Adjust patches to 9.11.12

Few changes occured, remove one upstream applied patch.
2019-10-21 14:40:42 +02:00 · 2019-10-21 14:40:42 +02:00 · 176d144f32
commit 176d144f32
parent d0053ae530
4 changed files with 141 additions and 209 deletions
--- a/bind-9.11-rh1647829.patch
+++ b/bind-9.11-rh1647829.patch
@ -1,86 +0,0 @@
-From 2eca7f5fa97a24997e4d8f900460ba43ae167e97 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Tue, 29 Jan 2019 18:07:44 +0100
-Subject: [PATCH] Fallback to ASCII on output IDN conversion error
-
-It is possible dig used ACE encoded name in locale, which does not
-support converting it to unicode. Instead of fatal error, fallback to
-ACE name on output.
-
-(cherry picked from commit 7f4cb8f9584597fea16de6557124ac8b1bd47440)
-
-Modify idna test to fallback to ACE
-
-Test valid A-label on input would be displayed as A-label on output if
-locale does not allow U-label.
-
-(cherry picked from commit 4ce232f8605bdbe0594ebe5a71383c9d4e6f263b)
-
-Emit warning on IDN output failure
-
-Warning is emitted before any dig headers.
-
-(cherry picked from commit 4b410038c531fbb902cd5fb83174eed1f06cb7d7)
---
- bin/dig/dighost.c              | 15 +++++++++++++--
- bin/tests/system/idna/tests.sh | 17 +++++++++++++++++
- 2 files changed, 30 insertions(+), 2 deletions(-)
-
-diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index bb8702c..d7cfc33 100644
--- a/bin/dig/dighost.c
-+++ b/bin/dig/dighost.c
-@@ -4860,9 +4860,20 @@ idn_ace_to_locale(const char *from, char *to, size_t tolen) {
- 	 */
- 	res = idn2_to_unicode_8zlz(utf8_src, &tmp_str, 0);
- 	if (res != IDN2_OK) {
-		fatal("Cannot represent '%s' in the current locale (%s), "
-		      "use +noidnout or a different locale",
-+		static bool warned = false;
-+
-+		res = idn2_to_ascii_8z(utf8_src, &tmp_str, 0);
-+		if (res != IDN2_OK) {
-+			fatal("Cannot represent '%s' "
-+			      "in the current locale nor ascii (%s), "
-+			      "use +noidnout or a different locale",
- 		      from, idn2_strerror(res));
-+		} else if (!warned) {
-+			fprintf(stderr, ";; Warning: cannot represent '%s' "
-+			      "in the current locale",
-+			      tmp_str);
-+			warned = true;
-+		}
- 	}
- 
- 	/*
-diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh
-index 6637bf6..215a9d5 100644
--- a/bin/tests/system/idna/tests.sh
-+++ b/bin/tests/system/idna/tests.sh
-@@ -244,6 +244,23 @@ idna_enabled_test() {
-     idna_test "$text" "+idnin +noidnout"   "xn--nxasmq6b.com" "xn--nxasmq6b.com."
-     idna_test "$text" "+idnin +idnout"     "xn--nxasmq6b.com" "βόλοσ.com."
- 
-+    # Test of valid A-label in locale that cannot display it
-+    #
-+    # +noidnout: The string is sent as-is to the server and the returned qname
-+    #            is displayed in the same form.
-+    # +idnout:   The string is sent as-is to the server and the returned qname
-+    #            is displayed as the corresponding A-label.
-+    #
-+    # The "+[no]idnout" flag has no effect in these cases.
-+    text="Checking valid A-label in C locale"
-+    label="xn--nxasmq6b.com"
-+    LC_ALL=C idna_test "$text" ""                   "$label" "$label."
-+    LC_ALL=C idna_test "$text" "+noidnin +noidnout" "$label" "$label."
-+    LC_ALL=C idna_test "$text" "+noidnin +idnout"   "$label" "$label."
-+    LC_ALL=C idna_test "$text" "+idnin +noidnout"   "$label" "$label."
-+    LC_ALL=C idna_test "$text" "+idnin +idnout"     "$label" "$label."
-+    LC_ALL=C idna_test "$text" "+noidnin +idnout"   "$label" "$label."
-+
- 
- 
-     # Tests of invalid A-labels
-- 
-2.20.1
-
--- a/bind-9.11-rt31459.patch
+++ b/bind-9.11-rt31459.patch
@ -1,4 +1,4 @@
-From 108a0f57f423a27995ac96272832278f4aa3a612 Mon Sep 17 00:00:00 2001
+From 7e61714a5d1509ec79af42391e41eb1afc53063a Mon Sep 17 00:00:00 2001
 From: Evan Hunt <each@isc.org>
 Date: Tue, 12 Sep 2017 19:05:46 -0700
 Subject: [PATCH] rebased rt31459c
@ -71,7 +71,7 @@ index 5015abb..295e16f 100644
 							     &entropy_source,
 							     randomfile,
 diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
-index 060892b..c2cc9c7 100644
+index 2c0c308..3e585af 100644
 --- a/bin/dnssec/dnssec-dsfromkey.c
 +++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -494,14 +494,14 @@ main(int argc, char **argv) {
@ -92,7 +92,7 @@ index 060892b..c2cc9c7 100644
 	isc_entropy_stopcallbacksources(ectx);
 
 	setup_logging(mctx, &log);
-@@ -563,8 +563,8 @@ main(int argc, char **argv) {
+@@ -571,8 +571,8 @@ main(int argc, char **argv) {
 	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
 	cleanup_logging(&log);
@ -293,7 +293,7 @@ index fbc7ece..31a99e7 100644
 					   usekeyboard);
 
 diff --git a/bin/named/server.c b/bin/named/server.c
-index c917cad..436a93a 100644
+index 7d85d3b..c782073 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
@@ -36,6 +36,7 @@
@ -304,7 +304,7 @@ index c917cad..436a93a 100644
 #include <isc/portset.h>
 #include <isc/print.h>
 #include <isc/random.h>
-@@ -8209,6 +8210,10 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8211,6 +8212,10 @@ load_configuration(const char *filename, ns_server_t *server,
 				      "no source of entropy found");
 		} else {
 			const char *randomdev = cfg_obj_asstring(obj);
@ -315,14 +315,14 @@ index c917cad..436a93a 100644
 			int level = ISC_LOG_ERROR;
 			result = isc_entropy_createfilesource(ns_g_entropy,
 							      randomdev);
-@@ -8243,6 +8248,7 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8245,6 +8250,7 @@ load_configuration(const char *filename, ns_server_t *server,
 				}
 				isc_entropy_detach(&ns_g_fallbackentropy);
 			}
 +#endif
 #endif
 		}
- 	}
+ 
 diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
 index bbb3936..0286987 100644
 --- a/bin/nsupdate/nsupdate.c
@ -670,7 +670,7 @@ index 9f90dd7..fad6c83 100644
         echo "I:failed"
 	status=`expr $status + $ret`
 diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c
-index 53579d4..e2f6810 100644
+index bf6dbb6..0416b21 100644
 --- a/bin/tools/mdig.c
 +++ b/bin/tools/mdig.c
@@ -1972,12 +1972,11 @@ main(int argc, char *argv[]) {
@ -688,7 +688,7 @@ index 53579d4..e2f6810 100644
 	parse_args(false, argc, argv);
 	if (server == NULL)
 diff --git a/configure b/configure
-index 2a4d9ed..e4e8ea6 100755
+index ed002e0..a578874 100755
 --- a/configure
 +++ b/configure
@@ -640,6 +640,7 @@ ac_includes_default="\
@ -699,7 +699,7 @@ index 2a4d9ed..e4e8ea6 100755
 BUILD_LIBS
 BUILD_LDFLAGS
 BUILD_CPPFLAGS
-@@ -823,6 +824,7 @@ XMLSTATS
+@@ -821,6 +822,7 @@ XMLSTATS
 NZDTARGETS
 NZDSRCS
 NZD_TOOLS
@ -707,7 +707,7 @@ index 2a4d9ed..e4e8ea6 100755
 PKCS11_TEST
 PKCS11_ED25519
 PKCS11_GOST
-@@ -1047,6 +1049,7 @@ with_eddsa
+@@ -1045,6 +1047,7 @@ with_eddsa
 with_aes
 enable_openssl_hash
 with_cc_alg
@ -715,7 +715,7 @@ index 2a4d9ed..e4e8ea6 100755
 with_lmdb
 with_libxml2
 with_libjson
-@@ -1746,6 +1749,7 @@ Optional Features:
+@@ -1744,6 +1747,7 @@ Optional Features:
   --enable-threads        enable multithreading
   --enable-native-pkcs11  use native PKCS11 for all crypto [default=no]
   --enable-openssl-hash   use OpenSSL for hash functions [default=no]
@ -723,7 +723,7 @@ index 2a4d9ed..e4e8ea6 100755
   --enable-largefile      64-bit file support
   --enable-backtrace      log stack backtrace on abort [default=yes]
   --enable-symtable       use internal symbol table for backtrace
-@@ -17117,6 +17121,7 @@ case "$use_openssl" in
+@@ -17115,6 +17119,7 @@ case "$use_openssl" in
 $as_echo "disabled because of native PKCS11" >&6; }
 		DST_OPENSSL_INC=""
 		CRYPTO="-DPKCS11CRYPTO"
@ -731,7 +731,7 @@ index 2a4d9ed..e4e8ea6 100755
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -17131,6 +17136,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
+@@ -17129,6 +17134,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
 $as_echo "no" >&6; }
 		DST_OPENSSL_INC=""
 		CRYPTO=""
@ -739,7 +739,7 @@ index 2a4d9ed..e4e8ea6 100755
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -17143,6 +17149,7 @@ $as_echo "no" >&6; }
+@@ -17141,6 +17147,7 @@ $as_echo "no" >&6; }
 	auto)
 		DST_OPENSSL_INC=""
 		CRYPTO=""
@ -747,7 +747,7 @@ index 2a4d9ed..e4e8ea6 100755
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -17152,7 +17159,7 @@ $as_echo "no" >&6; }
+@@ -17150,7 +17157,7 @@ $as_echo "no" >&6; }
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
 		as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@ -756,7 +756,7 @@ index 2a4d9ed..e4e8ea6 100755
 		;;
 	*)
 		if test "yes" = "$want_native_pkcs11"
-@@ -17183,6 +17190,7 @@ $as_echo "not found" >&6; }
+@@ -17181,6 +17188,7 @@ $as_echo "not found" >&6; }
 			as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
 		fi
 		CRYPTO='-DOPENSSL'
@ -764,7 +764,7 @@ index 2a4d9ed..e4e8ea6 100755
 		if test "/usr" = "$use_openssl"
 		then
 			DST_OPENSSL_INC=""
-@@ -17808,8 +17816,6 @@ fi
+@@ -17806,8 +17814,6 @@ fi
 # Use OpenSSL for hash functions
 #
 
@ -773,7 +773,7 @@ index 2a4d9ed..e4e8ea6 100755
 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
 case $want_openssl_hash in
 	yes)
-@@ -18184,6 +18190,86 @@ if test "rt" = "$have_clock_gt"; then
+@@ -18182,6 +18188,86 @@ if test "rt" = "$have_clock_gt"; then
 	LIBS="-lrt $LIBS"
 fi
 
@ -860,7 +860,7 @@ index 2a4d9ed..e4e8ea6 100755
 #
 # was --with-lmdb specified?
 #
-@@ -20266,9 +20352,12 @@ _ACEOF
+@@ -20264,9 +20350,12 @@ _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
 $as_echo "size_t for buflen; int for flags" >&6; }
@ -875,7 +875,7 @@ index 2a4d9ed..e4e8ea6 100755
 
 	 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
 
-@@ -21583,12 +21672,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
+@@ -21581,12 +21670,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
 ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
 ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
 if test "yes" = "$use_atomic"; then
@ -889,7 +889,7 @@ index 2a4d9ed..e4e8ea6 100755
 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
 # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
 # This bug is HP SR number 8606223364.
-@@ -21621,6 +21705,11 @@ cat >>confdefs.h <<_ACEOF
+@@ -21619,6 +21703,11 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
@ -901,7 +901,7 @@ index 2a4d9ed..e4e8ea6 100755
 		if test $ac_cv_sizeof_void_p = 8; then
 			arch=x86_64
 			have_xaddq=yes
-@@ -21629,39 +21718,6 @@ _ACEOF
+@@ -21627,39 +21716,6 @@ _ACEOF
 		fi
 	;;
 	x86_64-*|amd64-*)
@ -941,7 +941,7 @@ index 2a4d9ed..e4e8ea6 100755
 		if test $ac_cv_sizeof_void_p = 8; then
 			arch=x86_64
 			have_xaddq=yes
-@@ -21692,6 +21748,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
+@@ -21690,6 +21746,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
 $as_echo "$arch" >&6; }
 fi
 
@ -952,7 +952,7 @@ index 2a4d9ed..e4e8ea6 100755
 if test "yes" = "$have_atomic"; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
 $as_echo_n "checking compiler support for inline assembly code... " >&6; }
-@@ -24297,6 +24357,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
+@@ -24244,6 +24304,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
 #
 dlzdir='${DLZ_DRIVER_DIR}'
 
@ -983,7 +983,7 @@ index 2a4d9ed..e4e8ea6 100755
 #
 # Private autoconf macro to simplify configuring drivers:
 #
-@@ -24627,11 +24711,11 @@ $as_echo "no" >&6; }
+@@ -24574,11 +24658,11 @@ $as_echo "no" >&6; }
 $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
 		;;
 	*)
@ -998,7 +998,7 @@ index 2a4d9ed..e4e8ea6 100755
 		fi
 
 	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
-@@ -24716,7 +24800,7 @@ $as_echo "" >&6; }
+@@ -24663,7 +24747,7 @@ $as_echo "" >&6; }
 			# Check other locations for includes.
 			# Order is important (sigh).
 
@ -1007,7 +1007,7 @@ index 2a4d9ed..e4e8ea6 100755
 			# include a blank element first
 			for d in "" $bdb_incdirs
 			do
-@@ -24741,57 +24825,9 @@ $as_echo "" >&6; }
+@@ -24688,57 +24772,9 @@ $as_echo "" >&6; }
 			bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
 			for d in $bdb_libnames
 			do
@ -1067,7 +1067,7 @@ index 2a4d9ed..e4e8ea6 100755
 					break
 				fi
 			done
-@@ -24950,10 +24986,10 @@ $as_echo "no" >&6; }
+@@ -24897,10 +24933,10 @@ $as_echo "no" >&6; }
 		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
 		DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
 	fi
@ -1081,7 +1081,7 @@ index 2a4d9ed..e4e8ea6 100755
 	fi
 
 
-@@ -25039,11 +25075,11 @@ fi
+@@ -24986,11 +25022,11 @@ fi
 		odbcdirs="/usr /usr/local /usr/pkg"
 		for d in $odbcdirs
 		do
@ -1095,7 +1095,7 @@ index 2a4d9ed..e4e8ea6 100755
 				break
 			fi
 		done
-@@ -25318,6 +25354,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
+@@ -25265,6 +25301,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
 
 
 
@ -1104,7 +1104,7 @@ index 2a4d9ed..e4e8ea6 100755
 #
 # Commands to run at the end of config.status.
 # Don't just put these into configure, it won't work right if somebody
-@@ -27697,6 +27735,8 @@ report() {
+@@ -27644,6 +27682,8 @@ report() {
 	    echo "    IPv6 support (--enable-ipv6)"
 	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
 		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
@ -1113,7 +1113,7 @@ index 2a4d9ed..e4e8ea6 100755
 	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
 	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
 	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
-@@ -27737,6 +27777,8 @@ report() {
+@@ -27684,6 +27724,8 @@ report() {
 	echo "    Very verbose query trace logging (--enable-querytrace)"
     test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)"
 
@ -1122,7 +1122,7 @@ index 2a4d9ed..e4e8ea6 100755
     echo "    Dynamically loadable zone (DLZ) drivers:"
     test "no" = "$use_dlz_bdb" || \
 	echo "        Berkeley DB (--with-dlz-bdb)"
-@@ -27784,6 +27826,8 @@ report() {
+@@ -27731,6 +27773,8 @@ report() {
 	echo "    ECDSA algorithm support (--with-ecdsa)"
     test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
 	echo "    EDDSA algorithm support (--with-eddsa)"
@ -1132,7 +1132,7 @@ index 2a4d9ed..e4e8ea6 100755
     test "yes" = "$enable_seccomp" || \
 	echo "    Use libseccomp system call filtering (--enable-seccomp)"
 diff --git a/configure.ac b/configure.ac
-index 0e22d02..828581e 100644
+index 45a8126..bb1345b 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -1537,6 +1537,7 @@ case "$use_openssl" in
@ -1274,7 +1274,7 @@ index 0e22d02..828581e 100644
 		if test $ac_cv_sizeof_void_p = 8; then
 			arch=x86_64
 			have_xaddq=yes
-@@ -5534,6 +5597,8 @@ report() {
+@@ -5527,6 +5590,8 @@ report() {
 	    echo "    IPv6 support (--enable-ipv6)"
 	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
 		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
@ -1283,7 +1283,7 @@ index 0e22d02..828581e 100644
 	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
 	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
 	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
-@@ -5574,6 +5639,8 @@ report() {
+@@ -5567,6 +5632,8 @@ report() {
 	echo "    Very verbose query trace logging (--enable-querytrace)"
     test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)"
 
@ -1292,7 +1292,7 @@ index 0e22d02..828581e 100644
     echo "    Dynamically loadable zone (DLZ) drivers:"
     test "no" = "$use_dlz_bdb" || \
 	echo "        Berkeley DB (--with-dlz-bdb)"
-@@ -5621,6 +5688,8 @@ report() {
+@@ -5614,6 +5681,8 @@ report() {
 	echo "    ECDSA algorithm support (--with-ecdsa)"
     test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
 	echo "    EDDSA algorithm support (--with-eddsa)"
@ -1302,10 +1302,10 @@ index 0e22d02..828581e 100644
     test "yes" = "$enable_seccomp" || \
 	echo "    Use libseccomp system call filtering (--enable-seccomp)"
 diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index 320c0f8..b55ebe0 100644
+index ec6e00e..1614afa 100644
 --- a/lib/dns/dst_api.c
 +++ b/lib/dns/dst_api.c
-@@ -276,6 +276,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+@@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
 #ifdef GSSAPI
 	RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
 #endif
@ -1318,7 +1318,7 @@ index 320c0f8..b55ebe0 100644
 	dst_initialized = true;
 	return (ISC_R_SUCCESS);
 
-@@ -295,11 +301,19 @@ dst_lib_destroy(void) {
+@@ -296,11 +302,19 @@ dst_lib_destroy(void) {
 	for (i = 0; i < DST_MAX_ALGS; i++)
 		if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
 			dst_t_func[i]->cleanup();
@ -1338,7 +1338,7 @@ index 320c0f8..b55ebe0 100644
 	if (dst__memory_pool != NULL)
 		isc_mem_detach(&dst__memory_pool);
 	if (dst_entropy_pool != NULL)
-@@ -2001,13 +2015,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
+@@ -2002,13 +2016,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
 		flags &= ~ISC_ENTROPY_GOODONLY;
 	else
 		flags |= ISC_ENTROPY_BLOCKING;
@ -1357,7 +1357,7 @@ index 320c0f8..b55ebe0 100644
 #ifdef GSSAPI
 	unsigned int flags = dst_entropy_flags;
 	isc_result_t ret;
-@@ -2030,6 +2048,7 @@ dst__entropy_status(void) {
+@@ -2031,6 +2049,7 @@ dst__entropy_status(void) {
 #endif
 	return (isc_entropy_status(dst_entropy_pool));
 #else
@ -1973,7 +1973,7 @@ index 42ff7e0..8d87c44 100644
 typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
 
 diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
-index 7809e7b..c43357a 100644
+index 8e6ed93..ceb5a2c 100644
 --- a/lib/isc/pk11.c
 +++ b/lib/isc/pk11.c
@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
@ -2015,10 +2015,10 @@ index 5b8a2c9..913a2ce 100644
  * Define if the hash functions must be provided by OpenSSL.
  */
 diff --git a/win32utils/Configure b/win32utils/Configure
-index 6f93814..4286baf 100644
+index ccaf067..240fb80 100644
 --- a/win32utils/Configure
 +++ b/win32utils/Configure
-@@ -378,6 +378,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
+@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
 my %configdefp;
 
 my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP",
@ -2026,7 +2026,7 @@ index 6f93814..4286baf 100644
                  "ISC_PLATFORM_HAVEATOMICSTORE",
                  "ISC_PLATFORM_HAVEATOMICSTOREQ",
                  "ISC_PLATFORM_HAVECMPXCHG",
-@@ -508,7 +509,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
+@@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
 
 # enable-xxx/disable-xxx
 
@ -2036,7 +2036,7 @@ index 6f93814..4286baf 100644
                   "fixed-rrset",
                   "intrinsics",
                   "isc-spnego",
-@@ -572,6 +574,7 @@ my @help = (
+@@ -581,6 +583,7 @@ my @help = (
 "\nOptional Features:\n",
 "  enable-intrinsics     enable instrinsic/atomic functions [default=yes]\n",
 "  enable-native-pkcs11  use native PKCS#11 for all crypto [default=no]\n",
@ -2044,7 +2044,7 @@ index 6f93814..4286baf 100644
 "  enable-openssl-hash   use OpenSSL for hash functions [default=yes]\n",
 "  enable-isc-spnego     use SPNEGO from lib/dns [default=yes]\n",
 "  enable-filter-aaaa    enable filtering of AAAA records [default=yes]\n",
-@@ -617,7 +620,9 @@ my $want_clean = "no";
+@@ -630,7 +633,9 @@ my $want_clean = "no";
 my $want_unknown = "no";
 my $unknown_value;
 my $enable_intrinsics = "yes";
@ -2054,7 +2054,7 @@ index 6f93814..4286baf 100644
 my $enable_openssl_hash = "auto";
 my $enable_filter_aaaa = "yes";
 my $enable_isc_spnego = "yes";
-@@ -837,6 +842,10 @@ sub myenable {
+@@ -850,6 +855,10 @@ sub myenable {
         if ($val =~ /^yes$/i) {
             $enable_native_pkcs11 = "yes";
         }
@ -2065,7 +2065,7 @@ index 6f93814..4286baf 100644
     } elsif ($key =~ /^openssl-hash$/i) {
         if ($val =~ /^yes$/i) {
             $enable_openssl_hash = "yes";
-@@ -1139,6 +1148,11 @@ if ($verbose) {
+@@ -1158,6 +1167,11 @@ if ($verbose) {
     } else {
         print "native-pkcs11: disabled\n";
     }
@ -2077,7 +2077,7 @@ index 6f93814..4286baf 100644
     if ($enable_openssl_hash eq "yes") {
         print "openssl-hash: enabled\n";
     } else {
-@@ -1497,6 +1511,7 @@ if ($enable_intrinsics eq "yes") {
+@@ -1516,6 +1530,7 @@ if ($enable_intrinsics eq "yes") {
 
 # enable-native-pkcs11
 if ($enable_native_pkcs11 eq "yes") {
@ -2085,7 +2085,7 @@ index 6f93814..4286baf 100644
     if ($use_openssl eq "auto") {
         $use_openssl = "no";
     }
-@@ -1706,6 +1721,7 @@ if ($use_openssl eq "yes") {
+@@ -1725,6 +1740,7 @@ if ($use_openssl eq "yes") {
         $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
     }   
 
@ -2093,7 +2093,7 @@ index 6f93814..4286baf 100644
     $configcond{"OPENSSL"} = 1;
     $configdefd{"CRYPTO"} = "OPENSSL";
     $configvar{"OPENSSL_PATH"} = "$openssl_path";
-@@ -2242,6 +2258,15 @@ if ($use_aes eq "yes") {
+@@ -2296,6 +2312,15 @@ if ($use_aes eq "yes") {
 }
 
 
@ -2109,7 +2109,7 @@ index 6f93814..4286baf 100644
 # enable-openssl-hash
 if ($enable_openssl_hash eq "yes") {
     if ($use_openssl eq "no") {
-@@ -3617,6 +3642,7 @@ exit 0;
+@@ -3671,6 +3696,7 @@ exit 0;
 #  --enable-developer partially supported
 #  --enable-newstats (9.9/9.9sub only)
 #  --enable-native-pkcs11 supported
--- a/bind-9.11-rt46047.patch
+++ b/bind-9.11-rt46047.patch
@ -1,4 +1,4 @@
-From ab9ee91f596c14cfc55a67ba3523b42a54e3e244 Mon Sep 17 00:00:00 2001
+From 4c7b644910e21e690e5f51d5596a9fe46d9c7b7a Mon Sep 17 00:00:00 2001
 From: Evan Hunt <each@isc.org>
 Date: Thu, 28 Sep 2017 10:09:22 -0700
 Subject: [PATCH] completed and corrected the crypto-random change
@ -39,14 +39,16 @@ Subject: [PATCH] completed and corrected the crypto-random change
 bin/tests/system/tkey/keycreate.c        |  4 +-
 bin/tests/system/tkey/keydelete.c        |  5 +--
 doc/arm/Bv9ARM-book.xml                  | 55 +++++++++++++++++-------
- doc/arm/notes.xml                        | 31 +++++++++++++
+ doc/arm/notes-rh-changes.xml             | 43 ++++++++++++++++++
+ doc/arm/notes.xml                        |  1 +
 lib/dns/dst_api.c                        |  4 +-
 lib/dns/include/dst/dst.h                | 14 +++++-
 lib/dns/openssl_link.c                   |  3 +-
 lib/isc/include/isc/entropy.h            | 50 +++++++++++++++------
 lib/isc/include/isc/random.h             | 28 +++++++-----
 lib/isccfg/namedconf.c                   |  2 +-
- 22 files changed, 228 insertions(+), 106 deletions(-)
+ 23 files changed, 241 insertions(+), 106 deletions(-)
+ create mode 100644 doc/arm/notes-rh-changes.xml

 diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
 index 295e16f..0f79aa8 100644
@ -140,10 +142,10 @@ index 31a99e7..38c83ed 100644
 					   usekeyboard);
 
 diff --git a/bin/named/client.c b/bin/named/client.c
-index 29fecad..a12623a 100644
+index 2169954..c6c59f7 100644
 --- a/bin/named/client.c
 +++ b/bin/named/client.c
-@@ -1752,7 +1752,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+@@ -1754,7 +1754,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
 
 		isc_buffer_init(&buf, cookie, sizeof(cookie));
 		isc_stdtime_get(&now);
@ -154,10 +156,10 @@ index 29fecad..a12623a 100644
 		compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
 
 diff --git a/bin/named/config.c b/bin/named/config.c
-index a153172..8d46bc3 100644
+index de64ca5..833c1dc 100644
 --- a/bin/named/config.c
 +++ b/bin/named/config.c
-@@ -93,7 +93,9 @@ options {\n\
+@@ -98,7 +98,9 @@ options {\n\
 #	pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
 	port 53;\n\
 	prefetch 2 9;\n"
@ -241,7 +243,7 @@ index f5ed2b7..b2c1d05 100644
 
 struct ns_altsecret {
 diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
-index 135533b..4546831 100644
+index 9bd1f93..851d3c9 100644
 --- a/bin/named/interfacemgr.c
 +++ b/bin/named/interfacemgr.c
@@ -17,6 +17,7 @@
@ -253,7 +255,7 @@ index 135533b..4546831 100644
 #include <isc/task.h>
 #include <isc/util.h>
 diff --git a/bin/named/query.c b/bin/named/query.c
-index f85cc76..43a3661 100644
+index 86417c7..55b7b7c 100644
 --- a/bin/named/query.c
 +++ b/bin/named/query.c
@@ -19,6 +19,7 @@
@ -265,10 +267,10 @@ index f85cc76..43a3661 100644
 #include <isc/serial.h>
 #include <isc/stats.h>
 diff --git a/bin/named/server.c b/bin/named/server.c
-index 405ff71..700f83d 100644
+index c782073..bc59cbc 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
-@@ -8203,21 +8203,32 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8204,21 +8204,32 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * Open the source of entropy.
 	 */
 	if (first_time) {
@ -310,7 +312,7 @@ index 405ff71..700f83d 100644
 #ifdef PATH_RANDOMDEV
 			if (ns_g_fallbackentropy != NULL) {
 				level = ISC_LOG_INFO;
-@@ -8228,8 +8239,8 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8229,8 +8240,8 @@ load_configuration(const char *filename, ns_server_t *server,
 					      NS_LOGCATEGORY_GENERAL,
 					      NS_LOGMODULE_SERVER,
 					      level,
@ -321,15 +323,15 @@ index 405ff71..700f83d 100644
 					      randomdev,
 					      isc_result_totext(result));
 			}
-@@ -8249,7 +8260,6 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8250,7 +8261,6 @@ load_configuration(const char *filename, ns_server_t *server,
 				}
 				isc_entropy_detach(&ns_g_fallbackentropy);
 			}
 -#endif
 #endif
 		}
- 	}
-@@ -9014,6 +9024,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
+ 
+@@ -9018,6 +9028,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	server->in_roothints = NULL;
 	server->blackholeacl = NULL;
 	server->keepresporder = NULL;
@ -337,7 +339,7 @@ index 405ff71..700f83d 100644
 
 	/* Must be first. */
 	CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
-@@ -9040,6 +9051,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
+@@ -9044,6 +9055,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
 				      &server->tkeyctx),
 		   "creating TKEY context");
@ -347,7 +349,7 @@ index 405ff71..700f83d 100644
 
 	/*
 	 * Setup the server task, which is responsible for coordinating
-@@ -9246,7 +9260,8 @@ ns_server_destroy(ns_server_t **serverp) {
+@@ -9250,7 +9264,8 @@ ns_server_destroy(ns_server_t **serverp) {
 
 	if (server->zonemgr != NULL)
 		dns_zonemgr_detach(&server->zonemgr);
@ -357,7 +359,7 @@ index 405ff71..700f83d 100644
 	if (server->tkeyctx != NULL)
 		dns_tkeyctx_destroy(&server->tkeyctx);
 
-@@ -13197,10 +13212,10 @@ newzone_cfgctx_destroy(void **cfgp) {
+@@ -13221,10 +13236,10 @@ newzone_cfgctx_destroy(void **cfgp) {
 
 static isc_result_t
 generate_salt(unsigned char *salt, size_t saltlen) {
@ -370,7 +372,7 @@ index 405ff71..700f83d 100644
 	} rnd;
 	unsigned char text[512 + 1];
 	isc_region_t r;
-@@ -13210,9 +13225,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
+@@ -13234,9 +13249,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
 	if (saltlen > 256U)
 		return (ISC_R_RANGE);
 
@ -400,10 +402,10 @@ index 0286987..0376377 100644
 	}
 #endif
 diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
-index 7b4f617..507bf0a 100644
+index f0a6ff2..55064f6 100644
 --- a/bin/tests/system/pipelined/pipequeries.c
 +++ b/bin/tests/system/pipelined/pipequeries.c
-@@ -282,9 +282,7 @@ main(int argc, char *argv[]) {
+@@ -280,9 +280,7 @@ main(int argc, char *argv[]) {
 	ectx = NULL;
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
 #ifdef ISC_PLATFORM_CRYPTORANDOM
@ -453,10 +455,10 @@ index 2146f9b..64b8e74 100644
 	}
 #endif
 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
-index b40cb05..8a81438 100644
+index 9bf100f..c161e71 100644
 --- a/doc/arm/Bv9ARM-book.xml
 +++ b/doc/arm/Bv9ARM-book.xml
-@@ -5071,22 +5071,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
+@@ -5076,22 +5076,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>random-device</command></term>
 	    <listitem>
 	      <para>
@ -518,53 +520,72 @@ index b40cb05..8a81438 100644
 	      </para>
 	    </listitem>
 	  </varlistentry>
+diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
+new file mode 100644
+index 0000000..11c3a7c
+--- /dev/null
+++ b/doc/arm/notes-rh-changes.xml
+@@ -0,0 +1,43 @@
+
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes</title></info>
+  <itemizedlist>
+     <listitem>
+      <para>
+        By default, BIND now uses the random number generation functions
+        in the cryptographic library (i.e., OpenSSL or a PKCS#11
+        provider) as a source of high-quality randomness rather than
+        <filename>/dev/random</filename>.  This is suitable for virtual
+        machine environments, which may have limited entropy pools and
+        lack hardware random number generators.
+      </para>
+      <para>
+        This can be overridden by specifying another entropy source via
+        the <command>random-device</command> option in
+        <filename>named.conf</filename>, or via the <command>-r</command>
+        command line option.  However, for functions requiring full
+        cryptographic strength, such as DNSSEC key generation, this
+        <emphasis>cannot</emphasis> be overridden. In particular, the
+        <command>-r</command> command line option no longer has any
+        effect on <command>dnssec-keygen</command>.
+      </para>
+      <para>
+        This can be disabled by building with
+        <command>configure --disable-crypto-rand</command>, in which
+        case <filename>/dev/random</filename> will be the default
+        entropy source.  [RT #31459] [RT #46047]
+      </para>
+    </listitem>
+  </itemizedlist>
+</section>
+
 diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
-index 00ce8f1..527135a 100644
+index 3a9cfcf..ded2000 100644
 --- a/doc/arm/notes.xml
 +++ b/doc/arm/notes.xml
-@@ -124,6 +124,37 @@
-     </itemizedlist>
-   </section>
- 
-+  <section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes</title></info>
-+    <itemizedlist>
-+       <listitem>
-+	<para>
-+	  By default, BIND now uses the random number generation functions
-+	  in the cryptographic library (i.e., OpenSSL or a PKCS#11
-+	  provider) as a source of high-quality randomness rather than
-+	  <filename>/dev/random</filename>.  This is suitable for virtual
-+	  machine environments, which may have limited entropy pools and
-+	  lack hardware random number generators.
-+	</para>
-+	<para>
-+	  This can be overridden by specifying another entropy source via
-+	  the <command>random-device</command> option in
-+	  <filename>named.conf</filename>, or via the <command>-r</command>
-+	  command line option.  However, for functions requiring full
-+	  cryptographic strength, such as DNSSEC key generation, this
-+	  <emphasis>cannot</emphasis> be overridden. In particular, the
-+	  <command>-r</command> command line option no longer has any
-+	  effect on <command>dnssec-keygen</command>.
-+	</para>
-+	<para>
-+	  This can be disabled by building with
-+	  <command>configure --disable-crypto-rand</command>, in which
-+	  case <filename>/dev/random</filename> will be the default
-+	  entropy source.  [RT #31459] [RT #46047]
-+	</para>
-+      </listitem>
-+    </itemizedlist>
-+  </section>
-+
-   <section xml:id="end_of_life"><info><title>End of Life</title></info>
-     <para>
-       BIND 9.11 (Extended Support Version) will be supported until at
+@@ -23,6 +23,7 @@
+   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-sec-fixes.xml"/>
+   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-new-features.xml"/>
+   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-bug-fixes.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-rh-changes.xml"/>
+   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-eol.xml"/>
+   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
+ </section>
 diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index b55ebe0..d2b43d3 100644
+index 1614afa..0f52df9 100644
 --- a/lib/dns/dst_api.c
 +++ b/lib/dns/dst_api.c
-@@ -2016,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
+@@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
 	else
 		flags |= ISC_ENTROPY_BLOCKING;
 #ifdef ISC_PLATFORM_CRYPTORANDOM
@ -761,7 +782,7 @@ index f8aed34..17c551b 100644
 
 ISC_LANG_ENDDECLS
 diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
-index fbc62cc..9cad61d 100644
+index 03890a3..7bad989 100644
 --- a/lib/isccfg/namedconf.c
 +++ b/lib/isccfg/namedconf.c
@@ -1109,7 +1109,7 @@ options_clauses[] = {
--- a/bind.spec
+++ b/bind.spec
@ -141,8 +141,6 @@ Patch161:bind-9.11-host-idn-disable.patch
 Patch163:bind-9.11-rh1663318.patch
 # https://gitlab.isc.org/isc-projects/bind9/issues/819
 Patch164:bind-9.11-rh1666814.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1647829
-Patch165:bind-9.11-rh1647829.patch
 # random_test fails too often by random, disable it
 Patch168:bind-9.11-unit-disable-random.patch
 Patch170:bind-9.11-feature-test-named.patch
@ -534,7 +532,6 @@ are used for building ISC DHCP.
 %patch161 -p1 -b .host-idn-disable
 %patch163 -p1 -b .rh1663318
 %patch164 -p1 -b .rh1666814
-%patch165 -p1 -b .rh1647829
 %patch168 -p1 -b .random_test-disable
 %patch170 -p1 -b .featuretest-named
 %patch171 -p1 -b .test-variant