diff --git a/SOURCES/bind-9.11-edns512-tcp-loops.patch b/SOURCES/bind-9.11-edns512-tcp-loops.patch
index 7c66164..ce2d478 100644
--- a/SOURCES/bind-9.11-edns512-tcp-loops.patch
+++ b/SOURCES/bind-9.11-edns512-tcp-loops.patch
@@ -1,4 +1,4 @@
-From b2822c93b89588bceb5213ab7c2e8c30d91e5e6c Mon Sep 17 00:00:00 2001
+From a6331686a8e3a5a2b0d1313de84978cd6d9ef65c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
 Date: Thu, 31 Oct 2019 08:48:35 +0100
 Subject: [PATCH] Prevent query loops for misbehaving servers
@@ -21,14 +21,13 @@ server gets reduced to 512 bytes and it is impossible to reach it using
 TCP.
 
 (cherry picked from commit 6cd115994e0d10631172c56a7dab1ace83e946b4)
-(cherry picked from commit a6331686a8e3a5a2b0d1313de84978cd6d9ef65c)
 ---
  bin/tests/system/legacy/tests.sh | 11 +++++++++++
  lib/dns/resolver.c               | 13 +++++++++++++
  2 files changed, 24 insertions(+)
 
 diff --git a/bin/tests/system/legacy/tests.sh b/bin/tests/system/legacy/tests.sh
-index c4356f2456..7c30dcbc12 100755
+index c4356f2..7c30dcb 100755
 --- a/bin/tests/system/legacy/tests.sh
 +++ b/bin/tests/system/legacy/tests.sh
 @@ -142,6 +142,17 @@ grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
@@ -50,10 +49,10 @@ index c4356f2456..7c30dcbc12 100755
  then
      $PERL $SYSTEMTESTTOP/stop.pl . ns1
 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index e13d684a4a..93ba77056e 100644
+index 0384b15..36f6b6c 100644
 --- a/lib/dns/resolver.c
 +++ b/lib/dns/resolver.c
-@@ -2744,6 +2744,19 @@ resquery_connected(isc_task_t *task, isc_event_t *event) {
+@@ -2744,10 +2744,22 @@ resquery_connected(isc_task_t *task, isc_event_t *event) {
  			 * No route to remote.
  			 */
  			isc_socket_detach(&query->tcpsocket);
@@ -73,6 +72,7 @@ index e13d684a4a..93ba77056e 100644
  			fctx_cancelquery(&query, NULL, NULL, ISC_TRUE, ISC_FALSE);
  			retry = ISC_TRUE;
  			break;
--- 
-2.21.3
-
+-
+ 		default:
+ 			FCTXTRACE3("query canceled in connected() due to "
+ 				   "unexpected event result; responding",
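Review bot: The refreshed patch's embedded diffstat (`lib/dns/resolver.c | 13 +++++++++++++`, `24 insertions(+)`) no longer describes its body, because the resolver.c hunk header changed from `-2744,6 +2744,19` to `-2744,10 +2744,22` and the hunk now also deletes the blank line between `break;` and `default:`. The `From` hash was replaced by the one that the dropped `(cherry picked from commit a6331686…)` trailer used to name, and the `-- ` / `2.21.3` signature is gone, so the file no longer reads as unmodified `git format-patch` output. Regenerating the patch from the local branch would keep header, diffstat and trailer consistent and make any drift from the cited upstream commit easier to audit.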
diff --git a/SOURCES/bind-9.11-rh1300636.patch b/SOURCES/bind-9.11-rh1300636.patch
new file mode 100644
index 0000000..5f0cdf1
--- /dev/null
+++ b/SOURCES/bind-9.11-rh1300636.patch
@@ -0,0 +1,77 @@
+From cfbb8a96570959a3d7471edbd8df559ea4e73123 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 14 Nov 2018 15:17:48 +1100
+Subject: [PATCH] free tmpzonename and restart_master
+
+(cherry picked from commit 50714a9b35ce80bd8839a52106778d65b6d4d7ba)
+(cherry picked from commit e409b8c6982a275e3fad960b2e66437890ff08e2)
+---
+ bin/nsupdate/nsupdate.c    | 14 ++++++++++++--
+ lib/dns/include/dns/name.h |  5 +++++
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
+index a0d0278635..7e241c17e9 100644
+--- a/bin/nsupdate/nsupdate.c
++++ b/bin/nsupdate/nsupdate.c
+@@ -158,8 +158,8 @@ static dns_fixedname_t fuserzone;
+ static dns_fixedname_t fzname;
+ static dns_name_t *userzone = NULL;
+ static dns_name_t *zname = NULL;
+-static dns_name_t tmpzonename;
+-static dns_name_t restart_master;
++static dns_name_t tmpzonename = DNS_NAME_INITEMPTY;
++static dns_name_t restart_master = DNS_NAME_INITEMPTY;
+ static dns_tsig_keyring_t *gssring = NULL;
+ static dns_tsigkey_t *tsigkey = NULL;
+ static dst_key_t *sig0key = NULL;
+@@ -2415,6 +2415,8 @@ update_completed(isc_task_t *task, isc_event_t *event) {
+ 	if (usegsstsig) {
+ 		dns_name_free(&tmpzonename, gmctx);
+ 		dns_name_free(&restart_master, gmctx);
++		dns_name_init(&tmpzonename, 0);
++		dns_name_init(&restart_master, 0);
+ 	}
+ 	isc_event_free(&event);
+ 	done_update();
+@@ -2830,6 +2832,8 @@ failed_gssrequest() {
+ 
+ 	dns_name_free(&tmpzonename, gmctx);
+ 	dns_name_free(&restart_master, gmctx);
++	dns_name_init(&tmpzonename, NULL);
++	dns_name_init(&restart_master, NULL);
+ 
+ 	done_update();
+ }
+@@ -3238,6 +3242,12 @@ cleanup(void) {
+ 		isc_mem_free(gmctx, realm);
+ 		realm = NULL;
+ 	}
++	if (dns_name_dynamic(&tmpzonename)) {
++		dns_name_free(&tmpzonename, gmctx);
++	}
++	if (dns_name_dynamic(&restart_master)) {
++		dns_name_free(&restart_master, gmctx);
++	}
+ #endif
+ 
+ 	if (sig0key != NULL)
+diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
+index be74667ccb..93ddacd80b 100644
+--- a/lib/dns/include/dns/name.h
++++ b/lib/dns/include/dns/name.h
+@@ -181,6 +181,11 @@ LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_wildcardname;
+ 	{NULL, NULL} \
+ }
+ 
++#define DNS_NAME_INITEMPTY { \
++	DNS_NAME_MAGIC, NULL, 0, 0, 0, NULL, NULL, \
++	{ (void *)-1, (void *)-1 }, { NULL, NULL } \
++}
++
+ /*%
+  * Standard size of a wire format name
+  */
+-- 
+2.21.1
+
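Review bot: In `update_completed()` and `failed_gssrequest()` both names are still passed to `dns_name_free()` unconditionally, while the new code in `cleanup()` guards the same call with `dns_name_dynamic()`. Now that the names are reset to an empty state after freeing, reaching either function a second time (or one after the other) would free a non-dynamic name; if `dns_name_free()` asserts on that, as the guard in `cleanup()` suggests, nsupdate aborts instead of exiting cleanly. Using the same guard at all three sites, e.g. `if (dns_name_dynamic(&tmpzonename)) dns_name_free(&tmpzonename, gmctx);`, would make them consistent. Also, `update_completed()` passes `0` as the second argument of `dns_name_init()` where `failed_gssrequest()` passes `NULL`; `NULL` is the clearer spelling for a pointer argument. The bodies of these functions are only partly visible in the hunks.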
diff --git a/SOURCES/bind-9.11-rh1744081.patch b/SOURCES/bind-9.11-rh1744081.patch
new file mode 100644
index 0000000..c58911d
--- /dev/null
+++ b/SOURCES/bind-9.11-rh1744081.patch
@@ -0,0 +1,33 @@
+From f6b9f4dfa61038a353f3974ec7683231fa23ed21 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 11 Mar 2020 17:36:51 +0100
+Subject: [PATCH] Allow conflicting files in zones, warn only
+
+Change hard error to just annoying warning. Broken configuration is
+still error, but it was possible before. Make it possible again.
+Would be fixed by using in-view clause properly.
+---
+ lib/bind9/check.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/bind9/check.c b/lib/bind9/check.c
+index 545e3c6..b02a894 100644
+--- a/lib/bind9/check.c
++++ b/lib/bind9/check.c
+@@ -2650,11 +2650,11 @@ fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, isc_boolean_t writeable,
+ 		if (writeable) {
+ 			file = cfg_obj_file(symvalue.as_cpointer);
+ 			line = cfg_obj_line(symvalue.as_cpointer);
+-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
++			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ 				    "writeable file '%s': already in use: "
+ 				    "%s:%u", cfg_obj_asstring(obj),
+ 				    file, line);
+-			return (ISC_R_EXISTS);
++			return (ISC_R_SUCCESS); // Pretend it is ok
+ 		}
+ 		result = isc_symtab_lookup(symtab, cfg_obj_asstring(obj), 2,
+ 					   &symvalue);
+-- 
+2.21.1
+
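Review bot: The line `return (ISC_R_SUCCESS); // Pretend it is ok` makes `fileexist()` report success for a writable file that is already in use by another zone, so configuration checking accepts it and the only remaining signal is a single WARNING log line. The patch description says a broken configuration "is still error", which the code no longer reflects. Since two zones writing to the same file can end up overwriting each other's data, the comment should record why this is tolerated and what the operator should do instead, for example `/* rh#1744081: tolerated for compatibility with existing configs; zones sharing a writable file should use in-view */`. `fileexist()` starts and continues outside the hunk.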
diff --git a/SOURCES/bind-9.11-rh1756201.patch b/SOURCES/bind-9.11-rh1756201.patch
new file mode 100644
index 0000000..b4d011d
--- /dev/null
+++ b/SOURCES/bind-9.11-rh1756201.patch
@@ -0,0 +1,246 @@
+From bd79638f1c2c8f765e316c30b15dfb3e5d31e1e4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
+Date: Thu, 3 Jan 2019 14:58:05 +0100
+Subject: [PATCH] If possible don't use forwarders when priming the resolver.
+
+If we try to fetch a record from cache and need to look into
+hints database we assume that the resolver is not primed and
+start dns_resolver_prime(). Priming query is supposed to return
+NSes for "." in ANSWER section and glue records for them in
+ADDITIONAL section, so that we can fill that info in 'regular'
+cache and not use hints db anymore.
+However, if we're using a forwarder the priming query goes through
+it, and if it's configured to return minimal answers we won't get
+the addresses of root servers in ADDITIONAL section. Since the
+only records for root servers we have are in hints database we'll
+try to prime the resolver with every single query.
+
+This patch adds a DNS_FETCHOPT_NOFORWARD flag which avoids using
+forwarders if possible (that is if we have forward-first policy).
+Using this flag on priming fetch fixes the problem as we get the
+proper glue. With forward-only policy the problem is non-existent,
+as we'll never ask for root server addresses because we'll never
+have a need to query them.
+
+Also added a test to confirm priming queries are not forwarded.
+
+(cherry picked from commit b49310ac06ac87733dc2867828e61370a84b2a9a)
+(cherry picked from commit f8963ad70e222edad0c1e64f855f7fb41fb13c3c)
+(cherry picked from commit aa9866c390a21d6984aa75cdb84d7bc77e114c2f)
+---
+ bin/tests/system/forward/ns4/named.conf.in |  3 ++
+ bin/tests/system/forward/ns7/named.conf.in | 28 +++++++++++++++++
+ bin/tests/system/forward/ns7/root.db       | 28 +++++++++++++++++
+ bin/tests/system/forward/setup.sh          |  1 +
+ bin/tests/system/forward/tests.sh          | 12 ++++++++
+ lib/dns/include/dns/resolver.h             | 36 ++++++++++++----------
+ lib/dns/resolver.c                         | 17 ++++++++--
+ 7 files changed, 106 insertions(+), 19 deletions(-)
+ create mode 100644 bin/tests/system/forward/ns7/named.conf.in
+ create mode 100644 bin/tests/system/forward/ns7/root.db
+
+diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in
+index 480530b0f2..643e1271b5 100644
+--- a/bin/tests/system/forward/ns4/named.conf.in
++++ b/bin/tests/system/forward/ns4/named.conf.in
+@@ -17,6 +17,9 @@ options {
+ 	pid-file "named.pid";
+ 	listen-on { 10.53.0.4; };
+ 	listen-on-v6 { none; };
++	recursion yes;
++	dnssec-validation yes;
++	minimal-responses yes;
+ };
+ 
+ zone "." {
+diff --git a/bin/tests/system/forward/ns7/named.conf.in b/bin/tests/system/forward/ns7/named.conf.in
+new file mode 100644
+index 0000000000..d9f5e8a9db
+--- /dev/null
++++ b/bin/tests/system/forward/ns7/named.conf.in
+@@ -0,0 +1,28 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++	query-source address 10.53.0.7;
++	notify-source 10.53.0.7;
++	transfer-source 10.53.0.7;
++	port @PORT@;
++	pid-file "named.pid";
++	listen-on { 10.53.0.7; };
++	listen-on-v6 { none; };
++	forwarders { 10.53.0.4; };
++	forward first;
++	dnssec-validation yes;
++};
++
++zone "." {
++	type hint;
++	file "root.db";
++};
+diff --git a/bin/tests/system/forward/ns7/root.db b/bin/tests/system/forward/ns7/root.db
+new file mode 100644
+index 0000000000..7346810ba6
+--- /dev/null
++++ b/bin/tests/system/forward/ns7/root.db
+@@ -0,0 +1,28 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 300
++. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
++				2000042100   	; serial
++				600         	; refresh
++				600         	; retry
++				1200    	; expire
++				600       	; minimum
++				)
++.			NS	a.root-servers.nil.
++a.root-servers.nil.	A	10.53.0.1
++
++example1		NS	ns.example1
++ns.example1		A	10.53.0.1
++
++example2		NS	ns.example2
++ns.example2		A	10.53.0.1
++
++example3		NS	ns.example3
++ns.example3		A	10.53.0.1
+diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh
+index c63aeb10d2..d64579e590 100644
+--- a/bin/tests/system/forward/setup.sh
++++ b/bin/tests/system/forward/setup.sh
+@@ -18,3 +18,4 @@ copy_setports ns2/named.conf.in ns2/named.conf
+ copy_setports ns3/named.conf.in ns3/named.conf
+ copy_setports ns4/named.conf.in ns4/named.conf
+ copy_setports ns5/named.conf.in ns5/named.conf
++copy_setports ns7/named.conf.in ns7/named.conf
+diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
+index f23cde1751..8c6496037d 100644
+--- a/bin/tests/system/forward/tests.sh
++++ b/bin/tests/system/forward/tests.sh
+@@ -131,5 +131,17 @@ $CHECKCONF ula-notinherited.conf | grep "forward first;" >/dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++echo_i "checking that priming queries are not forwarded"
++ret=0
++$DIG $DIGOPTS +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.f7 || ret=1
++sent=`sed -n '/sending packet to 10.53.0.1/,/^$/p' ns7/named.run | grep ";.*IN.*NS" | wc -l`
++[ $sent -eq 1 ] || ret=1
++sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run | wc -l`
++[ $sent -eq 0 ] || ret=1
++sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run | wc -l`
++[ $sent -eq 1 ] || ret=1
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=`expr $status + $ret`
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
+index f2f8714d16..e1a10295f3 100644
+--- a/lib/dns/include/dns/resolver.h
++++ b/lib/dns/include/dns/resolver.h
+@@ -88,23 +88,25 @@ typedef enum {
+ /*
+  * Options that modify how a 'fetch' is done.
+  */
+-#define DNS_FETCHOPT_TCP		0x0001	     /*%< Use TCP. */
+-#define DNS_FETCHOPT_UNSHARED		0x0002	     /*%< See below. */
+-#define DNS_FETCHOPT_RECURSIVE		0x0004	     /*%< Set RD? */
+-#define DNS_FETCHOPT_NOEDNS0		0x0008	     /*%< Do not use EDNS. */
+-#define DNS_FETCHOPT_FORWARDONLY	0x0010	     /*%< Only use forwarders. */
+-#define DNS_FETCHOPT_NOVALIDATE		0x0020	     /*%< Disable validation. */
+-#define DNS_FETCHOPT_EDNS512		0x0040	     /*%< Advertise a 512 byte
+-							  UDP buffer. */
+-#define DNS_FETCHOPT_WANTNSID		0x0080	     /*%< Request NSID */
+-#define DNS_FETCHOPT_PREFETCH		0x0100	     /*%< Do prefetch */
+-#define DNS_FETCHOPT_NOCDFLAG		0x0200	     /*%< Don't set CD flag. */
+-#define DNS_FETCHOPT_NONTA		0x0400	     /*%< Ignore NTA table. */
+-/* RESERVED ECS				0x0000 */
+-/* RESERVED ECS				0x1000 */
+-/* RESERVED ECS				0x2000 */
+-/* RESERVED TCPCLIENT			0x4000 */
+-#define DNS_FETCHOPT_NOCACHED		0x8000	     /*%< Force cache update. */
++#define DNS_FETCHOPT_TCP		0x00001	     /*%< Use TCP. */
++#define DNS_FETCHOPT_UNSHARED		0x00002	     /*%< See below. */
++#define DNS_FETCHOPT_RECURSIVE		0x00004	     /*%< Set RD? */
++#define DNS_FETCHOPT_NOEDNS0		0x00008	     /*%< Do not use EDNS. */
++#define DNS_FETCHOPT_FORWARDONLY	0x00010	     /*%< Only use forwarders. */
++#define DNS_FETCHOPT_NOVALIDATE		0x00020	     /*%< Disable validation. */
++#define DNS_FETCHOPT_EDNS512		0x00040	     /*%< Advertise a 512 byte
++					0		  UDP buffer. */
++#define DNS_FETCHOPT_WANTNSID		0x00080	     /*%< Request NSID */
++#define DNS_FETCHOPT_PREFETCH		0x00100	     /*%< Do prefetch */
++#define DNS_FETCHOPT_NOCDFLAG		0x00200	     /*%< Don't set CD flag. */
++#define DNS_FETCHOPT_NONTA		0x00400	     /*%< Ignore NTA table. */
++/* RESERVED ECS				0x00000 */
++/* RESERVED ECS				0x01000 */
++/* RESERVED ECS				0x02000 */
++/* RESERVED TCPCLIENT			0x04000 */
++#define DNS_FETCHOPT_NOCACHED		0x08000	     /*%< Force cache update. */
++#define DNS_FETCHOPT_NOFORWARD		0x80000 /*%< Do not use forwarders
++							if possible. */
+ 
+ /* Reserved in use by adb.c		0x00400000 */
+ #define	DNS_FETCHOPT_EDNSVERSIONSET	0x00800000
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 301ad52fe2..f701a09be9 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -3261,6 +3261,18 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
+ 	INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
+ 	INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
+ 
++	/*
++	 * If we have DNS_FETCHOPT_NOFORWARD set and forwarding policy
++	 * allows us to not forward - skip forwarders and go straight
++	 * to NSes. This is currently used to make sure that priming query
++	 * gets root servers' IP addresses in ADDITIONAL section.
++	 */
++	if ((fctx->options & DNS_FETCHOPT_NOFORWARD) != 0 &&
++	    (fctx->fwdpolicy != dns_fwdpolicy_only))
++	{
++		goto normal_nses;
++	}
++
+ 	/*
+ 	 * If this fctx has forwarders, use them; otherwise use any
+ 	 * selective forwarders specified in the view; otherwise use the
+@@ -3346,7 +3358,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
+ 	/*
+ 	 * Normal nameservers.
+ 	 */
+-
++ normal_nses:
+ 	stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
+ 	if (fctx->restarts == 1) {
+ 		/*
+@@ -9194,7 +9206,8 @@ dns_resolver_prime(dns_resolver_t *res) {
+ 		LOCK(&res->primelock);
+ 		result = dns_resolver_createfetch(res, dns_rootname,
+ 						  dns_rdatatype_ns,
+-						  NULL, NULL, NULL, 0,
++						  NULL, NULL, NULL,
++						  DNS_FETCHOPT_NOFORWARD,
+ 						  res->buckets[0].task,
+ 						  prime_done,
+ 						  res, rdataset, NULL,
+-- 
+2.21.1
+
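Review bot: The new `DNS_FETCHOPT_NOFORWARD` comment in resolver.h says only "if possible" and does not state that the flag is ignored when the policy is `dns_fwdpolicy_only`, which is what the added check in `fctx_getaddresses()` implements; something like `/*%< Skip forwarders unless the policy is forward-only. */` would document the actual contract. This matters to operators who rely on forwarders to confine outbound DNS, because with `forward first` the priming query now goes directly to the hint addresses. In the same header hunk the reindented `DNS_FETCHOPT_EDNS512` comment picked up a stray `0` on its continuation line (`0		  UDP buffer. */`); it sits inside the comment and is harmless, but should be dropped. The `goto normal_nses` skips everything between the check and the label, and that stretch is outside the hunks, so it is worth confirming that no local read on the normal-nameserver path is first assigned there.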
diff --git a/SOURCES/bind-9.11-rh1832812.patch b/SOURCES/bind-9.11-rh1832812.patch
new file mode 100644
index 0000000..f20ddce
--- /dev/null
+++ b/SOURCES/bind-9.11-rh1832812.patch
@@ -0,0 +1,129 @@
+diff --git a/bin/tests/system/forward/ns4/malicious.db b/bin/tests/system/forward/ns4/malicious.db
+new file mode 100644
+index 0000000000000000000000000000000000000000..b47208c1640eaf40d9c23bfb4598000fd068b814
+--- /dev/null
++++ b/bin/tests/system/forward/ns4/malicious.db
+@@ -0,0 +1,22 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL    86400
++@       IN      SOA     malicious. admin.malicious. (
++                              1         ; Serial
++                         604800         ; Refresh
++                          86400         ; Retry
++                        2419200         ; Expire
++                          86400 )       ; Negative Cache TTL
++
++@           IN    NS      ns
++
++ns          IN    A       10.53.0.4
++
++target      IN    CNAME   subdomain.rebind.
+diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in
+index 643e1271b53ae85e91a169413259afe84dfe1fee..fee76b41e5d46d5bfdb9fc10bd6e914436417a2b 100644
+--- a/bin/tests/system/forward/ns4/named.conf.in
++++ b/bin/tests/system/forward/ns4/named.conf.in
+@@ -55,3 +55,8 @@ zone "grafted" {
+ 	forward only;
+ 	forwarders { 10.53.0.2; };
+ };
++
++zone "malicious." {
++	type master;
++	file "malicious.db";
++};
+diff --git a/bin/tests/system/forward/ns5/named.conf.in b/bin/tests/system/forward/ns5/named.conf.in
+index 0e65985d52634654cf3ebb757cd1f0296e5d9cb6..6742222d4d088807ce1765c1073ef8ba16768d9c 100644
+--- a/bin/tests/system/forward/ns5/named.conf.in
++++ b/bin/tests/system/forward/ns5/named.conf.in
+@@ -19,9 +19,16 @@ options {
+ 	listen-on-v6 { none; };
+ 	forward only;
+ 	forwarders { 10.53.0.4; };
++	deny-answer-aliases { "rebind"; };
++	dnssec-validation yes;
+ };
+ 
+ zone "." {
+ 	type hint;
+ 	file "root.db";
+ };
++
++zone "rebind" {
++	type master;
++	file "rebind.db";
++};
+diff --git a/bin/tests/system/forward/ns5/rebind.db b/bin/tests/system/forward/ns5/rebind.db
+new file mode 100644
+index 0000000000000000000000000000000000000000..3e71327a4856ab9a164db475423327de0184dd81
+--- /dev/null
++++ b/bin/tests/system/forward/ns5/rebind.db
+@@ -0,0 +1,22 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL    86400
++@       IN      SOA     rebind. admin.rebind. (
++                              1         ; Serial
++                         604800         ; Refresh
++                          86400         ; Retry
++                        2419200         ; Expire
++                          86400 )       ; Negative Cache TTL
++
++@           IN    NS    ns
++
++ns          IN    A     10.53.0.5
++
++subdomain   IN    A     10.53.0.1
+diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
+index 8c64960..1da4136 100644
+--- a/bin/tests/system/forward/tests.sh
++++ b/bin/tests/system/forward/tests.sh
+@@ -143,5 +143,18 @@ sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run | wc -l`
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ 
++n=$((n+1))
++echo_i "checking that rebinding protection works in forward only mode ($n)"
++ret=0
++# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
++# which in turn will return a CNAME for subdomain.rebind.
++# to honor the option deny-answer-aliases { "rebind"; };
++# ns5 should return a SERVFAIL to avoid potential rebinding attacks
++dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
++grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=$((status+ret))
++
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index a8cbb10..39d33e0 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -6413,8 +6413,10 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+ 	/*
+ 	 * If the target name is a subdomain of the search domain, allow it.
+ 	 */
+-	if (dns_name_issubdomain(tname, &fctx->domain))
++	if ((fctx->fwdpolicy == dns_fwdpolicy_none) &&
++		dns_name_issubdomain(tname, &fctx->domain)) {
+ 		return (ISC_TRUE);
++	}
+ 
+ 	/*
+ 	 * Otherwise, apply filters.
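Review bot: The comment above the changed condition in `is_answertarget_allowed()` still reads "If the target name is a subdomain of the search domain, allow it", but the shortcut now applies only when `fctx->fwdpolicy == dns_fwdpolicy_none`. Because this branch decides whether the `deny-answer-aliases` filters run at all, the comment should state the condition and the reason, e.g. `/* Only when not forwarding: an answer obtained via a forwarder must not skip the filters below just because its target is under the search domain. */` (rationale inferred from the test description; confirm against upstream). The continuation line of the new condition is indented with two tabs, whereas the multi-line condition added to resolver.c by the rh1756201 patch on this page aligns under the opening parenthesis. In tests.sh the new case uses `dig_with_opts` and `$n`, while the case directly above it uses `$DIG $DIGOPTS` and a fixed output name; neither is defined in the visible hunks, so verify they exist in this 9.11.4 tree, otherwise the test fails for the wrong reason. The function body continues outside the hunk.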
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 9f6f81f..7aad09a 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -64,7 +64,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.4
-Release:  16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.6
+Release:  26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 #
@@ -163,11 +163,15 @@ Patch176: bind-9.11-rh1753259.patch
 Patch177: bind-9.11-rh1743572-2.patch
 Patch178: bind-9.11-rh1781576.patch
 Patch179: bind-9.11-disab-timer-test.patch
-Patch180: bind-9.11.13-CVE-2020-8616.patch
-Patch181: bind-9.11.13-CVE-2020-8617.patch
+Patch180: bind-9.11-rh1744081.patch
+Patch181: bind-9.11-rh1300636.patch
+Patch182: bind-9.11-rh1756201.patch
+Patch183: bind-9.11.13-CVE-2020-8616.patch
+Patch184: bind-9.11.13-CVE-2020-8617.patch
 Patch185: bind-9.11-CVE-2020-8616-test.patch
 Patch186: bind-9.11-CVE-2020-8617-test.patch
-Patch187: bind-9.11-edns512-tcp-loops.patch
+Patch187: bind-9.11-rh1832812.patch
+Patch188: bind-9.11-edns512-tcp-loops.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -524,11 +528,15 @@ are used for building ISC DHCP.
 %patch176 -p1 -b .rh1753259
 %patch177 -p1 -b .rh1743572
 %patch178 -p1 -b .rh1781576
-%patch180 -p1 -b .CVE-2020-8616
-%patch181 -p1 -b .CVE-2020-8617
+%patch180 -p1 -b .rh1744081
+%patch181 -p1 -b .rh1300636
+%patch182 -p1 -b .rh1756201
+%patch183 -p1 -b .CVE-2020-8616
+%patch184 -p1 -b .CVE-2020-8617
 %patch185 -p1 -b .CVE-2020-8616-test
 %patch186 -p1 -b .CVE-2020-8616-test
-%patch187 -p1 -b .edns512-loops
+%patch187 -p1 -b .rh1832812
+%patch188 -p1 -b .edns512-loops
 
 # Override upstream builtin keys
 cp -fp %{SOURCE29} bind.keys
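Review bot: `%patch186` is applied with the backup suffix `.CVE-2020-8616-test`, the same suffix as `%patch185`, although Patch186 is `bind-9.11-CVE-2020-8617-test.patch`. The commit renumbers the lines around it but leaves this untouched; with identical `-b` suffixes, a file touched by both patches would have its first backup overwritten, which makes the pristine copy unavailable for later comparison. Suggested line: `%patch186 -p1 -b .CVE-2020-8617-test`.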
@@ -1510,24 +1518,37 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
-* Wed May 27 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-16.P2.6
+* Fri May 29 2020 Artem Egorenkov <aegorenk@redhat.com> - 32:9.11.4-26.P2
 - Fix EDNS512 loops on broken servers
 
-* Fri May 22 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-16.P2.5
+* Tue May 26 2020 Artem Egorenkov <aegorenk@redhat.com> - 32:9.11.4-25.P2
+- rebinding protection for forwarding DNS server upstream patch (#1832812)
+
+* Fri May 22 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-24.P2
 - Add CVE tests to codebase
 
-* Tue May 19 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-16.P2.4
+* Mon May 18 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-23.P2
 - Limit number of queries triggered by a request (CVE-2020-8616)
 - Fix invalid tsig request (CVE-2020-8617)
 
-* Wed Mar 04 2020 Miroslav Lichvar <mlichvar@redhat.com> - 32:9.11.4-16.P2.3
-- Disable atomic operations on ppc64, ppc64le, aarch64, ppc (#1779589)
+* Wed Mar 18 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-22.P2
+- Solve often priming queries on some forwarder (#1756201)
 
-* Sat Feb 22 2020 Tomas Korbar <tkorbar@redhat.com> - 32:9.11.4-16.P2.2
-- Disable unit test timer_test on ppc64le because of its instability
+* Mon Mar 16 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-21.P2
+- Disable atomic operations also on ppc (#1779589)
+
+* Fri Mar 13 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-20.P2
+- Do not crash when nsupdate with GSS terminated early (#1300636)
 
-* Fri Feb 21 2020 Tomas Korbar <tkorbar@redhat.com> - 32:9.11.4-16.P2.1
-- Prevent deadlock on reload (#1805685)
+* Wed Mar 11 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-19.P2
+- Allow conflicting zone files with a warning (#1744081)
+
+* Wed Mar 04 2020 Miroslav Lichvar <mlichvar@redhat.com> - 32:9.11.4-18.P2
+- Disable atomic operations on ppc64, ppc64le, aarch64 (#1779589)
+
+* Fri Feb 21 2020 Tomas Korbar <tkorbar@redhat.com> - 32:9.11.4-17.P2
+- Prevent deadlock on reload (#1781576)
+- Disable unit test timer_test on ppc64le because of its instability
 
 * Thu Dec 12 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-16.P2
 - Finish dig query when name is too long (#1743572)