diff --git a/SOURCES/bind93-rh726120.patch b/SOURCES/bind93-rh726120.patch
new file mode 100644
index 0000000..5eb11ee
--- /dev/null
+++ b/SOURCES/bind93-rh726120.patch
@@ -0,0 +1,26 @@
+From 23c33ea76e916cc16e354faa218b6a0ca6385d00 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 5 Dec 2017 16:33:08 +0100
+Subject: [PATCH] Fix bug #726120
+
+---
+ bin/dig/dighost.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index 42a2fe2..3a066c6 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -3416,7 +3416,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
+ return;
+ }
+ if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) ||
+- (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse))
++ (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 &&
++ msg->rcode != dns_rcode_noerror && l->recurse))
+ {
+ dig_query_t *next = ISC_LIST_NEXT(query, link);
+ if (l->current_query == query)
+--
+2.9.5
+
diff --git a/SOURCES/bind99-rh1464850-2.patch b/SOURCES/bind99-rh1464850-2.patch
new file mode 100644
index 0000000..6c4d07c
--- /dev/null
+++ b/SOURCES/bind99-rh1464850-2.patch
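Review bot: The new `msg->rcode != dns_rcode_noerror` clause in recv_done makes dig accept a NOERROR reply that lacks the RA bit as final instead of failing over to the next server, but neither the hunk nor the one-line subject "Fix bug #726120" records why, so a later reader will read it as an accidental narrowing of the `check_ra` fallover. Add a comment above the `if`, e.g. `/* A NOERROR answer without RA is still usable (e.g. from an authoritative-only server); only fall over to the next server when the reply is also an error rcode. */`. Note that a NOERROR referral or NODATA reply from a non-recursive server would presumably now also be taken as the final answer rather than retried elsewhere, which looks intended but is worth stating in that comment. recv_done starts and ends outside the hunk.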
@@ -0,0 +1,102 @@
+From a58f31659a924c59f6342d79d2c19ee956453d82 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Sat, 18 Oct 2014 12:40:13 +1100
+Subject: [PATCH 2/2] 3980. [bug] Improve --with-tuning=large by
+ self tuning of SO_RCVBUF size. [RT #37187]
+
+(cherry picked from commit 871f3c8beeb2134b17414ec167b90a57adb8e122)
+---
+ lib/isc/unix/socket.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 61 insertions(+), 5 deletions(-)
+
+diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
+index af0c3bc..90953ff 100644
+--- a/lib/isc/unix/socket.c
++++ b/lib/isc/unix/socket.c
+@@ -2245,6 +2245,62 @@ free_socket(isc__socket_t **socketp) {
+ *socketp = NULL;
+ }
+
++#ifdef SO_RCVBUF
++static isc_once_t rcvbuf_once = ISC_ONCE_INIT;
++static int rcvbuf = RCVBUFSIZE;
++
++static void
++set_rcvbuf(void) {
++ int fd;
++ int max = rcvbuf, min;
++ ISC_SOCKADDR_LEN_T len;
++
++ fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
++#if defined(ISC_PLATFORM_HAVEIPV6)
++ if (fd == -1) {
++ switch (errno) {
++ case EPROTONOSUPPORT:
++ case EPFNOSUPPORT:
++ case EAFNOSUPPORT:
++ /*
++ * Linux 2.2 (and maybe others) return EINVAL instead of
++ * EAFNOSUPPORT.
++ */
++ case EINVAL:
++ fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
++ break;
++ }
++ }
++#endif
++ if (fd == -1)
++ return;
++
++ len = sizeof(min);
++ if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, (void *)&min, &len) >= 0 &&
++ min < rcvbuf) {
++ again:
++ if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, (void *)&rcvbuf,
++ sizeof(rcvbuf)) == -1) {
++ if (errno == ENOBUFS && rcvbuf > min) {
++ max = rcvbuf - 1;
++ rcvbuf = (rcvbuf + min) / 2;
++ goto again;
++ } else {
++ rcvbuf = min;
++ goto cleanup;
++ }
++ } else
++ min = rcvbuf;
++ if (min != max) {
++ rcvbuf = max;
++ goto again;
++ }
++ }
++ cleanup:
++ close (fd);
++}
++#endif
++
+ #ifdef SO_BSDCOMPAT
+ /*
+ * This really should not be necessary to do. Having to workout
+@@ -2609,15 +2665,15 @@ opensocket(isc__socketmgr_t *manager, isc__socket_t *sock,
+ #if defined(SO_RCVBUF)
+ optlen = sizeof(size);
+ if (getsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
+- (void *)&size, &optlen) >= 0 &&
+- size < RCVBUFSIZE) {
+- size = RCVBUFSIZE;
++ (void *)&size, &optlen) >= 0 && size < rcvbuf) {
++ RUNTIME_CHECK(isc_once_do(&rcvbuf_once,
++ set_rcvbuf) == ISC_R_SUCCESS);
+ if (setsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
+- (void *)&size, sizeof(size)) == -1) {
++ (void *)&rcvbuf, sizeof(rcvbuf)) == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "setsockopt(%d, SO_RCVBUF, %d) %s: %s",
+- sock->fd, size,
++ sock->fd, rcvbuf,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED,
+--
+2.9.5
+
diff --git a/SOURCES/bind99-rh1464850.patch b/SOURCES/bind99-rh1464850.patch
new file mode 100644
index 0000000..f96db9a
--- /dev/null
+++ b/SOURCES/bind99-rh1464850.patch
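Review bot: In opensocket the new comparison `size < rcvbuf` reads the shared `rcvbuf` before `isc_once_do(&rcvbuf_once, set_rcvbuf)` has been called, so a second thread opening a socket while the first is still inside set_rcvbuf can observe `rcvbuf` mid-adjustment (set_rcvbuf rewrites it on every `goto again` and may transiently set it to `min`), which is an unsynchronized read/write pair and can make that socket skip the enlargement. Hoist the once-call ahead of the read, `RUNTIME_CHECK(isc_once_do(&rcvbuf_once, set_rcvbuf) == ISC_R_SUCCESS);` placed before `optlen = sizeof(size);`, so every reader compares against the settled value. Separately, the probe loop in set_rcvbuf only shrinks on `ENOBUFS`; on Linux a too-large SO_RCVBUF is presumably clamped to net.core.rmem_max without an error, in which case `rcvbuf` stays at RCVBUFSIZE and every later opensocket keeps re-requesting a size the kernel silently caps, which is worth a comment on set_rcvbuf so nobody expects the probe to report the effective maximum there. opensocket starts and ends outside the hunk.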
@@ -0,0 +1,1849 @@ +From b154e9fd7a4acc87435f858d43b8c234885a8763 Mon Sep 17 00:00:00 2001 +From: Evan Hunt <each@isc.org> +Date: Tue, 18 Feb 2014 22:36:14 -0800 +Subject: [PATCH 1/2] add "--with-tuning=large" option + +3745. [func] "configure --with-tuning=large" adjusts various + compiled-in constants and default settings to + values suited to large servers with abundant + memory. [RT #29538] + +(cherry picked from commit 6a3fa181d1253db5191139e20231512eebaddeeb) +--- + README | 8 + + bin/named/bind9.ver3.xsl.h | 6 +- + bin/named/interfacemgr.c | 9 +- + bin/named/named.docbook | 3 + + bin/named/server.c | 21 +- + bin/named/update.c | 2 +- + config.h.in | 3 + + configure | 1064 ++++++++++++++++++++++++++++++++++++-------- + configure.in | 25 ++ + lib/dns/client.c | 8 +- + lib/isc/unix/socket.c | 12 + + 11 files changed, 975 insertions(+), 186 deletions(-) + +diff --git a/README b/README +index b22e9ce..7451acb 100644 +--- a/README ++++ b/README +@@ -221,6 +221,14 @@ Building + To build shared libraries, specify "--with-libtool" on the + configure command line. + ++ Certain compiled-in constants and default settings can be ++ increased to values better suited to large servers with abundant ++ memory resources (e.g, 64-bit servers with 12G or more of memory) ++ by specifying "--with-tuning=large" on the configure command ++ line. This can improve performance on big servers, but will ++ consume more memory and may degrade performance on smaller ++ systems. ++ + For the server to support DNSSEC, you need to build it + with crypto support. 
You must have OpenSSL 0.9.5a + or newer installed and specify "--with-openssl" on the +diff --git a/bin/named/bind9.ver3.xsl.h b/bin/named/bind9.ver3.xsl.h +index c55714a..8c0a4a9 100644 +--- a/bin/named/bind9.ver3.xsl.h ++++ b/bin/named/bind9.ver3.xsl.h +@@ -210,7 +210,7 @@ static char xslmsg[] = + " <h2>Incoming Requests</h2>\n" + " <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n" + " <!-- Non Mozilla specific markup -->\n" +- " <div class=\"pie\" id=\"chart_incoming_requests\">[graph incoming requests]</div>\n" ++ " <div class=\"pie\" id=\"chart_incoming_requests\">[no incoming requests]</div>\n" + " </xsl:if>\n" + " <table class=\"counters\">\n" + " <xsl:for-each select=\"server/counters[@type="opcode"]/counter\">\n" +@@ -235,7 +235,7 @@ static char xslmsg[] = + " <h3>Incoming Queries by Type</h3>\n" + " <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n" + " <!-- Non Mozilla specific markup -->\n" +- " <div class=\"pie\" id=\"chart_incoming_qtypes\">[graph incoming qtypes]</div>\n" ++ " <div class=\"pie\" id=\"chart_incoming_qtypes\">[no incoming queries]</div>\n" + " </xsl:if>\n" + " <table class=\"counters\">\n" + " <xsl:for-each select=\"server/counters[@type="qtype"]/counter\">\n" +@@ -307,7 +307,7 @@ static char xslmsg[] = + " <!-- Non Mozilla specific markup -->\n" + " <script type=\"text/javascript\">\n" + " graphs.push({\n" +- " 'title' : \"Server Response Types\",\n" ++ " 'title' : \"Server Counters\",\n" + " 'target': 'chart_server_nsstat_restype',\n" + " 'data': [['Type','Counter'],<xsl:for-each select=\"server/counters[@type="nsstat"]/counter[.>0]\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n" + " });\n" +diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c +index a9aa4a4..4aee47a 100644 +--- a/bin/named/interfacemgr.c ++++ b/bin/named/interfacemgr.c +@@ -56,6 +56,12 @@ + #endif + #endif + ++#ifdef TUNE_LARGE ++#define UDPBUFFERS 32768 ++#else ++#define UDPBUFFERS 
1000 ++#endif /* TUNE_LARGE */ ++ + #define IFMGR_MAGIC ISC_MAGIC('I', 'F', 'M', 'G') + #define NS_INTERFACEMGR_VALID(t) ISC_MAGIC_VALID(t, IFMGR_MAGIC) + +@@ -422,7 +428,8 @@ ns_interface_listenudp(ns_interface_t *ifp) { + result = dns_dispatch_getudp_dup(ifp->mgr->dispatchmgr, + ns_g_socketmgr, + ns_g_taskmgr, &ifp->addr, +- 4096, 32768, 32768, 8219, 8237, ++ 4096, UDPBUFFERS, ++ 32768, 8219, 8237, + attrs, attrmask, + &ifp->udpdispatch[disp], + disp == 0 +diff --git a/bin/named/named.docbook b/bin/named/named.docbook +index 8f46aac..33f962e 100644 +--- a/bin/named/named.docbook ++++ b/bin/named/named.docbook +@@ -248,6 +248,9 @@ + <para> + Allow <command>named</command> to use up to + <replaceable class="parameter">#max-socks</replaceable> sockets. ++ The default value is 4096 on systems built with default ++ configuration options, and 21000 on systems built with ++ "configure --with-tuning=large". + </para> + <warning> + <para> +diff --git a/bin/named/server.c b/bin/named/server.c +index b1681b4..48a7ef0 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -127,6 +127,16 @@ + #define SIZE_MAX ((size_t)-1) + #endif + ++#ifdef TUNE_LARGE ++#define RESOLVER_NTASKS 523 ++#define UDPBUFFERS 32768 ++#define EXCLBUFFERS 32768 ++#else ++#define RESOLVER_NTASKS 31 ++#define UDPBUFFERS 1000 ++#define EXCLBUFFERS 4096 ++#endif /* TUNE_LARGE */ ++ + /*% + * Check an operation for failure. Assumes that the function + * using it has a 'result' variable and a 'cleanup' label. 
+@@ -948,7 +958,7 @@ get_view_querysource_dispatch(const cfg_obj_t **maps, + isc_sockaddr_t sa; + unsigned int attrs, attrmask; + const cfg_obj_t *obj = NULL; +- unsigned int maxdispatchbuffers; ++ unsigned int maxdispatchbuffers = UDPBUFFERS; + + switch (af) { + case AF_INET: +@@ -997,7 +1007,7 @@ get_view_querysource_dispatch(const cfg_obj_t **maps, + } + if (isc_sockaddr_getport(&sa) == 0) { + attrs |= DNS_DISPATCHATTR_EXCLUSIVE; +- maxdispatchbuffers = 32768; ++ maxdispatchbuffers = EXCLBUFFERS; + } else { + INSIST(obj != NULL); + if (is_firstview) { +@@ -1006,7 +1016,6 @@ get_view_querysource_dispatch(const cfg_obj_t **maps, + "suppresses port randomization and can be " + "insecure."); + } +- maxdispatchbuffers = 32768; + } + + attrmask = 0; +@@ -2718,8 +2727,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, + } + + ndisp = 4 * ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH); +- CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31, ndisp, +- ns_g_socketmgr, ns_g_timermgr, ++ CHECK(dns_view_createresolver(view, ns_g_taskmgr, RESOLVER_NTASKS, ++ ndisp, ns_g_socketmgr, ns_g_timermgr, + resopts, ns_g_dispatchmgr, + dispatch4, dispatch6)); + +@@ -6502,7 +6511,7 @@ ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) { + + result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr, + ns_g_taskmgr, &dispatch->addr, 4096, +- 32768, 32768, 16411, 16433, ++ UDPBUFFERS, 32768, 16411, 16433, + attrs, attrmask, &dispatch->dispatch); + if (result != ISC_R_SUCCESS) + goto cleanup; +diff --git a/bin/named/update.c b/bin/named/update.c +index 2263382..14687ea 100644 +--- a/bin/named/update.c ++++ b/bin/named/update.c +@@ -2454,7 +2454,7 @@ update_action(isc_task_t *task, isc_event_t *event) { + unsigned int options; + dns_difftuple_t *tuple; + dns_rdata_dnskey_t dnskey; +- isc_boolean_t had_dnskey; ++ isc_boolean_t had_dnskey = ISC_FALSE; + dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone); + + INSIST(event->ev_type == 
DNS_EVENT_UPDATE); +diff --git a/config.h.in b/config.h.in +index 3515f69..eca525c 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -457,6 +457,9 @@ int sigwait(const unsigned int *set, int *sig); + /* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */ + #undef TIME_WITH_SYS_TIME + ++/* Define to use large-system tuning. */ ++#undef TUNE_LARGE ++ + /* Defined if you need to use ioctl(FIONBIO) instead a fcntl call to make + non-blocking. */ + #undef USE_FIONBIO_IOCTL +diff --git a/configure b/configure +index c62da63..31c518a 100755 +--- a/configure ++++ b/configure +@@ -162,7 +162,7 @@ + # + # ----------------------------------------------------------------------------- + # +-# Copyright (c) 1997 - 2003 Kungliga Tekniska H�gskolan ++# Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + # (Royal Institute of Technology, Stockholm, Sweden). + # All rights reserved. + # +@@ -517,6 +517,21 @@ + # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + # OF THE POSSIBILITY OF SUCH DAMAGE. + # ++# ----------------------------------------------------------------------------- ++# ++# Copyright (C) 2008-2011 Red Hat, Inc. ++# ++# Permission to use, copy, modify, and/or distribute this software for any ++# purpose with or without fee is hereby granted, provided that the above ++# copyright notice and this permission notice appear in all copies. ++# ++# THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH ++# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++# AND FITNESS. IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT, ++# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM ++# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE ++# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ++# PERFORMANCE OF THIS SOFTWARE. + # From configure.in Revision: 1.533 . 
+ # Guess values for system-dependent variables and create Makefiles. + # Generated by GNU Autoconf 2.69. +@@ -1305,6 +1320,8 @@ THREADOPTSRCS + THREADOPTOBJS + ISC_PLATFORM_USETHREADS + ALWAYS_DEFINES ++CHECK_DSA ++DNS_CRYPTO_PK11_LIBS + DNS_CRYPTO_LIBS + DNS_GSSAPI_LIBS + DST_GSSAPI_INC +@@ -1313,7 +1330,25 @@ ISC_PLATFORM_KRB5HEADER + ISC_PLATFORM_GSSAPI_KRB5_HEADER + ISC_PLATFORM_GSSAPIHEADER + ISC_PLATFORM_HAVEGSSAPI ++GEOIPLINKOBJS ++GEOIPLINKSRCS ++PKCS11_TEST ++PKCS11_GOST ++PKCS11_ECDSA ++CRYPTO_PK11 ++CRYPTO ++PKCS11LINKSRCS ++PKCS11LINKOBJS + PKCS11_PROVIDER ++ISC_ISCPK11_API_O ++ISC_ISCPK11_API_C ++ISC_PK11_RESULT_O ++ISC_PK11_RESULT_C ++ISC_PK11_API_O ++ISC_PK11_API_C ++ISC_PK11_O ++ISC_PK11_C ++PKCS11_ENGINE + PKCS11_TOOLS + USE_PKCS11 + ISC_OPENSSL_INC +@@ -1325,7 +1360,6 @@ OPENSSLLINKOBJS + OPENSSLGOSTLINKSRCS + OPENSSLGOSTLINKOBJS + DST_OPENSSL_INC +-USE_OPENSSL + LWRES_PLATFORM_NEEDSYSSELECTH + ISC_PLATFORM_NEEDSYSSELECTH + ISC_PLATFORM_HAVEDEVPOLL +@@ -1434,6 +1468,7 @@ PATH_SEPARATOR + SHELL' + ac_subst_files='BIND9_MAKE_INCLUDES + BIND9_MAKE_RULES ++LIBISCPK11_API + LIBISC_API + LIBISCCC_API + LIBISCCFG_API +@@ -1460,18 +1495,20 @@ enable_kqueue + enable_epoll + enable_devpoll + with_openssl +-enable_openssl_version_check +-with_ecdsa ++enable_native_pkcs11 ++with_pkcs11 + with_gost ++with_ecdsa ++enable_openssl_version_check + enable_openssl_hash +-with_pkcs11 ++with_libtool ++with_geoip + with_gssapi + with_randomdev + enable_threads + with_libxml2 + enable_largefile + with_purify +-with_libtool + enable_backtrace + enable_symtable + enable_exportlib +@@ -1496,6 +1533,7 @@ with_libiconv + with_iconv + with_idnlib + with_atf ++with_tuning + with_dlopen + with_dlz_postgres + with_dlz_mysql +@@ -2139,6 +2177,7 @@ Optional Features: + --enable-kqueue use BSD kqueue when available [default=yes] + --enable-epoll use Linux epoll when available [default=auto] + --enable-devpoll use /dev/poll when available [default=yes] ++ --enable-native-pkcs11 use 
native PKCS11 for all crypto [default=no] + --enable-openssl-version-check + Check OpenSSL Version [default=yes] + --enable-openssl-hash use OpenSSL for hash functions [default=no] +@@ -2175,15 +2214,16 @@ Optional Packages: + --with-python=PATH Specify path to python interpreter + --with-openssl=PATH Build with OpenSSL yes|no|path. + (Required for DNSSEC) +- --with-ecdsa OpenSSL ECDSA +- --with-gost OpenSSL GOST + --with-pkcs11=PATH Build with PKCS11 support yes|no|path + (PATH is for the PKCS11 provider) ++ --with-gost Crypto GOST yes|no|raw|asn1. ++ --with-ecdsa OpenSSL ECDSA ++ --with-libtool use GNU libtool ++ --with-geoip=PATH Build with GeoIP support (yes|no|path) + --with-gssapi=PATH Specify path for system-supplied GSSAPI [default=yes] + --with-randomdev=PATH Specify path for random device + --with-libxml2=PATH Build with libxml2 library yes|no|path + --with-purify=PATH use Rational purify +- --with-libtool use GNU libtool + --with-export-libdir=PATH + installation directory for the export library + [EPREFIX/lib/bind9] +@@ -2199,6 +2239,7 @@ Optional Packages: + --with-iconv=LIBSPEC specify iconv library default -liconv + --with-idnlib=ARG specify libidnkit + --with-atf=ARG Automated Test Framework support ++ --with-tuning=ARG Specify server tuning (large or default) + --with-dlopen=ARG Support dynamically loadable DLZ drivers + --with-dlz-postgres=PATH Build with Postgres DLZ driver yes|no|path. 
+ (Required to use Postgres with DLZ) +@@ -13056,13 +13097,16 @@ $as_echo "#define STDC_HEADERS 1" >>confdefs.h + fi + + +-for ac_header in fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h ++for ac_header in fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h sys/socket.h net/route.h linux/netlink.h linux/rtnetlink.h + do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` + ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default + #ifdef HAVE_SYS_PARAM_H + # include <sys/param.h> + #endif ++#ifdef HAVE_SYS_SOCKET_H ++# include <sys/socket.h> ++#endif + + " + if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : +@@ -14008,26 +14052,98 @@ else + fi + + ++# ++# was --enable-native-pkcs11 specified? ++# (note it implies both --without-openssl and --with-pkcs11) ++# ++# Check whether --enable-native-pkcs11 was given. ++if test "${enable_native_pkcs11+set}" = set; then : ++ enableval=$enable_native_pkcs11; want_native_pkcs11="$enableval" ++else ++ want_native_pkcs11="no" ++fi ++ ++ ++ ++# Check whether --with-pkcs11 was given. ++if test "${with_pkcs11+set}" = set; then : ++ withval=$with_pkcs11; use_pkcs11="$withval" ++else ++ use_pkcs11="auto" ++fi ++ ++ + openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" + if test "$use_openssl" = "auto" + then +- for d in $openssldirs +- do +- if test -f $d/include/openssl/opensslv.h +- then +- use_openssl=$d +- break +- fi +- done ++# if test "$want_native_pkcs11" = "yes" ++# then ++# use_openssl="native_pkcs11" ++# else ++ for d in $openssldirs ++ do ++ if test -f $d/include/openssl/opensslv.h ++ then ++ use_openssl=$d ++ break ++ fi ++ done ++# fi + fi + OPENSSL_ECDSA="" + OPENSSL_GOST="" ++ ++# Check whether --with-gost was given. 
++if test "${with_gost+set}" = set; then : ++ withval=$with_gost; with_gost="$withval" ++else ++ with_gost="auto" ++fi ++ ++ ++# Check whether --with-ecdsa was given. ++if test "${with_ecdsa+set}" = set; then : ++ withval=$with_ecdsa; with_ecdsa="$withval" ++else ++ with_ecdsa="auto" ++fi ++ ++ ++gosttype="raw" ++case "$with_gost" in ++ raw) ++ with_gost="yes" ++ ;; ++ asn1) ++ ++$as_echo "#define PREFER_GOSTASN1 1" >>confdefs.h ++ ++ gosttype="asn1" ++ with_gost="yes" ++ ;; ++ auto|yes|no) ++ ;; ++ *) ++ as_fn_error $? "unknown GOST private key encoding" "$LINENO" 5 ++ ;; ++esac ++ + case "$use_openssl" in ++ native_pkcs11) ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled because of native PKCS11" >&5 ++$as_echo "disabled because of native PKCS11" >&6; } ++ DST_OPENSSL_INC="" ++ CRYPTO="" ++ OPENSSLGOSTLINKOBJS="" ++ OPENSSLGOSTLINKSRS="" ++ OPENSSLLINKOBJS="" ++ OPENSSLLINKSRCS="" ++ ;; + no) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + $as_echo "no" >&6; } + DST_OPENSSL_INC="" +- USE_OPENSSL="" ++ CRYPTO="" + OPENSSLGOSTLINKOBJS="" + OPENSSLGOSTLINKSRS="" + OPENSSLLINKOBJS="" +@@ -14035,7 +14151,7 @@ $as_echo "no" >&6; } + ;; + auto) + DST_OPENSSL_INC="" +- USE_OPENSSL="" ++ CRYPTO="" + OPENSSLGOSTLINKOBJS="" + OPENSSLGOSTLINKSRS="" + OPENSSLLINKOBJS="" +@@ -14044,6 +14160,11 @@ $as_echo "no" >&6; } + If you don't want OpenSSL, use --without-openssl" "$LINENO" 5 + ;; + *) ++# if test "$want_native_pkcs11" = "yes" ++# then ++# AC_MSG_RESULT() ++# AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) ++# fi + if test "$use_openssl" = "yes" + then + # User did not specify a path - guess it +@@ -14065,7 +14186,7 @@ $as_echo "not found" >&6; } + then + as_fn_error $? 
"\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 + fi +- USE_OPENSSL='-DOPENSSL' ++ CRYPTO='-DOPENSSL' + if test "$use_openssl" = "/usr" + then + DST_OPENSSL_INC="" +@@ -14102,6 +14223,7 @@ $as_echo "not found" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL from $use_openssl/lib and $use_openssl/include" >&5 + $as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; } + ++ saved_cc="$CC" + saved_cflags="$CFLAGS" + saved_libs="$LIBS" + CFLAGS="$CFLAGS $DST_OPENSSL_INC" +@@ -14305,13 +14427,6 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + fi + + +-# Check whether --with-ecdsa was given. +-if test "${with_ecdsa+set}" = set; then : +- withval=$with_ecdsa; with_ecdsa="$withval" +-else +- with_ecdsa="auto" +-fi +- + case "$with_ecdsa" in + yes) + case "$have_ecdsa" in +@@ -14342,6 +14457,15 @@ $as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL GOST support" >&5 + $as_echo_n "checking for OpenSSL GOST support... " >&6; } + have_gost="" ++ case "$use_pkcs11" in ++ auto|no) ++ ;; ++ *) ++ if $use_threads; then ++ CC="$CC -pthread" ++ fi ++ ;; ++ esac + if test "$cross_compiling" = yes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-gost" >&5 + $as_echo "using --with-gost" >&6; } +@@ -14385,13 +14509,6 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + fi + + +-# Check whether --with-gost was given. +-if test "${with_gost+set}" = set; then : +- withval=$with_gost; with_gost="$withval" +-else +- with_gost="auto" +-fi +- + case "$with_gost" in + yes) + case "$have_gost" in +@@ -14404,7 +14521,7 @@ fi + *) + case "$have_gost" in + yes|no) ;; +- *) as_fn_error $? "need --with-gost=[yes or no]" "$LINENO" 5 ;; ++ *) as_fn_error $? 
"need --with-gost=[yes, no, raw or asn1]" "$LINENO" 5 ;; + esac + ;; + esac +@@ -14441,8 +14558,8 @@ esac + + + +- + DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS" ++DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS" + + # + # Use OpenSSL for hash functions +@@ -14457,7 +14574,7 @@ fi + + case $want_openssl_hash in + yes) +- if test "$USE_OPENSSL" = "" ++ if test "$CRYPTO" = "" + then + as_fn_error $? "No OpenSSL for hash functions" "$LINENO" 5 + fi +@@ -14472,6 +14589,46 @@ esac + + + ++ ++# Check whether --with-libtool was given. ++if test "${with_libtool+set}" = set; then : ++ withval=$with_libtool; use_libtool="$withval" ++else ++ use_libtool="no" ++fi ++ ++ ++case $use_libtool in ++ yes) ++ ++ O=lo ++ A=la ++ LIBTOOL_MKDEP_SED='s;\.o;\.lo;' ++ LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC' ++ LIBTOOL_MODE_INSTALL='--mode=install --tag=CC' ++ LIBTOOL_MODE_LINK='--mode=link --tag=CC' ++ case "$host" in ++ *) LIBTOOL_ALLOW_UNDEFINED= ;; ++ esac ++ case "$host" in ++ *-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;; ++ *) LIBTOOL_IN_MAIN= ;; ++ esac; ++ ;; ++ *) ++ O=o ++ A=a ++ LIBTOOL= ++ ++ LIBTOOL_MKDEP_SED= ++ LIBTOOL_MODE_COMPILE= ++ LIBTOOL_MODE_INSTALL= ++ LIBTOOL_MODE_LINK= ++ LIBTOOL_ALLOW_UNDEFINED= ++ LIBTOOL_IN_MAIN= ++ ;; ++esac ++ + # + # PKCS11 (aka crypto hardware) support + # +@@ -14481,31 +14638,125 @@ esac + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 support" >&5 + $as_echo_n "checking for PKCS11 support... " >&6; } + +-# Check whether --with-pkcs11 was given. 
+-if test "${with_pkcs11+set}" = set; then : +- withval=$with_pkcs11; use_pkcs11="$withval" +-else +- use_pkcs11="no" ++if test "$use_pkcs11" = "auto" ++then ++ if test "$want_native_pkcs11" = "yes" ++ then ++ use_pkcs11="yes" ++ else ++ use_pkcs11="no" ++ fi + fi + +- + case "$use_pkcs11" in + no|'') +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 +-$as_echo "disabled" >&6; } +- USE_PKCS11='' +- PKCS11_TOOLS='' ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ USE_PKCS11="" ++ PKCS11_TEST="" ++ PKCS11_TOOLS="" ++ ISC_PK11_C="" ++ ISC_PK11_O="" ++ ISC_PK11_API_C="" ++ ISC_PK11_API_O="" ++ ISC_PK11_RESULT_C="" ++ ISC_PK11_RESULT_O="" ++ ISC_ISCPK11_API_C="" ++ ISC_ISCPK11_API_O="" + ;; + yes|*) +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL with PKCS11 support" >&5 +-$as_echo "using OpenSSL with PKCS11 support" >&6; } ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++ if ! $use_threads; then ++ as_fn_error $? "PKCS11 requires thread support" "$LINENO" 5 ++ fi ++ if test "$CRYPTO" != "" ++ then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL with PKCS11 support" >&5 ++$as_echo_n "checking for OpenSSL with PKCS11 support... " >&6; } ++ saved_cc="$CC" ++ saved_cflags="$CFLAGS" ++ saved_libs="$LIBS" ++ CC="$CC -pthread" ++ CFLAGS="$CFLAGS $DST_OPENSSL_INC" ++ LIBS="$LIBS $DNS_OPENSSL_LIBS" ++ if test "$cross_compiling" = yes; then : ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross compile" >&5 ++$as_echo "cross compile" >&6; } ++ PKCS11_TEST='' ++ PKCS11_ENGINE='-DPKCS11_ENGINE=NULL' ++else ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. 
*/ ++ ++#include <openssl/conf.h> ++#include <openssl/engine.h> ++int main() { ++ ENGINE *e; ++ ++ OPENSSL_config(NULL); ++ e = ENGINE_by_id("pkcs11"); ++ if (e == NULL) ++ return (1); ++ if (ENGINE_init(e) <= 0) ++ return (1); ++ return (0); ++} ++ ++_ACEOF ++if ac_fn_c_try_run "$LINENO"; then : ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++ PKCS11_TEST=pkcs11ssl ++ PKCS11_ENGINE='-DPKCS11_ENGINE="\"pkcs11\""' ++else ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ PKCS11_TEST='' ++ PKCS11_ENGINE='-DPKCS11_ENGINE=NULL' ++fi ++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ ++ conftest.$ac_objext conftest.beam conftest.$ac_ext ++fi ++ ++ CC="$saved_cc" ++ CFLAGS="$saved_cflags" ++ LIBS="$saved_libs" ++ else ++ PKCS11_TEST='' ++ PKCS11_ENGINE='-DPKCS11_ENGINE=NULL' ++ ++ fi + USE_PKCS11='-DUSE_PKCS11' + PKCS11_TOOLS=pkcs11 +- ;; ++ ac_fn_c_check_func "$LINENO" "getpassphrase" "ac_cv_func_getpassphrase" ++if test "x$ac_cv_func_getpassphrase" = xyes; then : ++ $as_echo "#define HAVE_GETPASSPHRASE 1" >>confdefs.h ++ ++fi ++ ++ ISC_PK11_C="pk11.c" ++ ISC_PK11_O="pk11.$O" ++ ISC_PK11_API_C="pk11_api.c" ++ ISC_PK11_API_O="pk11_api.$O" ++ ISC_PK11_RESULT_C="pk11_result.c" ++ ISC_PK11_RESULT_O="pk11_result.$O" ++ ISC_ISCPK11_API_C="unix/pk11_api.c" ++ ISC_ISCPK11_API_O="unix/pk11_api.$O" ++ ;; + esac + + + ++ ++ ++ ++ ++ ++ ++ ++ ++ + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 tools" >&5 + $as_echo_n "checking for PKCS11 tools... 
" >&6; } + case "$use_pkcs11" in +@@ -14514,68 +14765,448 @@ case "$use_pkcs11" in + $as_echo "disabled" >&6; } + PKCS11_PROVIDER="undefined" + ;; +- *) +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: PKCS11 provider is \"$use_pkcs11\"" >&5 +-$as_echo "PKCS11 provider is \"$use_pkcs11\"" >&6; } ++ yes|'') ++ PKCS11_PROVIDER="undefined" ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5 ++$as_echo "enabled" >&6; } ++ ;; ++ *) + PKCS11_PROVIDER="$use_pkcs11" ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled, PKCS11 provider is $PKCS11_PROVIDER" >&5 ++$as_echo "enabled, PKCS11 provider is $PKCS11_PROVIDER" >&6; } + ;; + esac + + +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library" >&5 +-$as_echo_n "checking for GSSAPI library... " >&6; } ++CRYPTO_PK11="" ++PKCS11_ECDSA="" ++PKCS11_GOST="" ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for native PKCS11" >&5 ++$as_echo_n "checking for native PKCS11... " >&6; } + +-# Check whether --with-gssapi was given. +-if test "${with_gssapi+set}" = set; then : +- withval=$with_gssapi; use_gssapi="$withval" +-else +- use_gssapi="yes" +-fi ++case "$want_native_pkcs11" in ++ yes) ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: using native PKCS11 crypto" >&5 ++$as_echo "using native PKCS11 crypto" >&6; } ++ CRYPTO_PK11="-DPKCS11CRYPTO" ++ PKCS11LINKOBJS='${PKCS11LINKOBJS}' ++ PKCS11LINKSRCS='${PKCS11LINKSRCS}' ++ PKCS11_TEST=pkcs11 ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 ECDSA" >&5 ++$as_echo_n "checking for PKCS11 ECDSA... 
" >&6; } ++ case "$with_ecdsa" in ++ no) ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 ++$as_echo "disabled" >&6; } ++ ;; ++ *) ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5 ++$as_echo "enabled" >&6; } ++ PKCS11_ECDSA="yes" + ++$as_echo "#define HAVE_PKCS11_ECDSA 1" >>confdefs.h + +-# gssapi is just the framework, we really require kerberos v5, so +-# look for those headers (the gssapi headers must be there, too) +-# The problem with this implementation is that it doesn't allow +-# for the specification of gssapi and krb5 headers in different locations, +-# which probably ought to be fixed although fixing might raise the issue of +-# trying to build with incompatible versions of gssapi and krb5. +-if test "$use_gssapi" = "yes" +-then +- # first, deal with the obvious +- if test \( -f /usr/include/kerberosv5/krb5.h -o \ +- -f /usr/include/krb5/krb5.h -o \ +- -f /usr/include/krb5.h \) -a \ +- \( -f /usr/include/gssapi.h -o \ +- -f /usr/include/gssapi/gssapi.h \) +- then +- use_gssapi=/usr +- else +- krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr" +- for d in $krb5dirs +- do +- if test -f $d/include/gssapi/gssapi_krb5.h -o \ +- -f $d/include/krb5.h +- then +- if test -f $d/include/gssapi/gssapi.h -o \ +- -f $d/include/gssapi.h +- then +- use_gssapi=$d +- break +- fi +- fi +- use_gssapi="no" +- done +- fi +-fi ++ ;; ++ esac ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 GOST" >&5 ++$as_echo_n "checking for PKCS11 GOST... 
" >&6; } ++ case "$with_gost" in ++ yes) ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5 ++$as_echo "enabled" >&6; } ++ PKCS11_GOST="yes" + +-case "$use_gssapi" in +- no) ++$as_echo "#define HAVE_PKCS11_GOST 1" >>confdefs.h ++ ++ ;; ++ *) ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 ++$as_echo "disabled" >&6; } ++ ;; ++ esac ++ ;; ++ no|'') + { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 + $as_echo "disabled" >&6; } +- USE_GSSAPI='' + ;; +- yes) +- as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5 ++esac ++ ++ ++ ++ ++ ++ ++ ++ ++ ++# for PKCS11 benchmarks ++have_clock_gt=no ++ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime" ++if test "x$ac_cv_func_clock_gettime" = xyes; then : ++ have_clock_gt=yes ++fi ++ ++if test "$have_clock_gt" = "no"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for clock_gettime in -lrt" >&5 ++$as_echo_n "checking for clock_gettime in -lrt... " >&6; } ++if ${ac_cv_lib_rt_clock_gettime+:} false; then : ++ $as_echo_n "(cached) " >&6 ++else ++ ac_check_lib_save_LIBS=$LIBS ++LIBS="-lrt $LIBS" ++cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++ ++/* Override any GCC internal prototype to avoid an error. ++ Use char because int might match the return type of a GCC ++ builtin and then its argument prototype would still apply. 
*/ ++#ifdef __cplusplus ++extern "C" ++#endif ++char clock_gettime (); ++int ++main () ++{ ++return clock_gettime (); ++ ; ++ return 0; ++} ++_ACEOF ++if ac_fn_c_try_link "$LINENO"; then : ++ ac_cv_lib_rt_clock_gettime=yes ++else ++ ac_cv_lib_rt_clock_gettime=no ++fi ++rm -f core conftest.err conftest.$ac_objext \ ++ conftest$ac_exeext conftest.$ac_ext ++LIBS=$ac_check_lib_save_LIBS ++fi ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_clock_gettime" >&5 ++$as_echo "$ac_cv_lib_rt_clock_gettime" >&6; } ++if test "x$ac_cv_lib_rt_clock_gettime" = xyes; then : ++ have_clock_gt=ye ++fi ++ ++ fi ++if test "$have_clock_gt" = "yes"; then ++ ++$as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h ++ ++fi ++ ++ ++GEOIPLINKSRCS= ++GEOIPLINKOBJS= ++ ++# Check whether --with-geoip was given. ++if test "${with_geoip+set}" = set; then : ++ withval=$with_geoip; use_geoip="$withval" ++else ++ use_geoip="no" ++fi ++ ++ ++if test "$use_geoip" = "yes" ++then ++ for d in /usr /usr/local /opt/local ++ do ++ if test -f $d/include/GeoIP.h ++ then ++ use_geoip=$d ++ break ++ fi ++ done ++fi ++ ++case "$use_geoip" in ++ no|'') ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP support" >&5 ++$as_echo_n "checking for GeoIP support... " >&6; } ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 ++$as_echo "disabled" >&6; } ++ ;; ++ *) ++ if test -d "$use_geoip" -o -L "$use_geoip" ++ then ++ CFLAGS="$CFLAGS -I$use_geoip/include" ++ CPPFLAGS="$CPPFLAGS -I$use_geoip/include" ++ LIBS="$LIBS -L$use_geoip/lib" ++ case "$host_os" in ++ netbsd*|openbsd*|solaris*) ++ LIBS="$LIBS -Wl,-rpath=$use_geoip/lib" ++ ;; ++ esac ++ elif test "$use_geoip" = "yes" ++ then ++ as_fn_error $? "GeoIP path not found" "$LINENO" 5 ++ else ++ as_fn_error $? 
"GeoIP path $use_geoip does not exist" "$LINENO" 5 ++ fi ++ ac_fn_c_check_header_mongrel "$LINENO" "GeoIP.h" "ac_cv_header_GeoIP_h" "$ac_includes_default" ++if test "x$ac_cv_header_GeoIP_h" = xyes; then : ++ ++else ++ as_fn_error $? "GeoIP header file not found" "$LINENO" 5 ++ ++fi ++ ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing GeoIP_open" >&5 ++$as_echo_n "checking for library containing GeoIP_open... " >&6; } ++if ${ac_cv_search_GeoIP_open+:} false; then : ++ $as_echo_n "(cached) " >&6 ++else ++ ac_func_search_save_LIBS=$LIBS ++cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++ ++/* Override any GCC internal prototype to avoid an error. ++ Use char because int might match the return type of a GCC ++ builtin and then its argument prototype would still apply. */ ++#ifdef __cplusplus ++extern "C" ++#endif ++char GeoIP_open (); ++int ++main () ++{ ++return GeoIP_open (); ++ ; ++ return 0; ++} ++_ACEOF ++for ac_lib in '' GeoIP; do ++ if test -z "$ac_lib"; then ++ ac_res="none required" ++ else ++ ac_res=-l$ac_lib ++ LIBS="-l$ac_lib $ac_func_search_save_LIBS" ++ fi ++ if ac_fn_c_try_link "$LINENO"; then : ++ ac_cv_search_GeoIP_open=$ac_res ++fi ++rm -f core conftest.err conftest.$ac_objext \ ++ conftest$ac_exeext ++ if ${ac_cv_search_GeoIP_open+:} false; then : ++ break ++fi ++done ++if ${ac_cv_search_GeoIP_open+:} false; then : ++ ++else ++ ac_cv_search_GeoIP_open=no ++fi ++rm conftest.$ac_ext ++LIBS=$ac_func_search_save_LIBS ++fi ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_GeoIP_open" >&5 ++$as_echo "$ac_cv_search_GeoIP_open" >&6; } ++ac_res=$ac_cv_search_GeoIP_open ++if test "$ac_res" != no; then : ++ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" ++ ++else ++ as_fn_error $? "GeoIP library not found" "$LINENO" 5 ++ ++fi ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing fabsf" >&5 ++$as_echo_n "checking for library containing fabsf... 
" >&6; } ++if ${ac_cv_search_fabsf+:} false; then : ++ $as_echo_n "(cached) " >&6 ++else ++ ac_func_search_save_LIBS=$LIBS ++cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++ ++/* Override any GCC internal prototype to avoid an error. ++ Use char because int might match the return type of a GCC ++ builtin and then its argument prototype would still apply. */ ++#ifdef __cplusplus ++extern "C" ++#endif ++char fabsf (); ++int ++main () ++{ ++return fabsf (); ++ ; ++ return 0; ++} ++_ACEOF ++for ac_lib in '' m; do ++ if test -z "$ac_lib"; then ++ ac_res="none required" ++ else ++ ac_res=-l$ac_lib ++ LIBS="-l$ac_lib $ac_func_search_save_LIBS" ++ fi ++ if ac_fn_c_try_link "$LINENO"; then : ++ ac_cv_search_fabsf=$ac_res ++fi ++rm -f core conftest.err conftest.$ac_objext \ ++ conftest$ac_exeext ++ if ${ac_cv_search_fabsf+:} false; then : ++ break ++fi ++done ++if ${ac_cv_search_fabsf+:} false; then : ++ ++else ++ ac_cv_search_fabsf=no ++fi ++rm conftest.$ac_ext ++LIBS=$ac_func_search_save_LIBS ++fi ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_fabsf" >&5 ++$as_echo "$ac_cv_search_fabsf" >&6; } ++ac_res=$ac_cv_search_fabsf ++if test "$ac_res" != no; then : ++ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" ++ ++else ++ as_fn_error $? "Math library not found" "$LINENO" 5 ++ ++fi ++ ++ ++$as_echo "#define HAVE_GEOIP 1" >>confdefs.h ++ ++ GEOIPLINKSRCS='${GEOIPLINKSRCS}' ++ GEOIPLINKOBJS='${GEOIPLINKOBJS}' ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP support" >&5 ++$as_echo_n "checking for GeoIP support... " >&6; } ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP Country IPv6 support" >&5 ++$as_echo_n "checking for GeoIP Country IPv6 support... " >&6; } ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. 
*/ ++ ++ #include <GeoIP.h> ++ #include <netinet/in.h> ++ ++int ++main () ++{ ++ ++ struct in6_addr in6; ++ GeoIP_country_name_by_ipnum_v6(NULL, in6); ++ ++ ; ++ return 0; ++} ++_ACEOF ++if ac_fn_c_try_compile "$LINENO"; then : ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++ ++$as_echo "#define HAVE_GEOIP_V6 1" >>confdefs.h ++ ++ ++else ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ ++fi ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP City IPv6 support" >&5 ++$as_echo_n "checking for GeoIP City IPv6 support... " >&6; } ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++ ++ #include <GeoIP.h> ++ #include <GeoIPCity.h> ++ #include <netinet/in.h> ++ ++int ++main () ++{ ++ ++ struct in6_addr in6; ++ int i = GEOIP_CITY_EDITION_REV0_V6; ++ GeoIP_record_by_ipnum_v6(NULL, in6); ++ ++ ; ++ return 0; ++} ++_ACEOF ++if ac_fn_c_try_compile "$LINENO"; then : ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++ ++$as_echo "#define HAVE_GEOIP_CITY_V6 1" >>confdefs.h ++ ++ ++else ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ ++fi ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++ ;; ++esac ++ ++ ++ ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library" >&5 ++$as_echo_n "checking for GSSAPI library... " >&6; } ++ ++# Check whether --with-gssapi was given. 
++if test "${with_gssapi+set}" = set; then : ++ withval=$with_gssapi; use_gssapi="$withval" ++else ++ use_gssapi="yes" ++fi ++ ++ ++# gssapi is just the framework, we really require kerberos v5, so ++# look for those headers (the gssapi headers must be there, too) ++# The problem with this implementation is that it doesn't allow ++# for the specification of gssapi and krb5 headers in different locations, ++# which probably ought to be fixed although fixing might raise the issue of ++# trying to build with incompatible versions of gssapi and krb5. ++if test "$use_gssapi" = "yes" ++then ++ # first, deal with the obvious ++ if test \( -f /usr/include/kerberosv5/krb5.h -o \ ++ -f /usr/include/krb5/krb5.h -o \ ++ -f /usr/include/krb5.h \) -a \ ++ \( -f /usr/include/gssapi.h -o \ ++ -f /usr/include/gssapi/gssapi.h \) ++ then ++ use_gssapi=/usr ++ else ++ krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr" ++ for d in $krb5dirs ++ do ++ if test -f $d/include/gssapi/gssapi_krb5.h -o \ ++ -f $d/include/krb5.h ++ then ++ if test -f $d/include/gssapi/gssapi.h -o \ ++ -f $d/include/gssapi.h ++ then ++ use_gssapi=$d ++ break ++ fi ++ fi ++ use_gssapi="no" ++ done ++ fi ++fi ++ ++case "$use_gssapi" in ++ no) ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 ++$as_echo "disabled" >&6; } ++ USE_GSSAPI='' ++ ;; ++ yes) ++ as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5 + ;; + *) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: looking in $use_gssapi/lib" >&5 +@@ -14766,13 +15397,14 @@ esac + + + DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" +- ++DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS" + # + # Applications linking with libdns also need to link with these libraries. + # + + + ++ + # + # was --with-randomdev specified? 
+ # +@@ -14849,6 +15481,21 @@ $as_echo "using \"$use_randomdev\"" >&6; } + esac + + # ++# Only check dsa signature generation on these platforms when performing ++# system tests. ++# ++CHECK_DSA=0 ++if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null ++then ++ case "$host" in ++ *darwin*|*freebsd*) ++ CHECK_DSA=1 ++ ;; ++ esac ++fi ++ ++ ++# + # Do we have arc4random() ? + # + ac_fn_c_check_func "$LINENO" "arc4random" "ac_cv_func_arc4random" +@@ -16224,46 +16871,6 @@ esac + + + +- +-# Check whether --with-libtool was given. +-if test "${with_libtool+set}" = set; then : +- withval=$with_libtool; use_libtool="$withval" +-else +- use_libtool="no" +-fi +- +- +-case $use_libtool in +- yes) +- +- O=lo +- A=la +- LIBTOOL_MKDEP_SED='s;\.o;\.lo;' +- LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC' +- LIBTOOL_MODE_INSTALL='--mode=install --tag=CC' +- LIBTOOL_MODE_LINK='--mode=link --tag=CC' +- case "$host" in +- *) LIBTOOL_ALLOW_UNDEFINED= ;; +- esac +- case "$host" in +- *-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;; +- *) LIBTOOL_IN_MAIN= ;; +- esac; +- ;; +- *) +- O=o +- A=a +- LIBTOOL= +- +- LIBTOOL_MKDEP_SED= +- LIBTOOL_MODE_COMPILE= +- LIBTOOL_MODE_INSTALL= +- LIBTOOL_MODE_LINK= +- LIBTOOL_ALLOW_UNDEFINED= +- LIBTOOL_IN_MAIN= +- ;; +-esac +- + # + # enable/disable dumping stack backtrace. Also check if the system supports + # glibc-compatible backtrace() function. +@@ -17308,7 +17915,9 @@ _ACEOF + if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 + $as_echo "size_t for buflen; int for flags" >&6; } +- $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T size_t" >>confdefs.h ++ # Changed to solve multilib conflict on Fedora ++ #AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t) ++ $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T socklen_t" >>confdefs.h + + $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h + +@@ -18504,6 +19113,10 @@ _ACEOF + $as_echo "$arch" >&6; } + fi + ++if test ! 
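Review bot: The result line printed just above still says `size_t for buflen; int for flags` while the define now emits `IRS_GETNAMEINFO_BUFLEN_T socklen_t`, so config.log and the generated header disagree about what was chosen. Change the echoed text to match, e.g. `result: socklen_t for buflen (Fedora multilib override); int for flags`, or keep the probe message and add a shell comment stating that the probe result is deliberately overridden. The `#AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t)` line is m4 input pasted into the generated script; replace it with a plain comment naming the bug or reason, since "multilib conflict" alone does not tell a maintainer why a size_t/socklen_t mismatch is acceptable. If this macro feeds an installed prototype for getnameinfo, the divergence from the libc declaration on LP64 targets deserves a one-line note; I cannot confirm its use from this hunk.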
"$arch" = "x86_64" -a "$have_xaddq" = "yes"; then ++ as_fn_error $? "XADDQ present but disabled by Fedora patch!" "$LINENO" 5 ++fi ++ + if test "$have_atomic" = "yes"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 + $as_echo_n "checking compiler support for inline assembly code... " >&6; } +@@ -19547,6 +20160,38 @@ done + + + # ++# was --with-tuning specified? ++# ++ ++# Check whether --with-tuning was given. ++if test "${with_tuning+set}" = set; then : ++ withval=$with_tuning; use_tuning="$withval" ++else ++ use_tuning="no" ++fi ++ ++ ++case "$use_tuning" in ++ large) ++ if ! $use_threads; then ++ as_fn_error $? "Large-system tuning requires threads." "$LINENO" 5 ++ fi ++ ++$as_echo "#define TUNE_LARGE 1" >>confdefs.h ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: using large-system tuning" >&5 ++$as_echo "using large-system tuning" >&6; } ++ ;; ++ no|default) ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: using default tuning" >&5 ++$as_echo "using default tuning" >&6; } ++ ;; ++ yes|*) ++ as_fn_error $? "You must specify \"large\" or \"default\" for --with-tuning." "$LINENO" 5 ++ ;; ++esac ++ ++# + # Substitutions + # + +@@ -19611,6 +20256,9 @@ BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}" + + + ++LIBISCPK11_API="$srcdir/lib/iscpk11/api" ++ ++ + LIBISC_API="$srcdir/lib/isc/api" + + +@@ -19810,6 +20458,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" + # + dlzdir='${DLZ_DRIVER_DIR}' + ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for target libdir" >&5 ++$as_echo_n "checking for target libdir... " >&6; } ++if test "$cross_compiling" = yes; then : ++ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 ++$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} ++as_fn_error $? "cannot run test program while cross compiling ++See \`config.log' for more details" "$LINENO" 5; } ++else ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. 
*/ ++int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);} ++_ACEOF ++if ac_fn_c_try_run "$LINENO"; then : ++ target_lib=lib64 ++else ++ target_lib=lib ++fi ++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ ++ conftest.$ac_objext conftest.beam conftest.$ac_ext ++fi ++ ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$target_lib\"" >&5 ++$as_echo "\"$target_lib\"" >&6; } ++ + # + # Private autoconf macro to simplify configuring drivers: + # +@@ -19982,9 +20654,9 @@ then + then + use_dlz_mysql=$d + mysql_include=$d/include/mysql +- if test -d $d/lib/mysql ++ if test -d $d/${target_lib}/mysql + then +- mysql_lib=$d/lib/mysql ++ mysql_lib=$d/${target_lib}/mysql + else + mysql_lib=$d/lib + fi +@@ -20118,7 +20790,7 @@ $as_echo "not found" >&6; } + # Check other locations for includes. + # Order is important (sigh). + +- bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /db/" ++ bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /libdb/ /db/" + for d in $bdb_incdirs + do + if test -f "$dd/include${d}db.h" +@@ -20142,15 +20814,9 @@ $as_echo "not found" >&6; } + bdb_libnames="db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" + for d in $bdb_libnames + do +- if test -f "$dd/lib/lib${d}.so" ++ if test -f "$dd/${target_lib}/lib${d}.so" + then +- if test "$dd" != "/usr" +- then +- dlz_bdb_libs="-L${dd}/lib " +- else +- dlz_bdb_libs="" +- fi +- dlz_bdb_libs="${dlz_bdb_libs}-l${d}" ++ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}" + break + fi + done +@@ -20306,9 +20972,9 @@ $as_echo "no" >&6; } + then + DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" + fi +- if test -n "-L$use_dlz_ldap/lib -lldap -llber" ++ if test -n "-L$use_dlz_ldap/${target_lib} -lldap -llber" + then +- DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/lib -lldap -llber" ++ DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/${target_lib} -lldap -llber" + fi + + 
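Review bot: The run test `int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}` calls exit() without `#include <stdlib.h>`; a compiler that rejects implicit function declarations (the GCC 14 default) fails the compile step, `ac_fn_c_try_run` reports failure, and `target_lib` silently becomes `lib` on a 64-bit host, which then points every DLZ `-L` path at the wrong directory. Use `int main(void) { return (sizeof(void *) == 8) ? 0 : 1; }`, which needs no header. Separately, the cross-compiling branch aborts configure outright; a fallback of `target_lib=lib`, or an explicit override option, would be friendlier than a hard error, though I cannot tell from the hunk whether the packaging ever cross-compiles. Pointer width is only a proxy for the multilib layout, so a `test -d "/usr/$target_lib"` before trusting the result would catch 64-bit hosts without a lib64 tree.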
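Review bot: The `else` branch still hardcodes `mysql_lib=$d/lib` while the `if` branch was switched to `${target_lib}`, so on a lib64 host whose MySQL libraries sit directly in `$d/lib64` the fallback points `-L` at the 32-bit directory. Change it to `mysql_lib=$d/${target_lib}` so both branches follow the detected libdir. The enclosing loop that sets `use_dlz_mysql` starts outside the hunk.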
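Review bot: The probe and the link flag disagree: the loop tests `"$dd/${target_lib}/lib${d}.so"` but then emits `-L${dd}/${target_lib}/libdb -l${d}`. If the library actually lives in a `libdb` subdirectory, which the `/libdb/` entry added to `bdb_incdirs` in the previous hunk suggests, the probe never matches and `dlz_bdb_libs` is never set; if it lives in `${target_lib}` directly, `-L` names a non-existent directory and linking only works because the default search path is consulted. Make the two agree, for example probe `"$dd/${target_lib}/libdb/lib${d}.so"` first and fall back to `"$dd/${target_lib}/lib${d}.so"` with a plain `-L${dd}/${target_lib}`, deriving the `-L` from whichever matched. The old code also omitted `-L` when `$dd` was `/usr`; dropping that special case is harmless only if the `libdb` directory exists there.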
+@@ -20339,7 +21005,7 @@ then + odbcdirs="/usr /usr/local /usr/pkg" + for d in $odbcdirs + do +- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a ++ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a + then + use_dlz_odbc=$d + break +@@ -20369,9 +21035,9 @@ $as_echo "not found" >&6; } + then + DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_odbc/include" + fi +- if test -n "-L$use_dlz_odbc/lib -lodbc" ++ if test -n "-L$use_dlz_odbc/${target_lib} -lodbc" + then +- DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_odbc/lib -lodbc" ++ DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_odbc/${target_lib} -lodbc" + fi + + +@@ -20595,7 +21261,7 @@ ac_config_commands="$ac_config_commands chmod" + # elsewhere if there's a good reason for doing so. + # + +-ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh 
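Review bot: `if test -n "-L$use_dlz_odbc/${target_lib} -lodbc"` is a tautology: the string begins with the literal `-L`, so it is never empty and the guard always appends to DLZ_DRIVER_LIBS. If the intent is to skip the flags when no path was found, test the variable itself, `if test -n "$use_dlz_odbc"`, or drop the `if` altogether; the LDAP hunk above carries the same pattern with `-lldap -llber`. The `case` that validates `$use_dlz_odbc` begins outside this hunk, so I am assuming it is non-empty whenever this branch is reached.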
bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dyndb/Makefile bin/tests/system/dyndb/driver/Makefile bin/tests/system/ecdsa/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/gost/prereq.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rrl/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/check-secure-delegation.pl contrib/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/export/Makefile lib/export/dns/Makefile lib/export/dns/include/Makefile lib/export/dns/include/dns/Makefile lib/export/dns/include/dst/Makefile lib/export/irs/Makefile lib/export/irs/include/Makefile lib/export/irs/include/irs/Makefile lib/export/isc/$thread_dir/Makefile lib/export/isc/$thread_dir/include/Makefile lib/export/isc/$thread_dir/include/isc/Makefile lib/export/isc/Makefile lib/export/isc/include/Makefile lib/export/isc/include/isc/Makefile lib/export/isc/nls/Makefile lib/export/isc/unix/Makefile lib/export/isc/unix/include/Makefile lib/export/isc/unix/include/isc/Makefile lib/export/isccfg/Makefile lib/export/isccfg/include/Makefile lib/export/isccfg/include/isccfg/Makefile lib/export/samples/Makefile lib/export/samples/Makefile-postinstall lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile 
lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile unit/Makefile unit/unittest.sh" ++ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/dnssec-pkcs11/Makefile bin/named/Makefile bin/named-pkcs11/Makefile bin/named-pkcs11/unix/Makefile bin/named/unix/Makefile bin/named-sdb/Makefile bin/named-sdb/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/sdb_tools/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key 
bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dyndb/Makefile bin/tests/system/dyndb/driver/Makefile bin/tests/system/ecdsa/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/gost/prereq.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rrl/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/check-secure-delegation.pl contrib/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/dns-pkcs11/Makefile lib/dns-pkcs11/include/Makefile lib/dns-pkcs11/include/dns/Makefile lib/dns-pkcs11/include/dst/Makefile lib/export/Makefile lib/export/dns/Makefile lib/export/dns/include/Makefile lib/export/dns/include/dns/Makefile lib/export/dns/include/dst/Makefile lib/export/dns-pkcs11/Makefile lib/export/dns-pkcs11/include/Makefile 
lib/export/dns-pkcs11/include/dns/Makefile lib/export/dns-pkcs11/include/dst/Makefile lib/export/irs/Makefile lib/export/irs/include/Makefile lib/export/irs/include/irs/Makefile lib/export/isc/$thread_dir/Makefile lib/export/isc/$thread_dir/include/Makefile lib/export/isc/$thread_dir/include/isc/Makefile lib/export/isc/Makefile lib/export/isc/include/Makefile lib/export/isc/include/isc/Makefile lib/export/isc/nls/Makefile lib/export/isc/unix/Makefile lib/export/isc/unix/include/Makefile lib/export/isc/unix/include/isc/Makefile lib/export/isc-pkcs11/$thread_dir/Makefile lib/export/isc-pkcs11/$thread_dir/include/Makefile lib/export/isc-pkcs11/$thread_dir/include/isc/Makefile lib/export/isc-pkcs11/Makefile lib/export/isc-pkcs11/include/Makefile lib/export/isc-pkcs11/include/isc/Makefile lib/export/isc-pkcs11/nls/Makefile lib/export/isc-pkcs11/unix/Makefile lib/export/isc-pkcs11/unix/include/Makefile lib/export/isc-pkcs11/unix/include/isc/Makefile lib/export/isccfg/Makefile lib/export/isccfg/include/Makefile lib/export/isccfg/include/isccfg/Makefile lib/export/samples/Makefile lib/export/samples/Makefile-postinstall lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isc-pkcs11/$arch/Makefile lib/isc-pkcs11/$arch/include/Makefile lib/isc-pkcs11/$arch/include/isc/Makefile lib/isc-pkcs11/$thread_dir/Makefile lib/isc-pkcs11/$thread_dir/include/Makefile 
lib/isc-pkcs11/$thread_dir/include/isc/Makefile lib/isc-pkcs11/Makefile lib/isc-pkcs11/include/Makefile lib/isc-pkcs11/include/isc/Makefile lib/isc-pkcs11/include/isc/platform.h lib/isc-pkcs11/include/pk11/Makefile lib/isc-pkcs11/include/pkcs11/Makefile lib/isc-pkcs11/tests/Makefile lib/isc-pkcs11/nls/Makefile lib/isc-pkcs11/unix/Makefile lib/isc-pkcs11/unix/include/Makefile lib/isc-pkcs11/unix/include/isc/Makefile lib/isc-pkcs11/unix/include/pkcs11/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile unit/Makefile unit/unittest.sh" + + + # +@@ -21597,14 +22263,20 @@ do + "bin/confgen/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/confgen/unix/Makefile" ;; + "bin/dig/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dig/Makefile" ;; + "bin/dnssec/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dnssec/Makefile" ;; ++ "bin/dnssec-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dnssec-pkcs11/Makefile" ;; + "bin/named/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named/Makefile" ;; ++ "bin/named-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named-pkcs11/Makefile" ;; ++ "bin/named-pkcs11/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named-pkcs11/unix/Makefile" ;; + "bin/named/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named/unix/Makefile" ;; ++ "bin/named-sdb/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named-sdb/Makefile" ;; ++ "bin/named-sdb/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named-sdb/unix/Makefile" ;; + "bin/nsupdate/Makefile") CONFIG_FILES="$CONFIG_FILES bin/nsupdate/Makefile" ;; + "bin/pkcs11/Makefile") 
CONFIG_FILES="$CONFIG_FILES bin/pkcs11/Makefile" ;; + "bin/python/Makefile") CONFIG_FILES="$CONFIG_FILES bin/python/Makefile" ;; + "bin/python/dnssec-checkds.py") CONFIG_FILES="$CONFIG_FILES bin/python/dnssec-checkds.py" ;; + "bin/python/dnssec-coverage.py") CONFIG_FILES="$CONFIG_FILES bin/python/dnssec-coverage.py" ;; + "bin/rndc/Makefile") CONFIG_FILES="$CONFIG_FILES bin/rndc/Makefile" ;; ++ "bin/sdb_tools/Makefile") CONFIG_FILES="$CONFIG_FILES bin/sdb_tools/Makefile" ;; + "bin/tests/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/Makefile" ;; + "bin/tests/atomic/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/atomic/Makefile" ;; + "bin/tests/db/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/db/Makefile" ;; +@@ -21630,6 +22302,8 @@ do + "bin/tests/mem/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/mem/Makefile" ;; + "bin/tests/names/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/names/Makefile" ;; + "bin/tests/net/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/net/Makefile" ;; ++ "bin/tests/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/pkcs11/Makefile" ;; ++ "bin/tests/pkcs11/benchmarks/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/pkcs11/benchmarks/Makefile" ;; + "bin/tests/rbt/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/rbt/Makefile" ;; + "bin/tests/resolver/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/resolver/Makefile" ;; + "bin/tests/sockaddr/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/sockaddr/Makefile" ;; +@@ -21642,6 +22316,7 @@ do + "bin/tests/system/dyndb/driver/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/dyndb/driver/Makefile" ;; + "bin/tests/system/ecdsa/prereq.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/system/ecdsa/prereq.sh" ;; + "bin/tests/system/filter-aaaa/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/filter-aaaa/Makefile" ;; ++ "bin/tests/system/geoip/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/geoip/Makefile" ;; + "bin/tests/system/gost/prereq.sh") 
CONFIG_FILES="$CONFIG_FILES bin/tests/system/gost/prereq.sh" ;; + "bin/tests/system/lwresd/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/lwresd/Makefile" ;; + "bin/tests/system/rpz/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/rpz/Makefile" ;; +@@ -21677,11 +22352,19 @@ do + "lib/dns/include/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/include/dns/Makefile" ;; + "lib/dns/include/dst/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/include/dst/Makefile" ;; + "lib/dns/tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/tests/Makefile" ;; ++ "lib/dns-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns-pkcs11/Makefile" ;; ++ "lib/dns-pkcs11/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns-pkcs11/include/Makefile" ;; ++ "lib/dns-pkcs11/include/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns-pkcs11/include/dns/Makefile" ;; ++ "lib/dns-pkcs11/include/dst/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns-pkcs11/include/dst/Makefile" ;; + "lib/export/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/Makefile" ;; + "lib/export/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns/Makefile" ;; + "lib/export/dns/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns/include/Makefile" ;; + "lib/export/dns/include/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns/include/dns/Makefile" ;; + "lib/export/dns/include/dst/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns/include/dst/Makefile" ;; ++ "lib/export/dns-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns-pkcs11/Makefile" ;; ++ "lib/export/dns-pkcs11/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns-pkcs11/include/Makefile" ;; ++ "lib/export/dns-pkcs11/include/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns-pkcs11/include/dns/Makefile" ;; ++ "lib/export/dns-pkcs11/include/dst/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns-pkcs11/include/dst/Makefile" ;; + "lib/export/irs/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/export/irs/Makefile" ;; + "lib/export/irs/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/irs/include/Makefile" ;; + "lib/export/irs/include/irs/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/irs/include/irs/Makefile" ;; +@@ -21695,6 +22378,16 @@ do + "lib/export/isc/unix/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/unix/Makefile" ;; + "lib/export/isc/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/unix/include/Makefile" ;; + "lib/export/isc/unix/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/unix/include/isc/Makefile" ;; ++ "lib/export/isc-pkcs11/$thread_dir/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/$thread_dir/Makefile" ;; ++ "lib/export/isc-pkcs11/$thread_dir/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/$thread_dir/include/Makefile" ;; ++ "lib/export/isc-pkcs11/$thread_dir/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/$thread_dir/include/isc/Makefile" ;; ++ "lib/export/isc-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/Makefile" ;; ++ "lib/export/isc-pkcs11/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/include/Makefile" ;; ++ "lib/export/isc-pkcs11/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/include/isc/Makefile" ;; ++ "lib/export/isc-pkcs11/nls/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/nls/Makefile" ;; ++ "lib/export/isc-pkcs11/unix/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/unix/Makefile" ;; ++ "lib/export/isc-pkcs11/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/unix/include/Makefile" ;; ++ "lib/export/isc-pkcs11/unix/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc-pkcs11/unix/include/isc/Makefile" ;; + "lib/export/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isccfg/Makefile" ;; + "lib/export/isccfg/include/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/export/isccfg/include/Makefile" ;; + "lib/export/isccfg/include/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isccfg/include/isccfg/Makefile" ;; +@@ -21715,11 +22408,32 @@ do + "lib/isc/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/Makefile" ;; + "lib/isc/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/isc/Makefile" ;; + "lib/isc/include/isc/platform.h") CONFIG_FILES="$CONFIG_FILES lib/isc/include/isc/platform.h" ;; ++ "lib/isc/include/pk11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/pk11/Makefile" ;; ++ "lib/isc/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/pkcs11/Makefile" ;; + "lib/isc/tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/tests/Makefile" ;; + "lib/isc/nls/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/nls/Makefile" ;; + "lib/isc/unix/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/Makefile" ;; + "lib/isc/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/include/Makefile" ;; + "lib/isc/unix/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/include/isc/Makefile" ;; ++ "lib/isc/unix/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/include/pkcs11/Makefile" ;; ++ "lib/isc-pkcs11/$arch/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$arch/Makefile" ;; ++ "lib/isc-pkcs11/$arch/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$arch/include/Makefile" ;; ++ "lib/isc-pkcs11/$arch/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$arch/include/isc/Makefile" ;; ++ "lib/isc-pkcs11/$thread_dir/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$thread_dir/Makefile" ;; ++ "lib/isc-pkcs11/$thread_dir/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$thread_dir/include/Makefile" ;; ++ "lib/isc-pkcs11/$thread_dir/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$thread_dir/include/isc/Makefile" ;; ++ "lib/isc-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/Makefile" ;; ++ "lib/isc-pkcs11/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/include/Makefile" ;; ++ "lib/isc-pkcs11/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/include/isc/Makefile" ;; ++ "lib/isc-pkcs11/include/isc/platform.h") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/include/isc/platform.h" ;; ++ "lib/isc-pkcs11/include/pk11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/include/pk11/Makefile" ;; ++ "lib/isc-pkcs11/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/include/pkcs11/Makefile" ;; ++ "lib/isc-pkcs11/tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/tests/Makefile" ;; ++ "lib/isc-pkcs11/nls/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/nls/Makefile" ;; ++ "lib/isc-pkcs11/unix/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/unix/Makefile" ;; ++ "lib/isc-pkcs11/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/unix/include/Makefile" ;; ++ "lib/isc-pkcs11/unix/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/unix/include/isc/Makefile" ;; ++ "lib/isc-pkcs11/unix/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/unix/include/pkcs11/Makefile" ;; + "lib/isccc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccc/Makefile" ;; + "lib/isccc/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccc/include/Makefile" ;; + "lib/isccc/include/isccc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccc/include/isccc/Makefile" ;; +@@ -23043,6 +23757,7 @@ echo "------------------------------------------------------------------------" + echo "Optional features enabled:" + $use_threads && echo " Multiprocessing support (--enable-threads)" + ++test "$use_tuning" = "large" && echo " Large-system tuning (--with-tuning)" + test "$enable_fixed" = "yes" && \ + echo " Fixed RRset order (--enable-fixed-rrset)" + test "$atf" = "no" || echo " Automated Testing Framework (--with-atf)" +@@ -23062,12 +23777,8 @@ test "$use_pkcs11" = "no" 
|| echo " PKCS#11/Cryptoki support (--with-pkcs11)" + if test "$enable_full_report" = "yes"; then + test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" || \ + echo " IPv6 support (--enable-ipv6)" +- test "X$USE_OPENSSL" = "X" || \ ++ test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" || \ + echo " OpenSSL cryptography/DNSSEC (--with-openssl)" +- test "$OPENSSL_GOST" != "yes" || \ +- echo " GOST algorithm support (--with-gost)" +- test "$OPENSSL_ECDSA" != "yes" || \ +- echo " ECDSA algorithm support (--with-ecdsa)" + test "X$PYTHON" = "X" || echo " Python tools (--with-python)" + test "X$libxml2_libs" = "X" || echo " XML statistics (--with-libxml2)" + fi +@@ -23092,6 +23803,7 @@ echo + + echo "Features disabled or unavailable on this platform:" + $use_threads || echo " Multiprocessing support (--enable-threads)" ++test "$use_tuning" = "large" || echo " Large-system tuning (--with-tuning)" + test "$enable_fixed" = "yes" || \ + echo " Fixed RRset order (--enable-fixed-rrset)" + test "$atf" = "no" && echo " Automated Testing Framework (--with-atf)" +@@ -23100,24 +23812,28 @@ test "$enable_filter" = "yes" || \ + test "$use_gssapi" = "no" && echo " GSS-API (--with-gssapi)" + test "$want_backtrace" = "yes" || \ + echo " Print backtrace on crash (--enable-backtrace)" +-test "$use_pkcs11" = "no" && echo " PKCS#11/Cryptoki support (--with-pkcs11)" + +-test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" && \ +- echo " IPv6 support (--enable-ipv6)" +-test "X$USE_OPENSSL" = "X" && \ +- echo " OpenSSL cryptography/DNSSEC (--with-openssl)" +-test "X$USE_OPENSSL" != "X" -a "$OPENSSL_GOST" != "yes" && \ ++test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" && \ ++ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" ++test "$want_native_pkcs11" != "yes" && \ ++ echo " Native PKCS#11 cryptography/DNSSEC (--enable-native-pkcs11)" ++test "X$CRYPTO" = "X" -o "$OPENSSL_GOST" = "yes" -o "$PKCS11_GOST" = "yes" || \ + echo " GOST algorithm support (--with-gost)" +-test "X$USE_OPENSSL" 
!= "X" -a "$OPENSSL_ECDSA" != "yes" && \ ++test "X$CRYPTO" = "X" -o "$OPENSSL_ECDSA" = "yes" -o "$PKCS11_ECDSA" = "yes" || \ + echo " ECDSA algorithm support (--with-ecdsa)" ++test "$use_pkcs11" = "no" && echo " PKCS#11/Cryptoki support (--with-pkcs11)" ++test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" && \ ++ echo " IPv6 support (--enable-ipv6)" + test "X$PYTHON" = "X" && echo " Python tools (--with-python)" + test "X$libxml2_libs" = "X" && echo " XML statistics (--with-libxml2)" + + echo "========================================================================" + +-if test "X$USE_OPENSSL" = "X"; then ++if test "X$CRYPTO" = "X"; then + cat << \EOF +-BIND is being built without OpenSSL. This means it will not have DNSSEC support. ++BIND 9 is being built without cryptography support. This means it will ++not have DNSSEC support. Use --with-openssl, or --with-pkcs11 and ++--enable-native-pkcs11 to enable cryptography. + EOF + fi + +diff --git a/configure.in b/configure.in +index 5c79d6d..529989d 100644 +--- a/configure.in ++++ b/configure.in +@@ -3671,6 +3671,29 @@ AC_CHECK_HEADERS(locale.h) + AC_CHECK_FUNCS(setlocale) + + # ++# was --with-tuning specified? ++# ++AC_ARG_WITH(tuning, ++ [ --with-tuning=ARG Specify server tuning (large or default)], ++ use_tuning="$withval", use_tuning="no") ++ ++case "$use_tuning" in ++ large) ++ if ! 
$use_threads; then ++ AC_MSG_ERROR([Large-system tuning requires threads.]) ++ fi ++ AC_DEFINE(TUNE_LARGE, 1, [Define to use large-system tuning.]) ++ AC_MSG_RESULT(using large-system tuning) ++ ;; ++ no|default) ++ AC_MSG_RESULT(using default tuning) ++ ;; ++ yes|*) ++ AC_MSG_ERROR([You must specify "large" or "default" for --with-tuning.]) ++ ;; ++esac ++ ++# + # Substitutions + # + AC_SUBST(BIND9_TOP_BUILDDIR) +@@ -4193,6 +4216,7 @@ echo "------------------------------------------------------------------------" + echo "Optional features enabled:" + $use_threads && echo " Multiprocessing support (--enable-threads)" + ++test "$use_tuning" = "large" && echo " Large-system tuning (--with-tuning)" + test "$enable_fixed" = "yes" && \ + echo " Fixed RRset order (--enable-fixed-rrset)" + test "$atf" = "no" || echo " Automated Testing Framework (--with-atf)" +@@ -4238,6 +4262,7 @@ echo + + echo "Features disabled or unavailable on this platform:" + $use_threads || echo " Multiprocessing support (--enable-threads)" ++test "$use_tuning" = "large" || echo " Large-system tuning (--with-tuning)" + test "$enable_fixed" = "yes" || \ + echo " Fixed RRset order (--enable-fixed-rrset)" + test "$atf" = "no" && echo " Automated Testing Framework (--with-atf)" +diff --git a/lib/dns/client.c b/lib/dns/client.c +index e9e8bde..d3b371b 100644 +--- a/lib/dns/client.c ++++ b/lib/dns/client.c +@@ -67,6 +67,12 @@ + + #define MAX_RESTARTS 16 + ++#ifdef TUNE_LARGE ++#define RESOLVER_NTASKS 523 ++#else ++#define RESOLVER_NTASKS 31 ++#endif /* TUNE_LARGE */ ++ + /*% + * DNS client object + */ +@@ -480,7 +486,7 @@ dns_client_createx(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr, + + /* Create the default view for class IN */ + result = dns_client_createview(mctx, dns_rdataclass_in, options, +- taskmgr, 31, socketmgr, timermgr, ++ taskmgr, RESOLVER_NTASKS, socketmgr, timermgr, + dispatchmgr, dispatchv4, dispatchv6, + &view); + if (result != ISC_R_SUCCESS) +diff --git 
a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c +index cbc506b..af0c3bc 100644 +--- a/lib/isc/unix/socket.c ++++ b/lib/isc/unix/socket.c +@@ -157,7 +157,11 @@ struct isc_socketwait { + */ + #ifndef ISC_SOCKET_MAXSOCKETS + #if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL) ++#ifdef TUNE_LARGE ++#define ISC_SOCKET_MAXSOCKETS 21000 ++#else + #define ISC_SOCKET_MAXSOCKETS 4096 ++#endif /* TUNE_LARGE */ + #elif defined(USE_SELECT) + #define ISC_SOCKET_MAXSOCKETS FD_SETSIZE + #endif /* USE_KQUEUE... */ +@@ -219,7 +223,11 @@ typedef enum { poll_idle, poll_active, poll_checking } pollstate_t; + */ + #if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL) + #ifndef ISC_SOCKET_MAXEVENTS ++#ifdef TUNE_LARGE + #define ISC_SOCKET_MAXEVENTS 2048 ++#else ++#define ISC_SOCKET_MAXEVENTS 64 ++#endif /* TUNE_LARGE */ + #endif + #endif + +@@ -295,7 +303,11 @@ typedef isc_event_t intev_t; + /*% + * The size to raise the receive buffer to (from BIND 8). + */ ++#ifdef TUNE_LARGE ++#define RCVBUFSIZE (16*1024*1024) ++#else + #define RCVBUFSIZE (32*1024) ++#endif /* TUNE_LARGE */ + + /*% + * The number of times a send operation is repeated if the result is EINTR. +-- +2.9.5 + diff --git a/SOURCES/bind99-rh1470637-tests.patch b/SOURCES/bind99-rh1470637-tests.patch new file mode 100644 index 0000000..a43776c --- /dev/null +++ b/SOURCES/bind99-rh1470637-tests.patch 
@@ -0,0 +1,434 @@ +From 148bbbd1c1463c9b9626d7d9668d8768179d596b Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Fri, 11 Dec 2015 14:52:12 +1100 +Subject: [PATCH 1/2] add digdelv + +(cherry picked from commit 51aed1827453f40ee56b165d45c5d58d96838d94) + +Deleted failing tests +--- + bin/tests/system/conf.sh.in | 2 +- + bin/tests/system/digdelv/clean.sh | 21 +++++ + bin/tests/system/digdelv/ns1/named.conf | 37 +++++++++ + bin/tests/system/digdelv/ns1/root.db | 29 +++++++ + bin/tests/system/digdelv/ns2/example.db | 50 ++++++++++++ + bin/tests/system/digdelv/ns2/named.conf | 40 ++++++++++ + bin/tests/system/digdelv/ns3/named.conf | 36 +++++++++ + bin/tests/system/digdelv/tests.sh | 137 ++++++++++++++++++++++++++++++++ + 8 files changed, 351 insertions(+), 1 deletion(-) + create mode 100644 bin/tests/system/digdelv/clean.sh + create mode 100644 bin/tests/system/digdelv/ns1/named.conf + create mode 100644 bin/tests/system/digdelv/ns1/root.db + create mode 100644 bin/tests/system/digdelv/ns2/example.db + create mode 100644 bin/tests/system/digdelv/ns2/named.conf + create mode 100644 bin/tests/system/digdelv/ns3/named.conf + create mode 100644 bin/tests/system/digdelv/tests.sh + +diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in +index 6df4734..49c5686 100644 +--- a/bin/tests/system/conf.sh.in ++++ b/bin/tests/system/conf.sh.in +@@ -60,7 +60,7 @@ SAMPLE=$TOP/lib/export/samples/sample + # v6synth + SUBDIRS="acl additional allow_query addzone autosign builtin + cacheclean checkconf @CHECKDS@ checknames checkzone @COVERAGE@ +- database dlv dlvauto dlz dlzexternal dname dns64 dnssec dyndb ++ database digdelv dlv dlvauto dlz dlzexternal dname dns64 dnssec dyndb + ecdsa formerr forward glue gost ixfr inline limits logfileconfig + lwresd masterfile masterformat metadata notify nsupdate pending + @PKCS11_TEST@ redirect resolver rndc rpz rrl rrsetorder rsabigexponent +diff --git a/bin/tests/system/digdelv/clean.sh 
b/bin/tests/system/digdelv/clean.sh +new file mode 100644 +index 0000000..0f442fb +--- /dev/null ++++ b/bin/tests/system/digdelv/clean.sh +@@ -0,0 +1,21 @@ ++#!/bin/sh ++# ++# Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") ++# ++# Permission to use, copy, modify, and/or distribute this software for any ++# purpose with or without fee is hereby granted, provided that the above ++# copyright notice and this permission notice appear in all copies. ++# ++# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH ++# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, ++# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM ++# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE ++# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ++# PERFORMANCE OF THIS SOFTWARE. ++ ++rm -f dig.out.test* ++rm -f delv.out.test* ++rm -f */named.memstats ++rm -f */named.run ++rm -f ns*/named.lock +diff --git a/bin/tests/system/digdelv/ns1/named.conf b/bin/tests/system/digdelv/ns1/named.conf +new file mode 100644 +index 0000000..c5f0470 +--- /dev/null ++++ b/bin/tests/system/digdelv/ns1/named.conf +@@ -0,0 +1,37 @@ ++/* ++ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") ++ * ++ * Permission to use, copy, modify, and/or distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH ++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++ * AND FITNESS. 
IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, ++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM ++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE ++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ++ * PERFORMANCE OF THIS SOFTWARE. ++ */ ++ ++// NS1 ++ ++controls { /* empty */ }; ++ ++options { ++ query-source address 10.53.0.1; ++ port 5300; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.1; }; ++ listen-on-v6 { fd92:7065:b8e:ffff::1; }; ++ recursion no; ++ notify yes; ++ dnssec-enable no; ++ dnssec-validation no; ++}; ++ ++zone "." { ++ type master; ++ file "root.db"; ++}; ++ +diff --git a/bin/tests/system/digdelv/ns1/root.db b/bin/tests/system/digdelv/ns1/root.db +new file mode 100644 +index 0000000..f4316a5 +--- /dev/null ++++ b/bin/tests/system/digdelv/ns1/root.db +@@ -0,0 +1,29 @@ ++; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") ++; ++; Permission to use, copy, modify, and/or distribute this software for any ++; purpose with or without fee is hereby granted, provided that the above ++; copyright notice and this permission notice appear in all copies. ++; ++; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH ++; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, ++; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM ++; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE ++; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ++; PERFORMANCE OF THIS SOFTWARE. ++ ++$TTL 300 ++. IN SOA gson.nominum.com. a.root.servers.nil. ( ++ 2000042100 ; serial ++ 600 ; refresh ++ 600 ; retry ++ 1200 ; expire ++ 600 ; minimum ++ ) ++. NS a.root-servers.nil. ++a.root-servers.nil. A 10.53.0.1 ++a.root-servers.nil. AAAA fd92:7065:b8e:ffff::1 ++ ++example. NS ns2.example. 
++ns2.example. A 10.53.0.2 ++ns2.example. AAAA fd92:7065:b8e:ffff::2 +diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db +new file mode 100644 +index 0000000..0a1aa5d +--- /dev/null ++++ b/bin/tests/system/digdelv/ns2/example.db +@@ -0,0 +1,50 @@ ++; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") ++; ++; Permission to use, copy, modify, and/or distribute this software for any ++; purpose with or without fee is hereby granted, provided that the above ++; copyright notice and this permission notice appear in all copies. ++; ++; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH ++; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, ++; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM ++; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE ++; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ++; PERFORMANCE OF THIS SOFTWARE. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA mname1. . ( ++ 2000042407 ; serial ++ 20 ; refresh (20 seconds) ++ 20 ; retry (20 seconds) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns2 ++ NS ns3 ++ns2 A 10.53.0.2 ++ns2 AAAA fd92:7065:b8e:ffff::2 ++ns3 A 10.53.0.3 ++ns3 AAAA fd92:7065:b8e:ffff::3 ++ ++a A 10.0.0.1 ++a AAAA fd92:7065:b8e:ffff::1 ++b A 10.0.0.2 ++b AAAA fd92:7065:b8e:ffff::2 ++c A 10.0.0.3 ++c AAAA fd92:7065:b8e:ffff::3 ++ ++foo TXT "testing" ++foo A 10.0.1.0 ++foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890 ++ ++;; ++;; we are not testing DNSSEC behavior, so we don't care about the semantics ++;; of the following records. 
++dnskey 300 DNSKEY 256 3 1 ( ++ AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg ++ +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD ++ Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R ++ b9VIE5x7KNHAYTvTO5d4S8M= ++ ) ++ +diff --git a/bin/tests/system/digdelv/ns2/named.conf b/bin/tests/system/digdelv/ns2/named.conf +new file mode 100644 +index 0000000..266e958 +--- /dev/null ++++ b/bin/tests/system/digdelv/ns2/named.conf +@@ -0,0 +1,40 @@ ++/* ++ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") ++ * ++ * Permission to use, copy, modify, and/or distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH ++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, ++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM ++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE ++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ++ * PERFORMANCE OF THIS SOFTWARE. ++ */ ++ ++// NS2 ++ ++controls { /* empty */ }; ++ ++options { ++ query-source address 10.53.0.2; ++ port 5300; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.2; }; ++ listen-on-v6 { fd92:7065:b8e:ffff::2; }; ++ recursion no; ++ dnssec-enable no; ++ dnssec-validation no; ++}; ++ ++zone "." { ++ type hint; ++ file "../../common/root.hint"; ++}; ++ ++zone "example" { ++ type master; ++ file "example.db"; ++}; +diff --git a/bin/tests/system/digdelv/ns3/named.conf b/bin/tests/system/digdelv/ns3/named.conf +new file mode 100644 +index 0000000..e73c543 +--- /dev/null ++++ b/bin/tests/system/digdelv/ns3/named.conf +@@ -0,0 +1,36 @@ ++/* ++ * Copyright (C) 2015 Internet Systems Consortium, Inc. 
("ISC") ++ * ++ * Permission to use, copy, modify, and/or distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH ++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, ++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM ++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE ++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ++ * PERFORMANCE OF THIS SOFTWARE. ++ */ ++ ++// NS4 ++ ++controls { /* empty */ }; ++ ++options { ++ query-source address 10.53.0.3; ++ port 5300; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.3; }; ++ listen-on-v6 { fd92:7065:b8e:ffff::3; }; ++ recursion yes; ++ acache-enable yes; ++ dnssec-enable no; ++ dnssec-validation no; ++}; ++ ++zone "." { ++ type hint; ++ file "../../common/root.hint"; ++}; +diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh +new file mode 100644 +index 0000000..988bd52 +--- /dev/null ++++ b/bin/tests/system/digdelv/tests.sh +@@ -0,0 +1,137 @@ ++# Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") ++# ++# Permission to use, copy, modify, and/or distribute this software for any ++# purpose with or without fee is hereby granted, provided that the above ++# copyright notice and this permission notice appear in all copies. ++# ++# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH ++# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++# AND FITNESS. 
IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, ++# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM ++# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE ++# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ++# PERFORMANCE OF THIS SOFTWARE. ++ ++SYSTEMTESTTOP=.. ++. $SYSTEMTESTTOP/conf.sh ++ ++status=0 ++n=0 ++# using dig insecure mode as not testing dnssec here ++DIGOPTS="-i -p 5300" ++ ++if [ -x ${DIG} ] ; then ++ n=`expr $n + 1` ++ echo "I:checking dig short form works ($n)" ++ ret=0 ++ $DIG $DIGOPTS @10.53.0.3 +short a a.example > dig.out.test$n || ret=1 ++ if test `wc -l < dig.out.test$n` != 1 ; then ret=1 ; fi ++ if [ $ret != 0 ]; then echo "I:failed"; fi ++ status=`expr $status + $ret` ++ ++ n=`expr $n + 1` ++ echo "I:checking dig split width works ($n)" ++ ret=0 ++ $DIG $DIGOPTS @10.53.0.3 +split=4 -t sshfp foo.example > dig.out.test$n || ret=1 ++ grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo "I:failed"; fi ++ status=`expr $status + $ret` ++ ++ n=`expr $n + 1` ++ echo "I:checking dig with reverse lookup works ($n)" ++ ret=0 ++ $DIG $DIGOPTS @10.53.0.3 -x 127.0.0.1 > dig.out.test$n 2>&1 || ret=1 ++ # doesn't matter if has answer ++ grep -i "127\.in-addr\.arpa\." 
< dig.out.test$n > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo "I:failed"; fi ++ status=`expr $status + $ret` ++ ++ n=`expr $n + 1` ++ echo "I:checking dig over TCP works ($n)" ++ ret=0 ++ $DIG $DIGOPTS +tcp @10.53.0.3 a a.example > dig.out.test$n || ret=1 ++ grep "10\.0\.0\.1$" < dig.out.test$n > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo "I:failed"; fi ++ status=`expr $status + $ret` ++ ++ n=`expr $n + 1` ++ echo "I:checking dig +rrcomments works for DNSKEY($n)" ++ ret=0 ++ $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 ++ grep "; ZSK; alg = RSAMD5 *; key id = 30795" < dig.out.test$n > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo "I:failed"; fi ++ status=`expr $status + $ret` ++ ++else ++ echo "W:$DIG is needed, so skipping these dig tests" ++fi ++ ++# using delv insecure mode as not testing dnssec here ++DELVOPTS="-i -p 5300" ++ ++if [ -n "${DELV}" -a -x "${DELV}" ] ; then ++ n=`expr $n + 1` ++ echo "I:checking delv short form works ($n)" ++ ret=0 ++ $DELV $DELVOPTS @10.53.0.3 +short a a.example > delv.out.test$n || ret=1 ++ if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi ++ if [ $ret != 0 ]; then echo "I:failed"; fi ++ status=`expr $status + $ret` ++ ++ n=`expr $n + 1` ++ echo "I:checking delv split width works ($n)" ++ ret=0 ++ $DELV $DELVOPTS @10.53.0.3 +split=4 -t sshfp foo.example > delv.out.test$n || ret=1 ++ grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo "I:failed"; fi ++ status=`expr $status + $ret` ++ ++ n=`expr $n + 1` ++ echo "I:checking delv with IPv6 on IPv4 does not work ($n)" ++ if $TESTSOCK6 fd92:7065:b8e:ffff::3 ++ then ++ ret=0 ++ # following should fail because @IPv4 overrides earlier @IPv6 above ++ # and -6 forces IPv6 so this should fail, such as: ++ # ;; getaddrinfo failed: hostname nor servname provided, or not known ++ # ;; resolution failed: not found ++ # note that delv returns success even on lookup failure ++ $DELV 
$DELVOPTS @fd92:7065:b8e:ffff::3 @10.53.0.3 -6 -t txt foo.example > delv.out.test$n 2>&1 || ret=1 ++ # it should have no results but error output ++ grep "testing" < delv.out.test$n > /dev/null && ret=1 ++ grep "getaddrinfo failed:" < delv.out.test$n > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo "I:failed"; fi ++ status=`expr $status + $ret` ++ else ++ echo "I:IPv6 unavailable; skipping" ++ fi ++ ++ n=`expr $n + 1` ++ echo "I:checking delv with reverse lookup works ($n)" ++ ret=0 ++ $DELV $DELVOPTS @10.53.0.3 -x 127.0.0.1 > delv.out.test$n 2>&1 || ret=1 ++ # doesn't matter if has answer ++ grep -i "127\.in-addr\.arpa\." < delv.out.test$n > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo "I:failed"; fi ++ status=`expr $status + $ret` ++ ++ n=`expr $n + 1` ++ echo "I:checking delv over TCP works ($n)" ++ ret=0 ++ $DELV $DELVOPTS @10.53.0.3 a a.example > delv.out.test$n || ret=1 ++ grep "10\.0\.0\.1$" < delv.out.test$n > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo "I:failed"; fi ++ status=`expr $status + $ret` ++ ++ n=`expr $n + 1` ++ echo "I:checking delv +rrcomments works for DNSKEY($n)" ++ ret=0 ++ $DELV $DELVOPTS @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 ++ grep "; ZSK; alg = RSAMD5 *; key id = 30795" < delv.out.test$n > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo "I:failed"; fi ++ status=`expr $status + $ret` ++ ++ exit $status ++else ++ echo "W:${DELV:-delv} is not available, so skipping these delv tests" ++fi +-- +2.9.5 + diff --git a/SOURCES/bind99-rh1470637.patch b/SOURCES/bind99-rh1470637.patch new file mode 100644 index 0000000..4fc74ba --- /dev/null +++ b/SOURCES/bind99-rh1470637.patch 
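Review bot: The comment `# using dig insecure mode as not testing dnssec here` above `DIGOPTS="-i -p 5300"` in digdelv/tests.sh does not describe dig: as far as I recall, dig's `-i` selects the obsolete IP6.INT form for reverse lookups, while "insecure mode" is what `-i` means for delv, so the flag has no effect on validation here and the comment should say so (or the flag be dropped from DIGOPTS). The guard `if [ -x ${DIG} ] ; then` is unquoted, and with an empty DIG the one-argument `[ -x ]` evaluates true, so the dig tests would be run against an empty command rather than skipped; the delv branch already uses the stricter form, which this one should mirror: `if [ -n "${DIG}" -a -x "${DIG}" ] ; then`. In ns3/named.conf the banner reads `// NS4` although the file configures 10.53.0.3 (ns3); `// NS3` keeps the three near-identical configs from being mixed up.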
@@ -0,0 +1,195 @@ +From a200b2dd994cbb4ff29151ff46342268bc8fb3c2 Mon Sep 17 00:00:00 2001 +From: Evan Hunt <each@isc.org> +Date: Mon, 11 Sep 2017 10:34:10 -0700 +Subject: [PATCH 2/2] dig: retain domain when retrying with tcp + +4712. [bug] "dig +domain" and "dig +search" didn't retain the + search domain when retrying with TCP. [RT #45547] + +(cherry picked from commit 8e014c45ae75a3ca893cec6a0711beb69ecd18a4) +(cherry picked from commit 88e2cefcc2e8f48c0fba97661ff79c2506b52b23) +(cherry picked from commit 51b00c6c783ccf5dca86119ff8f4f8b994298ca4) + +Modified to pass with libidn + +Fix origin test +--- + bin/dig/dighost.c | 13 ++++------- + bin/tests/system/ans.pl | 43 +++++++++++++++++++++++++---------- + bin/tests/system/digdelv/ans4/startme | 0 + bin/tests/system/digdelv/tests.sh | 23 ++++++++++++++++++- + 4 files changed, 58 insertions(+), 21 deletions(-) + create mode 100644 bin/tests/system/digdelv/ans4/startme + +diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c +index 5c03d95..3a066c6 100644 +--- a/bin/dig/dighost.c ++++ b/bin/dig/dighost.c +@@ -887,6 +887,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) { + looknew->section_answer = lookold->section_answer; + looknew->section_authority = lookold->section_authority; + looknew->section_additional = lookold->section_additional; ++ looknew->origin = lookold->origin; + looknew->retries = lookold->retries; + looknew->tsigctx = NULL; + looknew->need_search = lookold->need_search; +@@ -2134,6 +2135,7 @@ setup_lookup(dig_lookup_t *lookup) { + + #ifdef WITH_IDN + if (lookup->origin != NULL) { ++ debug("trying origin %s", lookup->origin->origin); + mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, + lookup->origin->origin, utf8_origin, + sizeof(utf8_origin)); +@@ -2148,6 +2150,7 @@ setup_lookup(dig_lookup_t *lookup) { + idn_check_result(mr, "convert UTF-8 textname to IDN encoding"); + #elif defined (WITH_LIBIDN) + if (lookup->origin != NULL) { ++ debug("trying origin %s", lookup->origin->origin); + 
result = libidn_locale_to_utf8 (lookup->origin->origin, utf8_str); + check_result (result, "convert origin to UTF-8"); + if (len > 0 && utf8_name[len - 1] != '.') { +@@ -3409,7 +3407,6 @@ recv_done(isc_task_t *task, isc_event_t *event) { + printf(";; Truncated, retrying in TCP mode.\n"); + n = requeue_lookup(l, ISC_TRUE); + n->tcp_mode = ISC_TRUE; +- n->origin = query->lookup->origin; + dns_message_destroy(&msg); + isc_event_free(&event); + clear_query(query); +diff --git a/bin/tests/system/ans.pl b/bin/tests/system/ans.pl +index d6ff3c2..d8c9f9d 100644 +--- a/bin/tests/system/ans.pl ++++ b/bin/tests/system/ans.pl +@@ -35,7 +35,12 @@ + # + # There can be any number of patterns, each associated + # with any number of response RRs. Each pattern is a +-# Perl regular expression. ++# Perl regular expression. If an empty pattern ("//") is ++# received, the server will ignore all incoming queries (TCP ++# connections will still be accepted, but both UDP queries ++# and TCP queries will not be responded to). If a non-empty ++# pattern is then received over the same control connection, ++# default behavior is restored. + # + # Each incoming query is converted into a string of the form + # "qname qtype" (the printable query domain name, space, +@@ -105,6 +110,9 @@ $SIG{TERM} = \&rmpid; + + #my @answers = (); + my @rules; ++my $udphandler; ++my $tcphandler; ++ + sub handleUDP { + my ($buf) = @_; + my $request; +@@ -414,8 +422,15 @@ for (;;) { + while (my $line = $conn->getline) { + chomp $line; + if ($line =~ m!^/(.*)/$!) 
{ +- $rule = { pattern => $1, answer => [] }; +- push(@rules, $rule); ++ if (length($1) == 0) { ++ $udphandler = sub { return; }; ++ $tcphandler = sub { return; }; ++ } else { ++ $udphandler = \&handleUDP; ++ $tcphandler = \&handleTCP; ++ $rule = { pattern => $1, answer => [] }; ++ push(@rules, $rule); ++ } + } else { + push(@{$rule->{answer}}, + new Net::DNS::RR($line)); +@@ -430,9 +445,11 @@ for (;;) { + printf "UDP request\n"; + my $buf; + $udpsock->recv($buf, 512); +- my $result = handleUDP($buf); +- my $num_chars = $udpsock->send($result); +- print " Sent $num_chars bytes via UDP\n"; ++ my $result = &$udphandler($buf); ++ if (defined($result)) { ++ my $num_chars = $udpsock->send($result); ++ print " Sent $num_chars bytes via UDP\n"; ++ } + } elsif (vec($rout, fileno($tcpsock), 1)) { + my $conn = $tcpsock->accept; + my $buf; +@@ -444,12 +461,14 @@ for (;;) { + $n = $conn->sysread($buf, $len); + last unless $n == $len; + print "TCP request\n"; +- my $result = handleTCP($buf); +- foreach my $response (@$result) { +- $len = length($response); +- $n = $conn->syswrite(pack("n", $len), 2); +- $n = $conn->syswrite($response, $len); +- print " Sent: $n chars via TCP\n"; ++ my $result = &$tcphandler($buf); ++ if (defined($result)) { ++ foreach my $response (@$result) { ++ $len = length($response); ++ $n = $conn->syswrite(pack("n", $len), 2); ++ $n = $conn->syswrite($response, $len); ++ print " Sent: $n chars via TCP\n"; ++ } + } + } + $conn->close; +diff --git a/bin/tests/system/digdelv/ans4/startme b/bin/tests/system/digdelv/ans4/startme +new file mode 100644 +index 0000000..e69de29 +diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh +index 988bd52..a19256c 100644 +--- a/bin/tests/system/digdelv/tests.sh ++++ b/bin/tests/system/digdelv/tests.sh +@@ -19,6 +19,7 @@ status=0 + n=0 + # using dig insecure mode as not testing dnssec here + DIGOPTS="-i -p 5300" ++SENDCMD="$PERL $SYSTEMTESTTOP/send.pl 10.53.0.4 5301" + + if [ -x ${DIG} ] ; then 
+ n=`expr $n + 1`
+@@ -62,6 +63,24 @@ if [ -x ${DIG} ] ; then
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
++ n=`expr $n + 1`
++ echo "I:checking dig preserves origin on TCP retries ($n)"
++ ret=0
++ # Ask ans4 to still accept TCP connections, but not respond to queries
++ echo "//" | $SENDCMD
++ $DIG $DIGOPTS -d +tcp @10.53.0.4 +retry=1 +time=1 +domain=bar foo > dig.out.test$n 2>&1 && ret=1
++ l=`grep "trying origin bar" dig.out.test$n | wc -l`
++ [ ${l:-0} -eq 2 ] || ret=1
++ if grep "libidn_locale_to_utf8" dig.out.test$n > /dev/null
++ then
++ # libidn patch uses always using root origin, but print also name
++ grep '^foo\.$' < dig.out.test$n > /dev/null && ret=1
++ else
++ grep "using root origin" < dig.out.test$n > /dev/null && ret=1
++ fi
++ if [ $ret != 0 ]; then echo "I:failed"; fi
++ status=`expr $status + $ret`
++
+ else
+ echo "W:$DIG is needed, so skipping these dig tests"
+ fi
+@@ -131,7 +150,9 @@ if [ -n "${DELV}" -a -x "${DELV}" ] ; then
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+- exit $status
+ else
+ echo "W:${DELV:-delv} is not available, so skipping these delv tests"
+ fi
++
++echo "I:exit status: $status"
++[ $status -eq 0 ] || exit 1
+--
+2.9.5
+
diff --git a/SOURCES/bind99-rh1472862.patch b/SOURCES/bind99-rh1472862.patch
new file mode 100644
index 0000000..b1f31d9
--- /dev/null
+++ b/SOURCES/bind99-rh1472862.patch
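Review bot: In ans.pl the new `my $udphandler;` and `my $tcphandler;` stay undefined until the first non-empty pattern arrives on the control connection, yet the main loop now calls `&$udphandler($buf)` and `&$tcphandler($buf)` unconditionally, so a query that reaches the server before any rule has been sent would make Perl die on an undefined code reference instead of being handled by handleUDP/handleTCP as before. Initializing them at declaration, `my $udphandler = \&handleUDP;` and `my $tcphandler = \&handleTCP;`, preserves the previous default and still lets an empty `//` pattern switch to the ignore handlers. The tests in this commit appear to always send a pattern first, so this is latent rather than observed. The dighost.c hunks touch clone_lookup, setup_lookup and recv_done, each of which starts and ends outside the lines shown.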
@@ -0,0 +1,32 @@
+From e3894cd3a92be79a64072835008ec589b17c601a Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Wed, 9 Apr 2014 17:17:53 -0700
+Subject: [PATCH] [v9_9] missing manpage install rule for dnssec-importkey
+
+(cherry picked from commit 540daf2887dfc813657c27408a2363ba719bf8d4)
+---
+ bin/dnssec/Makefile.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
+index 5966d16..58352d8 100644
+--- a/bin/dnssec/Makefile.in
++++ b/bin/dnssec/Makefile.in
+@@ -55,12 +55,12 @@ SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
+
+ MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
+ dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8 \
+- dnssec-verify.8
++ dnssec-verify.8 dnssec-importkey.8
+
+ HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \
+ dnssec-keygen.html dnssec-revoke.html \
+ dnssec-settime.html dnssec-signzone.html \
+- dnssec-verify.html
++ dnssec-verify.html dnssec-importkey.html
+
+ MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+--
+2.9.4
+
diff --git a/SOURCES/bind99-rh1476013.patch b/SOURCES/bind99-rh1476013.patch
new file mode 100644
index 0000000..7f5a27e
--- /dev/null
+++ b/SOURCES/bind99-rh1476013.patch
@@ -0,0 +1,574 @@ +From 4827d4b06c2aaec913536143e4a26a0904d1fc58 Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Fri, 7 Jul 2017 23:19:05 +1000 +Subject: [PATCH] 4647. [bug] Change 4643 broke verification of TSIG signed TCP + message sequences where not all the messages contain TSIG records. These may + be used in AXFR and IXFR responses. [RT #45509] + +(cherry picked from commit 58f0fb325bbd9258d06431281eb8fdea2b126305) +--- + lib/dns/tests/Makefile.in | 9 +- + lib/dns/tests/tsig_test.c | 489 ++++++++++++++++++++++++++++++++++++++++++++++ + lib/dns/tsig.c | 10 +- + 3 files changed, 504 insertions(+), 4 deletions(-) + create mode 100644 lib/dns/tests/tsig_test.c + +diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in +index 8d1b83e..023e60c 100644 +--- a/lib/dns/tests/Makefile.in ++++ b/lib/dns/tests/Makefile.in +@@ -39,13 +39,13 @@ LIBS = @LIBS@ @ATFLIBS@ + + OBJS = dnstest.@O@ + SRCS = dnstest.c gost_test.c master_test.c dbiterator_test.c time_test.c \ +- private_test.c update_test.c zonemgr_test.c zt_test.c \ ++ private_test.c tsig_test.c update_test.c zonemgr_test.c zt_test.c \ + dbdiff_test.c geoip_test.c dispatch_test.c nsec3_test.c \ + rdataset_test.c rdata_test.c + + SUBDIRS = + TARGETS = gost_test@EXEEXT@ master_test@EXEEXT@ dbiterator_test@EXEEXT@ time_test@EXEEXT@ \ +- private_test@EXEEXT@ update_test@EXEEXT@ zonemgr_test@EXEEXT@ \ ++ private_test@EXEEXT@ tsig_test@EXEEXT@ update_test@EXEEXT@ zonemgr_test@EXEEXT@ \ + zt_test@EXEEXT@ dbversion_test@EXEEXT@ dbdiff_test@EXEEXT@ geoip_test@EXEEXT@ \ + dispatch_test@EXEEXT@ nsec3_test@EXEEXT@ \ + rdataset_test@EXEEXT@ rdata_test@EXEEXT@ +@@ -134,6 +134,11 @@ geoip_test@EXEEXT@: geoip_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + geoip_test.@O@ dnstest.@O@ ${DNSLIBS} \ + ${ISCLIBS} ${LIBS} + ++tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ ++ tsig_test.@O@ dnstest.@O@ ${DNSLIBS} \ ++ 
${ISCLIBS} ${LIBS} ++ + unit:: + sh ${top_srcdir}/unit/unittest.sh + +diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c +new file mode 100644 +index 0000000..956e4a0 +--- /dev/null ++++ b/lib/dns/tests/tsig_test.c +@@ -0,0 +1,489 @@ ++/* ++ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ */ ++ ++/* ! \file */ ++ ++#include <config.h> ++#include <atf-c.h> ++#include <isc/mem.h> ++ ++#include <dns/rdatalist.h> ++#include <dns/rdataset.h> ++#include <dns/tsig.h> ++ ++#include "dnstest.h" ++ ++#ifdef HAVE_INTTYPES_H ++#include <inttypes.h> /* uintptr_t */ ++#endif ++ ++static int debug = 0; ++ ++static isc_result_t ++add_mac(dst_context_t *tsigctx, isc_buffer_t *buf) { ++ dns_rdata_any_tsig_t tsig; ++ dns_rdata_t rdata = DNS_RDATA_INIT; ++ isc_buffer_t databuf; ++ isc_region_t r; ++ isc_result_t result; ++ unsigned char tsigbuf[1024]; ++ ++ isc_buffer_usedregion(buf, &r); ++ dns_rdata_fromregion(&rdata, dns_rdataclass_any, ++ dns_rdatatype_tsig, &r); ++ isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf)); ++ CHECK(dns_rdata_tostruct(&rdata, &tsig, NULL)); ++ isc_buffer_putuint16(&databuf, tsig.siglen); ++ isc_buffer_putmem(&databuf, tsig.signature, tsig.siglen); ++ isc_buffer_usedregion(&databuf, &r); ++ result = dst_context_adddata(tsigctx, &r); ++ dns_rdata_freestruct(&tsig); ++ cleanup: ++ return (result); ++} ++ ++static isc_result_t ++add_tsig(dst_context_t *tsigctx, dns_tsigkey_t *key, isc_buffer_t *target) { ++ dns_compress_t cctx; ++ dns_rdata_any_tsig_t tsig; ++ dns_rdata_t rdata = DNS_RDATA_INIT; ++ dns_rdatalist_t rdatalist; ++ dns_rdataset_t rdataset; ++ isc_buffer_t *dynbuf = NULL; ++ isc_buffer_t databuf; ++ isc_buffer_t sigbuf; ++ isc_region_t r; ++ isc_result_t result = ISC_R_SUCCESS; ++ isc_stdtime_t now; ++ 
unsigned char tsigbuf[1024]; ++ unsigned int count; ++ unsigned int sigsize; ++ isc_boolean_t invalidate_ctx = ISC_FALSE; ++ ++ CHECK(dns_compress_init(&cctx, -1, mctx)); ++ invalidate_ctx = ISC_TRUE; ++ ++ memset(&tsig, 0, sizeof(tsig)); ++ tsig.common.rdclass = dns_rdataclass_any; ++ tsig.common.rdtype = dns_rdatatype_tsig; ++ ISC_LINK_INIT(&tsig.common, link); ++ dns_name_init(&tsig.algorithm, NULL); ++ dns_name_clone(key->algorithm, &tsig.algorithm); ++ ++ isc_stdtime_get(&now); ++ tsig.timesigned = now; ++ tsig.fudge = DNS_TSIG_FUDGE; ++ tsig.originalid = 50; ++ tsig.error = dns_rcode_noerror; ++ tsig.otherlen = 0; ++ tsig.other = NULL; ++ ++ isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf)); ++ isc_buffer_putuint48(&databuf, tsig.timesigned); ++ isc_buffer_putuint16(&databuf, tsig.fudge); ++ isc_buffer_usedregion(&databuf, &r); ++ CHECK(dst_context_adddata(tsigctx, &r)); ++ ++ CHECK(dst_key_sigsize(key->key, &sigsize)); ++ tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize); ++ if (tsig.signature == NULL) ++ CHECK(ISC_R_NOMEMORY); ++ isc_buffer_init(&sigbuf, tsig.signature, sigsize); ++ CHECK(dst_context_sign(tsigctx, &sigbuf)); ++ tsig.siglen = isc_buffer_usedlength(&sigbuf); ++ ++ CHECK(isc_buffer_allocate(mctx, &dynbuf, 512)); ++ CHECK(dns_rdata_fromstruct(&rdata, dns_rdataclass_any, ++ dns_rdatatype_tsig, &tsig, dynbuf)); ++ dns_rdatalist_init(&rdatalist); ++ rdatalist.rdclass = dns_rdataclass_any; ++ rdatalist.type = dns_rdatatype_tsig; ++ ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); ++ dns_rdataset_init(&rdataset); ++ CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset)); ++ CHECK(dns_rdataset_towire(&rdataset, &key->name, &cctx, ++ target, 0, &count)); ++ ++ /* ++ * Fixup additional record count. 
++ */ ++ ((unsigned char*)target->base)[11]++; ++ if (((unsigned char*)target->base)[11] == 0) ++ ((unsigned char*)target->base)[10]++; ++ cleanup: ++ if (tsig.signature != NULL) ++ isc_mem_put(mctx, tsig.signature, sigsize); ++ if (dynbuf != NULL) ++ isc_buffer_free(&dynbuf); ++ if (invalidate_ctx) ++ dns_compress_invalidate(&cctx); ++ ++ return (result); ++} ++ ++static void ++printmessage(dns_message_t *msg) { ++ isc_buffer_t b; ++ char *buf = NULL; ++ int len = 1024; ++ isc_result_t result = ISC_R_SUCCESS; ++ ++ if (!debug) ++ return; ++ ++ do { ++ buf = isc_mem_get(mctx, len); ++ if (buf == NULL) { ++ result = ISC_R_NOMEMORY; ++ break; ++ } ++ ++ isc_buffer_init(&b, buf, len); ++ result = dns_message_totext(msg, &dns_master_style_debug, ++ 0, &b); ++ if (result == ISC_R_NOSPACE) { ++ isc_mem_put(mctx, buf, len); ++ len *= 2; ++ } else if (result == ISC_R_SUCCESS) ++ printf("%.*s\n", (int) isc_buffer_usedlength(&b), buf); ++ } while (result == ISC_R_NOSPACE); ++ ++ if (buf != NULL) ++ isc_mem_put(mctx, buf, len); ++} ++ ++static void ++render(isc_buffer_t *buf, unsigned flags, dns_tsigkey_t *key, ++ isc_buffer_t **tsigin, isc_buffer_t **tsigout, ++ dst_context_t *tsigctx) ++{ ++ dns_message_t *msg = NULL; ++ dns_compress_t cctx; ++ isc_result_t result; ++ ++ result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &msg); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_create: %s", ++ dns_result_totext(result)); ++ ++ msg->id = 50; ++ msg->rcode = dns_rcode_noerror; ++ msg->flags = flags; ++ ++ if (tsigin == tsigout) ++ msg->tcp_continuation = 1; ++ ++ if (tsigctx == NULL) { ++ result = dns_message_settsigkey(msg, key); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_settsigkey: %s", ++ dns_result_totext(result)); ++ ++ result = dns_message_setquerytsig(msg, *tsigin); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_setquerytsig: %s", ++ dns_result_totext(result)); ++ } ++ ++ result = dns_compress_init(&cctx, -1, mctx); ++ 
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_compress_init: %s", ++ dns_result_totext(result)); ++ ++ result = dns_message_renderbegin(msg, &cctx, buf); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_renderbegin: %s", ++ dns_result_totext(result)); ++ ++ result = dns_message_renderend(msg); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_renderend: %s", ++ dns_result_totext(result)); ++ ++ if (tsigctx != NULL) { ++ isc_region_t r; ++ ++ isc_buffer_usedregion(buf, &r); ++ result = dst_context_adddata(tsigctx, &r); ++ } else { ++ if (tsigin == tsigout && *tsigin != NULL) ++ isc_buffer_free(tsigin); ++ ++ result = dns_message_getquerytsig(msg, mctx, tsigout); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_getquerytsig: %s", ++ dns_result_totext(result)); ++ } ++ ++ dns_compress_invalidate(&cctx); ++ dns_message_destroy(&msg); ++} ++ ++/* ++ * Check that a simulated three message TCP sequence where the first ++ * and last messages contain TSIGs but the intermediate message doesn't ++ * correctly verifies. 
++ */ ++ATF_TC(tsig_tcp); ++ATF_TC_HEAD(tsig_tcp, tc) { ++ atf_tc_set_md_var(tc, "descr", "test tsig tcp-continuation validation"); ++} ++ATF_TC_BODY(tsig_tcp, tc) { ++ dns_name_t *tsigowner = NULL; ++ dns_fixedname_t fkeyname; ++ dns_message_t *msg = NULL; ++ dns_name_t *keyname; ++ dns_tsig_keyring_t *ring = NULL; ++ dns_tsigkey_t *key = NULL; ++ isc_buffer_t *buf = NULL; ++ isc_buffer_t *querytsig = NULL; ++ isc_buffer_t *tsigin = NULL; ++ isc_buffer_t *tsigout = NULL; ++ isc_result_t result; ++ unsigned char secret[16] = { 0 }; ++ dst_context_t *tsigctx = NULL; ++ dst_context_t *outctx = NULL; ++ ++ UNUSED(tc); ++ ++ result = dns_test_begin(stderr, ISC_FALSE); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ++ /* isc_log_setdebuglevel(lctx, 99); */ ++ ++ dns_fixedname_init(&fkeyname); ++ keyname = dns_fixedname_name(&fkeyname); ++ result = dns_name_fromstring(keyname, "test", 0, NULL); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ++ result = dns_tsigkeyring_create(mctx, &ring); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ++ result = dns_tsigkey_create(keyname, dns_tsig_hmacsha256_name, ++ secret, sizeof(secret), ISC_FALSE, ++ NULL, 0, 0, mctx, ring, &key); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ++ /* ++ * Create request. ++ */ ++ result = isc_buffer_allocate(mctx, &buf, 65535); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ render(buf, 0, key, &tsigout, &querytsig, NULL); ++ isc_buffer_free(&buf); ++ ++ /* ++ * Create response message 1. ++ */ ++ result = isc_buffer_allocate(mctx, &buf, 65535); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ render(buf, DNS_MESSAGEFLAG_QR, key, &querytsig, &tsigout, NULL); ++ ++ /* ++ * Process response message 1. 
++ */ ++ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_create: %s", ++ dns_result_totext(result)); ++ ++ result = dns_message_settsigkey(msg, key); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_settsigkey: %s", ++ dns_result_totext(result)); ++ ++ result = dns_message_parse(msg, buf, 0); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_parse: %s", ++ dns_result_totext(result)); ++ ++ printmessage(msg); ++ ++ result = dns_message_setquerytsig(msg, querytsig); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_setquerytsig: %s", ++ dns_result_totext(result)); ++ ++ result = dns_tsig_verify(buf, msg, NULL, NULL); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_tsig_verify: %s", ++ dns_result_totext(result)); ++ ATF_CHECK_EQ(msg->verified_sig, 1); ++ ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror); ++ ++ /* ++ * Check that we have a TSIG in the first message. ++ */ ++ ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL); ++ ++ result = dns_message_getquerytsig(msg, mctx, &tsigin); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_getquerytsig: %s", ++ dns_result_totext(result)); ++ ++ tsigctx = msg->tsigctx; ++ msg->tsigctx = NULL; ++ isc_buffer_free(&buf); ++ dns_message_destroy(&msg); ++ ++ result = dst_context_create2(key->key, mctx, DNS_LOGCATEGORY_DNSSEC, ++ &outctx); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ++ /* ++ * Start digesting. ++ */ ++ result = add_mac(outctx, tsigout); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ++ /* ++ * Create response message 2. ++ */ ++ result = isc_buffer_allocate(mctx, &buf, 65535); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx); ++ ++ /* ++ * Process response message 2. 
++ */ ++ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_create: %s", ++ dns_result_totext(result)); ++ ++ msg->tcp_continuation = 1; ++ msg->tsigctx = tsigctx; ++ tsigctx = NULL; ++ ++ result = dns_message_settsigkey(msg, key); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_settsigkey: %s", ++ dns_result_totext(result)); ++ ++ result = dns_message_parse(msg, buf, 0); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_parse: %s", ++ dns_result_totext(result)); ++ ++ printmessage(msg); ++ ++ result = dns_message_setquerytsig(msg, tsigin); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_setquerytsig: %s", ++ dns_result_totext(result)); ++ ++ result = dns_tsig_verify(buf, msg, NULL, NULL); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_tsig_verify: %s", ++ dns_result_totext(result)); ++ ATF_CHECK_EQ(msg->verified_sig, 1); ++ ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror); ++ ++ /* ++ * Check that we don't have a TSIG in the second message. ++ */ ++ tsigowner = NULL; ++ ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) == NULL); ++ ++ tsigctx = msg->tsigctx; ++ msg->tsigctx = NULL; ++ isc_buffer_free(&buf); ++ dns_message_destroy(&msg); ++ ++ /* ++ * Create response message 3. ++ */ ++ result = isc_buffer_allocate(mctx, &buf, 65535); ++ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); ++ render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx); ++ ++ result = add_tsig(outctx, key, buf); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "add_tsig: %s", ++ dns_result_totext(result)); ++ ++ /* ++ * Process response message 3. 
++ */ ++ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_create: %s", ++ dns_result_totext(result)); ++ ++ msg->tcp_continuation = 1; ++ msg->tsigctx = tsigctx; ++ tsigctx = NULL; ++ ++ result = dns_message_settsigkey(msg, key); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_settsigkey: %s", ++ dns_result_totext(result)); ++ ++ result = dns_message_parse(msg, buf, 0); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_parse: %s", ++ dns_result_totext(result)); ++ ++ printmessage(msg); ++ ++ /* ++ * Check that we had a TSIG in the third message. ++ */ ++ ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL); ++ ++ result = dns_message_setquerytsig(msg, tsigin); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_setquerytsig: %s", ++ dns_result_totext(result)); ++ ++ result = dns_tsig_verify(buf, msg, NULL, NULL); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_tsig_verify: %s", ++ dns_result_totext(result)); ++ ATF_CHECK_EQ(msg->verified_sig, 1); ++ ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror); ++ ++ if (tsigin != NULL) ++ isc_buffer_free(&tsigin); ++ ++ result = dns_message_getquerytsig(msg, mctx, &tsigin); ++ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, ++ "dns_message_getquerytsig: %s", ++ dns_result_totext(result)); ++ ++ isc_buffer_free(&buf); ++ dns_message_destroy(&msg); ++ ++ if (outctx != NULL) ++ dst_context_destroy(&outctx); ++ if (querytsig != NULL) ++ isc_buffer_free(&querytsig); ++ if (tsigin != NULL) ++ isc_buffer_free(&tsigin); ++ if (tsigout != NULL) ++ isc_buffer_free(&tsigout); ++ if (buf != NULL) ++ isc_buffer_free(&buf); ++ if (msg != NULL) ++ dns_message_destroy(&msg); ++ if (key != NULL) ++ dns_tsigkey_detach(&key); ++ if (ring != NULL) ++ dns_tsigkeyring_detach(&ring); ++ dns_test_end(); ++} ++ ++/* ++ * Main ++ */ ++ATF_TP_ADD_TCS(tp) { ++ ATF_TP_ADD_TC(tp, tsig_tcp); ++ return (atf_no_error()); ++} +diff --git a/lib/dns/tsig.c 
b/lib/dns/tsig.c +index 7b91d1e..325c901 100644 +--- a/lib/dns/tsig.c ++++ b/lib/dns/tsig.c +@@ -1535,7 +1535,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, + msg->verified_sig = 1; + ret = ISC_R_SUCCESS; + +-cleanup_context: ++ cleanup_context: + if (ctx != NULL) + dst_context_destroy(&ctx); + +@@ -1859,8 +1859,14 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { + ret = ISC_R_SUCCESS; + + cleanup_context: +- if (msg->tsigctx != NULL) ++ /* ++ * Except in error conditions, don't destroy the DST context ++ * for unsigned messages; it is a running sum till the next ++ * TSIG signed message. ++ */ ++ if ((ret != ISC_R_SUCCESS || has_tsig) && msg->tsigctx != NULL) { + dst_context_destroy(&msg->tsigctx); ++ } + + cleanup_querystruct: + dns_rdata_freestruct(&querytsig); +-- +2.9.4 + diff --git a/SOURCES/bind99-rh1501531.patch b/SOURCES/bind99-rh1501531.patch new file mode 100644 index 0000000..62c067c --- /dev/null +++ b/SOURCES/bind99-rh1501531.patch 
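Review bot: In add_tsig (new tsig_test.c) the first `CHECK(dns_compress_init(&cctx, -1, mctx))` runs before `memset(&tsig, 0, sizeof(tsig))`, and CHECK evidently jumps to `cleanup` on failure (add_mac relies on the same label), so on that path the cleanup test `if (tsig.signature != NULL) isc_mem_put(mctx, tsig.signature, sigsize)` reads an uninitialized `tsig.signature` and an uninitialized `sigsize`; moving `memset(&tsig, 0, sizeof(tsig));` above that first CHECK (and initializing `sigsize = 0`) closes it. In render, `result = dst_context_adddata(tsigctx, &r);` on the tsigctx branch is the only call in that function whose result is not checked, so a failure to fold the unsigned middle message into the running digest would surface only as a misleading `dns_tsig_verify` failure on message 3; add `ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "dst_context_adddata: %s", dns_result_totext(result));` after it. In tsig.c, the new `(ret != ISC_R_SUCCESS || has_tsig)` guard in tsig_verify_tcp intentionally keeps `msg->tsigctx` alive across a successfully verified unsigned continuation message, which shifts ownership of that context to whoever tears the message down; the enclosing function starts outside the hunk, so I can only suggest extending the added comment with `* The surviving context belongs to msg; callers must move it to the next message before destroying this one.`, which is exactly what the test does by hand with `tsigctx = msg->tsigctx; msg->tsigctx = NULL;`.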
@@ -0,0 +1,1961 @@ +From 85938345f9da377e903de0e99b36eaa2a98d99c7 Mon Sep 17 00:00:00 2001 +From: Evan Hunt <each@isc.org> +Date: Wed, 13 Mar 2013 17:53:11 -0700 +Subject: [PATCH] algorithm flexibility for rndc + +3525. [func] Support for additional signing algorithms in rndc: + hmac-sha1, -sha224, -sha256, -sha384, and -sha512. + The -A option to rndc-confgen can be used to + select the algorithm for the generated key. + (The default is still hmac-md5; this may + change in a future release.) [RT #20363] +--- + bin/confgen/rndc-confgen.c | 27 +- + bin/confgen/rndc-confgen.docbook | 18 +- + bin/named/controlconf.c | 22 +- + bin/rndc/rndc.c | 38 ++- + bin/rndc/rndc.conf | 4 +- + bin/rndc/rndc.conf.docbook | 16 +- + bin/rndc/rndc.docbook | 14 +- + bin/tests/system/autosign/ns1/named.conf | 2 +- + bin/tests/system/autosign/ns2/named.conf | 2 +- + bin/tests/system/autosign/ns3/named.conf | 2 +- + bin/tests/system/cacheclean/ns2/named.conf | 2 +- + bin/tests/system/common/controls.conf | 2 +- + bin/tests/system/common/rndc.conf | 2 +- + bin/tests/system/common/rndc.key | 2 +- + bin/tests/system/conf.sh.in | 1 + + bin/tests/system/database/ns1/named.conf1 | 2 +- + bin/tests/system/database/ns1/named.conf2 | 2 +- + bin/tests/system/dlv/ns5/named.conf | 4 +- + bin/tests/system/dlv/ns5/rndc.conf | 2 +- + bin/tests/system/dlvauto/ns2/named.conf | 2 +- + bin/tests/system/dlzexternal/ns1/named.conf.in | 2 +- + bin/tests/system/dnssec/ns3/named.conf | 2 +- + bin/tests/system/dnssec/ns4/named1.conf | 2 +- + bin/tests/system/dnssec/ns4/named2.conf | 2 +- + bin/tests/system/dnssec/ns4/named3.conf | 2 +- + bin/tests/system/geoip/ns2/named1.conf | 2 +- + bin/tests/system/geoip/ns2/named10.conf | 2 +- + bin/tests/system/geoip/ns2/named11.conf | 2 +- + bin/tests/system/geoip/ns2/named2.conf | 2 +- + bin/tests/system/geoip/ns2/named3.conf | 2 +- + bin/tests/system/geoip/ns2/named4.conf | 2 +- + bin/tests/system/geoip/ns2/named5.conf | 2 +- + bin/tests/system/geoip/ns2/named6.conf | 2 +- 
+ bin/tests/system/geoip/ns2/named7.conf | 2 +- + bin/tests/system/geoip/ns2/named8.conf | 2 +- + bin/tests/system/geoip/ns2/named9.conf | 2 +- + bin/tests/system/ixfr/ns3/named.conf | 2 +- + bin/tests/system/ixfr/ns4/named.conf | 2 +- + bin/tests/system/ixfr/setup.sh | 2 +- + bin/tests/system/logfileconfig/ns1/named.dirconf | 2 +- + bin/tests/system/logfileconfig/ns1/named.pipeconf | 2 +- + bin/tests/system/logfileconfig/ns1/named.plain | 2 +- + bin/tests/system/logfileconfig/ns1/named.symconf | 2 +- + bin/tests/system/logfileconfig/ns1/rndc.conf | 2 +- + bin/tests/system/nsupdate/ns1/named.conf | 2 +- + bin/tests/system/pkcs11/ns1/named.conf | 2 +- + bin/tests/system/resolver/ns4/named.conf | 2 +- + bin/tests/system/rndc/clean.sh | 2 + + bin/tests/system/rndc/ns2/named.conf | 4 +- + bin/tests/system/rndc/ns2/secondkey.conf | 2 +- + bin/tests/system/rndc/ns3/named.conf | 4 +- + bin/tests/system/rndc/ns4/3bf305731dd26307.nta | 3 + + bin/tests/system/rndc/ns4/named.conf.in | 28 +++ + bin/tests/system/rndc/setup.sh | 24 +- + bin/tests/system/rndc/tests.sh | 60 +++++ + bin/tests/system/rpz/ns3/named.conf | 2 +- + bin/tests/system/rpz/ns5/named.conf | 2 +- + bin/tests/system/rrl/ns2/named.conf | 2 +- + bin/tests/system/staticstub/ns3/named.conf.in | 2 +- + bin/tests/system/stress/ns3/named.conf | 2 +- + bin/tests/system/tkey/ns1/named.conf.in | 2 +- + bin/tests/system/tsiggss/ns1/named.conf | 2 +- + bin/tests/system/views/ns3/named1.conf | 2 +- + bin/tests/system/views/ns3/named2.conf | 2 +- + bin/tests/system/xfer/ns3/named.conf | 2 +- + bin/tests/system/xfer/ns4/named.conf.base | 2 +- + lib/isccc/cc.c | 289 ++++++++++++++++++---- + lib/isccc/include/isccc/cc.h | 26 +- + 68 files changed, 526 insertions(+), 158 deletions(-) + create mode 100644 bin/tests/system/rndc/ns4/3bf305731dd26307.nta + create mode 100644 bin/tests/system/rndc/ns4/named.conf.in + +diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c +index e2ac079..3fd54fe 100644 +--- 
a/bin/confgen/rndc-confgen.c ++++ b/bin/confgen/rndc-confgen.c +@@ -57,7 +57,6 @@ + #include "util.h" + #include "keygen.h" + +-#define DEFAULT_KEYLENGTH 128 /*% Bits. */ + #define DEFAULT_KEYNAME "rndc-key" + #define DEFAULT_SERVER "127.0.0.1" + #define DEFAULT_PORT 953 +@@ -80,7 +79,8 @@ Usage:\n\ + %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \ + [-s addr] [-t chrootdir] [-u user]\n\ + -a: generate just the key clause and write it to keyfile (%s)\n\ +- -b bits: from 1 through 512, default %d; total length of the secret\n\ ++ -A alg: algorithm (default hmac-md5)\n\ ++ -b bits: from 1 through 512, default 256; total length of the secret\n\ + -c keyfile: specify an alternate key file (requires -a)\n\ + -k keyname: the name as it will be used in named.conf and rndc.conf\n\ + -p port: the port named will listen on and rndc will connect to\n\ +@@ -88,7 +88,7 @@ Usage:\n\ + -s addr: the address to which rndc should connect\n\ + -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ + -u user: set the keyfile owner to \"user\" (requires -a)\n", +- progname, keydef, DEFAULT_KEYLENGTH); ++ progname, keydef); + + exit (status); + } +@@ -103,12 +103,12 @@ main(int argc, char **argv) { + const char *keyname = NULL; + const char *randomfile = NULL; + const char *serveraddr = NULL; +- dns_secalg_t alg = DST_ALG_HMACMD5; +- const char *algname = alg_totext(alg); ++ dns_secalg_t alg; ++ const char *algname; + char *p; + int ch; + int port; +- int keysize; ++ int keysize = -1; + struct in_addr addr4_dummy; + struct in6_addr addr6_dummy; + char *chrootdir = NULL; +@@ -124,18 +124,25 @@ main(int argc, char **argv) { + progname = program; + + keyname = DEFAULT_KEYNAME; +- keysize = DEFAULT_KEYLENGTH; ++ alg = DST_ALG_HMACMD5; + serveraddr = DEFAULT_SERVER; + port = DEFAULT_PORT; + + isc_commandline_errprint = ISC_FALSE; + + while ((ch = isc_commandline_parse(argc, argv, +- "ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) { ++ "aA:b:c:hk:Mmp:r:s:t:u:Vy")) != 
-1) ++ { + switch (ch) { + case 'a': + keyonly = ISC_TRUE; + break; ++ case 'A': ++ algname = isc_commandline_argument; ++ alg = alg_fromtext(algname); ++ if (alg == DST_ALG_UNKNOWN) ++ fatal("Unsupported algorithm '%s'", algname); ++ break; + case 'b': + keysize = strtol(isc_commandline_argument, &p, 10); + if (*p != '\0' || keysize < 0) +@@ -203,6 +210,10 @@ main(int argc, char **argv) { + if (argc > 0) + usage(1); + ++ if (keysize < 0) ++ keysize = alg_bits(alg); ++ algname = alg_totext(alg); ++ + DO("create memory context", isc_mem_create(0, 0, &mctx)); + isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret)); + +diff --git a/bin/confgen/rndc-confgen.docbook b/bin/confgen/rndc-confgen.docbook +index af2cc43..f367b94 100644 +--- a/bin/confgen/rndc-confgen.docbook ++++ b/bin/confgen/rndc-confgen.docbook +@@ -1,6 +1,6 @@ + <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" +- [<!ENTITY mdash "—">]> ++ [<!ENTITY mdash "—">]> + <!-- + - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2003 Internet Software Consortium. +@@ -41,6 +41,7 @@ + <year>2005</year> + <year>2007</year> + <year>2009</year> ++ <year>2013</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> +@@ -54,6 +55,7 @@ + <cmdsynopsis> + <command>rndc-confgen</command> + <arg><option>-a</option></arg> ++ <arg><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg> + <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg> + <arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg> + <arg><option>-h</option></arg> +@@ -129,11 +131,23 @@ + </varlistentry> + + <varlistentry> ++ <term>-A <replaceable class="parameter">algorithm</replaceable></term> ++ <listitem> ++ <para> ++ Specifies the algorithm to use for the TSIG key. 
Available ++ choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, ++ hmac-sha384 and hmac-sha512. The default is hmac-md5. ++ </para> ++ </listitem> ++ </varlistentry> ++ ++ <varlistentry> + <term>-b <replaceable class="parameter">keysize</replaceable></term> + <listitem> + <para> + Specifies the size of the authentication key in bits. +- Must be between 1 and 512 bits; the default is 128. ++ Must be between 1 and 512 bits; the default is the ++ hash size. + </para> + </listitem> + </varlistentry> +diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c +index ef32790..b4176c9 100644 +--- a/bin/named/controlconf.c ++++ b/bin/named/controlconf.c +@@ -71,6 +71,7 @@ typedef ISC_LIST(controllistener_t) controllistenerlist_t; + + struct controlkey { + char * keyname; ++ isc_uint32_t algorithm; + isc_region_t secret; + ISC_LINK(controlkey_t) link; + }; +@@ -325,6 +326,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { + isccc_sexpr_t *request = NULL; + isccc_sexpr_t *response = NULL; + isccc_region_t ccregion; ++ isc_uint32_t algorithm; + isccc_region_t secret; + isc_stdtime_t now; + isc_buffer_t b; +@@ -343,6 +345,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { + + conn = event->ev_arg; + listener = conn->listener; ++ algorithm = DST_ALG_UNKNOWN; + secret.rstart = NULL; + + /* Is the server shutting down? 
*/ +@@ -369,7 +372,9 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { + goto cleanup; + memcpy(secret.rstart, key->secret.base, key->secret.length); + secret.rend = secret.rstart + key->secret.length; +- result = isccc_cc_fromwire(&ccregion, &request, &secret); ++ algorithm = key->algorithm; ++ result = isccc_cc_fromwire(&ccregion, &request, ++ algorithm, &secret); + if (result == ISC_R_SUCCESS) + break; + isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret)); +@@ -480,7 +485,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { + + ccregion.rstart = conn->buffer + 4; + ccregion.rend = conn->buffer + sizeof(conn->buffer); +- result = isccc_cc_towire(response, &ccregion, &secret); ++ result = isccc_cc_towire(response, &ccregion, algorithm, &secret); + if (result != ISC_R_SUCCESS) + goto cleanup_response; + isc_buffer_init(&b, conn->buffer, 4); +@@ -693,6 +698,7 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx, + if (key == NULL) + goto cleanup; + key->keyname = newstr; ++ key->algorithm = DST_ALG_UNKNOWN; + key->secret.base = NULL; + key->secret.length = 0; + ISC_LINK_INIT(key, link); +@@ -737,6 +743,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist, + const cfg_obj_t *secretobj = NULL; + const char *algstr = NULL; + const char *secretstr = NULL; ++ unsigned int algtype; + + (void)cfg_map_get(keydef, "algorithm", &algobj); + (void)cfg_map_get(keydef, "secret", &secretobj); +@@ -745,8 +752,8 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist, + algstr = cfg_obj_asstring(algobj); + secretstr = cfg_obj_asstring(secretobj); + +- if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != +- ISC_R_SUCCESS) ++ if (ns_config_getkeyalgorithm2(algstr, NULL, ++ &algtype, NULL) != ISC_R_SUCCESS) + { + cfg_obj_log(control, ns_g_lctx, + ISC_LOG_WARNING, +@@ -759,6 +766,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist, + continue; + } + ++ keyid->algorithm = algtype; + 
isc_buffer_init(&b, secret, sizeof(secret)); + result = isc_base64_decodestring(secretstr, &b); + +@@ -809,6 +817,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) { + const char *secretstr = NULL; + controlkey_t *keyid = NULL; + char secret[1024]; ++ unsigned int algtype; + isc_buffer_t b; + + CHECK(cfg_parser_create(mctx, ns_g_lctx, &pctx)); +@@ -822,6 +831,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) { + cfg_obj_asstring(cfg_map_getname(key))); + keyid->secret.base = NULL; + keyid->secret.length = 0; ++ keyid->algorithm = DST_ALG_UNKNOWN; + ISC_LINK_INIT(keyid, link); + if (keyid->keyname == NULL) + CHECK(ISC_R_NOMEMORY); +@@ -835,7 +845,8 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) { + algstr = cfg_obj_asstring(algobj); + secretstr = cfg_obj_asstring(secretobj); + +- if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) { ++ if (ns_config_getkeyalgorithm2(algstr, NULL, ++ &algtype, NULL) != ISC_R_SUCCESS) { + cfg_obj_log(key, ns_g_lctx, + ISC_LOG_WARNING, + "unsupported algorithm '%s' in " +@@ -845,6 +856,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) { + goto cleanup; + } + ++ keyid->algorithm = algtype; + isc_buffer_init(&b, secret, sizeof(secret)); + result = isc_base64_decodestring(secretstr, &b); + +diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c +index be198b1..c67223b 100644 +--- a/bin/rndc/rndc.c ++++ b/bin/rndc/rndc.c +@@ -77,6 +77,7 @@ static unsigned int remoteport = 0; + static isc_socketmgr_t *socketmgr = NULL; + static unsigned char databuf[2048]; + static isccc_ccmsg_t ccmsg; ++static isc_uint32_t algorithm; + static isccc_region_t secret; + static isc_boolean_t failed = ISC_FALSE; + static isc_boolean_t c_flag = ISC_FALSE; +@@ -250,7 +251,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { + source.rstart = isc_buffer_base(&ccmsg.buffer); + source.rend = isc_buffer_used(&ccmsg.buffer); + +- DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); ++ DO("parse 
message", ++ isccc_cc_fromwire(&source, &response, algorithm, &secret)); + + data = isccc_alist_lookup(response, "_data"); + if (!isccc_alist_alistp(data)) +@@ -305,7 +307,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { + "* the remote server is using an older version of" + " the command protocol,\n" + "* this host is not authorized to connect,\n" +- "* the clocks are not synchronized, or\n" ++ "* the clocks are not synchronized,\n" ++ "* the the key signing algorithm is incorrect, or\n" + "* the key is invalid."); + + if (ccmsg.result != ISC_R_SUCCESS) +@@ -314,7 +317,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { + source.rstart = isc_buffer_base(&ccmsg.buffer); + source.rend = isc_buffer_used(&ccmsg.buffer); + +- DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); ++ DO("parse message", ++ isccc_cc_fromwire(&source, &response, algorithm, &secret)); + + _ctrl = isccc_alist_lookup(response, "_ctrl"); + if (!isccc_alist_alistp(_ctrl)) +@@ -341,7 +345,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { + } + message.rstart = databuf + 4; + message.rend = databuf + sizeof(databuf); +- DO("render message", isccc_cc_towire(request, &message, &secret)); ++ DO("render message", ++ isccc_cc_towire(request, &message, algorithm, &secret)); + len = sizeof(databuf) - REGION_SIZE(message); + isc_buffer_init(&b, databuf, 4); + isc_buffer_putuint32(&b, len - 4); +@@ -403,7 +408,8 @@ rndc_connected(isc_task_t *task, isc_event_t *event) { + fatal("out of memory"); + message.rstart = databuf + 4; + message.rend = databuf + sizeof(databuf); +- DO("render message", isccc_cc_towire(request, &message, &secret)); ++ DO("render message", ++ isccc_cc_towire(request, &message, algorithm, &secret)); + len = sizeof(databuf) - REGION_SIZE(message); + isc_buffer_init(&b, databuf, 4); + isc_buffer_putuint32(&b, len - 4); +@@ -483,7 +489,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, + const cfg_obj_t *address = NULL; + 
const cfg_listelt_t *elt; + const char *secretstr; +- const char *algorithm; ++ const char *algorithmstr; + static char secretarray[1024]; + const cfg_type_t *conftype = &cfg_type_rndcconf; + isc_boolean_t key_only = ISC_FALSE; +@@ -587,10 +593,22 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, + fatal("key must have algorithm and secret"); + + secretstr = cfg_obj_asstring(secretobj); +- algorithm = cfg_obj_asstring(algorithmobj); +- +- if (strcasecmp(algorithm, "hmac-md5") != 0) +- fatal("unsupported algorithm: %s", algorithm); ++ algorithmstr = cfg_obj_asstring(algorithmobj); ++ ++ if (strcasecmp(algorithmstr, "hmac-md5") == 0) ++ algorithm = ISCCC_ALG_HMACMD5; ++ else if (strcasecmp(algorithmstr, "hmac-sha1") == 0) ++ algorithm = ISCCC_ALG_HMACSHA1; ++ else if (strcasecmp(algorithmstr, "hmac-sha224") == 0) ++ algorithm = ISCCC_ALG_HMACSHA224; ++ else if (strcasecmp(algorithmstr, "hmac-sha256") == 0) ++ algorithm = ISCCC_ALG_HMACSHA256; ++ else if (strcasecmp(algorithmstr, "hmac-sha384") == 0) ++ algorithm = ISCCC_ALG_HMACSHA384; ++ else if (strcasecmp(algorithmstr, "hmac-sha512") == 0) ++ algorithm = ISCCC_ALG_HMACSHA512; ++ else ++ fatal("unsupported algorithm: %s", algorithmstr); + + secret.rstart = (unsigned char *)secretarray; + secret.rend = (unsigned char *)secretarray + sizeof(secretarray); +diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf +index 67542b9..c463b96 100644 +--- a/bin/rndc/rndc.conf ++++ b/bin/rndc/rndc.conf +@@ -31,7 +31,7 @@ server localhost { + }; + + key "cc64b3d1db63fc88d7cb5d2f9f57d258" { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "34f88008d07deabbe65bd01f1d233d47"; + }; + +@@ -42,6 +42,6 @@ server "test1" { + }; + + key "key" { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; + }; +diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook +index 9de1995..5753378 100644 +--- a/bin/rndc/rndc.conf.docbook ++++ 
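Review bot: The six-way strcasecmp() chain in parse_config repeats the same shape once per algorithm, with the name string and the ISCCC_ALG_* constant split across two lines each time; a small name/constant table walked in a loop keeps the pairs together and makes a future algorithm a one-line addition, as sketched below. The `fatal("unsupported algorithm: %s", algorithmstr)` path is kept as the loop's fall-through, so observable behaviour is unchanged. parse_config continues outside the hunk.
```c
	static const struct {
		const char *name;
		isc_uint32_t alg;
	} algs[] = {
		{ "hmac-md5",    ISCCC_ALG_HMACMD5 },
		{ "hmac-sha1",   ISCCC_ALG_HMACSHA1 },
		{ "hmac-sha224", ISCCC_ALG_HMACSHA224 },
		{ "hmac-sha256", ISCCC_ALG_HMACSHA256 },
		{ "hmac-sha384", ISCCC_ALG_HMACSHA384 },
		{ "hmac-sha512", ISCCC_ALG_HMACSHA512 },
	};
	size_t i;

	algorithmstr = cfg_obj_asstring(algorithmobj);
	for (i = 0; i < sizeof(algs) / sizeof(algs[0]); i++)
		if (strcasecmp(algorithmstr, algs[i].name) == 0)
			break;
	if (i == sizeof(algs) / sizeof(algs[0]))
		fatal("unsupported algorithm: %s", algorithmstr);
	algorithm = algs[i].alg;
	/* … unchanged: secret.rstart / secret.rend setup … */
```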
b/bin/rndc/rndc.conf.docbook +@@ -40,6 +40,7 @@ + <year>2004</year> + <year>2005</year> + <year>2007</year> ++ <year>2013</year> + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + <copyright> +@@ -119,11 +120,12 @@ + <para> + The <option>key</option> statement begins with an identifying + string, the name of the key. The statement has two clauses. +- <option>algorithm</option> identifies the encryption algorithm ++ <option>algorithm</option> identifies the authentication algorithm + for <command>rndc</command> to use; currently only HMAC-MD5 +- is ++ (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256 ++ (default), HMAC-SHA384 and HMAC-SHA512 are + supported. This is followed by a secret clause which contains +- the base-64 encoding of the algorithm's encryption key. The ++ the base-64 encoding of the algorithm's authentication key. The + base-64 string is enclosed in double quotes. + </para> + <para> +@@ -166,14 +168,14 @@ + </para> + <para><programlisting> + key samplekey { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz"; + }; + </programlisting> + </para> + <para><programlisting> + key testkey { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "R3HI8P6BKw9ZwXwN3VZKuQ=="; + }; + </programlisting> +@@ -186,8 +188,8 @@ + Commands to the localhost server will use the samplekey key, which + must also be defined in the server's configuration file with the + same name and secret. The key statement indicates that samplekey +- uses the HMAC-MD5 algorithm and its secret clause contains the +- base-64 encoding of the HMAC-MD5 secret enclosed in double quotes. ++ uses the HMAC-SHA256 algorithm and its secret clause contains the ++ base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes. 
+ </para> + <para> + If <command>rndc -s testserver</command> is used then <command>rndc</command> will +diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook +index 27645b5..5f97749 100644 +--- a/bin/rndc/rndc.docbook ++++ b/bin/rndc/rndc.docbook +@@ -76,12 +76,14 @@ + arguments. + </para> + <para><command>rndc</command> +- communicates with the name server +- over a TCP connection, sending commands authenticated with +- digital signatures. In the current versions of ++ communicates with the name server over a TCP connection, sending ++ commands authenticated with digital signatures. In the current ++ versions of + <command>rndc</command> and <command>named</command>, +- the only supported authentication algorithm is HMAC-MD5, +- which uses a shared secret on each end of the connection. ++ the only supported authentication algorithms are HMAC-MD5 ++ (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256 ++ (default), HMAC-SHA384 and HMAC-SHA512. ++ They use a shared secret on each end of the connection. + This provides TSIG-style authentication for the command + request and the name server's response. All commands sent + over the channel must be signed by a key_id known to the +@@ -145,7 +147,7 @@ + <command>rndc</command>. If no server is supplied on the + command line, the host named by the default-server clause + in the options statement of the <command>rndc</command> +- configuration file will be used. ++ configuration file will be used. 
+ </para> + </listitem> + </varlistentry> +diff --git a/bin/tests/system/autosign/ns1/named.conf b/bin/tests/system/autosign/ns1/named.conf +index 2fbe62f..e67c4e4 100644 +--- a/bin/tests/system/autosign/ns1/named.conf ++++ b/bin/tests/system/autosign/ns1/named.conf +@@ -36,7 +36,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/autosign/ns2/named.conf b/bin/tests/system/autosign/ns2/named.conf +index 5e9ad8f..826bb91 100644 +--- a/bin/tests/system/autosign/ns2/named.conf ++++ b/bin/tests/system/autosign/ns2/named.conf +@@ -37,7 +37,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf +index 542a81e..89b7ece 100644 +--- a/bin/tests/system/autosign/ns3/named.conf ++++ b/bin/tests/system/autosign/ns3/named.conf +@@ -39,7 +39,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/cacheclean/ns2/named.conf b/bin/tests/system/cacheclean/ns2/named.conf +index cb675d2..6f0fba0 100644 +--- a/bin/tests/system/cacheclean/ns2/named.conf ++++ b/bin/tests/system/cacheclean/ns2/named.conf +@@ -34,7 +34,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/common/controls.conf b/bin/tests/system/common/controls.conf +index b5d619e..b9b6311 100644 +--- a/bin/tests/system/common/controls.conf ++++ b/bin/tests/system/common/controls.conf +@@ -19,7 +19,7 @@ + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/common/rndc.conf b/bin/tests/system/common/rndc.conf +index 3704ae7..5661b26 100644 +--- 
a/bin/tests/system/common/rndc.conf ++++ b/bin/tests/system/common/rndc.conf +@@ -22,6 +22,6 @@ options { + }; + + key rndc_key { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; +diff --git a/bin/tests/system/common/rndc.key b/bin/tests/system/common/rndc.key +index 1239e93..d5a7a9f 100644 +--- a/bin/tests/system/common/rndc.key ++++ b/bin/tests/system/common/rndc.key +@@ -18,5 +18,5 @@ + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; +diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in +index 49c5686..2bd42f9 100644 +--- a/bin/tests/system/conf.sh.in ++++ b/bin/tests/system/conf.sh.in +@@ -36,6 +36,7 @@ DIG=$TOP/bin/dig/dig + RNDC=$TOP/bin/rndc/rndc + NSUPDATE=$TOP/bin/nsupdate/nsupdate + DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen ++RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen + KEYGEN=$TOP/bin/dnssec/dnssec-keygen + KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel + SIGNER=$TOP/bin/dnssec/dnssec-signzone +diff --git a/bin/tests/system/database/ns1/named.conf1 b/bin/tests/system/database/ns1/named.conf1 +index 08dedc8..9270d56 100644 +--- a/bin/tests/system/database/ns1/named.conf1 ++++ b/bin/tests/system/database/ns1/named.conf1 +@@ -20,7 +20,7 @@ + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/database/ns1/named.conf2 b/bin/tests/system/database/ns1/named.conf2 +index c79bf9b..ed1bdfb 100644 +--- a/bin/tests/system/database/ns1/named.conf2 ++++ b/bin/tests/system/database/ns1/named.conf2 +@@ -20,7 +20,7 @@ + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf +index d886331..954fb37 100644 +--- a/bin/tests/system/dlv/ns5/named.conf ++++ b/bin/tests/system/dlv/ns5/named.conf +@@ -23,7 +23,7 @@ + * + * e.g. 
+ * key "cc64b3d1db63fc88d7cb5d2f9f57d258" { +- * algorithm hmac-md5; ++ * algorithm hmac-sha256; + * secret "34f88008d07deabbe65bd01f1d233d47"; + * }; + * +@@ -36,7 +36,7 @@ + */ + + key "cc64b3d1db63fc88d7cb5d2f9f57d258" { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "34f88008d07deabbe65bd01f1d233d47"; + }; + +diff --git a/bin/tests/system/dlv/ns5/rndc.conf b/bin/tests/system/dlv/ns5/rndc.conf +index 958ee98..ecc29b3 100644 +--- a/bin/tests/system/dlv/ns5/rndc.conf ++++ b/bin/tests/system/dlv/ns5/rndc.conf +@@ -17,7 +17,7 @@ + /* $Id: rndc.conf,v 1.5 2007/06/19 23:47:02 tbox Exp $ */ + + key "cc64b3d1db63fc88d7cb5d2f9f57d258" { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "34f88008d07deabbe65bd01f1d233d47"; + }; + +diff --git a/bin/tests/system/dlvauto/ns2/named.conf b/bin/tests/system/dlvauto/ns2/named.conf +index a7b86d0..fce5d85 100644 +--- a/bin/tests/system/dlvauto/ns2/named.conf ++++ b/bin/tests/system/dlvauto/ns2/named.conf +@@ -37,7 +37,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/dlzexternal/ns1/named.conf.in b/bin/tests/system/dlzexternal/ns1/named.conf.in +index 6577761..01a4a3b 100644 +--- a/bin/tests/system/dlzexternal/ns1/named.conf.in ++++ b/bin/tests/system/dlzexternal/ns1/named.conf.in +@@ -33,7 +33,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + include "ddns.key"; +diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf +index 37d23c1..6ef21b3 100644 +--- a/bin/tests/system/dnssec/ns3/named.conf ++++ b/bin/tests/system/dnssec/ns3/named.conf +@@ -38,7 +38,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/dnssec/ns4/named1.conf b/bin/tests/system/dnssec/ns4/named1.conf +index 432d3f6..542266f 
100644 +--- a/bin/tests/system/dnssec/ns4/named1.conf ++++ b/bin/tests/system/dnssec/ns4/named1.conf +@@ -47,7 +47,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/dnssec/ns4/named2.conf b/bin/tests/system/dnssec/ns4/named2.conf +index cc395be..f7e812c 100644 +--- a/bin/tests/system/dnssec/ns4/named2.conf ++++ b/bin/tests/system/dnssec/ns4/named2.conf +@@ -37,7 +37,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/dnssec/ns4/named3.conf b/bin/tests/system/dnssec/ns4/named3.conf +index 2d40740..d391aac 100644 +--- a/bin/tests/system/dnssec/ns4/named3.conf ++++ b/bin/tests/system/dnssec/ns4/named3.conf +@@ -38,7 +38,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/geoip/ns2/named1.conf b/bin/tests/system/geoip/ns2/named1.conf +index 66aca6f..e4c8eca 100644 +--- a/bin/tests/system/geoip/ns2/named1.conf ++++ b/bin/tests/system/geoip/ns2/named1.conf +@@ -32,7 +32,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/geoip/ns2/named10.conf b/bin/tests/system/geoip/ns2/named10.conf +index 2dd52ae..6f3fdee 100644 +--- a/bin/tests/system/geoip/ns2/named10.conf ++++ b/bin/tests/system/geoip/ns2/named10.conf +@@ -32,7 +32,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/geoip/ns2/named11.conf b/bin/tests/system/geoip/ns2/named11.conf +index af87edf..149e19a 100644 +--- a/bin/tests/system/geoip/ns2/named11.conf ++++ b/bin/tests/system/geoip/ns2/named11.conf +@@ -32,7 +32,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm 
hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/geoip/ns2/named2.conf b/bin/tests/system/geoip/ns2/named2.conf +index 67a5155..5dc3848 100644 +--- a/bin/tests/system/geoip/ns2/named2.conf ++++ b/bin/tests/system/geoip/ns2/named2.conf +@@ -32,7 +32,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/geoip/ns2/named3.conf b/bin/tests/system/geoip/ns2/named3.conf +index 65113a6..ebf96a9 100644 +--- a/bin/tests/system/geoip/ns2/named3.conf ++++ b/bin/tests/system/geoip/ns2/named3.conf +@@ -32,7 +32,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/geoip/ns2/named4.conf b/bin/tests/system/geoip/ns2/named4.conf +index d2393d5..cc79dde 100644 +--- a/bin/tests/system/geoip/ns2/named4.conf ++++ b/bin/tests/system/geoip/ns2/named4.conf +@@ -32,7 +32,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/geoip/ns2/named5.conf b/bin/tests/system/geoip/ns2/named5.conf +index 011e310..acbbdb1 100644 +--- a/bin/tests/system/geoip/ns2/named5.conf ++++ b/bin/tests/system/geoip/ns2/named5.conf +@@ -32,7 +32,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/geoip/ns2/named6.conf b/bin/tests/system/geoip/ns2/named6.conf +index 7ef7b19..5e93510 100644 +--- a/bin/tests/system/geoip/ns2/named6.conf ++++ b/bin/tests/system/geoip/ns2/named6.conf +@@ -32,7 +32,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/geoip/ns2/named7.conf b/bin/tests/system/geoip/ns2/named7.conf +index 118bdbe..508a650 100644 +--- 
a/bin/tests/system/geoip/ns2/named7.conf ++++ b/bin/tests/system/geoip/ns2/named7.conf +@@ -32,7 +32,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/geoip/ns2/named8.conf b/bin/tests/system/geoip/ns2/named8.conf +index 9cb5c0a..60dcef2 100644 +--- a/bin/tests/system/geoip/ns2/named8.conf ++++ b/bin/tests/system/geoip/ns2/named8.conf +@@ -32,7 +32,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/geoip/ns2/named9.conf b/bin/tests/system/geoip/ns2/named9.conf +index af2f7ff..605b1ff 100644 +--- a/bin/tests/system/geoip/ns2/named9.conf ++++ b/bin/tests/system/geoip/ns2/named9.conf +@@ -32,7 +32,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/ixfr/ns3/named.conf b/bin/tests/system/ixfr/ns3/named.conf +index c01ce54..b164968 100644 +--- a/bin/tests/system/ixfr/ns3/named.conf ++++ b/bin/tests/system/ixfr/ns3/named.conf +@@ -31,7 +31,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/ixfr/ns4/named.conf b/bin/tests/system/ixfr/ns4/named.conf +index b8c8e8c..073d1a9 100644 +--- a/bin/tests/system/ixfr/ns4/named.conf ++++ b/bin/tests/system/ixfr/ns4/named.conf +@@ -30,7 +30,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/ixfr/setup.sh b/bin/tests/system/ixfr/setup.sh +index 7e68ebc..9b3b96d 100644 +--- a/bin/tests/system/ixfr/setup.sh ++++ b/bin/tests/system/ixfr/setup.sh +@@ -34,7 +34,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git 
a/bin/tests/system/logfileconfig/ns1/named.dirconf b/bin/tests/system/logfileconfig/ns1/named.dirconf +index 9cbd039..3621c2f 100644 +--- a/bin/tests/system/logfileconfig/ns1/named.dirconf ++++ b/bin/tests/system/logfileconfig/ns1/named.dirconf +@@ -46,7 +46,7 @@ controls { + }; + + key "rndc-key" { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "Am9vCg=="; + }; + +diff --git a/bin/tests/system/logfileconfig/ns1/named.pipeconf b/bin/tests/system/logfileconfig/ns1/named.pipeconf +index bf5d02f..94c10f4 100644 +--- a/bin/tests/system/logfileconfig/ns1/named.pipeconf ++++ b/bin/tests/system/logfileconfig/ns1/named.pipeconf +@@ -46,7 +46,7 @@ controls { + }; + + key "rndc-key" { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "Am9vCg=="; + }; + +diff --git a/bin/tests/system/logfileconfig/ns1/named.plain b/bin/tests/system/logfileconfig/ns1/named.plain +index 64cfbfa..a404577 100644 +--- a/bin/tests/system/logfileconfig/ns1/named.plain ++++ b/bin/tests/system/logfileconfig/ns1/named.plain +@@ -46,7 +46,7 @@ controls { + }; + + key "rndc-key" { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "Am9vCg=="; + }; + +diff --git a/bin/tests/system/logfileconfig/ns1/named.symconf b/bin/tests/system/logfileconfig/ns1/named.symconf +index fc3f9bd..7c42619 100644 +--- a/bin/tests/system/logfileconfig/ns1/named.symconf ++++ b/bin/tests/system/logfileconfig/ns1/named.symconf +@@ -46,7 +46,7 @@ controls { + }; + + key "rndc-key" { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "Am9vCg=="; + }; + +diff --git a/bin/tests/system/logfileconfig/ns1/rndc.conf b/bin/tests/system/logfileconfig/ns1/rndc.conf +index f7fe7aa..2f3d0ab 100644 +--- a/bin/tests/system/logfileconfig/ns1/rndc.conf ++++ b/bin/tests/system/logfileconfig/ns1/rndc.conf +@@ -26,6 +26,6 @@ server localhost { + }; + + key "rndc-key" { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "Am9vCg=="; + }; +diff --git a/bin/tests/system/nsupdate/ns1/named.conf 
b/bin/tests/system/nsupdate/ns1/named.conf +index 3492b4c..86fe91d 100644 +--- a/bin/tests/system/nsupdate/ns1/named.conf ++++ b/bin/tests/system/nsupdate/ns1/named.conf +@@ -34,7 +34,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/pkcs11/ns1/named.conf b/bin/tests/system/pkcs11/ns1/named.conf +index 48b8adf..0c8bdec 100644 +--- a/bin/tests/system/pkcs11/ns1/named.conf ++++ b/bin/tests/system/pkcs11/ns1/named.conf +@@ -32,7 +32,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/resolver/ns4/named.conf b/bin/tests/system/resolver/ns4/named.conf +index 353cfe7..7fe14df 100644 +--- a/bin/tests/system/resolver/ns4/named.conf ++++ b/bin/tests/system/resolver/ns4/named.conf +@@ -59,7 +59,7 @@ zone "broken" { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/rndc/clean.sh b/bin/tests/system/rndc/clean.sh +index 2fcfcfb..7e16cb4 100644 +--- a/bin/tests/system/rndc/clean.sh ++++ b/bin/tests/system/rndc/clean.sh +@@ -22,3 +22,5 @@ rm -f ns2/named.stats + rm -f ns3/named_dump.db + rm -f ns*/named.memstats + rm -f ns*/named.run ++rm -f random.data ++rm -f ns4/*.conf +diff --git a/bin/tests/system/rndc/ns2/named.conf b/bin/tests/system/rndc/ns2/named.conf +index 12d6f14..e94bfe9 100644 +--- a/bin/tests/system/rndc/ns2/named.conf ++++ b/bin/tests/system/rndc/ns2/named.conf +@@ -29,12 +29,12 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + key secondkey { + secret "abcd1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/rndc/ns2/secondkey.conf b/bin/tests/system/rndc/ns2/secondkey.conf +index 99a876c..0445299 100644 +--- 
a/bin/tests/system/rndc/ns2/secondkey.conf ++++ b/bin/tests/system/rndc/ns2/secondkey.conf +@@ -22,5 +22,5 @@ options { + + key secondkey { + secret "abcd1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; +diff --git a/bin/tests/system/rndc/ns3/named.conf b/bin/tests/system/rndc/ns3/named.conf +index 9feefac..b8e0780 100644 +--- a/bin/tests/system/rndc/ns3/named.conf ++++ b/bin/tests/system/rndc/ns3/named.conf +@@ -28,12 +28,12 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + key secondkey { + secret "abcd1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/rndc/ns4/3bf305731dd26307.nta b/bin/tests/system/rndc/ns4/3bf305731dd26307.nta +new file mode 100644 +index 0000000..2f5d3cd +--- /dev/null ++++ b/bin/tests/system/rndc/ns4/3bf305731dd26307.nta +@@ -0,0 +1,3 @@ ++nta1.example. regular 20171113185318 ++nta2.example. regular 20171114165318 ++nta3.example. regular 20171120165318 +diff --git a/bin/tests/system/rndc/ns4/named.conf.in b/bin/tests/system/rndc/ns4/named.conf.in +new file mode 100644 +index 0000000..9f926f6 +--- /dev/null ++++ b/bin/tests/system/rndc/ns4/named.conf.in +@@ -0,0 +1,28 @@ ++/* ++ * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") ++ * ++ * Permission to use, copy, modify, and/or distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH ++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++ * AND FITNESS. 
IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, ++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM ++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE ++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ++ * PERFORMANCE OF THIS SOFTWARE. ++ */ ++ ++/* $Id$ */ ++ ++controls { /* empty */ }; ++ ++options { ++ port 5300; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.4; }; ++ listen-on-v6 { none; }; ++ recursion no; ++}; ++ +diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh +index aed84af..ce80005 100644 +--- a/bin/tests/system/rndc/setup.sh ++++ b/bin/tests/system/rndc/setup.sh +@@ -10,14 +10,36 @@ + # REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + # AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + # INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE ++# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGEN ++# -r random.dataCE + # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + # PERFORMANCE OF THIS SOFTWARE. + + # $Id: setup.sh,v 1.2 2011/03/21 18:06:06 each Exp $ + ++SYSTEMTESTTOP=.. ++. 
$SYSTEMTESTTOP/conf.sh ++ + sh clean.sh + ++../../../tools/genrandom 400 random.data ++ + sh ../genzone.sh 2 >ns2/nil.db + sh ../genzone.sh 2 >ns2/other.db + sh ../genzone.sh 2 >ns2/static.db ++ ++cat ns4/named.conf.in > ns4/named.conf ++ ++make_key () { ++ $RNDCCONFGEN -r random.data -k key$1 -A $2 -s 10.53.0.4 -p 995${1} \ ++ > ns4/key${1}.conf ++ egrep -v '(Start|End|Use|^[^#])' ns4/key$1.conf | cut -c3- | \ ++ sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf ++} ++ ++make_key 1 hmac-md5 ++make_key 2 hmac-sha1 ++make_key 3 hmac-sha224 ++make_key 4 hmac-sha256 ++make_key 5 hmac-sha384 ++make_key 6 hmac-sha512 +diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh +index a558e19..947987b 100644 +--- a/bin/tests/system/rndc/tests.sh ++++ b/bin/tests/system/rndc/tests.sh +@@ -245,5 +245,65 @@ done + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` + ++echo "I:testing rndc with hmac-md5" ++ret=0 ++$RNDC -s 10.53.0.4 -p 9951 -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 ++for i in 2 3 4 5 6 ++do ++ $RNDC -s 10.53.0.4 -p 9951 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 ++done ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++echo "I:testing rndc with hmac-sha1" ++ret=0 ++$RNDC -s 10.53.0.4 -p 9952 -c ns4/key2.conf status > /dev/null 2>&1 || ret=1 ++for i in 1 3 4 5 6 ++do ++ $RNDC -s 10.53.0.4 -p 9952 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 ++done ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++echo "I:testing rndc with hmac-sha224" ++ret=0 ++$RNDC -s 10.53.0.4 -p 9953 -c ns4/key3.conf status > /dev/null 2>&1 || ret=1 ++for i in 1 2 4 5 6 ++do ++ $RNDC -s 10.53.0.4 -p 9953 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 ++done ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++echo "I:testing rndc with hmac-sha256" ++ret=0 ++$RNDC -s 10.53.0.4 -p 9954 -c ns4/key4.conf status > /dev/null 2>&1 
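Review bot: The license header of setup.sh is corrupted by this hunk: the line `# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE` now ends in `NEGLIGEN` and is followed by a stray `# -r random.dataCE` line, which looks like the `-r random.data` argument meant for the make_key command below being pasted into the comment. Restore the original comment line and drop the stray one. Separately, `sed 's/allow { 10.53.0.4/allow { any/'` widens the control-channel ACL of the generated ns4 config to any source address; that is fine on the isolated 10.53.0.0/24 test network but deserves a comment so the snippet is not copied into a real configuration, e.g. `# test harness only: accept control connections from any source`.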
|| ret=1 ++for i in 1 2 3 5 6 ++do ++ $RNDC -s 10.53.0.4 -p 9954 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 ++done ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++echo "I:testing rndc with hmac-sha384" ++ret=0 ++$RNDC -s 10.53.0.4 -p 9955 -c ns4/key5.conf status > /dev/null 2>&1 || ret=1 ++for i in 1 2 3 4 6 ++do ++ $RNDC -s 10.53.0.4 -p 9955 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 ++done ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ ++echo "I:testing rndc with hmac-sha512" ++ret=0 ++$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf status > /dev/null 2>&1 || ret=1 ++for i in 1 2 3 4 5 ++do ++ $RNDC -s 10.53.0.4 -p 9956 -c ns4/key${i}.conf status > /dev/null 2>&1 2>&1 && ret=1 ++done ++if [ $ret != 0 ]; then echo "I:failed"; fi ++status=`expr $status + $ret` ++ + echo "I:exit status: $status" + exit $status +diff --git a/bin/tests/system/rpz/ns3/named.conf b/bin/tests/system/rpz/ns3/named.conf +index 4553b97..1e73a88 100644 +--- a/bin/tests/system/rpz/ns3/named.conf ++++ b/bin/tests/system/rpz/ns3/named.conf +@@ -52,7 +52,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + controls { + inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; +diff --git a/bin/tests/system/rpz/ns5/named.conf b/bin/tests/system/rpz/ns5/named.conf +index 82b6fde..df63189 100644 +--- a/bin/tests/system/rpz/ns5/named.conf ++++ b/bin/tests/system/rpz/ns5/named.conf +@@ -40,7 +40,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + controls { + inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; }; +diff --git a/bin/tests/system/rrl/ns2/named.conf b/bin/tests/system/rrl/ns2/named.conf +index cc261cb..748639c 100644 +--- a/bin/tests/system/rrl/ns2/named.conf ++++ b/bin/tests/system/rrl/ns2/named.conf +@@ -44,7 +44,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- 
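Review bot: The hmac-sha512 block carries a doubled redirect, `... status > /dev/null 2>&1 2>&1 && ret=1`; harmless, but it shows the copy-paste drift across six blocks that differ only in the key number and port. Folding them into one loop over the algorithm names, as below, keeps the positive check and the five negative checks in one place. Note that the negative checks treat any non-zero rndc exit as a pass, so they cannot tell an algorithm-mismatch rejection from, say, a refused connection; the positive check against the same port is what gives them meaning, so keep it first.
```sh
n=1
for alg in hmac-md5 hmac-sha1 hmac-sha224 hmac-sha256 hmac-sha384 hmac-sha512
do
	echo "I:testing rndc with $alg"
	ret=0
	$RNDC -s 10.53.0.4 -p 995$n -c ns4/key$n.conf status > /dev/null 2>&1 || ret=1
	for i in 1 2 3 4 5 6
	do
		[ $i = $n ] && continue
		$RNDC -s 10.53.0.4 -p 995$n -c ns4/key$i.conf status > /dev/null 2>&1 && ret=1
	done
	if [ $ret != 0 ]; then echo "I:failed"; fi
	status=`expr $status + $ret`
	n=`expr $n + 1`
done
# … unchanged: exit status reporting …
```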
algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + controls { + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +diff --git a/bin/tests/system/staticstub/ns3/named.conf.in b/bin/tests/system/staticstub/ns3/named.conf.in +index 159a4be..dbf9b17 100644 +--- a/bin/tests/system/staticstub/ns3/named.conf.in ++++ b/bin/tests/system/staticstub/ns3/named.conf.in +@@ -32,7 +32,7 @@ + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/stress/ns3/named.conf b/bin/tests/system/stress/ns3/named.conf +index 9ff09d7..f8695bc 100644 +--- a/bin/tests/system/stress/ns3/named.conf ++++ b/bin/tests/system/stress/ns3/named.conf +@@ -34,7 +34,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in +index b0f1700..6225563 100644 +--- a/bin/tests/system/tkey/ns1/named.conf.in ++++ b/bin/tests/system/tkey/ns1/named.conf.in +@@ -37,7 +37,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/tsiggss/ns1/named.conf b/bin/tests/system/tsiggss/ns1/named.conf +index 645d578..3084a1b 100644 +--- a/bin/tests/system/tsiggss/ns1/named.conf ++++ b/bin/tests/system/tsiggss/ns1/named.conf +@@ -34,7 +34,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/views/ns3/named1.conf b/bin/tests/system/views/ns3/named1.conf +index 9723e08..8071dbf 100644 +--- a/bin/tests/system/views/ns3/named1.conf ++++ b/bin/tests/system/views/ns3/named1.conf +@@ -34,7 +34,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/views/ns3/named2.conf 
b/bin/tests/system/views/ns3/named2.conf +index 27d4955..2804059 100644 +--- a/bin/tests/system/views/ns3/named2.conf ++++ b/bin/tests/system/views/ns3/named2.conf +@@ -34,7 +34,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/xfer/ns3/named.conf b/bin/tests/system/xfer/ns3/named.conf +index 5f742d2..0ea4663 100644 +--- a/bin/tests/system/xfer/ns3/named.conf ++++ b/bin/tests/system/xfer/ns3/named.conf +@@ -34,7 +34,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + controls { +diff --git a/bin/tests/system/xfer/ns4/named.conf.base b/bin/tests/system/xfer/ns4/named.conf.base +index 231fcfa..ecab46a 100644 +--- a/bin/tests/system/xfer/ns4/named.conf.base ++++ b/bin/tests/system/xfer/ns4/named.conf.base +@@ -30,7 +30,7 @@ options { + + key rndc_key { + secret "1234abcd8765"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; + + key unused_key. { +diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c +index 10e5dc9..9428374 100644 +--- a/lib/isccc/cc.c ++++ b/lib/isccc/cc.c +@@ -41,6 +41,7 @@ + + #include <isc/assertions.h> + #include <isc/hmacmd5.h> ++#include <isc/hmacsha.h> + #include <isc/print.h> + #include <isc/safe.h> + #include <isc/stdlib.h> +@@ -78,6 +79,34 @@ static unsigned char auth_hmd5[] = { + #define HMD5_OFFSET 21 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */ + #define HMD5_LENGTH 22 + ++static unsigned char auth_hsha[] = { ++ 0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /*%< len + _auth */ ++ ISCCC_CCMSGTYPE_TABLE, /*%< message type */ ++ 0x00, 0x00, 0x00, 0x63, /*%< length == 99 */ ++ 0x04, 0x68, 0x73, 0x68, 0x61, /*%< len + hsha */ ++ ISCCC_CCMSGTYPE_BINARYDATA, /*%< message type */ ++ 0x00, 0x00, 0x00, 0x59, /*%< length == 89 */ ++ 0x00, /*%< algorithm */ ++ /* ++ * The base64 encoding of one of our HMAC-SHA* signatures is ++ * 88 bytes. 
++ */ ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ++}; ++ ++#define HSHA_OFFSET 22 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */ ++#define HSHA_LENGTH 88 ++ + static isc_result_t + table_towire(isccc_sexpr_t *alist, isccc_region_t *target); + +@@ -205,53 +234,133 @@ list_towire(isccc_sexpr_t *list, isccc_region_t *target) + } + + static isc_result_t +-sign(unsigned char *data, unsigned int length, unsigned char *hmd5, +- isccc_region_t *secret) ++sign(unsigned char *data, unsigned int length, unsigned char *hmac, ++ isc_uint32_t algorithm, isccc_region_t *secret) + { +- isc_hmacmd5_t ctx; ++ union { ++ isc_hmacmd5_t hmd5; ++ isc_hmacsha1_t hsha; ++ isc_hmacsha224_t h224; ++ isc_hmacsha256_t h256; ++ isc_hmacsha384_t h384; ++ isc_hmacsha512_t h512; ++ } ctx; + isc_result_t result; + isccc_region_t source, target; +- unsigned char digest[ISC_MD5_DIGESTLENGTH]; +- unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4]; ++ unsigned char digest[ISC_SHA512_DIGESTLENGTH]; ++ unsigned char digestb64[HSHA_LENGTH + 4]; + +- isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret)); +- isc_hmacmd5_update(&ctx, data, length); +- isc_hmacmd5_sign(&ctx, digest); + source.rstart = digest; +- source.rend = digest + ISC_MD5_DIGESTLENGTH; ++ ++ switch (algorithm) { ++ case ISCCC_ALG_HMACMD5: ++ isc_hmacmd5_init(&ctx.hmd5, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacmd5_update(&ctx.hmd5, data, length); ++ isc_hmacmd5_sign(&ctx.hmd5, digest); ++ source.rend = digest + 
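Review bot: The comment on `#define HSHA_OFFSET 22` is stale: it reads `21 = 6 + 1 + 4 + 5 + 1 + 4 + 1`, but that sum is 22, the trailing `+ 1` being the algorithm byte that now precedes the signature, so it should read `/*%< 22 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */`. The `0x00, /*%< algorithm */` byte in `auth_hsha` is the one `isccc_cc_towire()` later overwrites via `hmac_alg = hmac_rstart - 1; PUT8(algorithm, hmac_alg);`, which is worth saying next to the template, e.g. `/*%< algorithm, patched in by isccc_cc_towire() */`, so the offset and the template are read together.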
ISC_MD5_DIGESTLENGTH; ++ break; ++ ++ case ISCCC_ALG_HMACSHA1: ++ isc_hmacsha1_init(&ctx.hsha, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacsha1_update(&ctx.hsha, data, length); ++ isc_hmacsha1_sign(&ctx.hsha, digest, ++ ISC_SHA1_DIGESTLENGTH); ++ source.rend = digest + ISC_SHA1_DIGESTLENGTH; ++ break; ++ ++ case ISCCC_ALG_HMACSHA224: ++ isc_hmacsha224_init(&ctx.h224, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacsha224_update(&ctx.h224, data, length); ++ isc_hmacsha224_sign(&ctx.h224, digest, ++ ISC_SHA224_DIGESTLENGTH); ++ source.rend = digest + ISC_SHA224_DIGESTLENGTH; ++ break; ++ ++ case ISCCC_ALG_HMACSHA256: ++ isc_hmacsha256_init(&ctx.h256, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacsha256_update(&ctx.h256, data, length); ++ isc_hmacsha256_sign(&ctx.h256, digest, ++ ISC_SHA256_DIGESTLENGTH); ++ source.rend = digest + ISC_SHA256_DIGESTLENGTH; ++ break; ++ ++ case ISCCC_ALG_HMACSHA384: ++ isc_hmacsha384_init(&ctx.h384, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacsha384_update(&ctx.h384, data, length); ++ isc_hmacsha384_sign(&ctx.h384, digest, ++ ISC_SHA384_DIGESTLENGTH); ++ source.rend = digest + ISC_SHA384_DIGESTLENGTH; ++ break; ++ ++ case ISCCC_ALG_HMACSHA512: ++ isc_hmacsha512_init(&ctx.h512, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacsha512_update(&ctx.h512, data, length); ++ isc_hmacsha512_sign(&ctx.h512, digest, ++ ISC_SHA512_DIGESTLENGTH); ++ source.rend = digest + ISC_SHA512_DIGESTLENGTH; ++ break; ++ ++ default: ++ return (ISC_R_FAILURE); ++ } ++ ++ memset(digestb64, 0, sizeof(digestb64)); + target.rstart = digestb64; +- target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4; ++ target.rend = digestb64 + sizeof(digestb64); + result = isccc_base64_encode(&source, 64, "", &target); + if (result != ISC_R_SUCCESS) + return (result); +- PUT_MEM(digestb64, HMD5_LENGTH, hmd5); +- ++ if (algorithm == ISCCC_ALG_HMACMD5) ++ PUT_MEM(digestb64, HMD5_LENGTH, hmac); ++ else ++ PUT_MEM(digestb64, HSHA_LENGTH, hmac); + return 
(ISC_R_SUCCESS); + } + + isc_result_t + isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target, +- isccc_region_t *secret) ++ isc_uint32_t algorithm, isccc_region_t *secret) + { +- unsigned char *hmd5_rstart, *signed_rstart; ++ unsigned char *hmac_rstart, *signed_rstart; + isc_result_t result; + +- if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5)) +- return (ISC_R_NOSPACE); ++ if (algorithm == ISCCC_ALG_HMACMD5) { ++ if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5)) ++ return (ISC_R_NOSPACE); ++ } else { ++ if (REGION_SIZE(*target) < 4 + sizeof(auth_hsha)) ++ return (ISC_R_NOSPACE); ++ } ++ + /* + * Emit protocol version. + */ + PUT32(1, target->rstart); + if (secret != NULL) { + /* +- * Emit _auth section with zeroed HMAC-MD5 signature. ++ * Emit _auth section with zeroed HMAC signature. + * We'll replace the zeros with the real signature once + * we know what it is. + */ +- hmd5_rstart = target->rstart + HMD5_OFFSET; +- PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart); ++ if (algorithm == ISCCC_ALG_HMACMD5) { ++ hmac_rstart = target->rstart + HMD5_OFFSET; ++ PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart); ++ } else { ++ unsigned char *hmac_alg; ++ ++ hmac_rstart = target->rstart + HSHA_OFFSET; ++ hmac_alg = hmac_rstart - 1; ++ PUT_MEM(auth_hsha, sizeof(auth_hsha), target->rstart); ++ PUT8(algorithm, hmac_alg); ++ } + } else +- hmd5_rstart = NULL; ++ hmac_rstart = NULL; + signed_rstart = target->rstart; + /* + * Delete any existing _auth section so that we don't try +@@ -266,21 +375,28 @@ isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target, + return (result); + if (secret != NULL) + return (sign(signed_rstart, (target->rstart - signed_rstart), +- hmd5_rstart, secret)); ++ hmac_rstart, algorithm, secret)); + return (ISC_R_SUCCESS); + } + + static isc_result_t + verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, +- isccc_region_t *secret) ++ isc_uint32_t algorithm, isccc_region_t *secret) + { +- isc_hmacmd5_t ctx; ++ 
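Review bot: The per-algorithm switch in `sign()` (init/update/sign into `digest`, then set `source.rend`) is repeated verbatim in `verify()` in the next hunk; a static helper that fills `digest`, reports the digest length and returns `ISC_R_FAILURE` for an unknown `algorithm` would leave one copy to maintain and one place to add an algorithm. The two copies also size the base64 buffer differently, `digestb64[HSHA_LENGTH + 4]` here versus `digestb64[HSHA_LENGTH * 4]` in `verify()`; both only need room for the 88-character SHA-512 encoding that `sign()` copies out with `PUT_MEM(digestb64, HSHA_LENGTH, hmac)`, so the two declarations should agree on one size. A sketch of the helper and its use in `sign()` follows; the SHA-224/256/384/512 cases have the same shape as the SHA-1 case.

```c
/*
 * Compute the HMAC of data[0..length) under secret with the given
 * algorithm into digest; *digestlen receives the digest length.
 */
static isc_result_t
compute_hmac(isc_uint32_t algorithm, isccc_region_t *secret,
	     unsigned char *data, unsigned int length,
	     unsigned char *digest, unsigned int *digestlen)
{
	union {
		isc_hmacmd5_t hmd5;
		isc_hmacsha1_t hsha;
		isc_hmacsha224_t h224;
		isc_hmacsha256_t h256;
		isc_hmacsha384_t h384;
		isc_hmacsha512_t h512;
	} ctx;

	switch (algorithm) {
	case ISCCC_ALG_HMACMD5:
		isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
				 REGION_SIZE(*secret));
		isc_hmacmd5_update(&ctx.hmd5, data, length);
		isc_hmacmd5_sign(&ctx.hmd5, digest);
		*digestlen = ISC_MD5_DIGESTLENGTH;
		return (ISC_R_SUCCESS);
	case ISCCC_ALG_HMACSHA1:
		isc_hmacsha1_init(&ctx.hsha, secret->rstart,
				  REGION_SIZE(*secret));
		isc_hmacsha1_update(&ctx.hsha, data, length);
		isc_hmacsha1_sign(&ctx.hsha, digest, ISC_SHA1_DIGESTLENGTH);
		*digestlen = ISC_SHA1_DIGESTLENGTH;
		return (ISC_R_SUCCESS);
	/* … SHA-224/256/384/512: same shape, own ctx member and
	 * ISC_SHAnnn_DIGESTLENGTH … */
	default:
		return (ISC_R_FAILURE);
	}
}

/* in sign(), replacing the inline switch: */
	result = compute_hmac(algorithm, secret, data, length,
			      digest, &digestlen);
	if (result != ISC_R_SUCCESS)
		return (result);
	source.rstart = digest;
	source.rend = digest + digestlen;
	/* … unchanged: memset, base64 encode, PUT_MEM of the signature … */
```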
union { ++ isc_hmacmd5_t hmd5; ++ isc_hmacsha1_t hsha; ++ isc_hmacsha224_t h224; ++ isc_hmacsha256_t h256; ++ isc_hmacsha384_t h384; ++ isc_hmacsha512_t h512; ++ } ctx; + isccc_region_t source; + isccc_region_t target; + isc_result_t result; +- isccc_sexpr_t *_auth, *hmd5; +- unsigned char digest[ISC_MD5_DIGESTLENGTH]; +- unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4]; ++ isccc_sexpr_t *_auth, *hmac; ++ unsigned char digest[ISC_SHA512_DIGESTLENGTH]; ++ unsigned char digestb64[HSHA_LENGTH * 4]; + + /* + * Extract digest. +@@ -288,40 +404,107 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, + _auth = isccc_alist_lookup(alist, "_auth"); + if (!isccc_alist_alistp(_auth)) + return (ISC_R_FAILURE); +- hmd5 = isccc_alist_lookup(_auth, "hmd5"); +- if (!isccc_sexpr_binaryp(hmd5)) ++ if (algorithm == ISCCC_ALG_HMACMD5) ++ hmac = isccc_alist_lookup(_auth, "hmd5"); ++ else ++ hmac = isccc_alist_lookup(_auth, "hsha"); ++ if (!isccc_sexpr_binaryp(hmac)) + return (ISC_R_FAILURE); + /* + * Compute digest. 
+ */ +- isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret)); +- isc_hmacmd5_update(&ctx, data, length); +- isc_hmacmd5_sign(&ctx, digest); + source.rstart = digest; +- source.rend = digest + ISC_MD5_DIGESTLENGTH; + target.rstart = digestb64; +- target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4; ++ switch (algorithm) { ++ case ISCCC_ALG_HMACMD5: ++ isc_hmacmd5_init(&ctx.hmd5, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacmd5_update(&ctx.hmd5, data, length); ++ isc_hmacmd5_sign(&ctx.hmd5, digest); ++ source.rend = digest + ISC_MD5_DIGESTLENGTH; ++ break; ++ ++ case ISCCC_ALG_HMACSHA1: ++ isc_hmacsha1_init(&ctx.hsha, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacsha1_update(&ctx.hsha, data, length); ++ isc_hmacsha1_sign(&ctx.hsha, digest, ++ ISC_SHA1_DIGESTLENGTH); ++ source.rend = digest + ISC_SHA1_DIGESTLENGTH; ++ break; ++ ++ case ISCCC_ALG_HMACSHA224: ++ isc_hmacsha224_init(&ctx.h224, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacsha224_update(&ctx.h224, data, length); ++ isc_hmacsha224_sign(&ctx.h224, digest, ++ ISC_SHA224_DIGESTLENGTH); ++ source.rend = digest + ISC_SHA224_DIGESTLENGTH; ++ break; ++ ++ case ISCCC_ALG_HMACSHA256: ++ isc_hmacsha256_init(&ctx.h256, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacsha256_update(&ctx.h256, data, length); ++ isc_hmacsha256_sign(&ctx.h256, digest, ++ ISC_SHA256_DIGESTLENGTH); ++ source.rend = digest + ISC_SHA256_DIGESTLENGTH; ++ break; ++ ++ case ISCCC_ALG_HMACSHA384: ++ isc_hmacsha384_init(&ctx.h384, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacsha384_update(&ctx.h384, data, length); ++ isc_hmacsha384_sign(&ctx.h384, digest, ++ ISC_SHA384_DIGESTLENGTH); ++ source.rend = digest + ISC_SHA384_DIGESTLENGTH; ++ break; ++ ++ case ISCCC_ALG_HMACSHA512: ++ isc_hmacsha512_init(&ctx.h512, secret->rstart, ++ REGION_SIZE(*secret)); ++ isc_hmacsha512_update(&ctx.h512, data, length); ++ isc_hmacsha512_sign(&ctx.h512, digest, ++ ISC_SHA512_DIGESTLENGTH); ++ source.rend = digest + 
ISC_SHA512_DIGESTLENGTH; ++ break; ++ ++ default: ++ return (ISC_R_FAILURE); ++ } ++ target.rstart = digestb64; ++ target.rend = digestb64 + sizeof(digestb64); ++ memset(digestb64, 0, sizeof(digestb64)); + result = isccc_base64_encode(&source, 64, "", &target); + if (result != ISC_R_SUCCESS) + return (result); +- /* +- * Strip trailing == and NUL terminate target. +- */ +- target.rstart -= 2; +- *target.rstart++ = '\0'; ++ + /* + * Verify. + */ +- if (!isc_safe_memcmp((unsigned char *) isccc_sexpr_tostring(hmd5), +- digestb64, HMD5_LENGTH)) +- return (ISCCC_R_BADAUTH); ++ if (algorithm == ISCCC_ALG_HMACMD5) { ++ unsigned char *value; ++ ++ value = (unsigned char *) isccc_sexpr_tostring(hmac); ++ if (memcmp(value, digestb64, HMD5_LENGTH) != 0) ++ return (ISCCC_R_BADAUTH); ++ } else { ++ unsigned char *value; ++ isc_uint32_t valalg; ++ ++ value = (unsigned char *) isccc_sexpr_tostring(hmac); ++ GET8(valalg, value); ++ if ((valalg != algorithm) || ++ (memcmp(value, digestb64, HSHA_LENGTH) != 0)) ++ return (ISCCC_R_BADAUTH); ++ } + + return (ISC_R_SUCCESS); + } + + static isc_result_t + table_fromwire(isccc_region_t *source, isccc_region_t *secret, +- isccc_sexpr_t **alistp); ++ isc_uint32_t algorithm, isccc_sexpr_t **alistp); + + static isc_result_t + list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp); +@@ -352,7 +535,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) + } else + result = ISC_R_NOMEMORY; + } else if (msgtype == ISCCC_CCMSGTYPE_TABLE) +- result = table_fromwire(&active, NULL, valuep); ++ result = table_fromwire(&active, NULL, 0, valuep); + else if (msgtype == ISCCC_CCMSGTYPE_LIST) + result = list_fromwire(&active, valuep); + else +@@ -363,7 +546,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) + + static isc_result_t + table_fromwire(isccc_region_t *source, isccc_region_t *secret, +- isccc_sexpr_t **alistp) ++ isc_uint32_t algorithm, isccc_sexpr_t **alistp) + { + char key[256]; + isc_uint32_t len; +@@ -405,7 
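Review bot: Both new comparisons in `verify()` use plain `memcmp()` where the removed line used `isc_safe_memcmp()`, so the control-channel signature check is no longer constant-time; `isc/safe.h` is still included, and the removed call shows it returns true on equality, so the two lines should be `if (!isc_safe_memcmp(value, digestb64, HMD5_LENGTH))` and `if ((valalg != algorithm) || !isc_safe_memcmp(value, digestb64, HSHA_LENGTH))`. Nothing in the hunk checks the length of the received `hmd5`/`hsha` binary before `GET8(valalg, value)` and the `HMD5_LENGTH`/`HSHA_LENGTH` compare; unless `isccc_sexpr_binaryp()` or `table_fromwire()` enforce a minimum length (not visible here), a shorter value makes the compare read past the end of the sexpr buffer, so a length check returning `ISCCC_R_BADAUTH` belongs before the compare. Minor: `memset(digestb64, 0, sizeof(digestb64))` is placed after `target.rstart`/`target.rend` here but before them in `sign()`; harmless, but the two should match.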
+588,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, + if (checksum_rstart != NULL) + result = verify(alist, checksum_rstart, + (source->rend - checksum_rstart), +- secret); ++ algorithm, secret); + else + result = ISCCC_R_BADAUTH; + } else +@@ -448,7 +631,7 @@ list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) + + isc_result_t + isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp, +- isccc_region_t *secret) ++ isc_uint32_t algorithm, isccc_region_t *secret) + { + unsigned int size; + isc_uint32_t version; +@@ -460,7 +643,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp, + if (version != 1) + return (ISCCC_R_UNKNOWNVERSION); + +- return (table_fromwire(source, secret, alistp)); ++ return (table_fromwire(source, secret, algorithm, alistp)); + } + + static isc_result_t +@@ -523,8 +706,8 @@ createmessage(isc_uint32_t version, const char *from, const char *to, + + isc_result_t + isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to, +- isc_uint32_t serial, isccc_time_t now, +- isccc_time_t expires, isccc_sexpr_t **alistp) ++ isc_uint32_t serial, isccc_time_t now, ++ isccc_time_t expires, isccc_sexpr_t **alistp) + { + return (createmessage(version, from, to, serial, now, expires, + alistp, ISC_TRUE)); +@@ -532,7 +715,7 @@ isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to, + + isc_result_t + isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok, +- isccc_sexpr_t **ackp) ++ isccc_sexpr_t **ackp) + { + char *_frm, *_to; + isc_uint32_t serial; +@@ -610,7 +793,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) + + isc_result_t + isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now, +- isccc_time_t expires, isccc_sexpr_t **alistp) ++ isccc_time_t expires, isccc_sexpr_t **alistp) + { + char *_frm, *_to, *type = NULL; + isc_uint32_t serial; +@@ -720,7 +903,7 @@ isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp) + + isc_result_t 
+ isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key, +- isc_uint32_t *uintp) ++ isc_uint32_t *uintp) + { + isccc_sexpr_t *kv, *v; + +@@ -798,7 +981,7 @@ has_whitespace(const char *str) + + isc_result_t + isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message, +- isccc_time_t now) ++ isccc_time_t now) + { + const char *_frm; + const char *_to; +diff --git a/lib/isccc/include/isccc/cc.h b/lib/isccc/include/isccc/cc.h +index 79393be..777e675 100644 +--- a/lib/isccc/include/isccc/cc.h ++++ b/lib/isccc/include/isccc/cc.h +@@ -41,6 +41,16 @@ + + ISC_LANG_BEGINDECLS + ++/*% from lib/dns/include/dst/dst.h */ ++ ++#define ISCCC_ALG_UNKNOWN 0 ++#define ISCCC_ALG_HMACMD5 157 ++#define ISCCC_ALG_HMACSHA1 161 ++#define ISCCC_ALG_HMACSHA224 162 ++#define ISCCC_ALG_HMACSHA256 163 ++#define ISCCC_ALG_HMACSHA384 164 ++#define ISCCC_ALG_HMACSHA512 165 ++ + /*% Maximum Datagram Package */ + #define ISCCC_CC_MAXDGRAMPACKET 4096 + +@@ -56,23 +66,23 @@ ISC_LANG_BEGINDECLS + /*% Send to Wire */ + isc_result_t + isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target, +- isccc_region_t *secret); ++ isc_uint32_t algorithm, isccc_region_t *secret); + + /*% Get From Wire */ + isc_result_t + isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp, +- isccc_region_t *secret); ++ isc_uint32_t algorithm, isccc_region_t *secret); + + /*% Create Message */ + isc_result_t + isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to, +- isc_uint32_t serial, isccc_time_t now, +- isccc_time_t expires, isccc_sexpr_t **alistp); ++ isc_uint32_t serial, isccc_time_t now, ++ isccc_time_t expires, isccc_sexpr_t **alistp); + + /*% Create Acknowledgment */ + isc_result_t + isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok, +- isccc_sexpr_t **ackp); ++ isccc_sexpr_t **ackp); + + /*% Is Ack? 
*/ + isc_boolean_t +@@ -85,7 +95,7 @@ isccc_cc_isreply(isccc_sexpr_t *message); + /*% Create Response */ + isc_result_t + isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now, +- isccc_time_t expires, isccc_sexpr_t **alistp); ++ isccc_time_t expires, isccc_sexpr_t **alistp); + + /*% Define String */ + isccc_sexpr_t * +@@ -102,7 +112,7 @@ isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp); + /*% Lookup uint 32 */ + isc_result_t + isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key, +- isc_uint32_t *uintp); ++ isc_uint32_t *uintp); + + /*% Create Symbol Table */ + isc_result_t +@@ -115,7 +125,7 @@ isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now); + /*% Check for Duplicates */ + isc_result_t + isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message, +- isccc_time_t now); ++ isccc_time_t now); + + ISC_LANG_ENDDECLS + +-- +2.9.5 + diff --git a/SOURCES/generate-rndc-key.sh b/SOURCES/generate-rndc-key.sh index 194e65b..dde7f70 100755 --- a/SOURCES/generate-rndc-key.sh +++ b/SOURCES/generate-rndc-key.sh @@ -6,9 +6,10 @@ if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then echo -n $"Generating /etc/rndc.key:" - if /usr/sbin/rndc-confgen -a -r /dev/urandom > /dev/null 2>&1; then + if /usr/sbin/rndc-confgen -a -A hmac-sha256 -r /dev/urandom > /dev/null 2>&1 + then chmod 640 /etc/rndc.key - chown root.named /etc/rndc.key + chown root:named /etc/rndc.key [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key success $"/etc/rndc.key generation" echo diff --git a/SOURCES/nslookup-norec.patch b/SOURCES/nslookup-norec.patch deleted file mode 100644 index 77350ad..0000000 --- a/SOURCES/nslookup-norec.patch +++ /dev/null 
@@ -1,28 +0,0 @@ ---- dighost.c.orig 2011-03-11 07:46:58.000000000 +0100 -+++ dighost.c 2011-10-28 14:31:29.806591603 +0200 -@@ -2619,8 +2619,13 @@ connect_timeout(isc_task_t *task, isc_ev - } - } else { - fputs(l->cmdline, stdout); -- printf(";; connection timed out; no servers could be " -- "reached\n"); -+ if (!next_origin(ISC_LIST_HEAD(l->q))) { -+ printf(";; connection timed out; no servers could be " -+ "reached\n"); -+ } else { -+ printf(";; connection timed out; trying next " -+ "origin\n"); -+ } - cancel_lookup(l); - check_next_lookup(l); - if (exitcode < 9) -@@ -3270,7 +3275,8 @@ recv_done(isc_task_t *task, isc_event_t - return; - } - if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) || -- (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse)) -+ (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && -+ msg->rcode != dns_rcode_noerror && l->recurse)) - { - dig_query_t *next = ISC_LIST_NEXT(query, link); - if (l->current_query == query) diff --git a/SPECS/bind.spec b/SPECS/bind.spec index a93cb66..d7988d4 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -25,7 +25,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.9.4 -Release: 51%{?PATCHVER}%{?PREVER}%{?dist}.2 +Release: 61%{?PATCHVER}%{?PREVER}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -79,7 +79,7 @@ Patch111:bind97-exportlib.patch Patch112:bind97-rh645544.patch Patch119:bind97-rh693982.patch Patch123:bind98-rh735103.patch -Patch124:nslookup-norec.patch +Patch124:bind93-rh726120.patch # FIXME: This disables dlzexternal, which I will enable later again # Make tests on all architectures and disable it Patch127:bind99-forward.patch 
@@ -144,9 +144,23 @@ Patch180:bind99-CVE-2017-3137.patch # commit 5e746ab61ed8158f784b86111fef95581a08b7dd ISC 3905 Patch181:bind99-rh1416304.patch # ISC 4643 -Patch182:bind99-CVE-2017-3142+3143.patch +Patch182: bind99-CVE-2017-3142+3143.patch +# commit e3894cd3a92be79a64072835008ec589b17c601a +Patch183: bind99-rh1472862.patch +# commit 2fc1b8102d4bf02162012c27ab95e98a7438bd8f ISC 4647 +Patch184: bind99-rh1476013.patch +# commit 51aed1827453f40ee56b165d45c5d58d96838d94 +Patch185: bind99-rh1470637-tests.patch +# commit 51b00c6c783ccf5dca86119ff8f4f8b994298ca4 ISC 4712 +Patch186: bind99-rh1470637.patch +# commit 6a3fa181d1253db5191139e20231512eebaddeeb ISC 3745 +Patch187: bind99-rh1464850.patch +# commit 871f3c8beeb2134b17414ec167b90a57adb8e122 ISC 3980 +Patch188: bind99-rh1464850-2.patch +# commit 4eb998928b9aef0ceda42d7529980d658138698a ISC 3525 +Patch189: bind99-rh1501531.patch # ISC 4858 -Patch183:bind99-CVE-2017-3145.patch +Patch190: bind99-CVE-2017-3145.patch # Native PKCS#11 functionality from 9.10 Patch150:bind-9.9-allow_external_dnskey.patch @@ -388,9 +402,7 @@ Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz> %patch112 -p1 -b .rh645544 %patch119 -p1 -b .rh693982 %patch123 -p1 -b .rh735103 -pushd bin/dig -%patch124 -p0 -b .nslookup-norec -popd +%patch124 -p1 -b .rh726120 %patch127 -p1 -b .forward %patch130 -p1 -b .libdb %patch131 -p1 -b .multlib-conflict @@ -447,7 +459,14 @@ tar -xf %{SOURCE48} -C bin/tests/system/geoip/data %patch180 -p1 -b .CVE-2017-3137 %patch181 -p1 -b .rh1416304 %patch182 -p1 -b .CVE-2017-3142+3143 -%patch183 -p1 -b .CVE-2017-3145 +%patch183 -p1 -b .rh1472862 +%patch184 -p1 -b .rh1476013 +%patch185 -p1 -b .rh1470637-tests +%patch186 -p1 -b .rh1470637 +%patch187 -p1 -b .rh1464850 +%patch188 -p1 -b .rh1464850 +%patch189 -p1 -b .rh1501531 +%patch190 -p1 -b .CVE-2017-3145 # Override upstream builtin keys cp -fp %{SOURCE29} bind.keys 
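Review bot: `%patch187 -p1 -b .rh1464850` and `%patch188 -p1 -b .rh1464850` share one backup suffix, so if the two patches touch the same file (likely, as both belong to the --with-tuning=large work) the second `-b` overwrites the first backup. The source is declared as `bind99-rh1464850-2.patch` in the `@@ -144,9 +144,23 @@` hunk, so a matching suffix keeps them apart: `%patch188 -p1 -b .rh1464850-2`.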
@@ -549,6 +568,7 @@ libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f --disable-isc-spnego \ %endif --enable-fixed-rrset \ + --with-tuning=large \ --with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \ ; make %{?_smp_mflags} @@ -708,6 +728,7 @@ ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz ln -s dnssec-settime.8.gz dnssec-settime-pkcs11.8.gz ln -s dnssec-signzone.8.gz dnssec-signzone-pkcs11.8.gz ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz +ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz popd %endif 
@@ -1134,11 +1155,36 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog -* Wed Jan 17 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-51.2 +* Tue Jan 16 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-61 - Fix CVE-2017-3145 -* Fri Oct 20 2017 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-51.1 -- Fix named-chroot restart leak (#1504700) +* Tue Dec 05 2017 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-60 +- Fix regression caused by bug #1470637 + +* Mon Nov 13 2017 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-59 +- Support for additional signing algorithms in rndc (#1501531) +- New autogenerated rndc keys will use hmac-sha256 algorithm + +* Tue Oct 31 2017 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-58 +- Fix multilib regression in headers + +* Mon Oct 30 2017 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-57 +- Add with-tunning=large support (#rh1464850) + +* Thu Oct 19 2017 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-56 +- Fix named-chroot restart leak (#1503646) + +* Thu Oct 12 2017 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-55 +- Handle dig timeouts the same way as upstream (#1470637) + +* Wed Oct 11 2017 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-54 +- Do not use next search domain on timeout from dig (#1470637) + +* Tue Aug 01 2017 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-53 +- Fixed TSIG validation of AXFR and IXFR (#1476013) + +* Fri Jul 07 2017 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-52 +- Add missing manual for dnssec-importkey (#1472862) * Thu Jun 29 2017 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-51 - Fix CVE-2017-3142 and CVE-2017-3143