diff --git a/SOURCES/bind-9.11-CVE-2020-8616-test.patch b/SOURCES/bind-9.11-CVE-2020-8616-test.patch
new file mode 100644
index 0000000..a1d2823
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2020-8616-test.patch
@@ -0,0 +1,292 @@
+From a64853318ade406ef0db744918bb2828cf0a6247 Mon Sep 17 00:00:00 2001
+From: Stephen Morris <stephen@isc.org>
+Date: Thu, 5 Mar 2020 18:46:46 +0000
+Subject: [PATCH] Add test for reduction in number of fetches
+
+Add a system test that counts how many address fetches are made
+for different numbers of NS records and checks that the number
+are successfully limited.
+
+(cherry picked from commit 5fb65f45443225180296b361a12be0fead5049f2)
+---
+ bin/tests/system/resolver/clean.sh          |  4 +-
+ bin/tests/system/resolver/ns4/named.conf.in |  5 ++
+ bin/tests/system/resolver/ns4/root.db       |  4 +
+ bin/tests/system/resolver/ns4/sourcens.db   | 89 +++++++++++++++++++++
+ bin/tests/system/resolver/ns5/named.conf.in |  9 ++-
+ bin/tests/system/resolver/ns6/named.conf.in | 15 ++++
+ bin/tests/system/resolver/ns6/targetns.db   | 23 ++++++
+ bin/tests/system/resolver/tests.sh          | 34 ++++++++
+ 8 files changed, 180 insertions(+), 3 deletions(-)
+ create mode 100644 bin/tests/system/resolver/ns4/sourcens.db
+ create mode 100644 bin/tests/system/resolver/ns6/targetns.db
+
+diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
+index 4dfde1f3e7..b3e4bc0b5d 100644
+--- a/bin/tests/system/resolver/clean.sh
++++ b/bin/tests/system/resolver/clean.sh
+@@ -17,8 +17,7 @@ rm -f */named.memstats
+ rm -f */named.run
+ rm -f */ans.run
+ rm -f */*.jdb
+-rm -f dig.out dig.out.*
+-rm -f dig.*.out.*
++rm -f dig.out dig.out.* dig.*.out.*
+ rm -f dig.*.foo.*
+ rm -f dig.*.bar.*
+ rm -f dig.*.prime.*
+@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db
+ rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
+ rm -f ns6/dsset-ds.example.net*
+ rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
++rm -f ns6/named.stats*
+ rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
+ rm -f ns7/server.db ns7/server.db.jnl
+ rm -f resolve.out.*.test*
+diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in
+index c679dc3151..56fe5d0dd8 100644
+--- a/bin/tests/system/resolver/ns4/named.conf.in
++++ b/bin/tests/system/resolver/ns4/named.conf.in
+@@ -50,6 +50,11 @@ zone "broken" {
+ 	file "broken.db";
+ };
+ 
++zone "sourcens" {
++    type master;
++    file "sourcens.db";
++};
++
+ key rndc_key {
+ 	secret "1234abcd8765";
+ 	algorithm hmac-sha256;
+diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db
+index 721765d1be..ae541340da 100644
+--- a/bin/tests/system/resolver/ns4/root.db
++++ b/bin/tests/system/resolver/ns4/root.db
+@@ -24,3 +24,7 @@ example.net.		NS	ns.example.net.
+ ns.example.net.		A	10.53.0.6
+ no-questions.		NS	ns.no-questions.
+ ns.no-questions.	A	10.53.0.8
++sourcens.		NS	ns.sourcens.
++ns.sourcens.		A	10.53.0.4
++targetns. 		NS	ns.targetns.
++ns.targetns.		A	10.53.0.6
+diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db
+new file mode 100644
+index 0000000000..b02cc6e835
+--- /dev/null
++++ b/bin/tests/system/resolver/ns4/sourcens.db
+@@ -0,0 +1,89 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++; This zone contains a set of delegations with varying numbers of NS
++; records.  This is used to check that BIND is limiting the number of
++; NS records it follows when resolving a delegation.  It tests all
++; numbers of NS records up to twice the number followed.
++
++$TTL 60
++@ 			IN SOA	marka.isc.org. ns.server. (
++				2010   	; serial
++				600         	; refresh
++				600         	; retry
++				1200    	; expire
++				600       	; minimum
++				)
++@			NS	ns
++ns			A	10.53.0.4
++
++target1  		NS	ns.fake11.targetns.
++
++target2  		NS	ns.fake21.targetns.
++			NS	ns.fake22.targetns.
++
++target3  		NS	ns.fake31.targetns.
++			NS	ns.fake32.targetns.
++			NS	ns.fake33.targetns.
++
++target4  		NS	ns.fake41.targetns.
++			NS	ns.fake42.targetns.
++			NS	ns.fake43.targetns.
++			NS	ns.fake44.targetns.
++
++target5  		NS	ns.fake51.targetns.
++			NS	ns.fake52.targetns.
++			NS	ns.fake53.targetns.
++			NS	ns.fake54.targetns.
++			NS	ns.fake55.targetns.
++
++target6  		NS	ns.fake61.targetns.
++			NS	ns.fake62.targetns.
++			NS	ns.fake63.targetns.
++			NS	ns.fake64.targetns.
++			NS	ns.fake65.targetns.
++			NS	ns.fake66.targetns.
++
++target7  		NS	ns.fake71.targetns.
++			NS	ns.fake72.targetns.
++			NS	ns.fake73.targetns.
++			NS	ns.fake74.targetns.
++			NS	ns.fake75.targetns.
++			NS	ns.fake76.targetns.
++			NS	ns.fake77.targetns.
++
++target8  		NS	ns.fake81.targetns.
++			NS	ns.fake82.targetns.
++			NS	ns.fake83.targetns.
++			NS	ns.fake84.targetns.
++			NS	ns.fake85.targetns.
++			NS	ns.fake86.targetns.
++			NS	ns.fake87.targetns.
++			NS	ns.fake88.targetns.
++
++target9  		NS	ns.fake91.targetns.
++			NS	ns.fake92.targetns.
++			NS	ns.fake93.targetns.
++			NS	ns.fake94.targetns.
++			NS	ns.fake95.targetns.
++			NS	ns.fake96.targetns.
++			NS	ns.fake97.targetns.
++			NS	ns.fake98.targetns.
++			NS	ns.fake99.targetns.
++
++target10  		NS	ns.fake101.targetns.
++			NS	ns.fake102.targetns.
++			NS	ns.fake103.targetns.
++			NS	ns.fake104.targetns.
++			NS	ns.fake105.targetns.
++			NS	ns.fake106.targetns.
++			NS	ns.fake107.targetns.
++			NS	ns.fake108.targetns.
++			NS	ns.fake109.targetns.
++			NS	ns.fake1010.targetns.
+diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in
+index 07205c9938..90818e4556 100644
+--- a/bin/tests/system/resolver/ns5/named.conf.in
++++ b/bin/tests/system/resolver/ns5/named.conf.in
+@@ -46,4 +46,11 @@ zone "delegation-only" {
+        type delegation-only;
+ };
+ 
+-include "trusted.conf";
++key rndc_key {
++	secret "1234abcd8765";
++	algorithm hmac-sha256;
++};
++
++controls {
++	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
+diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in
+index 7df48558b8..4b01f9ba14 100644
+--- a/bin/tests/system/resolver/ns6/named.conf.in
++++ b/bin/tests/system/resolver/ns6/named.conf.in
+@@ -22,6 +22,7 @@ options {
+ 	recursion no;
+ 	// minimal-responses yes;
+ 	querylog yes;
++	statistics-file "named.stats";
+ 	/*
+ 	 * test that named loads with root-delegation-only that
+ 	 * has a exclude list.
+@@ -67,3 +68,17 @@ zone "delegation-only" {
+ 	type master;
+ 	file "delegation-only.db";
+ };
++
++zone "targetns" {
++	type master;
++	file "targetns.db";
++};
++
++key rndc_key {
++	secret "1234abcd8765";
++	algorithm hmac-sha256;
++};
++
++controls {
++	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
+diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db
+new file mode 100644
+index 0000000000..036e64580b
+--- /dev/null
++++ b/bin/tests/system/resolver/ns6/targetns.db
+@@ -0,0 +1,23 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++; In the test for checking how many NS records BIND will follow, this
++; zone marks the server as the one to which the NS lookups will be
++; directed.
++
++$TTL 300
++@ 			IN SOA	marka.isc.org. ns.server. (
++				2010   	; serial
++				600         	; refresh
++				600         	; retry
++				1200    	; expire
++				600       	; minimum
++				)
++			NS	ns
++ns			A	10.53.0.6
+diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
+index 12d2819e30..178ba4d79b 100755
+--- a/bin/tests/system/resolver/tests.sh
++++ b/bin/tests/system/resolver/tests.sh
+@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then
+     status=`expr $status + $ret`
+ fi
+ 
++n=`expr $n + 1`
++echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
++# ns5 is the recusor being tested.  ns4 holds the sourcens zone containing names with varying numbers of NS
++# records pointing to non-existent nameservers in the targetns zone on ns6.
++ret=0
++$RNDCCMD 10.53.0.5 flush || ret=1   # Ensure cache is empty before doing this test
++for nscount in 1 2 3 4 5 6 7 8 9 10
++do
++        # Verify number of NS records at source server
++        $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
++        sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`
++        test $sourcerecs -eq $nscount || ret=1
++        test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"
++        # Expected queries = 2 * number of NS records, up to a maximum of 10.
++        expected=`expr 2 \* $nscount`
++        if [ $expected -gt 10 ]; then expected=10; fi
++        # Work out the queries made by checking statistics on the target before and after the test
++        $RNDCCMD 10.53.0.6 stats || ret=1
++        initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
++        mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
++        $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
++        $RNDCCMD 10.53.0.6 stats || ret=1
++        final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
++        mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
++        # Check number of queries during the test is as expected
++        actual=`expr $final_count - $initial_count`
++        if [ $actual -ne $expected ]; then
++                echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
++                ret=1
++        fi
++done
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=`expr $status + $ret`
++
+ n=`expr $n + 1`
+ echo_i "RT21594 regression test check setup ($n)"
+ ret=0
+-- 
+2.21.1
+
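Review bot: In the added resolver tests.sh loop, `initial_count` and `final_count` are read with `awk '/responses sent/ {print $1}' ns6/named.stats` and fed straight into `expr`; if `rndc stats` fails or the statistics file is missing, both are empty and `expr` aborts with a syntax error instead of the intended `query count error` message, so a guard such as `test -n "$initial_count" -a -n "$final_count" || ret=1` before the subtraction keeps the failure attributable. The preceding `$RNDCCMD 10.53.0.6 stats || ret=1` only records the failure and does not skip the dependent steps. The comment `# ns5 is the recusor being tested` should read `recursor`. Separately, the ns5 named.conf.in hunk drops `include "trusted.conf";` while adding the key/controls block and the commit message does not mention it; if other resolver tests still rely on those trusted keys, the removal needs a note or the include should be kept.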
diff --git a/SOURCES/bind-9.11-CVE-2020-8617-test.patch b/SOURCES/bind-9.11-CVE-2020-8617-test.patch
new file mode 100644
index 0000000..1d81c73
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2020-8617-test.patch
@@ -0,0 +1,78 @@
+From eee06b7744c4999ec3c7cb0654f97a9b4c79f77f Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 25 Mar 2020 17:44:51 +1100
+Subject: [PATCH] Check that a 'BADTIME' response with 'QR=0' is handled as a
+ request
+
+(cherry picked from commit 67ba3f8f3ab2a748dff1e8a2029fde3bc84ec3f1)
+---
+ bin/tests/system/tsig/badtime  | 37 ++++++++++++++++++++++++++++++++++
+ bin/tests/system/tsig/tests.sh |  9 +++++++++
+ 2 files changed, 46 insertions(+)
+ create mode 100644 bin/tests/system/tsig/badtime
+
+diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
+new file mode 100644
+index 0000000000..7926404cfb
+--- /dev/null
++++ b/bin/tests/system/tsig/badtime
+@@ -0,0 +1,37 @@
++# Transaction ID
++1122
++# Standard query
++0000
++# Questions: 1, Additional: 1
++0001 0000 0000 0001
++# QNAME: isc.org
++03 69 73 63 03 6F 72 67 00
++# Type: A (Host Address)
++0001
++# Class: IN
++0001
++# Specially crafted TSIG Resource Record
++# Name: "sha256"
++06 73 68 61 32 35 36 00
++# Type: TSIG (Transaction Signature)
++00fa
++# Class: ANY
++00ff
++# TTL: 0
++00000000
++# RdLen: 29
++001d
++# Algorithm Name: hmac-sha256
++0b 68 6D 61 63 2D 73 68 61 32 35 36 00
++# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
++00 00 00 00 00 00
++# Fudge: 300
++012c
++# MAC Size: 0; MAC: empty
++0000
++# Original ID: 0
++0000
++# Error: BADSIG
++0010
++# Other Data Length: 0
++0000
+diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
+index cade35bc1d..284aea1056 100644
+--- a/bin/tests/system/tsig/tests.sh
++++ b/bin/tests/system/tsig/tests.sh
+@@ -233,5 +233,14 @@ if [ $ret -eq 1 ] ; then
+ 	echo "I: failed"; status=1
+ fi
+ 
++echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
++ret=0
++$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
++$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
++grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
++if [ $ret -eq 1 ] ; then
++    echo_i "failed"; status=1
++fi
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+-- 
+2.21.1
+
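Review bot: The `badtime` fixture's TSIG RR encodes error `0010` and the comment above it says `BADSIG`, while the file name, the commit subject and the new `echo_i` line all describe a `BADTIME` response; the fixture and its description should agree, so either the comment and test title should name the error actually encoded, or the commit should explain why this payload exercises the BADTIME handling. In tests.sh the `$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null` line has no `|| ret=1`, so if packet.pl fails to send at all the verification `dig` still succeeds and the check passes without having exercised the code path; append `|| ret=1` to it. The new block follows the surrounding file's unnumbered style, so the missing `($n)` counter is consistent here.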
diff --git a/SOURCES/bind-9.11-edns512-tcp-loops.patch b/SOURCES/bind-9.11-edns512-tcp-loops.patch
new file mode 100644
index 0000000..7c66164
--- /dev/null
+++ b/SOURCES/bind-9.11-edns512-tcp-loops.patch
@@ -0,0 +1,78 @@
+From b2822c93b89588bceb5213ab7c2e8c30d91e5e6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 31 Oct 2019 08:48:35 +0100
+Subject: [PATCH] Prevent query loops for misbehaving servers
+
+If a TCP connection fails while attempting to send a query to a server,
+the fetch context will be restarted without marking the target server as
+a bad one.  If this happens for a server which:
+
+  - was already marked with the DNS_FETCHOPT_EDNS512 flag,
+  - responds to EDNS queries with the UDP payload size set to 512 bytes,
+  - does not send response packets larger than 512 bytes,
+
+and the response for the query being sent is larger than 512 byes, then
+named will pointlessly alternate between sending UDP queries with EDNS
+UDP payload size set to 512 bytes (which are responded to with truncated
+answers) and TCP connections until the fetch context retry limit is
+reached.  Prevent such query loops by marking the server as bad for a
+given fetch context if the advertised EDNS UDP payload size for that
+server gets reduced to 512 bytes and it is impossible to reach it using
+TCP.
+
+(cherry picked from commit 6cd115994e0d10631172c56a7dab1ace83e946b4)
+(cherry picked from commit a6331686a8e3a5a2b0d1313de84978cd6d9ef65c)
+---
+ bin/tests/system/legacy/tests.sh | 11 +++++++++++
+ lib/dns/resolver.c               | 13 +++++++++++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/bin/tests/system/legacy/tests.sh b/bin/tests/system/legacy/tests.sh
+index c4356f2456..7c30dcbc12 100755
+--- a/bin/tests/system/legacy/tests.sh
++++ b/bin/tests/system/legacy/tests.sh
+@@ -142,6 +142,17 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++n=`expr $n + 1`
++echo_i "checking recursive lookup to edns 512 + no tcp server does not cause query loops ($n)"
++ret=0
++sent=`grep -c -F "sending packet to 10.53.0.7" ns1/named.run`
++if [ $sent -ge 10 ]; then
++	echo_i "ns1 sent $sent queries to ns7, expected less than 10"
++	ret=1
++fi
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=`expr $status + $ret`
++
+ if $SHELL ../testcrypto.sh > /dev/null 2>&1
+ then
+     $PERL $SYSTEMTESTTOP/stop.pl . ns1
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index e13d684a4a..93ba77056e 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -2744,6 +2744,19 @@ resquery_connected(isc_task_t *task, isc_event_t *event) {
+ 			 * No route to remote.
+ 			 */
+ 			isc_socket_detach(&query->tcpsocket);
++			/*
++			 * Do not query this server again in this fetch context
++			 * if we already tried reducing the advertised EDNS UDP
++			 * payload size to 512 bytes and the server is
++			 * unavailable over TCP.  This prevents query loops
++			 * lasting until the fetch context restart limit is
++			 * reached when attempting to get answers whose size
++			 * exceeds 512 bytes from broken servers.
++			 */
++			if ((query->options & DNS_FETCHOPT_EDNS512) != 0) {
++				add_bad(fctx, query->addrinfo, sevent->result,
++					badns_unreachable);
++			}
+ 			fctx_cancelquery(&query, NULL, NULL, ISC_TRUE, ISC_FALSE);
+ 			retry = ISC_TRUE;
+ 			break;
+-- 
+2.21.3
+
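Review bot: The new legacy tests.sh check only fails when `$sent -ge 10`; `sent` is a count of `sending packet to 10.53.0.7` lines in `ns1/named.run`, so if the earlier step that presumably drives queries at that server (outside this hunk) is removed or changed, `sent` is 0 and the check passes vacuously. Asserting a lower bound too, `if [ $sent -eq 0 ] || [ $sent -ge 10 ]; then`, keeps it meaningful. The literal 10 stands for the fetch-context restart limit the commit message refers to; a comment such as `# must stay below the fetch context restart limit, see lib/dns/resolver.c` would stop a later change to that limit from silently loosening the test. In resolver.c the `add_bad(...)` call is placed before `fctx_cancelquery`, consistent with the surrounding branch; the enclosing `resquery_connected` switch continues outside the hunk.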
diff --git a/SOURCES/bind-9.11.13-CVE-2020-8616.patch b/SOURCES/bind-9.11.13-CVE-2020-8616.patch
new file mode 100644
index 0000000..bf79ec4
--- /dev/null
+++ b/SOURCES/bind-9.11.13-CVE-2020-8616.patch
@@ -0,0 +1,169 @@
+From e2aed3e1885bbc6d94d8845edbd9a8dfb869eb67 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 15 May 2020 14:55:26 +0200
+Subject: [PATCH] CVE-2020-8616
+
+5395.	[security]	Further limit the number of queries that can be
+			triggered from a request.  Root and TLD servers
+			are no longer exempt from max-recursion-queries.
+			Fetches for missing name server address records
+			are limited to 4 for any domain. (CVE-2020-8616)
+			[GL #1388]
+---
+ lib/dns/adb.c             | 18 ++++++++--------
+ lib/dns/include/dns/adb.h |  4 ++++
+ lib/dns/resolver.c        | 45 ++++++++++++++++++++++++++-------------
+ 3 files changed, 43 insertions(+), 24 deletions(-)
+
+diff --git a/lib/dns/adb.c b/lib/dns/adb.c
+index 1eb00c2..ea06a95 100644
+--- a/lib/dns/adb.c
++++ b/lib/dns/adb.c
+@@ -402,14 +402,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
+  */
+ #define FIND_WANTEVENT(fn)      (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
+ #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
+-#define FIND_AVOIDFETCHES(fn)   (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
+-				 != 0)
+-#define FIND_STARTATZONE(fn)    (((fn)->options & DNS_ADBFIND_STARTATZONE) \
+-				 != 0)
+-#define FIND_HINTOK(fn)         (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
+-#define FIND_GLUEOK(fn)         (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
+-#define FIND_HAS_ADDRS(fn)      (!ISC_LIST_EMPTY((fn)->list))
+-#define FIND_RETURNLAME(fn)     (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
++#define FIND_AVOIDFETCHES(fn)	(((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
++#define FIND_STARTATZONE(fn)	(((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
++#define FIND_HINTOK(fn)		(((fn)->options & DNS_ADBFIND_HINTOK) != 0)
++#define FIND_GLUEOK(fn)		(((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
++#define FIND_HAS_ADDRS(fn)	(!ISC_LIST_EMPTY((fn)->list))
++#define FIND_RETURNLAME(fn)	(((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
++#define FIND_NOFETCH(fn)	(((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
+ 
+ /*
+  * These are currently used on simple unsigned ints, so they are
+@@ -3167,7 +3166,8 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ 	else
+ 		have_address = ISC_FALSE;
+ 	if (wanted_fetches != 0 &&
+-	    ! (FIND_AVOIDFETCHES(find) && have_address)) {
++	    ! (FIND_AVOIDFETCHES(find) && have_address) &&
++	    ! FIND_NOFETCH(find)) {
+ 		/*
+ 		 * We're missing at least one address family.  Either the
+ 		 * caller hasn't instructed us to avoid fetches, or we don't
+diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
+index bfc8e43..0efaf89 100644
+--- a/lib/dns/include/dns/adb.h
++++ b/lib/dns/include/dns/adb.h
+@@ -204,6 +204,10 @@ struct dns_adbfind {
+  *      lame for this query.
+  */
+ #define DNS_ADBFIND_OVERQUOTA		0x00000400
++/*%
++ *	Don't perform a fetch even if there are no address records available.
++ */
++#define DNS_ADBFIND_NOFETCH		0x00000800
+ 
+ /*%
+  * The answers to queries come back as a list of these.
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 9df33c7..e13d684 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -175,6 +175,14 @@
+ #define DEFAULT_MAX_QUERIES 75
+ #endif
+ 
++/*
++ * After NS_FAIL_LIMIT attempts to fetch a name server address,
++ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
++ * stop trying to fetch, in order to avoid wasting resources.
++ */
++#define NS_FAIL_LIMIT 4
++#define NS_RR_LIMIT   5
++
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+ #define RES_DOMAIN_BUCKETS	523
+@@ -3086,8 +3094,8 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
+ static void
+ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
+ 	 unsigned int options, unsigned int flags, isc_stdtime_t now,
+-	 isc_boolean_t *overquota, isc_boolean_t *need_alternate)
+-{
++	 isc_boolean_t *overquota, isc_boolean_t *need_alternate,
++	 unsigned int *no_addresses) {
+ 	dns_adbaddrinfo_t *ai;
+ 	dns_adbfind_t *find;
+ 	dns_resolver_t *res;
+@@ -3176,6 +3184,9 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
+ 			     (res->dispatches6 == NULL &&
+ 			      find->result_v4 != DNS_R_NXDOMAIN)))
+ 				*need_alternate = ISC_TRUE;
++			if (no_addresses != NULL) {
++				(*no_addresses)++;
++			}
+ 		} else {
+ 			if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
+ 				if (overquota != NULL)
+@@ -3226,6 +3237,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
+ 	dns_rdata_ns_t ns;
+ 	isc_boolean_t need_alternate = ISC_FALSE;
+ 	isc_boolean_t all_spilled = ISC_TRUE;
++	unsigned int no_addresses = 0;
+ 
+ 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3384,8 +3396,13 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
+ 		if (result != ISC_R_SUCCESS)
+ 			continue;
+ 
+-		findname(fctx, &ns.name, 0, stdoptions, 0, now,
+-			 &overquota, &need_alternate);
++		if (no_addresses > NS_FAIL_LIMIT &&
++		    dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
++		{
++			stdoptions |= DNS_ADBFIND_NOFETCH;
++		}
++		findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
++			 &need_alternate, &no_addresses);
+ 
+ 		if (!overquota)
+ 			all_spilled = ISC_FALSE;
+@@ -3409,7 +3426,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
+ 			if (!a->isaddress) {
+ 				findname(fctx, &a->_u._n.name, a->_u._n.port,
+ 					 stdoptions, FCTX_ADDRINFO_FORWARDER,
+-					 now, NULL, NULL);
++					 now, NULL, NULL, NULL);
+ 				continue;
+ 			}
+ 			if (isc_sockaddr_pf(&a->_u.addr) != family)
+@@ -3771,16 +3788,14 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
+ 		}
+ 	}
+ 
+-	if (dns_name_countlabels(&fctx->domain) > 2) {
+-		result = isc_counter_increment(fctx->qc);
+-		if (result != ISC_R_SUCCESS) {
+-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+-				      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+-				      "exceeded max queries resolving '%s'",
+-				      fctx->info);
+-			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+-			return;
+-		}
++	result = isc_counter_increment(fctx->qc);
++	if (result != ISC_R_SUCCESS) {
++		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
++			      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
++			      "exceeded max queries resolving '%s'",
++			      fctx->info);
++		fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
++		return;
+ 	}
+ 
+ 	bucketnum = fctx->bucketnum;
+-- 
+2.21.1
+
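Review bot: The comment added above `NS_FAIL_LIMIT`/`NS_RR_LIMIT` does not match the check `if (no_addresses > NS_FAIL_LIMIT && dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)`: the comparison is strict and `no_addresses` is only incremented inside `findname` after the check, so fetching stops once NS_FAIL_LIMIT + 1 name servers have yielded no address (the companion system test's cap of 10 queries, five servers times A/AAAA, agrees with that), and `dns_rdataset_count` counts NS records, not addresses. Suggested wording: `/* Once more than NS_FAIL_LIMIT name servers have yielded no address and the NS RRset holds more than NS_RR_LIMIT records, stop fetching further addresses to bound the work one referral can trigger. */`. Note also that `stdoptions |= DNS_ADBFIND_NOFETCH` is sticky for the rest of `fctx_getaddresses`; if `stdoptions` is reused by the later `findname(..., FCTX_ADDRINFO_FORWARDER, ...)` call in the 3426 hunk (its loop begins outside this hunk), that call inherits NOFETCH, and if that is unintended the flag should be ORed into a per-call copy rather than into `stdoptions`.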
diff --git a/SOURCES/bind-9.11.13-CVE-2020-8617.patch b/SOURCES/bind-9.11.13-CVE-2020-8617.patch
new file mode 100644
index 0000000..a6b83df
--- /dev/null
+++ b/SOURCES/bind-9.11.13-CVE-2020-8617.patch
@@ -0,0 +1,40 @@
+From f6ca6392adf7f5a94c804d8a8a1233d90170f490 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 15 May 2020 14:56:33 +0200
+Subject: [PATCH] CVE-2020-8617
+
+5390.	[security]	Replaying a TSIG BADTIME response as a request could
+			trigger an assertion failure. (CVE-2020-8617)
+			[GL #1703]
+---
+ lib/dns/tsig.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index c6f9d1b..aee8eb0 100644
+--- a/lib/dns/tsig.c
++++ b/lib/dns/tsig.c
+@@ -1431,8 +1431,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ 			goto cleanup_context;
+ 		}
+ 		msg->verified_sig = 1;
+-	} else if (tsig.error != dns_tsigerror_badsig &&
+-		   tsig.error != dns_tsigerror_badkey) {
++	} else if (!response || (tsig.error != dns_tsigerror_badsig &&
++				 tsig.error != dns_tsigerror_badkey))
++	{
+ 		tsig_log(msg->tsigkey, 2, "signature was empty");
+ 		return (DNS_R_TSIGVERIFYFAILURE);
+ 	}
+@@ -1488,7 +1489,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ 		}
+ 	}
+ 
+-	if (tsig.error != dns_rcode_noerror) {
++	if (response && tsig.error != dns_rcode_noerror) {
+ 		msg->tsigstatus = tsig.error;
+ 		if (tsig.error == dns_tsigerror_badtime)
+ 			ret = DNS_R_CLOCKSKEW;
+-- 
+2.21.1
+
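Review bot: Neither changed condition in `dns_tsig_verify` carries a comment explaining the new `response` distinction, which is exactly what a later maintainer will need: a request with an empty MAC is now rejected unconditionally, and a TSIG error code is only acted on (tsigstatus set, CLOCKSKEW or the error returned) for responses. Suggested comment above the first `else if`: `/* An empty signature is acceptable only in a BADSIG/BADKEY response; a request must always carry a MAC. */`, and above the second `if`: `/* The TSIG error field is only meaningful in a response; for a request, MAC verification decides. */`. The `response` flag is declared outside the hunk, presumably the function's existing is_response(msg) result; the function continues on both sides of the hunks.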
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index aec0105..9f6f81f 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -64,7 +64,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.4
-Release:  16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.3
+Release:  16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.6
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 #
@@ -163,6 +163,11 @@ Patch176: bind-9.11-rh1753259.patch
 Patch177: bind-9.11-rh1743572-2.patch
 Patch178: bind-9.11-rh1781576.patch
 Patch179: bind-9.11-disab-timer-test.patch
+Patch180: bind-9.11.13-CVE-2020-8616.patch
+Patch181: bind-9.11.13-CVE-2020-8617.patch
+Patch185: bind-9.11-CVE-2020-8616-test.patch
+Patch186: bind-9.11-CVE-2020-8617-test.patch
+Patch187: bind-9.11-edns512-tcp-loops.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -519,6 +524,11 @@ are used for building ISC DHCP.
 %patch176 -p1 -b .rh1753259
 %patch177 -p1 -b .rh1743572
 %patch178 -p1 -b .rh1781576
+%patch180 -p1 -b .CVE-2020-8616
+%patch181 -p1 -b .CVE-2020-8617
+%patch185 -p1 -b .CVE-2020-8616-test
+%patch186 -p1 -b .CVE-2020-8616-test
+%patch187 -p1 -b .edns512-loops
 
 # Override upstream builtin keys
 cp -fp %{SOURCE29} bind.keys
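Review bot: `%patch186 -p1 -b .CVE-2020-8616-test` applies the CVE-2020-8617 test patch with the 8616 backup suffix; it should read `%patch186 -p1 -b .CVE-2020-8617-test`. The mismatch is cosmetic as long as Patch185 and Patch186 touch different files (they do here: resolver/tests.sh versus tsig/tests.sh), but if both ever modify the same file the second `-b` would overwrite the first backup and make a failed `%patch` harder to diagnose. The `.edns512-loops` suffix for Patch187 also differs from the file name `bind-9.11-edns512-tcp-loops.patch`; aligning it is optional.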
@@ -1500,6 +1510,16 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
+* Wed May 27 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-16.P2.6
+- Fix EDNS512 loops on broken servers
+
+* Fri May 22 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-16.P2.5
+- Add CVE tests to codebase
+
+* Tue May 19 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-16.P2.4
+- Limit number of queries triggered by a request (CVE-2020-8616)
+- Fix invalid tsig request (CVE-2020-8617)
+
 * Wed Mar 04 2020 Miroslav Lichvar <mlichvar@redhat.com> - 32:9.11.4-16.P2.3
 - Disable atomic operations on ppc64, ppc64le, aarch64, ppc (#1779589)