diff --git a/SOURCES/bind-9.11-CVE-2021-25220-test.patch b/SOURCES/bind-9.11-CVE-2021-25220-test.patch
deleted file mode 100644
index a13f81a..0000000
--- a/SOURCES/bind-9.11-CVE-2021-25220-test.patch
+++ /dev/null
@@ -1,1171 +0,0 @@
-From 800ef75553881527e2406f22887e976bb1ba3bfe Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Tue, 18 Jan 2022 00:19:47 +1100
-Subject: [PATCH] Add tests for forwarder cache poisoning scenarios
-
-- Check that an NS in an authority section returned from a forwarder
-  which is above the name in a configured "forward first" or "forward
-  only" zone (i.e., net/NS in a response from a forwarder configured for
-  local.net) is not cached.
-- Test that a DNAME for a parent domain will not be cached when sent
-  in a response from a forwarder configured to answer for a child.
-- Check that glue is rejected if its name falls below that of zone
-  configured locally.
-- Check that an extra out-of-bailiwick data in the answer section is
-  not cached (this was already working correctly, but was not explicitly
-  tested before).
-
-- v9_11 backport: Revert primary/secondary to master/slave,
-  backport rndc helper, backport ns8 config.
-
-(cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604)
-(cherry picked from commit 29f08170f05c2c96fb67f3b561b46aa0bae356f7)
----
- bin/tests/system/forward/ans11/ans.py         | 136 ++++++++++++++++++
- bin/tests/system/forward/clean.sh             |   2 +
- bin/tests/system/forward/ns1/diditwork.net.db |  20 +++
- bin/tests/system/forward/ns1/named.conf.in    |  20 +++
- bin/tests/system/forward/ns1/net.example.lll  |  13 ++
- bin/tests/system/forward/ns1/spoofed.net.db   |  20 +++
- bin/tests/system/forward/ns1/sub.local.net.db |  20 +++
- bin/tests/system/forward/ns10/fakenet.zone    |  15 ++
- bin/tests/system/forward/ns10/fakenet2.zone   |  13 ++
- .../system/forward/ns10/fakesublocalnet.zone  |  13 ++
- .../system/forward/ns10/fakesublocaltld.zone  |  13 ++
- bin/tests/system/forward/ns10/named.conf.in   |  51 +++++++
- bin/tests/system/forward/ns10/net.example.lll |  13 ++
- bin/tests/system/forward/ns10/spoofednet.zone |  14 ++
- bin/tests/system/forward/ns4/named.conf.in    |   5 +
- bin/tests/system/forward/ns4/sibling.tld.db   |  20 +++
- bin/tests/system/forward/ns8/named.conf.in    |  33 +++++
- bin/tests/system/forward/ns8/root.db          |  11 ++
- bin/tests/system/forward/ns8/sub.local.tld.db |  13 ++
- bin/tests/system/forward/ns9/local.net.db     |  14 ++
- bin/tests/system/forward/ns9/local.tld.db     |  13 ++
- bin/tests/system/forward/ns9/named1.conf.in   |  65 +++++++++
- bin/tests/system/forward/ns9/named2.conf.in   |  68 +++++++++
- bin/tests/system/forward/ns9/named3.conf.in   |  48 +++++++
- bin/tests/system/forward/ns9/named4.conf.in   |  45 ++++++
- bin/tests/system/forward/ns9/root.db          |  11 ++
- bin/tests/system/forward/prereq.sh            |  14 ++
- bin/tests/system/forward/setup.sh             |   3 +
- bin/tests/system/forward/tests.sh             | 126 ++++++++++++++++
- bin/tests/system/ifconfig.sh                  |   8 +-
- 30 files changed, 856 insertions(+), 4 deletions(-)
- create mode 100644 bin/tests/system/forward/ans11/ans.py
- create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db
- create mode 100644 bin/tests/system/forward/ns1/net.example.lll
- create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db
- create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db
- create mode 100644 bin/tests/system/forward/ns10/fakenet.zone
- create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone
- create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone
- create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone
- create mode 100644 bin/tests/system/forward/ns10/named.conf.in
- create mode 100644 bin/tests/system/forward/ns10/net.example.lll
- create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone
- create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db
- create mode 100644 bin/tests/system/forward/ns8/named.conf.in
- create mode 100644 bin/tests/system/forward/ns8/root.db
- create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db
- create mode 100644 bin/tests/system/forward/ns9/local.net.db
- create mode 100644 bin/tests/system/forward/ns9/local.tld.db
- create mode 100644 bin/tests/system/forward/ns9/named1.conf.in
- create mode 100644 bin/tests/system/forward/ns9/named2.conf.in
- create mode 100644 bin/tests/system/forward/ns9/named3.conf.in
- create mode 100644 bin/tests/system/forward/ns9/named4.conf.in
- create mode 100644 bin/tests/system/forward/ns9/root.db
-
-diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py
-new file mode 100644
-index 0000000000..2956cf6eff
---- /dev/null
-+++ b/bin/tests/system/forward/ans11/ans.py
-@@ -0,0 +1,136 @@
-+############################################################################
-+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+#
-+# This Source Code Form is subject to the terms of the Mozilla Public
-+# License, v. 2.0. If a copy of the MPL was not distributed with this
-+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+#
-+# See the COPYRIGHT file distributed with this work for additional
-+# information regarding copyright ownership.
-+############################################################################
-+
-+from __future__ import print_function
-+import os
-+import sys
-+import signal
-+import socket
-+import select
-+from datetime import datetime, timedelta
-+import time
-+import functools
-+
-+import dns, dns.message, dns.query, dns.flags
-+from dns.rdatatype import *
-+from dns.rdataclass import *
-+from dns.rcode import *
-+from dns.name import *
-+
-+# Log query to file
-+def logquery(type, qname):
-+    with open("qlog", "a") as f:
-+        f.write("%s %s\n", type, qname)
-+
-+############################################################################
-+# Respond to a DNS query.
-+############################################################################
-+def create_response(msg):
-+    m = dns.message.from_wire(msg)
-+    qname = m.question[0].name.to_text()
-+    rrtype = m.question[0].rdtype
-+    typename = dns.rdatatype.to_text(rrtype)
-+
-+    with open("query.log", "a") as f:
-+        f.write("%s %s\n" % (typename, qname))
-+        print("%s %s" % (typename, qname), end=" ")
-+
-+    r = dns.message.make_response(m)
-+    r.set_rcode(NOERROR)
-+    if rrtype == A:
-+        tld=qname.split('.')[-2] + '.'
-+        ns="local." + tld
-+        r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11"))
-+        r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld))
-+        r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11"))
-+    elif rrtype == NS:
-+        r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, "."))
-+    elif rrtype == SOA:
-+        r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
-+    else:
-+        r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
-+    r.flags |= dns.flags.AA
-+    return r
-+
-+def sigterm(signum, frame):
-+    print ("Shutting down now...")
-+    os.remove('ans.pid')
-+    running = False
-+    sys.exit(0)
-+
-+############################################################################
-+# Main
-+#
-+# Set up responder and control channel, open the pid file, and start
-+# the main loop, listening for queries on the query channel or commands
-+# on the control channel and acting on them.
-+############################################################################
-+ip4 = "10.53.0.11"
-+ip6 = "fd92:7065:b8e:ffff::11"
-+
-+try: port=int(os.environ['PORT'])
-+except: port=5300
-+
-+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-+query4_socket.bind((ip4, port))
-+havev6 = True
-+try:
-+    query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
-+    try:
-+        query6_socket.bind((ip6, port))
-+    except:
-+        query6_socket.close()
-+        havev6 = False
-+except:
-+    havev6 = False
-+signal.signal(signal.SIGTERM, sigterm)
-+
-+f = open('ans.pid', 'w')
-+pid = os.getpid()
-+print (pid, file=f)
-+f.close()
-+
-+running = True
-+
-+print ("Listening on %s port %d" % (ip4, port))
-+if havev6:
-+    print ("Listening on %s port %d" % (ip6, port))
-+print ("Ctrl-c to quit")
-+
-+if havev6:
-+    input = [query4_socket, query6_socket]
-+else:
-+    input = [query4_socket]
-+
-+while running:
-+    try:
-+        inputready, outputready, exceptready = select.select(input, [], [])
-+    except select.error as e:
-+        break
-+    except socket.error as e:
-+        break
-+    except KeyboardInterrupt:
-+        break
-+
-+    for s in inputready:
-+        if s == query4_socket or s == query6_socket:
-+            print ("Query received on %s" %
-+                    (ip4 if s == query4_socket else ip6), end=" ")
-+            # Handle incoming queries
-+            msg = s.recvfrom(65535)
-+            rsp = create_response(msg[0])
-+            if rsp:
-+                print(dns.rcode.to_text(rsp.rcode()))
-+                s.sendto(rsp.to_wire(), msg[1])
-+            else:
-+                print("NO RESPONSE")
-+    if not running:
-+        break
-diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh
-index 26e4e76db6..26a550db49 100644
---- a/bin/tests/system/forward/clean.sh
-+++ b/bin/tests/system/forward/clean.sh
-@@ -10,8 +10,10 @@
- #
- # Clean up after forward tests.
- #
-+rm -f ./ans11/query.log
- rm -f ./dig.out.*
- rm -f ./*/named.conf
- rm -f ./*/named.memstats
- rm -f ./*/named.run ./*/named.run.prev
-+rm -f ./*/named_dump.db
- rm -f ./ns*/named.lock
-diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db
-new file mode 100644
-index 0000000000..be9a7f72bc
---- /dev/null
-+++ b/bin/tests/system/forward/ns1/diditwork.net.db
-@@ -0,0 +1,20 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+$TTL 300	; 5 minutes
-+@			IN SOA	ns root (
-+				2000082401 ; serial
-+				1800       ; refresh (30 minutes)
-+				1800       ; retry (30 minutes)
-+				1814400    ; expire (3 weeks)
-+				3600       ; minimum (1 hour)
-+				)
-+			NS	ns
-+			TXT	"recursed"
-+ns			A	10.53.0.1
-diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in
-index 9904f37ef5..1c31d84608 100644
---- a/bin/tests/system/forward/ns1/named.conf.in
-+++ b/bin/tests/system/forward/ns1/named.conf.in
-@@ -54,3 +54,23 @@ zone "example5." {
- zone "example6" {
- 	type forward;
- };
-+
-+zone "diditwork.net" {
-+	type master;
-+	file "diditwork.net.db";
-+};
-+
-+zone "spoofed.net" {
-+	type master;
-+	file "spoofed.net.db";
-+};
-+
-+zone "sub.local.net" {
-+	type master;
-+	file "sub.local.net.db";
-+};
-+
-+zone "net.example.lll" {
-+	type master;
-+	file "net.example.lll";
-+};
-diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll
-new file mode 100644
-index 0000000000..d179853fa5
---- /dev/null
-+++ b/bin/tests/system/forward/ns1/net.example.lll
-@@ -0,0 +1,13 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+$TTL 86400
-+net.example.lll.		SOA	. . 0 0 0 0 0
-+net.example.lll.		NS	attackSecureDomain.net.
-+didItWork.net.example.lll.	TXT	"if you can see this record the attack worked"
-diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db
-new file mode 100644
-index 0000000000..d498d5fa0d
---- /dev/null
-+++ b/bin/tests/system/forward/ns1/spoofed.net.db
-@@ -0,0 +1,20 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+$TTL 300	; 5 minutes
-+@			IN SOA	ns root (
-+				2000082401 ; serial
-+				1800       ; refresh (30 minutes)
-+				1800       ; retry (30 minutes)
-+				1814400    ; expire (3 weeks)
-+				3600       ; minimum (1 hour)
-+				)
-+			NS	ns
-+ns			A	10.53.0.1
-+sub			TXT	"recursed"
-diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db
-new file mode 100644
-index 0000000000..be9a7f72bc
---- /dev/null
-+++ b/bin/tests/system/forward/ns1/sub.local.net.db
-@@ -0,0 +1,20 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+$TTL 300	; 5 minutes
-+@			IN SOA	ns root (
-+				2000082401 ; serial
-+				1800       ; refresh (30 minutes)
-+				1800       ; retry (30 minutes)
-+				1814400    ; expire (3 weeks)
-+				3600       ; minimum (1 hour)
-+				)
-+			NS	ns
-+			TXT	"recursed"
-+ns			A	10.53.0.1
-diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone
-new file mode 100644
-index 0000000000..14e5c777cb
---- /dev/null
-+++ b/bin/tests/system/forward/ns10/fakenet.zone
-@@ -0,0 +1,15 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+$TTL 86400
-+net.			SOA	. . 0 0 0 0 0
-+net.			NS	attackSecureDomain.net.
-+attackSecureDomain.net.	A	10.53.0.10
-+didItWork.net.		TXT	"if you can see this record the attack worked"
-+ns.spoofed.net.		A	10.53.0.10
-diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone
-new file mode 100644
-index 0000000000..7ca28a934e
---- /dev/null
-+++ b/bin/tests/system/forward/ns10/fakenet2.zone
-@@ -0,0 +1,13 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+$TTL 86400
-+net2.			SOA	. . 0 0 0 0 0
-+net2.			NS	attackSecureDomain.net.
-+net2.			DNAME	net.example.lll.
-diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone
-new file mode 100644
-index 0000000000..6caa071891
---- /dev/null
-+++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone
-@@ -0,0 +1,13 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+$TTL 86400
-+sub.local.net.		SOA	. . 0 0 0 0 0
-+sub.local.net.		NS	ns.spoofed.net.
-+sub.local.net.		TXT	"if you see this attacker overrode local delegation"
-diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone
-new file mode 100644
-index 0000000000..6a431de47f
---- /dev/null
-+++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone
-@@ -0,0 +1,13 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+sub.local.tld.		3600	IN	SOA	. . 0 0 0 0 0
-+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
-+sub.local.tld.		3600	IN	TXT	bad
-+ns.sub.local.tld.	3600	IN	A	10.53.0.8
-diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in
-new file mode 100644
-index 0000000000..025c108418
---- /dev/null
-+++ b/bin/tests/system/forward/ns10/named.conf.in
-@@ -0,0 +1,51 @@
-+/*
-+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+ *
-+ * This Source Code Form is subject to the terms of the Mozilla Public
-+ * License, v. 2.0. If a copy of the MPL was not distributed with this
-+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+ *
-+ * See the COPYRIGHT file distributed with this work for additional
-+ * information regarding copyright ownership.
-+ */
-+
-+options {
-+	query-source address 10.53.0.10;
-+	notify-source 10.53.0.10;
-+	transfer-source 10.53.0.10;
-+	port @PORT@;
-+	pid-file "named.pid";
-+	listen-on { 10.53.0.10; };
-+	listen-on-v6 { none; };
-+	minimal-responses no;
-+};
-+
-+zone "net." {
-+	type master;
-+	file "fakenet.zone";
-+};
-+
-+zone "spoofed.net." {
-+	type master;
-+	file "spoofednet.zone";
-+};
-+
-+zone "sub.local.net." {
-+	type master;
-+	file "fakesublocalnet.zone";
-+};
-+
-+zone "net2" {
-+	type master;
-+	file "fakenet2.zone";
-+};
-+
-+zone "net.example.lll" {
-+	type master;
-+	file "net.example.lll";
-+};
-+
-+zone "sub.local.tld." {
-+	type master;
-+	file "fakesublocaltld.zone";
-+};
-diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll
-new file mode 100644
-index 0000000000..d179853fa5
---- /dev/null
-+++ b/bin/tests/system/forward/ns10/net.example.lll
-@@ -0,0 +1,13 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+$TTL 86400
-+net.example.lll.		SOA	. . 0 0 0 0 0
-+net.example.lll.		NS	attackSecureDomain.net.
-+didItWork.net.example.lll.	TXT	"if you can see this record the attack worked"
-diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone
-new file mode 100644
-index 0000000000..13921a08cd
---- /dev/null
-+++ b/bin/tests/system/forward/ns10/spoofednet.zone
-@@ -0,0 +1,14 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+$TTL 86400
-+spoofed.net.		SOA	. . 0 0 0 0 0
-+spoofed.net.		NS	ns.spoofed.net.
-+ns.spoofed.net.		A	10.53.0.10
-+spoofed.net.		TXT	"this record is clearly spoofed"
-diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in
-index d42a9eb797..6db65e71bc 100644
---- a/bin/tests/system/forward/ns4/named.conf.in
-+++ b/bin/tests/system/forward/ns4/named.conf.in
-@@ -60,3 +60,8 @@ zone "malicious." {
- 	type master;
- 	file "malicious.db";
- };
-+
-+zone "sibling.tld" {
-+	type master;
-+	file "sibling.tld.db";
-+};
-diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db
-new file mode 100644
-index 0000000000..58037d093b
---- /dev/null
-+++ b/bin/tests/system/forward/ns4/sibling.tld.db
-@@ -0,0 +1,20 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+$TTL    86400
-+@       IN      SOA     malicious. admin.malicious. (
-+                              1         ; Serial
-+                         604800         ; Refresh
-+                          86400         ; Retry
-+                        2419200         ; Expire
-+                          86400 )       ; Negative Cache TTL
-+
-+@           IN    NS      ns
-+
-+ns          IN    A       10.53.0.4
-diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in
-new file mode 100644
-index 0000000000..9260f69ded
---- /dev/null
-+++ b/bin/tests/system/forward/ns8/named.conf.in
-@@ -0,0 +1,33 @@
-+/*
-+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+ *
-+ * This Source Code Form is subject to the terms of the Mozilla Public
-+ * License, v. 2.0. If a copy of the MPL was not distributed with this
-+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+ *
-+ * See the COPYRIGHT file distributed with this work for additional
-+ * information regarding copyright ownership.
-+ */
-+
-+options {
-+	query-source address 10.53.0.8;
-+	notify-source 10.53.0.8;
-+	transfer-source 10.53.0.8;
-+	port @PORT@;
-+	pid-file "named.pid";
-+	listen-on { 10.53.0.8; };
-+	listen-on-v6 { none; };
-+	forwarders { 10.53.0.2; };	// returns referrals
-+	forward first;
-+	dnssec-validation yes;
-+};
-+
-+zone "." {
-+	type hint;
-+	file "root.db";
-+};
-+
-+zone "sub.local.tld" {
-+	type master;
-+	file "sub.local.tld.db";
-+};
-diff --git a/bin/tests/system/forward/ns8/root.db b/bin/tests/system/forward/ns8/root.db
-new file mode 100644
-index 0000000000..4f30322270
---- /dev/null
-+++ b/bin/tests/system/forward/ns8/root.db
-@@ -0,0 +1,11 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+.			NS	a.root-servers.nil.
-+a.root-servers.nil.	A	10.53.0.1
-diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db
-new file mode 100644
-index 0000000000..eb20683ae9
---- /dev/null
-+++ b/bin/tests/system/forward/ns8/sub.local.tld.db
-@@ -0,0 +1,13 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+sub.local.tld.		3600	IN	SOA	. . 0 0 0 0 0
-+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
-+sub.local.tld.		3600	IN	TXT	good
-+ns.sub.local.tld.	3600	IN	A	10.53.0.8
-diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db
-new file mode 100644
-index 0000000000..2c971e1e93
---- /dev/null
-+++ b/bin/tests/system/forward/ns9/local.net.db
-@@ -0,0 +1,14 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+local.net.		3600	IN	SOA	. . 0 0 0 0 0
-+local.net.		3600	IN	NS	localhost.
-+ns.local.net.		3600	IN	A	10.53.0.9
-+txt.local.net.		3600	IN	TXT	"something in the local auth zone"
-+sub.local.net.		3600	IN	NS	ns.spoofed.net.  ; attacker will try to override this
-diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db
-new file mode 100644
-index 0000000000..59403915fb
---- /dev/null
-+++ b/bin/tests/system/forward/ns9/local.tld.db
-@@ -0,0 +1,13 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+local.tld.		3600	IN	SOA	. . 0 0 0 0 0
-+local.tld.		3600	IN	NS	localhost.
-+sub.local.tld.		3600	IN	NS	ns.sub.local.tld.
-+ns.sub.local.tld.	3600	IN	A	10.53.0.8
-diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in
-new file mode 100644
-index 0000000000..943e037d09
---- /dev/null
-+++ b/bin/tests/system/forward/ns9/named1.conf.in
-@@ -0,0 +1,65 @@
-+/*
-+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+ *
-+ * This Source Code Form is subject to the terms of the Mozilla Public
-+ * License, v. 2.0. If a copy of the MPL was not distributed with this
-+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+ *
-+ * See the COPYRIGHT file distributed with this work for additional
-+ * information regarding copyright ownership.
-+ */
-+
-+options {
-+	query-source address 10.53.0.9;
-+	notify-source 10.53.0.9;
-+	transfer-source 10.53.0.9;
-+	port @PORT@;
-+	pid-file "named.pid";
-+	listen-on { 10.53.0.9; };
-+	listen-on-v6 { none; };
-+	dnssec-validation no;
-+	edns-udp-size 1232;
-+};
-+
-+key rndc_key {
-+	secret "1234abcd8765";
-+	algorithm hmac-sha256;
-+};
-+
-+controls {
-+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-+};
-+
-+server 10.53.0.10 {
-+	edns no;
-+};
-+
-+server 10.53.0.11 {
-+	edns no;
-+};
-+
-+zone "." {
-+	type hint;
-+	file "root.db";
-+};
-+
-+zone "attacksecuredomain.net." {
-+	type forward;
-+	forwarders { 10.53.0.10; };
-+};
-+
-+zone "attacksecuredomain.net2." {
-+	type forward;
-+	forwarders { 10.53.0.10; };
-+};
-+
-+zone "attacksecuredomain.net3." {
-+	type forward;
-+	forwarders { 10.53.0.11; };
-+};
-+
-+zone "local.net." {
-+	type master;
-+	file "local.net.db";
-+	forwarders {};
-+};
-diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in
-new file mode 100644
-index 0000000000..5a17d1998a
---- /dev/null
-+++ b/bin/tests/system/forward/ns9/named2.conf.in
-@@ -0,0 +1,68 @@
-+/*
-+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+ *
-+ * This Source Code Form is subject to the terms of the Mozilla Public
-+ * License, v. 2.0. If a copy of the MPL was not distributed with this
-+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+ *
-+ * See the COPYRIGHT file distributed with this work for additional
-+ * information regarding copyright ownership.
-+ */
-+
-+options {
-+	query-source address 10.53.0.9;
-+	notify-source 10.53.0.9;
-+	transfer-source 10.53.0.9;
-+	port @PORT@;
-+	pid-file "named.pid";
-+	listen-on { 10.53.0.9; };
-+	listen-on-v6 { none; };
-+	dnssec-validation no;
-+	edns-udp-size 1232;
-+};
-+
-+key rndc_key {
-+	secret "1234abcd8765";
-+	algorithm hmac-sha256;
-+};
-+
-+controls {
-+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-+};
-+
-+server 10.53.0.10 {
-+	edns no;
-+};
-+
-+server 10.53.0.11 {
-+	edns no;
-+};
-+
-+zone "." {
-+	type hint;
-+	file "root.db";
-+};
-+
-+zone "attacksecuredomain.net." {
-+	type forward;
-+	forward only;
-+	forwarders { 10.53.0.10; };
-+};
-+
-+zone "attacksecuredomain.net2." {
-+	type forward;
-+	forward only;
-+	forwarders { 10.53.0.10; };
-+};
-+
-+zone "attacksecuredomain.net3." {
-+	type forward;
-+	forward only;
-+	forwarders { 10.53.0.11; };
-+};
-+
-+zone "local.net." {
-+	type master;
-+	file "local.net.db";
-+	forwarders {};
-+};
-diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in
-new file mode 100644
-index 0000000000..1e70d1ae51
---- /dev/null
-+++ b/bin/tests/system/forward/ns9/named3.conf.in
-@@ -0,0 +1,48 @@
-+/*
-+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+ *
-+ * This Source Code Form is subject to the terms of the Mozilla Public
-+ * License, v. 2.0. If a copy of the MPL was not distributed with this
-+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+ *
-+ * See the COPYRIGHT file distributed with this work for additional
-+ * information regarding copyright ownership.
-+ */
-+
-+options {
-+	query-source address 10.53.0.9;
-+	notify-source 10.53.0.9;
-+	transfer-source 10.53.0.9;
-+	port @PORT@;
-+	pid-file "named.pid";
-+	listen-on { 10.53.0.9; };
-+	listen-on-v6 { none; };
-+	dnssec-validation no;
-+	edns-udp-size 1232;
-+	forward only;
-+	forwarders { 10.53.0.10; };
-+};
-+
-+key rndc_key {
-+	secret "1234abcd8765";
-+	algorithm hmac-sha256;
-+};
-+
-+controls {
-+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-+};
-+
-+server 10.53.0.10 {
-+	edns no;
-+};
-+
-+zone "." {
-+	type hint;
-+	file "root.db";
-+};
-+
-+zone "local.net." {
-+	type master;
-+	file "local.net.db";
-+	forwarders {};
-+};
-diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in
-new file mode 100644
-index 0000000000..6f7b1075b5
---- /dev/null
-+++ b/bin/tests/system/forward/ns9/named4.conf.in
-@@ -0,0 +1,45 @@
-+/*
-+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+ *
-+ * This Source Code Form is subject to the terms of the Mozilla Public
-+ * License, v. 2.0. If a copy of the MPL was not distributed with this
-+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+ *
-+ * See the COPYRIGHT file distributed with this work for additional
-+ * information regarding copyright ownership.
-+ */
-+
-+options {
-+	query-source address 10.53.0.9;
-+	notify-source 10.53.0.9;
-+	transfer-source 10.53.0.9;
-+	port @PORT@;
-+	pid-file "named.pid";
-+	listen-on { 10.53.0.9; };
-+	listen-on-v6 { none; };
-+	dnssec-validation no;
-+	edns-udp-size 1232;
-+};
-+
-+key rndc_key {
-+	secret "1234abcd8765";
-+	algorithm hmac-sha256;
-+};
-+
-+controls {
-+	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-+};
-+
-+server 10.53.0.10 {
-+	edns no;
-+};
-+
-+zone "." {
-+	type hint;
-+	file "root.db";
-+};
-+
-+zone "local.tld." {
-+	type master;
-+	file "local.tld.db";
-+};
-diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db
-new file mode 100644
-index 0000000000..4f30322270
---- /dev/null
-+++ b/bin/tests/system/forward/ns9/root.db
-@@ -0,0 +1,11 @@
-+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-+;
-+; See the COPYRIGHT file distributed with this work for additional
-+; information regarding copyright ownership.
-+
-+.			NS	a.root-servers.nil.
-+a.root-servers.nil.	A	10.53.0.1
-diff --git a/bin/tests/system/forward/prereq.sh b/bin/tests/system/forward/prereq.sh
-index d2ca8fc2bf..53fb5817df 100644
---- a/bin/tests/system/forward/prereq.sh
-+++ b/bin/tests/system/forward/prereq.sh
-@@ -12,6 +12,20 @@
- SYSTEMTESTTOP=..
- . $SYSTEMTESTTOP/conf.sh
- 
-+if test -n "$PYTHON"
-+then
-+    if $PYTHON -c "import dns" 2> /dev/null
-+    then
-+        :
-+    else
-+        echo_i "This test requires the dnspython module." >&2
-+        exit 1
-+    fi
-+else
-+    echo_i "This test requires Python and the dnspython module." >&2
-+    exit 1
-+fi
-+
- if $PERL -e 'use Net::DNS;' 2>/dev/null
- then
-     :
-diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh
-index 87452b9a88..18e81d277d 100644
---- a/bin/tests/system/forward/setup.sh
-+++ b/bin/tests/system/forward/setup.sh
-@@ -18,3 +18,6 @@ copy_setports ns3/named.conf.in ns3/named.conf
- copy_setports ns4/named.conf.in ns4/named.conf
- copy_setports ns5/named.conf.in ns5/named.conf
- copy_setports ns7/named.conf.in ns7/named.conf
-+copy_setports ns8/named.conf.in ns8/named.conf
-+copy_setports ns9/named1.conf.in ns9/named.conf
-+copy_setports ns10/named.conf.in ns10/named.conf
-diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
-index e3549c5bc7..ce9b309a27 100644
---- a/bin/tests/system/forward/tests.sh
-+++ b/bin/tests/system/forward/tests.sh
-@@ -19,6 +19,10 @@ sendcmd() (
- 	"$PERL" ../send.pl 10.53.0.6 "$EXTRAPORT1"
- )
- 
-+rndccmd() {
-+    "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
-+}
-+
- root=10.53.0.1
- hidden=10.53.0.2
- f1=10.53.0.3
-@@ -223,5 +227,127 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
- status=$((status+ret))
- 
- 
-+#
-+# Check various spoofed response scenarios. The same tests will be
-+# run twice, with "forward first" and "forward only" configurations.
-+#
-+run_spooftests () {
-+    n=$((n+1))
-+    echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
-+    ret=0
-+    # prime
-+    dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
-+    # check 'net' is not poisoned.
-+    dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
-+    grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1
-+    # check 'sub.local.net' is not poisoned.
-+    dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
-+    grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1
-+    if [ $ret != 0 ]; then echo_i "failed"; fi
-+    status=$((status+ret))
-+
-+    n=$((n+1))
-+    echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
-+    ret=0
-+    # prime
-+    dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
-+    # check that net2/DNAME is not cached
-+    dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
-+    grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1
-+    grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1
-+    if [ $ret != 0 ]; then echo_i "failed"; fi
-+    status=$((status+ret))
-+
-+    n=$((n+1))
-+    echo_i "checking spoofed response scenario 3 - extra answer ($n)"
-+    ret=0
-+    # prime
-+    dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1
-+    # check extra net3 records are not cached
-+    rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
-+    for try in 1 2 3 4 5; do
-+        lines=$(grep "net3" ns9/named_dump.db | wc -l)
-+        if [ ${lines} -eq 0 ]; then
-+                sleep 1
-+                continue
-+        fi
-+        [ ${lines} -eq 1 ] || ret=1
-+        grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
-+        grep -q '^local.net3' ns9/named_dump.db && ret=1
-+    done
-+    if [ $ret != 0 ]; then echo_i "failed"; fi
-+    status=$((status+ret))
-+}
-+
-+echo_i "checking spoofed response scenarios with forward first zones"
-+run_spooftests
-+
-+copy_setports ns9/named2.conf.in ns9/named.conf
-+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
-+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
-+sleep 1
-+
-+echo_i "rechecking spoofed response scenarios with forward only zones"
-+run_spooftests
-+
-+#
-+# This scenario expects the spoofed response to succeed. The tests are
-+# similar to the ones above, but not identical.
-+#
-+echo_i "rechecking spoofed response scenarios with 'forward only' set globally"
-+copy_setports ns9/named3.conf.in ns9/named.conf
-+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
-+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
-+sleep 1
-+
-+n=$((n+1))
-+echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
-+ret=0
-+# prime
-+dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
-+# check 'net' is poisoned.
-+dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
-+grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1
-+# check 'sub.local.net' is poisoned.
-+dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
-+grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1
-+if [ $ret != 0 ]; then echo_i "failed"; fi
-+status=$((status+ret))
-+
-+n=$((n+1))
-+echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
-+ret=0
-+# prime
-+dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
-+# check that net2/DNAME is cached
-+dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
-+grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1
-+grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1
-+if [ $ret != 0 ]; then echo_i "failed"; fi
-+status=$((status+ret))
-+
-+#
-+# This test doesn't use any forwarder clauses but is here because it
-+# is similar to forwarders, as the set of servers that can populate
-+# the namespace is defined by the zone content.
-+#
-+echo_i "rechecking spoofed response scenarios glue below local zone"
-+copy_setports ns9/named4.conf.in ns9/named.conf
-+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
-+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
-+sleep 1
-+
-+n=$((n+1))
-+echo_i "checking sibling glue below zone ($n)"
-+ret=0
-+# prime
-+dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1
-+# check for glue A record for sub.local.tld is not used
-+dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1
-+grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1
-+grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1
-+if [ $ret != 0 ]; then echo_i "failed"; fi
-+status=$((status+ret))
-+
- echo_i "exit status: $status"
- [ $status -eq 0 ] || exit 1
-diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
-index d0eb9fa61d..8b9212c3e0 100755
---- a/bin/tests/system/ifconfig.sh
-+++ b/bin/tests/system/ifconfig.sh
-@@ -12,10 +12,10 @@
- #
- # Set up interface aliases for bind9 system tests.
- #
--# IPv4: 10.53.0.{1..10}				RFC 1918
-+# IPv4: 10.53.0.{1..11}				RFC 1918
- #       10.53.1.{1..2}
- #       10.53.2.{1..2}
--# IPv6: fd92:7065:b8e:ffff::{1..10}		ULA
-+# IPv6: fd92:7065:b8e:ffff::{1..11}		ULA
- #       fd92:7065:b8e:99ff::{1..2}
- #       fd92:7065:b8e:ff::{1..2}
- #
-@@ -65,7 +65,7 @@ case "$1" in
- 		  2) ipv6="00" ;;
- 		  *) ipv6="" ;;
- 		esac
--		for ns in 1 2 3 4 5 6 7 8 9 10
-+		for ns in 1 2 3 4 5 6 7 8 9 10 11
- 		do
- 			[ $i -gt 0 -a $ns -gt 2 ] && break
- 			int=`expr $i \* 10 + $ns`
-@@ -165,7 +165,7 @@ case "$1" in
- 		  2) ipv6="00" ;;
- 		  *) ipv6="" ;;
- 		esac
--		for ns in 10 9 8 7 6 5 4 3 2 1
-+		for ns in 11 10 9 8 7 6 5 4 3 2 1
- 		do
- 			[ $i -gt 0 -a $ns -gt 2 ] && continue
- 			int=`expr $i \* 10 + $ns - 1`
--- 
-2.34.1
-
diff --git a/SOURCES/bind-9.11-CVE-2021-25220.patch b/SOURCES/bind-9.11-CVE-2021-25220.patch
deleted file mode 100644
index 37f3c41..0000000
--- a/SOURCES/bind-9.11-CVE-2021-25220.patch
+++ /dev/null
@@ -1,254 +0,0 @@
-From 1f5cb247ecd20ba57c472138f94856aa83caf042 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Tue, 1 Mar 2022 09:48:05 +1100
-Subject: [PATCH] Add additional name checks when using a forwarder
-
-When using a forwarder, check that the owner name of response
-records are within the bailiwick of the forwarded name space.
-
-(cherry picked from commit e8df2802ac62016ea68585893eb4310fc3329028)
-
-Check that the forward declaration is unchanged and not overridden
-
-If we are using a fowarder, in addition to checking that names to
-be cached are subdomains of the forwarded namespace, we must also
-check that there are no subsidiary forwarded namespaces which would
-take precedence. To be safe, we don't cache any responses if the
-forwarding configuration has changed since the query was sent.
-
-(cherry picked from commit 590f8698fc876d6d72f75cf35359e7546c3af972)
-
-Check cached names for possible "forward only" clause
-
-When caching additional and glue data *not* from a forwarder, we must
-check that there is no "forward only" clause covering the owner name
-that would take precedence.  Such names would normally be allowed by
-baliwick rules, but a "forward only" zone introduces a new baliwick
-scope.
-
-(cherry picked from commit 4a144fae16e70517be894a971cef1d085ee68ebe)
-
-Look for zones deeper than the current domain or forward name
-
-When caching glue, we need to ensure that there is no closer
-source of truth for the name. If the owner name for the glue
-record would be answered by a locally configured zone, do not
-cache.
-
-(cherry picked from commit 42f8c538d3fb9d075b98d82688aeb71621798754)
-
-Avoid use of compound literals
-
-Compound literals are not used in BIND 9.11, in order to ensure backward
-compatibility with ancient compilers.  Rework the relevant parts of the
-BIND 9.11 backport of the CVE-2021-25220 fix so that compound literals
-are not used.
-
-(cherry picked from commit d4b1efbcbd4dfb8c6ef303968992440c5bdeed15)
----
- lib/dns/resolver.c | 130 +++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 125 insertions(+), 5 deletions(-)
-
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index c912f3aea8..2c68973899 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -63,6 +63,7 @@
- #include <dns/stats.h>
- #include <dns/tsig.h>
- #include <dns/validator.h>
-+#include <dns/zone.h>
- 
- #ifdef WANT_QUERYTRACE
- #define RTRACE(m)       isc_log_write(dns_lctx, \
-@@ -312,6 +313,8 @@ struct fetchctx {
- 	bool			ns_ttl_ok;
- 	uint32_t			ns_ttl;
- 	isc_counter_t *			qc;
-+	dns_fixedname_t			fwdfname;
-+	dns_name_t			*fwdname;
- 
- 	/*%
- 	 * The number of events we're waiting for.
-@@ -3393,6 +3396,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
- 		if (result == ISC_R_SUCCESS) {
- 			fwd = ISC_LIST_HEAD(forwarders->fwdrs);
- 			fctx->fwdpolicy = forwarders->fwdpolicy;
-+			dns_name_copy(domain, fctx->fwdname, NULL);
- 			if (fctx->fwdpolicy == dns_fwdpolicy_only &&
- 			    isstrictsubdomain(domain, &fctx->domain)) {
- 				fcount_decr(fctx);
-@@ -4422,6 +4426,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
- 	fctx->restarts = 0;
- 	fctx->querysent = 0;
- 	fctx->referrals = 0;
-+
-+	fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
-+
- 	TIME_NOW(&fctx->start);
- 	fctx->timeouts = 0;
- 	fctx->lamecount = 0;
-@@ -4480,8 +4487,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
- 		domain = dns_fixedname_initname(&fixed);
- 		result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
- 					    domain, &forwarders);
--		if (result == ISC_R_SUCCESS)
-+		if (result == ISC_R_SUCCESS) {
- 			fctx->fwdpolicy = forwarders->fwdpolicy;
-+			dns_name_copy(domain, fctx->fwdname, NULL);
-+		}
- 
- 		if (fctx->fwdpolicy != dns_fwdpolicy_only) {
- 			/*
-@@ -6231,6 +6240,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
- 		rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
- }
- 
-+/*
-+ * Returns true if 'name' is external to the namespace for which
-+ * the server being queried can answer, either because it's not a
-+ * subdomain or because it's below a forward declaration or a
-+ * locally served zone.
-+ */
-+static inline bool
-+name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
-+	isc_result_t result;
-+	dns_forwarders_t *forwarders = NULL;
-+	dns_fixedname_t fixed, zfixed;
-+	dns_name_t *fname = dns_fixedname_initname(&fixed);
-+	dns_name_t *zfname = dns_fixedname_initname(&zfixed);
-+	dns_name_t *apex = NULL;
-+	dns_name_t suffix;
-+	dns_zone_t *zone = NULL;
-+	unsigned int labels;
-+	dns_namereln_t rel;
-+	/*
-+	 * The following two variables do not influence code flow; they are
-+	 * only necessary for calling dns_name_fullcompare().
-+	 */
-+	int _orderp = 0;
-+	unsigned int _nlabelsp = 0;
-+
-+	apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
-+
-+	/*
-+	 * The name is outside the queried namespace.
-+	 */
-+	rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp);
-+	if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
-+		return (true);
-+	}
-+
-+	/*
-+	 * If the record lives in the parent zone, adjust the name so we
-+	 * look for the correct zone or forward clause.
-+	 */
-+	labels = dns_name_countlabels(name);
-+	if (dns_rdatatype_atparent(type) && labels > 1U) {
-+		dns_name_init(&suffix, NULL);
-+		dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
-+		name = &suffix;
-+	} else if (rel == dns_namereln_equal) {
-+		/* If 'name' is 'apex', no further checking is needed. */
-+		return (false);
-+	}
-+
-+	/*
-+	 * If there is a locally served zone between 'apex' and 'name'
-+	 * then don't cache.
-+	 */
-+	LOCK(&fctx->res->view->lock);
-+	if (fctx->res->view->zonetable != NULL) {
-+		unsigned int options = DNS_ZTFIND_NOEXACT;
-+		result = dns_zt_find(fctx->res->view->zonetable, name, options,
-+				     zfname, &zone);
-+		if (zone != NULL) {
-+			dns_zone_detach(&zone);
-+		}
-+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
-+			if (dns_name_fullcompare(zfname, apex, &_orderp,
-+						 &_nlabelsp) ==
-+			    dns_namereln_subdomain)
-+			{
-+				UNLOCK(&fctx->res->view->lock);
-+				return (true);
-+			}
-+		}
-+	}
-+	UNLOCK(&fctx->res->view->lock);
-+
-+	/*
-+	 * Look for a forward declaration below 'name'.
-+	 */
-+	result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname,
-+				    &forwarders);
-+
-+	if (ISFORWARDER(fctx->addrinfo)) {
-+		/*
-+		 * See if the forwarder declaration is better.
-+		 */
-+		if (result == ISC_R_SUCCESS) {
-+			return (!dns_name_equal(fname, fctx->fwdname));
-+		}
-+
-+		/*
-+		 * If the lookup failed, the configuration must have
-+		 * changed: play it safe and don't cache.
-+		 */
-+		return (true);
-+	} else if (result == ISC_R_SUCCESS &&
-+		   forwarders->fwdpolicy == dns_fwdpolicy_only &&
-+		   !ISC_LIST_EMPTY(forwarders->fwdrs))
-+	{
-+		/*
-+		 * If 'name' is covered by a 'forward only' clause then we
-+		 * can't cache this repsonse.
-+		 */
-+		return (true);
-+	}
-+
-+	return (false);
-+}
-+
- static isc_result_t
- check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
- 	      dns_section_t section)
-@@ -6259,7 +6374,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
- 	result = dns_message_findname(rmessage, section, addname,
- 				      dns_rdatatype_any, 0, &name, NULL);
- 	if (result == ISC_R_SUCCESS) {
--		external = !dns_name_issubdomain(name, &fctx->domain);
-+		external = name_external(name, type, fctx);
- 		if (type == dns_rdatatype_a) {
- 			for (rdataset = ISC_LIST_HEAD(name->list);
- 			     rdataset != NULL;
-@@ -7141,6 +7256,13 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
- 			break;
- 
- 		case dns_namereln_subdomain:
-+			/*
-+			 * Don't accept DNAME from parent namespace.
-+			 */
-+			if (name_external(name, dns_rdatatype_dname, fctx)) {
-+				continue;
-+			}
-+
- 			/*
- 			 * In-scope DNAME records must have at least
- 			 * as many labels as the domain being queried.
-@@ -7376,11 +7498,9 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
- 	 */
- 	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- 	while (!done && result == ISC_R_SUCCESS) {
--		bool external;
- 		name = NULL;
- 		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
--		external = !dns_name_issubdomain(name, &fctx->domain);
--		if (!external) {
-+		if (!name_external(name, dns_rdatatype_ns, fctx)) {
- 			/*
- 			 * We expect to find NS or SIG NS rdatasets, and
- 			 * nothing else.
--- 
-2.34.1
-
diff --git a/SOURCES/bind-9.11-rh2101712.patch b/SOURCES/bind-9.11-rh2101712.patch
new file mode 100644
index 0000000..e519e97
--- /dev/null
+++ b/SOURCES/bind-9.11-rh2101712.patch
@@ -0,0 +1,232 @@
+From fff2960981a3294ac641968a17558c8d7eecf74d Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 24 Aug 2022 12:21:50 +1000
+Subject: [PATCH] Have dns_zt_apply lock the zone table
+
+There where a number of places where the zone table should have
+been locked, but wasn't, when dns_zt_apply was called.
+
+Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
+all calls to using it.  Removed locks in callers.
+
+Modified upstream commit for v9_11
+---
+ bin/named/server.c       | 11 ++++++-----
+ bin/named/statschannel.c |  8 ++++----
+ lib/dns/include/dns/zt.h |  4 ++--
+ lib/dns/tests/zt_test.c  |  3 ++-
+ lib/dns/view.c           |  3 ++-
+ lib/dns/zt.c             | 34 +++++++++++++++++++---------------
+ 6 files changed, 35 insertions(+), 28 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 9826588e6d..0b4b309461 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -8723,8 +8723,8 @@ load_configuration(const char *filename, ns_server_t *server,
+ 		    strcmp(view->name, "_bind") != 0)
+ 		{
+ 			dns_view_setviewrevert(view);
+-			(void)dns_zt_apply(view->zonetable, false,
+-					   removed, view);
++			(void)dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++					   false, removed, view);
+ 		}
+ 		dns_view_detach(&view);
+ 	}
+@@ -10090,8 +10090,8 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
+ 	ISC_LIST_INIT(vle->zonelist);
+ 	ISC_LIST_APPEND(dctx->viewlist, vle, link);
+ 	if (dctx->dumpzones)
+-		result = dns_zt_apply(view->zonetable, true,
+-				      add_zone_tolist, dctx);
++		result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++				      true, add_zone_tolist, dctx);
+ 	return (result);
+ }
+ 
+@@ -11367,7 +11367,8 @@ ns_server_sync(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
+ 		for (view = ISC_LIST_HEAD(server->viewlist);
+ 		     view != NULL;
+ 		     view = ISC_LIST_NEXT(view, link)) {
+-			result = dns_zt_apply(view->zonetable, false,
++			result = dns_zt_apply(view->zonetable,
++					      isc_rwlocktype_none, false,
+ 					      synczone, &cleanup);
+ 			if (result != ISC_R_SUCCESS &&
+ 			    tresult == ISC_R_SUCCESS)
+diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
+index 12ab048469..9828df0f4e 100644
+--- a/bin/named/statschannel.c
++++ b/bin/named/statschannel.c
+@@ -1833,8 +1833,8 @@ generatexml(ns_server_t *server, uint32_t flags,
+ 		if ((flags & STATS_XML_ZONES) != 0) {
+ 			TRY0(xmlTextWriterStartElement(writer,
+ 						       ISC_XMLCHAR "zones"));
+-			result = dns_zt_apply(view->zonetable, true,
+-					      zone_xmlrender, writer);
++			result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++					      true, zone_xmlrender, writer);
+ 			if (result != ISC_R_SUCCESS)
+ 				goto error;
+ 			TRY0(xmlTextWriterEndElement(writer)); /* /zones */
+@@ -2489,8 +2489,8 @@ generatejson(ns_server_t *server, size_t *msglen,
+ 			CHECKMEM(za);
+ 
+ 			if ((flags & STATS_JSON_ZONES) != 0) {
+-				result = dns_zt_apply(view->zonetable, true,
+-						      zone_jsonrender, za);
++				result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++						      true, zone_jsonrender, za);
+ 				if (result != ISC_R_SUCCESS) {
+ 					goto error;
+ 				}
+diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
+index e658e5bb67..94212250da 100644
+--- a/lib/dns/include/dns/zt.h
++++ b/lib/dns/include/dns/zt.h
+@@ -177,11 +177,11 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze);
+  */
+ 
+ isc_result_t
+-dns_zt_apply(dns_zt_t *zt, bool stop,
++dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
+ 	     isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+ 
+ isc_result_t
+-dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
++dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
+ 	      isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+ /*%<
+  * Apply a given 'action' to all zone zones in the table.
+diff --git a/lib/dns/tests/zt_test.c b/lib/dns/tests/zt_test.c
+index 3f1e812d60..ee75303a50 100644
+--- a/lib/dns/tests/zt_test.c
++++ b/lib/dns/tests/zt_test.c
+@@ -145,7 +145,8 @@ apply(void **state) {
+ 	assert_non_null(view->zonetable);
+ 
+ 	assert_int_equal(nzones, 0);
+-	result = dns_zt_apply(view->zonetable, false, count_zone, &nzones);
++	result = dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL,
++			      count_zone, &nzones);
+ 	assert_int_equal(result, ISC_R_SUCCESS);
+ 	assert_int_equal(nzones, 1);
+ 
+diff --git a/lib/dns/view.c b/lib/dns/view.c
+index f01b4dea0f..bd1ced2863 100644
+--- a/lib/dns/view.c
++++ b/lib/dns/view.c
+@@ -676,7 +676,8 @@ dns_view_dialup(dns_view_t *view) {
+ 	REQUIRE(DNS_VIEW_VALID(view));
+ 	REQUIRE(view->zonetable != NULL);
+ 
+-	(void)dns_zt_apply(view->zonetable, false, dialup, NULL);
++	(void)dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL,
++			   dialup, NULL);
+ }
+ 
+ void
+diff --git a/lib/dns/zt.c b/lib/dns/zt.c
+index 3f12e247e0..af65740325 100644
+--- a/lib/dns/zt.c
++++ b/lib/dns/zt.c
+@@ -202,7 +202,8 @@ flush(dns_zone_t *zone, void *uap) {
+ static void
+ zt_destroy(dns_zt_t *zt) {
+ 	if (zt->flush) {
+-		(void)dns_zt_apply(zt, false, flush, NULL);
++		(void)dns_zt_apply(zt, isc_rwlocktype_none,
++				   false, flush, NULL);
+ 	}
+ 	isc_refcount_destroy(&zt->references);
+ 	dns_rbt_destroy(&zt->table);
+@@ -249,9 +250,7 @@ dns_zt_load(dns_zt_t *zt, bool stop) {
+ 
+ 	REQUIRE(VALID_ZT(zt));
+ 
+-	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+-	result = dns_zt_apply(zt, stop, load, NULL);
+-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++	result = dns_zt_apply2(zt, isc_rwlocktype_read, stop, NULL, load, NULL);
+ 	return (result);
+ }
+ 
+@@ -293,7 +292,7 @@ dns_zt_asyncload2(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg,
+ 	 * Prevent loads_pending going to zero while kicking off the loads.
+ 	 */
+ 	zt->loads_pending++;
+-	result = dns_zt_apply2(zt, false, NULL, asyncload, &params);
++	result = dns_zt_apply2(zt, isc_rwlocktype_none, false, NULL, asyncload, &params);
+ 	pending = --zt->loads_pending;
+ 	if (pending != 0) {
+ 		zt->loaddone = alldone;
+@@ -342,9 +341,7 @@ dns_zt_loadnew(dns_zt_t *zt, bool stop) {
+ 
+ 	REQUIRE(VALID_ZT(zt));
+ 
+-	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+-	result = dns_zt_apply(zt, stop, loadnew, NULL);
+-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++	result = dns_zt_apply(zt, isc_rwlocktype_read, stop, loadnew, NULL);
+ 	return (result);
+ }
+ 
+@@ -366,9 +363,7 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze) {
+ 
+ 	REQUIRE(VALID_ZT(zt));
+ 
+-	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+-	result = dns_zt_apply2(zt, false, &tresult, freezezones, &freeze);
+-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++	result = dns_zt_apply2(zt, isc_rwlocktype_read, false, &tresult, freezezones, &freeze);
+ 	if (tresult == ISC_R_NOTFOUND)
+ 		tresult = ISC_R_SUCCESS;
+ 	return ((result == ISC_R_SUCCESS) ? tresult : result);
+@@ -490,14 +485,14 @@ dns_zt_setviewrevert(dns_zt_t *zt) {
+ }
+ 
+ isc_result_t
+-dns_zt_apply(dns_zt_t *zt, bool stop,
++dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
+ 	     isc_result_t (*action)(dns_zone_t *, void *), void *uap)
+ {
+-	return (dns_zt_apply2(zt, stop, NULL, action, uap));
++	return (dns_zt_apply2(zt, lock, stop, NULL, action, uap));
+ }
+ 
+ isc_result_t
+-dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
++dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
+ 	      isc_result_t (*action)(dns_zone_t *, void *), void *uap)
+ {
+ 	dns_rbtnode_t *node;
+@@ -508,6 +503,10 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
+ 	REQUIRE(VALID_ZT(zt));
+ 	REQUIRE(action != NULL);
+ 
++	if (lock != isc_rwlocktype_none) {
++		RWLOCK(&zt->rwlock, lock);
++	}
++
+ 	dns_rbtnodechain_init(&chain, zt->mctx);
+ 	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
+ 	if (result == ISC_R_NOTFOUND) {
+@@ -538,8 +537,13 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
+ 
+  cleanup:
+ 	dns_rbtnodechain_invalidate(&chain);
+-	if (sub != NULL)
++	if (sub != NULL) {
+ 		*sub = tresult;
++	}
++
++	if (lock != isc_rwlocktype_none) {
++		RWUNLOCK(&zt->rwlock, lock);
++	}
+ 
+ 	return (result);
+ }
+-- 
+2.37.2
+
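Review bot: The new `lock` argument of `dns_zt_apply()` and `dns_zt_apply2()` is left undocumented: the `lib/dns/include/dns/zt.h` part changes both prototypes, but the `/*%<` comment below them is untouched, so nothing says when a caller may pass `isc_rwlocktype_none`. Three call sites do so (`ns_server_sync`, `zt_destroy`, `dns_zt_asyncload2`), presumably because the table is already locked or exclusively owned there, but that is not visible in these hunks and should be written down. I would add to the header comment something like `'lock' is the rwlock type taken on the zone table for the whole walk; pass isc_rwlocktype_none only if the caller already holds zt->rwlock or has exclusive access.` Since `dns_zt_apply2` now takes `zt->rwlock` before the walk and releases it after `cleanup:`, the comment should also say that `action` must not call anything that takes the same lock for writing (the loop body itself is outside the hunk).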
diff --git a/SOURCES/bind-9.11-rh2133889.patch b/SOURCES/bind-9.11-rh2133889.patch
new file mode 100644
index 0000000..c61d902
--- /dev/null
+++ b/SOURCES/bind-9.11-rh2133889.patch
@@ -0,0 +1,26 @@
+From c8f5b31f0637315c1c45d0287f05fcad2250f40f Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 13 Oct 2022 15:35:46 +0200
+Subject: [PATCH] Add include to rwlocktype_t to dns/zt.h
+
+It got broken as part of bug #2101712 fix. Introduced new definition,
+which passes during bind build, but breaks bind-dyndb-ldap build.
+---
+ lib/dns/include/dns/zt.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
+index 9421225..64c24d6 100644
+--- a/lib/dns/include/dns/zt.h
++++ b/lib/dns/include/dns/zt.h
+@@ -18,6 +18,7 @@
+ #include <stdbool.h>
+ 
+ #include <isc/lang.h>
++#include <isc/rwlock.h>
+ 
+ #include <dns/types.h>
+ 
+-- 
+2.37.3
+
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 300114c..84c42cf 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -68,7 +68,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.36
-Release:  5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release:  3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.3
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -158,10 +158,11 @@ Patch178:bind-9.11-dhcp-time-monotonic.patch
 Patch183:bind-9.11-rh1980757.patch
 # modified, https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3067
 Patch184: bind-9.15-resolver-ntasks.patch
-Patch185: bind-9.11-CVE-2021-25220.patch
-Patch186: bind-9.11-CVE-2021-25220-test.patch
 Patch188: bind-9.16-CVE-2022-38177.patch
 Patch189: bind-9.16-CVE-2022-38178.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6695
+Patch190: bind-9.11-rh2101712.patch
+Patch192: bind-9.11-rh2133889.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
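Review bot: Dropping `Patch185: bind-9.11-CVE-2021-25220.patch` and `Patch186: bind-9.11-CVE-2021-25220-test.patch` here means the build no longer applies the forwarder bailiwick checks (`name_external()` in `lib/dns/resolver.c`) that the deleted patch file carried, and neither `Patch190` nor `Patch192` replaces them. The matching `%patch185`/`%patch186` lines in the `%prep` hunk and the 9.11.36-4 changelog entry are removed as well, and `Release` goes from 5 to 3.3, so this may be a comparison against an older maintenance stream rather than a deliberate revert; that should be confirmed before shipping. If this stream is released, keep `Patch185`/`Patch186` and their `%patch` lines next to the new ones. Without them, a resolver configured with forwarders would again cache out-of-bailiwick NS, DNAME and glue records returned by a forwarder, which is exactly what the removed system tests checked.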
@@ -557,10 +558,10 @@ are used for building ISC DHCP.
 %patch178 -p1 -b .time-monotonic
 %patch183 -p1 -b .rh1980757
 %patch184 -p1 -b .rh2030239
-%patch185 -p1 -b .CVE-2021-25220
-%patch186 -p1 -b .CVE-2021-25220-test
 %patch188 -p1 -b .CVE-2022-38177
 %patch189 -p1 -b .CVE-2022-38178
+%patch190 -p1 -b .rh2101712
+%patch192 -p1 -b .rh2133889
 
 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1613,15 +1614,17 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 
 %changelog
-* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-5
+* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-3.3
+- Correct regression preventing bind-dyndb-ldap build (#2101712)
+
+* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-3.2
+- Prevent freeing zone during statistics rendering (#2101712)
+
+* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-3.1
 - Fix memory leak in ECDSA verify processing (CVE-2022-38177)
 - Fix memory leak in EdDSA verify processing (CVE-2022-38178)
 
-* Wed Apr 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-4
-- Tighten cache protection against record from forwarders (CVE-2021-25220)
-- Include test of forwarders
-
-* Thu Feb 10 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2
+* Thu Feb 10 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-3
 - Reduce memory used per-view on machine with few processors (#2030239)
 
 * Tue Dec 21 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2