diff --git a/.bind.metadata b/.bind.metadata
index c07b294..6031674 100644
--- a/.bind.metadata
+++ b/.bind.metadata
@@ -1,2 +1,2 @@
-550367762a653ac5ed0eb04b316d06517650a925 SOURCES/bind-9.11.13.tar.gz
+ff6ad0d3f9282a77786e93eb889154008ef1ccdf SOURCES/bind-9.11.20.tar.gz
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data
diff --git a/.gitignore b/.gitignore
index 8008e19..e7ad81f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/bind-9.11.13.tar.gz
+SOURCES/bind-9.11.20.tar.gz
SOURCES/random.data
diff --git a/SOURCES/bind-9.10-sdb.patch b/SOURCES/bind-9.10-sdb.patch
index 5524daa..f36e156 100644
--- a/SOURCES/bind-9.10-sdb.patch
+++ b/SOURCES/bind-9.10-sdb.patch
@@ -79,10 +79,10 @@ index 03a72d5..4c1cb6d 100644
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
-index 108b8d6..a943421 100644
+index c9fc3cc..148ebb3 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
-@@ -93,6 +93,10 @@
+@@ -97,6 +97,10 @@
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
@@ -93,7 +93,7 @@ index 108b8d6..a943421 100644
#ifdef CONTRIB_DLZ
/*
-@@ -1069,6 +1073,11 @@ setup(void) {
+@@ -1134,6 +1138,11 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result));
@@ -105,7 +105,7 @@ index 108b8d6..a943421 100644
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
ns_g_product, ns_g_version,
-@@ -1269,6 +1278,75 @@ setup(void) {
+@@ -1334,6 +1343,75 @@ setup(void) {
isc_result_totext(result));
#endif
@@ -181,7 +181,7 @@ index 108b8d6..a943421 100644
ns_server_create(ns_g_mctx, &ns_g_server);
#ifdef HAVE_LIBSECCOMP
-@@ -1311,6 +1389,11 @@ cleanup(void) {
+@@ -1376,6 +1454,11 @@ cleanup(void) {
dns_name_destroy();
@@ -288,10 +288,10 @@ index c7e0868..95ab742 100644
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/configure.ac b/configure.ac
-index eff9f05..d05ad1f 100644
+index f85f45f..7d28c52 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -5429,6 +5429,8 @@ AC_CONFIG_FILES([
+@@ -5400,6 +5400,8 @@ AC_CONFIG_FILES([
bin/named/unix/Makefile
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
@@ -300,9 +300,9 @@ index eff9f05..d05ad1f 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
-@@ -5453,6 +5455,7 @@ AC_CONFIG_FILES([
- bin/python/isc/tests/dnskey_test.py
+@@ -5424,6 +5426,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/policy_test.py
+ bin/python/isc/utils.py
bin/rndc/Makefile
+ bin/sdb_tools/Makefile
bin/tests/Makefile
diff --git a/SOURCES/bind-9.11-export-isc-config.patch b/SOURCES/bind-9.11-export-isc-config.patch
deleted file mode 100644
index fd5622c..0000000
--- a/SOURCES/bind-9.11-export-isc-config.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-diff --git a/export-libs/Makefile b/export-libs/Makefile
-index df15ea8..13f416b 100644
---- a/export-libs/Makefile
-+++ b/export-libs/Makefile
-@@ -404,20 +404,18 @@ installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
-
- install:: isc-config.sh installdirs
-- ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
-- rm -f ${DESTDIR}${bindir}/bind9-config
-- ln ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config
-- ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
-- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
-- ln ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
-- ${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
-+ ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}/isc-export-config.sh
-+ rm -f ${DESTDIR}${bindir}/bind9-export-config
-+ ln ${DESTDIR}${bindir}/isc-export-config.sh ${DESTDIR}${bindir}/bind9-export-config
-+ ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
-+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
-+ ln ${DESTDIR}${mandir}/man1/isc-export-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-export-config.1
-
- uninstall::
-- rm -f ${DESTDIR}${sysconfdir}/bind.keys
-- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
-- rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
-- rm -f ${DESTDIR}${bindir}/bind9-config
-- rm -f ${DESTDIR}${bindir}/isc-config.sh
-+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
-+ rm -f ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
-+ rm -f ${DESTDIR}${bindir}/bind9-export-config
-+ rm -f ${DESTDIR}${bindir}/isc-export-config.sh
-
- tags:
- rm -f TAGS
diff --git a/SOURCES/bind-9.11-kyua-pkcs11.patch b/SOURCES/bind-9.11-kyua-pkcs11.patch
index ac15d22..9cfa618 100644
--- a/SOURCES/bind-9.11-kyua-pkcs11.patch
+++ b/SOURCES/bind-9.11-kyua-pkcs11.patch
@@ -1,4 +1,4 @@
-From eb38d2278937ec3fe45d0af30cd080953bbb5b54 Mon Sep 17 00:00:00 2001
+From a9b5785f174cf7fd74891fa64f6b69b9a9b55466 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests
@@ -16,10 +16,10 @@ Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
6 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/configure.ac b/configure.ac
-index 0532feb..a83ddd5 100644
+index 62ecf56..0940a7d 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -5578,6 +5578,7 @@ AC_CONFIG_FILES([
+@@ -5476,6 +5476,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile
@@ -43,13 +43,13 @@ index 7c8bab0..eec9564 100644
include('isccfg/Kyuafile')
include('lwres/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
-index 7671e1d..e237d5c 100644
+index 22a06a8..5df5b15 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
- @DST_OPENSSL_INC@
+ @DST_OPENSSL_INC@ ${MAXMINDDB_CFLAGS}
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
@@ -65,10 +65,10 @@ index 7671e1d..e237d5c 100644
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
-index 4dbfd82..a383b8e 100644
+index a5bf46c..9ff2b76 100644
--- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c
-@@ -86,7 +86,8 @@ dh_computesecret(void **state) {
+@@ -88,7 +88,8 @@ dh_computesecret(void **state) {
result = dst_key_computesecret(key, key, &buf);
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
result = key->func->computesecret(key, key, &buf);
@@ -79,7 +79,7 @@ index 4dbfd82..a383b8e 100644
dst_key_free(&key);
}
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
-index 2fdee0b..a263b35 100644
+index 36d2207..00dfbc9 100644
--- a/lib/isc-pkcs11/tests/Makefile.in
+++ b/lib/isc-pkcs11/tests/Makefile.in
@@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@
@@ -97,10 +97,10 @@ index 2fdee0b..a263b35 100644
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
-index 9c4d299..d9deba2 100644
+index 4fafc38..5eb2be2 100644
--- a/lib/isc-pkcs11/tests/hash_test.c
+++ b/lib/isc-pkcs11/tests/hash_test.c
-@@ -85,7 +85,7 @@ typedef struct hash_testcase {
+@@ -84,7 +84,7 @@ typedef struct hash_testcase {
typedef struct hash_test_key {
const char *key;
@@ -109,7 +109,7 @@ index 9c4d299..d9deba2 100644
} hash_test_key_t;
/* non-hmac tests */
-@@ -956,8 +956,11 @@ isc_hmacsha1_test(void **state) {
+@@ -955,8 +955,11 @@ isc_hmacsha1_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -122,7 +122,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha1_update(&hmacsha1,
(const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1116,8 +1119,11 @@ isc_hmacsha224_test(void **state) {
+@@ -1115,8 +1118,11 @@ isc_hmacsha224_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -135,7 +135,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha224_update(&hmacsha224,
(const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1277,8 +1283,11 @@ isc_hmacsha256_test(void **state) {
+@@ -1276,8 +1282,11 @@ isc_hmacsha256_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -148,7 +148,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha256_update(&hmacsha256,
(const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1444,8 +1453,11 @@ isc_hmacsha384_test(void **state) {
+@@ -1443,8 +1452,11 @@ isc_hmacsha384_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -161,7 +161,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha384_update(&hmacsha384,
(const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1611,8 +1623,11 @@ isc_hmacsha512_test(void **state) {
+@@ -1610,8 +1622,11 @@ isc_hmacsha512_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -174,7 +174,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha512_update(&hmacsha512,
(const uint8_t *) testcase->input,
testcase->input_len);
-@@ -1755,8 +1770,11 @@ isc_hmacmd5_test(void **state) {
+@@ -1754,8 +1769,11 @@ isc_hmacmd5_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@@ -188,5 +188,5 @@ index 9c4d299..d9deba2 100644
(const uint8_t *) testcase->input,
testcase->input_len);
--
-2.20.1
+2.21.1
diff --git a/SOURCES/bind-9.11-rh1624100.patch b/SOURCES/bind-9.11-rh1624100.patch
index 5764ed7..0775820 100644
--- a/SOURCES/bind-9.11-rh1624100.patch
+++ b/SOURCES/bind-9.11-rh1624100.patch
@@ -1,4 +1,4 @@
-From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001
+From f27598743ab6e03271e26f23da4beba748d19c60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 25 Apr 2018 14:04:31 +0200
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
@@ -24,10 +24,10 @@ Fix the isc_safe_memwipe() usage with (NULL, >0)
delete mode 100644 lib/isc/safe.c
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
-index 6ddaebe..d921870 100644
+index 6dded0c..a9c5557 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
-@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
+@@ -784,7 +784,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
static int
hashlist_comp(const void *a, const void *b) {
@@ -81,7 +81,7 @@ index ad77f24..670982a 100644
/* accept_sec_context.c */
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
-index 0fd0837..8ad54bb 100644
+index 149552a..8529a86 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
@@ -91,7 +91,7 @@ index 0fd0837..8ad54bb 100644
- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
- tm.@O@ timer.@O@ version.@O@ \
+ tm.@O@ timer.@O@ utf8.@O@ version.@O@ \
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
netaddr.c netscope.c pool.c ondestroy.c \
@@ -100,7 +100,7 @@ index 0fd0837..8ad54bb 100644
- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
+ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
strtoul.c symtab.c task.c taskpool.c timer.c \
- tm.c version.c
+ tm.c utf8.c version.c
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
@@ -284,5 +284,5 @@ index 266ac75..60e9181 100644
return (cmocka_run_group_tests(tests, NULL, NULL));
--
-2.20.1
+2.26.2
diff --git a/SOURCES/bind-9.11-rt31459.patch b/SOURCES/bind-9.11-rt31459.patch
index ea25abe..266f78c 100644
--- a/SOURCES/bind-9.11-rt31459.patch
+++ b/SOURCES/bind-9.11-rt31459.patch
@@ -1,4 +1,4 @@
-From 7e61714a5d1509ec79af42391e41eb1afc53063a Mon Sep 17 00:00:00 2001
+From 5c29299e43db5a4e6f8b1b07af84dfe1687c4c2b Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 12 Sep 2017 19:05:46 -0700
Subject: [PATCH] rebased rt31459c
@@ -71,10 +71,10 @@ index 5015abb..295e16f 100644
&entropy_source,
randomfile,
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
-index 2c0c308..3e585af 100644
+index d9d6bb9..de4b15f 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
-@@ -494,14 +494,14 @@ main(int argc, char **argv) {
+@@ -498,14 +498,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@@ -92,7 +92,7 @@ index 2c0c308..3e585af 100644
isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log);
-@@ -571,8 +571,8 @@ main(int argc, char **argv) {
+@@ -574,8 +574,8 @@ main(int argc, char **argv) {
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
@@ -103,10 +103,10 @@ index 2c0c308..3e585af 100644
dns_name_destroy();
if (verbose > 10)
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
-index 0d1e7f8..79c4d74 100644
+index d65a514..04b3094 100644
--- a/bin/dnssec/dnssec-importkey.c
+++ b/bin/dnssec/dnssec-importkey.c
-@@ -407,14 +407,14 @@ main(int argc, char **argv) {
+@@ -404,14 +404,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@@ -124,7 +124,7 @@ index 0d1e7f8..79c4d74 100644
isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log);
-@@ -458,8 +458,8 @@ main(int argc, char **argv) {
+@@ -455,8 +455,8 @@ main(int argc, char **argv) {
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
@@ -167,10 +167,10 @@ index 7d82dbf..10f9359 100644
if (verbose > 10)
isc_mem_stats(mctx, stdout);
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
-index f355903..6a2ca59 100644
+index 7afcaee..1cfa511 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
-@@ -382,14 +382,14 @@ main(int argc, char **argv) {
+@@ -380,14 +380,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@@ -188,7 +188,7 @@ index f355903..6a2ca59 100644
isc_entropy_stopcallbacksources(ectx);
if (predecessor != NULL) {
-@@ -674,8 +674,8 @@ main(int argc, char **argv) {
+@@ -672,8 +672,8 @@ main(int argc, char **argv) {
if (prevkey != NULL)
dst_key_free(&prevkey);
dst_key_free(&key);
@@ -199,7 +199,7 @@ index f355903..6a2ca59 100644
if (verbose > 10)
isc_mem_stats(mctx, stdout);
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
-index c6a0313..6ddaebe 100644
+index 319a805..27ae4d4 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) {
@@ -257,7 +257,7 @@ index 4c293bf..3263cbc 100644
rdclass = strtoclass(classname);
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
-index fbc7ece..31a99e7 100644
+index 618ec5b..5654435 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -34,6 +34,7 @@
@@ -293,7 +293,7 @@ index fbc7ece..31a99e7 100644
usekeyboard);
diff --git a/bin/named/server.c b/bin/named/server.c
-index 7d85d3b..c782073 100644
+index 4e503e5..f27071f 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -36,6 +36,7 @@
@@ -304,7 +304,7 @@ index 7d85d3b..c782073 100644
#include <isc/portset.h>
#include <isc/print.h>
#include <isc/random.h>
-@@ -8211,6 +8212,10 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8217,6 +8218,10 @@ load_configuration(const char *filename, ns_server_t *server,
"no source of entropy found");
} else {
const char *randomdev = cfg_obj_asstring(obj);
@@ -315,7 +315,7 @@ index 7d85d3b..c782073 100644
int level = ISC_LOG_ERROR;
result = isc_entropy_createfilesource(ns_g_entropy,
randomdev);
-@@ -8245,6 +8250,7 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8251,6 +8256,7 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
@@ -688,7 +688,7 @@ index bf6dbb6..0416b21 100644
parse_args(false, argc, argv);
if (server == NULL)
diff --git a/configure b/configure
-index ed002e0..a578874 100755
+index 6d05371..33689c9 100755
--- a/configure
+++ b/configure
@@ -640,6 +640,7 @@ ac_includes_default="\
@@ -699,7 +699,7 @@ index ed002e0..a578874 100755
BUILD_LIBS
BUILD_LDFLAGS
BUILD_CPPFLAGS
-@@ -821,6 +822,7 @@ XMLSTATS
+@@ -823,6 +824,7 @@ LIBXML2_CFLAGS
NZDTARGETS
NZDSRCS
NZD_TOOLS
@@ -707,7 +707,7 @@ index ed002e0..a578874 100755
PKCS11_TEST
PKCS11_ED25519
PKCS11_GOST
-@@ -1045,6 +1047,7 @@ with_eddsa
+@@ -1047,6 +1049,7 @@ with_eddsa
with_aes
enable_openssl_hash
with_cc_alg
@@ -715,7 +715,7 @@ index ed002e0..a578874 100755
with_lmdb
with_libxml2
with_libjson
-@@ -1744,6 +1747,7 @@ Optional Features:
+@@ -1749,6 +1752,7 @@ Optional Features:
--enable-threads enable multithreading
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
--enable-openssl-hash use OpenSSL for hash functions [default=no]
@@ -723,7 +723,7 @@ index ed002e0..a578874 100755
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
-@@ -17115,6 +17119,7 @@ case "$use_openssl" in
+@@ -17144,6 +17148,7 @@ case "$use_openssl" in
$as_echo "disabled because of native PKCS11" >&6; }
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
@@ -731,7 +731,7 @@ index ed002e0..a578874 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -17129,6 +17134,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
+@@ -17158,6 +17163,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
$as_echo "no" >&6; }
DST_OPENSSL_INC=""
CRYPTO=""
@@ -739,7 +739,7 @@ index ed002e0..a578874 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -17141,6 +17147,7 @@ $as_echo "no" >&6; }
+@@ -17170,6 +17176,7 @@ $as_echo "no" >&6; }
auto)
DST_OPENSSL_INC=""
CRYPTO=""
@@ -747,7 +747,7 @@ index ed002e0..a578874 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -17150,7 +17157,7 @@ $as_echo "no" >&6; }
+@@ -17179,7 +17186,7 @@ $as_echo "no" >&6; }
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@@ -756,7 +756,7 @@ index ed002e0..a578874 100755
;;
*)
if test "yes" = "$want_native_pkcs11"
-@@ -17181,6 +17188,7 @@ $as_echo "not found" >&6; }
+@@ -17210,6 +17217,7 @@ $as_echo "not found" >&6; }
as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
fi
CRYPTO='-DOPENSSL'
@@ -764,7 +764,7 @@ index ed002e0..a578874 100755
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
-@@ -17806,8 +17814,6 @@ fi
+@@ -17835,8 +17843,6 @@ fi
# Use OpenSSL for hash functions
#
@@ -773,7 +773,7 @@ index ed002e0..a578874 100755
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in
yes)
-@@ -18182,6 +18188,86 @@ if test "rt" = "$have_clock_gt"; then
+@@ -18211,6 +18217,86 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
@@ -860,7 +860,7 @@ index ed002e0..a578874 100755
#
# was --with-lmdb specified?
#
-@@ -20264,9 +20350,12 @@ _ACEOF
+@@ -20441,9 +20527,12 @@ _ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
$as_echo "size_t for buflen; int for flags" >&6; }
@@ -875,7 +875,7 @@ index ed002e0..a578874 100755
$as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
-@@ -21581,12 +21670,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
+@@ -21758,12 +21847,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
@@ -889,7 +889,7 @@ index ed002e0..a578874 100755
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
# This bug is HP SR number 8606223364.
-@@ -21619,6 +21703,11 @@ cat >>confdefs.h <<_ACEOF
+@@ -21796,6 +21880,11 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
@@ -901,7 +901,7 @@ index ed002e0..a578874 100755
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
-@@ -21627,39 +21716,6 @@ _ACEOF
+@@ -21804,39 +21893,6 @@ _ACEOF
fi
;;
x86_64-*|amd64-*)
@@ -941,7 +941,7 @@ index ed002e0..a578874 100755
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
-@@ -21690,6 +21746,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
+@@ -21867,6 +21923,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
$as_echo "$arch" >&6; }
fi
@@ -952,7 +952,7 @@ index ed002e0..a578874 100755
if test "yes" = "$have_atomic"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
$as_echo_n "checking compiler support for inline assembly code... " >&6; }
-@@ -24244,6 +24304,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
+@@ -24421,6 +24481,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
#
dlzdir='${DLZ_DRIVER_DIR}'
@@ -983,7 +983,7 @@ index ed002e0..a578874 100755
#
# Private autoconf macro to simplify configuring drivers:
#
-@@ -24574,11 +24658,11 @@ $as_echo "no" >&6; }
+@@ -24751,11 +24835,11 @@ $as_echo "no" >&6; }
$as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
;;
*)
@@ -998,7 +998,7 @@ index ed002e0..a578874 100755
fi
CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
-@@ -24663,7 +24747,7 @@ $as_echo "" >&6; }
+@@ -24840,7 +24924,7 @@ $as_echo "" >&6; }
# Check other locations for includes.
# Order is important (sigh).
@@ -1007,7 +1007,7 @@ index ed002e0..a578874 100755
# include a blank element first
for d in "" $bdb_incdirs
do
-@@ -24688,57 +24772,9 @@ $as_echo "" >&6; }
+@@ -24865,57 +24949,9 @@ $as_echo "" >&6; }
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
for d in $bdb_libnames
do
@@ -1067,7 +1067,7 @@ index ed002e0..a578874 100755
break
fi
done
-@@ -24897,10 +24933,10 @@ $as_echo "no" >&6; }
+@@ -25074,10 +25110,10 @@ $as_echo "no" >&6; }
DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
fi
@@ -1081,7 +1081,7 @@ index ed002e0..a578874 100755
fi
-@@ -24986,11 +25022,11 @@ fi
+@@ -25163,11 +25199,11 @@ fi
odbcdirs="/usr /usr/local /usr/pkg"
for d in $odbcdirs
do
@@ -1095,7 +1095,7 @@ index ed002e0..a578874 100755
break
fi
done
-@@ -25265,6 +25301,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
+@@ -25442,6 +25478,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
@@ -1104,7 +1104,7 @@ index ed002e0..a578874 100755
#
# Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody
-@@ -27644,6 +27682,8 @@ report() {
+@@ -27819,6 +27857,8 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
@@ -1113,7 +1113,7 @@ index ed002e0..a578874 100755
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
-@@ -27684,6 +27724,8 @@ report() {
+@@ -27859,6 +27899,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
@@ -1122,7 +1122,7 @@ index ed002e0..a578874 100755
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
-@@ -27731,6 +27773,8 @@ report() {
+@@ -27906,6 +27948,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
@@ -1132,10 +1132,10 @@ index ed002e0..a578874 100755
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
diff --git a/configure.ac b/configure.ac
-index 45a8126..bb1345b 100644
+index d10cde5..68bead8 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1537,6 +1537,7 @@ case "$use_openssl" in
+@@ -1550,6 +1550,7 @@ case "$use_openssl" in
AC_MSG_RESULT(disabled because of native PKCS11)
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
@@ -1143,7 +1143,7 @@ index 45a8126..bb1345b 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -1550,6 +1551,7 @@ case "$use_openssl" in
+@@ -1563,6 +1564,7 @@ case "$use_openssl" in
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
CRYPTO=""
@@ -1151,7 +1151,7 @@ index 45a8126..bb1345b 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -1562,6 +1564,7 @@ case "$use_openssl" in
+@@ -1575,6 +1577,7 @@ case "$use_openssl" in
auto)
DST_OPENSSL_INC=""
CRYPTO=""
@@ -1159,7 +1159,7 @@ index 45a8126..bb1345b 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
-@@ -1572,7 +1575,7 @@ case "$use_openssl" in
+@@ -1585,7 +1588,7 @@ case "$use_openssl" in
OPENSSLLINKSRCS=""
AC_MSG_ERROR(
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@@ -1168,7 +1168,7 @@ index 45a8126..bb1345b 100644
;;
*)
if test "yes" = "$want_native_pkcs11"
-@@ -1602,6 +1605,7 @@ If you don't want OpenSSL, use --without-openssl])
+@@ -1615,6 +1618,7 @@ If you don't want OpenSSL, use --without-openssl])
AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
fi
CRYPTO='-DOPENSSL'
@@ -1176,7 +1176,7 @@ index 45a8126..bb1345b 100644
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
-@@ -2037,7 +2041,6 @@ fi
+@@ -2050,7 +2054,6 @@ fi
# Use OpenSSL for hash functions
#
@@ -1184,7 +1184,7 @@ index 45a8126..bb1345b 100644
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in
yes)
-@@ -2309,6 +2312,67 @@ if test "rt" = "$have_clock_gt"; then
+@@ -2322,6 +2325,67 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
@@ -1252,7 +1252,7 @@ index 45a8126..bb1345b 100644
#
# was --with-lmdb specified?
#
-@@ -4105,12 +4169,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
+@@ -4098,12 +4162,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
@@ -1266,7 +1266,7 @@ index 45a8126..bb1345b 100644
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
-@@ -4119,7 +4183,6 @@ if test "yes" = "$use_atomic"; then
+@@ -4112,7 +4176,6 @@ if test "yes" = "$use_atomic"; then
fi
;;
x86_64-*|amd64-*)
@@ -1274,7 +1274,7 @@ index 45a8126..bb1345b 100644
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
-@@ -5527,6 +5590,8 @@ report() {
+@@ -5518,6 +5581,8 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
@@ -1283,7 +1283,7 @@ index 45a8126..bb1345b 100644
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
-@@ -5567,6 +5632,8 @@ report() {
+@@ -5558,6 +5623,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
@@ -1292,7 +1292,7 @@ index 45a8126..bb1345b 100644
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
-@@ -5614,6 +5681,8 @@ report() {
+@@ -5605,6 +5672,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
@@ -1302,7 +1302,7 @@ index 45a8126..bb1345b 100644
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index ec6e00e..1614afa 100644
+index 65bf25d..1eccbe7 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
@@ -1440,7 +1440,7 @@ index 304814b..60543c4 100644
isc_hash_destroy();
cleanup_db:
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index d65ce26..6849732 100644
+index 13e838f..ffe0a69 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -31,6 +31,7 @@
@@ -1476,7 +1476,7 @@ index d65ce26..6849732 100644
#endif
+#endif /* !ISC_PLATFORM_CRYPTORANDOM */
- #if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void
@@ -192,7 +195,7 @@ _set_thread_id(CRYPTO_THREADID *id)
isc_result_t
@@ -1845,10 +1845,10 @@ index 0000000..bd3d164
+
+#endif
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
-index 5c45d59..34b660c 100644
+index 63be973..40b21fa 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
-@@ -1484,6 +1484,13 @@ dst_lib_destroy
+@@ -1485,6 +1485,13 @@ dst_lib_destroy
dst_lib_init
dst_lib_init2
dst_lib_initmsgcat
@@ -1863,7 +1863,7 @@ index 5c45d59..34b660c 100644
dst_region_computerid
dst_result_register
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
-index ab2f617..ed05ed6 100644
+index 907e470..451544d 100644
--- a/lib/isc/entropy.c
+++ b/lib/isc/entropy.c
@@ -104,11 +104,15 @@ struct isc_entropy {
@@ -1921,10 +1921,10 @@ index ab2f617..ed05ed6 100644
+ hook = myhook;
+}
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
-index 4bba8e1..632166a 100644
+index e8733db..c40a18c 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
-@@ -304,6 +304,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
+@@ -302,6 +302,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
* isc_entropy_createcallbacksource().
*/
@@ -1944,10 +1944,10 @@ index 4bba8e1..632166a 100644
#endif /* ISC_ENTROPY_H */
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
-index 9c7c342..ee8dc3e 100644
+index 61960f1..d22993d 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
-@@ -341,6 +341,11 @@
+@@ -359,6 +359,11 @@
*/
@ISC_PLATFORM_HAVESTRINGSH@
@@ -1960,10 +1960,10 @@ index 9c7c342..ee8dc3e 100644
* Define if the hash functions must be provided by OpenSSL.
*/
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
-index 42ff7e0..8d87c44 100644
+index da9d66f..4205400 100644
--- a/lib/isc/include/isc/types.h
+++ b/lib/isc/include/isc/types.h
-@@ -93,6 +93,8 @@ typedef struct isc_time isc_time_t; /*%< Time */
+@@ -97,6 +97,8 @@ typedef struct isc_time isc_time_t; /*%< Time */
typedef struct isc_timer isc_timer_t; /*%< Timer */
typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */
@@ -1973,7 +1973,7 @@ index 42ff7e0..8d87c44 100644
typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
-index 8e6ed93..ceb5a2c 100644
+index 68aebdc..4b85527 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
@@ -1999,10 +1999,10 @@ index 8e6ed93..ceb5a2c 100644
cleanup:
if (stream != NULL)
diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in
-index 5b8a2c9..913a2ce 100644
+index 8ade705..fa72f9d 100644
--- a/lib/isc/win32/include/isc/platform.h.in
+++ b/lib/isc/win32/include/isc/platform.h.in
-@@ -69,6 +69,11 @@
+@@ -73,6 +73,11 @@
#define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
#define ISC_PLATFORM_NORETURN_POST
@@ -2015,7 +2015,7 @@ index 5b8a2c9..913a2ce 100644
* Define if the hash functions must be provided by OpenSSL.
*/
diff --git a/win32utils/Configure b/win32utils/Configure
-index ccaf067..240fb80 100644
+index 79d682e..6c78cb2 100644
--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
@@ -2036,15 +2036,15 @@ index ccaf067..240fb80 100644
"fixed-rrset",
"intrinsics",
"isc-spnego",
-@@ -581,6 +583,7 @@ my @help = (
+@@ -580,6 +582,7 @@ my @help = (
"\nOptional Features:\n",
- " enable-intrinsics enable instrinsic/atomic functions [default=yes]\n",
+ " enable-intrinsics enable intrinsic/atomic functions [default=yes]\n",
" enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n",
+" enable-crypto-rand use crypto provider for random [default=yes]\n",
" enable-openssl-hash use OpenSSL for hash functions [default=yes]\n",
" enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n",
" enable-filter-aaaa enable filtering of AAAA records [default=yes]\n",
-@@ -630,7 +633,9 @@ my $want_clean = "no";
+@@ -628,7 +631,9 @@ my $want_clean = "no";
my $want_unknown = "no";
my $unknown_value;
my $enable_intrinsics = "yes";
@@ -2054,7 +2054,7 @@ index ccaf067..240fb80 100644
my $enable_openssl_hash = "auto";
my $enable_filter_aaaa = "yes";
my $enable_isc_spnego = "yes";
-@@ -850,6 +855,10 @@ sub myenable {
+@@ -847,6 +852,10 @@ sub myenable {
if ($val =~ /^yes$/i) {
$enable_native_pkcs11 = "yes";
}
@@ -2065,7 +2065,7 @@ index ccaf067..240fb80 100644
} elsif ($key =~ /^openssl-hash$/i) {
if ($val =~ /^yes$/i) {
$enable_openssl_hash = "yes";
-@@ -1158,6 +1167,11 @@ if ($verbose) {
+@@ -1153,6 +1162,11 @@ if ($verbose) {
} else {
print "native-pkcs11: disabled\n";
}
@@ -2077,7 +2077,7 @@ index ccaf067..240fb80 100644
if ($enable_openssl_hash eq "yes") {
print "openssl-hash: enabled\n";
} else {
-@@ -1516,6 +1530,7 @@ if ($enable_intrinsics eq "yes") {
+@@ -1510,6 +1524,7 @@ if ($enable_intrinsics eq "yes") {
# enable-native-pkcs11
if ($enable_native_pkcs11 eq "yes") {
@@ -2085,7 +2085,7 @@ index ccaf067..240fb80 100644
if ($use_openssl eq "auto") {
$use_openssl = "no";
}
-@@ -1725,6 +1740,7 @@ if ($use_openssl eq "yes") {
+@@ -1719,6 +1734,7 @@ if ($use_openssl eq "yes") {
$openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
}
@@ -2093,7 +2093,7 @@ index ccaf067..240fb80 100644
$configcond{"OPENSSL"} = 1;
$configdefd{"CRYPTO"} = "OPENSSL";
$configvar{"OPENSSL_PATH"} = "$openssl_path";
-@@ -2296,6 +2312,15 @@ if ($use_aes eq "yes") {
+@@ -2290,6 +2306,15 @@ if ($use_aes eq "yes") {
}
@@ -2109,7 +2109,7 @@ index ccaf067..240fb80 100644
# enable-openssl-hash
if ($enable_openssl_hash eq "yes") {
if ($use_openssl eq "no") {
-@@ -3671,6 +3696,7 @@ exit 0;
+@@ -3665,6 +3690,7 @@ exit 0;
# --enable-developer partially supported
# --enable-newstats (9.9/9.9sub only)
# --enable-native-pkcs11 supported
@@ -2118,5 +2118,5 @@ index ccaf067..240fb80 100644
# --enable-openssl-hash supported
# --enable-threads included without a way to disable it
--
-2.20.1
+2.21.1
diff --git a/SOURCES/bind-9.11-rt46047.patch b/SOURCES/bind-9.11-rt46047.patch
index 8f413f6..ee9bae8 100644
--- a/SOURCES/bind-9.11-rt46047.patch
+++ b/SOURCES/bind-9.11-rt46047.patch
@@ -1,4 +1,4 @@
-From 5a465424f5249ceaf0547ab90361a16eb08f7a2b Mon Sep 17 00:00:00 2001
+From 344c19ad4b3f058e65a4b41650bb0ee20692cc5c Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 28 Sep 2017 10:09:22 -0700
Subject: [PATCH] completed and corrected the crypto-random change
@@ -39,15 +39,15 @@ Subject: [PATCH] completed and corrected the crypto-random change
bin/tests/system/tkey/keycreate.c | 4 +-
bin/tests/system/tkey/keydelete.c | 5 +--
doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++-------
- doc/arm/notes-rh-changes.xml | 43 ++++++++++++++++++
+ doc/arm/notes-rh-changes.xml | 42 ++++++++++++++++++
doc/arm/notes.xml | 1 +
lib/dns/dst_api.c | 4 +-
lib/dns/include/dst/dst.h | 14 +++++-
lib/dns/openssl_link.c | 3 +-
- lib/isc/include/isc/entropy.h | 50 +++++++++++++++------
+ lib/isc/include/isc/entropy.h | 48 +++++++++++++++------
lib/isc/include/isc/random.h | 28 +++++++-----
lib/isccfg/namedconf.c | 2 +-
- 23 files changed, 241 insertions(+), 106 deletions(-)
+ 23 files changed, 240 insertions(+), 104 deletions(-)
create mode 100644 doc/arm/notes-rh-changes.xml
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
@@ -78,10 +78,10 @@ index 295e16f..0f79aa8 100644
&entropy_source,
randomfile,
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
-index 0ae6b41..4562430 100644
+index 1826919..96543fc 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
-@@ -348,15 +348,23 @@
+@@ -349,15 +349,23 @@
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
@@ -114,7 +114,7 @@ index 0ae6b41..4562430 100644
</listitem>
</varlistentry>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
-index 31a99e7..38c83ed 100644
+index 5654435..24c0d5a 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
@@ -142,10 +142,10 @@ index 31a99e7..38c83ed 100644
usekeyboard);
diff --git a/bin/named/client.c b/bin/named/client.c
-index 50fa2cd..524d9a3 100644
+index 9a0d3c8..c573177 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
-@@ -1762,7 +1762,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+@@ -1765,7 +1765,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
isc_buffer_init(&buf, cookie, sizeof(cookie));
isc_stdtime_get(&now);
@@ -223,7 +223,7 @@ index d955c2f..40621f2 100644
} else
eresult = ns_control_docommand(request, listener->readonly, &text);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
-index 7ee8f66..8982d26 100644
+index 3f96b7b..c92922e 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -20,6 +20,7 @@
@@ -255,7 +255,7 @@ index 9dea7c1..272d300 100644
#include <isc/task.h>
#include <isc/util.h>
diff --git a/bin/named/query.c b/bin/named/query.c
-index c9e5469..0940714 100644
+index 203f1e6..25eeced 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -19,6 +19,7 @@
@@ -267,10 +267,10 @@ index c9e5469..0940714 100644
#include <isc/serial.h>
#include <isc/stats.h>
diff --git a/bin/named/server.c b/bin/named/server.c
-index 36fc047..3c1eec0 100644
+index f27071f..f132c19 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
-@@ -8208,21 +8208,32 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8210,21 +8210,32 @@ load_configuration(const char *filename, ns_server_t *server,
* Open the source of entropy.
*/
if (first_time) {
@@ -312,7 +312,7 @@ index 36fc047..3c1eec0 100644
#ifdef PATH_RANDOMDEV
if (ns_g_fallbackentropy != NULL) {
level = ISC_LOG_INFO;
-@@ -8233,8 +8244,8 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8235,8 +8246,8 @@ load_configuration(const char *filename, ns_server_t *server,
NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER,
level,
@@ -323,7 +323,7 @@ index 36fc047..3c1eec0 100644
randomdev,
isc_result_totext(result));
}
-@@ -8254,7 +8265,6 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8256,7 +8267,6 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
@@ -331,7 +331,7 @@ index 36fc047..3c1eec0 100644
#endif
}
-@@ -9022,6 +9032,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
+@@ -9025,6 +9035,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
server->in_roothints = NULL;
server->blackholeacl = NULL;
server->keepresporder = NULL;
@@ -339,7 +339,7 @@ index 36fc047..3c1eec0 100644
/* Must be first. */
CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
-@@ -9048,6 +9059,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
+@@ -9051,6 +9062,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
&server->tkeyctx),
"creating TKEY context");
@@ -349,7 +349,7 @@ index 36fc047..3c1eec0 100644
/*
* Setup the server task, which is responsible for coordinating
-@@ -9254,7 +9268,8 @@ ns_server_destroy(ns_server_t **serverp) {
+@@ -9257,7 +9271,8 @@ ns_server_destroy(ns_server_t **serverp) {
if (server->zonemgr != NULL)
dns_zonemgr_detach(&server->zonemgr);
@@ -359,7 +359,7 @@ index 36fc047..3c1eec0 100644
if (server->tkeyctx != NULL)
dns_tkeyctx_destroy(&server->tkeyctx);
-@@ -13230,10 +13245,10 @@ newzone_cfgctx_destroy(void **cfgp) {
+@@ -13263,10 +13278,10 @@ newzone_cfgctx_destroy(void **cfgp) {
static isc_result_t
generate_salt(unsigned char *salt, size_t saltlen) {
@@ -372,7 +372,7 @@ index 36fc047..3c1eec0 100644
} rnd;
unsigned char text[512 + 1];
isc_region_t r;
-@@ -13243,9 +13258,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
+@@ -13276,9 +13291,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
if (saltlen > 256U)
return (ISC_R_RANGE);
@@ -455,10 +455,10 @@ index 2146f9b..64b8e74 100644
}
#endif
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
-index 33e06e6..539973c 100644
+index 93c7a08..bb1e81d 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
-@@ -5076,22 +5076,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
+@@ -5081,22 +5081,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<term><command>random-device</command></term>
<listitem>
<para>
@@ -522,11 +522,10 @@ index 33e06e6..539973c 100644
</varlistentry>
diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
new file mode 100644
-index 0000000..11c3a7c
+index 0000000..89a4961
--- /dev/null
+++ b/doc/arm/notes-rh-changes.xml
-@@ -0,0 +1,43 @@
-+
+@@ -0,0 +1,42 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
@@ -570,10 +569,10 @@ index 0000000..11c3a7c
+</section>
+
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
-index b16dab6..763ff7e 100644
+index 589a347..052a0bd 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
-@@ -36,6 +36,7 @@
+@@ -40,6 +40,7 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.1.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.0.xml"/>
@@ -582,7 +581,7 @@ index b16dab6..763ff7e 100644
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
</section>
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index 1614afa..0f52df9 100644
+index 1eccbe7..1933993 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
@@ -625,7 +624,7 @@ index 6813c96..665574d 100644
bool
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index 6849732..e00a0e4 100644
+index ffe0a69..5e48686 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) {
@@ -639,19 +638,10 @@ index 6849732..e00a0e4 100644
#ifndef DONT_REQUIRE_DST_LIB_INIT
INSIST(dst__memory_pool != NULL);
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
-index 632166a..c7cb17d 100644
+index c40a18c..c7cb17d 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
-@@ -9,8 +9,6 @@
- * information regarding copyright ownership.
- */
-
--/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
--
- #ifndef ISC_ENTROPY_H
- #define ISC_ENTROPY_H 1
-
-@@ -191,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
+@@ -189,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
/*!<
* \brief Create an entropy source that is polled via a callback.
*
@@ -663,18 +653,23 @@ index 632166a..c7cb17d 100644
*
* Samples are added via isc_entropy_addcallbacksample(), below.
* _addcallbacksample() is the only function which may be called from
-@@ -234,15 +231,32 @@ isc_result_t
+@@ -232,15 +231,32 @@ isc_result_t
isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*!<
- * \brief Extract data from the entropy pool. This may load the pool from various
- * sources.
+ * \brief Get random data from entropy pool 'ent'.
-+ *
+ *
+- * Do this by stirring the pool and returning a part of hash as randomness.
+- * Note that no secrets are given away here since parts of the hash are
+- * xored together before returned.
+ * If a hook has been set up using isc_entropy_sethook() and
+ * isc_entropy_usehook(), then the hook function will be called to get
+ * random data.
-+ *
+ *
+- * Honor the request from the caller to only return good data, any data,
+- * etc.
+ * Otherwise, randomness is extracted from the entropy pool set up in BIND.
+ * This may cause the pool to be loaded from various sources. Ths is done
+ * by stirring the pool and returning a part of hash as randomness.
@@ -685,17 +680,12 @@ index 632166a..c7cb17d 100644
+ * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is
+ * not in use. If it is, the flags will be passed to the hook function
+ * but it may ignore them.
- *
-- * Do this by stiring the pool and returning a part of hash as randomness.
-- * Note that no secrets are given away here since parts of the hash are
-- * xored together before returned.
++ *
+ * Up to 'length' bytes of randomness are retrieved and copied into 'data'.
+ * (If 'returned' is not NULL, and the number of bytes copied is less than
+ * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the
+ * number of bytes copied will be stored in *returned.)
- *
-- * Honor the request from the caller to only return good data, any data,
-- * etc.
++ *
+ * Returns:
+ * \li ISC_R_SUCCESS on success
+ * \li ISC_R_NOENTROPY if entropy pool is empty
@@ -703,7 +693,7 @@ index 632166a..c7cb17d 100644
*/
void
-@@ -307,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
+@@ -305,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
void
isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
/*!<
@@ -782,7 +772,7 @@ index f8aed34..17c551b 100644
ISC_LANG_ENDDECLS
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
-index 03890a3..7bad989 100644
+index 1c45d5c..91693b5 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1109,7 +1109,7 @@ options_clauses[] = {
@@ -795,5 +785,5 @@ index 03890a3..7bad989 100644
{ "recursive-clients", &cfg_type_uint32, 0 },
{ "reserved-sockets", &cfg_type_uint32, 0 },
--
-2.20.1
+2.21.1
diff --git a/SOURCES/bind-9.11-serve-stale.patch b/SOURCES/bind-9.11-serve-stale.patch
index 350fe62..724a57b 100644
--- a/SOURCES/bind-9.11-serve-stale.patch
+++ b/SOURCES/bind-9.11-serve-stale.patch
@@ -1,4 +1,4 @@
-From 2bdcb7159b1ac097355e95864e979b4f68bc1a4e Mon Sep 17 00:00:00 2001
+From 521fc8dcc0ac064ae8bc521418f5b03f0ceec657 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 7 Nov 2019 14:31:03 +0100
Subject: [PATCH] Implement serve-stale in 9.11
@@ -257,13 +257,13 @@ Signed-off-by: Petr Menšík <pemensik@redhat.com>
lib/dns/master.c | 14 +-
lib/dns/masterdump.c | 23 +
lib/dns/rbtdb.c | 207 ++++++-
- lib/dns/resolver.c | 78 ++-
+ lib/dns/resolver.c | 79 ++-
lib/dns/sdb.c | 4 +-
lib/dns/sdlz.c | 4 +-
lib/dns/tests/db_test.c | 198 ++++++-
lib/dns/view.c | 3 +
lib/isccfg/namedconf.c | 5 +
- 48 files changed, 2121 insertions(+), 102 deletions(-)
+ 48 files changed, 2122 insertions(+), 102 deletions(-)
create mode 100644 bin/tests/system/serve-stale/.gitignore
create mode 100644 bin/tests/system/serve-stale/ans2/ans.pl.in
create mode 100644 bin/tests/system/serve-stale/clean.sh
@@ -389,22 +389,22 @@ index 9661f56..445b578 100644
bool root_key_sentinel_is_ta;
bool root_key_sentinel_not_ta;
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
-index 8982d26..919ac28 100644
+index c92922e..588bf2d 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
-@@ -224,7 +224,10 @@ enum {
+@@ -226,7 +226,10 @@ enum {
- dns_nsstatscounter_tcphighwater = 57,
+ dns_nsstatscounter_reclimitdropped = 58,
-- dns_nsstatscounter_max = 58
-+ dns_nsstatscounter_trystale = 58,
-+ dns_nsstatscounter_usedstale = 59,
+- dns_nsstatscounter_max = 59
++ dns_nsstatscounter_trystale = 59,
++ dns_nsstatscounter_usedstale = 60,
+
-+ dns_nsstatscounter_max = 60
++ dns_nsstatscounter_max = 61
};
/*%
-@@ -763,4 +766,12 @@ ns_server_mkeys(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
+@@ -765,4 +768,12 @@ ns_server_mkeys(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
isc_result_t
ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
@@ -430,7 +430,7 @@ index 3aa25e9..12f178b 100644
};
diff --git a/bin/named/query.c b/bin/named/query.c
-index 0940714..882d69c 100644
+index 25eeced..162e4ea 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -125,10 +125,14 @@
@@ -733,10 +733,10 @@ index 0940714..882d69c 100644
(!PARTIALANSWER(client) || WANTRECURSION(client)
|| eresult == DNS_R_DROP)) {
diff --git a/bin/named/server.c b/bin/named/server.c
-index 0c1f08b..d195bca 100644
+index 1f23cf0..1fa836f 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
-@@ -1722,7 +1722,8 @@ static bool
+@@ -1720,7 +1720,8 @@ static bool
cache_sharable(dns_view_t *originview, dns_view_t *view,
bool new_zero_no_soattl,
unsigned int new_cleaning_interval,
@@ -746,7 +746,7 @@ index 0c1f08b..d195bca 100644
{
/*
* If the cache cannot even reused for the same view, it cannot be
-@@ -1737,6 +1738,7 @@ cache_sharable(dns_view_t *originview, dns_view_t *view,
+@@ -1735,6 +1736,7 @@ cache_sharable(dns_view_t *originview, dns_view_t *view,
*/
if (dns_cache_getcleaninginterval(originview->cache) !=
new_cleaning_interval ||
@@ -754,7 +754,7 @@ index 0c1f08b..d195bca 100644
dns_cache_getcachesize(originview->cache) != new_max_cache_size) {
return (false);
}
-@@ -3292,6 +3294,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+@@ -3290,6 +3292,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
size_t max_acache_size;
size_t max_adb_size;
uint32_t lame_ttl, fail_ttl;
@@ -762,7 +762,7 @@ index 0c1f08b..d195bca 100644
dns_tsig_keyring_t *ring = NULL;
dns_view_t *pview = NULL; /* Production view */
isc_mem_t *cmctx = NULL, *hmctx = NULL;
-@@ -3320,6 +3323,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+@@ -3318,6 +3321,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
bool old_rpz_ok = false;
isc_dscp_t dscp4 = -1, dscp6 = -1;
dns_dyndbctx_t *dctx = NULL;
@@ -770,7 +770,7 @@ index 0c1f08b..d195bca 100644
REQUIRE(DNS_VIEW_VALID(view));
-@@ -3734,6 +3738,24 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+@@ -3732,6 +3736,24 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
if (view->maxncachettl > 7 * 24 * 3600)
view->maxncachettl = 7 * 24 * 3600;
@@ -795,7 +795,7 @@ index 0c1f08b..d195bca 100644
/*
* Configure the view's cache.
*
-@@ -3767,7 +3789,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+@@ -3765,7 +3787,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
nsc = cachelist_find(cachelist, cachename, view->rdclass);
if (nsc != NULL) {
if (!cache_sharable(nsc->primaryview, view, zero_no_soattl,
@@ -805,7 +805,7 @@ index 0c1f08b..d195bca 100644
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"views %s and %s can't share the cache "
-@@ -3866,9 +3889,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+@@ -3864,9 +3887,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
dns_cache_setcleaninginterval(cache, cleaning_interval);
dns_cache_setcachesize(cache, max_cache_size);
@@ -821,7 +821,7 @@ index 0c1f08b..d195bca 100644
/*
* Resolver.
*
-@@ -4057,6 +4086,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+@@ -4055,6 +4084,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
maxbits = 4096;
view->maxbits = maxbits;
@@ -843,7 +843,7 @@ index 0c1f08b..d195bca 100644
/*
* Set supported DNSSEC algorithms.
*/
-@@ -14423,3 +14467,132 @@ ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
+@@ -14456,3 +14500,132 @@ ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
return (ISC_R_NOTIMPLEMENTED);
#endif
}
@@ -977,13 +977,13 @@ index 0c1f08b..d195bca 100644
+ return (result);
+}
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
-index 4cdf7d6..5b413e7 100644
+index 4b8d972..8c68737 100644
--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
-@@ -297,6 +297,12 @@ init_desc(void) {
- "QryNXRedirRLookup");
- SET_NSSTATDESC(badcookie, "sent badcookie response", "QryBADCOOKIE");
- SET_NSSTATDESC(keytagopt, "Keytag option received", "KeyTagOpt");
+@@ -300,6 +300,12 @@ init_desc(void) {
+ SET_NSSTATDESC(reclimitdropped,
+ "queries dropped due to recursive client limit",
+ "RecLimitDropped");
+ SET_NSSTATDESC(trystale,
+ "attempts to use stale cache data after lookup failure",
+ "QryTryStale");
@@ -1007,10 +1007,10 @@ index 8083654..d519983 100644
Print a zone's configuration.\n\
sign zone [class [view]]\n\
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
-index 06b073a..6ae8e5d 100644
+index e14a17e..eaf32d3 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
-@@ -688,6 +688,25 @@
+@@ -689,6 +689,25 @@
</listitem>
</varlistentry>
@@ -1052,10 +1052,10 @@ index f3f1939..9ff3f07 100644
+ exit 1
+fi
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
-index f781966..d20a830 100644
+index 22749b9..a247fd5 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
-@@ -125,7 +125,7 @@ PARALLELDIRS="dnssec rpzrecurse \
+@@ -128,7 +128,7 @@ PARALLELDIRS="dnssec rpzrecurse \
reclimit redirect resolver rndc rootkeysentinel rpz \
rrchecker rrl rrsetorder rsabigexponent runtime \
sfcache smartsign sortlist \
@@ -2039,10 +2039,10 @@ index 0000000..201c996
+echo "I:exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
-index 539973c..8528649 100644
+index bb1e81d..6dbbfad 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
-@@ -4376,6 +4376,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
+@@ -4381,6 +4381,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
statement in the <filename>named.conf</filename> file:
</para>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="options.grammar.xml"/>
@@ -2052,7 +2052,7 @@ index 539973c..8528649 100644
</section>
<section xml:id="options"><info><title><command>options</command> Statement Definition and
-@@ -4469,6 +4472,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
+@@ -4474,6 +4477,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<command>dnssec-validation</command>,
<command>max-cache-ttl</command>,
<command>max-ncache-ttl</command>,
@@ -2060,7 +2060,7 @@ index 539973c..8528649 100644
<command>max-cache-size</command>, and
<command>zero-no-soa-ttl</command>.
</para>
-@@ -5480,7 +5484,6 @@ options {
+@@ -5485,7 +5489,6 @@ options {
</listitem>
</varlistentry>
@@ -2068,7 +2068,7 @@ index 539973c..8528649 100644
<varlistentry>
<term><command>max-zone-ttl</command></term>
<listitem>
-@@ -5516,6 +5519,21 @@ options {
+@@ -5521,6 +5524,21 @@ options {
</listitem>
</varlistentry>
@@ -2090,7 +2090,7 @@ index 539973c..8528649 100644
<varlistentry>
<term><command>serial-update-method</command></term>
<listitem>
-@@ -6275,6 +6293,22 @@ options {
+@@ -6280,6 +6298,22 @@ options {
</listitem>
</varlistentry>
@@ -2113,7 +2113,7 @@ index 539973c..8528649 100644
<varlistentry>
<term><command>nocookie-udp-size</command></term>
<listitem>
-@@ -7483,14 +7517,20 @@ options {
+@@ -7501,14 +7535,20 @@ options {
<term><command>resolver-query-timeout</command></term>
<listitem>
<para>
@@ -2137,7 +2137,7 @@ index 539973c..8528649 100644
</listitem>
</varlistentry>
</variablelist>
-@@ -8976,6 +9016,27 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
+@@ -8994,6 +9034,27 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</listitem>
</varlistentry>
@@ -2188,10 +2188,10 @@ index 181def7..59f6afb 100644
<entry colname="1">
<para><command>spill</command></para>
diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
-index 11c3a7c..ba3c2cc 100644
+index 89a4961..80b7dee 100644
--- a/doc/arm/notes-rh-changes.xml
+++ b/doc/arm/notes-rh-changes.xml
-@@ -13,6 +13,9 @@
+@@ -12,6 +12,9 @@
<section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes</title></info>
<itemizedlist>
<listitem>
@@ -2201,7 +2201,7 @@ index 11c3a7c..ba3c2cc 100644
<para>
By default, BIND now uses the random number generation functions
in the cryptographic library (i.e., OpenSSL or a PKCS#11
-@@ -37,7 +40,16 @@
+@@ -36,7 +39,16 @@
case <filename>/dev/random</filename> will be the default
entropy source. [RT #31459] [RT #46047]
</para>
@@ -2278,7 +2278,7 @@ index e11beed..fde93c7 100644
topology { <address_match_element>; ... }; // not implemented
transfer-format ( many-answers | one-answer );
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
-index 5c057a4..7b82618 100644
+index eaac5ba..a89d78f 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -99,7 +99,8 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
@@ -2379,7 +2379,7 @@ index 5c057a4..7b82618 100644
}
}
}
-@@ -1267,7 +1276,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+@@ -1271,7 +1280,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"auto-dnssec may only be activated at the "
"zone level");
@@ -2389,7 +2389,7 @@ index 5c057a4..7b82618 100644
}
}
-@@ -1287,7 +1297,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+@@ -1291,7 +1301,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
{
obj = cfg_listelt_value(element);
tresult = mustbesecure(obj, symtab, logctx, mctx);
@@ -2398,7 +2398,7 @@ index 5c057a4..7b82618 100644
result = tresult;
}
if (symtab != NULL)
-@@ -1306,7 +1316,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+@@ -1310,7 +1320,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"%s: invalid name '%s'",
server_contact[i], str);
@@ -2408,7 +2408,7 @@ index 5c057a4..7b82618 100644
}
}
}
-@@ -1326,7 +1337,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+@@ -1330,7 +1341,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"disable-empty-zone: invalid name '%s'",
str);
@@ -2418,7 +2418,7 @@ index 5c057a4..7b82618 100644
}
}
-@@ -1340,11 +1352,12 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+@@ -1344,11 +1356,12 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
strlen(cfg_obj_asstring(obj)) > 1024U) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'server-id' too big (>1024 bytes)");
@@ -2433,7 +2433,7 @@ index 5c057a4..7b82618 100644
result = tresult;
obj = NULL;
-@@ -1354,11 +1367,13 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+@@ -1358,11 +1371,13 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
if (lifetime > 604800) { /* 7 days */
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'nta-lifetime' cannot exceed one week");
@@ -2449,7 +2449,7 @@ index 5c057a4..7b82618 100644
}
}
-@@ -1369,7 +1384,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+@@ -1373,7 +1388,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
if (recheck > 604800) { /* 7 days */
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'nta-recheck' cannot exceed one week");
@@ -2459,7 +2459,7 @@ index 5c057a4..7b82618 100644
}
if (recheck > lifetime)
-@@ -1387,7 +1403,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+@@ -1391,7 +1407,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
if (strcasecmp(ccalg, "aes") == 0) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"cookie-algorithm: '%s' not supported", ccalg);
@@ -2469,7 +2469,7 @@ index 5c057a4..7b82618 100644
}
#endif
-@@ -1476,7 +1493,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+@@ -1480,7 +1497,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"%s out of range (%u < %u)",
fstrm[i].name, value, fstrm[i].min);
@@ -2479,7 +2479,7 @@ index 5c057a4..7b82618 100644
}
if (strcmp(fstrm[i].name, "fstrm-set-input-queue-size") == 0) {
-@@ -1490,7 +1508,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+@@ -1494,7 +1512,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
"%s '%u' not a power-of-2",
fstrm[i].name,
cfg_obj_asuint32(obj));
@@ -2489,7 +2489,7 @@ index 5c057a4..7b82618 100644
}
}
}
-@@ -1508,7 +1527,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+@@ -1512,7 +1531,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
"%" PRId64 "' "
"is too small",
mapsize);
@@ -2499,7 +2499,7 @@ index 5c057a4..7b82618 100644
} else if (mapsize > (1ULL << 40)) { /* 1 terabyte */
cfg_obj_log(obj, logctx,
ISC_LOG_ERROR,
-@@ -1516,10 +1536,20 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+@@ -1520,10 +1540,20 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
"%" PRId64 "' "
"is too large",
mapsize);
@@ -2669,10 +2669,10 @@ index 62797db..714b78e 100644
dns_cache_flush(dns_cache_t *cache);
/*%<
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
-index ae6ae36..5079053 100644
+index 6f0eed0..e3917f2 100644
--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
-@@ -197,6 +197,8 @@ typedef struct dns_dbmethods {
+@@ -195,6 +195,8 @@ typedef struct dns_dbmethods {
dns_name_t *name);
isc_result_t (*getsize)(dns_db_t *db, dns_dbversion_t *version,
uint64_t *records, uint64_t *bytes);
@@ -2681,7 +2681,7 @@ index ae6ae36..5079053 100644
} dns_dbmethods_t;
typedef isc_result_t
-@@ -255,6 +257,7 @@ struct dns_dbonupdatelistener {
+@@ -253,6 +255,7 @@ struct dns_dbonupdatelistener {
#define DNS_DBFIND_FORCENSEC3 0x0080
#define DNS_DBFIND_ADDITIONALOK 0x0100
#define DNS_DBFIND_NOZONECUT 0x0200
@@ -2689,7 +2689,7 @@ index ae6ae36..5079053 100644
/*@}*/
/*@{*/
-@@ -1685,6 +1688,38 @@ dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name);
+@@ -1683,6 +1686,38 @@ dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name);
* \li 'db' is a valid database
* \li 'node' and 'name' are not NULL
*/
@@ -2783,7 +2783,7 @@ index 5295d8e..97071ed 100644
/*%
* _OMITDNSSEC:
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
-index 6da41b7..7b397cb 100644
+index 0b66c75..4b4b6bd 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -547,9 +547,12 @@ dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name);
@@ -2883,7 +2883,7 @@ index c849dec..647ca2a 100644
#define DNS_VIEW_MAGIC ISC_MAGIC('V','i','e','w')
diff --git a/lib/dns/master.c b/lib/dns/master.c
-index 2a87bca..ac4bb19 100644
+index 8edd732..8c9f00e 100644
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -1948,12 +1948,18 @@ load_text(dns_loadctx_t *lctx) {
@@ -2979,10 +2979,10 @@ index 13d1a3e..873b694 100644
RUNTIME_CHECK(result == ISC_R_SUCCESS);
isc_buffer_usedregion(&buffer, &r);
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
-index 738aa20..5055fcb 100644
+index 02f2c84..fda991d 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
-@@ -488,6 +488,7 @@ typedef ISC_LIST(rdatasetheader_t) rdatasetheaderlist_t;
+@@ -490,6 +490,7 @@ typedef ISC_LIST(rdatasetheader_t) rdatasetheaderlist_t;
typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t;
#define RDATASET_ATTR_NONEXISTENT 0x0001
@@ -2990,7 +2990,7 @@ index 738aa20..5055fcb 100644
#define RDATASET_ATTR_STALE 0x0002
#define RDATASET_ATTR_IGNORE 0x0004
#define RDATASET_ATTR_RETAIN 0x0008
-@@ -500,6 +501,8 @@ typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t;
+@@ -502,6 +503,8 @@ typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t;
#define RDATASET_ATTR_CASESET 0x0400
#define RDATASET_ATTR_ZEROTTL 0x0800
#define RDATASET_ATTR_CASEFULLYLOWER 0x1000
@@ -2999,7 +2999,7 @@ index 738aa20..5055fcb 100644
typedef struct acache_cbarg {
dns_rdatasetadditional_t type;
-@@ -550,6 +553,8 @@ struct acachectl {
+@@ -552,6 +555,8 @@ struct acachectl {
(((header)->attributes & RDATASET_ATTR_ZEROTTL) != 0)
#define CASEFULLYLOWER(header) \
(((header)->attributes & RDATASET_ATTR_CASEFULLYLOWER) != 0)
@@ -3008,7 +3008,7 @@ index 738aa20..5055fcb 100644
#define ACTIVE(header, now) \
-@@ -609,6 +614,12 @@ typedef enum {
+@@ -611,6 +616,12 @@ typedef enum {
expire_flush
} expire_t;
@@ -3021,7 +3021,7 @@ index 738aa20..5055fcb 100644
typedef struct rbtdb_version {
/* Not locked */
rbtdb_serial_t serial;
-@@ -676,6 +687,12 @@ struct dns_rbtdb {
+@@ -678,6 +689,12 @@ struct dns_rbtdb {
dns_dbnode_t *soanode;
dns_dbnode_t *nsnode;
@@ -3034,7 +3034,7 @@ index 738aa20..5055fcb 100644
/*
* This is a linked list used to implement the LRU cache. There will
* be node_lock_count linked lists here. Nodes in bucket 1 will be
-@@ -719,6 +736,8 @@ struct dns_rbtdb {
+@@ -721,6 +738,8 @@ struct dns_rbtdb {
#define RBTDB_ATTR_LOADED 0x01
#define RBTDB_ATTR_LOADING 0x02
@@ -3043,7 +3043,7 @@ index 738aa20..5055fcb 100644
/*%
* Search Context
*/
-@@ -1784,15 +1803,15 @@ rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) {
+@@ -1791,15 +1810,15 @@ rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) {
}
static inline void
@@ -3063,7 +3063,7 @@ index 738aa20..5055fcb 100644
header->node->dirty = 1;
/*
-@@ -1833,8 +1852,8 @@ clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+@@ -1840,8 +1859,8 @@ clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
/*
* If current is nonexistent or stale, we can clean it up.
*/
@@ -3074,7 +3074,7 @@ index 738aa20..5055fcb 100644
if (top_prev != NULL)
top_prev->next = current->next;
else
-@@ -2076,6 +2095,80 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+@@ -2086,6 +2105,80 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
}
}
@@ -3155,7 +3155,7 @@ index 738aa20..5055fcb 100644
/*
* Caller must be holding the node lock.
*/
-@@ -3308,6 +3401,12 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+@@ -3313,6 +3406,12 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
rdataset->attributes |= DNS_RDATASETATTR_OPTOUT;
if (PREFETCH(header))
rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;
@@ -3168,7 +3168,7 @@ index 738aa20..5055fcb 100644
rdataset->private1 = rbtdb;
rdataset->private2 = node;
raw = (unsigned char *)header + sizeof(*header);
-@@ -4648,6 +4747,19 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
+@@ -4653,6 +4752,19 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
#endif
if (!ACTIVE(header, search->now)) {
@@ -3188,7 +3188,7 @@ index 738aa20..5055fcb 100644
/*
* This rdataset is stale. If no one else is using the
* node, we can clean it up right now, otherwise we mark
-@@ -4687,7 +4799,7 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
+@@ -4692,7 +4804,7 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
node->data = header->next;
free_rdataset(search->rbtdb, mctx, header);
} else {
@@ -3197,7 +3197,7 @@ index 738aa20..5055fcb 100644
*header_prev = header;
}
} else
-@@ -5125,7 +5237,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+@@ -5130,7 +5242,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
&locktype, lock, &search,
&header_prev)) {
/* Do nothing. */
@@ -3206,7 +3206,7 @@ index 738aa20..5055fcb 100644
/*
* We now know that there is at least one active
* non-stale rdataset at this node.
-@@ -5603,7 +5715,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+@@ -5608,7 +5720,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
* refcurrent(rbtnode) must be non-zero. This is so
* because 'node' is an argument to the function.
*/
@@ -3215,7 +3215,7 @@ index 738aa20..5055fcb 100644
if (log)
isc_log_write(dns_lctx, category, module,
level, "overmem cache: stale %s",
-@@ -5611,7 +5723,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+@@ -5616,7 +5728,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
} else if (force_expire) {
if (! RETAIN(header)) {
set_ttl(rbtdb, header, 0);
@@ -3224,7 +3224,7 @@ index 738aa20..5055fcb 100644
} else if (log) {
isc_log_write(dns_lctx, category, module,
level, "overmem cache: "
-@@ -5868,9 +5980,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+@@ -5873,9 +5985,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
* non-zero. This is so because 'node' is an
* argument to the function.
*/
@@ -3236,7 +3236,7 @@ index 738aa20..5055fcb 100644
if (header->type == matchtype)
found = header;
else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
-@@ -6160,7 +6272,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+@@ -6167,7 +6279,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
topheader = topheader->next)
{
set_ttl(rbtdb, topheader, 0);
@@ -3245,7 +3245,7 @@ index 738aa20..5055fcb 100644
}
goto find_header;
}
-@@ -6218,7 +6330,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+@@ -6225,7 +6337,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
* ncache entry.
*/
set_ttl(rbtdb, topheader, 0);
@@ -3254,7 +3254,7 @@ index 738aa20..5055fcb 100644
topheader = NULL;
goto find_header;
}
-@@ -6256,8 +6368,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+@@ -6263,8 +6375,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
}
/*
@@ -3268,7 +3268,7 @@ index 738aa20..5055fcb 100644
*/
if (rbtversion == NULL && trust < header->trust &&
(ACTIVE(header, now) || header_nx)) {
-@@ -6286,6 +6401,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+@@ -6293,6 +6408,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
if ((options & DNS_DBADD_EXACT) != 0)
flags |= DNS_RDATASLAB_EXACT;
@@ -3279,7 +3279,7 @@ index 738aa20..5055fcb 100644
if ((options & DNS_DBADD_EXACTTTL) != 0 &&
newheader->rdh_ttl != header->rdh_ttl)
result = DNS_R_NOTEXACT;
-@@ -6329,11 +6448,12 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+@@ -6336,11 +6455,12 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
}
}
/*
@@ -3297,7 +3297,7 @@ index 738aa20..5055fcb 100644
*/
if (IS_CACHE(rbtdb) && ACTIVE(header, now) &&
header->type == dns_rdatatype_ns &&
-@@ -6508,10 +6628,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+@@ -6511,10 +6631,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
changed->dirty = true;
if (rbtversion == NULL) {
set_ttl(rbtdb, header, 0);
@@ -3310,7 +3310,7 @@ index 738aa20..5055fcb 100644
}
}
if (rbtversion != NULL && !header_nx) {
-@@ -8310,6 +8430,30 @@ nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) {
+@@ -8331,6 +8451,30 @@ nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) {
return (result);
}
@@ -3341,7 +3341,7 @@ index 738aa20..5055fcb 100644
static dns_dbmethods_t zone_methods = {
attach,
detach,
-@@ -8355,7 +8499,9 @@ static dns_dbmethods_t zone_methods = {
+@@ -8376,7 +8520,9 @@ static dns_dbmethods_t zone_methods = {
NULL,
hashsize,
nodefullname,
@@ -3352,7 +3352,7 @@ index 738aa20..5055fcb 100644
};
static dns_dbmethods_t cache_methods = {
-@@ -8403,7 +8549,9 @@ static dns_dbmethods_t cache_methods = {
+@@ -8424,7 +8570,9 @@ static dns_dbmethods_t cache_methods = {
setcachestats,
hashsize,
nodefullname,
@@ -3363,7 +3363,7 @@ index 738aa20..5055fcb 100644
};
isc_result_t
-@@ -8674,7 +8822,7 @@ dns_rbtdb_create
+@@ -8695,7 +8843,7 @@ dns_rbtdb_create
rbtdb->rpzs = NULL;
rbtdb->load_rpzs = NULL;
rbtdb->rpz_num = DNS_RPZ_INVALID_NUM;
@@ -3372,7 +3372,7 @@ index 738aa20..5055fcb 100644
/*
* Version Initialization.
*/
-@@ -9092,7 +9240,8 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+@@ -9113,7 +9261,8 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
* rdatasets to work.
*/
if (NONEXISTENT(header) ||
@@ -3382,7 +3382,7 @@ index 738aa20..5055fcb 100644
header = NULL;
break;
} else
-@@ -10280,7 +10429,7 @@ static inline bool
+@@ -10322,7 +10471,7 @@ static inline bool
need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now) {
if ((header->attributes &
(RDATASET_ATTR_NONEXISTENT |
@@ -3391,7 +3391,7 @@ index 738aa20..5055fcb 100644
RDATASET_ATTR_ZEROTTL)) != 0)
return (false);
-@@ -10386,7 +10535,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+@@ -10428,7 +10577,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
bool tree_locked, expire_t reason)
{
set_ttl(rbtdb, header, 0);
@@ -3401,7 +3401,7 @@ index 738aa20..5055fcb 100644
/*
* Caller must hold the node (write) lock.
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index 04a58c0..164fc01 100644
+index 337a2f3..24e14d2 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -141,16 +141,17 @@
@@ -3434,18 +3434,19 @@ index 04a58c0..164fc01 100644
#endif
/* The default maximum number of recursions to follow before giving up. */
-@@ -496,6 +497,10 @@ struct dns_resolver {
- unsigned int maxqueries;
- isc_result_t quotaresp[2];
-
-+ /* Additions for serve-stale feature. */
+@@ -515,6 +516,11 @@ struct dns_resolver {
+ dns_fetch_t * primefetch;
+ /* Locked by nlock. */
+ unsigned int nfctx;
++
++ /* Unlocked. Additions for serve-stale feature. */
+ unsigned int retryinterval; /* in milliseconds */
+ unsigned int nonbackofftries;
+
- /* Locked by lock. */
- unsigned int references;
- bool exiting;
-@@ -1617,14 +1622,12 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
+ };
+
+ #define RES_MAGIC ISC_MAGIC('R', 'e', 's', '!')
+@@ -1625,14 +1631,12 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
unsigned int seconds;
unsigned int us;
@@ -3464,7 +3465,7 @@ index 04a58c0..164fc01 100644
/*
* Add a fudge factor to the expected rtt based on the current
-@@ -4481,7 +4484,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+@@ -4494,7 +4498,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
/*
* Compute an expiration time for the entire fetch.
*/
@@ -3474,7 +3475,7 @@ index 04a58c0..164fc01 100644
iresult = isc_time_nowplusinterval(&fctx->expires, &interval);
if (iresult != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
-@@ -8965,6 +8969,8 @@ dns_resolver_create(dns_view_t *view,
+@@ -8983,6 +8988,8 @@ dns_resolver_create(dns_view_t *view,
res->spillattimer = NULL;
res->zspill = 0;
res->zero_no_soa_ttl = false;
@@ -3483,7 +3484,7 @@ index 04a58c0..164fc01 100644
res->query_timeout = DEFAULT_QUERY_TIMEOUT;
res->maxdepth = DEFAULT_RECURSION_DEPTH;
res->maxqueries = DEFAULT_MAX_QUERIES;
-@@ -10291,17 +10297,20 @@ dns_resolver_gettimeout(dns_resolver_t *resolver) {
+@@ -10317,17 +10324,20 @@ dns_resolver_gettimeout(dns_resolver_t *resolver) {
}
void
@@ -3512,7 +3513,7 @@ index 04a58c0..164fc01 100644
}
void
-@@ -10398,3 +10407,34 @@ dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which)
+@@ -10424,3 +10434,34 @@ dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which)
return (resolver->quotaresp[which]);
}
@@ -3578,7 +3579,7 @@ index 0b9620c..331992e 100644
/*
diff --git a/lib/dns/tests/db_test.c b/lib/dns/tests/db_test.c
-index 35cf21d..bf39545 100644
+index 2849775..812f750 100644
--- a/lib/dns/tests/db_test.c
+++ b/lib/dns/tests/db_test.c
@@ -28,8 +28,9 @@
@@ -3809,7 +3810,7 @@ index 35cf21d..bf39545 100644
_setup, _teardown),
cmocka_unit_test_setup_teardown(dbtype_test,
diff --git a/lib/dns/view.c b/lib/dns/view.c
-index a1a4301..abf6a4c 100644
+index 0fca1d9..55ede81 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -229,6 +229,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
@@ -3823,7 +3824,7 @@ index a1a4301..abf6a4c 100644
view->maxbits = 0;
view->v4_aaaa = dns_aaaa_ok;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
-index 7bad989..bbf4b45 100644
+index 91693b5..5771774 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1778,6 +1778,7 @@ view_clauses[] = {
@@ -3854,5 +3855,5 @@ index 7bad989..bbf4b45 100644
{ "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_NOTIMP },
{ "transfer-format", &cfg_type_transferformat, 0 },
--
-2.20.1
+2.21.1
diff --git a/SOURCES/bind-9.11-zone2ldap.patch b/SOURCES/bind-9.11-zone2ldap.patch
index a816240..d29656e 100644
--- a/SOURCES/bind-9.11-zone2ldap.patch
+++ b/SOURCES/bind-9.11-zone2ldap.patch
@@ -1,18 +1,18 @@
-From 0430b3ac66169eea7a74aaa8bfca50400d3497cf Mon Sep 17 00:00:00 2001
+From 9683a4d2524b870c4cee09259cb5eb7b8075a507 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 18 Dec 2018 16:06:26 +0100
Subject: [PATCH] Make absolute hostname by dns API instead of strings
Duplicate all strings in dc_list. Free allocated memory on each record.
---
- bin/sdb_tools/zone2ldap.c | 71 +++++++++++++++++++++++++--------------
- 1 file changed, 45 insertions(+), 26 deletions(-)
+ bin/sdb_tools/zone2ldap.c | 70 +++++++++++++++++++++++++--------------
+ 1 file changed, 45 insertions(+), 25 deletions(-)
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
-index 76186b5..28df191 100644
+index d59936c..9ba73b8 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
-@@ -87,6 +87,10 @@ int get_attr_list_size (char **tmp);
+@@ -84,6 +84,10 @@ int get_attr_list_size (char **tmp);
/* Get a DN */
char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone);
@@ -23,7 +23,7 @@ index 76186b5..28df191 100644
/* Add to RR list */
void add_to_rr_list (char *dn, char *name, char *type, char *data,
unsigned int ttl, unsigned int flags);
-@@ -123,6 +127,7 @@ static char dNSTTL []="dNSTTL";
+@@ -120,6 +124,7 @@ static char dNSTTL []="dNSTTL";
static char zoneName []="zoneName";
static char dc []="dc";
static char sameZone []="@";
@@ -31,7 +31,7 @@ index 76186b5..28df191 100644
/* LDAPMod mod_values: */
static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
-@@ -396,6 +401,8 @@ main (int argc, char **argv)
+@@ -391,6 +396,8 @@ main (int argc, char **argv)
}
}
@@ -40,7 +40,7 @@ index 76186b5..28df191 100644
}
else
{
-@@ -451,12 +458,18 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
+@@ -446,12 +453,18 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
char data[2048];
char **dc_list;
char *dn;
@@ -59,7 +59,7 @@ index 76186b5..28df191 100644
isc_result_check (result, "dns_name_totext");
name[isc_buffer_usedlength (&buff)] = 0;
-@@ -478,6 +491,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
+@@ -473,6 +486,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data);
add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT);
@@ -67,7 +67,7 @@ index 76186b5..28df191 100644
}
-@@ -538,12 +552,9 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -533,12 +547,9 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs == (LDAPMod **) NULL)
fatal("calloc");
@@ -83,7 +83,7 @@ index 76186b5..28df191 100644
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
tmp->attrs[0]->mod_type = objectClass;
-@@ -559,9 +570,18 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -554,9 +565,18 @@ add_to_rr_list (char *dn, char *name, char *type,
return;
}
@@ -103,12 +103,11 @@ index 76186b5..28df191 100644
if (tmp->attrs[1]->mod_values == (char **)NULL)
fatal("calloc");
-@@ -705,25 +725,16 @@ char **
- hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+@@ -701,24 +721,16 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
{
char *tmp;
-- int i = 0;
-+ int i = 0, j = 0;
+ int i = 0;
++ int j = 0;
char *hname=0L, *last=0L;
int hlen=strlen(hostname), zlen=(strlen(zone));
@@ -127,11 +126,11 @@ index 76186b5..28df191 100644
{
- if( hname == 0 )
- hname=strdup(hostname);
-+ hname=strdup(hostname);
- last = strdup(sameZone);
++ hname= strdup(hostname);
+ last = strdup(sameZone);
}else
- {
-@@ -731,8 +742,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+ {
+@@ -726,8 +738,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
||( strcmp( hostname + (hlen - zlen), zone ) != 0)
)
{
@@ -140,7 +139,7 @@ index 76186b5..28df191 100644
hname=(char*)malloc( hlen + zlen + 1);
if( *zone == '.' )
sprintf(hname, "%s%s", hostname, zone);
-@@ -740,8 +749,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+@@ -735,8 +745,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
sprintf(hname,"%s",zone);
}else
{
@@ -150,7 +149,7 @@ index 76186b5..28df191 100644
}
last = hname;
}
-@@ -754,18 +762,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+@@ -749,18 +758,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
for (tmp = strrchr (hname, '.'); tmp != (char *) 0;
tmp = strrchr (hname, '.'))
{
@@ -167,7 +166,7 @@ index 76186b5..28df191 100644
+ dn_buffer[i++] = dot;
if( tmp == hname )
break;
- }
+ }
}
+ for (j=0; j<i; j++)
+ {
@@ -176,7 +175,7 @@ index 76186b5..28df191 100644
if( ( last != hname ) && (tmp != hname) )
dn_buffer[i++] = hname;
dn_buffer[i++] = last;
-@@ -825,6 +836,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
+@@ -820,6 +832,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
return dn;
}
@@ -192,5 +191,5 @@ index 76186b5..28df191 100644
/* Initialize LDAP Conn */
void
--
-2.20.1
+2.21.1
diff --git a/SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch b/SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch
index 35c8542..e5a418e 100644
--- a/SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch
+++ b/SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch
@@ -1,5 +1,5 @@
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
-index 95ab742..6069f09 100644
+index 95ab742..5059a17 100644
--- a/bin/sdb_tools/Makefile.in
+++ b/bin/sdb_tools/Makefile.in
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
@@ -7,49 +7,46 @@ index 95ab742..6069f09 100644
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
-+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
++TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ ldap2zone@EXEEXT@
-OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
-+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@
++OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ ldap2zone.@O@
-SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
-+SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c
++SRCS = zone2ldap.c zonetodb.c zone2sqlite.c ldap2zone.c
MANPAGES = zone2ldap.1
-@@ -53,6 +53,9 @@ zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
- zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
+@@ -47,6 +47,9 @@ EXT_CFLAGS =
+ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
+ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
+
- clean distclean manclean maintainer-clean::
- rm -f ${TARGETS} ${OBJS}
+ zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
-@@ -62,6 +65,7 @@ installdirs:
-
- install:: ${TARGETS} installdirs
+@@ -64,4 +67,5 @@ install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
-+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
-index aa2c711..76186b5 100644
+index e0e9207..d59936c 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
-@@ -66,6 +66,9 @@ ldap_info;
- /* usage Info */
- void usage (void);
+@@ -73,7 +73,7 @@ void add_ldap_values (ldap_info * ldinfo);
+ void init_ldap_conn (void);
-+/* Check for existence of (and possibly add) containing dNSZone objects */
-+int lookup_dns_zones( ldap_info *ldinfo);
-+
- /* Add to the ldap dit */
- void add_ldap_values (ldap_info * ldinfo);
+ /* Ldap error checking */
+-void ldap_result_check (const char *msg, char *dn, int err);
++void ldap_result_check (const char *msg, const char *dn, int err);
-@@ -82,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
+ /* Put a hostname into a char ** array */
+ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
+@@ -82,7 +82,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
int get_attr_list_size (char **tmp);
/* Get a DN */
@@ -58,7 +55,7 @@ index aa2c711..76186b5 100644
/* Add to RR list */
void add_to_rr_list (char *dn, char *name, char *type, char *data,
-@@ -104,11 +107,27 @@ void
+@@ -104,11 +104,26 @@ void
init_ldap_conn ();
void usage();
@@ -87,11 +84,19 @@ index aa2c711..76186b5 100644
+static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
+static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
+static char *dn_buffer [64]={NULL};
-+
LDAP *conn;
unsigned int debug = 0;
-@@ -132,12 +151,12 @@ main (int argc, char **argv)
+@@ -120,7 +135,7 @@ static void
+ fatal(const char *msg) {
+ perror(msg);
+ if (conn != NULL)
+- ldap_unbind_s(conn);
++ ldap_unbind_ext_s(conn, NULL, NULL);
+ exit(1);
+ }
+
+@@ -132,12 +147,13 @@ main (int argc, char **argv)
isc_result_t result;
char *basedn;
ldap_info *tmp;
@@ -102,12 +107,12 @@ index aa2c711..76186b5 100644
isc_buffer_t buff;
char *zonefile=0L;
char fullbasedn[1024];
-- char *ctmp;
-+ char *ctmp, *zn, *dcp[2], *znp[2], *rdn[2];
+ char *ctmp;
++ char *zn, *dcp[2], *znp[2], *rdn[2];
dns_fixedname_t fixedzone, fixedname;
dns_rdataset_t rdataset;
char **dc_list;
-@@ -150,7 +169,7 @@ main (int argc, char **argv)
+@@ -150,7 +166,7 @@ main (int argc, char **argv)
extern char *optarg;
extern int optind, opterr, optopt;
int create_base = 0;
@@ -116,7 +121,7 @@ index aa2c711..76186b5 100644
if (argc < 2)
{
-@@ -158,7 +177,7 @@ main (int argc, char **argv)
+@@ -158,7 +174,7 @@ main (int argc, char **argv)
exit (-1);
}
@@ -125,7 +130,7 @@ index aa2c711..76186b5 100644
{
switch (topt)
{
-@@ -181,6 +200,9 @@ main (int argc, char **argv)
+@@ -181,6 +197,9 @@ main (int argc, char **argv)
if (bindpw == NULL)
fatal("strdup");
break;
@@ -135,35 +140,27 @@ index aa2c711..76186b5 100644
case 'b':
ldapbase = strdup (optarg);
if (ldapbase == NULL)
-@@ -300,27 +322,62 @@ main (int argc, char **argv)
- {
- if (debug)
+@@ -302,17 +321,51 @@ main (int argc, char **argv)
printf ("Creating base zone DN %s\n", argzone);
--
-+
+
dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP);
- basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC);
-
-- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
+ basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone);
+ if (debug)
+ printf ("base DN %s\n", basedn);
-+
+
+- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
+ for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--)
{
-- if ((*ctmp == ',') || (ctmp == &basedn[0]))
-+ if ((*ctmp == ',') || (ctmp == &basedn[0]))
+ if ((*ctmp == ',') || (ctmp == &basedn[0]))
{
-+
base.mod_op = LDAP_MOD_ADD;
- base.mod_type = (char*)"objectClass";
-- base.mod_values = (char**)topObjectClasses;
+ base.mod_type = objectClass;
-+ base.mod_values = topObjectClasses;
+ base.mod_values = (char**)topObjectClasses;
base_attrs[0] = (void*)&base;
- base_attrs[1] = NULL;
--
-+
++
+ dcBase.mod_op = LDAP_MOD_ADD;
+ dcBase.mod_type = dc;
+ dcp[0]=dc_list[dcn];
@@ -172,13 +169,13 @@ index aa2c711..76186b5 100644
+ base_attrs[1] = (void*)&dcBase;
+
+ znBase.mod_op = LDAP_MOD_ADD;
-+ znBase.mod_type = zoneName;
++ znBase.mod_type = zoneName;
+ for( zdn = dcn, znlen = 0; zdn >= 0; zdn-- )
+ znlen += strlen(dc_list[zdn])+1;
+ znp[0] = (char*)malloc(znlen+1);
+ znp[1] = 0L;
-+ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- )
-+ zn+=sprintf(zn,"%s%s",dc_list[zdn],
++ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- )
++ zn+=sprintf(zn,"%s%s",dc_list[zdn],
+ ((zdn > 0) && (*(dc_list[zdn-1])!='.')) ? "." : ""
+ );
+
@@ -191,24 +188,15 @@ index aa2c711..76186b5 100644
+ rdn[1] = 0L;
+ rdnBase.mod_values = rdn;
+ base_attrs[3] = (void*)&rdnBase;
-+
++
+ dcn++;
+
+ base.mod_values = topObjectClasses;
-+ base_attrs[4] = NULL;
-+
++ base_attrs[4] = NULL;
+
if (ldapbase)
{
- if (ctmp != &basedn[0])
- sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase);
- else
-- sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
--
-+ sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
- }
- else
- {
-@@ -329,8 +386,13 @@ main (int argc, char **argv)
+@@ -329,6 +382,10 @@ main (int argc, char **argv)
else
sprintf (fullbasedn, "%s", ctmp);
}
@@ -217,12 +205,9 @@ index aa2c711..76186b5 100644
+ printf("Full base dn: %s\n", fullbasedn);
+
result = ldap_add_s (conn, fullbasedn, base_attrs);
- ldap_result_check ("intial ldap_add_s", fullbasedn, result);
-+
+ ldap_result_check ("initial ldap_add_s", fullbasedn, result);
}
-
- }
-@@ -408,14 +470,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
+@@ -408,14 +465,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
isc_result_check (result, "dns_rdata_totext");
data[isc_buffer_usedlength (&buff)] = 0;
@@ -240,7 +225,7 @@ index aa2c711..76186b5 100644
}
-@@ -455,7 +517,8 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -455,7 +512,8 @@ add_to_rr_list (char *dn, char *name, char *type,
int attrlist;
char ldap_type_buffer[128];
char charttl[64];
@@ -250,7 +235,7 @@ index aa2c711..76186b5 100644
if ((tmp = locate_by_dn (dn)) == NULL)
{
-@@ -482,13 +545,13 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -482,10 +540,10 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("malloc");
}
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
@@ -262,12 +247,8 @@ index aa2c711..76186b5 100644
+ tmp->attrs[0]->mod_values = objectClasses;
else
{
-- tmp->attrs[0]->mod_values = (char**)topObjectClasses;
-+ tmp->attrs[0]->mod_values =topObjectClasses;
- tmp->attrs[1] = NULL;
- tmp->attrcnt = 2;
- tmp->next = ldap_info_base;
-@@ -497,7 +560,7 @@ add_to_rr_list (char *dn, char *name, char *type,
+ tmp->attrs[0]->mod_values = (char**)topObjectClasses;
+@@ -497,7 +555,7 @@ add_to_rr_list (char *dn, char *name, char *type,
}
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
@@ -276,7 +257,7 @@ index aa2c711..76186b5 100644
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[1]->mod_values == (char **)NULL)
-@@ -526,7 +589,7 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -526,7 +584,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup");
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
@@ -285,16 +266,16 @@ index aa2c711..76186b5 100644
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[3]->mod_values == (char **)NULL)
-@@ -539,14 +602,25 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -539,14 +597,25 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs[3]->mod_values[0] == NULL)
fatal("strdup");
-+ znlen=strlen(gbl_zone);
-+ if ( *(gbl_zone + (znlen-1)) == '.' )
++ znlen=strlen(gbl_zone);
++ if ( gbl_zone[znlen-1] == '.' )
+ { /* ldapdb MUST search by relative zone name */
+ zn = (char*)malloc(znlen);
-+ strncpy(zn,gbl_zone,znlen-1);
-+ *(zn + (znlen-1))='\0';
++ memcpy(zn, gbl_zone, znlen-1);
++ zn[znlen-1]='\0';
+ }else
+ {
+ zn = gbl_zone;
@@ -313,7 +294,7 @@ index aa2c711..76186b5 100644
tmp->attrs[4]->mod_values[1] = NULL;
tmp->attrs[5] = NULL;
-@@ -557,7 +631,7 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -557,7 +626,7 @@ add_to_rr_list (char *dn, char *name, char *type,
else
{
@@ -322,7 +303,7 @@ index aa2c711..76186b5 100644
{
sprintf (ldap_type_buffer, "%sRecord", type);
if (!strncmp
-@@ -631,44 +705,70 @@ char **
+@@ -631,44 +700,70 @@ char **
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
{
char *tmp;
@@ -382,10 +363,10 @@ index aa2c711..76186b5 100644
+ {
+ if( hname == 0 )
+ hname=strdup(hostname);
-+ last = strdup(sameZone);
++ last = strdup(sameZone);
+ }else
-+ {
-+ if( (hlen < zlen)
++ {
++ if( (hlen < zlen)
+ ||( strcmp( hostname + (hlen - zlen), zone ) != 0)
+ )
+ {
@@ -422,7 +403,7 @@ index aa2c711..76186b5 100644
+ *tmp = '\0';
+ if( tmp == hname )
+ break;
-+ }
++ }
+ }
+ if( ( last != hname ) && (tmp != hname) )
+ dn_buffer[i++] = hname;
@@ -430,7 +411,7 @@ index aa2c711..76186b5 100644
dn_buffer[i] = NULL;
return dn_buffer;
-@@ -680,24 +780,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+@@ -680,30 +775,38 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
* exception of "@"/SOA. */
char *
@@ -439,19 +420,21 @@ index aa2c711..76186b5 100644
{
int size;
- int x;
+- static char dn[1024];
+- char tmp[128];
+ int x, znlen;
- static char dn[1024];
- char tmp[128];
++ static char dn[DNS_NAME_MAXTEXT*3/2];
++ char tmp[DNS_NAME_MAXTEXT*3/2];
+ char zn[DNS_NAME_MAXTEXT+1];
bzero (tmp, sizeof (tmp));
bzero (dn, sizeof (dn));
size = get_attr_list_size (dc_list);
+ znlen = strlen(zone);
-+ if ( *(zone + (znlen-1)) == '.' )
++ if ( zone[znlen-1] == '.' )
+ { /* ldapdb MUST search by relative zone name */
+ memcpy(&(zn[0]),zone,znlen-1);
-+ *(zn + (znlen-1))='\0';
++ zn[znlen-1]='\0';
+ zone = zn;
+ }
for (x = size - 2; x > 0; x--)
@@ -460,40 +443,47 @@ index aa2c711..76186b5 100644
{
if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl))
- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%u,", dc_list[x], ttl);
-+ sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
++ snprintf (tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
else if (x == (size - 2))
- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]);
-+ sprintf(tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
++ snprintf(tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
else
- sprintf(tmp,"dc=%s,", dc_list[x]);
+- sprintf(tmp,"dc=%s,", dc_list[x]);
++ snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
}
-@@ -723,6 +831,7 @@ void
- init_ldap_conn ()
- {
- int result;
-+ char ldb_tag[]="LDAP Bind";
- conn = ldap_open (ldapsystem, LDAP_PORT);
- if (conn == NULL)
+ else
{
-@@ -732,7 +841,7 @@ init_ldap_conn ()
+- sprintf(tmp, "dc=%s,", dc_list[x]);
++ snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
+ }
+
+
+@@ -732,19 +835,18 @@ init_ldap_conn ()
}
result = ldap_simple_bind_s (conn, binddn, bindpw);
- ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
-+ ldap_result_check ("ldap_simple_bind_s", ldb_tag , result);
++ ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
}
/* Like isc_result_check, only for LDAP */
-@@ -749,8 +858,6 @@ ldap_result_check (const char *msg, char *dn, int err)
+ void
+-ldap_result_check (const char *msg, char *dn, int err)
++ldap_result_check (const char *msg, const char *dn, int err)
+ {
+ if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
+ {
+- fprintf(stderr, "Error while adding %s (%s):\n",
+- dn, msg);
+- ldap_perror (conn, dn);
+- ldap_unbind_s (conn);
++ fprintf(stderr, "Error while adding %s (%s):\n%s",
++ dn, msg, ldap_err2string(err));
++ ldap_unbind_ext_s (conn, NULL, NULL);
+ exit (-1);
}
}
-
--
--
- /* For running the ldap_info run queue. */
- void
- add_ldap_values (ldap_info * ldinfo)
-@@ -758,14 +865,14 @@ add_ldap_values (ldap_info * ldinfo)
+@@ -758,16 +860,15 @@ add_ldap_values (ldap_info * ldinfo)
int result;
char dnbuffer[1024];
@@ -505,12 +495,14 @@ index aa2c711..76186b5 100644
result = ldap_add_s (conn, dnbuffer, ldinfo->attrs);
- ldap_result_check ("ldap_add_s", dnbuffer, result);
+-}
+ ldap_result_check ("ldap_add_s", dnbuffer, result);
-+
- }
+
++}
+
-@@ -776,5 +883,5 @@ void
+@@ -776,5 +877,5 @@ void
usage ()
{
fprintf (stderr,
diff --git a/SOURCES/bind97-rh645544.patch b/SOURCES/bind97-rh645544.patch
index d1d8429..c15eeb5 100644
--- a/SOURCES/bind97-rh645544.patch
+++ b/SOURCES/bind97-rh645544.patch
@@ -1,7 +1,8 @@
-diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c
---- bind-9.9.4rc2/lib/dns/resolver.c.rh645544 2013-08-19 10:30:52.000000000 +0200
-+++ bind-9.9.4rc2/lib/dns/resolver.c 2013-09-06 17:58:03.864165823 +0200
-@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) {
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index ecb3ddb..f7f73cd 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -1456,7 +1456,7 @@ log_edns(fetchctx_t *fctx) {
*/
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
@@ -10,7 +11,7 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
"success resolving '%s' (in '%s'?) after %s",
fctx->info, domainbuf, fctx->reason);
-@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin
+@@ -4667,7 +4667,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
@@ -19,12 +20,12 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
"lame server resolving '%s' (in '%s'?): %s",
namebuf, domainbuf, addrbuf);
}
-@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char
- }
+@@ -4685,7 +4685,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
+ isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
- "DNS format error from %s resolving %s%s%s: %s",
- nsbuf, fctx->info, clmsg, clbuf, msgbuf);
+ "DNS format error from %s resolving %s for %s: %s",
+ nsbuf, fctx->info, fctx->clientstr, msgbuf);
}
diff --git a/SOURCES/trusted-key.key b/SOURCES/trusted-key.key
index df2fd0d..7b845f3 100644
--- a/SOURCES/trusted-key.key
+++ b/SOURCES/trusted-key.key
@@ -1,2 +1 @@
-. 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index eaafb71..2ba69ee 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -19,6 +19,7 @@
%bcond_with LMDB
%bcond_with DLZ
%bcond_without EXPORT_LIBS
+%bcond_without BDB
# Legacy GeoIP support
%bcond_with GEOIP
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8
@@ -26,6 +27,7 @@
%else
%bcond_with UNITTEST
%endif
+%bcond_with TSAN
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8
# New MaxMind GeoLite support
%bcond_without GEOIP2
@@ -54,16 +56,16 @@
#
# lib*.so.X versions of selected libraries
-%global sover_dns 1107
-%global sover_isc 1104
+%global sover_dns 1110
+%global sover_isc 1105
%global sover_irs 161
%global sover_isccfg 163
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name: bind
License: MPLv2.0
-Version: 9.11.13
-Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Version: 9.11.20
+Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
#
@@ -158,9 +160,6 @@ Patch178:bind-9.11-dhcp-time-monotonic.patch
Patch11: bind-9.3.2b2-sdbsrc.patch
Patch12: bind-9.10-sdb.patch
-# export lib patches
-Patch135:bind-9.11-export-isc-config.patch
-
# needs inpection
Patch17: bind-9.3.2b1-fix_sdb_ldap.patch
Patch18: bind-9.11-zone2ldap.patch
@@ -174,6 +173,7 @@ Requires(post): shadow-utils
Requires(post): glibc-common
Requires(post): grep
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
Obsoletes: bind-config < 30:9.3.2-34.fc6
Provides: bind-config = 30:9.3.2-34.fc6
Obsoletes: caching-nameserver < 31:9.4.1-7.fc8
@@ -190,6 +190,8 @@ BuildRequires: python3-ply
BuildRequires: findutils sed
%if %{with SDB}
BuildRequires: openldap-devel, postgresql-devel, sqlite-devel, mariadb-connector-c-devel
+%endif
+%if %{with BDB}
BuildRequires: libdb-devel
%endif
%if %{with UNITTEST}
@@ -219,6 +221,9 @@ BuildRequires: libmaxminddb-devel
%endif
# Needed to regenerate dig.1 manpage
BuildRequires: docbook-style-xsl, libxslt
+%if %{with TSAN}
+BuildRequires: libtsan
+%endif
%description
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
@@ -232,6 +237,8 @@ tools for verifying that the DNS server is operating properly.
Summary: Bind with native PKCS#11 functionality for crypto
Requires: systemd
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Recommends: softhsm
@@ -275,6 +282,7 @@ Summary: BIND server with database backends and DLZ support
Requires: systemd
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
%description sdb
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
@@ -316,6 +324,7 @@ Contains license of the BIND DNS suite.
%package utils
Summary: Utilities for querying DNS name servers
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
Requires: python3-bind = %{epoch}:%{version}-%{release}
%description utils
@@ -345,12 +354,6 @@ required for development with ISC BIND 9
Summary: Lite version of header files and libraries needed for BIND DNS development
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa}
-%if %{with GEOIP}
-Requires: GeoIP-devel%{?_isa}
-%endif
-%if %{with GEOIP2}
-Requires: libmaxminddb-devel%{?_isa}
-%endif
%description lite-devel
The bind-lite-devel package contains lite version of the header
@@ -384,6 +387,7 @@ Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
%if %{with DLZ}
+%if %{with BDB}
%package dlz-bdb
Summary: BIND server bdb DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
@@ -391,6 +395,10 @@ Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-bdb
Dynamic Loadable Zones module for BIND server.
+%end
+
+%endif
+
%package dlz-filesystem
Summary: BIND server filesystem DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
@@ -431,7 +439,7 @@ Dynamic Loadable Zones module for BIND server.
%package -n python3-bind
Summary: A module allowing rndc commands to be sent from Python programs
Requires: bind-license = %{epoch}:%{version}-%{release}
-Requires: %{?__python3} python3-ply %{py3_dist ply}
+Requires: %{?__python3} python3-ply %{?py3_dist:%py3_dist ply}
BuildArch: noarch
%{?python_provide:%python_provide python3-bind}
%{?python_provide:%python_provide python3-isc}
@@ -576,10 +584,15 @@ done
cp -Tuav bin/tests "%{1}/bin/tests/" \
cp -uv version "%{1}" \
-export CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
+CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
+%if %{with TSAN}
+ CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
+%endif
+export CFLAGS
export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE"
export STD_CDEFINES="$CPPFLAGS"
+
sed -i -e \
's/RELEASEVER=\(.*\)/RELEASEVER=\1-RedHat-%{version}-%{release}/' \
version
@@ -619,6 +632,8 @@ export LIBDIR_SUFFIX
--with-dlz-postgres=yes \
--with-dlz-mysql=yes \
--with-dlz-filesystem=yes \
+%endif
+%if %{with BDB}
--with-dlz-bdb=yes \
%endif
%if %{with GSSTSIG}
@@ -656,14 +671,19 @@ popd
%if %{with DLZ}
pushd contrib/dlz
- pushd bin/dlzbdb
- make
- popd
pushd modules
- for DIR in bdbhpt filesystem ldap mysql mysqldyn sqlite3; do
+ for DIR in filesystem ldap mysql mysqldyn sqlite3; do
make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
done
popd
+ %if %{with BDB}
+ pushd bin/dlzbdb
+ make
+ popd
+ pushd modules
+ make -C bdbhpt CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
+ popd
+ %endif
popd
%endif
popd # build
@@ -672,6 +692,8 @@ popd # build
%systemtest_prepare_build build
%if %{with EXPORT_LIBS}
+cp isc-config.sh.1 isc-export-config.sh.1
+
## Create export libs ##
mkdir -p export-libs
pushd export-libs
@@ -708,8 +730,12 @@ export LIBDIR_SUFFIX
## FIXME this should be in patch instead of SED'ing
## but do we really like/want to patch generated files?
-sed -i -e \
-'/^SUBDIRS =/s/.*/SUBDIRS = make lib/i' \
+mv isc-config.sh isc-export-config.sh
+
+sed -i \
+-e '/^SUBDIRS =/s/.*/SUBDIRS = make lib/i' \
+-e 's/isc-config.sh/isc-export-config.sh/g' \
+-e 's/bind9-config/bind9-export-config/g' \
Makefile
sed -i -e \
@@ -721,9 +747,9 @@ do
find . -name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g" -i {} \;
sed -e "s/-l${lib}\([^[:alpha:]]\)/-l${lib}-export\1/g" \
-e "s/lib${lib}\./lib${lib}-export\./g" \
- -i isc-config.sh
+ -i isc-export-config.sh
done;
-%{__patch} -p2 -b --suffix .export-isc-config < %{PATCH135}
+
make %{?_smp_mflags}
popd
@@ -749,6 +775,10 @@ sed -e "/^\s*include(/ d" -e 's/^-- use //' \
sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
%endif
+%if %{with TSAN}
+export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
+%endif
+
%if %{with UNITTEST}
pushd build
make unit
@@ -896,15 +926,20 @@ install -m 644 %{SOURCE12} contrib/sdb/pgsql/
%if %{with DLZ}
pushd contrib/dlz
- pushd bin/dlzbdb
- make DESTDIR=${RPM_BUILD_ROOT} install
- popd
pushd modules
- for DIR in bdbhpt filesystem ldap mysql mysqldyn sqlite3; do
+ for DIR in filesystem ldap mysql mysqldyn sqlite3; do
make -C $DIR DESTDIR=${RPM_BUILD_ROOT} libdir=%{_libdir}/bind install
done
mv mysqldyn/testing/README mysqldyn/testing/README.testing
+ %if %{with BDB}
+ make -C bdbhpt DESTDIR=${RPM_BUILD_ROOT} libdir=%{_libdir}/bind install
+ %endif
popd
+ %if %{with BDB}
+ pushd bin/dlzbdb
+ make DESTDIR=${RPM_BUILD_ROOT} install
+ popd
+ %endif
popd
%endif
@@ -942,6 +977,7 @@ pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
ln -s named.8.gz named-pkcs11.8.gz
ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz
ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz
+ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz
ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz
ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz
ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz
@@ -1448,12 +1484,15 @@ rm -rf ${RPM_BUILD_ROOT}
%{_bindir}/bind9-export-config
%endif
-%if %{with DLZ}
+%if %{with DLZ} && %{with BDB}
%files dlz-bdb
%{_sbindir}/dlzbdb
%{_libdir}/bind/dlz_bdbhpt_dynamic.so
%doc contrib/dlz/modules/bdbhpt/testing/*
+%endif
+
+%if %{with DLZ}
%files dlz-filesystem
%{_libdir}/bind/dlz_filesystem_dynamic.so
@@ -1482,6 +1521,38 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
+* Fri Jun 19 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-3
+- Add remaining require to bind package (#1633169)
+
+* Fri Jun 19 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-2
+- Add manual page for dnssec-importkey-pkcs11 (#1666785)
+- Add versioned depends to all library subpackages
+
+* Wed Jun 17 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-1
+- Update to 9.11.20
+
+* Mon Jun 08 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.19-2
+- Remove old KSK 19036 from remaining trusted-key.key
+
+* Fri May 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.19-1
+- Update to 9.11.19 (CVE-2020-8616, CVE-2020-8617)
+
+* Thu Apr 16 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.18-1
+- Update to 9.11.18
+
+* Tue Apr 07 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.17-1
+- Update to 9.11.17
+
+* Tue Apr 07 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.14-1
+- Update to 9.11.14
+- Remove libmaxminddb-devel from devel package dependencies
+
+* Thu Feb 27 2020 Miroslav Lichvar <mlichvar@redhat.com> - 32:9.11.13-3
+- Fix rwlock to be thread-safe (#1740511)
+
+* Tue Jan 14 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-2
+- Release GeoIP data on reload (#1790879)
+
* Tue Nov 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-1
- Update to 9.11.13