Adapted patches for new version

Removed merged upstream.
2019-03-05 21:49:26 +01:00 · 2019-03-05 21:49:26 +01:00 · 1e4169114f
parent 2aa49f0cec
commit 1e4169114f
22 changed files with 655 additions and 1103 deletions
--- a/bind-9.10-dist-native-pkcs11.patch
+++ b/bind-9.10-dist-native-pkcs11.patch
@ -1,22 +1,3 @@
 From c6c0dc7addd8b27718247aa9c67e3cf3f80a8be3 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Fri, 1 Mar 2019 11:10:03 +0100
 Subject: [PATCH] bind-9.10-dist-native-pkcs11.patch
 ---
 bin/Makefile.in               |  4 +--
 bin/dnssec-pkcs11/Makefile.in | 44 ++++++++++++++---------------
 bin/dnssec/Makefile.in        |  2 +-
 bin/named-pkcs11/Makefile.in  | 45 +++++++++++++----------------
 bin/named/Makefile.in         |  2 +-
 bin/pkcs11/Makefile.in        |  6 ++--
 configure.in                  | 53 +++++++++++++++++++++++++++--------
 lib/Makefile.in               |  2 +-
 lib/dns-pkcs11/Makefile.in    | 30 ++++++++++----------
 lib/isc-pkcs11/Makefile.in    | 28 +++++++++---------
 make/includes.in              | 10 +++++++
 11 files changed, 129 insertions(+), 97 deletions(-)
 diff --git a/bin/Makefile.in b/bin/Makefile.in
 index f0c504a..ce7a2da 100644
 --- a/bin/Makefile.in
@ -318,11 +299,11 @@ index a058c91..d4b689a 100644
 DEPLIBS =	${ISCDEPLIBS}
-diff --git a/configure.in b/configure.in
+diff --git a/configure.ac b/configure.ac
-index b2bb268..d9e0797 100644
+index 5e1ba8c..7aff0e6 100644
--- a/configure.in
+--- a/configure.ac
-+++ b/configure.in
+++ b/configure.ac
-@@ -1109,12 +1109,14 @@ AC_SUBST(USE_GSSAPI)
+@@ -1070,12 +1070,14 @@ AC_SUBST(USE_GSSAPI)
 AC_SUBST(DST_GSSAPI_INC)
 AC_SUBST(DNS_GSSAPI_LIBS)
 DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
@ -337,7 +318,7 @@ index b2bb268..d9e0797 100644
 #
 # was --with-randomdev specified?
-@@ -1499,11 +1501,11 @@ fi
+@@ -1460,11 +1462,11 @@ fi
 AC_MSG_CHECKING(for OpenSSL library)
 OPENSSL_WARNING=
 openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
@ -354,7 +335,7 @@ index b2bb268..d9e0797 100644
 if test "auto" = "$use_openssl"
 then
-@@ -1516,6 +1518,7 @@ then
+@@ -1477,6 +1479,7 @@ then
 		fi
 	done
 fi
@ -362,7 +343,7 @@ index b2bb268..d9e0797 100644
 OPENSSL_ECDSA=""
 OPENSSL_GOST=""
 OPENSSL_ED25519=""
-@@ -1537,11 +1540,10 @@ case "$with_gost" in
+@@ -1498,11 +1501,10 @@ case "$with_gost" in
 		;;
 esac
@ -377,7 +358,7 @@ index b2bb268..d9e0797 100644
 		CRYPTOLIB="pkcs11"
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
-@@ -1551,7 +1553,9 @@ case "$use_openssl" in
+@@ -1512,7 +1514,9 @@ case "$use_openssl" in
 		OPENSSLGOSTLINKSRCS=""
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
@ -388,7 +369,7 @@ index b2bb268..d9e0797 100644
 	no)
 		AC_MSG_RESULT(no)
 		DST_OPENSSL_INC=""
-@@ -1583,7 +1587,7 @@ case "$use_openssl" in
+@@ -1544,7 +1548,7 @@ case "$use_openssl" in
 If you do not want OpenSSL, use --without-openssl])
 		;;
 	*)
@ -397,7 +378,7 @@ index b2bb268..d9e0797 100644
 		then
 			AC_MSG_RESULT()
 			AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
-@@ -2016,6 +2020,7 @@ AC_SUBST(OPENSSL_ED25519)
+@@ -1972,6 +1976,7 @@ AC_SUBST(OPENSSL_ED25519)
 AC_SUBST(OPENSSL_GOST)
 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@ -405,7 +386,7 @@ index b2bb268..d9e0797 100644
 ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
 if test "yes" = "$with_aes"
-@@ -2334,6 +2339,7 @@ esac
+@@ -2295,6 +2300,7 @@ esac
 AC_SUBST(PKCS11LINKOBJS)
 AC_SUBST(PKCS11LINKSRCS)
 AC_SUBST(CRYPTO)
@ -413,7 +394,7 @@ index b2bb268..d9e0797 100644
 AC_SUBST(PKCS11_ECDSA)
 AC_SUBST(PKCS11_GOST)
 AC_SUBST(PKCS11_ED25519)
-@@ -5406,8 +5412,11 @@ AC_CONFIG_FILES([
+@@ -5425,8 +5431,11 @@ AC_CONFIG_FILES([
 	bin/delv/Makefile
 	bin/dig/Makefile
 	bin/dnssec/Makefile
@ -425,7 +406,7 @@ index b2bb268..d9e0797 100644
 	bin/nsupdate/Makefile
 	bin/pkcs11/Makefile
 	bin/python/Makefile
-@@ -5480,6 +5489,10 @@ AC_CONFIG_FILES([
+@@ -5499,6 +5508,10 @@ AC_CONFIG_FILES([
 	lib/dns/include/dns/Makefile
 	lib/dns/include/dst/Makefile
 	lib/dns/tests/Makefile
@ -436,7 +417,7 @@ index b2bb268..d9e0797 100644
 	lib/irs/Makefile
 	lib/irs/include/Makefile
 	lib/irs/include/irs/Makefile
-@@ -5504,6 +5517,24 @@ AC_CONFIG_FILES([
+@@ -5523,6 +5536,24 @@ AC_CONFIG_FILES([
 	lib/isc/unix/include/Makefile
 	lib/isc/unix/include/isc/Makefile
 	lib/isc/unix/include/pkcs11/Makefile
@ -475,7 +456,7 @@ index 81270a0..bcb5312 100644
 @BIND9_MAKE_RULES@
 diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
-index 4a8549e..6a19906 100644
+index 068bbac..d7f3d95 100644
 --- a/lib/dns-pkcs11/Makefile.in
 +++ b/lib/dns-pkcs11/Makefile.in
@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@
@ -638,6 +619,3 @@ index fa86ad1..3cfbe9f 100644
 +
 +DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
 +	-I${top_srcdir}/lib/dns-pkcs11/include
 -- 
 2.20.1
--- a/bind-9.10-sdb.patch
+++ b/bind-9.10-sdb.patch
@ -1,17 +1,3 @@
 From 09b71a1994d7ea3b299746167b6bcf24021edd76 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Thu, 28 Feb 2019 18:37:01 +0100
 Subject: [PATCH] bind-9.10-sdb.patch
 ---
 bin/Makefile.in           |  4 +-
 bin/named-sdb/Makefile.in | 25 +++++-------
 bin/named-sdb/main.c      | 83 +++++++++++++++++++++++++++++++++++++++
 bin/named/Makefile.in     | 16 +++-----
 bin/sdb_tools/Makefile.in | 10 +++--
 configure.in              |  3 ++
 6 files changed, 110 insertions(+), 31 deletions(-)
 diff --git a/bin/Makefile.in b/bin/Makefile.in
 index ce7a2da..4e6a824 100644
 --- a/bin/Makefile.in
@ -102,7 +88,7 @@ index 04dea99..4ff053e 100644
 @DLZ_DRIVER_RULES@
 diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
-index 8cec1ad..de5e5bb 100644
+index 17f2daa..1bb9d79 100644
 --- a/bin/named-sdb/main.c
 +++ b/bin/named-sdb/main.c
@@ -93,6 +93,10 @@
@ -309,11 +295,11 @@ index c7e0868..95ab742 100644
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@  ${DESTDIR}${sbindir}
 +	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
 	${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
-diff --git a/configure.in b/configure.in
+diff --git a/configure.ac b/configure.ac
-index c09c21a..e48bd2e 100644
+index 8374385..0af9b71 100644
--- a/configure.in
+--- a/configure.ac
-+++ b/configure.in
+++ b/configure.ac
-@@ -5417,6 +5417,8 @@ AC_CONFIG_FILES([
+@@ -5436,6 +5436,8 @@ AC_CONFIG_FILES([
 	bin/named/unix/Makefile
 	bin/named-pkcs11/Makefile
 	bin/named-pkcs11/unix/Makefile
@ -322,7 +308,7 @@ index c09c21a..e48bd2e 100644
 	bin/nsupdate/Makefile
 	bin/pkcs11/Makefile
 	bin/python/Makefile
-@@ -5441,6 +5443,7 @@ AC_CONFIG_FILES([
+@@ -5460,6 +5462,7 @@ AC_CONFIG_FILES([
 	bin/python/isc/tests/dnskey_test.py
 	bin/python/isc/tests/policy_test.py
 	bin/rndc/Makefile
@ -330,6 +316,3 @@ index c09c21a..e48bd2e 100644
 	bin/tests/Makefile
 	bin/tests/headerdep_test.sh
 	bin/tests/optional/Makefile
 -- 
 2.20.1
--- a/bind-9.11-ed448-disable.patch
+++ b/bind-9.11-ed448-disable.patch
@ -1,41 +0,0 @@
 From e6bad0789c731f06de781997e33e864c71510ff2 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Thu, 21 Feb 2019 12:36:17 +0100
 Subject: [PATCH] Disable autodetected ED448 algorithm support
 Implementation is broken in bind, disabled also in more recent versions.
 Makes bin/tests/system/dnssec fail.
 ---
 configure.in | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
 diff --git a/configure.in b/configure.in
 index ca84ff3239..da4dd5f249 100644
 --- a/configure.in
 +++ b/configure.in
@@ -1917,6 +1917,9 @@ int main() {
 }
 ],
 		[AC_MSG_RESULT(yes)
 +		# ED448 support is broken in BIND
 +		# https://gitlab.isc.org/isc-projects/bind9/issues/225
 +		# disable if autodetected, can be enabled by --with-eddsa=all
 		have_ed448="yes"],
 		[AC_MSG_RESULT(no)
 		have_ed448="no"],
@@ -1929,8 +1932,10 @@ int main() {
 		esac
 		case $have_ed448 in
 		yes)
 -			AC_DEFINE(HAVE_OPENSSL_ED448, 1,
 -				  [Define if your OpenSSL version supports Ed448.])
 +		# ED448 support is broken in BIND
 +		# https://gitlab.isc.org/isc-projects/bind9/issues/225
 +		#	AC_DEFINE(HAVE_OPENSSL_ED448, 1,
 +		#		  [Define if your OpenSSL version supports Ed448.])
 			;;
 		*)
 			;;
 -- 
 2.20.1
--- a/bind-9.11-export-suffix.patch
+++ b/bind-9.11-export-suffix.patch
@ -1,8 +1,8 @@
-diff --git a/configure.in b/configure.in
+diff --git a/configure.ac b/configure.ac
-index e6cd6a4..988b0a7 100644
+index c1bfd62..7c5ad51 100644
--- a/configure.in
+--- a/configure.ac
-+++ b/configure.in
+++ b/configure.ac
-@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS)
+@@ -5333,6 +5333,8 @@ AC_SUBST(BUILD_CPPFLAGS)
 AC_SUBST(BUILD_LDFLAGS)
 AC_SUBST(BUILD_LIBS)
@ -12,10 +12,10 @@ index e6cd6a4..988b0a7 100644
 # Commands to run at the end of config.status.
 # Don't just put these into configure, it won't work right if somebody
 diff --git a/isc-config.sh.in b/isc-config.sh.in
-index 110191a..5a64004 100644
+index b5e94ed..d2857e0 100644
 --- a/isc-config.sh.in
 +++ b/isc-config.sh.in
-@@ -12,16 +12,17 @@ prefix=@prefix@
+@@ -13,16 +13,17 @@ prefix=@prefix@
 exec_prefix=@exec_prefix@
 exec_prefix_set=
 includedir=@includedir@
--- a/bind-9.11-feature-test-dlz.patch
+++ b/bind-9.11-feature-test-dlz.patch
@ -1,4 +1,4 @@
-From fe4074d27f642dd93afb5988a2edc7c173b22520 Mon Sep 17 00:00:00 2001
+From 71627db6c8852d7805ec559506f5f3cb8d89a131 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Wed, 30 Jan 2019 15:12:54 +0100
 Subject: [PATCH] Support DLZ filesystem detection in feature-test
@ -8,7 +8,7 @@ Do not use variable from configure to detect the feature.
 bin/tests/system/Makefile.in                     | 2 +-
 bin/tests/system/dlz/{prereq.sh.in => prereq.sh} | 2 +-
 bin/tests/system/feature-test.c                  | 9 +++++++++
- configure.in                                     | 1 -
+ configure.ac                                     | 1 -
 4 files changed, 11 insertions(+), 3 deletions(-)
 rename bin/tests/system/dlz/{prereq.sh.in => prereq.sh} (91%)
@ -42,7 +42,7 @@ index afec653..fb3328e 100644
         exit 255
 fi
 diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
-index 5eee6aa..78bd3b9 100644
+index 11863a3..428d107 100644
 --- a/bin/tests/system/feature-test.c
 +++ b/bin/tests/system/feature-test.c
@@ -51,6 +51,7 @@ usage() {
@ -68,11 +68,11 @@ index 5eee6aa..78bd3b9 100644
 	if (strcmp(argv[1], "--ipv6only=no") == 0) {
 #ifdef WIN32
 		return (0);
-diff --git a/configure.in b/configure.in
+diff --git a/configure.ac b/configure.ac
-index fc1ad41..b2bb268 100644
+index fddc63a..5e1ba8c 100644
--- a/configure.in
+--- a/configure.ac
-+++ b/configure.in
+++ b/configure.ac
-@@ -5439,7 +5439,6 @@ AC_CONFIG_FILES([
+@@ -5458,7 +5458,6 @@ AC_CONFIG_FILES([
 	bin/tests/pkcs11/benchmarks/Makefile
 	bin/tests/system/Makefile
 	bin/tests/system/conf.sh
--- a/bind-9.11-fips-code.patch
+++ b/bind-9.11-fips-code.patch
@ -1,4 +1,4 @@
-From 9fa0831af989818eb6f908815967590e56a19ab1 Mon Sep 17 00:00:00 2001
+From 9ff202072b286ef57e0ffcd7c55777f2994d3985 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Thu, 2 Aug 2018 23:34:45 +0200
 Subject: [PATCH] FIPS code changes
@ -96,36 +96,36 @@ Date:   Mon Jan 22 07:21:04 2018 +0100
    Add runtime detection whether MD5 is useable.
 ---
- bin/confgen/keygen.c              | 10 ++++-
+ bin/confgen/keygen.c              | 10 +++-
- bin/confgen/rndc-confgen.c        | 32 ++++------------
+ bin/confgen/rndc-confgen.c        | 32 ++++---------
- bin/dig/dig.c                     |  7 ++--
+ bin/dig/dig.c                     |  7 +--
- bin/dig/dighost.c                 | 14 +++++--
+ bin/dig/dighost.c                 | 14 ++++--
- bin/dnssec/dnssec-keygen.c        | 14 +++++++
+ bin/dnssec/dnssec-keygen.c        | 14 ++++++
- bin/named/config.c                | 25 ++++++++++++-
+ bin/named/config.c                | 25 +++++++++-
- bin/nsupdate/nsupdate.c           | 24 +++++++-----
+ bin/nsupdate/nsupdate.c           | 24 ++++++----
 bin/rndc/rndc.c                   |  3 +-
- bin/tests/optional/hash_test.c    | 78 ++++++++++++++++++++-------------------
+ bin/tests/optional/hash_test.c    | 78 ++++++++++++++++---------------
 bin/tests/system/tkey/keycreate.c |  3 ++
- bin/tests/system/tkey/keydelete.c | 17 ++++++---
+ bin/tests/system/tkey/keydelete.c | 17 ++++---
- lib/bind9/check.c                 | 10 +++++
+ lib/bind9/check.c                 | 10 ++++
- lib/dns/dst_api.c                 | 23 ++++++++----
+ lib/dns/dst_api.c                 | 23 ++++++---
 lib/dns/dst_internal.h            |  3 +-
- lib/dns/dst_parse.c               | 18 +++++++--
+ lib/dns/dst_parse.c               | 18 +++++--
- lib/dns/hmac_link.c               | 18 ++-------
+ lib/dns/hmac_link.c               | 18 ++-----
 lib/dns/opensslrsa_link.c         |  6 +++
- lib/dns/pkcs11rsa_link.c          | 33 +++++++++++++++--
+ lib/dns/pkcs11rsa_link.c          | 33 +++++++++++--
- lib/dns/rcode.c                   | 21 ++++++++++-
+ lib/dns/rcode.c                   | 21 ++++++++-
- lib/dns/tests/rsa_test.c          | 29 ++++++++-------
+ lib/dns/tests/rsa_test.c          |  4 ++
 lib/dns/tests/tsig_test.c         |  1 +
- lib/dns/tkey.c                    |  9 +++++
+ lib/dns/tkey.c                    |  9 ++++
 lib/dns/tsec.c                    |  8 +++-
- lib/dns/tsig.c                    | 17 +++++----
+ lib/dns/tsig.c                    | 17 ++++---
 lib/isc/include/isc/md5.h         |  3 ++
- lib/isc/md5.c                     | 59 +++++++++++++++++++++++++++++
+ lib/isc/md5.c                     | 59 +++++++++++++++++++++++
- lib/isc/pk11.c                    | 44 +++++++++++++++-------
+ lib/isc/pk11.c                    | 44 +++++++++++------
- lib/isc/tests/hash_test.c         |  9 +++--
+ lib/isc/tests/hash_test.c         |  9 ++++
- lib/isccc/cc.c                    | 42 +++++++++++++--------
+ lib/isccc/cc.c                    | 42 +++++++++++------
- 29 files changed, 409 insertions(+), 171 deletions(-)
+ 29 files changed, 400 insertions(+), 155 deletions(-)
 diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
 index 8931ad5..5015abb 100644
@ -241,7 +241,7 @@ index 5ca3d76..6b7790a 100644
 	port = DEFAULT_PORT;
 diff --git a/bin/dig/dig.c b/bin/dig/dig.c
-index 39f74be..597e830 100644
+index 2063a3b..8e856c5 100644
 --- a/bin/dig/dig.c
 +++ b/bin/dig/dig.c
@@ -20,6 +20,7 @@
@ -252,7 +252,7 @@ index 39f74be..597e830 100644
 #include <isc/netaddr.h>
 #include <isc/parseint.h>
 #include <isc/platform.h>
-@@ -1760,10 +1761,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
+@@ -1767,10 +1768,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			ptr = ptr2;
 			ptr2 = ptr3;
 		} else  {
@ -267,7 +267,7 @@ index 39f74be..597e830 100644
 			digestbits = 0;
 		}
 diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index 1fa711a..341ed80 100644
+index 011b118..5eabc1f 100644
 --- a/bin/dig/dighost.c
 +++ b/bin/dig/dighost.c
@@ -80,6 +80,7 @@
@ -339,7 +339,7 @@ index 1476d0d..f5c9316 100644
 			alg = DST_ALG_HMACMD5;
 #else
 diff --git a/bin/named/config.c b/bin/named/config.c
-index 2732a8f..2c4c93c 100644
+index 7584efb..a153172 100644
 --- a/bin/named/config.c
 +++ b/bin/named/config.c
@@ -18,6 +18,7 @@
@ -350,7 +350,7 @@ index 2732a8f..2c4c93c 100644
 #include <isc/mem.h>
 #include <isc/parseint.h>
 #include <isc/region.h>
-@@ -967,6 +968,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
+@@ -969,6 +970,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
 	return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits));
 }
@ -372,7 +372,7 @@ index 2732a8f..2c4c93c 100644
 isc_result_t
 ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
 			   unsigned int *typep, uint16_t *digestbits)
-@@ -976,7 +992,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+@@ -978,7 +994,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
 	uint16_t bits;
 	isc_result_t result;
@ -381,7 +381,7 @@ index 2732a8f..2c4c93c 100644
 		len = strlen(algorithms[i].str);
 		if (strncasecmp(algorithms[i].str, str, len) == 0 &&
 		    (str[len] == '\0' ||
-@@ -999,7 +1015,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+@@ -1001,7 +1017,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
 	if (name != NULL) {
 		switch (algorithms[i].hmac) {
 #ifndef PK11_MD5_DISABLE
@ -396,7 +396,7 @@ index 2732a8f..2c4c93c 100644
 		case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
 		case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
 diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index 8d1da3b..5eefc57 100644
+index 548e0ce..509784c 100644
 --- a/bin/nsupdate/nsupdate.c
 +++ b/bin/nsupdate/nsupdate.c
@@ -31,6 +31,7 @@
@ -622,7 +622,7 @@ index bde66a4..70a40c3 100644
 	dst_key_free(&dstkey);
 	CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
 diff --git a/lib/bind9/check.c b/lib/bind9/check.c
-index d32a5a1..c749c27 100644
+index d6fba22..ac60ba8 100644
 --- a/lib/bind9/check.c
 +++ b/lib/bind9/check.c
@@ -23,6 +23,7 @@
@ -633,7 +633,7 @@ index d32a5a1..c749c27 100644
 #include <isc/mem.h>
 #include <isc/netaddr.h>
 #include <isc/parseint.h>
-@@ -2592,6 +2593,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
+@@ -2589,6 +2590,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
 	}
 	algorithm = cfg_obj_asstring(algobj);
@ -650,7 +650,7 @@ index d32a5a1..c749c27 100644
 		len = strlen(algorithms[i].name);
 		if (strncasecmp(algorithms[i].name, algorithm, len) == 0 &&
 diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index 97fee68..5703f9c 100644
+index e3c47a9..320c0f8 100644
 --- a/lib/dns/dst_api.c
 +++ b/lib/dns/dst_api.c
@@ -192,6 +192,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
@ -766,7 +766,7 @@ index f31c33d..87023a6 100644
 		ret = DST_R_INVALIDPRIVATEKEY;
 		goto fail;
 diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
-index 94e73b1..d904075 100644
+index 3b6579b..4bdce2f 100644
 --- a/lib/dns/hmac_link.c
 +++ b/lib/dns/hmac_link.c
@@ -340,20 +340,10 @@ static dst_func_t hmacmd5_functions = {
@ -792,13 +792,13 @@ index 94e73b1..d904075 100644
 +	if (!isc_md5_available())
 +		return (ISC_R_SUCCESS);
 #if PK11_FLAVOR != PK11_UTIMACO_FLAVOR
 	/*
 	 * Prevent use of incorrect crypto
 diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
-index c03fd72..49b66fc 100644
+index ec35f50..c80fabe 100644
 --- a/lib/dns/opensslrsa_link.c
 +++ b/lib/dns/opensslrsa_link.c
-@@ -1802,6 +1802,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
+@@ -1812,6 +1812,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
 	if (*funcp == NULL) {
 		switch (algorithm) {
@ -812,7 +812,7 @@ index c03fd72..49b66fc 100644
 #if defined(HAVE_EVP_SHA256) || !USE_EVP
 			*funcp = &opensslrsa_functions;
 diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
-index eb782c8..46fd844 100644
+index 096c1a8..6c280bf 100644
 --- a/lib/dns/pkcs11rsa_link.c
 +++ b/lib/dns/pkcs11rsa_link.c
@@ -96,10 +96,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
@ -832,7 +832,7 @@ index eb782c8..46fd844 100644
 	case DST_ALG_RSASHA1:
 	case DST_ALG_NSEC3RSASHA1:
 		/* From RFC 3110 */
-@@ -636,6 +641,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+@@ -641,6 +646,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 	switch (key->key_alg) {
 #ifndef PK11_MD5_DISABLE
 	case DST_ALG_RSAMD5:
@ -842,7 +842,7 @@ index eb782c8..46fd844 100644
 		mech.mechanism = CKM_MD5;
 		break;
 #endif
-@@ -792,6 +800,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+@@ -799,6 +807,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	switch (key->key_alg) {
 #ifndef PK11_MD5_DISABLE
 	case DST_ALG_RSAMD5:
@ -852,7 +852,7 @@ index eb782c8..46fd844 100644
 		der = md5_der;
 		derlen = sizeof(md5_der);
 		hashlen = ISC_MD5_DIGESTLENGTH;
-@@ -1016,6 +1027,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+@@ -1024,6 +1035,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	switch (key->key_alg) {
 #ifndef PK11_MD5_DISABLE
 	case DST_ALG_RSAMD5:
@ -862,7 +862,7 @@ index eb782c8..46fd844 100644
 		der = md5_der;
 		derlen = sizeof(md5_der);
 		hashlen = ISC_MD5_DIGESTLENGTH;
-@@ -2219,11 +2233,22 @@ static dst_func_t pkcs11rsa_functions = {
+@@ -2231,11 +2245,22 @@ static dst_func_t pkcs11rsa_functions = {
 };
 isc_result_t
@ -889,7 +889,7 @@ index eb782c8..46fd844 100644
 }
 diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
-index 6a5948e..010dd1b 100644
+index 9c42c50..f51d548 100644
 --- a/lib/dns/rcode.c
 +++ b/lib/dns/rcode.c
@@ -16,6 +16,7 @@
@ -900,7 +900,7 @@ index 6a5948e..010dd1b 100644
 #include <isc/parseint.h>
 #include <isc/print.h>
 #include <isc/region.h>
-@@ -349,17 +350,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
+@@ -357,17 +358,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
 	return (dns_mnemonic_totext(cert, target, certs));
 }
@ -937,70 +937,48 @@ index 6a5948e..010dd1b 100644
 void
 diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c
-index fb207ef..3ef0a4e 100644
+index 16214c6..9b235ba 100644
 --- a/lib/dns/tests/rsa_test.c
 +++ b/lib/dns/tests/rsa_test.c
-@@ -19,6 +19,7 @@
+@@ -26,6 +26,7 @@
- #include <stdio.h>
+ #define UNIT_TESTING
- #include <string.h>
+ #include <cmocka.h>
 +#include <isc/md5.h>
 #include <isc/util.h>
 #include <isc/print.h>
-@@ -225,23 +226,25 @@ ATF_TC_BODY(isc_rsa_verify, tc) {
+@@ -247,6 +248,8 @@ isc_rsa_verify_test(void **state) {
 	/* RSAMD5 */
 #ifndef PK11_MD5_DISABLE
 -	key->key_alg = DST_ALG_RSAMD5;
 +	if (isc_md5_available()) {
-+		key->key_alg = DST_ALG_RSAMD5;
+		/* wrong indentation is kept for diff minimization */
 	key->key_alg = DST_ALG_RSAMD5;
-	ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
+ 	ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
-				  false, &ctx);
+@@ -264,6 +267,7 @@ isc_rsa_verify_test(void **state) {
-	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+ 	assert_int_equal(ret, ISC_R_SUCCESS);
 +		ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
 +					  false, &ctx);
 +		ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
-	r.base = d;
+ 	dst_context_destroy(&ctx);
 -	r.length = 10;
 -	ret = dst_context_adddata(ctx, &r);
 -	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
 +		r.base = d;
 +		r.length = 10;
 +		ret = dst_context_adddata(ctx, &r);
 +		ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
 -	r.base = sigmd5;
 -	r.length = 256;
 -	ret = dst_context_verify(ctx, &r);
 -	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
 +		r.base = sigmd5;
 +		r.length = 256;
 +		ret = dst_context_verify(ctx, &r);
 +		ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
 -	dst_context_destroy(&ctx);
 +		dst_context_destroy(&ctx);
 +	}
 #endif
 	/* RSASHA256 */
 diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c
-index 443fb36..f003ff3 100644
+index 4d6847e..1a208b5 100644
 --- a/lib/dns/tests/tsig_test.c
 +++ b/lib/dns/tests/tsig_test.c
-@@ -14,6 +14,7 @@
+@@ -24,6 +24,7 @@
- #include <config.h>
+ #define UNIT_TESTING
- #include <atf-c.h>
+ #include <cmocka.h>
 +#include <isc/md5.h>
 #include <isc/mem.h>
 #include <isc/print.h>
- 
+ #include <isc/util.h>
 diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
-index 5b4ffd9..cc3469d 100644
+index 89cfc79..d07364a 100644
 --- a/lib/dns/tkey.c
 +++ b/lib/dns/tkey.c
@@ -245,6 +245,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
@ -1027,7 +1005,7 @@ index 5b4ffd9..cc3469d 100644
 		tkey_log("process_dhtkey: algorithms other than "
 			 "hmac-md5 are not supported");
 diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c
-index c5eca0e..19b9002 100644
+index 9d8ead4..0c82f65 100644
 --- a/lib/dns/tsec.c
 +++ b/lib/dns/tsec.c
@@ -11,6 +11,7 @@
@ -1053,7 +1031,7 @@ index c5eca0e..19b9002 100644
 #endif
 		case DST_ALG_HMACSHA1:
 diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
-index a94ec69..f74c831 100644
+index 58c1104..00ee1e1 100644
 --- a/lib/dns/tsig.c
 +++ b/lib/dns/tsig.c
@@ -273,7 +273,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
@ -1086,7 +1064,7 @@ index a94ec69..f74c831 100644
 		if (secret != NULL) {
 			isc_buffer_t b;
-@@ -1283,7 +1286,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+@@ -1291,7 +1294,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		return (ret);
 	if (
 #ifndef PK11_MD5_DISABLE
@ -1095,7 +1073,7 @@ index a94ec69..f74c831 100644
 #endif
 	    alg == DST_ALG_HMACSHA1 ||
 	    alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
-@@ -1452,7 +1455,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+@@ -1460,7 +1463,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 	if (
 #ifndef PK11_MD5_DISABLE
@ -1104,7 +1082,7 @@ index a94ec69..f74c831 100644
 #endif
 	    alg == DST_ALG_HMACSHA1 ||
 	    alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
-@@ -1593,7 +1596,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+@@ -1601,7 +1604,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 			goto cleanup_querystruct;
 		if (
 #ifndef PK11_MD5_DISABLE
@ -1113,7 +1091,7 @@ index a94ec69..f74c831 100644
 #endif
 			alg == DST_ALG_HMACSHA1 ||
 			alg == DST_ALG_HMACSHA224 ||
-@@ -1772,7 +1775,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+@@ -1780,7 +1783,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 			goto cleanup_context;
 		if (
 #ifndef PK11_MD5_DISABLE
@ -1137,7 +1115,7 @@ index 4d29398..e3f5cec 100644
 #endif /* !PK11_MD5_DISABLE */
 diff --git a/lib/isc/md5.c b/lib/isc/md5.c
-index 25c71a2..934a70c 100644
+index 920aed5..a086a57 100644
 --- a/lib/isc/md5.c
 +++ b/lib/isc/md5.c
@@ -37,6 +37,7 @@
@ -1237,7 +1215,7 @@ index 25c71a2..934a70c 100644
 /*
 diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
-index c5d2310..a01e698 100644
+index 0d5b009..bb9912b 100644
 --- a/lib/isc/pk11.c
 +++ b/lib/isc/pk11.c
@@ -197,8 +197,6 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) {
@ -1356,39 +1334,39 @@ index c5d2310..a01e698 100644
 		/* ECDSA requires digest */
 diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c
-index 8f12342..7eb1552 100644
+index 8ddfe70..9c4d299 100644
 --- a/lib/isc/tests/hash_test.c
 +++ b/lib/isc/tests/hash_test.c
-@@ -2009,7 +2009,8 @@ ATF_TP_ADD_TCS(tp) {
+@@ -776,6 +776,9 @@ isc_md5_test(void **state) {
- 	 * various cryptographic hashes.
+ 
- 	 */
+ 	UNUSED(state);
- #ifndef PK11_MD5_DISABLE
+ 
-	ATF_TP_ADD_TC(tp, md5_check);
+	if (!isc_md5_available())
-+	if (isc_md5_available())
+		return;
-+		ATF_TP_ADD_TC(tp, md5_check);
+
- #endif
+ 	/*
- 	ATF_TP_ADD_TC(tp, sha1_check);
+ 	 * These are the various test vectors.  All of these are passed
 	 * through the hash function and the results are compared to the
@@ -1631,6 +1634,9 @@ isc_hmacmd5_test(void **state) {
 	UNUSED(state);
 +	if (!isc_md5_available())
 +		return;
 +
 	/*
 	 * These are the various test vectors.  All of these are passed
 	 * through the hash function and the results are compared to the
@@ -1941,6 +1947,9 @@ static void
 md5_check_test(void **state) {
 	UNUSED(state);
 +	if (!isc_md5_available())
 +		return;
 +
 	assert_true(isc_md5_check(false));
 	assert_false(isc_md5_check(true));
@@ -2017,7 +2018,8 @@ ATF_TP_ADD_TCS(tp) {
 	ATF_TP_ADD_TC(tp, isc_hash_function_reverse);
 	ATF_TP_ADD_TC(tp, isc_hash_initializer);
 #ifndef PK11_MD5_DISABLE
 -	ATF_TP_ADD_TC(tp, isc_hmacmd5);
 +	if (isc_md5_available())
 +		ATF_TP_ADD_TC(tp, isc_hmacmd5);
 #endif
 	ATF_TP_ADD_TC(tp, isc_hmacsha1);
 	ATF_TP_ADD_TC(tp, isc_hmacsha224);
@@ -2025,7 +2027,8 @@ ATF_TP_ADD_TCS(tp) {
 	ATF_TP_ADD_TC(tp, isc_hmacsha384);
 	ATF_TP_ADD_TC(tp, isc_hmacsha512);
 #ifndef PK11_MD5_DISABLE
 -	ATF_TP_ADD_TC(tp, isc_md5);
 +	if (isc_md5_available())
 +		ATF_TP_ADD_TC(tp, isc_md5);
 #endif
 	ATF_TP_ADD_TC(tp, isc_sha1);
 	ATF_TP_ADD_TC(tp, isc_sha224);
 diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
 index c2740cb..c314d76 100644
 --- a/lib/isccc/cc.c
@ -1477,5 +1455,5 @@ index c2740cb..c314d76 100644
 	case ISCCC_ALG_HMACSHA1:
 -- 
-2.14.4
+2.20.1
--- a/bind-9.11-fips-tests.patch
+++ b/bind-9.11-fips-tests.patch
@ -1,4 +1,4 @@
-From 07876a60a9c2537f536901b214349d67f6b25666 Mon Sep 17 00:00:00 2001
+From 4e6888c1d32071ead4b7faeeb0f1774a6d8a1120 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Thu, 2 Aug 2018 23:46:45 +0200
 Subject: [PATCH] FIPS tests changes
@ -58,56 +58,54 @@ Date:   Wed Mar 7 10:44:23 2018 +0100
    Use hmac-sha256 instead of default hmac-md5 for allow-query
 ---
- bin/tests/system/acl/ns2/named1.conf.in          |  4 +-
+ bin/tests/system/acl/ns2/named1.conf.in       |  4 +-
- bin/tests/system/acl/ns2/named2.conf.in          |  4 +-
+ bin/tests/system/acl/ns2/named2.conf.in       |  4 +-
- bin/tests/system/acl/ns2/named3.conf.in          |  6 +--
+ bin/tests/system/acl/ns2/named3.conf.in       |  6 +-
- bin/tests/system/acl/ns2/named4.conf.in          |  4 +-
+ bin/tests/system/acl/ns2/named4.conf.in       |  4 +-
- bin/tests/system/acl/ns2/named5.conf.in          |  4 +-
+ bin/tests/system/acl/ns2/named5.conf.in       |  4 +-
- bin/tests/system/acl/tests.sh                    | 32 +++++------
+ bin/tests/system/acl/tests.sh                 | 32 ++++-----
- bin/tests/system/allow-query/ns2/named10.conf.in |  2 +-
+ .../system/allow-query/ns2/named10.conf.in    |  2 +-
- bin/tests/system/allow-query/ns2/named11.conf.in |  4 +-
+ .../system/allow-query/ns2/named11.conf.in    |  4 +-
- bin/tests/system/allow-query/ns2/named12.conf.in |  2 +-
+ .../system/allow-query/ns2/named12.conf.in    |  2 +-
- bin/tests/system/allow-query/ns2/named30.conf.in |  2 +-
+ .../system/allow-query/ns2/named30.conf.in    |  2 +-
- bin/tests/system/allow-query/ns2/named31.conf.in |  4 +-
+ .../system/allow-query/ns2/named31.conf.in    |  4 +-
- bin/tests/system/allow-query/ns2/named32.conf.in |  2 +-
+ .../system/allow-query/ns2/named32.conf.in    |  2 +-
- bin/tests/system/allow-query/ns2/named40.conf.in |  4 +-
+ .../system/allow-query/ns2/named40.conf.in    |  4 +-
- bin/tests/system/allow-query/tests.sh            | 18 +++----
+ bin/tests/system/allow-query/tests.sh         | 18 ++---
- bin/tests/system/catz/ns1/named.conf.in          |  2 +-
+ bin/tests/system/catz/ns1/named.conf.in       |  2 +-
- bin/tests/system/catz/ns2/named.conf.in          |  2 +-
+ bin/tests/system/catz/ns2/named.conf.in       |  2 +-
- bin/tests/system/checkconf/bad-tsig.conf         |  2 +-
+ bin/tests/system/checkconf/bad-tsig.conf      |  2 +-
- bin/tests/system/checkconf/good.conf             |  2 +-
+ bin/tests/system/checkconf/good.conf          |  2 +-
- bin/tests/system/digdelv/ns2/example.db          | 15 +++---
+ bin/tests/system/digdelv/ns2/example.db       | 15 ++--
- bin/tests/system/digdelv/tests.sh                | 28 +++++-----
+ bin/tests/system/digdelv/tests.sh             | 28 ++++----
- bin/tests/system/dlv/ns1/sign.sh                 |  4 +-
+ bin/tests/system/dlv/ns1/sign.sh              |  4 +-
- bin/tests/system/dlv/ns2/sign.sh                 |  4 +-
+ bin/tests/system/dlv/ns2/sign.sh              |  4 +-
- bin/tests/system/dlv/ns3/sign.sh                 | 69 ++++++++++++------------
+ bin/tests/system/dlv/ns3/sign.sh              | 69 ++++++++++---------
- bin/tests/system/dlv/ns6/sign.sh                 | 66 ++++++++++++-----------
+ bin/tests/system/dlv/ns6/sign.sh              | 66 +++++++++---------
- bin/tests/system/dnssec/ns1/sign.sh              |  4 +-
+ bin/tests/system/dnssec/ns1/sign.sh           |  4 +-
- bin/tests/system/dnssec/ns2/sign.sh              | 12 ++---
+ bin/tests/system/dnssec/ns2/sign.sh           | 12 ++--
- bin/tests/system/dnssec/ns3/sign.sh              | 20 +++----
+ bin/tests/system/dnssec/ns3/sign.sh           | 20 +++---
- bin/tests/system/dnssec/ns5/trusted.conf.bad     |  2 +-
+ bin/tests/system/dnssec/ns5/trusted.conf.bad  |  2 +-
- bin/tests/system/dnssec/tests.sh                 |  8 +--
+ bin/tests/system/dnssec/tests.sh              |  8 +--
- bin/tests/system/feature-test.c                  | 14 +++++
+ bin/tests/system/feature-test.c               | 14 ++++
- bin/tests/system/filter-aaaa/ns1/sign.sh         |  4 +-
+ bin/tests/system/filter-aaaa/ns1/sign.sh      |  4 +-
- bin/tests/system/filter-aaaa/ns4/sign.sh         |  4 +-
+ bin/tests/system/filter-aaaa/ns4/sign.sh      |  4 +-
- bin/tests/system/notify/ns5/named.conf.in        |  6 +--
+ bin/tests/system/notify/ns5/named.conf.in     |  6 +-
- bin/tests/system/notify/tests.sh                 |  6 +--
+ bin/tests/system/notify/tests.sh              |  6 +-
- bin/tests/system/nsupdate/ns1/named.conf.in      |  2 +-
+ bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +-
- bin/tests/system/nsupdate/ns2/named.conf.in      |  2 +-
+ bin/tests/system/nsupdate/ns2/named.conf.in   |  2 +-
- bin/tests/system/nsupdate/setup.sh               |  7 ++-
+ bin/tests/system/nsupdate/setup.sh            |  7 +-
- bin/tests/system/nsupdate/tests.sh               | 11 +++-
+ bin/tests/system/nsupdate/tests.sh            | 11 ++-
- bin/tests/system/rndc/setup.sh                   |  2 +-
+ bin/tests/system/rndc/setup.sh                |  2 +-
- bin/tests/system/rndc/tests.sh                   | 23 ++++----
+ bin/tests/system/rndc/tests.sh                | 23 ++++---
- bin/tests/system/tsig/clean.sh                   |  1 +
+ bin/tests/system/tsig/clean.sh                |  1 +
- bin/tests/system/tsig/ns1/named.conf.in          | 10 +---
+ bin/tests/system/tsig/ns1/named.conf.in       | 10 +--
- bin/tests/system/tsig/ns1/rndc5.conf.in          | 11 ++++
+ bin/tests/system/tsig/setup.sh                |  5 ++
- bin/tests/system/tsig/setup.sh                   |  4 ++
+ bin/tests/system/tsig/tests.sh                | 67 +++++++++++-------
- bin/tests/system/tsig/tests.sh                   | 67 ++++++++++++++---------
+ bin/tests/system/tsiggss/setup.sh             |  2 +-
- bin/tests/system/tsiggss/setup.sh                |  2 +-
+ bin/tests/system/upforwd/ns1/named.conf.in    |  2 +-
- bin/tests/system/upforwd/ns1/named.conf.in       |  2 +-
+ bin/tests/system/upforwd/tests.sh             |  2 +-
- bin/tests/system/upforwd/tests.sh                |  2 +-
+ 47 files changed, 277 insertions(+), 225 deletions(-)
 48 files changed, 287 insertions(+), 225 deletions(-)
 create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
 diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
 index 0ea6502..026db3f 100644
@ -604,7 +602,7 @@ index f4e30f5..9f53e31 100644
 ; TTL of 3 weeks
 weeks		1814400	A	10.53.0.2
 diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
-index 95bd074..b566ecb 100644
+index 24aa7b3..54a3e2a 100644
 --- a/bin/tests/system/digdelv/tests.sh
 +++ b/bin/tests/system/digdelv/tests.sh
@@ -61,7 +61,7 @@ if [ -x ${DIG} ] ; then
@ -670,7 +668,7 @@ index 95bd074..b566ecb 100644
   if [ $ret != 0 ]; then echo_i "failed"; fi
   status=`expr $status + $ret`
-@@ -555,7 +555,7 @@ if [ -x ${DELV} ] ; then
+@@ -564,7 +564,7 @@ if [ -x ${DELV} ] ; then
   echo_i "checking delv +multi +norrcomments works for dnskey (when default is rrcomments)($n)"
   ret=0
   $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -679,7 +677,7 @@ index 95bd074..b566ecb 100644
   if [ $ret != 0 ]; then echo_i "failed"; fi
   status=`expr $status + $ret`
-@@ -563,7 +563,7 @@ if [ -x ${DELV} ] ; then
+@@ -572,7 +572,7 @@ if [ -x ${DELV} ] ; then
   echo_i "checking delv +multi +norrcomments works for soa (when default is rrcomments)($n)"
   ret=0
   $DELV $DELVOPTS +tcp @10.53.0.3 +multi +norrcomments SOA example > delv.out.test$n || ret=1
@ -688,7 +686,7 @@ index 95bd074..b566ecb 100644
   if [ $ret != 0 ]; then echo_i "failed"; fi
   status=`expr $status + $ret`
-@@ -571,7 +571,7 @@ if [ -x ${DELV} ] ; then
+@@ -580,7 +580,7 @@ if [ -x ${DELV} ] ; then
   echo_i "checking delv +rrcomments works for DNSKEY($n)"
   ret=0
   $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -697,7 +695,7 @@ index 95bd074..b566ecb 100644
   if [ $ret != 0 ]; then echo_i "failed"; fi
   status=`expr $status + $ret`
-@@ -579,7 +579,7 @@ if [ -x ${DELV} ] ; then
+@@ -588,7 +588,7 @@ if [ -x ${DELV} ] ; then
   echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
   ret=0
   $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -706,7 +704,7 @@ index 95bd074..b566ecb 100644
   if [ $ret != 0 ]; then echo_i "failed"; fi
   status=`expr $status + $ret`
-@@ -587,7 +587,7 @@ if [ -x ${DELV} ] ; then
+@@ -596,7 +596,7 @@ if [ -x ${DELV} ] ; then
   echo_i "checking delv +short +rrcomments works ($n)"
   ret=0
   $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -715,7 +713,7 @@ index 95bd074..b566ecb 100644
   if [ $ret != 0 ]; then echo_i "failed"; fi
   status=`expr $status + $ret`
-@@ -595,7 +595,7 @@ if [ -x ${DELV} ] ; then
+@@ -604,7 +604,7 @@ if [ -x ${DELV} ] ; then
   echo_i "checking delv +short +nosplit works ($n)"
   ret=0
   $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -724,7 +722,7 @@ index 95bd074..b566ecb 100644
   if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
   f=`awk '{print NF}' < delv.out.test$n`
   test "${f:-0}" -eq 14 || ret=1
-@@ -606,7 +606,7 @@ if [ -x ${DELV} ] ; then
+@@ -615,7 +615,7 @@ if [ -x ${DELV} ] ; then
   echo_i "checking delv +short +nosplit +norrcomments works ($n)"
   ret=0
   $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -1171,10 +1169,10 @@ index 198d60a..d89a539 100644
 keyid=`expr $keyid + 0`
 echo "$keyid" > managed.key.id
 diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
-index 9078459..9dcd028 100644
+index ca18608..25b6cab 100644
 --- a/bin/tests/system/dnssec/ns2/sign.sh
 +++ b/bin/tests/system/dnssec/ns2/sign.sh
-@@ -29,8 +29,8 @@ do
+@@ -30,8 +30,8 @@ do
 	cp ../ns3/dsset-$subdomain.example$TP .
 done
@ -1185,7 +1183,7 @@ index 9078459..9dcd028 100644
 cat $infile $keyname1.key $keyname2.key >$zonefile
-@@ -89,8 +89,8 @@ zone=in-addr.arpa.
+@@ -91,8 +91,8 @@ zone=in-addr.arpa.
 infile=in-addr.arpa.db.in
 zonefile=in-addr.arpa.db
@ -1196,7 +1194,7 @@ index 9078459..9dcd028 100644
 cat $infile $keyname1.key $keyname2.key >$zonefile
 $SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
-@@ -101,7 +101,7 @@ privzone=private.secure.example.
+@@ -103,7 +103,7 @@ privzone=private.secure.example.
 privinfile=private.secure.example.db.in
 privzonefile=private.secure.example.db
@ -1205,7 +1203,7 @@ index 9078459..9dcd028 100644
 cat $privinfile $privkeyname.key >$privzonefile
-@@ -115,7 +115,7 @@ dlvinfile=dlv.db.in
+@@ -117,7 +117,7 @@ dlvinfile=dlv.db.in
 dlvzonefile=dlv.db
 dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP
@ -1215,7 +1213,7 @@ index 9078459..9dcd028 100644
 cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
 diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
-index 330abf7..f95a6b7 100644
+index ff55d84..4f6a251 100644
 --- a/bin/tests/system/dnssec/ns3/sign.sh
 +++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -28,7 +28,7 @@ zone=bogus.example.
@ -1292,7 +1290,7 @@ index 330abf7..f95a6b7 100644
 cat $infile $keyname.key >$zonefile
-@@ -498,7 +498,7 @@ zone=badds.example.
+@@ -533,7 +533,7 @@ zone=badds.example.
 infile=bogus.example.db.in
 zonefile=badds.example.db
@ -1313,10 +1311,10 @@ index ed30460..e6b1126 100644
 +    "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
 };
 diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
-index bb2315f..3156668 100644
+index 646434f..9a10f9f 100644
 --- a/bin/tests/system/dnssec/tests.sh
 +++ b/bin/tests/system/dnssec/tests.sh
-@@ -1690,7 +1690,7 @@ ret=0
+@@ -1688,7 +1688,7 @@ ret=0
 $RNDCCMD 10.53.0.4 secroots 2>&1 | sed 's/^/ns4 /' | cat_i
 keyid=`cat ns1/managed.key.id`
 cp ns4/named.secroots named.secroots.test$n
@ -1325,7 +1323,7 @@ index bb2315f..3156668 100644
 [ "$linecount" -eq 1 ] || ret=1
 linecount=`cat named.secroots.test$n | wc -l`
 [ "$linecount" -eq 10 ] || ret=1
-@@ -3018,7 +3018,7 @@ echo_i "check dig's +nocrypto flag ($n)"
+@@ -3016,7 +3016,7 @@ echo_i "check dig's +nocrypto flag ($n)"
 ret=0
 $DIG $DIGOPTS +norec +nocrypto DNSKEY . \
 	@10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
@ -1334,7 +1332,7 @@ index bb2315f..3156668 100644
 grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
 $DIG $DIGOPTS +norec +nocrypto DS example \
 	@10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
-@@ -3130,8 +3130,8 @@ do
+@@ -3128,8 +3128,8 @@ do
 	   alg=`expr $alg + 1`
 	   continue;;
 	3) size="-b 512";;
@ -1346,7 +1344,7 @@ index bb2315f..3156668 100644
 	8) size="-b 512";;
 	10) size="-b 1024";;
 diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
-index 9612450..5eee6aa 100644
+index f934b63..11863a3 100644
 --- a/bin/tests/system/feature-test.c
 +++ b/bin/tests/system/feature-test.c
@@ -19,6 +19,7 @@
@ -1440,10 +1438,10 @@ index cfcfe8f..0a1614d 100644
 };
 diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
-index ad20e3e..5a9ce46 100644
+index 1f6e6d0..c08bd25 100644
 --- a/bin/tests/system/notify/tests.sh
 +++ b/bin/tests/system/notify/tests.sh
-@@ -186,16 +186,16 @@ ret=0
+@@ -212,16 +212,16 @@ ret=0
 $NSUPDATE << EOF
 server 10.53.0.5 ${PORT}
 zone x21
@ -1477,10 +1475,10 @@ index 1d999ad..26b6b7c 100644
 };
 diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
-index b4ecf96..1adb33e 100644
+index 4549184..cb7dccd 100644
 --- a/bin/tests/system/nsupdate/ns2/named.conf.in
 +++ b/bin/tests/system/nsupdate/ns2/named.conf.in
-@@ -24,7 +24,7 @@ options {
+@@ -33,7 +33,7 @@ controls {
 };
 key altkey {
@ -1490,7 +1488,7 @@ index b4ecf96..1adb33e 100644
 };
 diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
-index d6647fa..715314b 100644
+index 45dfeeb..594db77 100644
 --- a/bin/tests/system/nsupdate/setup.sh
 +++ b/bin/tests/system/nsupdate/setup.sh
@@ -63,7 +63,12 @@ EOF
@ -1508,7 +1506,7 @@ index d6647fa..715314b 100644
 $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
 $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
 diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
-index 9f26572..fd0383f 100755
+index 901cd22..b72b59c 100755
 --- a/bin/tests/system/nsupdate/tests.sh
 +++ b/bin/tests/system/nsupdate/tests.sh
@@ -700,7 +700,14 @@ fi
@ -1537,7 +1535,7 @@ index 9f26572..fd0383f 100755
 done
 if [ $ret -ne 0 ]; then
 diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
-index 850c4d2..09a3e0f 100644
+index 343869e..c30efb0 100644
 --- a/bin/tests/system/rndc/setup.sh
 +++ b/bin/tests/system/rndc/setup.sh
@@ -37,7 +37,7 @@ make_key () {
@ -1550,7 +1548,7 @@ index 850c4d2..09a3e0f 100644
 make_key 3 ${EXTRAPORT3} hmac-sha224
 make_key 4 ${EXTRAPORT4} hmac-sha256
 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
-index 647730e..7df752d 100644
+index b00056c..f7fad91 100644
 --- a/bin/tests/system/rndc/tests.sh
 +++ b/bin/tests/system/rndc/tests.sh
@@ -356,15 +356,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
@ -1620,31 +1618,15 @@ index fbf30c6..f61657d 100644
 key "sha1-trunc" {
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
 diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
 new file mode 100644
 index 0000000..4117830
 --- /dev/null
 +++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
@@ -0,0 +1,11 @@
 +
 +key "md5" {
 +	secret "97rnFx24Tfna4mHPfgnerA==";
 +	algorithm hmac-md5;
 +};
 +
 +key "md5-trunc" {
 +	secret "97rnFx24Tfna4mHPfgnerA==";
 +	algorithm hmac-md5-80;
 +};
 +
 diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
-index 656e9bb..628c5bb 100644
+index 4dd4a25..aa0f966 100644
 --- a/bin/tests/system/tsig/setup.sh
 +++ b/bin/tests/system/tsig/setup.sh
-@@ -17,3 +17,7 @@ $SHELL clean.sh
+@@ -17,3 +17,8 @@ $SHELL clean.sh
 copy_setports ns1/named.conf.in ns1/named.conf
- test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
 +
 +if $FEATURETEST --md5
 +then
 +	cat ns1/rndc5.conf.in >> ns1/named.conf
@ -1742,10 +1724,10 @@ index f731fa6..cade35b 100644
 echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
 diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
-index 5da33cf..fb108b0 100644
+index 0d21c7b..dbcb7b4 100644
 --- a/bin/tests/system/tsiggss/setup.sh
 +++ b/bin/tests/system/tsiggss/setup.sh
-@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
 copy_setports ns1/named.conf.in ns1/named.conf
@ -1779,5 +1761,5 @@ index b0694bb..9adae82 100644
 update add updated.example. 600 A 10.10.10.1
 update add updated.example. 600 TXT Foo
 -- 
-2.14.4
+2.20.1
--- a/bind-9.11-host-idn-disable.patch
+++ b/bind-9.11-host-idn-disable.patch
@ -1,4 +1,4 @@
-From ed26f0f0eb4242706d2012e4abe0152071bb305b Mon Sep 17 00:00:00 2001
+From ec50eff97c259b5bfbfa4e050d69fe7b39b0f15a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Tue, 25 Sep 2018 18:08:46 +0200
 Subject: [PATCH] Disable IDN from environment as documented
@ -12,16 +12,16 @@ Support variable CHARSET=ASCII to disable IDN, supported in downstream
 RH patch since RHEL 5.
 ---
 bin/dig/dig.docbook      |  4 +++-
- bin/dig/dighost.c        |  9 +++++++--
+ bin/dig/dighost.c        |  5 +++++
 bin/dig/host.docbook     |  2 +-
 bin/dig/nslookup.docbook | 15 +++++++++++++++
- 4 files changed, 26 insertions(+), 4 deletions(-)
+ 4 files changed, 24 insertions(+), 2 deletions(-)
 diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
-index bd7510e..5cc696f 100644
+index 5d19301..933af79 100644
 --- a/bin/dig/dig.docbook
 +++ b/bin/dig/dig.docbook
-@@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+@@ -1312,7 +1312,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       reply from the server.
       If you'd like to turn off the IDN support for some reason, use
       parameters <parameter>+noidnin</parameter> and
@ -33,15 +33,13 @@ index bd7510e..5cc696f 100644
   </refsection>
 diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index 341ed80..bb8702c 100644
+index 5eabc1f..73aaab8 100644
 --- a/bin/dig/dighost.c
 +++ b/bin/dig/dighost.c
-@@ -825,12 +825,17 @@ make_empty_lookup(void) {
+@@ -826,6 +826,11 @@ make_empty_lookup(void) {
 	looknew->seenbadcookie = false;
 	looknew->badcookie = true;
 #ifdef WITH_IDN_SUPPORT
-	looknew->idnin = true;
+ 	looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
 +	looknew->idnin = (getenv("IDN_DISABLE") == NULL);
 +	if (looknew->idnin) {
 +		const char *charset = getenv("CHARSET");
 +		if (charset && !strcmp(charset, "ASCII"))
@ -50,17 +48,11 @@ index 341ed80..bb8702c 100644
 #else
 	looknew->idnin = false;
 #endif
 #ifdef WITH_IDN_OUT_SUPPORT
 -	looknew->idnout = true;
 +	looknew->idnout = looknew->idnin;
 #else
 	looknew->idnout = false;
 #endif
 diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
-index 9c3aeaa..42cbbf9 100644
+index da0f8fb..9689b5a 100644
 --- a/bin/dig/host.docbook
 +++ b/bin/dig/host.docbook
-@@ -378,7 +378,7 @@
+@@ -379,7 +379,7 @@
       <command>host</command> appropriately converts character encoding of
       domain name before sending a request to DNS server or displaying a
       reply from the server.
@ -70,10 +62,10 @@ index 9c3aeaa..42cbbf9 100644
       The IDN support is disabled if the variable is set when
       <command>host</command> runs.
 diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
-index 3aff4e9..86a09c6 100644
+index d46fc2d..6d7d181 100644
 --- a/bin/dig/nslookup.docbook
 +++ b/bin/dig/nslookup.docbook
-@@ -478,6 +478,21 @@ nslookup -query=hinfo  -timeout=10
+@@ -495,6 +495,21 @@ nslookup -query=hinfo  -timeout=10
     </para>
   </refsection>
@ -96,5 +88,5 @@ index 3aff4e9..86a09c6 100644
     <para><filename>/etc/resolv.conf</filename>
 -- 
-2.14.4
+2.20.1
--- a/bind-9.11-kyua-pkcs11.patch
+++ b/bind-9.11-kyua-pkcs11.patch
@ -1,4 +1,4 @@
-From 3474d13bbf08c441783bd72afbc8cec8857baf46 Mon Sep 17 00:00:00 2001
+From 17998f4feb9590522a0b50943075d9e8c97ec69d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Tue, 2 Jan 2018 18:13:07 +0100
 Subject: [PATCH] Fix pkcs11 variants atf tests
@ -7,20 +7,19 @@ Add dns-pkcs11 tests Makefile to configure
 Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
 ---
- configure.in                     |  1 +
+ configure.ac                     |  1 +
 lib/Atffile                      |  2 ++
 lib/Kyuafile                     |  2 ++
 lib/dns-pkcs11/tests/Makefile.in | 10 +++++-----
 lib/dns-pkcs11/tests/dh_test.c   |  3 ++-
 lib/isc-pkcs11/tests/Makefile.in |  6 +++---
 lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++-------
- 7 files changed, 40 insertions(+), 16 deletions(-)
+ 6 files changed, 38 insertions(+), 16 deletions(-)
-diff --git a/configure.in b/configure.in
+diff --git a/configure.ac b/configure.ac
-index 1edafd1..5466de1 100644
+index 7aff0e6..8374385 100644
--- a/configure.in
+--- a/configure.ac
-+++ b/configure.in
+++ b/configure.ac
-@@ -5489,6 +5489,7 @@ AC_CONFIG_FILES([
+@@ -5512,6 +5512,7 @@ AC_CONFIG_FILES([
 	lib/dns-pkcs11/include/Makefile
 	lib/dns-pkcs11/include/dns/Makefile
 	lib/dns-pkcs11/include/dst/Makefile
@ -28,25 +27,11 @@ index 1edafd1..5466de1 100644
 	lib/irs/Makefile
 	lib/irs/include/Makefile
 	lib/irs/include/irs/Makefile
 diff --git a/lib/Atffile b/lib/Atffile
 index 93bbb01..4db3dce 100644
 --- a/lib/Atffile
 +++ b/lib/Atffile
@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1"
 prop: test-suite = bind9
 tp: dns
 +tp: dns-pkcs11
 tp: irs
 tp: isc
 +tp: isc-pkcs11
 tp: isccfg
 tp: lwres
 diff --git a/lib/Kyuafile b/lib/Kyuafile
-index ff9fc56..eaaf0dc 100644
+index 7c8bab0..eec9564 100644
 --- a/lib/Kyuafile
 +++ b/lib/Kyuafile
-@@ -2,7 +2,9 @@ syntax(2)
+@@ -2,8 +2,10 @@ syntax(2)
 test_suite('bind9')
 include('dns/Kyuafile')
@ -54,18 +39,19 @@ index ff9fc56..eaaf0dc 100644
 include('irs/Kyuafile')
 include('isc/Kyuafile')
 +include('isc-pkcs11/Kyuafile')
 include('isccc/Kyuafile')
 include('isccfg/Kyuafile')
 include('lwres/Kyuafile')
 diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
-index 625e809..6fd4e36 100644
+index 9f1781a..e50463d 100644
 --- a/lib/dns-pkcs11/tests/Makefile.in
 +++ b/lib/dns-pkcs11/tests/Makefile.in
-@@ -21,12 +21,12 @@ VERSION=@BIND9_VERSION@
+@@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@
 CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
 		@DST_OPENSSL_INC@
 -CDEFINES =	@CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
-+CDEFINES =	@CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
+CDEFINES =	@CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
 -ISCLIBS =	../../isc/libisc.@A@
 -ISCDEPLIBS =	../../isc/libisc.@A@
@ -76,45 +62,45 @@ index 625e809..6fd4e36 100644
 +DNSLIBS =	../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
 +DNSDEPLIBS =	../libdns-pkcs11.@A@
- LIBS =		@LIBS@ @ATFLIBS@
+ LIBS =		@LIBS@ @CMOCKA_LIBS@
- 
+ CFLAGS =	@CFLAGS@ @CMOCKA_CFLAGS@
 diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
-index 6216b4e..dd74e58 100644
+index 4dbfd82..a383b8e 100644
 --- a/lib/dns-pkcs11/tests/dh_test.c
 +++ b/lib/dns-pkcs11/tests/dh_test.c
-@@ -64,7 +64,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) {
+@@ -86,7 +86,8 @@ dh_computesecret(void **state) {
- 	ret = dst_key_computesecret(key, key, &buf);
+ 	result = dst_key_computesecret(key, key, &buf);
- 	ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY);
+ 	assert_int_equal(result, DST_R_NOTPRIVATEKEY);
- 	ret = key->func->computesecret(key, key, &buf);
+ 	result = key->func->computesecret(key, key, &buf);
-	ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE);
+-	assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
 +	/* PKCS11 variant gives different result, accept both */
-+	ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY);
+	assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
 	dst_key_free(&key);
- 	dns_test_end();
+ }
 diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
-index add8068..a928dcf 100644
+index 2fdee0b..a263b35 100644
 --- a/lib/isc-pkcs11/tests/Makefile.in
 +++ b/lib/isc-pkcs11/tests/Makefile.in
-@@ -20,10 +20,10 @@ VERSION=@BIND9_VERSION@
+@@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 CINCLUDES =	-I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@
 -CDEFINES =	@CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\""
-+CDEFINES =	@CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
+CDEFINES =	@CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
 -ISCLIBS =	../libisc.@A@ @ISC_OPENSSL_LIBS@
 -ISCDEPLIBS =	../libisc.@A@
 +ISCLIBS =	../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
 +ISCDEPLIBS =	../libisc-pkcs11.@A@
- LIBS =		@LIBS@ @ATFLIBS@
+ LIBS =		@LIBS@ @CMOCKA_LIBS@
- 
+ CFLAGS =	@CFLAGS@ @CMOCKA_CFLAGS@
 diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
-index 7eb1552..048ae9d 100644
+index 9c4d299..d9deba2 100644
 --- a/lib/isc-pkcs11/tests/hash_test.c
 +++ b/lib/isc-pkcs11/tests/hash_test.c
-@@ -78,7 +78,7 @@ typedef struct hash_testcase {
+@@ -85,7 +85,7 @@ typedef struct hash_testcase {
 typedef struct hash_test_key {
 	const char *key;
@ -123,7 +109,7 @@ index 7eb1552..048ae9d 100644
 } hash_test_key_t;
 /* non-hmac tests */
-@@ -961,8 +961,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) {
+@@ -956,8 +956,11 @@ isc_hmacsha1_test(void **state) {
 	hash_test_key_t *test_key = test_keys;
 	while (testcase->input != NULL && testcase->result != NULL) {
@ -136,7 +122,7 @@ index 7eb1552..048ae9d 100644
 		isc_hmacsha1_update(&hmacsha1,
 				    (const uint8_t *) testcase->input,
 				    testcase->input_len);
-@@ -1124,8 +1127,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) {
+@@ -1116,8 +1119,11 @@ isc_hmacsha224_test(void **state) {
 	hash_test_key_t *test_key = test_keys;
 	while (testcase->input != NULL && testcase->result != NULL) {
@ -149,7 +135,7 @@ index 7eb1552..048ae9d 100644
 		isc_hmacsha224_update(&hmacsha224,
 				      (const uint8_t *) testcase->input,
 				      testcase->input_len);
-@@ -1287,8 +1293,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) {
+@@ -1277,8 +1283,11 @@ isc_hmacsha256_test(void **state) {
 	hash_test_key_t *test_key = test_keys;
 	while (testcase->input != NULL && testcase->result != NULL) {
@ -162,7 +148,7 @@ index 7eb1552..048ae9d 100644
 		isc_hmacsha256_update(&hmacsha256,
 				      (const uint8_t *) testcase->input,
 				      testcase->input_len);
-@@ -1456,8 +1465,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) {
+@@ -1444,8 +1453,11 @@ isc_hmacsha384_test(void **state) {
 	hash_test_key_t *test_key = test_keys;
 	while (testcase->input != NULL && testcase->result != NULL) {
@ -175,7 +161,7 @@ index 7eb1552..048ae9d 100644
 		isc_hmacsha384_update(&hmacsha384,
 				      (const uint8_t *) testcase->input,
 				      testcase->input_len);
-@@ -1625,8 +1637,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) {
+@@ -1611,8 +1623,11 @@ isc_hmacsha512_test(void **state) {
 	hash_test_key_t *test_key = test_keys;
 	while (testcase->input != NULL && testcase->result != NULL) {
@ -188,7 +174,7 @@ index 7eb1552..048ae9d 100644
 		isc_hmacsha512_update(&hmacsha512,
 				      (const uint8_t *) testcase->input,
 				      testcase->input_len);
-@@ -1769,8 +1784,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) {
+@@ -1755,8 +1770,11 @@ isc_hmacmd5_test(void **state) {
 	hash_test_key_t *test_key = test_keys;
 	while (testcase->input != NULL && testcase->result != NULL) {
@ -202,5 +188,5 @@ index 7eb1552..048ae9d 100644
 				   (const uint8_t *) testcase->input,
 				   testcase->input_len);
 -- 
-2.14.4
+2.20.1
--- a/bind-9.11-kyua.patch
+++ b/bind-9.11-kyua.patch
@ -1,209 +0,0 @@
 From b93950dff6b3bf02225ad64d7c3e02e6b04917fd Mon Sep 17 00:00:00 2001
 From: Tinderbox User <tbox@isc.org>
 Date: Fri, 29 Dec 2017 02:23:11 +0000
 Subject: [PATCH] regen v9_11
 ---
 Kyuafile                  |  4 ++++
 lib/Kyuafile              |  8 ++++++++
 lib/dns/Kyuafile          |  4 ++++
 lib/dns/tests/Kyuafile    | 30 ++++++++++++++++++++++++++++++
 lib/irs/Kyuafile          |  4 ++++
 lib/irs/tests/Kyuafile    |  4 ++++
 lib/isc/Kyuafile          |  4 ++++
 lib/isc/tests/Kyuafile    | 28 ++++++++++++++++++++++++++++
 lib/isccfg/Kyuafile       |  4 ++++
 lib/isccfg/tests/Kyuafile |  4 ++++
 lib/lwres/Kyuafile        |  4 ++++
 lib/lwres/tests/Kyuafile  |  4 ++++
 12 files changed, 102 insertions(+)
 create mode 100644 Kyuafile
 create mode 100644 lib/Kyuafile
 create mode 100644 lib/dns/Kyuafile
 create mode 100644 lib/dns/tests/Kyuafile
 create mode 100644 lib/irs/Kyuafile
 create mode 100644 lib/irs/tests/Kyuafile
 create mode 100644 lib/isc/Kyuafile
 create mode 100644 lib/isc/tests/Kyuafile
 create mode 100644 lib/isccfg/Kyuafile
 create mode 100644 lib/isccfg/tests/Kyuafile
 create mode 100644 lib/lwres/Kyuafile
 create mode 100644 lib/lwres/tests/Kyuafile
 diff --git a/Kyuafile b/Kyuafile
 new file mode 100644
 index 0000000..70b2cff
 --- /dev/null
 +++ b/Kyuafile
@@ -0,0 +1,4 @@
 +syntax(2)
 +test_suite('bind9')
 +
 +include('lib/Kyuafile')
 diff --git a/lib/Kyuafile b/lib/Kyuafile
 new file mode 100644
 index 0000000..ff9fc56
 --- /dev/null
 +++ b/lib/Kyuafile
@@ -0,0 +1,8 @@
 +syntax(2)
 +test_suite('bind9')
 +
 +include('dns/Kyuafile')
 +include('irs/Kyuafile')
 +include('isc/Kyuafile')
 +include('isccfg/Kyuafile')
 +include('lwres/Kyuafile')
 diff --git a/lib/dns/Kyuafile b/lib/dns/Kyuafile
 new file mode 100644
 index 0000000..0739e3a
 --- /dev/null
 +++ b/lib/dns/Kyuafile
@@ -0,0 +1,4 @@
 +syntax(2)
 +test_suite('bind9')
 +
 +include('tests/Kyuafile')
 diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile
 new file mode 100644
 index 0000000..72a581b
 --- /dev/null
 +++ b/lib/dns/tests/Kyuafile
@@ -0,0 +1,30 @@
 +syntax(2)
 +test_suite('bind9')
 +
 +atf_test_program{name='acl_test'}
 +atf_test_program{name='db_test'}
 +atf_test_program{name='dbdiff_test'}
 +atf_test_program{name='dbiterator_test'}
 +atf_test_program{name='dbversion_test'}
 +atf_test_program{name='dh_test'}
 +atf_test_program{name='dispatch_test'}
 +atf_test_program{name='dnstap_test'}
 +atf_test_program{name='geoip_test'}
 +atf_test_program{name='gost_test'}
 +atf_test_program{name='keytable_test'}
 +atf_test_program{name='master_test'}
 +atf_test_program{name='name_test'}
 +atf_test_program{name='nsec3_test'}
 +atf_test_program{name='peer_test'}
 +atf_test_program{name='private_test'}
 +atf_test_program{name='rbt_serialize_test'}
 +atf_test_program{name='rbt_test'}
 +atf_test_program{name='rdata_test'}
 +atf_test_program{name='rdataset_test'}
 +atf_test_program{name='rdatasetstats_test'}
 +atf_test_program{name='rsa_test'}
 +atf_test_program{name='time_test'}
 +atf_test_program{name='tsig_test'}
 +atf_test_program{name='update_test'}
 +atf_test_program{name='zonemgr_test'}
 +atf_test_program{name='zt_test'}
 diff --git a/lib/irs/Kyuafile b/lib/irs/Kyuafile
 new file mode 100644
 index 0000000..0739e3a
 --- /dev/null
 +++ b/lib/irs/Kyuafile
@@ -0,0 +1,4 @@
 +syntax(2)
 +test_suite('bind9')
 +
 +include('tests/Kyuafile')
 diff --git a/lib/irs/tests/Kyuafile b/lib/irs/tests/Kyuafile
 new file mode 100644
 index 0000000..4ef7136
 --- /dev/null
 +++ b/lib/irs/tests/Kyuafile
@@ -0,0 +1,4 @@
 +syntax(2)
 +test_suite('bind9')
 +
 +atf_test_program{name='resconf_test'}
 diff --git a/lib/isc/Kyuafile b/lib/isc/Kyuafile
 new file mode 100644
 index 0000000..0739e3a
 --- /dev/null
 +++ b/lib/isc/Kyuafile
@@ -0,0 +1,4 @@
 +syntax(2)
 +test_suite('bind9')
 +
 +include('tests/Kyuafile')
 diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
 new file mode 100644
 index 0000000..c558cbc
 --- /dev/null
 +++ b/lib/isc/tests/Kyuafile
@@ -0,0 +1,28 @@
 +syntax(2)
 +test_suite('bind9')
 +
 +atf_test_program{name='aes_test'}
 +atf_test_program{name='buffer_test'}
 +atf_test_program{name='counter_test'}
 +atf_test_program{name='errno_test'}
 +atf_test_program{name='file_test'}
 +atf_test_program{name='hash_test'}
 +atf_test_program{name='ht_test'}
 +atf_test_program{name='lex_test'}
 +atf_test_program{name='mem_test'}
 +atf_test_program{name='netaddr_test'}
 +atf_test_program{name='parse_test'}
 +atf_test_program{name='pool_test'}
 +atf_test_program{name='print_test'}
 +atf_test_program{name='queue_test'}
 +atf_test_program{name='radix_test'}
 +atf_test_program{name='random_test'}
 +atf_test_program{name='regex_test'}
 +atf_test_program{name='result_test'}
 +atf_test_program{name='safe_test'}
 +atf_test_program{name='sockaddr_test'}
 +atf_test_program{name='socket_test'}
 +atf_test_program{name='symtab_test'}
 +atf_test_program{name='task_test'}
 +atf_test_program{name='taskpool_test'}
 +atf_test_program{name='time_test'}
 diff --git a/lib/isccfg/Kyuafile b/lib/isccfg/Kyuafile
 new file mode 100644
 index 0000000..0739e3a
 --- /dev/null
 +++ b/lib/isccfg/Kyuafile
@@ -0,0 +1,4 @@
 +syntax(2)
 +test_suite('bind9')
 +
 +include('tests/Kyuafile')
 diff --git a/lib/isccfg/tests/Kyuafile b/lib/isccfg/tests/Kyuafile
 new file mode 100644
 index 0000000..342d25f
 --- /dev/null
 +++ b/lib/isccfg/tests/Kyuafile
@@ -0,0 +1,4 @@
 +syntax(2)
 +test_suite('bind9')
 +
 +atf_test_program{name='parser_test'}
 diff --git a/lib/lwres/Kyuafile b/lib/lwres/Kyuafile
 new file mode 100644
 index 0000000..0739e3a
 --- /dev/null
 +++ b/lib/lwres/Kyuafile
@@ -0,0 +1,4 @@
 +syntax(2)
 +test_suite('bind9')
 +
 +include('tests/Kyuafile')
 diff --git a/lib/lwres/tests/Kyuafile b/lib/lwres/tests/Kyuafile
 new file mode 100644
 index 0000000..6d373e8
 --- /dev/null
 +++ b/lib/lwres/tests/Kyuafile
@@ -0,0 +1,4 @@
 +syntax(2)
 +test_suite('bind9')
 +
 +atf_test_program{name='config_test'}
 -- 
 2.9.5
--- a/bind-9.11-rh1410433.patch
+++ b/bind-9.11-rh1410433.patch
@ -1,14 +1,16 @@
 diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
-index 0ce5e42..556d920 100644
+index 15561ce..e4449b0 100644
 --- a/lib/dns/dyndb.c
 +++ b/lib/dns/dyndb.c
-@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
+@@ -133,8 +133,11 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
 		      instname, filename);
 	flags = RTLD_NOW|RTLD_LOCAL;
-#ifdef RTLD_DEEPBIND
+#if 0
-	flags |= RTLD_DEEPBIND;
+	/* Shared global namespace is required for dns-pkcs11 library */
-#endif
+ #if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__
 	flags |= RTLD_DEEPBIND;
 +#endif
 #endif
 	handle = dlopen(filename, flags);
 	if (handle == NULL)
--- a/bind-9.11-rh1624100.patch
+++ b/bind-9.11-rh1624100.patch
@ -1,4 +1,4 @@
-From 4fc49ad102fd00343665273caf4349d4edb5e5ac Mon Sep 17 00:00:00 2001
+From 292a0ca28f2e8a49f8c7e62c39ad7160234ce23d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
 Date: Wed, 25 Apr 2018 14:04:31 +0200
 Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
@ -14,13 +14,13 @@ Fix the isc_safe_memwipe() usage with (NULL, >0)
 (cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
 ---
 bin/dnssec/dnssec-signzone.c |  2 +-
- lib/dns/nsec3.c              |  4 +--
+ lib/dns/nsec3.c              |  4 +-
- lib/dns/spnego.c             |  4 +--
+ lib/dns/spnego.c             |  4 +-
- lib/isc/Makefile.in          |  8 ++---
+ lib/isc/Makefile.in          |  8 +---
- lib/isc/include/isc/safe.h   | 18 +++-------
+ lib/isc/include/isc/safe.h   | 18 ++------
- lib/isc/safe.c               | 83 --------------------------------------------
+ lib/isc/safe.c               | 83 ------------------------------------
- lib/isc/tests/safe_test.c    | 20 -----------
+ lib/isc/tests/safe_test.c    | 18 --------
- 7 files changed, 11 insertions(+), 128 deletions(-)
+ 7 files changed, 11 insertions(+), 126 deletions(-)
 delete mode 100644 lib/isc/safe.c
 diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
@ -37,10 +37,10 @@ index 6ddaebe..d921870 100644
 static void
 diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
-index e127893..895519e 100644
+index 6ae7ca8..01426d6 100644
 --- a/lib/dns/nsec3.c
 +++ b/lib/dns/nsec3.c
-@@ -1953,7 +1953,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
+@@ -1963,7 +1963,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
 	 * Work out what this NSEC3 covers.
 	 * Inside (<0) or outside (>=0).
 	 */
@ -49,7 +49,7 @@ index e127893..895519e 100644
 	/*
 	 * Prepare to compute all the hashes.
-@@ -1977,7 +1977,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
+@@ -1987,7 +1987,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
 			return (ISC_R_IGNORE);
 		}
@ -241,35 +241,33 @@ index 7a464b6..0000000
 -#endif
 -}
 diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
-index f721cd1..ea3e61f 100644
+index 5775b6e..3451b5d 100644
 --- a/lib/isc/tests/safe_test.c
 +++ b/lib/isc/tests/safe_test.c
-@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) {
+@@ -44,22 +44,6 @@ isc_safe_memequal_test(void **state) {
- 				     "\x00\x00\x00\x00", 4));
+ 				       "\x00\x00\x00\x00", 4));
 }
-ATF_TC(isc_safe_memcompare);
+-/* test isc_safe_memcompare() */
-ATF_TC_HEAD(isc_safe_memcompare, tc) {
+-static void
-	atf_tc_set_md_var(tc, "descr", "safe memcompare()");
+-isc_safe_memcompare_test(void **state) {
-}
+-	UNUSED(state);
 -ATF_TC_BODY(isc_safe_memcompare, tc) {
 -	UNUSED(tc);
 -
-	ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0);
+-	assert_int_equal(isc_safe_memcompare("test", "test", 4), 0);
-	ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0);
+-	assert_true(isc_safe_memcompare("test", "tesc", 4) > 0);
-	ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0);
+-	assert_true(isc_safe_memcompare("test", "tesy", 4) < 0);
-	ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
+-	assert_int_equal(isc_safe_memcompare("\x00\x00\x00\x00",
-				      "\x00\x00\x00\x00", 4) == 0);
+-					     "\x00\x00\x00\x00", 4), 0);
-	ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
+-	assert_true(isc_safe_memcompare("\x00\x00\x00\x00",
-				      "\x00\x00\x00\x01", 4) < 0);
+-					"\x00\x00\x00\x01", 4) < 0);
-	ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02",
+-	assert_true(isc_safe_memcompare("\x00\x00\x00\x02",
-				      "\x00\x00\x00\x00", 4) > 0);
+-					"\x00\x00\x00\x00", 4) > 0);
 -}
 -
- ATF_TC(isc_safe_memwipe);
+ /* test isc_safe_memwipe() */
- ATF_TC_HEAD(isc_safe_memwipe, tc) {
+ static void
- 	atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()");
+ isc_safe_memwipe_test(void **state) {
-@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
+@@ -68,7 +52,6 @@ isc_safe_memwipe_test(void **state) {
 	/* These should pass. */
 	isc_safe_memwipe(NULL, 0);
 	isc_safe_memwipe((void *) -1, 0);
@ -277,14 +275,14 @@ index f721cd1..ea3e61f 100644
 	/*
 	 * isc_safe_memwipe(ptr, size) should function same as
-@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
+@@ -107,7 +90,6 @@ main(void) {
-  */
+ 	const struct CMUnitTest tests[] = {
- ATF_TP_ADD_TCS(tp) {
+ 		cmocka_unit_test(isc_safe_memequal_test),
- 	ATF_TP_ADD_TC(tp, isc_safe_memequal);
+ 		cmocka_unit_test(isc_safe_memwipe_test),
-	ATF_TP_ADD_TC(tp, isc_safe_memcompare);
+-		cmocka_unit_test(isc_safe_memcompare_test),
- 	ATF_TP_ADD_TC(tp, isc_safe_memwipe);
+ 	};
- 	return (atf_no_error());
+ 
- }
+ 	return (cmocka_run_group_tests(tests, NULL, NULL));
 -- 
-2.14.4
+2.20.1
--- a/bind-9.11-rh1647829-2.patch
+++ b/bind-9.11-rh1647829-2.patch
@ -1,28 +1,86 @@
-From 58e1af6ca75d035b6391708be2c2272bb8d04620 Mon Sep 17 00:00:00 2001
+From fdfc8ad6a1069eea6b012972c972798003d58312 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Sun, 4 Nov 2018 02:20:41 +0700
+Date: Tue, 29 Jan 2019 18:07:44 +0100
-Subject: [PATCH] Enable IDN processing (both idnin and idnout) only on tty,
+Subject: [PATCH] Fallback to ASCII on output IDN conversion error
 disable it when the stdout is not a tty
-(cherry picked from commit 0e1bf7d017e4f6d787cbeb72cc2aa74e7f30122e)
+It is possible dig used ACE encoded name in locale, which does not
-(cherry picked from commit 8e1cc95c943b7dfaaaaf2d9a4971861735cc3fb2)
+support converting it to unicode. Instead of fatal error, fallback to
 ACE name on output.
 (cherry picked from commit 7f4cb8f9584597fea16de6557124ac8b1bd47440)
 Modify idna test to fallback to ACE
 Test valid A-label on input would be displayed as A-label on output if
 locale does not allow U-label.
 (cherry picked from commit 4ce232f8605bdbe0594ebe5a71383c9d4e6f263b)
 Emit warning on IDN output failure
 Warning is emitted before any dig headers.
 (cherry picked from commit 4b410038c531fbb902cd5fb83174eed1f06cb7d7)
 ---
- bin/dig/dighost.c | 2 +-
+ bin/dig/dighost.c              | 15 +++++++++++++--
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ bin/tests/system/idna/tests.sh | 17 +++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)
 diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index 74791d671e..3b722ba0ff 100644
+index 73aaab8..375f99f 100644
 --- a/bin/dig/dighost.c
 +++ b/bin/dig/dighost.c
-@@ -825,7 +825,7 @@ make_empty_lookup(void) {
+@@ -4877,9 +4877,20 @@ idn_ace_to_locale(const char *from, char *to, size_t tolen) {
- 	looknew->seenbadcookie = false;
+ 	 */
- 	looknew->badcookie = true;
+ 	res = idn2_to_unicode_8zlz(utf8_src, &tmp_str, 0);
- #ifdef WITH_IDN_SUPPORT
+ 	if (res != IDN2_OK) {
-	looknew->idnin = (getenv("IDN_DISABLE") == NULL);
+-		fatal("Cannot represent '%s' in the current locale (%s), "
-+	looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
+-		      "use +noidnout or a different locale",
- 	if (looknew->idnin) {
+		static bool warned = false;
- 		const char *charset = getenv("CHARSET");
+
- 		if (charset && !strcmp(charset, "ASCII"))
+		res = idn2_to_ascii_8z(utf8_src, &tmp_str, 0);
 +		if (res != IDN2_OK) {
 +			fatal("Cannot represent '%s' "
 +			      "in the current locale nor ascii (%s), "
 +			      "use +noidnout or a different locale",
 		      from, idn2_strerror(res));
 +		} else if (!warned) {
 +			fprintf(stderr, ";; Warning: cannot represent '%s' "
 +			      "in the current locale",
 +			      tmp_str);
 +			warned = true;
 +		}
 	}
 	/*
 diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh
 index 7acb0fa..0269bcd 100644
 --- a/bin/tests/system/idna/tests.sh
 +++ b/bin/tests/system/idna/tests.sh
@@ -244,6 +244,23 @@ idna_enabled_test() {
     idna_test "$text" "+idnin +noidnout"   "xn--nxasmq6b.com" "xn--nxasmq6b.com."
     idna_test "$text" "+idnin +idnout"     "xn--nxasmq6b.com" "βόλοσ.com."
 +    # Test of valid A-label in locale that cannot display it
 +    #
 +    # +noidnout: The string is sent as-is to the server and the returned qname
 +    #            is displayed in the same form.
 +    # +idnout:   The string is sent as-is to the server and the returned qname
 +    #            is displayed as the corresponding A-label.
 +    #
 +    # The "+[no]idnout" flag has no effect in these cases.
 +    text="Checking valid A-label in C locale"
 +    label="xn--nxasmq6b.com"
 +    LC_ALL=C idna_test "$text" ""                   "$label" "$label."
 +    LC_ALL=C idna_test "$text" "+noidnin +noidnout" "$label" "$label."
 +    LC_ALL=C idna_test "$text" "+noidnin +idnout"   "$label" "$label."
 +    LC_ALL=C idna_test "$text" "+idnin +noidnout"   "$label" "$label."
 +    LC_ALL=C idna_test "$text" "+idnin +idnout"     "$label" "$label."
 +    LC_ALL=C idna_test "$text" "+noidnin +idnout"   "$label" "$label."
 +
     # Tests of invalid A-labels
 -- 
 2.20.1
--- a/bind-9.11-rt31459.patch
+++ b/bind-9.11-rt31459.patch
@ -1,4 +1,4 @@
-From 45209f5153693339c4582795714b6859693673fc Mon Sep 17 00:00:00 2001
+From 99fc89de7b96713a7c82ea9b98d5bc0c70ad1f6e Mon Sep 17 00:00:00 2001
 From: Evan Hunt <each@isc.org>
 Date: Tue, 12 Sep 2017 19:05:46 -0700
 Subject: [PATCH] rebased rt31459c
@ -22,27 +22,25 @@ Include new unit test
 bin/dnssec/dnssec-verify.c               |   8 +-
 bin/dnssec/dnssectool.c                  |  11 +-
 bin/named/server.c                       |   6 +
- bin/nsupdate/nsupdate.c                  |  18 ++-
+ bin/nsupdate/nsupdate.c                  |  18 +-
 bin/tests/makejournal.c                  |   6 +-
- bin/tests/system/pipelined/pipequeries.c |  21 ++-
+ bin/tests/system/pipelined/pipequeries.c |  21 +-
 bin/tests/system/pipelined/tests.sh      |   4 +-
 bin/tests/system/rsabigexponent/bigkey.c |   4 +
- bin/tests/system/tkey/keycreate.c        |  26 +++-
+ bin/tests/system/tkey/keycreate.c        |  26 ++-
- bin/tests/system/tkey/keydelete.c        |  26 +++-
+ bin/tests/system/tkey/keydelete.c        |  26 ++-
 bin/tests/system/tkey/tests.sh           |   8 +-
 bin/tools/mdig.c                         |   3 +-
- configure                                | 250 ++++++++++++++++++-------------
+ configure                                | 250 +++++++++++++----------
- configure.in                             |  77 +++++++++-
+ configure.ac                             |  77 ++++++-
- lib/dns/dst_api.c                        |  21 ++-
+ lib/dns/dst_api.c                        |  21 +-
 lib/dns/include/dst/dst.h                |   8 +
 lib/dns/lib.c                            |  15 +-
- lib/dns/openssl_link.c                   |  72 ++++++++-
+ lib/dns/openssl_link.c                   |  72 ++++++-
- lib/dns/pkcs11.c                         |  29 +++-
+ lib/dns/pkcs11.c                         |  29 ++-
 lib/dns/tests/Atffile                    |   1 +
 lib/dns/tests/Kyuafile                   |   1 +
 lib/dns/tests/Makefile.in                |   7 +
- lib/dns/tests/dnstest.c                  |  14 +-
+ lib/dns/tests/dstrandom_test.c           | 115 +++++++++++
 lib/dns/tests/dstrandom_test.c           |  99 ++++++++++++
 lib/dns/win32/libdns.def.in              |   7 +
 lib/isc/entropy.c                        |  24 +++
 lib/isc/include/isc/entropy.h            |  12 ++
@ -50,8 +48,8 @@ Include new unit test
 lib/isc/include/isc/types.h              |   2 +
 lib/isc/pk11.c                           |  12 +-
 lib/isc/win32/include/isc/platform.h.in  |   5 +
- win32utils/Configure                     |  29 +++-
+ win32utils/Configure                     |  29 ++-
- 38 files changed, 699 insertions(+), 182 deletions(-)
+ 36 files changed, 707 insertions(+), 175 deletions(-)
 create mode 100644 lib/dns/tests/dstrandom_test.c
 diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
@ -73,10 +71,10 @@ index 5015abb..295e16f 100644
 							     &entropy_source,
 							     randomfile,
 diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
-index 65fdaaa..6612189 100644
+index 931d5de..864f2ad 100644
 --- a/bin/dnssec/dnssec-dsfromkey.c
 +++ b/bin/dnssec/dnssec-dsfromkey.c
-@@ -497,14 +497,14 @@ main(int argc, char **argv) {
+@@ -494,14 +494,14 @@ main(int argc, char **argv) {
 	if (ectx == NULL)
 		setup_entropy(mctx, NULL, &ectx);
@ -94,7 +92,7 @@ index 65fdaaa..6612189 100644
 	isc_entropy_stopcallbacksources(ectx);
 	setup_logging(mctx, &log);
-@@ -566,8 +566,8 @@ main(int argc, char **argv) {
+@@ -563,8 +563,8 @@ main(int argc, char **argv) {
 	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
 	cleanup_logging(&log);
@ -137,7 +135,7 @@ index 0d1e7f8..79c4d74 100644
 	dns_name_destroy();
 	if (verbose > 10)
 diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
-index 1a2b545..e33cb8b 100644
+index 7d82dbf..10f9359 100644
 --- a/bin/dnssec/dnssec-revoke.c
 +++ b/bin/dnssec/dnssec-revoke.c
@@ -184,14 +184,14 @@ main(int argc, char **argv) {
@ -295,7 +293,7 @@ index fbc7ece..31a99e7 100644
 					   usekeyboard);
 diff --git a/bin/named/server.c b/bin/named/server.c
-index 7f87ccf..9258e7f 100644
+index b63a386..30e7eac 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
@@ -36,6 +36,7 @@
@ -306,7 +304,7 @@ index 7f87ccf..9258e7f 100644
 #include <isc/portset.h>
 #include <isc/print.h>
 #include <isc/random.h>
-@@ -8171,6 +8172,10 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8210,6 +8211,10 @@ load_configuration(const char *filename, ns_server_t *server,
 				      "no source of entropy found");
 		} else {
 			const char *randomdev = cfg_obj_asstring(obj);
@ -317,7 +315,7 @@ index 7f87ccf..9258e7f 100644
 			int level = ISC_LOG_ERROR;
 			result = isc_entropy_createfilesource(ns_g_entropy,
 							      randomdev);
-@@ -8205,6 +8210,7 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8244,6 +8249,7 @@ load_configuration(const char *filename, ns_server_t *server,
 				}
 				isc_entropy_detach(&ns_g_fallbackentropy);
 			}
@ -326,7 +324,7 @@ index 7f87ccf..9258e7f 100644
 		}
 	}
 diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index 5eefc57..1559a33 100644
+index 509784c..6d7a02e 100644
 --- a/bin/nsupdate/nsupdate.c
 +++ b/bin/nsupdate/nsupdate.c
@@ -35,6 +35,7 @@
@ -469,7 +467,7 @@ index 2fcc064..7b4f617 100644
 	isc_log_destroy(&lctx);
 diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh
-index a6720ce..9063b1f 100644
+index 61f1ff7..ed1302a 100644
 --- a/bin/tests/system/pipelined/tests.sh
 +++ b/bin/tests/system/pipelined/tests.sh
@@ -19,7 +19,7 @@ status=0
@ -480,7 +478,7 @@ index a6720ce..9063b1f 100644
 +$PIPEQUERIES -p ${PORT} -r $RANDFILE < input > raw || ret=1
 awk '{ print $1 " " $5 }' < raw > output
 sort < output > output-sorted
- diff ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; }
+ $DIFF ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; }
@@ -43,7 +43,7 @@ status=`expr $status + $ret`
 echo_i "check keep-response-order"
@ -488,7 +486,7 @@ index a6720ce..9063b1f 100644
 -$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1
 +$PIPEQUERIES -p ${PORT} -r $RANDFILE ++ < inputb > rawb || ret=1
 awk '{ print $1 " " $5 }' < rawb > outputb
- diff refb outputb || ret=1
+ $DIFF refb outputb || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
 index 4462f2e..f06268d 100644
@ -691,10 +689,10 @@ index 9f90dd7..fad6c83 100644
         echo "I:failed"
 	status=`expr $status + $ret`
 diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c
-index 4876875..e46653a 100644
+index b27fc1d..e28871b 100644
 --- a/bin/tools/mdig.c
 +++ b/bin/tools/mdig.c
-@@ -1955,12 +1955,11 @@ main(int argc, char *argv[]) {
+@@ -1969,12 +1969,11 @@ main(int argc, char *argv[]) {
 	ectx = NULL;
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
@ -709,7 +707,7 @@ index 4876875..e46653a 100644
 	parse_args(false, argc, argv);
 	if (server == NULL)
 diff --git a/configure b/configure
-index 4394755..2e0af33 100755
+index e425720..4f09c96 100755
 --- a/configure
 +++ b/configure
@@ -640,6 +640,7 @@ ac_includes_default="\
@ -720,7 +718,7 @@ index 4394755..2e0af33 100755
 BUILD_LIBS
 BUILD_LDFLAGS
 BUILD_CPPFLAGS
-@@ -823,6 +824,7 @@ XMLSTATS
+@@ -824,6 +825,7 @@ XMLSTATS
 NZDTARGETS
 NZDSRCS
 NZD_TOOLS
@ -728,7 +726,7 @@ index 4394755..2e0af33 100755
 PKCS11_TEST
 PKCS11_ED25519
 PKCS11_GOST
-@@ -1035,6 +1037,7 @@ with_eddsa
+@@ -1039,6 +1041,7 @@ with_eddsa
 with_aes
 enable_openssl_hash
 with_cc_alg
@ -736,7 +734,7 @@ index 4394755..2e0af33 100755
 with_lmdb
 with_libxml2
 with_libjson
-@@ -1728,6 +1731,7 @@ Optional Features:
+@@ -1735,6 +1738,7 @@ Optional Features:
   --enable-threads        enable multithreading
   --enable-native-pkcs11  use native PKCS11 for all crypto [default=no]
   --enable-openssl-hash   use OpenSSL for hash functions [default=no]
@ -744,7 +742,7 @@ index 4394755..2e0af33 100755
   --enable-largefile      64-bit file support
   --enable-backtrace      log stack backtrace on abort [default=yes]
   --enable-symtable       use internal symbol table for backtrace
-@@ -16631,6 +16635,7 @@ case "$use_openssl" in
+@@ -16684,6 +16688,7 @@ case "$use_openssl" in
 $as_echo "disabled because of native PKCS11" >&6; }
 		DST_OPENSSL_INC=""
 		CRYPTO="-DPKCS11CRYPTO"
@ -752,7 +750,7 @@ index 4394755..2e0af33 100755
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -16645,6 +16650,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
+@@ -16698,6 +16703,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
 $as_echo "no" >&6; }
 		DST_OPENSSL_INC=""
 		CRYPTO=""
@ -760,7 +758,7 @@ index 4394755..2e0af33 100755
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -16657,6 +16663,7 @@ $as_echo "no" >&6; }
+@@ -16710,6 +16716,7 @@ $as_echo "no" >&6; }
 	auto)
 		DST_OPENSSL_INC=""
 		CRYPTO=""
@ -768,7 +766,7 @@ index 4394755..2e0af33 100755
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -16666,7 +16673,7 @@ $as_echo "no" >&6; }
+@@ -16719,7 +16726,7 @@ $as_echo "no" >&6; }
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
 		as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@ -777,7 +775,7 @@ index 4394755..2e0af33 100755
 		;;
 	*)
 		if test "yes" = "$want_native_pkcs11"
-@@ -16697,6 +16704,7 @@ $as_echo "not found" >&6; }
+@@ -16750,6 +16757,7 @@ $as_echo "not found" >&6; }
 			as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
 		fi
 		CRYPTO='-DOPENSSL'
@ -785,7 +783,7 @@ index 4394755..2e0af33 100755
 		if test "/usr" = "$use_openssl"
 		then
 			DST_OPENSSL_INC=""
-@@ -17358,8 +17366,6 @@ fi
+@@ -17411,8 +17419,6 @@ fi
 # Use OpenSSL for hash functions
 #
@ -794,7 +792,7 @@ index 4394755..2e0af33 100755
 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
 case $want_openssl_hash in
 	yes)
-@@ -17728,6 +17734,86 @@ if test "rt" = "$have_clock_gt"; then
+@@ -17787,6 +17793,86 @@ if test "rt" = "$have_clock_gt"; then
 	LIBS="-lrt $LIBS"
 fi
@ -881,7 +879,7 @@ index 4394755..2e0af33 100755
 #
 # was --with-lmdb specified?
 #
-@@ -19810,9 +19896,12 @@ _ACEOF
+@@ -19869,9 +19955,12 @@ _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
 $as_echo "size_t for buflen; int for flags" >&6; }
@ -896,7 +894,7 @@ index 4394755..2e0af33 100755
 	 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
-@@ -21123,12 +21212,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
+@@ -21186,12 +21275,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
 ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
 ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
 if test "yes" = "$use_atomic"; then
@ -910,7 +908,7 @@ index 4394755..2e0af33 100755
 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
 # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
 # This bug is HP SR number 8606223364.
-@@ -21161,6 +21245,11 @@ cat >>confdefs.h <<_ACEOF
+@@ -21224,6 +21308,11 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
@ -922,7 +920,7 @@ index 4394755..2e0af33 100755
 		if test $ac_cv_sizeof_void_p = 8; then
 			arch=x86_64
 			have_xaddq=yes
-@@ -21169,39 +21258,6 @@ _ACEOF
+@@ -21232,39 +21321,6 @@ _ACEOF
 		fi
 	;;
 	x86_64-*|amd64-*)
@ -962,7 +960,7 @@ index 4394755..2e0af33 100755
 		if test $ac_cv_sizeof_void_p = 8; then
 			arch=x86_64
 			have_xaddq=yes
-@@ -21232,6 +21288,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
+@@ -21295,6 +21351,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
 $as_echo "$arch" >&6; }
 fi
@ -973,7 +971,7 @@ index 4394755..2e0af33 100755
 if test "yes" = "$have_atomic"; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
 $as_echo_n "checking compiler support for inline assembly code... " >&6; }
-@@ -23519,6 +23579,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
+@@ -23848,6 +23908,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
 #
 dlzdir='${DLZ_DRIVER_DIR}'
@ -1004,7 +1002,7 @@ index 4394755..2e0af33 100755
 #
 # Private autoconf macro to simplify configuring drivers:
 #
-@@ -23849,11 +23933,11 @@ $as_echo "no" >&6; }
+@@ -24178,11 +24262,11 @@ $as_echo "no" >&6; }
 $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
 		;;
 	*)
@ -1019,7 +1017,7 @@ index 4394755..2e0af33 100755
 		fi
 	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
-@@ -23938,7 +24022,7 @@ $as_echo "" >&6; }
+@@ -24267,7 +24351,7 @@ $as_echo "" >&6; }
 			# Check other locations for includes.
 			# Order is important (sigh).
@ -1028,7 +1026,7 @@ index 4394755..2e0af33 100755
 			# include a blank element first
 			for d in "" $bdb_incdirs
 			do
-@@ -23963,57 +24047,9 @@ $as_echo "" >&6; }
+@@ -24292,57 +24376,9 @@ $as_echo "" >&6; }
 			bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
 			for d in $bdb_libnames
 			do
@ -1088,7 +1086,7 @@ index 4394755..2e0af33 100755
 					break
 				fi
 			done
-@@ -24172,10 +24208,10 @@ $as_echo "no" >&6; }
+@@ -24501,10 +24537,10 @@ $as_echo "no" >&6; }
 		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
 		DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
 	fi
@ -1102,7 +1100,7 @@ index 4394755..2e0af33 100755
 	fi
-@@ -24261,11 +24297,11 @@ fi
+@@ -24590,11 +24626,11 @@ fi
 		odbcdirs="/usr /usr/local /usr/pkg"
 		for d in $odbcdirs
 		do
@ -1116,7 +1114,7 @@ index 4394755..2e0af33 100755
 				break
 			fi
 		done
-@@ -24540,6 +24576,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
+@@ -24869,6 +24905,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
@ -1125,7 +1123,7 @@ index 4394755..2e0af33 100755
 #
 # Commands to run at the end of config.status.
 # Don't just put these into configure, it won't work right if somebody
-@@ -26930,6 +26968,8 @@ report() {
+@@ -27248,6 +27286,8 @@ report() {
 	    echo "    IPv6 support (--enable-ipv6)"
 	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
 		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
@ -1134,16 +1132,16 @@ index 4394755..2e0af33 100755
 	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
 	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
 	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
-@@ -26970,6 +27010,8 @@ report() {
+@@ -27288,6 +27328,8 @@ report() {
 	echo "    Very verbose query trace logging (--enable-querytrace)"
-     test "no" = "$atf" || echo "    Automated Testing Framework (--with-atf)"
+     test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)"
 +    echo "    Cryptographic library for DNSSEC: $CRYPTOLIB"
 +
     echo "    Dynamically loadable zone (DLZ) drivers:"
     test "no" = "$use_dlz_bdb" || \
 	echo "        Berkeley DB (--with-dlz-bdb)"
-@@ -27017,6 +27059,8 @@ report() {
+@@ -27335,6 +27377,8 @@ report() {
 	echo "    ECDSA algorithm support (--with-ecdsa)"
     test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
 	echo "    EDDSA algorithm support (--with-eddsa)"
@ -1152,11 +1150,11 @@ index 4394755..2e0af33 100755
     test "yes" = "$enable_seccomp" || \
 	echo "    Use libseccomp system call filtering (--enable-seccomp)"
-diff --git a/configure.in b/configure.in
+diff --git a/configure.ac b/configure.ac
-index b07895f..898b4ac 100644
+index 7c5ad51..fddc63a 100644
--- a/configure.in
+--- a/configure.ac
-+++ b/configure.in
+++ b/configure.ac
-@@ -1542,6 +1542,7 @@ case "$use_openssl" in
+@@ -1503,6 +1503,7 @@ case "$use_openssl" in
 		AC_MSG_RESULT(disabled because of native PKCS11)
 		DST_OPENSSL_INC=""
 		CRYPTO="-DPKCS11CRYPTO"
@ -1164,7 +1162,7 @@ index b07895f..898b4ac 100644
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -1555,6 +1556,7 @@ case "$use_openssl" in
+@@ -1516,6 +1517,7 @@ case "$use_openssl" in
 		AC_MSG_RESULT(no)
 		DST_OPENSSL_INC=""
 		CRYPTO=""
@ -1172,7 +1170,7 @@ index b07895f..898b4ac 100644
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -1567,6 +1569,7 @@ case "$use_openssl" in
+@@ -1528,6 +1530,7 @@ case "$use_openssl" in
 	auto)
 		DST_OPENSSL_INC=""
 		CRYPTO=""
@ -1180,7 +1178,7 @@ index b07895f..898b4ac 100644
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -1577,7 +1580,7 @@ case "$use_openssl" in
+@@ -1538,7 +1541,7 @@ case "$use_openssl" in
 		OPENSSLLINKSRCS=""
 		AC_MSG_ERROR(
 [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@ -1189,7 +1187,7 @@ index b07895f..898b4ac 100644
 		;;
 	*)
 		if test "yes" = "$want_native_pkcs11"
-@@ -1607,6 +1610,7 @@ If you don't want OpenSSL, use --without-openssl])
+@@ -1568,6 +1571,7 @@ If you don't want OpenSSL, use --without-openssl])
 			AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
 		fi
 		CRYPTO='-DOPENSSL'
@ -1197,7 +1195,7 @@ index b07895f..898b4ac 100644
 		if test "/usr" = "$use_openssl"
 		then
 			DST_OPENSSL_INC=""
-@@ -2080,7 +2084,6 @@ fi
+@@ -2041,7 +2045,6 @@ fi
 # Use OpenSSL for hash functions
 #
@ -1205,7 +1203,7 @@ index b07895f..898b4ac 100644
 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
 case $want_openssl_hash in
 	yes)
-@@ -2347,6 +2350,67 @@ if test "rt" = "$have_clock_gt"; then
+@@ -2313,6 +2316,67 @@ if test "rt" = "$have_clock_gt"; then
 	LIBS="-lrt $LIBS"
 fi
@ -1273,7 +1271,7 @@ index b07895f..898b4ac 100644
 #
 # was --with-lmdb specified?
 #
-@@ -4139,12 +4203,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
+@@ -4109,12 +4173,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
 ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
 ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
 if test "yes" = "$use_atomic"; then
@ -1287,7 +1285,7 @@ index b07895f..898b4ac 100644
 		if test $ac_cv_sizeof_void_p = 8; then
 			arch=x86_64
 			have_xaddq=yes
-@@ -4153,7 +4217,6 @@ if test "yes" = "$use_atomic"; then
+@@ -4123,7 +4187,6 @@ if test "yes" = "$use_atomic"; then
 		fi
 	;;
 	x86_64-*|amd64-*)
@ -1295,7 +1293,7 @@ index b07895f..898b4ac 100644
 		if test $ac_cv_sizeof_void_p = 8; then
 			arch=x86_64
 			have_xaddq=yes
-@@ -5517,6 +5580,8 @@ report() {
+@@ -5541,6 +5604,8 @@ report() {
 	    echo "    IPv6 support (--enable-ipv6)"
 	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
 		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
@ -1304,16 +1302,16 @@ index b07895f..898b4ac 100644
 	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
 	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
 	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
-@@ -5557,6 +5622,8 @@ report() {
+@@ -5581,6 +5646,8 @@ report() {
 	echo "    Very verbose query trace logging (--enable-querytrace)"
-     test "no" = "$atf" || echo "    Automated Testing Framework (--with-atf)"
+     test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)"
 +    echo "    Cryptographic library for DNSSEC: $CRYPTOLIB"
 +
     echo "    Dynamically loadable zone (DLZ) drivers:"
     test "no" = "$use_dlz_bdb" || \
 	echo "        Berkeley DB (--with-dlz-bdb)"
-@@ -5604,6 +5671,8 @@ report() {
+@@ -5628,6 +5695,8 @@ report() {
 	echo "    ECDSA algorithm support (--with-ecdsa)"
     test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
 	echo "    EDDSA algorithm support (--with-eddsa)"
@ -1323,7 +1321,7 @@ index b07895f..898b4ac 100644
     test "yes" = "$enable_seccomp" || \
 	echo "    Use libseccomp system call filtering (--enable-seccomp)"
 diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index 5703f9c..afb4d80 100644
+index 320c0f8..b55ebe0 100644
 --- a/lib/dns/dst_api.c
 +++ b/lib/dns/dst_api.c
@@ -276,6 +276,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
@ -1359,7 +1357,7 @@ index 5703f9c..afb4d80 100644
 	if (dst__memory_pool != NULL)
 		isc_mem_detach(&dst__memory_pool);
 	if (dst_entropy_pool != NULL)
-@@ -1998,13 +2012,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
+@@ -2001,13 +2015,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
 		flags &= ~ISC_ENTROPY_GOODONLY;
 	else
 		flags |= ISC_ENTROPY_BLOCKING;
@ -1378,7 +1376,7 @@ index 5703f9c..afb4d80 100644
 #ifdef GSSAPI
 	unsigned int flags = dst_entropy_flags;
 	isc_result_t ret;
-@@ -2027,6 +2045,7 @@ dst__entropy_status(void) {
+@@ -2030,6 +2048,7 @@ dst__entropy_status(void) {
 #endif
 	return (isc_entropy_status(dst_entropy_pool));
 #else
@ -1387,10 +1385,10 @@ index 5703f9c..afb4d80 100644
 #endif
 }
 diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
-index 32b0742..78e1277 100644
+index 1924e74..6813c96 100644
 --- a/lib/dns/include/dst/dst.h
 +++ b/lib/dns/include/dst/dst.h
-@@ -160,6 +160,14 @@ dst_lib_destroy(void);
+@@ -159,6 +159,14 @@ dst_lib_destroy(void);
  * Releases all resources allocated by DST.
  */
@ -1461,7 +1459,7 @@ index 304814b..60543c4 100644
 	isc_hash_destroy();
   cleanup_db:
 diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index a30a2ab..d88d643 100644
+index d65ce26..6849732 100644
 --- a/lib/dns/openssl_link.c
 +++ b/lib/dns/openssl_link.c
@@ -31,6 +31,7 @@
@ -1499,7 +1497,7 @@ index a30a2ab..d88d643 100644
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 static void
-@@ -190,7 +193,7 @@ _set_thread_id(CRYPTO_THREADID *id)
+@@ -192,7 +195,7 @@ _set_thread_id(CRYPTO_THREADID *id)
 isc_result_t
 dst__openssl_init(const char *engine) {
 	isc_result_t result;
@ -1508,7 +1506,7 @@ index a30a2ab..d88d643 100644
 	ENGINE *re;
 #else
 	UNUSED(engine);
-@@ -220,6 +223,7 @@ dst__openssl_init(const char *engine) {
+@@ -222,6 +225,7 @@ dst__openssl_init(const char *engine) {
 	ERR_load_crypto_strings();
 #endif
@ -1516,7 +1514,7 @@ index a30a2ab..d88d643 100644
 	rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
 	if (rm == NULL) {
 		result = ISC_R_NOMEMORY;
-@@ -231,6 +235,7 @@ dst__openssl_init(const char *engine) {
+@@ -233,6 +237,7 @@ dst__openssl_init(const char *engine) {
 	rm->add = entropy_add;
 	rm->pseudorand = entropy_getpseudo;
 	rm->status = entropy_status;
@ -1524,7 +1522,7 @@ index a30a2ab..d88d643 100644
 #if !defined(OPENSSL_NO_ENGINE)
 #if !defined(CONF_MFLAGS_DEFAULT_SECTION)
-@@ -264,6 +269,7 @@ dst__openssl_init(const char *engine) {
+@@ -266,6 +271,7 @@ dst__openssl_init(const char *engine) {
 		}
 	}
@ -1532,7 +1530,7 @@ index a30a2ab..d88d643 100644
 	re = ENGINE_get_default_RAND();
 	if (re == NULL) {
 		re = ENGINE_new();
-@@ -276,9 +282,21 @@ dst__openssl_init(const char *engine) {
+@@ -278,9 +284,21 @@ dst__openssl_init(const char *engine) {
 		ENGINE_free(re);
 	} else
 		ENGINE_finish(re);
@ -1554,7 +1552,7 @@ index a30a2ab..d88d643 100644
 	return (ISC_R_SUCCESS);
 #if !defined(OPENSSL_NO_ENGINE)
-@@ -286,10 +304,14 @@ dst__openssl_init(const char *engine) {
+@@ -288,10 +306,14 @@ dst__openssl_init(const char *engine) {
 	if (e != NULL)
 		ENGINE_free(e);
 	e = NULL;
@ -1569,7 +1567,7 @@ index a30a2ab..d88d643 100644
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	CRYPTO_set_locking_callback(NULL);
 	DESTROYMUTEXBLOCK(locks, nlocks);
-@@ -304,14 +326,17 @@ void
+@@ -306,14 +328,17 @@ void
 dst__openssl_destroy(void) {
 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
 	OPENSSL_cleanup();
@ -1587,7 +1585,7 @@ index a30a2ab..d88d643 100644
 	if (rm != NULL) {
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 		RAND_cleanup();
-@@ -319,6 +344,7 @@ dst__openssl_destroy(void) {
+@@ -321,6 +346,7 @@ dst__openssl_destroy(void) {
 		mem_free(rm FILELINE);
 		rm = NULL;
 	}
@ -1595,7 +1593,7 @@ index a30a2ab..d88d643 100644
 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 	CONF_modules_free();
 #endif
-@@ -454,11 +480,45 @@ dst__openssl_getengine(const char *engine) {
+@@ -456,11 +482,45 @@ dst__openssl_getengine(const char *engine) {
 }
 #endif
@ -1700,35 +1698,23 @@ index 5a2c502..8eaef53 100644
 #endif /* PKCS11CRYPTO */
 /*! \file */
 diff --git a/lib/dns/tests/Atffile b/lib/dns/tests/Atffile
 index 953082d..603c4b5 100644
 --- a/lib/dns/tests/Atffile
 +++ b/lib/dns/tests/Atffile
@@ -10,6 +10,7 @@ tp: dbversion_test
 tp: dh_test
 tp: dispatch_test
 tp: dnstap_test
 +tp: dstrandom_test
 tp: dst_test
 tp: geoip_test
 tp: gost_test
 diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile
-index 0353a73..cb2324d 100644
+index 937b548..f3c0e38 100644
 --- a/lib/dns/tests/Kyuafile
 +++ b/lib/dns/tests/Kyuafile
-@@ -10,6 +10,7 @@ atf_test_program{name='dh_test'}
+@@ -10,6 +10,7 @@ tap_test_program{name='dh_test'}
- atf_test_program{name='dispatch_test'}
+ tap_test_program{name='dispatch_test'}
- atf_test_program{name='dnstap_test'}
+ tap_test_program{name='dnstap_test'}
- atf_test_program{name='dst_test'}
+ tap_test_program{name='dst_test'}
-+atf_test_program{name='dstrandom_test'}
+tap_test_program{name='dstrandom_test'}
- atf_test_program{name='geoip_test'}
+ tap_test_program{name='geoip_test'}
- atf_test_program{name='gost_test'}
+ tap_test_program{name='gost_test'}
- atf_test_program{name='keytable_test'}
+ tap_test_program{name='keytable_test'}
 diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in
-index 58fa872..625e809 100644
+index 0897579..9f1781a 100644
 --- a/lib/dns/tests/Makefile.in
 +++ b/lib/dns/tests/Makefile.in
-@@ -40,6 +40,7 @@ SRCS =		acl_test.c \
+@@ -37,6 +37,7 @@ SRCS =		acl_test.c \
 		dnstap_test.c \
 		dst_test.c \
 		dnstest.c \
@ -1736,7 +1722,7 @@ index 58fa872..625e809 100644
 		geoip_test.c \
 		gost_test.c \
 		keytable_test.c \
-@@ -71,6 +72,7 @@ TARGETS =	acl_test@EXEEXT@ \
+@@ -69,6 +70,7 @@ TARGETS =	acl_test@EXEEXT@ \
 		dh_test@EXEEXT@ \
 		dispatch_test@EXEEXT@ \
 		dnstap_test@EXEEXT@ \
@ -1744,9 +1730,9 @@ index 58fa872..625e809 100644
 		dst_test@EXEEXT@ \
 		geoip_test@EXEEXT@ \
 		gost_test@EXEEXT@ \
-@@ -255,6 +257,11 @@ tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+@@ -258,6 +260,11 @@ zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
- 			tsig_test.@O@ dnstest.@O@ ${DNSLIBS} \
+ 		${LDFLAGS} -o $@ zt_test.@O@ dnstest.@O@ \
- 			${ISCLIBS} ${LIBS}
+ 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 +dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 +	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
@ -1756,51 +1742,12 @@ index 58fa872..625e809 100644
 unit::
 	sh ${top_builddir}/unit/unittest.sh
 diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c
 index 51bb90b..1b25b90 100644
 --- a/lib/dns/tests/dnstest.c
 +++ b/lib/dns/tests/dnstest.c
@@ -122,12 +122,12 @@ dns_test_begin(FILE *logfile, bool start_managers) {
 	CHECK(isc_mem_create(0, 0, &mctx));
 	CHECK(isc_entropy_create(mctx, &ectx));
 -	CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
 -	hash_active = true;
 -
 	CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING));
 	dst_active = true;
 +	CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
 +	hash_active = true;
 +
 	if (logfile != NULL) {
 		isc_logdestination_t destination;
 		isc_logconfig_t *logconfig = NULL;
@@ -171,14 +171,14 @@ dns_test_begin(FILE *logfile, bool start_managers) {
 void
 dns_test_end(void) {
 -	if (dst_active) {
 -		dst_lib_destroy();
 -		dst_active = false;
 -	}
 	if (hash_active) {
 		isc_hash_destroy();
 		hash_active = false;
 	}
 +	if (dst_active) {
 +		dst_lib_destroy();
 +		dst_active = false;
 +	}
 	if (ectx != NULL)
 		isc_entropy_detach(&ectx);
 diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c
 new file mode 100644
-index 0000000..b980d8a
+index 0000000..bd3d164
 --- /dev/null
 +++ b/lib/dns/tests/dstrandom_test.c
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,115 @@
 +/*
 + * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 + *
@ -1812,18 +1759,25 @@ index 0000000..b980d8a
 + * information regarding copyright ownership.
 + */
 +
 +/*! \file */
 +
 +#include <config.h>
 +
-+#include <atf-c.h>
+#if HAVE_CMOCKA
 +
 +#include <stdarg.h>
 +#include <stddef.h>
 +#include <setjmp.h>
 +
 +#include <stdlib.h>
 +#include <stdio.h>
 +#include <string.h>
 +#include <unistd.h>
 +
 +#define UNIT_TESTING
 +#include <cmocka.h>
 +
 +#include <isc/entropy.h>
 +#include <isc/mem.h>
 +#include <isc/print.h>
 +#include <isc/platform.h>
 +#include <isc/util.h>
 +
@ -1833,26 +1787,23 @@ index 0000000..b980d8a
 +isc_entropy_t *ectx = NULL;
 +unsigned char buffer[128];
 +
-+ATF_TC(isc_entropy_getdata);
+/* isc_entropy_getdata() examples */
-+ATF_TC_HEAD(isc_entropy_getdata, tc) {
+static void
-+	atf_tc_set_md_var(tc, "descr",
+isc_entropy_getdata_test(void **state) {
 +			  "isc_entropy_getdata() examples");
 +	atf_tc_set_md_var(tc, "X-randomfile",
 +			  "testdata/dstrandom/random.data");
 +}
 +ATF_TC_BODY(isc_entropy_getdata, tc) {
 +	isc_result_t result;
 +	unsigned int returned, status;
 +	const char *randomfile = "testdata/dstrandom/random.data";
 +	int ret;
-+	const char *randomfile = atf_tc_get_md_var(tc, "X-randomfile");
+
 +	UNUSED(state);
 +
 +	isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
 +	result = isc_mem_create(0, 0, &mctx);
-+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	assert_int_equal(result, ISC_R_SUCCESS);
 +	result = isc_entropy_create(mctx, &ectx);
-+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	assert_int_equal(result, ISC_R_SUCCESS);
 +	result = dst_lib_init(mctx, ectx, 0);
-+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	assert_int_equal(result, ISC_R_SUCCESS);
 +
 +#ifdef ISC_PLATFORM_CRYPTORANDOM
 +	isc_entropy_usehook(ectx, true);
@ -1860,51 +1811,63 @@ index 0000000..b980d8a
 +	returned = 0;
 +	result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
 +				     &returned, 0);
-+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	assert_int_equal(result, ISC_R_SUCCESS);
-+	ATF_REQUIRE(returned == sizeof(buffer));
+	assert_int_equal(returned, sizeof(buffer));
 +
 +	status = isc_entropy_status(ectx);
-+	ATF_REQUIRE_EQ(status, 0);
+	assert_int_equal(status, 0);
 +
 +	isc_entropy_usehook(ectx, false);
 +#endif
 +
 +	ret = chdir(TESTS);
-+	ATF_REQUIRE_EQ(ret, 0);
+	assert_int_equal(ret, 0);
 +
 +	result = isc_entropy_createfilesource(ectx, randomfile);
-+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	assert_int_equal(result, ISC_R_SUCCESS);
 +
 +	returned = 0;
 +	result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
 +				     &returned, 0);
-+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	assert_int_equal(result, ISC_R_SUCCESS);
-+	ATF_REQUIRE(returned == sizeof(buffer));
+	assert_int_equal(returned, sizeof(buffer));
 +
 +	status = isc_entropy_status(ectx);
-+	ATF_REQUIRE(status > 0);
+	assert_true(status > 0);
 +
 +	dst_lib_destroy();
 +	isc_entropy_detach(&ectx);
-+	ATF_REQUIRE(ectx == NULL);
+	assert_null(ectx);
 +
 +	isc_mem_destroy(&mctx);
-+	ATF_REQUIRE(mctx == NULL);
+	assert_null(mctx);
 +}
 +
-+/*
+int
-+ * Main
+main(void) {
-+ */
+	const struct CMUnitTest tests[] = {
-+ATF_TP_ADD_TCS(tp) {
+		cmocka_unit_test(isc_entropy_getdata_test),
-+	ATF_TP_ADD_TC(tp, isc_entropy_getdata);
+	};
 +
-+	return (atf_no_error());
+	return (cmocka_run_group_tests(tests, NULL, NULL));
 +}
 +
 +#else /* HAVE_CMOCKA */
 +
 +#include <stdio.h>
 +
 +int
 +main(void) {
 +	printf("1..0 # Skipped: cmocka not available\n");
 +	return (0);
 +}
 +
 +#endif
 diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
-index 62a156c..bf83fe5 100644
+index 5c45d59..34b660c 100644
 --- a/lib/dns/win32/libdns.def.in
 +++ b/lib/dns/win32/libdns.def.in
-@@ -1483,6 +1483,13 @@ dst_lib_destroy
+@@ -1484,6 +1484,13 @@ dst_lib_destroy
 dst_lib_init
 dst_lib_init2
 dst_lib_initmsgcat
@ -2029,7 +1992,7 @@ index 42ff7e0..8d87c44 100644
 typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
 diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
-index a01e698..875c232 100644
+index bb9912b..1f583a3 100644
 --- a/lib/isc/pk11.c
 +++ b/lib/isc/pk11.c
@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
@ -2071,7 +2034,7 @@ index 5b8a2c9..913a2ce 100644
  * Define if the hash functions must be provided by OpenSSL.
  */
 diff --git a/win32utils/Configure b/win32utils/Configure
-index ff596b7..09b476f 100644
+index ad99f89..2c55946 100644
 --- a/win32utils/Configure
 +++ b/win32utils/Configure
@@ -381,6 +381,7 @@ my @substdefh = ("AES_CC",
@ -2082,7 +2045,7 @@ index ff596b7..09b476f 100644
                  "ISC_PLATFORM_HAVEATOMICSTORE",
                  "ISC_PLATFORM_HAVEATOMICSTOREQ",
                  "ISC_PLATFORM_HAVECMPXCHG",
-@@ -509,7 +510,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
+@@ -510,7 +511,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
 # enable-xxx/disable-xxx
@ -2092,7 +2055,7 @@ index ff596b7..09b476f 100644
                   "fixed-rrset",
                   "intrinsics",
                   "isc-spnego",
-@@ -571,6 +573,7 @@ my @help = (
+@@ -573,6 +575,7 @@ my @help = (
 "\nOptional Features:\n",
 "  enable-intrinsics     enable instrinsic/atomic functions [default=yes]\n",
 "  enable-native-pkcs11  use native PKCS#11 for all crypto [default=no]\n",
@ -2100,7 +2063,7 @@ index ff596b7..09b476f 100644
 "  enable-openssl-hash   use OpenSSL for hash functions [default=yes]\n",
 "  enable-isc-spnego     use SPNEGO from lib/dns [default=yes]\n",
 "  enable-filter-aaaa    enable filtering of AAAA records [default=yes]\n",
-@@ -614,7 +617,9 @@ my $want_clean = "no";
+@@ -617,7 +620,9 @@ my $want_clean = "no";
 my $want_unknown = "no";
 my $unknown_value;
 my $enable_intrinsics = "yes";
@ -2110,7 +2073,7 @@ index ff596b7..09b476f 100644
 my $enable_openssl_hash = "auto";
 my $enable_filter_aaaa = "yes";
 my $enable_isc_spnego = "yes";
-@@ -823,6 +828,10 @@ sub myenable {
+@@ -828,6 +833,10 @@ sub myenable {
         if ($val =~ /^yes$/i) {
             $enable_native_pkcs11 = "yes";
         }
@ -2121,7 +2084,7 @@ index ff596b7..09b476f 100644
     } elsif ($key =~ /^openssl-hash$/i) {
         if ($val =~ /^yes$/i) {
             $enable_openssl_hash = "yes";
-@@ -1106,6 +1115,11 @@ if ($verbose) {
+@@ -1119,6 +1128,11 @@ if ($verbose) {
     } else {
         print "native-pkcs11: disabled\n";
     }
@ -2133,7 +2096,7 @@ index ff596b7..09b476f 100644
     if ($enable_openssl_hash eq "yes") {
         print "openssl-hash: enabled\n";
     } else {
-@@ -1454,6 +1468,7 @@ if ($enable_intrinsics eq "yes") {
+@@ -1472,6 +1486,7 @@ if ($enable_intrinsics eq "yes") {
 # enable-native-pkcs11
 if ($enable_native_pkcs11 eq "yes") {
@ -2141,7 +2104,7 @@ index ff596b7..09b476f 100644
     if ($use_openssl eq "auto") {
         $use_openssl = "no";
     }
-@@ -1663,6 +1678,7 @@ if ($use_openssl eq "yes") {
+@@ -1681,6 +1696,7 @@ if ($use_openssl eq "yes") {
         $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
     }   
@ -2149,7 +2112,7 @@ index ff596b7..09b476f 100644
     $configcond{"OPENSSL"} = 1;
     $configdefd{"CRYPTO"} = "OPENSSL";
     $configvar{"OPENSSL_PATH"} = "$openssl_path";
-@@ -2214,6 +2230,15 @@ if ($cookie_algorithm eq "sha1") {
+@@ -2232,6 +2248,15 @@ if ($cookie_algorithm eq "sha1") {
     die "Unrecognized cookie algorithm: $cookie_algorithm\n";
 }
@ -2165,7 +2128,7 @@ index ff596b7..09b476f 100644
 # enable-openssl-hash
 if ($enable_openssl_hash eq "yes") {
     if ($use_openssl eq "no") {
-@@ -3536,6 +3561,7 @@ exit 0;
+@@ -3558,6 +3583,7 @@ exit 0;
 #  --enable-developer partially supported
 #  --enable-newstats (9.9/9.9sub only)
 #  --enable-native-pkcs11 supported
@ -2173,7 +2136,7 @@ index ff596b7..09b476f 100644
 #  --enable-openssl-version-check included without a way to disable it
 #  --enable-openssl-hash supported
 #  --enable-threads included without a way to disable it
-@@ -3561,6 +3587,7 @@ exit 0;
+@@ -3583,6 +3609,7 @@ exit 0;
 #  --with-gost supported
 #  --with-aes supported
 #  --with-cc-alg supported
@ -2182,5 +2145,5 @@ index ff596b7..09b476f 100644
 #  --with-gssapi supported with MIT (K)erberos (f)or (W)indows
 #  --with-lmdb no supported on WIN32 (port is not reliable)
 -- 
-2.14.4
+2.20.1
--- a/bind-9.11-rt46047.patch
+++ b/bind-9.11-rt46047.patch
@ -1,4 +1,4 @@
-From 9a074d5cd6c6276d95bc1cce3a14afaabc88c6c5 Mon Sep 17 00:00:00 2001
+From 2b7a633f29c2ae8fe801f2a98541013837ebaeaa Mon Sep 17 00:00:00 2001
 From: Evan Hunt <each@isc.org>
 Date: Thu, 28 Sep 2017 10:09:22 -0700
 Subject: [PATCH] completed and corrected the crypto-random change
@ -24,29 +24,29 @@ Subject: [PATCH] completed and corrected the crypto-random change
 			"configure --disable-crypto-rand".
 			[RT #31459] [RT #46047]
 ---
- bin/confgen/keygen.c                     | 12 +++----
+ bin/confgen/keygen.c                     | 12 +++---
- bin/dnssec/dnssec-keygen.docbook         | 24 +++++++++-----
+ bin/dnssec/dnssec-keygen.docbook         | 24 +++++++----
- bin/dnssec/dnssectool.c                  | 12 +++----
+ bin/dnssec/dnssectool.c                  | 12 +++---
 bin/named/client.c                       |  3 +-
- bin/named/config.c                       |  4 ++-
+ bin/named/config.c                       |  4 +-
- bin/named/controlconf.c                  | 19 +++++++----
+ bin/named/controlconf.c                  | 19 +++++---
- bin/named/include/named/server.h         |  2 ++
+ bin/named/include/named/server.h         |  2 +
 bin/named/interfacemgr.c                 |  1 +
 bin/named/query.c                        |  1 +
- bin/named/server.c                       | 53 ++++++++++++++++++------------
+ bin/named/server.c                       | 51 ++++++++++++++--------
- bin/nsupdate/nsupdate.c                  |  4 +--
+ bin/nsupdate/nsupdate.c                  |  4 +-
- bin/tests/system/pipelined/pipequeries.c |  4 +--
+ bin/tests/system/pipelined/pipequeries.c |  4 +-
- bin/tests/system/tkey/keycreate.c        |  4 +--
+ bin/tests/system/tkey/keycreate.c        |  4 +-
- bin/tests/system/tkey/keydelete.c        |  4 +--
+ bin/tests/system/tkey/keydelete.c        |  4 +-
- doc/arm/Bv9ARM-book.xml                  | 55 ++++++++++++++++++++++----------
+ doc/arm/Bv9ARM-book.xml                  | 55 +++++++++++++++++-------
- doc/arm/notes.xml                        | 26 +++++++++++++++
+ doc/arm/notes.xml                        | 26 +++++++++++
- lib/dns/dst_api.c                        |  4 ++-
+ lib/dns/dst_api.c                        |  4 +-
- lib/dns/include/dst/dst.h                | 14 ++++++--
+ lib/dns/include/dst/dst.h                | 14 +++++-
 lib/dns/openssl_link.c                   |  3 +-
- lib/isc/include/isc/entropy.h            | 50 +++++++++++++++++++++--------
+ lib/isc/include/isc/entropy.h            | 50 +++++++++++++++------
- lib/isc/include/isc/random.h             | 28 ++++++++++------
+ lib/isc/include/isc/random.h             | 28 +++++++-----
 lib/isccfg/namedconf.c                   |  2 +-
- 22 files changed, 221 insertions(+), 108 deletions(-)
+ 22 files changed, 220 insertions(+), 107 deletions(-)
 diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
 index 295e16f..0f79aa8 100644
@ -76,10 +76,10 @@ index 295e16f..0f79aa8 100644
 							     &entropy_source,
 							     randomfile,
 diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
-index 96dfef6..1c84b06 100644
+index ee6a489..17dddb6 100644
 --- a/bin/dnssec/dnssec-keygen.docbook
 +++ b/bin/dnssec/dnssec-keygen.docbook
-@@ -349,15 +349,23 @@
+@@ -350,15 +350,23 @@
 	<term>-r <replaceable class="parameter">randomdev</replaceable></term>
 	<listitem>
 	  <para>
@ -140,10 +140,10 @@ index 31a99e7..38c83ed 100644
 					   usekeyboard);
 diff --git a/bin/named/client.c b/bin/named/client.c
-index 0f6e162..5e39b82 100644
+index d425df2..7ab3dec 100644
 --- a/bin/named/client.c
 +++ b/bin/named/client.c
-@@ -1608,7 +1608,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+@@ -1609,7 +1609,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
 		isc_buffer_init(&buf, cookie, sizeof(cookie));
 		isc_stdtime_get(&now);
@ -154,7 +154,7 @@ index 0f6e162..5e39b82 100644
 		compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
 diff --git a/bin/named/config.c b/bin/named/config.c
-index 2c4c93c..16ed248 100644
+index a153172..8d46bc3 100644
 --- a/bin/named/config.c
 +++ b/bin/named/config.c
@@ -93,7 +93,9 @@ options {\n\
@ -253,7 +253,7 @@ index 419927b..d721f47 100644
 #include <isc/task.h>
 #include <isc/util.h>
 diff --git a/bin/named/query.c b/bin/named/query.c
-index f8dbef2..2f3c0ca 100644
+index 1d3edbc..193efde 100644
 --- a/bin/named/query.c
 +++ b/bin/named/query.c
@@ -19,6 +19,7 @@
@ -265,10 +265,10 @@ index f8dbef2..2f3c0ca 100644
 #include <isc/serial.h>
 #include <isc/stats.h>
 diff --git a/bin/named/server.c b/bin/named/server.c
-index 9258e7f..f4320df 100644
+index 30e7eac..27ea3bf 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
-@@ -8164,21 +8164,30 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8203,21 +8203,30 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * Open the source of entropy.
 	 */
 	if (first_time) {
@ -277,11 +277,6 @@ index 9258e7f..f4320df 100644
 		obj = NULL;
 		result = ns_config_get(maps, "random-device", &obj);
 -		if (result != ISC_R_SUCCESS) {
 -			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 -				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 -				      "no source of entropy found");
 -		} else {
 -			const char *randomdev = cfg_obj_asstring(obj);
 +		if (result == ISC_R_SUCCESS) {
 +			if (!cfg_obj_isvoid(obj)) {
 +				level = ISC_LOG_INFO;
@ -289,28 +284,32 @@ index 9258e7f..f4320df 100644
 +			}
 +		}
 +		if (randomdev == NULL) {
- #ifdef ISC_PLATFORM_CRYPTORANDOM
+#ifdef ISC_PLATFORM_CRYPTORANDOM
 -			if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
 -				isc_entropy_usehook(ns_g_entropy, true);
 +			isc_entropy_usehook(ns_g_entropy, true);
- #else
+#else
 -			int level = ISC_LOG_ERROR;
 -			result = isc_entropy_createfilesource(ns_g_entropy,
 -							      randomdev);
 +			if ((obj != NULL) && !cfg_obj_isvoid(obj))
 +				level = ISC_LOG_INFO;
-+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 -				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 +				      NS_LOGMODULE_SERVER, level,
-+				      "no source of entropy found");
+ 				      "no source of entropy found");
 +			if ((obj == NULL) || cfg_obj_isvoid(obj)) {
 +				CHECK(ISC_R_FAILURE);
 +			}
 +#endif
-+		} else {
+ 		} else {
 -			const char *randomdev = cfg_obj_asstring(obj);
 -#ifdef ISC_PLATFORM_CRYPTORANDOM
 -			if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
 -				isc_entropy_usehook(ns_g_entropy, true);
 -#else
 -			int level = ISC_LOG_ERROR;
 -			result = isc_entropy_createfilesource(ns_g_entropy,
 -							      randomdev);
 #ifdef PATH_RANDOMDEV
 			if (ns_g_fallbackentropy != NULL) {
 				level = ISC_LOG_INFO;
-@@ -8189,8 +8198,8 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8228,8 +8237,8 @@ load_configuration(const char *filename, ns_server_t *server,
 					      NS_LOGCATEGORY_GENERAL,
 					      NS_LOGMODULE_SERVER,
 					      level,
@ -321,7 +320,7 @@ index 9258e7f..f4320df 100644
 					      randomdev,
 					      isc_result_totext(result));
 			}
-@@ -8210,7 +8219,6 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8249,7 +8258,6 @@ load_configuration(const char *filename, ns_server_t *server,
 				}
 				isc_entropy_detach(&ns_g_fallbackentropy);
 			}
@ -329,7 +328,7 @@ index 9258e7f..f4320df 100644
 #endif
 		}
 	}
-@@ -8998,6 +9006,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
+@@ -9040,6 +9048,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
 				      &server->tkeyctx),
 		   "creating TKEY context");
@ -339,7 +338,7 @@ index 9258e7f..f4320df 100644
 	/*
 	 * Setup the server task, which is responsible for coordinating
-@@ -9204,7 +9215,8 @@ ns_server_destroy(ns_server_t **serverp) {
+@@ -9246,7 +9257,8 @@ ns_server_destroy(ns_server_t **serverp) {
 	if (server->zonemgr != NULL)
 		dns_zonemgr_detach(&server->zonemgr);
@ -349,7 +348,7 @@ index 9258e7f..f4320df 100644
 	if (server->tkeyctx != NULL)
 		dns_tkeyctx_destroy(&server->tkeyctx);
-@@ -13105,10 +13117,10 @@ newzone_cfgctx_destroy(void **cfgp) {
+@@ -13197,10 +13209,10 @@ newzone_cfgctx_destroy(void **cfgp) {
 static isc_result_t
 generate_salt(unsigned char *salt, size_t saltlen) {
@ -362,7 +361,7 @@ index 9258e7f..f4320df 100644
 	} rnd;
 	unsigned char text[512 + 1];
 	isc_region_t r;
-@@ -13118,9 +13130,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
+@@ -13210,9 +13222,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
 	if (saltlen > 256U)
 		return (ISC_R_RANGE);
@ -377,7 +376,7 @@ index 9258e7f..f4320df 100644
 	memmove(salt, rnd.rnd, saltlen);
 diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index 1559a33..68b9a99 100644
+index 6d7a02e..626b1cf 100644
 --- a/bin/nsupdate/nsupdate.c
 +++ b/bin/nsupdate/nsupdate.c
@@ -283,9 +283,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
@ -437,10 +436,10 @@ index 2146f9b..ac2c311 100644
 	}
 #endif
 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
-index baff8d3..00a50e4 100644
+index dd5365c..1a463b0 100644
 --- a/doc/arm/Bv9ARM-book.xml
 +++ b/doc/arm/Bv9ARM-book.xml
-@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
+@@ -5071,22 +5071,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>random-device</command></term>
 	    <listitem>
 	      <para>
@ -503,11 +502,11 @@ index baff8d3..00a50e4 100644
 	    </listitem>
 	  </varlistentry>
 diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
-index d9537a3..5c2cc13 100644
+index ad4b34c..2685b8e 100644
 --- a/doc/arm/notes.xml
 +++ b/doc/arm/notes.xml
-@@ -180,6 +180,32 @@
+@@ -229,6 +229,32 @@
- 	  option. [GL #105]
+ 	  is used from the shell scripts.
 	</para>
       </listitem>
 +       <listitem>
@ -535,15 +534,15 @@ index d9537a3..5c2cc13 100644
 +	  case <filename>/dev/random</filename> will be the default
 +	  entropy source.  [RT #31459] [RT #46047]
 +	</para>
-+       </listitem>
+      </listitem>
     </itemizedlist>
   </section>
 diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index afb4d80..4e62a97 100644
+index b55ebe0..d2b43d3 100644
 --- a/lib/dns/dst_api.c
 +++ b/lib/dns/dst_api.c
-@@ -2013,10 +2013,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
+@@ -2016,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
 	else
 		flags |= ISC_ENTROPY_BLOCKING;
 #ifdef ISC_PLATFORM_CRYPTORANDOM
@ -558,10 +557,10 @@ index afb4d80..4e62a97 100644
 }
 diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
-index 78e1277..10293d0 100644
+index 6813c96..665574d 100644
 --- a/lib/dns/include/dst/dst.h
 +++ b/lib/dns/include/dst/dst.h
-@@ -164,8 +164,18 @@ isc_result_t
+@@ -163,8 +163,18 @@ isc_result_t
 dst_random_getdata(void *data, unsigned int length,
 		   unsigned int *returned, unsigned int flags);
 /*%<
@ -583,10 +582,10 @@ index 78e1277..10293d0 100644
 bool
 diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index d88d643..7a233dd 100644
+index 6849732..e00a0e4 100644
 --- a/lib/dns/openssl_link.c
 +++ b/lib/dns/openssl_link.c
-@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) {
+@@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) {
 isc_result_t
 dst_random_getdata(void *data, unsigned int length,
@ -740,7 +739,7 @@ index f8aed34..17c551b 100644
 ISC_LANG_ENDDECLS
 diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
-index cd797a6..589da07 100644
+index fbc62cc..9cad61d 100644
 --- a/lib/isccfg/namedconf.c
 +++ b/lib/isccfg/namedconf.c
@@ -1109,7 +1109,7 @@ options_clauses[] = {
@ -753,5 +752,5 @@ index cd797a6..589da07 100644
 	{ "recursive-clients", &cfg_type_uint32, 0 },
 	{ "reserved-sockets", &cfg_type_uint32, 0 },
 -- 
-2.14.4
+2.20.1
--- a/bind-9.11-tests-variants.patch
+++ b/bind-9.11-tests-variants.patch
@ -1,4 +1,4 @@
-From 118c70ab26f54f8ecd38da36f3e7d7ed66e2e764 Mon Sep 17 00:00:00 2001
+From 7d689f77714430a4ef6cead040ec304dca0b8bd3 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Fri, 1 Mar 2019 15:48:20 +0100
 Subject: [PATCH] Make alternative named builds testable in system tests
@ -17,19 +17,19 @@ export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
 1 file changed, 10 insertions(+), 9 deletions(-)
 diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
-index 0b9706a..a446c18 100644
+index b072af8..d2cb8ed 100644
 --- a/bin/tests/system/conf.sh.in
 +++ b/bin/tests/system/conf.sh.in
-@@ -20,7 +20,7 @@ TOP=${SYSTEMTESTTOP:=.}/../../..
+@@ -27,7 +27,7 @@ ALTERNATIVE_ALGORITHM=RSASHA1
- # Make it absolute so that it continues to work after we cd.
+ ALTERNATIVE_ALGORITHM_NUMBER=5
- TOP=`cd $TOP && pwd`
+ ALTERNATIVE_BITS=1280
 -NAMED=$TOP/bin/named/named
 +NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT}
 # We must use "named -l" instead of "lwresd" because argv[0] is lost
 # if the program is libtoolized.
 LWRESD="$TOP/bin/named/named -l"
-@@ -31,13 +31,14 @@ NSUPDATE=$TOP/bin/nsupdate/nsupdate
+@@ -38,13 +38,14 @@ NSUPDATE=$TOP/bin/nsupdate/nsupdate
 DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
 TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
 RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
@ -51,7 +51,7 @@ index 0b9706a..a446c18 100644
 CHECKDS=$TOP/bin/python/dnssec-checkds
 COVERAGE=$TOP/bin/python/dnssec-coverage
 KEYMGR=$TOP/bin/python/dnssec-keymgr
-@@ -57,7 +58,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
+@@ -64,7 +65,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
 MDIG=$TOP/bin/tools/mdig
 NZD2NZF=$TOP/bin/tools/named-nzd2nzf
 FSTRM_CAPTURE=@FSTRM_CAPTURE@
--- a/bind-9.11-unit-disable-random.patch
+++ b/bind-9.11-unit-disable-random.patch
@ -1,4 +1,4 @@
-From c89b0e288f923af69b97e8acc29250b262be7d1e Mon Sep 17 00:00:00 2001
+From 373f07148217a8e70e33446f5108fb42d1079ba6 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Thu, 21 Feb 2019 22:42:27 +0100
 Subject: [PATCH] Disable random_test
@ -9,37 +9,22 @@ subtests can occasionally fail, stop it.
 It can be used again by defining 'unstable' variable in Kyuafile.
 ---
 lib/isc/tests/Atffile  | 3 ++-
 lib/isc/tests/Kyuafile | 2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/isc/tests/Atffile b/lib/isc/tests/Atffile
 index 8681844..74a4a77 100644
 --- a/lib/isc/tests/Atffile
 +++ b/lib/isc/tests/Atffile
@@ -20,7 +20,8 @@ tp: pool_test
 tp: print_test
 tp: queue_test
 tp: radix_test
 -tp: random_test
 +# random test fails too often
 +#tp: random_test
 tp: regex_test
 tp: result_test
 tp: safe_test
 diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
-index 1c510c1..a86824a 100644
+index 4cd2574..9df2340 100644
 --- a/lib/isc/tests/Kyuafile
 +++ b/lib/isc/tests/Kyuafile
-@@ -19,7 +19,7 @@ atf_test_program{name='pool_test'}
+@@ -19,7 +19,7 @@ tap_test_program{name='pool_test'}
- atf_test_program{name='print_test'}
+ tap_test_program{name='print_test'}
- atf_test_program{name='queue_test'}
+ tap_test_program{name='queue_test'}
- atf_test_program{name='radix_test'}
+ tap_test_program{name='radix_test'}
-atf_test_program{name='random_test'}
+-tap_test_program{name='random_test'}
-+atf_test_program{name='random_test', required_configs='unstable'}
+tap_test_program{name='random_test', required_configs='unstable'}
- atf_test_program{name='regex_test'}
+ tap_test_program{name='regex_test'}
- atf_test_program{name='result_test'}
+ tap_test_program{name='result_test'}
- atf_test_program{name='safe_test'}
+ tap_test_program{name='safe_test'}
 -- 
 2.20.1
--- a/bind-9.11-unit-dnstap-pkcs11.patch
+++ b/bind-9.11-unit-dnstap-pkcs11.patch
@ -1,24 +0,0 @@
 diff --git a/lib/dns/tests/dnstap_test.c b/lib/dns/tests/dnstap_test.c
 index 56e3da4..1f31542 100644
 --- a/lib/dns/tests/dnstap_test.c
 +++ b/lib/dns/tests/dnstap_test.c
@@ -297,6 +297,9 @@ ATF_TC_BODY(totext, tc) {
 	UNUSED(tc);
 +	/* make sure text conversion gets the right local time */
 +	setenv("TZ", "PST8", 1);
 +
 	result = dns_test_begin(NULL, true);
 	ATF_REQUIRE(result == ISC_R_SUCCESS);
@@ -306,9 +309,6 @@ ATF_TC_BODY(totext, tc) {
 	result = isc_stdio_open(TAPTEXT, "r", &fp);
 	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 -	/* make sure text conversion gets the right local time */
 -	setenv("TZ", "PST8", 1);
 -
 	while (dns_dt_getframe(handle, &data, &dsize) == ISC_R_SUCCESS) {
 		dns_dtdata_t *dtdata = NULL;
 		isc_buffer_t *b = NULL;
--- a/bind-9.9.1-P2-multlib-conflict.patch
+++ b/bind-9.9.1-P2-multlib-conflict.patch
@ -1,8 +1,8 @@
 diff --git a/config.h.in b/config.h.in
-index e1364dd921..1dc65cfb21 100644
+index 4ecaa8f..2f65ccc 100644
 --- a/config.h.in
 +++ b/config.h.in
-@@ -588,7 +588,7 @@ int sigwait(const unsigned int *set, int *sig);
+@@ -600,7 +600,7 @@ int sigwait(const unsigned int *set, int *sig);
 #undef PREFER_GOSTASN1
 /* The size of `void *', as computed by sizeof. */
@ -11,39 +11,8 @@ index e1364dd921..1dc65cfb21 100644
 /* Define to 1 if you have the ANSI C header files. */
 #undef STDC_HEADERS
 diff --git a/configure.in b/configure.in
 index 73b1c8ccbb..129fc3f311 100644
 --- a/configure.in
 +++ b/configure.in
@@ -3523,14 +3523,14 @@ AC_TRY_COMPILE([
 #include <sys/socket.h>
 #include <netdb.h>
 int getnameinfo(const struct sockaddr *, socklen_t, char *,
 -		socklen_t, char *, socklen_t, unsigned int);],
 +		socklen_t, char *, socklen_t, int);],
 [ return (0);],
 -	[AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
 +	[AC_MSG_RESULT(socklen_t for buflen; int for flags)
 	 AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t,
 		   [Define to the sockaddr length type used by getnameinfo(3).])
 	 AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t,
 		   [Define to the buffer length type used by getnameinfo(3).])
 -	 AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int,
 +	 AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int,
 		   [Define to the flags type used by getnameinfo(3).])],
 [AC_TRY_COMPILE([
 #include <sys/types.h>
@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *,
 [AC_MSG_RESULT(not match any subspecies; assume standard definition)
 AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t)
 AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
 -AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])])
 +AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])])
 #
 # ...and same for gai_strerror().
 diff --git a/isc-config.sh.in b/isc-config.sh.in
-index a8a0a89e88..b5e94ed13e 100644
+index a8a0a89..b5e94ed 100644
 --- a/isc-config.sh.in
 +++ b/isc-config.sh.in
@@ -13,7 +13,18 @@ prefix=@prefix@
--- a/bind.spec
+++ b/bind.spec
@ -128,18 +128,12 @@ Patch159:bind-9.11-rt46047.patch
 Patch160:bind-9.11-rh1624100.patch
 # https://gitlab.isc.org/isc-projects/bind9/issues/555
 Patch161:bind-9.11-host-idn-disable.patch
 # https://gitlab.isc.org/isc-projects/bind9/issues/624
 Patch162:bind-9.11-unit-dnstap-pkcs11.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/8a98277811e
 Patch163:bind-9.11-rh1663318.patch
 # https://gitlab.isc.org/isc-projects/bind9/issues/819
 Patch164:bind-9.11-rh1666814.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1647829
 Patch165:bind-9.11-rh1647829.patch
 # commit 8e1cc95c943b7dfaaaaf2d9a4971861735cc3fb2
 Patch166:bind-9.11-rh1647829-2.patch
 # https://gitlab.isc.org/isc-projects/bind9/issues/225
 Patch167:bind-9.11-ed448-disable.patch
 # random_test fails too often by random, disable it
 Patch168:bind-9.11-unit-disable-random.patch
 Patch169:bind-9.11-feature-test-dlz.patch
@ -520,12 +514,9 @@ are used for building ISC DHCP.
 %patch159 -p1 -b .rt46047
 %patch160 -p1 -b .rh1624100
 %patch161 -p1 -b .host-idn-disable
 %patch162 -p1 -b .dnstap-pkcs11
 %patch163 -p1 -b .rh1663318
 %patch164 -p1 -b .rh1666814
 %patch165 -p1 -b .rh1647829
 %patch166 -p1 -b .rh1647829-2
 %patch167 -p1 -b .noed448
 %patch168 -p1 -b .random_test-disable
 %patch169 -p1 -b .featuretest-dlz
 %patch170 -p1 -b .featuretest-named
--- a/bind97-rh478718.patch
+++ b/bind97-rh478718.patch
@ -1,8 +1,8 @@
-diff --git a/configure.in b/configure.in
+diff --git a/configure.ac b/configure.ac
-index 896e81c1ce..73b1c8ccbb 100644
+index 26c509e..c1bfd62 100644
--- a/configure.in
+--- a/configure.ac
-+++ b/configure.in
+++ b/configure.ac
-@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then
+@@ -4152,6 +4152,10 @@ if test "yes" = "$use_atomic"; then
 	AC_MSG_RESULT($arch)
 fi
@ -14,10 +14,10 @@ index 896e81c1ce..73b1c8ccbb 100644
 	AC_MSG_CHECKING([compiler support for inline assembly code])
 diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
-index 2ff522342f..58df86adb3 100644
+index c902d46..9c7c342 100644
 --- a/lib/isc/include/isc/platform.h.in
 +++ b/lib/isc/include/isc/platform.h.in
-@@ -289,19 +289,25 @@
+@@ -284,19 +284,25 @@
  * If the "xaddq" operation (64bit xadd) is available on this architecture,
  * ISC_PLATFORM_HAVEXADDQ will be defined.
  */
--- a/bind98-rh735103.patch
+++ b/bind98-rh735103.patch
@ -1,38 +0,0 @@
 diff -up bind-9.10.1b1/lib/isc/unix/socket.c.rh735103 bind-9.10.1b1/lib/isc/unix/socket.c
 --- bind-9.10.1b1/lib/isc/unix/socket.c.rh735103	2014-06-23 06:47:35.000000000 +0200
 +++ bind-9.10.1b1/lib/isc/unix/socket.c	2014-07-29 16:25:27.172818662 +0200
@@ -67,6 +67,20 @@
 #include <isc/util.h>
 #include <isc/xml.h>
 +/* See task.c about the following definition: */
 +#ifdef BIND9
 +#ifdef ISC_PLATFORM_USETHREADS
 +#define USE_WATCHER_THREAD
 +#else
 +#define USE_SHARED_MANAGER
 +#endif	/* ISC_PLATFORM_USETHREADS */
 +#else /* BIND9 */
 +#undef ISC_PLATFORM_HAVESYSUNH
 +#undef ISC_PLATFORM_HAVEKQUEUE
 +#undef ISC_PLATFORM_HAVEEPOLL
 +#undef ISC_PLATFORM_HAVEDEVPOLL
 +#endif	/* BIND9 */
 +
 #ifdef ISC_PLATFORM_HAVESYSUNH
 #include <sys/un.h>
 #endif
@@ -86,13 +100,6 @@
 #include "errno2result.h"
 -/* See task.c about the following definition: */
 -#ifdef ISC_PLATFORM_USETHREADS
 -#define USE_WATCHER_THREAD
 -#else
 -#define USE_SHARED_MANAGER
 -#endif	/* ISC_PLATFORM_USETHREADS */
 -
 #ifndef USE_WATCHER_THREAD
 #include "socket_p.h"
 #include "../task_p.h"