diff --git a/SOURCES/bind-9.11-CVE-2021-25220-test.patch b/SOURCES/bind-9.11-CVE-2021-25220-test.patch
new file mode 100644
index 0000000..a13f81a
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2021-25220-test.patch
@@ -0,0 +1,1171 @@
+From 800ef75553881527e2406f22887e976bb1ba3bfe Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 18 Jan 2022 00:19:47 +1100
+Subject: [PATCH] Add tests for forwarder cache poisoning scenarios
+
+- Check that an NS in an authority section returned from a forwarder
+ which is above the name in a configured "forward first" or "forward
+ only" zone (i.e., net/NS in a response from a forwarder configured for
+ local.net) is not cached.
+- Test that a DNAME for a parent domain will not be cached when sent
+ in a response from a forwarder configured to answer for a child.
+- Check that glue is rejected if its name falls below that of zone
+ configured locally.
+- Check that an extra out-of-bailiwick data in the answer section is
+ not cached (this was already working correctly, but was not explicitly
+ tested before).
+
+- v9_11 backport: Revert primary/secondary to master/slave,
+ backport rndc helper, backport ns8 config.
+
+(cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604)
+(cherry picked from commit 29f08170f05c2c96fb67f3b561b46aa0bae356f7)
+---
+ bin/tests/system/forward/ans11/ans.py | 136 ++++++++++++++++++
+ bin/tests/system/forward/clean.sh | 2 +
+ bin/tests/system/forward/ns1/diditwork.net.db | 20 +++
+ bin/tests/system/forward/ns1/named.conf.in | 20 +++
+ bin/tests/system/forward/ns1/net.example.lll | 13 ++
+ bin/tests/system/forward/ns1/spoofed.net.db | 20 +++
+ bin/tests/system/forward/ns1/sub.local.net.db | 20 +++
+ bin/tests/system/forward/ns10/fakenet.zone | 15 ++
+ bin/tests/system/forward/ns10/fakenet2.zone | 13 ++
+ .../system/forward/ns10/fakesublocalnet.zone | 13 ++
+ .../system/forward/ns10/fakesublocaltld.zone | 13 ++
+ bin/tests/system/forward/ns10/named.conf.in | 51 +++++++
+ bin/tests/system/forward/ns10/net.example.lll | 13 ++
+ bin/tests/system/forward/ns10/spoofednet.zone | 14 ++
+ bin/tests/system/forward/ns4/named.conf.in | 5 +
+ bin/tests/system/forward/ns4/sibling.tld.db | 20 +++
+ bin/tests/system/forward/ns8/named.conf.in | 33 +++++
+ bin/tests/system/forward/ns8/root.db | 11 ++
+ bin/tests/system/forward/ns8/sub.local.tld.db | 13 ++
+ bin/tests/system/forward/ns9/local.net.db | 14 ++
+ bin/tests/system/forward/ns9/local.tld.db | 13 ++
+ bin/tests/system/forward/ns9/named1.conf.in | 65 +++++++++
+ bin/tests/system/forward/ns9/named2.conf.in | 68 +++++++++
+ bin/tests/system/forward/ns9/named3.conf.in | 48 +++++++
+ bin/tests/system/forward/ns9/named4.conf.in | 45 ++++++
+ bin/tests/system/forward/ns9/root.db | 11 ++
+ bin/tests/system/forward/prereq.sh | 14 ++
+ bin/tests/system/forward/setup.sh | 3 +
+ bin/tests/system/forward/tests.sh | 126 ++++++++++++++++
+ bin/tests/system/ifconfig.sh | 8 +-
+ 30 files changed, 856 insertions(+), 4 deletions(-)
+ create mode 100644 bin/tests/system/forward/ans11/ans.py
+ create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db
+ create mode 100644 bin/tests/system/forward/ns1/net.example.lll
+ create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db
+ create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db
+ create mode 100644 bin/tests/system/forward/ns10/fakenet.zone
+ create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone
+ create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone
+ create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone
+ create mode 100644 bin/tests/system/forward/ns10/named.conf.in
+ create mode 100644 bin/tests/system/forward/ns10/net.example.lll
+ create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone
+ create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db
+ create mode 100644 bin/tests/system/forward/ns8/named.conf.in
+ create mode 100644 bin/tests/system/forward/ns8/root.db
+ create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db
+ create mode 100644 bin/tests/system/forward/ns9/local.net.db
+ create mode 100644 bin/tests/system/forward/ns9/local.tld.db
+ create mode 100644 bin/tests/system/forward/ns9/named1.conf.in
+ create mode 100644 bin/tests/system/forward/ns9/named2.conf.in
+ create mode 100644 bin/tests/system/forward/ns9/named3.conf.in
+ create mode 100644 bin/tests/system/forward/ns9/named4.conf.in
+ create mode 100644 bin/tests/system/forward/ns9/root.db
+
+diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py
+new file mode 100644
+index 0000000000..2956cf6eff
+--- /dev/null
++++ b/bin/tests/system/forward/ans11/ans.py
+@@ -0,0 +1,136 @@
++############################################################################
++# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++#
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, you can obtain one at https://mozilla.org/MPL/2.0/.
++#
++# See the COPYRIGHT file distributed with this work for additional
++# information regarding copyright ownership.
++############################################################################
++
++from __future__ import print_function
++import os
++import sys
++import signal
++import socket
++import select
++from datetime import datetime, timedelta
++import time
++import functools
++
++import dns, dns.message, dns.query, dns.flags
++from dns.rdatatype import *
++from dns.rdataclass import *
++from dns.rcode import *
++from dns.name import *
++
++# Log query to file
++def logquery(type, qname):
++ with open("qlog", "a") as f:
++ f.write("%s %s\n", type, qname)
++
++############################################################################
++# Respond to a DNS query.
++############################################################################
++def create_response(msg):
++ m = dns.message.from_wire(msg)
++ qname = m.question[0].name.to_text()
++ rrtype = m.question[0].rdtype
++ typename = dns.rdatatype.to_text(rrtype)
++
++ with open("query.log", "a") as f:
++ f.write("%s %s\n" % (typename, qname))
++ print("%s %s" % (typename, qname), end=" ")
++
++ r = dns.message.make_response(m)
++ r.set_rcode(NOERROR)
++ if rrtype == A:
++ tld=qname.split('.')[-2] + '.'
++ ns="local." + tld
++ r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11"))
++ r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld))
++ r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11"))
++ elif rrtype == NS:
++ r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, "."))
++ elif rrtype == SOA:
++ r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
++ else:
++ r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0"))
++ r.flags |= dns.flags.AA
++ return r
++
++def sigterm(signum, frame):
++ print ("Shutting down now...")
++ os.remove('ans.pid')
++ running = False
++ sys.exit(0)
++
++############################################################################
++# Main
++#
++# Set up responder and control channel, open the pid file, and start
++# the main loop, listening for queries on the query channel or commands
++# on the control channel and acting on them.
++############################################################################
++ip4 = "10.53.0.11"
++ip6 = "fd92:7065:b8e:ffff::11"
++
++try: port=int(os.environ['PORT'])
++except: port=5300
++
++query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
++query4_socket.bind((ip4, port))
++havev6 = True
++try:
++ query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
++ try:
++ query6_socket.bind((ip6, port))
++ except:
++ query6_socket.close()
++ havev6 = False
++except:
++ havev6 = False
++signal.signal(signal.SIGTERM, sigterm)
++
++f = open('ans.pid', 'w')
++pid = os.getpid()
++print (pid, file=f)
++f.close()
++
++running = True
++
++print ("Listening on %s port %d" % (ip4, port))
++if havev6:
++ print ("Listening on %s port %d" % (ip6, port))
++print ("Ctrl-c to quit")
++
++if havev6:
++ input = [query4_socket, query6_socket]
++else:
++ input = [query4_socket]
++
++while running:
++ try:
++ inputready, outputready, exceptready = select.select(input, [], [])
++ except select.error as e:
++ break
++ except socket.error as e:
++ break
++ except KeyboardInterrupt:
++ break
++
++ for s in inputready:
++ if s == query4_socket or s == query6_socket:
++ print ("Query received on %s" %
++ (ip4 if s == query4_socket else ip6), end=" ")
++ # Handle incoming queries
++ msg = s.recvfrom(65535)
++ rsp = create_response(msg[0])
++ if rsp:
++ print(dns.rcode.to_text(rsp.rcode()))
++ s.sendto(rsp.to_wire(), msg[1])
++ else:
++ print("NO RESPONSE")
++ if not running:
++ break
+diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh
+index 26e4e76db6..26a550db49 100644
+--- a/bin/tests/system/forward/clean.sh
++++ b/bin/tests/system/forward/clean.sh
+@@ -10,8 +10,10 @@
+ #
+ # Clean up after forward tests.
+ #
++rm -f ./ans11/query.log
+ rm -f ./dig.out.*
+ rm -f ./*/named.conf
+ rm -f ./*/named.memstats
+ rm -f ./*/named.run ./*/named.run.prev
++rm -f ./*/named_dump.db
+ rm -f ./ns*/named.lock
+diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db
+new file mode 100644
+index 0000000000..be9a7f72bc
+--- /dev/null
++++ b/bin/tests/system/forward/ns1/diditwork.net.db
+@@ -0,0 +1,20 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 300 ; 5 minutes
++@ IN SOA ns root (
++ 2000082401 ; serial
++ 1800 ; refresh (30 minutes)
++ 1800 ; retry (30 minutes)
++ 1814400 ; expire (3 weeks)
++ 3600 ; minimum (1 hour)
++ )
++ NS ns
++ TXT "recursed"
++ns A 10.53.0.1
+diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in
+index 9904f37ef5..1c31d84608 100644
+--- a/bin/tests/system/forward/ns1/named.conf.in
++++ b/bin/tests/system/forward/ns1/named.conf.in
+@@ -54,3 +54,23 @@ zone "example5." {
+ zone "example6" {
+ type forward;
+ };
++
++zone "diditwork.net" {
++ type master;
++ file "diditwork.net.db";
++};
++
++zone "spoofed.net" {
++ type master;
++ file "spoofed.net.db";
++};
++
++zone "sub.local.net" {
++ type master;
++ file "sub.local.net.db";
++};
++
++zone "net.example.lll" {
++ type master;
++ file "net.example.lll";
++};
+diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll
+new file mode 100644
+index 0000000000..d179853fa5
+--- /dev/null
++++ b/bin/tests/system/forward/ns1/net.example.lll
+@@ -0,0 +1,13 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++net.example.lll. SOA . . 0 0 0 0 0
++net.example.lll. NS attackSecureDomain.net.
++didItWork.net.example.lll. TXT "if you can see this record the attack worked"
+diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db
+new file mode 100644
+index 0000000000..d498d5fa0d
+--- /dev/null
++++ b/bin/tests/system/forward/ns1/spoofed.net.db
+@@ -0,0 +1,20 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 300 ; 5 minutes
++@ IN SOA ns root (
++ 2000082401 ; serial
++ 1800 ; refresh (30 minutes)
++ 1800 ; retry (30 minutes)
++ 1814400 ; expire (3 weeks)
++ 3600 ; minimum (1 hour)
++ )
++ NS ns
++ns A 10.53.0.1
++sub TXT "recursed"
+diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db
+new file mode 100644
+index 0000000000..be9a7f72bc
+--- /dev/null
++++ b/bin/tests/system/forward/ns1/sub.local.net.db
+@@ -0,0 +1,20 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 300 ; 5 minutes
++@ IN SOA ns root (
++ 2000082401 ; serial
++ 1800 ; refresh (30 minutes)
++ 1800 ; retry (30 minutes)
++ 1814400 ; expire (3 weeks)
++ 3600 ; minimum (1 hour)
++ )
++ NS ns
++ TXT "recursed"
++ns A 10.53.0.1
+diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone
+new file mode 100644
+index 0000000000..14e5c777cb
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/fakenet.zone
+@@ -0,0 +1,15 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++net. SOA . . 0 0 0 0 0
++net. NS attackSecureDomain.net.
++attackSecureDomain.net. A 10.53.0.10
++didItWork.net. TXT "if you can see this record the attack worked"
++ns.spoofed.net. A 10.53.0.10
+diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone
+new file mode 100644
+index 0000000000..7ca28a934e
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/fakenet2.zone
+@@ -0,0 +1,13 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++net2. SOA . . 0 0 0 0 0
++net2. NS attackSecureDomain.net.
++net2. DNAME net.example.lll.
+diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone
+new file mode 100644
+index 0000000000..6caa071891
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone
+@@ -0,0 +1,13 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++sub.local.net. SOA . . 0 0 0 0 0
++sub.local.net. NS ns.spoofed.net.
++sub.local.net. TXT "if you see this attacker overrode local delegation"
+diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone
+new file mode 100644
+index 0000000000..6a431de47f
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone
+@@ -0,0 +1,13 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++sub.local.tld. 3600 IN SOA . . 0 0 0 0 0
++sub.local.tld. 3600 IN NS ns.sub.local.tld.
++sub.local.tld. 3600 IN TXT bad
++ns.sub.local.tld. 3600 IN A 10.53.0.8
+diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in
+new file mode 100644
+index 0000000000..025c108418
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/named.conf.in
+@@ -0,0 +1,51 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.10;
++ notify-source 10.53.0.10;
++ transfer-source 10.53.0.10;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.10; };
++ listen-on-v6 { none; };
++ minimal-responses no;
++};
++
++zone "net." {
++ type master;
++ file "fakenet.zone";
++};
++
++zone "spoofed.net." {
++ type master;
++ file "spoofednet.zone";
++};
++
++zone "sub.local.net." {
++ type master;
++ file "fakesublocalnet.zone";
++};
++
++zone "net2" {
++ type master;
++ file "fakenet2.zone";
++};
++
++zone "net.example.lll" {
++ type master;
++ file "net.example.lll";
++};
++
++zone "sub.local.tld." {
++ type master;
++ file "fakesublocaltld.zone";
++};
+diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll
+new file mode 100644
+index 0000000000..d179853fa5
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/net.example.lll
+@@ -0,0 +1,13 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++net.example.lll. SOA . . 0 0 0 0 0
++net.example.lll. NS attackSecureDomain.net.
++didItWork.net.example.lll. TXT "if you can see this record the attack worked"
+diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone
+new file mode 100644
+index 0000000000..13921a08cd
+--- /dev/null
++++ b/bin/tests/system/forward/ns10/spoofednet.zone
+@@ -0,0 +1,14 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++spoofed.net. SOA . . 0 0 0 0 0
++spoofed.net. NS ns.spoofed.net.
++ns.spoofed.net. A 10.53.0.10
++spoofed.net. TXT "this record is clearly spoofed"
+diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in
+index d42a9eb797..6db65e71bc 100644
+--- a/bin/tests/system/forward/ns4/named.conf.in
++++ b/bin/tests/system/forward/ns4/named.conf.in
+@@ -60,3 +60,8 @@ zone "malicious." {
+ type master;
+ file "malicious.db";
+ };
++
++zone "sibling.tld" {
++ type master;
++ file "sibling.tld.db";
++};
+diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db
+new file mode 100644
+index 0000000000..58037d093b
+--- /dev/null
++++ b/bin/tests/system/forward/ns4/sibling.tld.db
+@@ -0,0 +1,20 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++$TTL 86400
++@ IN SOA malicious. admin.malicious. (
++ 1 ; Serial
++ 604800 ; Refresh
++ 86400 ; Retry
++ 2419200 ; Expire
++ 86400 ) ; Negative Cache TTL
++
++@ IN NS ns
++
++ns IN A 10.53.0.4
+diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in
+new file mode 100644
+index 0000000000..9260f69ded
+--- /dev/null
++++ b/bin/tests/system/forward/ns8/named.conf.in
+@@ -0,0 +1,33 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.8;
++ notify-source 10.53.0.8;
++ transfer-source 10.53.0.8;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.8; };
++ listen-on-v6 { none; };
++ forwarders { 10.53.0.2; }; // returns referrals
++ forward first;
++ dnssec-validation yes;
++};
++
++zone "." {
++ type hint;
++ file "root.db";
++};
++
++zone "sub.local.tld" {
++ type master;
++ file "sub.local.tld.db";
++};
+diff --git a/bin/tests/system/forward/ns8/root.db b/bin/tests/system/forward/ns8/root.db
+new file mode 100644
+index 0000000000..4f30322270
+--- /dev/null
++++ b/bin/tests/system/forward/ns8/root.db
+@@ -0,0 +1,11 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++. NS a.root-servers.nil.
++a.root-servers.nil. A 10.53.0.1
+diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db
+new file mode 100644
+index 0000000000..eb20683ae9
+--- /dev/null
++++ b/bin/tests/system/forward/ns8/sub.local.tld.db
+@@ -0,0 +1,13 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++sub.local.tld. 3600 IN SOA . . 0 0 0 0 0
++sub.local.tld. 3600 IN NS ns.sub.local.tld.
++sub.local.tld. 3600 IN TXT good
++ns.sub.local.tld. 3600 IN A 10.53.0.8
+diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db
+new file mode 100644
+index 0000000000..2c971e1e93
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/local.net.db
+@@ -0,0 +1,14 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++local.net. 3600 IN SOA . . 0 0 0 0 0
++local.net. 3600 IN NS localhost.
++ns.local.net. 3600 IN A 10.53.0.9
++txt.local.net. 3600 IN TXT "something in the local auth zone"
++sub.local.net. 3600 IN NS ns.spoofed.net. ; attacker will try to override this
+diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db
+new file mode 100644
+index 0000000000..59403915fb
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/local.tld.db
+@@ -0,0 +1,13 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++local.tld. 3600 IN SOA . . 0 0 0 0 0
++local.tld. 3600 IN NS localhost.
++sub.local.tld. 3600 IN NS ns.sub.local.tld.
++ns.sub.local.tld. 3600 IN A 10.53.0.8
+diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in
+new file mode 100644
+index 0000000000..943e037d09
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/named1.conf.in
+@@ -0,0 +1,65 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.9;
++ notify-source 10.53.0.9;
++ transfer-source 10.53.0.9;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.9; };
++ listen-on-v6 { none; };
++ dnssec-validation no;
++ edns-udp-size 1232;
++};
++
++key rndc_key {
++ secret "1234abcd8765";
++ algorithm hmac-sha256;
++};
++
++controls {
++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++server 10.53.0.10 {
++ edns no;
++};
++
++server 10.53.0.11 {
++ edns no;
++};
++
++zone "." {
++ type hint;
++ file "root.db";
++};
++
++zone "attacksecuredomain.net." {
++ type forward;
++ forwarders { 10.53.0.10; };
++};
++
++zone "attacksecuredomain.net2." {
++ type forward;
++ forwarders { 10.53.0.10; };
++};
++
++zone "attacksecuredomain.net3." {
++ type forward;
++ forwarders { 10.53.0.11; };
++};
++
++zone "local.net." {
++ type master;
++ file "local.net.db";
++ forwarders {};
++};
+diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in
+new file mode 100644
+index 0000000000..5a17d1998a
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/named2.conf.in
+@@ -0,0 +1,68 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.9;
++ notify-source 10.53.0.9;
++ transfer-source 10.53.0.9;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.9; };
++ listen-on-v6 { none; };
++ dnssec-validation no;
++ edns-udp-size 1232;
++};
++
++key rndc_key {
++ secret "1234abcd8765";
++ algorithm hmac-sha256;
++};
++
++controls {
++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++server 10.53.0.10 {
++ edns no;
++};
++
++server 10.53.0.11 {
++ edns no;
++};
++
++zone "." {
++ type hint;
++ file "root.db";
++};
++
++zone "attacksecuredomain.net." {
++ type forward;
++ forward only;
++ forwarders { 10.53.0.10; };
++};
++
++zone "attacksecuredomain.net2." {
++ type forward;
++ forward only;
++ forwarders { 10.53.0.10; };
++};
++
++zone "attacksecuredomain.net3." {
++ type forward;
++ forward only;
++ forwarders { 10.53.0.11; };
++};
++
++zone "local.net." {
++ type master;
++ file "local.net.db";
++ forwarders {};
++};
+diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in
+new file mode 100644
+index 0000000000..1e70d1ae51
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/named3.conf.in
+@@ -0,0 +1,48 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.9;
++ notify-source 10.53.0.9;
++ transfer-source 10.53.0.9;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.9; };
++ listen-on-v6 { none; };
++ dnssec-validation no;
++ edns-udp-size 1232;
++ forward only;
++ forwarders { 10.53.0.10; };
++};
++
++key rndc_key {
++ secret "1234abcd8765";
++ algorithm hmac-sha256;
++};
++
++controls {
++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++server 10.53.0.10 {
++ edns no;
++};
++
++zone "." {
++ type hint;
++ file "root.db";
++};
++
++zone "local.net." {
++ type master;
++ file "local.net.db";
++ forwarders {};
++};
+diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in
+new file mode 100644
+index 0000000000..6f7b1075b5
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/named4.conf.in
+@@ -0,0 +1,45 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++options {
++ query-source address 10.53.0.9;
++ notify-source 10.53.0.9;
++ transfer-source 10.53.0.9;
++ port @PORT@;
++ pid-file "named.pid";
++ listen-on { 10.53.0.9; };
++ listen-on-v6 { none; };
++ dnssec-validation no;
++ edns-udp-size 1232;
++};
++
++key rndc_key {
++ secret "1234abcd8765";
++ algorithm hmac-sha256;
++};
++
++controls {
++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
++
++server 10.53.0.10 {
++ edns no;
++};
++
++zone "." {
++ type hint;
++ file "root.db";
++};
++
++zone "local.tld." {
++ type master;
++ file "local.tld.db";
++};
+diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db
+new file mode 100644
+index 0000000000..4f30322270
+--- /dev/null
++++ b/bin/tests/system/forward/ns9/root.db
+@@ -0,0 +1,11 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, you can obtain one at https://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++. NS a.root-servers.nil.
++a.root-servers.nil. A 10.53.0.1
+diff --git a/bin/tests/system/forward/prereq.sh b/bin/tests/system/forward/prereq.sh
+index d2ca8fc2bf..53fb5817df 100644
+--- a/bin/tests/system/forward/prereq.sh
++++ b/bin/tests/system/forward/prereq.sh
+@@ -12,6 +12,20 @@
+ SYSTEMTESTTOP=..
+ . $SYSTEMTESTTOP/conf.sh
+
++if test -n "$PYTHON"
++then
++ if $PYTHON -c "import dns" 2> /dev/null
++ then
++ :
++ else
++ echo_i "This test requires the dnspython module." >&2
++ exit 1
++ fi
++else
++ echo_i "This test requires Python and the dnspython module." >&2
++ exit 1
++fi
++
+ if $PERL -e 'use Net::DNS;' 2>/dev/null
+ then
+ :
+diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh
+index 87452b9a88..18e81d277d 100644
+--- a/bin/tests/system/forward/setup.sh
++++ b/bin/tests/system/forward/setup.sh
+@@ -18,3 +18,6 @@ copy_setports ns3/named.conf.in ns3/named.conf
+ copy_setports ns4/named.conf.in ns4/named.conf
+ copy_setports ns5/named.conf.in ns5/named.conf
+ copy_setports ns7/named.conf.in ns7/named.conf
++copy_setports ns8/named.conf.in ns8/named.conf
++copy_setports ns9/named1.conf.in ns9/named.conf
++copy_setports ns10/named.conf.in ns10/named.conf
+diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
+index e3549c5bc7..ce9b309a27 100644
+--- a/bin/tests/system/forward/tests.sh
++++ b/bin/tests/system/forward/tests.sh
+@@ -19,6 +19,10 @@ sendcmd() (
+ "$PERL" ../send.pl 10.53.0.6 "$EXTRAPORT1"
+ )
+
++rndccmd() {
++ "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
++}
++
+ root=10.53.0.1
+ hidden=10.53.0.2
+ f1=10.53.0.3
+@@ -223,5 +227,127 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+
++#
++# Check various spoofed response scenarios. The same tests will be
++# run twice, with "forward first" and "forward only" configurations.
++#
++run_spooftests () {
++ n=$((n+1))
++ echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
++ ret=0
++ # prime
++ dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
++ # check 'net' is not poisoned.
++ dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
++ grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1
++ # check 'sub.local.net' is not poisoned.
++ dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
++ grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1
++ if [ $ret != 0 ]; then echo_i "failed"; fi
++ status=$((status+ret))
++
++ n=$((n+1))
++ echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
++ ret=0
++ # prime
++ dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
++ # check that net2/DNAME is not cached
++ dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
++ grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1
++ grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1
++ if [ $ret != 0 ]; then echo_i "failed"; fi
++ status=$((status+ret))
++
++ n=$((n+1))
++ echo_i "checking spoofed response scenario 3 - extra answer ($n)"
++ ret=0
++ # prime
++ dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1
++ # check extra net3 records are not cached
++ rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
++ for try in 1 2 3 4 5; do
++ lines=$(grep "net3" ns9/named_dump.db | wc -l)
++ if [ ${lines} -eq 0 ]; then
++ sleep 1
++ continue
++ fi
++ [ ${lines} -eq 1 ] || ret=1
++ grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
++ grep -q '^local.net3' ns9/named_dump.db && ret=1
++ done
++ if [ $ret != 0 ]; then echo_i "failed"; fi
++ status=$((status+ret))
++}
++
++echo_i "checking spoofed response scenarios with forward first zones"
++run_spooftests
++
++copy_setports ns9/named2.conf.in ns9/named.conf
++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
++sleep 1
++
++echo_i "rechecking spoofed response scenarios with forward only zones"
++run_spooftests
++
++#
++# This scenario expects the spoofed response to succeed. The tests are
++# similar to the ones above, but not identical.
++#
++echo_i "rechecking spoofed response scenarios with 'forward only' set globally"
++copy_setports ns9/named3.conf.in ns9/named.conf
++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
++sleep 1
++
++n=$((n+1))
++echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
++ret=0
++# prime
++dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
++# check 'net' is poisoned.
++dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
++grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1
++# check 'sub.local.net' is poisoned.
++dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
++grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=$((status+ret))
++
++n=$((n+1))
++echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
++ret=0
++# prime
++dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
++# check that net2/DNAME is cached
++dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
++grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1
++grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=$((status+ret))
++
++#
++# This test doesn't use any forwarder clauses but is here because it
++# is similar to forwarders, as the set of servers that can populate
++# the namespace is defined by the zone content.
++#
++echo_i "rechecking spoofed response scenarios glue below local zone"
++copy_setports ns9/named4.conf.in ns9/named.conf
++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
++sleep 1
++
++n=$((n+1))
++echo_i "checking sibling glue below zone ($n)"
++ret=0
++# prime
++dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1
++# check for glue A record for sub.local.tld is not used
++dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1
++grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1
++grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=$((status+ret))
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
+index d0eb9fa61d..8b9212c3e0 100755
+--- a/bin/tests/system/ifconfig.sh
++++ b/bin/tests/system/ifconfig.sh
+@@ -12,10 +12,10 @@
+ #
+ # Set up interface aliases for bind9 system tests.
+ #
+-# IPv4: 10.53.0.{1..10} RFC 1918
++# IPv4: 10.53.0.{1..11} RFC 1918
+ # 10.53.1.{1..2}
+ # 10.53.2.{1..2}
+-# IPv6: fd92:7065:b8e:ffff::{1..10} ULA
++# IPv6: fd92:7065:b8e:ffff::{1..11} ULA
+ # fd92:7065:b8e:99ff::{1..2}
+ # fd92:7065:b8e:ff::{1..2}
+ #
+@@ -65,7 +65,7 @@ case "$1" in
+ 2) ipv6="00" ;;
+ *) ipv6="" ;;
+ esac
+- for ns in 1 2 3 4 5 6 7 8 9 10
++ for ns in 1 2 3 4 5 6 7 8 9 10 11
+ do
+ [ $i -gt 0 -a $ns -gt 2 ] && break
+ int=`expr $i \* 10 + $ns`
+@@ -165,7 +165,7 @@ case "$1" in
+ 2) ipv6="00" ;;
+ *) ipv6="" ;;
+ esac
+- for ns in 10 9 8 7 6 5 4 3 2 1
++ for ns in 11 10 9 8 7 6 5 4 3 2 1
+ do
+ [ $i -gt 0 -a $ns -gt 2 ] && continue
+ int=`expr $i \* 10 + $ns - 1`
+--
+2.34.1
+
diff --git a/SOURCES/bind-9.11-CVE-2021-25220.patch b/SOURCES/bind-9.11-CVE-2021-25220.patch
new file mode 100644
index 0000000..37f3c41
--- /dev/null
+++ b/SOURCES/bind-9.11-CVE-2021-25220.patch
@@ -0,0 +1,254 @@
+From 1f5cb247ecd20ba57c472138f94856aa83caf042 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 1 Mar 2022 09:48:05 +1100
+Subject: [PATCH] Add additional name checks when using a forwarder
+
+When using a forwarder, check that the owner name of response
+records are within the bailiwick of the forwarded name space.
+
+(cherry picked from commit e8df2802ac62016ea68585893eb4310fc3329028)
+
+Check that the forward declaration is unchanged and not overridden
+
+If we are using a fowarder, in addition to checking that names to
+be cached are subdomains of the forwarded namespace, we must also
+check that there are no subsidiary forwarded namespaces which would
+take precedence. To be safe, we don't cache any responses if the
+forwarding configuration has changed since the query was sent.
+
+(cherry picked from commit 590f8698fc876d6d72f75cf35359e7546c3af972)
+
+Check cached names for possible "forward only" clause
+
+When caching additional and glue data *not* from a forwarder, we must
+check that there is no "forward only" clause covering the owner name
+that would take precedence. Such names would normally be allowed by
+baliwick rules, but a "forward only" zone introduces a new baliwick
+scope.
+
+(cherry picked from commit 4a144fae16e70517be894a971cef1d085ee68ebe)
+
+Look for zones deeper than the current domain or forward name
+
+When caching glue, we need to ensure that there is no closer
+source of truth for the name. If the owner name for the glue
+record would be answered by a locally configured zone, do not
+cache.
+
+(cherry picked from commit 42f8c538d3fb9d075b98d82688aeb71621798754)
+
+Avoid use of compound literals
+
+Compound literals are not used in BIND 9.11, in order to ensure backward
+compatibility with ancient compilers. Rework the relevant parts of the
+BIND 9.11 backport of the CVE-2021-25220 fix so that compound literals
+are not used.
+
+(cherry picked from commit d4b1efbcbd4dfb8c6ef303968992440c5bdeed15)
+---
+ lib/dns/resolver.c | 130 +++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 125 insertions(+), 5 deletions(-)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index c912f3aea8..2c68973899 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -63,6 +63,7 @@
+ #include <dns/stats.h>
+ #include <dns/tsig.h>
+ #include <dns/validator.h>
++#include <dns/zone.h>
+
+ #ifdef WANT_QUERYTRACE
+ #define RTRACE(m) isc_log_write(dns_lctx, \
+@@ -312,6 +313,8 @@ struct fetchctx {
+ bool ns_ttl_ok;
+ uint32_t ns_ttl;
+ isc_counter_t * qc;
++ dns_fixedname_t fwdfname;
++ dns_name_t *fwdname;
+
+ /*%
+ * The number of events we're waiting for.
+@@ -3393,6 +3396,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ if (result == ISC_R_SUCCESS) {
+ fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+ fctx->fwdpolicy = forwarders->fwdpolicy;
++ dns_name_copy(domain, fctx->fwdname, NULL);
+ if (fctx->fwdpolicy == dns_fwdpolicy_only &&
+ isstrictsubdomain(domain, &fctx->domain)) {
+ fcount_decr(fctx);
+@@ -4422,6 +4426,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+ fctx->restarts = 0;
+ fctx->querysent = 0;
+ fctx->referrals = 0;
++
++ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
++
+ TIME_NOW(&fctx->start);
+ fctx->timeouts = 0;
+ fctx->lamecount = 0;
+@@ -4480,8 +4487,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+ domain = dns_fixedname_initname(&fixed);
+ result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
+ domain, &forwarders);
+- if (result == ISC_R_SUCCESS)
++ if (result == ISC_R_SUCCESS) {
+ fctx->fwdpolicy = forwarders->fwdpolicy;
++ dns_name_copy(domain, fctx->fwdname, NULL);
++ }
+
+ if (fctx->fwdpolicy != dns_fwdpolicy_only) {
+ /*
+@@ -6231,6 +6240,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
+ rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
+ }
+
++/*
++ * Returns true if 'name' is external to the namespace for which
++ * the server being queried can answer, either because it's not a
++ * subdomain or because it's below a forward declaration or a
++ * locally served zone.
++ */
++static inline bool
++name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
++ isc_result_t result;
++ dns_forwarders_t *forwarders = NULL;
++ dns_fixedname_t fixed, zfixed;
++ dns_name_t *fname = dns_fixedname_initname(&fixed);
++ dns_name_t *zfname = dns_fixedname_initname(&zfixed);
++ dns_name_t *apex = NULL;
++ dns_name_t suffix;
++ dns_zone_t *zone = NULL;
++ unsigned int labels;
++ dns_namereln_t rel;
++ /*
++ * The following two variables do not influence code flow; they are
++ * only necessary for calling dns_name_fullcompare().
++ */
++ int _orderp = 0;
++ unsigned int _nlabelsp = 0;
++
++ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
++
++ /*
++ * The name is outside the queried namespace.
++ */
++ rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp);
++ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
++ return (true);
++ }
++
++ /*
++ * If the record lives in the parent zone, adjust the name so we
++ * look for the correct zone or forward clause.
++ */
++ labels = dns_name_countlabels(name);
++ if (dns_rdatatype_atparent(type) && labels > 1U) {
++ dns_name_init(&suffix, NULL);
++ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
++ name = &suffix;
++ } else if (rel == dns_namereln_equal) {
++ /* If 'name' is 'apex', no further checking is needed. */
++ return (false);
++ }
++
++ /*
++ * If there is a locally served zone between 'apex' and 'name'
++ * then don't cache.
++ */
++ LOCK(&fctx->res->view->lock);
++ if (fctx->res->view->zonetable != NULL) {
++ unsigned int options = DNS_ZTFIND_NOEXACT;
++ result = dns_zt_find(fctx->res->view->zonetable, name, options,
++ zfname, &zone);
++ if (zone != NULL) {
++ dns_zone_detach(&zone);
++ }
++ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
++ if (dns_name_fullcompare(zfname, apex, &_orderp,
++ &_nlabelsp) ==
++ dns_namereln_subdomain)
++ {
++ UNLOCK(&fctx->res->view->lock);
++ return (true);
++ }
++ }
++ }
++ UNLOCK(&fctx->res->view->lock);
++
++ /*
++ * Look for a forward declaration below 'name'.
++ */
++ result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname,
++ &forwarders);
++
++ if (ISFORWARDER(fctx->addrinfo)) {
++ /*
++ * See if the forwarder declaration is better.
++ */
++ if (result == ISC_R_SUCCESS) {
++ return (!dns_name_equal(fname, fctx->fwdname));
++ }
++
++ /*
++ * If the lookup failed, the configuration must have
++ * changed: play it safe and don't cache.
++ */
++ return (true);
++ } else if (result == ISC_R_SUCCESS &&
++ forwarders->fwdpolicy == dns_fwdpolicy_only &&
++ !ISC_LIST_EMPTY(forwarders->fwdrs))
++ {
++ /*
++ * If 'name' is covered by a 'forward only' clause then we
++ * can't cache this repsonse.
++ */
++ return (true);
++ }
++
++ return (false);
++}
++
+ static isc_result_t
+ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
+ dns_section_t section)
+@@ -6259,7 +6374,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
+ result = dns_message_findname(rmessage, section, addname,
+ dns_rdatatype_any, 0, &name, NULL);
+ if (result == ISC_R_SUCCESS) {
+- external = !dns_name_issubdomain(name, &fctx->domain);
++ external = name_external(name, type, fctx);
+ if (type == dns_rdatatype_a) {
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+@@ -7141,6 +7256,13 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
+ break;
+
+ case dns_namereln_subdomain:
++ /*
++ * Don't accept DNAME from parent namespace.
++ */
++ if (name_external(name, dns_rdatatype_dname, fctx)) {
++ continue;
++ }
++
+ /*
+ * In-scope DNAME records must have at least
+ * as many labels as the domain being queried.
+@@ -7376,11 +7498,9 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
+ */
+ result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ while (!done && result == ISC_R_SUCCESS) {
+- bool external;
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+- external = !dns_name_issubdomain(name, &fctx->domain);
+- if (!external) {
++ if (!name_external(name, dns_rdatatype_ns, fctx)) {
+ /*
+ * We expect to find NS or SIG NS rdatasets, and
+ * nothing else.
+--
+2.34.1
+
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index e4f85d3..2c9acdc 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -68,7 +68,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.11.36
-Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release: 4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@@ -158,6 +158,8 @@ Patch178:bind-9.11-dhcp-time-monotonic.patch
Patch183:bind-9.11-rh1980757.patch
# modified, https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3067
Patch184: bind-9.15-resolver-ntasks.patch
+Patch185: bind-9.11-CVE-2021-25220.patch
+Patch186: bind-9.11-CVE-2021-25220-test.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -553,6 +555,8 @@ are used for building ISC DHCP.
%patch178 -p1 -b .time-monotonic
%patch183 -p1 -b .rh1980757
%patch184 -p1 -b .rh2030239
+%patch185 -p1 -b .CVE-2021-25220
+%patch186 -p1 -b .CVE-2021-25220-test
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1605,6 +1609,10 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
+* Wed Apr 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-4
+- Tighten cache protection against record from forwarders (CVE-2021-25220)
+- Include test of forwarders
+
* Thu Feb 10 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2
- Reduce memory used per-view on machine with few processors (#2030239)