > zone.key
+ keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'`
+ keyid=`expr $keyid + 0`
+ echo "$keyid" > managed.key.id
+diff --git a/bin/tests/system/mkeys/ns1/unsupported.key b/bin/tests/system/mkeys/ns1/unsupported.key
+new file mode 100644
+index 0000000000..7435d03b63
+--- /dev/null
++++ b/bin/tests/system/mkeys/ns1/unsupported.key
+@@ -0,0 +1 @@
++.	IN	DNSKEY	257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB
+diff --git a/bin/tests/system/mkeys/ns6/named.args b/bin/tests/system/mkeys/ns6/named.args
+new file mode 100644
+index 0000000000..02f8f670f6
+--- /dev/null
++++ b/bin/tests/system/mkeys/ns6/named.args
+@@ -0,0 +1 @@
++-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20
+diff --git a/bin/tests/system/mkeys/ns6/named.conf.in b/bin/tests/system/mkeys/ns6/named.conf.in
+new file mode 100644
+index 0000000000..8d76f7f2e7
+--- /dev/null
++++ b/bin/tests/system/mkeys/ns6/named.conf.in
+@@ -0,0 +1,43 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++// NS6
++
++options {
++	query-source address 10.53.0.6;
++	notify-source 10.53.0.6;
++	transfer-source 10.53.0.6;
++	port @PORT@;
++	pid-file "named.pid";
++	listen-on { 10.53.0.6; };
++	listen-on-v6 { none; };
++	recursion yes;
++	notify no;
++	dnssec-enable yes;
++	dnssec-validation yes;
++	trust-anchor-telemetry no;
++};
++
++key rndc_key {
++	secret "1234abcd8765";
++	algorithm hmac-sha256;
++};
++
++controls {
++	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++zone "." {
++	type hint;
++	file "../../common/root.hint";
++};
++
++include "managed.conf";
+diff --git a/bin/tests/system/mkeys/ns6/setup.sh b/bin/tests/system/mkeys/ns6/setup.sh
+new file mode 100644
+index 0000000000..5ba1647da5
+--- /dev/null
++++ b/bin/tests/system/mkeys/ns6/setup.sh
+@@ -0,0 +1,30 @@
++#!/bin/sh -e
++#
++# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++#
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, You can obtain one at http://mozilla.org/MPL/2.0/.
++#
++# See the COPYRIGHT file distributed with this work for additional
++# information regarding copyright ownership.
++
++SYSTEMTESTTOP=../..
++. $SYSTEMTESTTOP/conf.sh
++
++zone=.
++zonefile=root.db
++
++# an RSA key
++rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.`
++
++# a key with unsupported algorithm
++unsupportedkey=Kunknown.+255+00000
++cp unsupported-managed.key "${unsupportedkey}.key"
++
++# root key
++rootkey=`cat ../ns1/managed.key`
++cp "../ns1/${rootkey}.key" .
++
++# Configure the resolving server with a managed trusted key.
++keyfile_to_managed_keys $unsupportedkey $rsakey $rootkey > managed.conf
+diff --git a/bin/tests/system/mkeys/ns6/unsupported-managed.key b/bin/tests/system/mkeys/ns6/unsupported-managed.key
+new file mode 100644
+index 0000000000..be872a00f0
+--- /dev/null
++++ b/bin/tests/system/mkeys/ns6/unsupported-managed.key
+@@ -0,0 +1 @@
++unsupported.	IN	DNSKEY	257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6
+diff --git a/bin/tests/system/mkeys/ns7/named.conf.in b/bin/tests/system/mkeys/ns7/named.conf.in
+new file mode 100644
+index 0000000000..a9aba00733
+--- /dev/null
++++ b/bin/tests/system/mkeys/ns7/named.conf.in
+@@ -0,0 +1,50 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++// NS7
++
++options {
++	query-source address 10.53.0.7;
++	notify-source 10.53.0.7;
++	transfer-source 10.53.0.7;
++	port @PORT@;
++	pid-file "named.pid";
++	listen-on { 10.53.0.7; };
++	listen-on-v6 { none; };
++	recursion yes;
++	notify no;
++	dnssec-enable yes;
++	dnssec-validation auto;
++	bindkeys-file "managed.conf";
++};
++
++key rndc_key {
++	secret "1234abcd8765";
++	algorithm hmac-sha256;
++};
++
++controls {
++	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++view view1 {
++	zone "." {
++		type hint;
++		file "../../common/root.hint";
++	};
++};
++
++view view2 {
++	zone "." {
++		type hint;
++		file "../../common/root.hint";
++	};
++};
+diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh
+index bd3169f9b6..100a86959b 100644
+--- a/bin/tests/system/mkeys/setup.sh
++++ b/bin/tests/system/mkeys/setup.sh
+@@ -25,3 +25,4 @@ copy_setports ns5/named.conf.in ns5/named.conf
+ cp ns5/named1.args ns5/named.args
+ 
+ ( cd ns1 && $SHELL sign.sh )
++( cd ns6 && $SHELL setup.sh )
+diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
+index f65f49e98d..b8410902d7 100644
+--- a/bin/tests/system/mkeys/tests.sh
++++ b/bin/tests/system/mkeys/tests.sh
+@@ -701,6 +701,8 @@ rm -f ns1/root.db.signed.jnl
+ nextpart ns5/named.run > /dev/null
+ mkeys_reconfig_on 1
+ wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run
++#mkeys_secroots_on 5
++#grep '; managed' ns5/named.secroots > /dev/null || ret=1
+ # ns1 should not longer REFUSE queries from ns5, so managed keys should be
+ # correctly refreshed and resolving should succeed
+ $DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
+@@ -710,5 +712,58 @@ grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
++ret=0
++$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6
++rm -f ns6/managed-keys.bind*
++nextpart ns6/named.run > /dev/null
++$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
++# log when an unsupported algorithm is encountered during startup
++wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=`expr $status + $ret`
++
++n=`expr $n + 1`
++echo_i "skipping unsupported algorithm in managed-keys ($n)"
++ret=0
++mkeys_status_on 6 > rndc.out.$n 2>&1
++# there should still be only two keys listed (for . and rsasha256.)
++count=`grep -c "keyid: " rndc.out.$n`
++[ "$count" -eq 2 ] || ret=1
++# two lines indicating trust status
++count=`grep -c "trust" rndc.out.$n`
++[ "$count" -eq 2 ] || ret=1
++
++n=`expr $n + 1`
++echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)"
++ret=0
++cp ns1/root.db ns1/root.db.orig
++ksk=`cat ns1/managed.key`
++zsk=`cat ns1/zone.key`
++cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db
++grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1
++$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1
++grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1
++cp ns1/root.db.orig ns1/root.db
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=`expr $status + $ret`
++
++n=`expr $n + 1`
++echo_i "skipping unsupported algorithm in rollover ($n)"
++ret=0
++mkeys_reload_on 1
++mkeys_refresh_on 6
++mkeys_status_on 6 > rndc.out.$n 2>&1
++# there should still be only two keys listed (for . and rsasha256.)
++count=`grep -c "keyid: " rndc.out.$n`
++[ "$count" -eq 2 ] || ret=1
++# two lines indicating trust status
++count=`grep -c "trust" rndc.out.$n`
++[ "$count" -eq 2 ] || ret=1
++# log when an unsupported algorithm is encountered during rollover
++wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=`expr $status + $ret`
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
+index e8c1a3c287..91f4a6e300 100644
+--- a/lib/dns/include/dst/dst.h
++++ b/lib/dns/include/dst/dst.h
+@@ -67,8 +67,7 @@ typedef struct dst_context 	dst_context_t;
+ #define DST_ALG_HMACSHA512	165	/* XXXMPA */
+ #define DST_ALG_INDIRECT	252
+ #define DST_ALG_PRIVATE		254
+-#define DST_ALG_EXPAND		255
+-#define DST_MAX_ALGS		255
++#define DST_MAX_ALGS		256
+ 
+ /*% A buffer of this size is large enough to hold any key */
+ #define DST_KEY_MAXSIZE		1280
+diff --git a/lib/dns/zone.c b/lib/dns/zone.c
+index 055b2417eb..96c98d585c 100644
+--- a/lib/dns/zone.c
++++ b/lib/dns/zone.c
+@@ -3903,9 +3903,10 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
+ 			     dns_rdatatype_dnskey, dnskey, &buffer);
+ 
+ 	result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
+-	if (result == ISC_R_SUCCESS)
++	if (result == ISC_R_SUCCESS) {
+ 		*tag = dst_key_id(dstkey);
+-	dst_key_free(&dstkey);
++		dst_key_free(&dstkey);
++	}
+ 
+ 	return (result);
+ }
+@@ -9364,6 +9365,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
+ 
+ 		dns_keydata_todnskey(&keydata, &dnskey, NULL);
+ 		result = compute_tag(keyname, &dnskey, mctx, &keytag);
++		if (result != ISC_R_SUCCESS) {
++			/*
++			 * Skip if we cannot compute the key tag.
++			 * This may happen if the algorithm is unsupported
++			 */
++			dns_zone_log(zone, ISC_LOG_ERROR,
++				"Cannot compute tag for key in zone %s: %s "
++				"(skipping)",
++				namebuf, dns_result_totext(result));
++			continue;
++		}
+ 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ 
+ 		/*
+@@ -9475,6 +9487,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
+ 			continue;
+ 
+ 		result = compute_tag(keyname, &dnskey, mctx, &keytag);
++		if (result != ISC_R_SUCCESS) {
++			/*
++			 * Skip if we cannot compute the key tag.
++			 * This may happen if the algorithm is unsupported
++			 */
++			dns_zone_log(zone, ISC_LOG_ERROR,
++				"Cannot compute tag for key in zone %s: %s "
++				"(skipping)",
++				namebuf, dns_result_totext(result));
++			continue;
++		}
+ 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ 
+ 		revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE);
+-- 
+2.20.1
+
diff --git a/SOURCES/bind-9.11-CVE-2019-6465.patch b/SOURCES/bind-9.11-CVE-2019-6465.patch
new file mode 100644
index 0000000..0657aa3
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2019-6465.patch
@@ -0,0 +1,100 @@
+From 3824a600a51188c713e900115d6af129b54706df Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 6 Feb 2019 11:35:21 -0800
+Subject: [PATCH] denied axfr requests were not effective for writable DLZ
+ zones
+
+(cherry picked from commit d9077cd0038e59726e1956de18b4b7872038a283)
+(cherry picked from commit 34348d9ee4db15307c6c42db294419b4df569f76)
+---
+ bin/named/xfrout.c                    |  8 ++++----
+ bin/tests/system/dlzexternal/driver.c | 18 +++++++++++++++---
+ bin/tests/system/dlzexternal/tests.sh | 16 ++++++++++++----
+ 3 files changed, 31 insertions(+), 11 deletions(-)
+
+diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
+index c531e0acef..f6e57d889e 100644
+--- a/bin/named/xfrout.c
++++ b/bin/named/xfrout.c
+@@ -803,12 +803,12 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
+ 	result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
+ 			     &zone);
+ 
+-	if (result != ISC_R_SUCCESS) {
++	if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
+ 		/*
+-		 * Normal zone table does not have a match.
+-		 * Try the DLZ database
++		 * The normal zone table does not have a match, or this is
++		 * marked in the zone table as a DLZ zone. Check the DLZ
++		 * databases for a match.
+ 		 */
+-		// Temporary: only searching the first DLZ database
+ 		if (! ISC_LIST_EMPTY(client->view->dlz_searched)) {
+ 			result = dns_dlzallowzonexfr(client->view,
+ 						     question_name,
+diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c
+index 37a62622da..dfa7847984 100644
+--- a/bin/tests/system/dlzexternal/driver.c
++++ b/bin/tests/system/dlzexternal/driver.c
+@@ -542,10 +542,22 @@ dlz_lookup(const char *zone, const char *name, void *dbdata,
+  */
+ isc_result_t
+ dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
+-	UNUSED(client);
++	isc_result_t result;
++
++	result = dlz_findzonedb(dbdata, name, NULL, NULL);
++	if (result != ISC_R_SUCCESS) {
++		return (result);
++	}
+ 
+-	/* Just say yes for all our zones */
+-	return (dlz_findzonedb(dbdata, name, NULL, NULL));
++	/*
++	 * Exception for 10.53.0.5 so we can test that allow-transfer
++	 * is effective.
++	 */
++	if (strcmp(client, "10.53.0.5") == 0) {
++		return (ISC_R_NOPERM);
++	}
++
++	return (ISC_R_SUCCESS);
+ }
+ 
+ /*
+diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh
+index 87dd13b10e..1754aaa57c 100644
+--- a/bin/tests/system/dlzexternal/tests.sh
++++ b/bin/tests/system/dlzexternal/tests.sh
+@@ -108,15 +108,23 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
+ status=`expr $status + $ret`
+ 
+ newtest "testing AXFR from DLZ drivers"
+-$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.ns1.test$n
+-lines=`cat dig.out.ns1.test$n | wc -l`
++$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n
++lines=`cat dig.out.example.ns1.test$n | wc -l`
+ [ ${lines:-0} -eq 4 ] || ret=1
+-$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.ns1.test$n
+-lines=`cat dig.out.ns1.test$n | wc -l`
++$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
++lines=`cat dig.out.alternate.ns1.test$n | wc -l`
+ [ ${lines:-0} -eq 5 ] || ret=1
+ [ "$ret" -eq 0 ] || echo_i "failed"
+ status=`expr $status + $ret`
+ 
++newtest "testing AXFR denied from DLZ drivers"
++$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n
++grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1
++$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
++grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
++[ "$ret" -eq 0 ] || echo_i "failed"
++status=`expr $status + $ret`
++
+ newtest "testing unsearched/unregistered DLZ zone is not found"
+ $DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
+ grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
+-- 
+2.20.1
+
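Review bot: In dlz_allowzonexfr() in driver.c the `client` argument was previously marked UNUSED and is now passed straight to strcmp(), so if the driver entry point can ever be invoked with a NULL client string this dereferences it. A guard such as `if (client != NULL && strcmp(client, "10.53.0.5") == 0)` keeps the test driver safe without changing the intended behaviour; whether NULL is possible depends on the caller, which is outside this patch. The ns_xfr_start() change itself looks right: the short-circuit means dns_zone_gettype() is presumably only evaluated after dns_zt_find() succeeded, and the new tests use `-b 10.53.0.5` to exercise the deny path.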
diff --git a/SOURCES/bind-9.11-rh1732883.patch b/SOURCES/bind-9.11-rh1732883.patch
new file mode 100644
index 0000000..5afea78
--- /dev/null
+++ b/SOURCES/bind-9.11-rh1732883.patch
@@ -0,0 +1,181 @@
+diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
+index 246aefb..0007543 100644
+--- a/lib/isc/include/isc/result.h
++++ b/lib/isc/include/isc/result.h
+@@ -83,9 +83,9 @@
+ #define ISC_R_UNSET			61	/*%< unset */
+ #define ISC_R_MULTIPLE			62	/*%< multiple */
+ #define ISC_R_WOULDBLOCK		63	/*%< would block */
+-
++#define ISC_R_TIMESHIFTED               64      /*%< system time changed */
+ /*% Not a result code: the number of results. */
+-#define ISC_R_NRESULTS 			64
++#define ISC_R_NRESULTS 			66
+ 
+ ISC_LANG_BEGINDECLS
+ 
+diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
+index 332dc0c..f81967d 100644
+--- a/lib/isc/include/isc/util.h
++++ b/lib/isc/include/isc/util.h
+@@ -233,6 +233,10 @@
+  * Time
+  */
+ #define TIME_NOW(tp) 	RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
++#ifdef CLOCK_BOOTTIME
++#define TIME_MONOTONIC(tp) 	RUNTIME_CHECK(isc_time_boottime((tp)) == ISC_R_SUCCESS)
++#endif
++
+ 
+ /*%
+  * Misc
+diff --git a/lib/isc/result.c b/lib/isc/result.c
+index a707c32..6776fc6 100644
+--- a/lib/isc/result.c
++++ b/lib/isc/result.c
+@@ -99,6 +99,7 @@ static const char *description[ISC_R_NRESULTS] = {
+ 	"unset",				/*%< 61 */
+ 	"multiple",				/*%< 62 */
+ 	"would block",				/*%< 63 */
++        "time changed",                         /*%< 64 */
+ };
+ 
+ static const char *identifier[ISC_R_NRESULTS] = {
+@@ -166,6 +167,7 @@ static const char *identifier[ISC_R_NRESULTS] = {
+ 	"ISC_R_UNSET",
+ 	"ISC_R_MULTIPLE",
+ 	"ISC_R_WOULDBLOCK",
++        "ISC_R_TIMESHIFTED",
+ };
+ 
+ #define ISC_RESULT_RESULTSET			2
+diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
+index bace2bd..e9814d2 100644
+--- a/lib/isc/unix/app.c
++++ b/lib/isc/unix/app.c
+@@ -441,15 +441,51 @@ isc__app_ctxonrun(isc_appctx_t *ctx0, isc_mem_t *mctx, isc_task_t *task,
+ static isc_result_t
+ evloop(isc__appctx_t *ctx) {
+ 	isc_result_t result;
++        isc_time_t now;
++#ifdef CLOCK_BOOTTIME
++        isc_time_t monotonic;
++        isc_uint64_t diff  = 0;
++#else
++        isc_time_t prev;
++        TIME_NOW(&prev);
++#endif
++
++
++
+ 
+ 	while (!ctx->want_shutdown) {
+ 		int n;
+-		isc_time_t when, now;
++		isc_time_t when;
++                
+ 		struct timeval tv, *tvp;
+ 		isc_socketwait_t *swait;
+ 		isc_boolean_t readytasks;
+ 		isc_boolean_t call_timer_dispatch = ISC_FALSE;
+ 
++                isc_uint64_t us; 
++
++#ifdef CLOCK_BOOTTIME
++                // TBD macros for following three lines
++                TIME_NOW(&now);
++                TIME_MONOTONIC(&monotonic);
++                // INSIST(now.seconds > monotonic.seconds) 
++                us = isc_time_microdiff (&now, &monotonic);
++                if (us < diff){ 
++                  us = diff - us;
++                  if (us > 1000000){ // ignoring shifts less than one second
++                    return ISC_R_TIMESHIFTED;
++                  };
++                  diff = isc_time_microdiff (&now, &monotonic);
++                } else {
++                  diff = isc_time_microdiff (&now, &monotonic);
++                  // not implemented
++                }
++#else
++                TIME_NOW(&now);
++                if (isc_time_compare (&now, &prev) < 0)
++                  return ISC_R_TIMESHIFTED;
++                TIME_NOW(&prev);
++#endif                
+ 		/*
+ 		 * Check the reload (or suspend) case first for exiting the
+ 		 * loop as fast as possible in case:
+@@ -474,9 +510,10 @@ evloop(isc__appctx_t *ctx) {
+ 			if (result != ISC_R_SUCCESS)
+ 				tvp = NULL;
+ 			else {
+-				isc_uint64_t us;
++
+ 
+ 				TIME_NOW(&now);
++
+ 				us = isc_time_microdiff(&when, &now);
+ 				if (us == 0)
+ 					call_timer_dispatch = ISC_TRUE;
+diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
+index 75e24b9..de8b399 100644
+--- a/lib/isc/unix/include/isc/time.h
++++ b/lib/isc/unix/include/isc/time.h
+@@ -129,6 +129,26 @@ isc_time_isepoch(const isc_time_t *t);
+  *\li	't' is a valid pointer.
+  */
+ 
++#ifdef CLOCK_BOOTTIME
++isc_result_t
++isc_time_boottime(isc_time_t *t);
++/*%<
++ * Set 't' to monotonic time from previous boot
++ * it's not affected by system time change. It also
++ * includes the time system was suspended
++ *
++ * Requires:
++ *\li	't' is a valid pointer.
++ *
++ * Returns:
++ *
++ *\li	Success
++ *\li	Unexpected error
++ *		Getting the time from the system failed.
++ */
++#endif /* CLOCK_BOOTTIME */
++ 
++
+ isc_result_t
+ isc_time_now(isc_time_t *t);
+ /*%<
+diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
+index 2210240..d7613b8 100644
+--- a/lib/isc/unix/time.c
++++ b/lib/isc/unix/time.c
+@@ -496,3 +496,25 @@ isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) {
+ 			 t->nanoseconds / NS_PER_MS);
+ 	}
+ }
++
++
++#ifdef CLOCK_BOOTTIME
++isc_result_t
++isc_time_boottime(isc_time_t *t) {
++  struct timespec ts;
++  
++  char strbuf[ISC_STRERRORSIZE];
++
++  if (clock_gettime (CLOCK_BOOTTIME, &ts) != 0){
++    isc__strerror(errno, strbuf, sizeof(strbuf));
++    UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
++    return (ISC_R_UNEXPECTED);    
++  }
++
++  t->seconds = ts.tv_sec;
++  t->nanoseconds = ts.tv_nsec;
++
++  return (ISC_R_SUCCESS);
++  
++};
++#endif
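Review bot: ISC_R_NRESULTS is bumped to 66 in result.h, but the highest code added is ISC_R_TIMESHIFTED (64), so the count should be 65; with 66 the description[] and identifier[] tables in result.c end with an uninitialised NULL slot, and a lookup of code 65 would return NULL instead of being rejected as out of range. The one-line fix is `#define ISC_R_NRESULTS 65`. In evloop() the CLOCK_BOOTTIME branch only reports a backward wall-clock jump (`us < diff`) and silently re-baselines on forward jumps (the `// not implemented` comment), and the `#else` fallback compares successive TIME_NOW() values so it also misses forward jumps; that limitation should be stated in a comment above the check rather than left as TBD. isc_time_boottime() in time.c ends with `};`, a stray empty declaration after the function body, and uses two-space indentation where the surrounding file uses tabs. TIME_MONOTONIC in util.h is only defined when CLOCK_BOOTTIME is already visible, so every user must include <time.h> first; a comment on the `#ifdef` would save the next reader from a confusing undefined-macro error.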
diff --git a/SOURCES/bind-9.11-rh1743572-2.patch b/SOURCES/bind-9.11-rh1743572-2.patch
new file mode 100644
index 0000000..a46c8ec
--- /dev/null
+++ b/SOURCES/bind-9.11-rh1743572-2.patch
@@ -0,0 +1,29 @@
+From 908b71224037745db3d1420a37e99ee9cbb3b3b3 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 12 Dec 2019 16:05:25 +0100
+Subject: [PATCH] Terminate query if both setup_lookup and next_origin failed
+
+That happens in case searched name plus search domain is too long and no
+shorted origin would follow.
+---
+ bin/dig/dighost.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index 6302a98..ed9625e 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -2053,6 +2053,10 @@ start_lookup(void) {
+ 			do_lookup(current_lookup);
+ 		else if (next_origin(current_lookup))
+ 			check_next_lookup(current_lookup);
++		else {
++			cancel_lookup(current_lookup);
++			check_next_lookup(current_lookup);
++		}
+ 	} else {
+ 		check_if_done();
+ 	}
+-- 
+2.21.0
+
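Review bot: The new else branch in start_lookup() drops the lookup without any diagnostic, so a user whose name plus search domain exceeds the maximum length gets no output explaining why; the enclosing function and the if that opens this chain start outside the hunk. A comment on the branch would at least record the intent from the commit message, e.g. `/* setup_lookup() failed (name + search domain too long) and no shorter origin remains: drop this lookup and move on. */`. Stylistically the chain now mixes an unbraced if/else-if with a braced else; bracing all three arms would be consistent.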
diff --git a/SOURCES/bind-9.11-rh1743572.patch b/SOURCES/bind-9.11-rh1743572.patch
new file mode 100644
index 0000000..23690e4
--- /dev/null
+++ b/SOURCES/bind-9.11-rh1743572.patch
@@ -0,0 +1,76 @@
+From ba56e64560c5907e99186116623f2899b8520b68 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 2 Oct 2019 14:00:13 +0200
+Subject: [PATCH] Revert "3640.   [bug]           ndots was not being checked
+ when searching.  Only"
+
+This reverts commit 8afea636ab0c07399aa3e2410b2cfbd41099df98.
+
+Revert is only partial. Absolute names does not search. Name with dots
+tries first absolute, then relative with search appended.
+---
+ bin/dig/dighost.c        | 8 +++-----
+ bin/dig/nslookup.c       | 3 ++-
+ bin/dig/nslookup.docbook | 2 +-
+ 3 files changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index d46379ddc2..30b19b3121 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -2273,14 +2273,12 @@ next_origin(dig_lookup_t *oldlookup) {
+ 		return (ISC_FALSE);
+ 
+ 	/*
+-	 * Check for a absolute name or ndots being met.
++	 * Check for a absolute name.
+ 	 */
+ 	name = dns_fixedname_initname(&fixed);
+ 	result = dns_name_fromstring2(name, oldlookup->textname, NULL,
+ 				      0, NULL);
+-	if (result == ISC_R_SUCCESS &&
+-	    (dns_name_isabsolute(name) ||
+-	     (int)dns_name_countlabels(name) > ndots))
++	if (result == ISC_R_SUCCESS && dns_name_isabsolute(name))
+ 		return (ISC_FALSE);
+ 
+ 	if (oldlookup->origin == NULL && !oldlookup->need_search)
+@@ -4215,7 +4213,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
+ 	} else if (l->sendcookie && msg->opt != NULL)
+ 		process_opt(l, msg);
+ 	if (!l->doing_xfr || l->xfr_q == query) {
+-		if (msg->rcode == dns_rcode_nxdomain &&
++		if (msg->rcode != dns_rcode_noerror &&
+ 		    (l->origin != NULL || l->need_search)) {
+ 			if (!next_origin(query->lookup) || showsearch) {
+ 				dighost_printmessage(query, msg, ISC_TRUE);
+diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
+index 89a615bf1c..5c8aa51a48 100644
+--- a/bin/dig/nslookup.c
++++ b/bin/dig/nslookup.c
+@@ -472,7 +472,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
+ 		dns_name_format(query->lookup->name,
+ 				nametext, sizeof(nametext));
+ 		printf("** server can't find %s: %s\n",
+-		       nametext, rcode_totext(msg->rcode));
++		       (msg->rcode != dns_rcode_nxdomain) ? nametext :
++		       query->lookup->textname, rcode_totext(msg->rcode));
+ 		debug("returning with rcode == 0");
+ 
+ 		/* the lookup failed */
+diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
+index 86a09c658e..e3e8869e33 100644
+--- a/bin/dig/nslookup.docbook
++++ b/bin/dig/nslookup.docbook
+@@ -412,7 +412,7 @@ nslookup -query=hinfo  -timeout=10
+                 <listitem>
+                   <para>
+ 		    Set the number of dots (label separators) in a domain
+-		    that will disable searching.  Absolute names always
++		    that will reverse order of searching.  Absolute names always
+ 		    stop searching.
+                   </para>
+                 </listitem>
+-- 
+2.20.1
+
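Review bot: The recv_done() change replaces `msg->rcode == dns_rcode_nxdomain` with `msg->rcode != dns_rcode_noerror`, so SERVFAIL, REFUSED and other failures from the first query now also trigger appending the next search origin, and the failure that actually occurred is only shown when showsearch is set; the commit message describes only the ndots revert and does not mention this widening. If searching on every error is intended, that deserves a sentence in the commit text and a comment on the condition; if not, `msg->rcode == dns_rcode_nxdomain` should be kept. The nslookup.docbook wording `that will reverse order of searching` is also unclear; `that reverses the order of searching` reads better.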
diff --git a/SOURCES/bind-9.11-rh1753259.patch b/SOURCES/bind-9.11-rh1753259.patch
new file mode 100644
index 0000000..8bf9f47
--- /dev/null
+++ b/SOURCES/bind-9.11-rh1753259.patch
@@ -0,0 +1,34 @@
+From f968f649e7e57eb097fb766be805a2d976d2dcc6 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 27 Nov 2019 16:06:12 +0100
+Subject: [PATCH] Disable listening on IPV6 by default
+
+If configuration file does not mention listen-on-v6, for backward
+compatibility assume none; Upstream changed default value to any; but
+previous RHEL7 version did not have it.
+---
+ bin/named/server.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 93f9417..eac467f 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -7781,11 +7781,13 @@ load_configuration(const char *filename, ns_server_t *server,
+ 						       ns_g_mctx, AF_INET6,
+ 						       &listenon);
+ 		} else if (!ns_g_lwresdonly) {
++			isc_boolean_t enable;
+ 			/*
+ 			 * Not specified, use default.
+ 			 */
++			enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS);
+ 			CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
+-						    -1, ISC_TRUE, &listenon));
++						    -1, enable, &listenon));
+ 		}
+ 		if (listenon != NULL) {
+ 			ns_interfacemgr_setlistenon6(server->interfacemgr,
+-- 
+2.20.1
+
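Review bot: The existing `Not specified, use default.` comment in load_configuration() no longer describes what happens: `enable` is now true only when isc_net_probeipv4() fails, i.e. named listens on IPv6 by default only on IPv4-less hosts, which is narrower than the commit text's "assume none". Replace the comment with something like `/* Not specified: keep the old RHEL default of not listening on IPv6, unless IPv4 is unavailable. */`. Moving `isc_boolean_t enable;` below the comment, or merging declaration and initialisation, would also read better.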
diff --git a/SOURCES/bind-9.11.4-CVE-2019-6477.patch b/SOURCES/bind-9.11.4-CVE-2019-6477.patch
new file mode 100644
index 0000000..0a7e554
--- /dev/null
+++ b/SOURCES/bind-9.11.4-CVE-2019-6477.patch
@@ -0,0 +1,157 @@
+From c3314d0fa0756d39cab1e9d9e3cf2e36dd6273da Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 18 Nov 2019 16:44:58 +0100
+Subject: [PATCH] Limit number of queries per TCP connection
+
+5306.	[security]	Set a limit on the number of concurrently served
+			pipelined TCP queries. (CVE-2019-6477) [GL #1264]
+---
+ bin/named/client.c               | 73 ++++++++++++++++++++------------
+ bin/named/include/named/client.h |  5 ++-
+ 2 files changed, 50 insertions(+), 28 deletions(-)
+
+diff --git a/bin/named/client.c b/bin/named/client.c
+index f21a77ba52..23f70edaff 100644
+--- a/bin/named/client.c
++++ b/bin/named/client.c
+@@ -98,7 +98,15 @@
+ #define SEND_BUFFER_SIZE		4096
+ #define RECV_BUFFER_SIZE		4096
+ 
++#define TCP_CLIENTS_PER_CONN		23
++/*%<
++ * Number of simultaneous ns_clients_t (queries in flight) for one
++ * TCP connection.  The number was arbitrarily picked and might be
++ * changed in the future.
++ */
++
+ #ifdef ISC_PLATFORM_USETHREADS
++
+ #define NMCTXS				100
+ /*%<
+  * Number of 'mctx pools' for clients. (Should this be configurable?)
+@@ -333,7 +341,7 @@ tcpconn_init(ns_client_t *client, isc_boolean_t force) {
+ 	 */
+ 	tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn));
+ 
+-	isc_refcount_init(&tconn->refs, 1);
++	isc_refcount_init(&tconn->clients, 1);	/* Current client */
+ 	tconn->tcpquota = quota;
+ 	quota = NULL;
+ 	tconn->pipelined = ISC_FALSE;
+@@ -350,14 +358,14 @@ tcpconn_init(ns_client_t *client, isc_boolean_t force) {
+  */
+ static void
+ tcpconn_attach(ns_client_t *source, ns_client_t *target) {
+-	int refs;
++	int old_clients;
+ 
+ 	REQUIRE(source->tcpconn != NULL);
+ 	REQUIRE(target->tcpconn == NULL);
+ 	REQUIRE(source->tcpconn->pipelined);
+ 
+-	isc_refcount_increment(&source->tcpconn->refs, &refs);
+-	INSIST(refs > 1);
++	isc_refcount_increment(&source->tcpconn->clients, &old_clients);
++	INSIST(old_clients > 1);
+ 	target->tcpconn = source->tcpconn;
+ }
+ 
+@@ -370,15 +378,15 @@ tcpconn_attach(ns_client_t *source, ns_client_t *target) {
+ static void
+ tcpconn_detach(ns_client_t *client) {
+ 	ns_tcpconn_t *tconn = NULL;
+-	int refs;
++	int old_clients;
+ 
+ 	REQUIRE(client->tcpconn != NULL);
+ 
+ 	tconn = client->tcpconn;
+ 	client->tcpconn = NULL;
+ 
+-	isc_refcount_decrement(&tconn->refs, &refs);
+-	if (refs == 0) {
++	isc_refcount_decrement(&tconn->clients, &old_clients);
++	if (old_clients == 0) {
+ 		isc_quota_detach(&tconn->tcpquota);
+ 		isc_mem_free(ns_g_mctx, tconn);
+ 	}
+@@ -2629,28 +2637,39 @@ client_request(isc_task_t *task, isc_event_t *event) {
+ 	/*
+ 	 * Pipeline TCP query processing.
+ 	 */
+-	if (TCP_CLIENT(client) &&
+-	    client->message->opcode != dns_opcode_query)
+-	{
+-		client->tcpconn->pipelined = ISC_FALSE;
+-	}
+-	if (TCP_CLIENT(client) && client->tcpconn->pipelined) {
+-		/*
+-		 * We're pipelining. Replace the client; the
+-		 * replacement can read the TCP socket looking
+-		 * for new messages and this one can process the
+-		 * current message asynchronously.
+-		 *
+-		 * There will now be at least three clients using this
+-		 * TCP socket - one accepting new connections,
+-		 * one reading an existing connection to get new
+-		 * messages, and one answering the message already
+-		 * received.
+-		 */
+-		result = ns_client_replace(client);
+-		if (result != ISC_R_SUCCESS) {
++	if (TCP_CLIENT(client)) {
++		if (client->message->opcode != dns_opcode_query) {
+ 			client->tcpconn->pipelined = ISC_FALSE;
+ 		}
++
++ 		/*
++		 * Limit the maximum number of simultaneous pipelined
++		 * queries on TCP connection to TCP_CLIENTS_PER_CONN.
++ 		 */
++		if ((isc_refcount_current(&client->tcpconn->clients)
++			    > TCP_CLIENTS_PER_CONN))
++		{
++ 			client->tcpconn->pipelined = ISC_FALSE;
++ 		}
++
++		if (client->tcpconn->pipelined) {
++			/*
++			 * We're pipelining. Replace the client; the
++			 * replacement can read the TCP socket looking
++			 * for new messages and this one can process the
++			 * current message asynchronously.
++			 *
++			 * There will now be at least three clients using this
++			 * TCP socket - one accepting new connections,
++			 * one reading an existing connection to get new
++			 * messages, and one answering the message already
++			 * received.
++			 */
++			result = ns_client_replace(client);
++			if (result != ISC_R_SUCCESS) {
++				client->tcpconn->pipelined = ISC_FALSE;
++			}
++		}
+ 	}
+ 
+ 	dns_opcodestats_increment(ns_g_server->opcodestats,
+diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
+index 0f54d2267b..86437ade22 100644
+--- a/bin/named/include/named/client.h
++++ b/bin/named/include/named/client.h
+@@ -77,7 +77,10 @@
+ 
+ /*% reference-counted TCP connection object */
+ typedef struct ns_tcpconn {
+-	isc_refcount_t		refs;
++	isc_refcount_t		clients;	/* Number of clients using
++						 * this connection. Conn can
++						 * be freed if goes to 0
++						 */
+ 	isc_quota_t		*tcpquota;
+ 	isc_boolean_t		pipelined;
+ } ns_tcpconn_t;
+-- 
+2.20.1
+
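Review bot: The new block in client_request() has a leading space before the tab indentation on four lines (the `/*` and `*/` of the limit comment, the `client->tcpconn->pipelined = ISC_FALSE;` line and its closing brace), which stands out against the surrounding tab-only indentation and will trip whitespace checks; the doubled parentheses around the isc_refcount_current() comparison can also be dropped. The struct comment in client.h reads `Conn can be freed if goes to 0`; `Conn can be freed when it goes to 0` is clearer. TCP_CLIENTS_PER_CONN is documented as arbitrary; if the count includes the client currently reading the socket, saying so next to the macro would help anyone tuning it later.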
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 62616c6..b684a5e 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -64,7 +64,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.4
-Release:  9%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release:  16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 #
@@ -153,6 +153,14 @@ Patch166:bind-9.11-rh1685940.patch
 Patch167:bind-9.11-CVE-2018-5743.patch
 Patch168:bind-9.11-CVE-2018-5743-atomic.patch
 Patch169:bind-9.11-CVE-2019-6471.patch
+Patch170:bind-9.11-CVE-2018-5745.patch
+Patch171:bind-9.11-CVE-2019-6465.patch
+Patch172:bind-9.11-rh1732883.patch
+Patch173: bind-9.11-CVE-2018-5745-testfix.patch
+Patch174: bind-9.11-rh1743572.patch
+Patch175: bind-9.11.4-CVE-2019-6477.patch
+Patch176: bind-9.11-rh1753259.patch
+Patch177: bind-9.11-rh1743572-2.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -500,6 +508,14 @@ are used for building ISC DHCP.
 %patch167 -p1 -b .CVE-2018-5743
 %patch168 -p1 -b .CVE-2018-5743-atomic
 %patch169 -p1 -b .CVE-2019-6471
+%patch170 -p1 -b .CVE-2018-5745
+%patch171 -p1 -b .CVE-2019-6465
+%patch172 -p1 -b .rh1732883
+%patch173 -p1 -b .CVE-2018-5745-testfix
+%patch174 -p1 -b .rh1743572
+%patch175 -p1 -b .CVE-2019-6477
+%patch176 -p1 -b .rh1753259
+%patch177 -p1 -b .rh1743572
 
 # Override upstream builtin keys
 cp -fp %{SOURCE29} bind.keys
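Review bot: `%patch177 -p1 -b .rh1743572` reuses the backup suffix already used by `%patch174 -p1 -b .rh1743572`, and both patches modify bin/dig/dighost.c, so the second application overwrites dighost.c.rh1743572 and the backup no longer reflects the pre-patch174 state. Use a distinct suffix matching the file name, `%patch177 -p1 -b .rh1743572-2`.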
@@ -1474,6 +1490,28 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
+* Thu Dec 12 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-16.P2
+- Finish dig query when name is too long (#1743572)
+
+* Wed Nov 27 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-15.P2
+- Stop listening on IPv6 by default (#1753259)
+
+* Tue Nov 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-14.P2
+- Limit number of queries per TCP connection (CVE-2019-6477)
+
+* Wed Oct 02 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-13.P2
+- Revert not searching names with dot (#1743572)
+
+* Thu Sep 05 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-12.P2
+- Fix mkeys test validating CVE-2018-5745 fix
+
+* Tue Aug  6 2019 Pavel Zhukov <pzhukov@redhat.com> - 32:9.11.4-11.P2
+- Use monotonic time in export library (#1093803)
+
+* Wed Jul 17 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-10.P2
+- Fix CVE-2018-5745
+- Fix CVE-2019-6465
+
 * Wed Jun 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-9.P2
 - Fix CVE-2019-6471