rpms/bind
7
0
Fork 1
Code Issues Pull Requests Releases Activity

import bind-9.11.20-5.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-11-03 06:46:26 -05:00 committed by Andrew Lukoshko
parent c155b2de68
commit 864e18c0c8
26 changed files with 1191 additions and 1811 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.bind.metadata
View File

@ -1,2 +1,2 @@
550367762a653ac5ed0eb04b316d06517650a925 SOURCES/bind-9.11.13.tar.gz
ff6ad0d3f9282a77786e93eb889154008ef1ccdf SOURCES/bind-9.11.20.tar.gz
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/bind-9.11.13.tar.gz
SOURCES/bind-9.11.20.tar.gz
SOURCES/random.data

18
SOURCES/bind-9.10-sdb.patch
View File

@ -79,10 +79,10 @@ index 03a72d5..4c1cb6d 100644
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
index 108b8d6..a943421 100644
index c9fc3cc..148ebb3 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
@@ -93,6 +93,10 @@
@@ -97,6 +97,10 @@
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
@ -93,7 +93,7 @@ index 108b8d6..a943421 100644
#ifdef CONTRIB_DLZ
/*
@@ -1069,6 +1073,11 @@ setup(void) {
@@ -1134,6 +1138,11 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result));
@ -105,7 +105,7 @@ index 108b8d6..a943421 100644
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
ns_g_product, ns_g_version,
@@ -1269,6 +1278,75 @@ setup(void) {
@@ -1334,6 +1343,75 @@ setup(void) {
isc_result_totext(result));
#endif
@ -181,7 +181,7 @@ index 108b8d6..a943421 100644
ns_server_create(ns_g_mctx, &ns_g_server);
#ifdef HAVE_LIBSECCOMP
@@ -1311,6 +1389,11 @@ cleanup(void) {
@@ -1376,6 +1454,11 @@ cleanup(void) {
dns_name_destroy();
@ -288,10 +288,10 @@ index c7e0868..95ab742 100644
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/configure.ac b/configure.ac
index eff9f05..d05ad1f 100644
index f85f45f..7d28c52 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5429,6 +5429,8 @@ AC_CONFIG_FILES([
@@ -5400,6 +5400,8 @@ AC_CONFIG_FILES([
bin/named/unix/Makefile
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
@ -300,9 +300,9 @@ index eff9f05..d05ad1f 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5453,6 +5455,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/dnskey_test.py
@@ -5424,6 +5426,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/policy_test.py
bin/python/isc/utils.py
bin/rndc/Makefile
+ bin/sdb_tools/Makefile
bin/tests/Makefile

292
SOURCES/bind-9.11-CVE-2020-8616-test.patch
View File

@ -1,292 +0,0 @@
From a64853318ade406ef0db744918bb2828cf0a6247 Mon Sep 17 00:00:00 2001
From: Stephen Morris <stephen@isc.org>
Date: Thu, 5 Mar 2020 18:46:46 +0000
Subject: [PATCH] Add test for reduction in number of fetches
Add a system test that counts how many address fetches are made
for different numbers of NS records and checks that the number
are successfully limited.
(cherry picked from commit 5fb65f45443225180296b361a12be0fead5049f2)
---
bin/tests/system/resolver/clean.sh | 4 +-
bin/tests/system/resolver/ns4/named.conf.in | 5 ++
bin/tests/system/resolver/ns4/root.db | 4 +
bin/tests/system/resolver/ns4/sourcens.db | 89 +++++++++++++++++++++
bin/tests/system/resolver/ns5/named.conf.in | 9 ++-
bin/tests/system/resolver/ns6/named.conf.in | 15 ++++
bin/tests/system/resolver/ns6/targetns.db | 23 ++++++
bin/tests/system/resolver/tests.sh | 34 ++++++++
8 files changed, 180 insertions(+), 3 deletions(-)
create mode 100644 bin/tests/system/resolver/ns4/sourcens.db
create mode 100644 bin/tests/system/resolver/ns6/targetns.db
diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
index 4dfde1f3e7..b3e4bc0b5d 100644
--- a/bin/tests/system/resolver/clean.sh
+++ b/bin/tests/system/resolver/clean.sh
@@ -17,8 +17,7 @@ rm -f */named.memstats
rm -f */named.run
rm -f */ans.run
rm -f */*.jdb
-rm -f dig.out dig.out.*
-rm -f dig.*.out.*
+rm -f dig.out dig.out.* dig.*.out.*
rm -f dig.*.foo.*
rm -f dig.*.bar.*
rm -f dig.*.prime.*
@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db
rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
rm -f ns6/dsset-ds.example.net*
rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
+rm -f ns6/named.stats*
rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
rm -f ns7/server.db ns7/server.db.jnl
rm -f resolve.out.*.test*
diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in
index c679dc3151..56fe5d0dd8 100644
--- a/bin/tests/system/resolver/ns4/named.conf.in
+++ b/bin/tests/system/resolver/ns4/named.conf.in
@@ -50,6 +50,11 @@ zone "broken" {
file "broken.db";
};
+zone "sourcens" {
+ type master;
+ file "sourcens.db";
+};
+
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db
index 721765d1be..ae541340da 100644
--- a/bin/tests/system/resolver/ns4/root.db
+++ b/bin/tests/system/resolver/ns4/root.db
@@ -24,3 +24,7 @@ example.net. NS ns.example.net.
ns.example.net. A 10.53.0.6
no-questions. NS ns.no-questions.
ns.no-questions. A 10.53.0.8
+sourcens. NS ns.sourcens.
+ns.sourcens. A 10.53.0.4
+targetns. NS ns.targetns.
+ns.targetns. A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db
new file mode 100644
index 0000000000..b02cc6e835
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/sourcens.db
@@ -0,0 +1,89 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This zone contains a set of delegations with varying numbers of NS
+; records. This is used to check that BIND is limiting the number of
+; NS records it follows when resolving a delegation. It tests all
+; numbers of NS records up to twice the number followed.
+
+$TTL 60
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns
+ns A 10.53.0.4
+
+target1 NS ns.fake11.targetns.
+
+target2 NS ns.fake21.targetns.
+ NS ns.fake22.targetns.
+
+target3 NS ns.fake31.targetns.
+ NS ns.fake32.targetns.
+ NS ns.fake33.targetns.
+
+target4 NS ns.fake41.targetns.
+ NS ns.fake42.targetns.
+ NS ns.fake43.targetns.
+ NS ns.fake44.targetns.
+
+target5 NS ns.fake51.targetns.
+ NS ns.fake52.targetns.
+ NS ns.fake53.targetns.
+ NS ns.fake54.targetns.
+ NS ns.fake55.targetns.
+
+target6 NS ns.fake61.targetns.
+ NS ns.fake62.targetns.
+ NS ns.fake63.targetns.
+ NS ns.fake64.targetns.
+ NS ns.fake65.targetns.
+ NS ns.fake66.targetns.
+
+target7 NS ns.fake71.targetns.
+ NS ns.fake72.targetns.
+ NS ns.fake73.targetns.
+ NS ns.fake74.targetns.
+ NS ns.fake75.targetns.
+ NS ns.fake76.targetns.
+ NS ns.fake77.targetns.
+
+target8 NS ns.fake81.targetns.
+ NS ns.fake82.targetns.
+ NS ns.fake83.targetns.
+ NS ns.fake84.targetns.
+ NS ns.fake85.targetns.
+ NS ns.fake86.targetns.
+ NS ns.fake87.targetns.
+ NS ns.fake88.targetns.
+
+target9 NS ns.fake91.targetns.
+ NS ns.fake92.targetns.
+ NS ns.fake93.targetns.
+ NS ns.fake94.targetns.
+ NS ns.fake95.targetns.
+ NS ns.fake96.targetns.
+ NS ns.fake97.targetns.
+ NS ns.fake98.targetns.
+ NS ns.fake99.targetns.
+
+target10 NS ns.fake101.targetns.
+ NS ns.fake102.targetns.
+ NS ns.fake103.targetns.
+ NS ns.fake104.targetns.
+ NS ns.fake105.targetns.
+ NS ns.fake106.targetns.
+ NS ns.fake107.targetns.
+ NS ns.fake108.targetns.
+ NS ns.fake109.targetns.
+ NS ns.fake1010.targetns.
diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in
index 07205c9938..90818e4556 100644
--- a/bin/tests/system/resolver/ns5/named.conf.in
+++ b/bin/tests/system/resolver/ns5/named.conf.in
@@ -46,4 +46,11 @@ zone "delegation-only" {
type delegation-only;
};
-include "trusted.conf";
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in
index 7df48558b8..4b01f9ba14 100644
--- a/bin/tests/system/resolver/ns6/named.conf.in
+++ b/bin/tests/system/resolver/ns6/named.conf.in
@@ -22,6 +22,7 @@ options {
recursion no;
// minimal-responses yes;
querylog yes;
+ statistics-file "named.stats";
/*
* test that named loads with root-delegation-only that
* has a exclude list.
@@ -67,3 +68,17 @@ zone "delegation-only" {
type master;
file "delegation-only.db";
};
+
+zone "targetns" {
+ type master;
+ file "targetns.db";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db
new file mode 100644
index 0000000000..036e64580b
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/targetns.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; In the test for checking how many NS records BIND will follow, this
+; zone marks the server as the one to which the NS lookups will be
+; directed.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+ NS ns
+ns A 10.53.0.6
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 12d2819e30..178ba4d79b 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then
status=`expr $status + $ret`
fi
+n=`expr $n + 1`
+echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
+# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS
+# records pointing to non-existent nameservers in the targetns zone on ns6.
+ret=0
+$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test
+for nscount in 1 2 3 4 5 6 7 8 9 10
+do
+ # Verify number of NS records at source server
+ $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
+ sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`
+ test $sourcerecs -eq $nscount || ret=1
+ test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"
+ # Expected queries = 2 * number of NS records, up to a maximum of 10.
+ expected=`expr 2 \* $nscount`
+ if [ $expected -gt 10 ]; then expected=10; fi
+ # Work out the queries made by checking statistics on the target before and after the test
+ $RNDCCMD 10.53.0.6 stats || ret=1
+ initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
+ mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
+ $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
+ $RNDCCMD 10.53.0.6 stats || ret=1
+ final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
+ mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
+ # Check number of queries during the test is as expected
+ actual=`expr $final_count - $initial_count`
+ if [ $actual -ne $expected ]; then
+ echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
+ ret=1
+ fi
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
n=`expr $n + 1`
echo_i "RT21594 regression test check setup ($n)"
ret=0
--
2.21.1

78
SOURCES/bind-9.11-CVE-2020-8617-test.patch
View File

@ -1,78 +0,0 @@
From eee06b7744c4999ec3c7cb0654f97a9b4c79f77f Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 25 Mar 2020 17:44:51 +1100
Subject: [PATCH] Check that a 'BADTIME' response with 'QR=0' is handled as a
request
(cherry picked from commit 67ba3f8f3ab2a748dff1e8a2029fde3bc84ec3f1)
---
bin/tests/system/tsig/badtime | 37 ++++++++++++++++++++++++++++++++++
bin/tests/system/tsig/tests.sh | 9 +++++++++
2 files changed, 46 insertions(+)
create mode 100644 bin/tests/system/tsig/badtime
diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
new file mode 100644
index 0000000000..7926404cfb
--- /dev/null
+++ b/bin/tests/system/tsig/badtime
@@ -0,0 +1,37 @@
+# Transaction ID
+1122
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0000 0001
+# QNAME: isc.org
+03 69 73 63 03 6F 72 67 00
+# Type: A (Host Address)
+0001
+# Class: IN
+0001
+# Specially crafted TSIG Resource Record
+# Name: "sha256"
+06 73 68 61 32 35 36 00
+# Type: TSIG (Transaction Signature)
+00fa
+# Class: ANY
+00ff
+# TTL: 0
+00000000
+# RdLen: 29
+001d
+# Algorithm Name: hmac-sha256
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
+00 00 00 00 00 00
+# Fudge: 300
+012c
+# MAC Size: 0; MAC: empty
+0000
+# Original ID: 0
+0000
+# Error: BADSIG
+0010
+# Other Data Length: 0
+0000
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index cade35bc1d..284aea1056 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -233,5 +233,14 @@ if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
+echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
+ret=0
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
+$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
+grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
--
2.21.1

57
SOURCES/bind-9.11-CVE-2020-8622.patch Normal file
View File

@ -0,0 +1,57 @@
From c5a9fd85a19a63f88a5f17c7e6d074ee22364093 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:53:33 +0200
Subject: [PATCH] Fix CVE-2020-8622
5476. [security] It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
(CVE-2020-8622) [GL #2028]
---
lib/dns/message.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/lib/dns/message.c b/lib/dns/message.c
index d9e341a..7c813a5 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
msg->header_ok = 0;
msg->question_ok = 0;
+ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
+ isc_buffer_usedregion(&origsource, &msg->saved);
+ } else {
+ msg->saved.length = isc_buffer_usedlength(&origsource);
+ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+ if (msg->saved.base == NULL) {
+ return (ISC_R_NOMEMORY);
+ }
+ memmove(msg->saved.base, isc_buffer_base(&origsource),
+ msg->saved.length);
+ msg->free_saved = 1;
+ }
+
isc_buffer_remainingregion(source, &r);
if (r.length < DNS_MESSAGE_HEADERLEN)
return (ISC_R_UNEXPECTEDEND);
@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
}
truncated:
- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
- isc_buffer_usedregion(&origsource, &msg->saved);
- else {
- msg->saved.length = isc_buffer_usedlength(&origsource);
- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
- if (msg->saved.base == NULL)
- return (ISC_R_NOMEMORY);
- memmove(msg->saved.base, isc_buffer_base(&origsource),
- msg->saved.length);
- msg->free_saved = 1;
- }
if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
return (DNS_R_RECOVERABLE);
--
2.26.2

400
SOURCES/bind-9.11-CVE-2020-8623.patch Normal file
View File

@ -0,0 +1,400 @@
From e8b7be1e1ff3e11bc8d592c3c8d6a0f0d69e9947 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:54:39 +0200
Subject: [PATCH] Fix CVE-2020-8623
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet. (CVE-2020-8623)
[GL #2037]
---
lib/dns/pkcs11dh_link.c | 15 ++++++-
lib/dns/pkcs11dsa_link.c | 8 +++-
lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++--------
lib/isc/include/pk11/internal.h | 3 +-
lib/isc/pk11.c | 61 ++++++++++++++++---------
5 files changed, 121 insertions(+), 45 deletions(-)
diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c
index e2b60ea..4cd8e32 100644
--- a/lib/dns/pkcs11dh_link.c
+++ b/lib/dns/pkcs11dh_link.c
@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
CK_ATTRIBUTE *attr;
int special = 0;
+ unsigned int bits;
isc_result_t result;
isc_buffer_remainingregion(data, &r);
@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
pub = r.base;
isc_region_consume(&r, publen);
- key->key_size = pk11_numbits(prime, plen_);
+ result = pk11_numbits(prime, plen_, &bits);
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup;
+ }
+ key->key_size = bits;
dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
if (dh->repr == NULL)
@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
int i;
+ unsigned int bits;
pk11_object_t *dh = NULL;
CK_ATTRIBUTE *attr;
isc_mem_t *mctx;
@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
attr = pk11_attribute_bytype(dh, CKA_PRIME);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
return (ISC_R_SUCCESS);
diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c
index 12d707a..24d4c14 100644
--- a/lib/dns/pkcs11dsa_link.c
+++ b/lib/dns/pkcs11dsa_link.c
@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
int i;
+ unsigned int bits;
pk11_object_t *dsa = NULL;
CK_ATTRIBUTE *attr;
isc_mem_t *mctx = key->mctx;
@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
attr = pk11_attribute_bytype(dsa, CKA_PRIME);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
return (ISC_R_SUCCESS);
diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
index 6c280bf..86e136a 100644
--- a/lib/dns/pkcs11rsa_link.c
+++ b/lib/dns/pkcs11rsa_link.c
@@ -337,6 +337,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#endif
+ REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
/*
* Reject incorrect RSA key lengths.
@@ -381,6 +382,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
for (attr = pk11_attribute_first(rsa);
attr != NULL;
attr = pk11_attribute_next(rsa, attr))
+ {
switch (attr->type) {
case CKA_MODULUS:
INSIST(keyTemplate[5].type == attr->type);
@@ -401,12 +403,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
memmove(keyTemplate[6].pValue, attr->pValue,
attr->ulValueLen);
keyTemplate[6].ulValueLen = attr->ulValueLen;
- if (pk11_numbits(attr->pValue,
- attr->ulValueLen) > maxbits &&
- maxbits != 0)
+ unsigned int bits;
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
+ &bits);
+ if (ret != ISC_R_SUCCESS ||
+ (bits > maxbits && maxbits != 0)) {
DST_RET(DST_R_VERIFYFAILURE);
+ }
break;
}
+ }
pk11_ctx->object = CK_INVALID_HANDLE;
pk11_ctx->ontoken = false;
PK11_RET(pkcs_C_CreateObject,
@@ -1086,6 +1092,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
keyTemplate[5].ulValueLen = attr->ulValueLen;
break;
case CKA_PUBLIC_EXPONENT:
+ unsigned int bits;
INSIST(keyTemplate[6].type == attr->type);
keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
attr->ulValueLen);
@@ -1094,10 +1101,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
memmove(keyTemplate[6].pValue, attr->pValue,
attr->ulValueLen);
keyTemplate[6].ulValueLen = attr->ulValueLen;
- if (pk11_numbits(attr->pValue,
- attr->ulValueLen)
- > RSA_MAX_PUBEXP_BITS)
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
+ &bits);
+ if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
+ {
DST_RET(DST_R_VERIFYFAILURE);
+ }
break;
}
pk11_ctx->object = CK_INVALID_HANDLE;
@@ -1475,6 +1484,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
CK_BYTE *exponent = NULL, *modulus = NULL;
CK_ATTRIBUTE *attr;
unsigned int length;
+ unsigned int bits;
+ isc_result_t ret = ISC_R_SUCCESS;
isc_buffer_remainingregion(data, &r);
if (r.length == 0)
@@ -1492,9 +1503,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (e_bytes == 0) {
if (r.length < 2) {
- isc_safe_memwipe(rsa, sizeof(*rsa));
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (DST_R_INVALIDPUBLICKEY);
+ DST_RET(DST_R_INVALIDPUBLICKEY);
}
e_bytes = (*r.base) << 8;
isc_region_consume(&r, 1);
@@ -1503,16 +1512,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
if (r.length < e_bytes) {
- isc_safe_memwipe(rsa, sizeof(*rsa));
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (DST_R_INVALIDPUBLICKEY);
+ DST_RET(DST_R_INVALIDPUBLICKEY);
}
exponent = r.base;
isc_region_consume(&r, e_bytes);
modulus = r.base;
mod_bytes = r.length;
- key->key_size = pk11_numbits(modulus, mod_bytes);
+ ret = pk11_numbits(modulus, mod_bytes, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
isc_buffer_forward(data, length);
@@ -1562,9 +1573,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
rsa->repr,
rsa->attrcnt * sizeof(*attr));
}
+ ret = ISC_R_NOMEMORY;
+
+ err:
isc_safe_memwipe(rsa, sizeof(*rsa));
isc_mem_put(key->mctx, rsa, sizeof(*rsa));
- return (ISC_R_NOMEMORY);
+ return (ret);
}
static isc_result_t
@@ -1743,6 +1757,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
pk11_object_t *pubrsa;
pk11_context_t *pk11_ctx = NULL;
isc_result_t ret;
+ unsigned int bits;
if (label == NULL)
return (DST_R_NOENGINE);
@@ -1829,7 +1844,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
return (ISC_R_SUCCESS);
@@ -1915,6 +1934,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
CK_ATTRIBUTE *attr;
isc_mem_t *mctx = key->mctx;
const char *engine = NULL, *label = NULL;
+ unsigned int bits;
/* read private key file */
ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
@@ -2058,12 +2078,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
INSIST(attr != NULL);
- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ if (bits > RSA_MAX_PUBEXP_BITS) {
DST_RET(ISC_R_RANGE);
+ }
dst__privstruct_free(&priv, mctx);
isc_safe_memwipe(&priv, sizeof(priv));
@@ -2098,6 +2128,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
pk11_context_t *pk11_ctx = NULL;
isc_result_t ret;
unsigned int i;
+ unsigned int bits;
UNUSED(pin);
@@ -2192,12 +2223,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
INSIST(attr != NULL);
- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ if (bits > RSA_MAX_PUBEXP_BITS) {
DST_RET(ISC_R_RANGE);
+ }
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
+ if (ret != ISC_R_SUCCESS) {
+ goto err;
+ }
+ key->key_size = bits;
pk11_return_session(pk11_ctx);
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
index 603712a..b9680bc 100644
--- a/lib/isc/include/pk11/internal.h
+++ b/lib/isc/include/pk11/internal.h
@@ -27,7 +27,8 @@ void pk11_mem_put(void *ptr, size_t size);
CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype);
-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt);
+isc_result_t
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits);
CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj);
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index 4b85527..9c450da 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -982,13 +982,15 @@ pk11_get_best_token(pk11_optype_t optype) {
return (token->slotid);
}
-unsigned int
-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
+isc_result_t
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) {
unsigned int bitcnt, i;
CK_BYTE top;
- if (bytecnt == 0)
- return (0);
+ if (bytecnt == 0) {
+ *bits = 0;
+ return (ISC_R_SUCCESS);
+ }
bitcnt = bytecnt * 8;
for (i = 0; i < bytecnt; i++) {
top = data[i];
@@ -996,26 +998,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
bitcnt -= 8;
continue;
}
- if (top & 0x80)
- return (bitcnt);
- if (top & 0x40)
- return (bitcnt - 1);
- if (top & 0x20)
- return (bitcnt - 2);
- if (top & 0x10)
- return (bitcnt - 3);
- if (top & 0x08)
- return (bitcnt - 4);
- if (top & 0x04)
- return (bitcnt - 5);
- if (top & 0x02)
- return (bitcnt - 6);
- if (top & 0x01)
- return (bitcnt - 7);
+ if (top & 0x80) {
+ *bits = bitcnt;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x40) {
+ *bits = bitcnt - 1;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x20) {
+ *bits = bitcnt - 2;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x10) {
+ *bits = bitcnt - 3;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x08) {
+ *bits = bitcnt - 4;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x04) {
+ *bits = bitcnt - 5;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x02) {
+ *bits = bitcnt - 6;
+ return (ISC_R_SUCCESS);
+ }
+ if (top & 0x01) {
+ *bits = bitcnt - 7;
+ return (ISC_R_SUCCESS);
+ }
break;
}
- INSIST(0);
- ISC_UNREACHABLE();
+ return (ISC_R_RANGE);
}
CK_ATTRIBUTE *
--
2.26.2

152
SOURCES/bind-9.11-CVE-2020-8624-test.patch Normal file
View File

@ -0,0 +1,152 @@
From 221fb11e658e7dea1be6dbfd25e149f2d131e4fb Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 29 Jul 2020 23:36:03 +1000
Subject: [PATCH] Add a test for update-policy 'subdomain'
The new test checks that 'update-policy subdomain' is properly enforced.
(cherry picked from commit 393e8f643c02215fa4e6d4edf67be7d77085da0e)
Add a test for update-policy 'zonesub'
The new test checks that 'update-policy zonesub' is properly enforced.
(cherry picked from commit 58e560beb50873c699f3431cf57e215dc645d7aa)
---
bin/tests/system/nsupdate/ns1/named.conf.in | 12 +++++
bin/tests/system/nsupdate/tests.sh | 60 +++++++++++++++++++--
2 files changed, 68 insertions(+), 4 deletions(-)
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index 26b6b7c9ab..540a984842 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -36,6 +36,16 @@ key altkey {
secret "1234abcd8765";
};
+key restricted.example.nil {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+key zonesub-key.example.nil {
+ algorithm hmac-md5;
+ secret "1234subk8765";
+};
+
include "ddns.key";
zone "example.nil" {
@@ -44,7 +54,9 @@ zone "example.nil" {
check-integrity no;
check-mx ignore;
update-policy {
+ grant zonesub-key.example.nil zonesub TXT;
grant ddns-key.example.nil subdomain example.nil ANY;
+ grant restricted.example.nil subdomain restricted.example.nil ANY;
};
allow-transfer { any; };
};
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index b08c5220e7..5f09e8c5bf 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -428,7 +428,7 @@ EOF
# this also proves that the server is still running.
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
-grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -443,7 +443,7 @@ EOF
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
-grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1
grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -460,7 +460,7 @@ EOF
_ret=1
for i in 0 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
- if grep "ANSWER: 2" dig.out.ns3.$n > /dev/null; then
+ if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
_ret=0
break
fi
@@ -485,7 +485,7 @@ EOF
_ret=1
for i in 0 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
- if grep "ANSWER: 1" dig.out.ns3.$n > /dev/null; then
+ if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
_ret=0
break
fi
@@ -631,6 +631,58 @@ then
echo_i "failed"; status=1
fi
+n=`expr $n + 1`
+ret=0
+echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
+# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
+# and thus this UPDATE should succeed.
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add restricted.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
+grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
+# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
+# thus this UPDATE should fail.
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key restricted.example.nil 1234abcd8765
+update add example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
+# grant zonesub-key.example.nil zonesub TXT;
+# the A record update should be rejected as it is not in the type list
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN A 1.2.3.4
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
+grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
+# the TXT record update should be accepted as it is in the type list
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+key zonesub-key.example.nil 1234subk8765
+update add zonesub.example.nil 0 IN TXT everywhere.
+send
+END
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
+grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
n=`expr $n + 1`
ret=0
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
--
2.26.2

32
SOURCES/bind-9.11-CVE-2020-8624.patch Normal file
View File

@ -0,0 +1,32 @@
From e2aae621408c7622d094f13a67b928f911a2793b Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 18 Aug 2020 10:55:50 +0200
Subject: [PATCH] Fix CVE-2020-8624
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM. (CVE-2020-8624) [GL #2055]
---
bin/named/zoneconf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 55f191b..b77a07c 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
str = cfg_obj_asstring(matchtype);
CHECK(dns_ssu_mtypefromstring(str, &mtype));
- if (mtype == dns_ssumatchtype_subdomain) {
+ if (mtype == dns_ssumatchtype_subdomain &&
+ strcasecmp(str, "zonesub") == 0) {
usezone = true;
}
--
2.26.2

35
SOURCES/bind-9.11-export-isc-config.patch
View File

@ -1,35 +0,0 @@
diff --git a/export-libs/Makefile b/export-libs/Makefile
index df15ea8..13f416b 100644
--- a/export-libs/Makefile
+++ b/export-libs/Makefile
@@ -404,20 +404,18 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: isc-config.sh installdirs
- ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
- rm -f ${DESTDIR}${bindir}/bind9-config
- ln ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config
- ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
- ln ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
- ${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
+ ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}/isc-export-config.sh
+ rm -f ${DESTDIR}${bindir}/bind9-export-config
+ ln ${DESTDIR}${bindir}/isc-export-config.sh ${DESTDIR}${bindir}/bind9-export-config
+ ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
+ ln ${DESTDIR}${mandir}/man1/isc-export-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-export-config.1
uninstall::
- rm -f ${DESTDIR}${sysconfdir}/bind.keys
- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
- rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
- rm -f ${DESTDIR}${bindir}/bind9-config
- rm -f ${DESTDIR}${bindir}/isc-config.sh
+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
+ rm -f ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
+ rm -f ${DESTDIR}${bindir}/bind9-export-config
+ rm -f ${DESTDIR}${bindir}/isc-export-config.sh
tags:
rm -f TAGS

34
SOURCES/bind-9.11-kyua-pkcs11.patch
View File

@ -1,4 +1,4 @@
From eb38d2278937ec3fe45d0af30cd080953bbb5b54 Mon Sep 17 00:00:00 2001
From a9b5785f174cf7fd74891fa64f6b69b9a9b55466 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests
@ -16,10 +16,10 @@ Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
6 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0532feb..a83ddd5 100644
index 62ecf56..0940a7d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5578,6 +5578,7 @@ AC_CONFIG_FILES([
@@ -5476,6 +5476,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile
@ -43,13 +43,13 @@ index 7c8bab0..eec9564 100644
include('isccfg/Kyuafile')
include('lwres/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
index 7671e1d..e237d5c 100644
index 22a06a8..5df5b15 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
@DST_OPENSSL_INC@
@DST_OPENSSL_INC@ ${MAXMINDDB_CFLAGS}
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
@ -65,10 +65,10 @@ index 7671e1d..e237d5c 100644
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
index 4dbfd82..a383b8e 100644
index a5bf46c..9ff2b76 100644
--- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c
@@ -86,7 +86,8 @@ dh_computesecret(void **state) {
@@ -88,7 +88,8 @@ dh_computesecret(void **state) {
result = dst_key_computesecret(key, key, &buf);
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
result = key->func->computesecret(key, key, &buf);
@ -79,7 +79,7 @@ index 4dbfd82..a383b8e 100644
dst_key_free(&key);
}
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
index 2fdee0b..a263b35 100644
index 36d2207..00dfbc9 100644
--- a/lib/isc-pkcs11/tests/Makefile.in
+++ b/lib/isc-pkcs11/tests/Makefile.in
@@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@
@ -97,10 +97,10 @@ index 2fdee0b..a263b35 100644
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
index 9c4d299..d9deba2 100644
index 4fafc38..5eb2be2 100644
--- a/lib/isc-pkcs11/tests/hash_test.c
+++ b/lib/isc-pkcs11/tests/hash_test.c
@@ -85,7 +85,7 @@ typedef struct hash_testcase {
@@ -84,7 +84,7 @@ typedef struct hash_testcase {
typedef struct hash_test_key {
const char *key;
@ -109,7 +109,7 @@ index 9c4d299..d9deba2 100644
} hash_test_key_t;
/* non-hmac tests */
@@ -956,8 +956,11 @@ isc_hmacsha1_test(void **state) {
@@ -955,8 +955,11 @@ isc_hmacsha1_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -122,7 +122,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha1_update(&hmacsha1,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1116,8 +1119,11 @@ isc_hmacsha224_test(void **state) {
@@ -1115,8 +1118,11 @@ isc_hmacsha224_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -135,7 +135,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha224_update(&hmacsha224,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1277,8 +1283,11 @@ isc_hmacsha256_test(void **state) {
@@ -1276,8 +1282,11 @@ isc_hmacsha256_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -148,7 +148,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha256_update(&hmacsha256,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1444,8 +1453,11 @@ isc_hmacsha384_test(void **state) {
@@ -1443,8 +1452,11 @@ isc_hmacsha384_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -161,7 +161,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha384_update(&hmacsha384,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1611,8 +1623,11 @@ isc_hmacsha512_test(void **state) {
@@ -1610,8 +1622,11 @@ isc_hmacsha512_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -174,7 +174,7 @@ index 9c4d299..d9deba2 100644
isc_hmacsha512_update(&hmacsha512,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1755,8 +1770,11 @@ isc_hmacmd5_test(void **state) {
@@ -1754,8 +1769,11 @@ isc_hmacmd5_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -188,5 +188,5 @@ index 9c4d299..d9deba2 100644
(const uint8_t *) testcase->input,
testcase->input_len);
--
2.20.1
2.21.1

14
SOURCES/bind-9.11-rh1624100.patch
View File

@ -1,4 +1,4 @@
From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001
From f27598743ab6e03271e26f23da4beba748d19c60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 25 Apr 2018 14:04:31 +0200
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
@ -24,10 +24,10 @@ Fix the isc_safe_memwipe() usage with (NULL, >0)
delete mode 100644 lib/isc/safe.c
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 6ddaebe..d921870 100644
index 6dded0c..a9c5557 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
@@ -784,7 +784,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
static int
hashlist_comp(const void *a, const void *b) {
@ -81,7 +81,7 @@ index ad77f24..670982a 100644
/* accept_sec_context.c */
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index 0fd0837..8ad54bb 100644
index 149552a..8529a86 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
@ -91,7 +91,7 @@ index 0fd0837..8ad54bb 100644
- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
tm.@O@ timer.@O@ version.@O@ \
tm.@O@ timer.@O@ utf8.@O@ version.@O@ \
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
netaddr.c netscope.c pool.c ondestroy.c \
@ -100,7 +100,7 @@ index 0fd0837..8ad54bb 100644
- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
+ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
strtoul.c symtab.c task.c taskpool.c timer.c \
tm.c version.c
tm.c utf8.c version.c
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
@ -284,5 +284,5 @@ index 266ac75..60e9181 100644
return (cmocka_run_group_tests(tests, NULL, NULL));
--
2.20.1
2.26.2

65
SOURCES/bind-9.11-rh1790879.patch
View File

@ -1,65 +0,0 @@
From f9a37643528dc83b981156d0a1cf52e3d9a38322 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Mon, 2 Dec 2019 15:15:06 +0100
Subject: [PATCH] Fix GeoIP2 memory leak upon reconfiguration
Loaded GeoIP2 databases are only released when named is shut down, but
not during server reconfiguration. This causes memory to be leaked
every time "rndc reconfig" or "rndc reload" is used, as long as any
GeoIP2 database is in use. Fix by releasing any loaded GeoIP2 databases
before reloading them. Do not call dns_geoip_shutdown() until server
shutdown as that function releases the memory context used for caching
GeoIP2 lookup results.
(cherry picked from commit 670afbe84a87e202fa795079d9d6d1639bcf391d)
(cherry picked from commit 95a5589fa2ac3956fecfef780158a2745718c860)
---
bin/named/geoip.c | 2 --
bin/named/server.c | 6 ++++++
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/bin/named/geoip.c b/bin/named/geoip.c
index d560f8fbcf..0b11f6b803 100644
--- a/bin/named/geoip.c
+++ b/bin/named/geoip.c
@@ -243,6 +243,4 @@ ns_geoip_shutdown(void) {
ns_g_geoip->domain = NULL;
}
#endif /* HAVE_GEOIP2 */
-
- dns_geoip_shutdown();
}
diff --git a/bin/named/server.c b/bin/named/server.c
index ebe7ad4702..4d7d2210ff 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -72,6 +72,7 @@
#include <dns/events.h>
#include <dns/forward.h>
#include <dns/fixedname.h>
+#include <dns/geoip.h>
#include <dns/journal.h>
#include <dns/keytable.h>
#include <dns/keyvalues.h>
@@ -7684,6 +7685,10 @@ load_configuration(const char *filename, ns_server_t *server,
isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
#if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
+ /*
+ * Release any previously opened GeoIP2 databases.
+ */
+ ns_geoip_shutdown();
/*
* Initialize GeoIP databases from the configured location.
* This should happen before configuring any ACLs, so that we
@@ -9030,6 +9035,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
#endif
#if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
ns_geoip_shutdown();
+ dns_geoip_shutdown();
#endif /* HAVE_GEOIP || HAVE_GEOIP2 */
dns_db_detach(&server->in_roothints);
--
2.21.1

31
SOURCES/bind-9.11-rh1859454.patch Normal file
View File

@ -0,0 +1,31 @@
From 30753514ac06111da5b677fe7cdbafd696b1d620 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 22 Jul 2020 18:55:02 +0200
Subject: [PATCH] Prevent crash on dst initialization failure
server might be created, but not yet fully initialized, when fatal
function is called. Check both server and task before attaching
exclusive task.
(cherry picked from commit c5e7152cf04f75d0fe00163f076f4cc3cafce259)
(cherry picked from commit 35fbfaa4981333286437f26557db26863d4c5299)
---
bin/named/server.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 3cd8daf99e..38780ad3d7 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -9341,7 +9341,7 @@ ns_server_destroy(ns_server_t **serverp) {
static void
fatal(ns_server_t *server, const char *msg, isc_result_t result) {
- if (server != NULL) {
+ if (server != NULL && server->task != NULL) {
/*
* Prevent races between the OpenSSL on_exit registered
* function and any other OpenSSL calls from other tasks
--
2.26.2

90
SOURCES/bind-9.11-rh1865785.patch
View File

@ -1,90 +0,0 @@
From 7e2d9531a79d289ee99dd436da14efb6d9a505fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 3 Jun 2020 14:42:11 +0200
Subject: [PATCH] Change the invalid CIDR from parser error to warning
In [RT #43367], the BIND 9 changed the strictness of address / prefix
length checks:
Check prefixes in acls to make sure the address and
prefix lengths are consistent. Warn only in
BIND 9.11 and earlier.
Unfortunately, a regression slipped in and the check was made an error
also in the BIND 9.11. This commit fixes the regression, but turning
the error into a warning.
---
bin/tests/system/checkconf/tests.sh | 9 +++++++++
...conf => warn-address-prefix-length-mismatch.conf} | 12 ++++++++++--
lib/isccfg/parser.c | 9 ---------
util/copyrights | 2 +-
4 files changed, 20 insertions(+), 12 deletions(-)
rename bin/tests/system/checkconf/{bad-ipv4-prefix-dotted2.conf => warn-address-prefix-length-mismatch.conf} (70%)
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 85fb4839e9..d2b0daa35c 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -386,6 +386,15 @@ grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo_i "check that invalid address/prefix length generates a warning ($n)"
+ret=0
+$CHECKCONF warn-address-prefix-length-mismatch.conf > checkconf.out$n 2>/dev/null || ret=1
+LINES=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1
+[ "$LINES" -eq 8 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
n=`expr $n + 1`
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
ret=0
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
similarity index 70%
rename from bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
rename to bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
index 2c768c7e1a..5e3bc3f6ee 100644
--- a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
+++ b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
@@ -9,6 +9,14 @@
* information regarding copyright ownership.
*/
-acl myacl {
- 127.1/8; /* No-zero bits */
+zone example {
+ type master;
+ file "example.db";
+ auto-dnssec maintain;
+ allow-update {
+ 192.0.2.64/24;
+ 192.0.2.128/24;
+ 198.51.100.255/24;
+ 203.0.113.2/24;
+ };
};
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index e2af054661..44a1dfc37a 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -2634,15 +2634,6 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
"invalid prefix length");
return (ISC_R_RANGE);
}
- result = isc_netaddr_prefixok(&netaddr, prefixlen);
- if (result != ISC_R_SUCCESS) {
- char buf[ISC_NETADDR_FORMATSIZE + 1];
- isc_netaddr_format(&netaddr, buf, sizeof(buf));
- cfg_parser_error(pctx, CFG_LOG_NOPREP,
- "'%s/%u': address/prefix length "
- "mismatch", buf, prefixlen);
- return (ISC_R_FAILURE);
- }
} else {
if (expectprefix) {
cfg_parser_error(pctx, CFG_LOG_NEAR,
--
GitLab

160
SOURCES/bind-9.11-rt31459.patch
View File

@ -1,4 +1,4 @@
From 7e61714a5d1509ec79af42391e41eb1afc53063a Mon Sep 17 00:00:00 2001
From 5c29299e43db5a4e6f8b1b07af84dfe1687c4c2b Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 12 Sep 2017 19:05:46 -0700
Subject: [PATCH] rebased rt31459c
@ -71,10 +71,10 @@ index 5015abb..295e16f 100644
&entropy_source,
randomfile,
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index 2c0c308..3e585af 100644
index d9d6bb9..de4b15f 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -494,14 +494,14 @@ main(int argc, char **argv) {
@@ -498,14 +498,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@ -92,7 +92,7 @@ index 2c0c308..3e585af 100644
isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log);
@@ -571,8 +571,8 @@ main(int argc, char **argv) {
@@ -574,8 +574,8 @@ main(int argc, char **argv) {
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
@ -103,10 +103,10 @@ index 2c0c308..3e585af 100644
dns_name_destroy();
if (verbose > 10)
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
index 0d1e7f8..79c4d74 100644
index d65a514..04b3094 100644
--- a/bin/dnssec/dnssec-importkey.c
+++ b/bin/dnssec/dnssec-importkey.c
@@ -407,14 +407,14 @@ main(int argc, char **argv) {
@@ -404,14 +404,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@ -124,7 +124,7 @@ index 0d1e7f8..79c4d74 100644
isc_entropy_stopcallbacksources(ectx);
setup_logging(mctx, &log);
@@ -458,8 +458,8 @@ main(int argc, char **argv) {
@@ -455,8 +455,8 @@ main(int argc, char **argv) {
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
@ -167,10 +167,10 @@ index 7d82dbf..10f9359 100644
if (verbose > 10)
isc_mem_stats(mctx, stdout);
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index f355903..6a2ca59 100644
index 7afcaee..1cfa511 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -382,14 +382,14 @@ main(int argc, char **argv) {
@@ -380,14 +380,14 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
@ -188,7 +188,7 @@ index f355903..6a2ca59 100644
isc_entropy_stopcallbacksources(ectx);
if (predecessor != NULL) {
@@ -674,8 +674,8 @@ main(int argc, char **argv) {
@@ -672,8 +672,8 @@ main(int argc, char **argv) {
if (prevkey != NULL)
dst_key_free(&prevkey);
dst_key_free(&key);
@ -199,7 +199,7 @@ index f355903..6a2ca59 100644
if (verbose > 10)
isc_mem_stats(mctx, stdout);
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index c6a0313..6ddaebe 100644
index 319a805..27ae4d4 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) {
@ -257,7 +257,7 @@ index 4c293bf..3263cbc 100644
rdclass = strtoclass(classname);
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index fbc7ece..31a99e7 100644
index 618ec5b..5654435 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -34,6 +34,7 @@
@ -293,7 +293,7 @@ index fbc7ece..31a99e7 100644
usekeyboard);
diff --git a/bin/named/server.c b/bin/named/server.c
index 7d85d3b..c782073 100644
index 4e503e5..f27071f 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -36,6 +36,7 @@
@ -304,7 +304,7 @@ index 7d85d3b..c782073 100644
#include <isc/portset.h>
#include <isc/print.h>
#include <isc/random.h>
@@ -8211,6 +8212,10 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8217,6 +8218,10 @@ load_configuration(const char *filename, ns_server_t *server,
"no source of entropy found");
} else {
const char *randomdev = cfg_obj_asstring(obj);
@ -315,7 +315,7 @@ index 7d85d3b..c782073 100644
int level = ISC_LOG_ERROR;
result = isc_entropy_createfilesource(ns_g_entropy,
randomdev);
@@ -8245,6 +8250,7 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8251,6 +8256,7 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
@ -688,7 +688,7 @@ index bf6dbb6..0416b21 100644
parse_args(false, argc, argv);
if (server == NULL)
diff --git a/configure b/configure
index ed002e0..a578874 100755
index 6d05371..33689c9 100755
--- a/configure
+++ b/configure
@@ -640,6 +640,7 @@ ac_includes_default="\
@ -699,7 +699,7 @@ index ed002e0..a578874 100755
BUILD_LIBS
BUILD_LDFLAGS
BUILD_CPPFLAGS
@@ -821,6 +822,7 @@ XMLSTATS
@@ -823,6 +824,7 @@ LIBXML2_CFLAGS
NZDTARGETS
NZDSRCS
NZD_TOOLS
@ -707,7 +707,7 @@ index ed002e0..a578874 100755
PKCS11_TEST
PKCS11_ED25519
PKCS11_GOST
@@ -1045,6 +1047,7 @@ with_eddsa
@@ -1047,6 +1049,7 @@ with_eddsa
with_aes
enable_openssl_hash
with_cc_alg
@ -715,7 +715,7 @@ index ed002e0..a578874 100755
with_lmdb
with_libxml2
with_libjson
@@ -1744,6 +1747,7 @@ Optional Features:
@@ -1749,6 +1752,7 @@ Optional Features:
--enable-threads enable multithreading
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
--enable-openssl-hash use OpenSSL for hash functions [default=no]
@ -723,7 +723,7 @@ index ed002e0..a578874 100755
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
@@ -17115,6 +17119,7 @@ case "$use_openssl" in
@@ -17144,6 +17148,7 @@ case "$use_openssl" in
$as_echo "disabled because of native PKCS11" >&6; }
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
@ -731,7 +731,7 @@ index ed002e0..a578874 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -17129,6 +17134,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
@@ -17158,6 +17163,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
$as_echo "no" >&6; }
DST_OPENSSL_INC=""
CRYPTO=""
@ -739,7 +739,7 @@ index ed002e0..a578874 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -17141,6 +17147,7 @@ $as_echo "no" >&6; }
@@ -17170,6 +17176,7 @@ $as_echo "no" >&6; }
auto)
DST_OPENSSL_INC=""
CRYPTO=""
@ -747,7 +747,7 @@ index ed002e0..a578874 100755
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -17150,7 +17157,7 @@ $as_echo "no" >&6; }
@@ -17179,7 +17186,7 @@ $as_echo "no" >&6; }
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@ -756,7 +756,7 @@ index ed002e0..a578874 100755
;;
*)
if test "yes" = "$want_native_pkcs11"
@@ -17181,6 +17188,7 @@ $as_echo "not found" >&6; }
@@ -17210,6 +17217,7 @@ $as_echo "not found" >&6; }
as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
fi
CRYPTO='-DOPENSSL'
@ -764,7 +764,7 @@ index ed002e0..a578874 100755
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
@@ -17806,8 +17814,6 @@ fi
@@ -17835,8 +17843,6 @@ fi
# Use OpenSSL for hash functions
#
@ -773,7 +773,7 @@ index ed002e0..a578874 100755
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in
yes)
@@ -18182,6 +18188,86 @@ if test "rt" = "$have_clock_gt"; then
@@ -18211,6 +18217,86 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
@ -860,7 +860,7 @@ index ed002e0..a578874 100755
#
# was --with-lmdb specified?
#
@@ -20264,9 +20350,12 @@ _ACEOF
@@ -20441,9 +20527,12 @@ _ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
$as_echo "size_t for buflen; int for flags" >&6; }
@ -875,7 +875,7 @@ index ed002e0..a578874 100755
$as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
@@ -21581,12 +21670,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
@@ -21758,12 +21847,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
@ -889,7 +889,7 @@ index ed002e0..a578874 100755
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
# This bug is HP SR number 8606223364.
@@ -21619,6 +21703,11 @@ cat >>confdefs.h <<_ACEOF
@@ -21796,6 +21880,11 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
@ -901,7 +901,7 @@ index ed002e0..a578874 100755
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@@ -21627,39 +21716,6 @@ _ACEOF
@@ -21804,39 +21893,6 @@ _ACEOF
fi
;;
x86_64-*|amd64-*)
@ -941,7 +941,7 @@ index ed002e0..a578874 100755
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@@ -21690,6 +21746,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
@@ -21867,6 +21923,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
$as_echo "$arch" >&6; }
fi
@ -952,7 +952,7 @@ index ed002e0..a578874 100755
if test "yes" = "$have_atomic"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
$as_echo_n "checking compiler support for inline assembly code... " >&6; }
@@ -24244,6 +24304,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
@@ -24421,6 +24481,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
#
dlzdir='${DLZ_DRIVER_DIR}'
@ -983,7 +983,7 @@ index ed002e0..a578874 100755
#
# Private autoconf macro to simplify configuring drivers:
#
@@ -24574,11 +24658,11 @@ $as_echo "no" >&6; }
@@ -24751,11 +24835,11 @@ $as_echo "no" >&6; }
$as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
;;
*)
@ -998,7 +998,7 @@ index ed002e0..a578874 100755
fi
CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
@@ -24663,7 +24747,7 @@ $as_echo "" >&6; }
@@ -24840,7 +24924,7 @@ $as_echo "" >&6; }
# Check other locations for includes.
# Order is important (sigh).
@ -1007,7 +1007,7 @@ index ed002e0..a578874 100755
# include a blank element first
for d in "" $bdb_incdirs
do
@@ -24688,57 +24772,9 @@ $as_echo "" >&6; }
@@ -24865,57 +24949,9 @@ $as_echo "" >&6; }
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
for d in $bdb_libnames
do
@ -1067,7 +1067,7 @@ index ed002e0..a578874 100755
break
fi
done
@@ -24897,10 +24933,10 @@ $as_echo "no" >&6; }
@@ -25074,10 +25110,10 @@ $as_echo "no" >&6; }
DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
fi
@ -1081,7 +1081,7 @@ index ed002e0..a578874 100755
fi
@@ -24986,11 +25022,11 @@ fi
@@ -25163,11 +25199,11 @@ fi
odbcdirs="/usr /usr/local /usr/pkg"
for d in $odbcdirs
do
@ -1095,7 +1095,7 @@ index ed002e0..a578874 100755
break
fi
done
@@ -25265,6 +25301,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
@@ -25442,6 +25478,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
@ -1104,7 +1104,7 @@ index ed002e0..a578874 100755
#
# Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody
@@ -27644,6 +27682,8 @@ report() {
@@ -27819,6 +27857,8 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
@ -1113,7 +1113,7 @@ index ed002e0..a578874 100755
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
@@ -27684,6 +27724,8 @@ report() {
@@ -27859,6 +27899,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
@ -1122,7 +1122,7 @@ index ed002e0..a578874 100755
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
@@ -27731,6 +27773,8 @@ report() {
@@ -27906,6 +27948,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
@ -1132,10 +1132,10 @@ index ed002e0..a578874 100755
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
diff --git a/configure.ac b/configure.ac
index 45a8126..bb1345b 100644
index d10cde5..68bead8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1537,6 +1537,7 @@ case "$use_openssl" in
@@ -1550,6 +1550,7 @@ case "$use_openssl" in
AC_MSG_RESULT(disabled because of native PKCS11)
DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO"
@ -1143,7 +1143,7 @@ index 45a8126..bb1345b 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -1550,6 +1551,7 @@ case "$use_openssl" in
@@ -1563,6 +1564,7 @@ case "$use_openssl" in
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
CRYPTO=""
@ -1151,7 +1151,7 @@ index 45a8126..bb1345b 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -1562,6 +1564,7 @@ case "$use_openssl" in
@@ -1575,6 +1577,7 @@ case "$use_openssl" in
auto)
DST_OPENSSL_INC=""
CRYPTO=""
@ -1159,7 +1159,7 @@ index 45a8126..bb1345b 100644
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS=""
@@ -1572,7 +1575,7 @@ case "$use_openssl" in
@@ -1585,7 +1588,7 @@ case "$use_openssl" in
OPENSSLLINKSRCS=""
AC_MSG_ERROR(
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@ -1168,7 +1168,7 @@ index 45a8126..bb1345b 100644
;;
*)
if test "yes" = "$want_native_pkcs11"
@@ -1602,6 +1605,7 @@ If you don't want OpenSSL, use --without-openssl])
@@ -1615,6 +1618,7 @@ If you don't want OpenSSL, use --without-openssl])
AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
fi
CRYPTO='-DOPENSSL'
@ -1176,7 +1176,7 @@ index 45a8126..bb1345b 100644
if test "/usr" = "$use_openssl"
then
DST_OPENSSL_INC=""
@@ -2037,7 +2041,6 @@ fi
@@ -2050,7 +2054,6 @@ fi
# Use OpenSSL for hash functions
#
@ -1184,7 +1184,7 @@ index 45a8126..bb1345b 100644
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in
yes)
@@ -2309,6 +2312,67 @@ if test "rt" = "$have_clock_gt"; then
@@ -2322,6 +2325,67 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS"
fi
@ -1252,7 +1252,7 @@ index 45a8126..bb1345b 100644
#
# was --with-lmdb specified?
#
@@ -4105,12 +4169,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
@@ -4098,12 +4162,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then
@ -1266,7 +1266,7 @@ index 45a8126..bb1345b 100644
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@@ -4119,7 +4183,6 @@ if test "yes" = "$use_atomic"; then
@@ -4112,7 +4176,6 @@ if test "yes" = "$use_atomic"; then
fi
;;
x86_64-*|amd64-*)
@ -1274,7 +1274,7 @@ index 45a8126..bb1345b 100644
if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64
have_xaddq=yes
@@ -5527,6 +5590,8 @@ report() {
@@ -5518,6 +5581,8 @@ report() {
echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
@ -1283,7 +1283,7 @@ index 45a8126..bb1345b 100644
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
@@ -5567,6 +5632,8 @@ report() {
@@ -5558,6 +5623,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
@ -1292,7 +1292,7 @@ index 45a8126..bb1345b 100644
echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)"
@@ -5614,6 +5681,8 @@ report() {
@@ -5605,6 +5672,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)"
@ -1302,7 +1302,7 @@ index 45a8126..bb1345b 100644
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index ec6e00e..1614afa 100644
index 65bf25d..1eccbe7 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
@ -1440,7 +1440,7 @@ index 304814b..60543c4 100644
isc_hash_destroy();
cleanup_db:
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index d65ce26..6849732 100644
index 13e838f..ffe0a69 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -31,6 +31,7 @@
@ -1476,7 +1476,7 @@ index d65ce26..6849732 100644
#endif
+#endif /* !ISC_PLATFORM_CRYPTORANDOM */
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void
@@ -192,7 +195,7 @@ _set_thread_id(CRYPTO_THREADID *id)
isc_result_t
@ -1845,10 +1845,10 @@ index 0000000..bd3d164
+
+#endif
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
index 5c45d59..34b660c 100644
index 63be973..40b21fa 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
@@ -1484,6 +1484,13 @@ dst_lib_destroy
@@ -1485,6 +1485,13 @@ dst_lib_destroy
dst_lib_init
dst_lib_init2
dst_lib_initmsgcat
@ -1863,7 +1863,7 @@ index 5c45d59..34b660c 100644
dst_region_computerid
dst_result_register
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
index ab2f617..ed05ed6 100644
index 907e470..451544d 100644
--- a/lib/isc/entropy.c
+++ b/lib/isc/entropy.c
@@ -104,11 +104,15 @@ struct isc_entropy {
@ -1921,10 +1921,10 @@ index ab2f617..ed05ed6 100644
+ hook = myhook;
+}
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
index 4bba8e1..632166a 100644
index e8733db..c40a18c 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
@@ -304,6 +304,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
@@ -302,6 +302,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
* isc_entropy_createcallbacksource().
*/
@ -1944,10 +1944,10 @@ index 4bba8e1..632166a 100644
#endif /* ISC_ENTROPY_H */
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index 9c7c342..ee8dc3e 100644
index 61960f1..d22993d 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -341,6 +341,11 @@
@@ -359,6 +359,11 @@
*/
@ISC_PLATFORM_HAVESTRINGSH@
@ -1960,10 +1960,10 @@ index 9c7c342..ee8dc3e 100644
* Define if the hash functions must be provided by OpenSSL.
*/
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
index 42ff7e0..8d87c44 100644
index da9d66f..4205400 100644
--- a/lib/isc/include/isc/types.h
+++ b/lib/isc/include/isc/types.h
@@ -93,6 +93,8 @@ typedef struct isc_time isc_time_t; /*%< Time */
@@ -97,6 +97,8 @@ typedef struct isc_time isc_time_t; /*%< Time */
typedef struct isc_timer isc_timer_t; /*%< Timer */
typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */
@ -1973,7 +1973,7 @@ index 42ff7e0..8d87c44 100644
typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index 8e6ed93..ceb5a2c 100644
index 68aebdc..4b85527 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
@ -1999,10 +1999,10 @@ index 8e6ed93..ceb5a2c 100644
cleanup:
if (stream != NULL)
diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in
index 5b8a2c9..913a2ce 100644
index 8ade705..fa72f9d 100644
--- a/lib/isc/win32/include/isc/platform.h.in
+++ b/lib/isc/win32/include/isc/platform.h.in
@@ -69,6 +69,11 @@
@@ -73,6 +73,11 @@
#define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
#define ISC_PLATFORM_NORETURN_POST
@ -2015,7 +2015,7 @@ index 5b8a2c9..913a2ce 100644
* Define if the hash functions must be provided by OpenSSL.
*/
diff --git a/win32utils/Configure b/win32utils/Configure
index ccaf067..240fb80 100644
index 79d682e..6c78cb2 100644
--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
@ -2036,15 +2036,15 @@ index ccaf067..240fb80 100644
"fixed-rrset",
"intrinsics",
"isc-spnego",
@@ -581,6 +583,7 @@ my @help = (
@@ -580,6 +582,7 @@ my @help = (
"\nOptional Features:\n",
" enable-intrinsics enable instrinsic/atomic functions [default=yes]\n",
" enable-intrinsics enable intrinsic/atomic functions [default=yes]\n",
" enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n",
+" enable-crypto-rand use crypto provider for random [default=yes]\n",
" enable-openssl-hash use OpenSSL for hash functions [default=yes]\n",
" enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n",
" enable-filter-aaaa enable filtering of AAAA records [default=yes]\n",
@@ -630,7 +633,9 @@ my $want_clean = "no";
@@ -628,7 +631,9 @@ my $want_clean = "no";
my $want_unknown = "no";
my $unknown_value;
my $enable_intrinsics = "yes";
@ -2054,7 +2054,7 @@ index ccaf067..240fb80 100644
my $enable_openssl_hash = "auto";
my $enable_filter_aaaa = "yes";
my $enable_isc_spnego = "yes";
@@ -850,6 +855,10 @@ sub myenable {
@@ -847,6 +852,10 @@ sub myenable {
if ($val =~ /^yes$/i) {
$enable_native_pkcs11 = "yes";
}
@ -2065,7 +2065,7 @@ index ccaf067..240fb80 100644
} elsif ($key =~ /^openssl-hash$/i) {
if ($val =~ /^yes$/i) {
$enable_openssl_hash = "yes";
@@ -1158,6 +1167,11 @@ if ($verbose) {
@@ -1153,6 +1162,11 @@ if ($verbose) {
} else {
print "native-pkcs11: disabled\n";
}
@ -2077,7 +2077,7 @@ index ccaf067..240fb80 100644
if ($enable_openssl_hash eq "yes") {
print "openssl-hash: enabled\n";
} else {
@@ -1516,6 +1530,7 @@ if ($enable_intrinsics eq "yes") {
@@ -1510,6 +1524,7 @@ if ($enable_intrinsics eq "yes") {
# enable-native-pkcs11
if ($enable_native_pkcs11 eq "yes") {
@ -2085,7 +2085,7 @@ index ccaf067..240fb80 100644
if ($use_openssl eq "auto") {
$use_openssl = "no";
}
@@ -1725,6 +1740,7 @@ if ($use_openssl eq "yes") {
@@ -1719,6 +1734,7 @@ if ($use_openssl eq "yes") {
$openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
}
@ -2093,7 +2093,7 @@ index ccaf067..240fb80 100644
$configcond{"OPENSSL"} = 1;
$configdefd{"CRYPTO"} = "OPENSSL";
$configvar{"OPENSSL_PATH"} = "$openssl_path";
@@ -2296,6 +2312,15 @@ if ($use_aes eq "yes") {
@@ -2290,6 +2306,15 @@ if ($use_aes eq "yes") {
}
@ -2109,7 +2109,7 @@ index ccaf067..240fb80 100644
# enable-openssl-hash
if ($enable_openssl_hash eq "yes") {
if ($use_openssl eq "no") {
@@ -3671,6 +3696,7 @@ exit 0;
@@ -3665,6 +3690,7 @@ exit 0;
# --enable-developer partially supported
# --enable-newstats (9.9/9.9sub only)
# --enable-native-pkcs11 supported
@ -2118,5 +2118,5 @@ index ccaf067..240fb80 100644
# --enable-openssl-hash supported
# --enable-threads included without a way to disable it
--
2.20.1
2.21.1

96
SOURCES/bind-9.11-rt46047.patch
View File

@ -1,4 +1,4 @@
From 5a465424f5249ceaf0547ab90361a16eb08f7a2b Mon Sep 17 00:00:00 2001
From 344c19ad4b3f058e65a4b41650bb0ee20692cc5c Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 28 Sep 2017 10:09:22 -0700
Subject: [PATCH] completed and corrected the crypto-random change
@ -39,15 +39,15 @@ Subject: [PATCH] completed and corrected the crypto-random change
bin/tests/system/tkey/keycreate.c | 4 +-
bin/tests/system/tkey/keydelete.c | 5 +--
doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++-------
doc/arm/notes-rh-changes.xml | 43 ++++++++++++++++++
doc/arm/notes-rh-changes.xml | 42 ++++++++++++++++++
doc/arm/notes.xml | 1 +
lib/dns/dst_api.c | 4 +-
lib/dns/include/dst/dst.h | 14 +++++-
lib/dns/openssl_link.c | 3 +-
lib/isc/include/isc/entropy.h | 50 +++++++++++++++------
lib/isc/include/isc/entropy.h | 48 +++++++++++++++------
lib/isc/include/isc/random.h | 28 +++++++-----
lib/isccfg/namedconf.c | 2 +-
23 files changed, 241 insertions(+), 106 deletions(-)
23 files changed, 240 insertions(+), 104 deletions(-)
create mode 100644 doc/arm/notes-rh-changes.xml
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
@ -78,10 +78,10 @@ index 295e16f..0f79aa8 100644
&entropy_source,
randomfile,
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 0ae6b41..4562430 100644
index 1826919..96543fc 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -348,15 +348,23 @@
@@ -349,15 +349,23 @@
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
@ -114,7 +114,7 @@ index 0ae6b41..4562430 100644
</listitem>
</varlistentry>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 31a99e7..38c83ed 100644
index 5654435..24c0d5a 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
@ -142,10 +142,10 @@ index 31a99e7..38c83ed 100644
usekeyboard);
diff --git a/bin/named/client.c b/bin/named/client.c
index 50fa2cd..524d9a3 100644
index 9a0d3c8..c573177 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1762,7 +1762,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
@@ -1765,7 +1765,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
isc_buffer_init(&buf, cookie, sizeof(cookie));
isc_stdtime_get(&now);
@ -223,7 +223,7 @@ index d955c2f..40621f2 100644
} else
eresult = ns_control_docommand(request, listener->readonly, &text);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 7ee8f66..8982d26 100644
index 3f96b7b..c92922e 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -20,6 +20,7 @@
@ -255,7 +255,7 @@ index 9dea7c1..272d300 100644
#include <isc/task.h>
#include <isc/util.h>
diff --git a/bin/named/query.c b/bin/named/query.c
index c9e5469..0940714 100644
index 203f1e6..25eeced 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -19,6 +19,7 @@
@ -267,10 +267,10 @@ index c9e5469..0940714 100644
#include <isc/serial.h>
#include <isc/stats.h>
diff --git a/bin/named/server.c b/bin/named/server.c
index 36fc047..3c1eec0 100644
index f27071f..f132c19 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -8208,21 +8208,32 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8210,21 +8210,32 @@ load_configuration(const char *filename, ns_server_t *server,
* Open the source of entropy.
*/
if (first_time) {
@ -312,7 +312,7 @@ index 36fc047..3c1eec0 100644
#ifdef PATH_RANDOMDEV
if (ns_g_fallbackentropy != NULL) {
level = ISC_LOG_INFO;
@@ -8233,8 +8244,8 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8235,8 +8246,8 @@ load_configuration(const char *filename, ns_server_t *server,
NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER,
level,
@ -323,7 +323,7 @@ index 36fc047..3c1eec0 100644
randomdev,
isc_result_totext(result));
}
@@ -8254,7 +8265,6 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8256,7 +8267,6 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
@ -331,7 +331,7 @@ index 36fc047..3c1eec0 100644
#endif
}
@@ -9022,6 +9032,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
@@ -9025,6 +9035,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
server->in_roothints = NULL;
server->blackholeacl = NULL;
server->keepresporder = NULL;
@ -339,7 +339,7 @@ index 36fc047..3c1eec0 100644
/* Must be first. */
CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
@@ -9048,6 +9059,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
@@ -9051,6 +9062,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
&server->tkeyctx),
"creating TKEY context");
@ -349,7 +349,7 @@ index 36fc047..3c1eec0 100644
/*
* Setup the server task, which is responsible for coordinating
@@ -9254,7 +9268,8 @@ ns_server_destroy(ns_server_t **serverp) {
@@ -9257,7 +9271,8 @@ ns_server_destroy(ns_server_t **serverp) {
if (server->zonemgr != NULL)
dns_zonemgr_detach(&server->zonemgr);
@ -359,7 +359,7 @@ index 36fc047..3c1eec0 100644
if (server->tkeyctx != NULL)
dns_tkeyctx_destroy(&server->tkeyctx);
@@ -13230,10 +13245,10 @@ newzone_cfgctx_destroy(void **cfgp) {
@@ -13263,10 +13278,10 @@ newzone_cfgctx_destroy(void **cfgp) {
static isc_result_t
generate_salt(unsigned char *salt, size_t saltlen) {
@ -372,7 +372,7 @@ index 36fc047..3c1eec0 100644
} rnd;
unsigned char text[512 + 1];
isc_region_t r;
@@ -13243,9 +13258,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
@@ -13276,9 +13291,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
if (saltlen > 256U)
return (ISC_R_RANGE);
@ -455,10 +455,10 @@ index 2146f9b..64b8e74 100644
}
#endif
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 33e06e6..539973c 100644
index 93c7a08..bb1e81d 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5076,22 +5076,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
@@ -5081,22 +5081,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<term><command>random-device</command></term>
<listitem>
<para>
@ -522,11 +522,10 @@ index 33e06e6..539973c 100644
</varlistentry>
diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
new file mode 100644
index 0000000..11c3a7c
index 0000000..89a4961
--- /dev/null
+++ b/doc/arm/notes-rh-changes.xml
@@ -0,0 +1,43 @@
+
@@ -0,0 +1,42 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
@ -570,10 +569,10 @@ index 0000000..11c3a7c
+</section>
+
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index b16dab6..763ff7e 100644
index 589a347..052a0bd 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -36,6 +36,7 @@
@@ -40,6 +40,7 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.1.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.0.xml"/>
@ -582,7 +581,7 @@ index b16dab6..763ff7e 100644
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
</section>
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 1614afa..0f52df9 100644
index 1eccbe7..1933993 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
@ -625,7 +624,7 @@ index 6813c96..665574d 100644
bool
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 6849732..e00a0e4 100644
index ffe0a69..5e48686 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) {
@ -639,19 +638,10 @@ index 6849732..e00a0e4 100644
#ifndef DONT_REQUIRE_DST_LIB_INIT
INSIST(dst__memory_pool != NULL);
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
index 632166a..c7cb17d 100644
index c40a18c..c7cb17d 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
-
#ifndef ISC_ENTROPY_H
#define ISC_ENTROPY_H 1
@@ -191,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
@@ -189,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
/*!<
* \brief Create an entropy source that is polled via a callback.
*
@ -663,18 +653,23 @@ index 632166a..c7cb17d 100644
*
* Samples are added via isc_entropy_addcallbacksample(), below.
* _addcallbacksample() is the only function which may be called from
@@ -234,15 +231,32 @@ isc_result_t
@@ -232,15 +231,32 @@ isc_result_t
isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*!<
- * \brief Extract data from the entropy pool. This may load the pool from various
- * sources.
+ * \brief Get random data from entropy pool 'ent'.
+ *
*
- * Do this by stirring the pool and returning a part of hash as randomness.
- * Note that no secrets are given away here since parts of the hash are
- * xored together before returned.
+ * If a hook has been set up using isc_entropy_sethook() and
+ * isc_entropy_usehook(), then the hook function will be called to get
+ * random data.
+ *
*
- * Honor the request from the caller to only return good data, any data,
- * etc.
+ * Otherwise, randomness is extracted from the entropy pool set up in BIND.
+ * This may cause the pool to be loaded from various sources. Ths is done
+ * by stirring the pool and returning a part of hash as randomness.
@ -685,17 +680,12 @@ index 632166a..c7cb17d 100644
+ * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is
+ * not in use. If it is, the flags will be passed to the hook function
+ * but it may ignore them.
*
- * Do this by stiring the pool and returning a part of hash as randomness.
- * Note that no secrets are given away here since parts of the hash are
- * xored together before returned.
+ *
+ * Up to 'length' bytes of randomness are retrieved and copied into 'data'.
+ * (If 'returned' is not NULL, and the number of bytes copied is less than
+ * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the
+ * number of bytes copied will be stored in *returned.)
*
- * Honor the request from the caller to only return good data, any data,
- * etc.
+ *
+ * Returns:
+ * \li ISC_R_SUCCESS on success
+ * \li ISC_R_NOENTROPY if entropy pool is empty
@ -703,7 +693,7 @@ index 632166a..c7cb17d 100644
*/
void
@@ -307,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
@@ -305,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
void
isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
/*!<
@ -782,7 +772,7 @@ index f8aed34..17c551b 100644
ISC_LANG_ENDDECLS
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 03890a3..7bad989 100644
index 1c45d5c..91693b5 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1109,7 +1109,7 @@ options_clauses[] = {
@ -795,5 +785,5 @@ index 03890a3..7bad989 100644
{ "recursive-clients", &cfg_type_uint32, 0 },
{ "reserved-sockets", &cfg_type_uint32, 0 },
--
2.20.1
2.21.1

219
SOURCES/bind-9.11-serve-stale.patch
View File

@ -1,4 +1,4 @@
From 2bdcb7159b1ac097355e95864e979b4f68bc1a4e Mon Sep 17 00:00:00 2001
From 521fc8dcc0ac064ae8bc521418f5b03f0ceec657 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 7 Nov 2019 14:31:03 +0100
Subject: [PATCH] Implement serve-stale in 9.11
@ -257,13 +257,13 @@ Signed-off-by: Petr Menšík <pemensik@redhat.com>
lib/dns/master.c | 14 +-
lib/dns/masterdump.c | 23 +
lib/dns/rbtdb.c | 207 ++++++-
lib/dns/resolver.c | 78 ++-
lib/dns/resolver.c | 79 ++-
lib/dns/sdb.c | 4 +-
lib/dns/sdlz.c | 4 +-
lib/dns/tests/db_test.c | 198 ++++++-
lib/dns/view.c | 3 +
lib/isccfg/namedconf.c | 5 +
48 files changed, 2121 insertions(+), 102 deletions(-)
48 files changed, 2122 insertions(+), 102 deletions(-)
create mode 100644 bin/tests/system/serve-stale/.gitignore
create mode 100644 bin/tests/system/serve-stale/ans2/ans.pl.in
create mode 100644 bin/tests/system/serve-stale/clean.sh
@ -389,22 +389,22 @@ index 9661f56..445b578 100644
bool root_key_sentinel_is_ta;
bool root_key_sentinel_not_ta;
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 8982d26..919ac28 100644
index c92922e..588bf2d 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -224,7 +224,10 @@ enum {
@@ -226,7 +226,10 @@ enum {
dns_nsstatscounter_tcphighwater = 57,
dns_nsstatscounter_reclimitdropped = 58,
- dns_nsstatscounter_max = 58
+ dns_nsstatscounter_trystale = 58,
+ dns_nsstatscounter_usedstale = 59,
- dns_nsstatscounter_max = 59
+ dns_nsstatscounter_trystale = 59,
+ dns_nsstatscounter_usedstale = 60,
+
+ dns_nsstatscounter_max = 60
+ dns_nsstatscounter_max = 61
};
/*%
@@ -763,4 +766,12 @@ ns_server_mkeys(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
@@ -765,4 +768,12 @@ ns_server_mkeys(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
isc_result_t
ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
@ -430,7 +430,7 @@ index 3aa25e9..12f178b 100644
};
diff --git a/bin/named/query.c b/bin/named/query.c
index 0940714..882d69c 100644
index 25eeced..162e4ea 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -125,10 +125,14 @@
@ -733,10 +733,10 @@ index 0940714..882d69c 100644
(!PARTIALANSWER(client) || WANTRECURSION(client)
|| eresult == DNS_R_DROP)) {
diff --git a/bin/named/server.c b/bin/named/server.c
index 0c1f08b..d195bca 100644
index 1f23cf0..1fa836f 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1722,7 +1722,8 @@ static bool
@@ -1720,7 +1720,8 @@ static bool
cache_sharable(dns_view_t *originview, dns_view_t *view,
bool new_zero_no_soattl,
unsigned int new_cleaning_interval,
@ -746,7 +746,7 @@ index 0c1f08b..d195bca 100644
{
/*
* If the cache cannot even reused for the same view, it cannot be
@@ -1737,6 +1738,7 @@ cache_sharable(dns_view_t *originview, dns_view_t *view,
@@ -1735,6 +1736,7 @@ cache_sharable(dns_view_t *originview, dns_view_t *view,
*/
if (dns_cache_getcleaninginterval(originview->cache) !=
new_cleaning_interval ||
@ -754,7 +754,7 @@ index 0c1f08b..d195bca 100644
dns_cache_getcachesize(originview->cache) != new_max_cache_size) {
return (false);
}
@@ -3292,6 +3294,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
@@ -3290,6 +3292,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
size_t max_acache_size;
size_t max_adb_size;
uint32_t lame_ttl, fail_ttl;
@ -762,7 +762,7 @@ index 0c1f08b..d195bca 100644
dns_tsig_keyring_t *ring = NULL;
dns_view_t *pview = NULL; /* Production view */
isc_mem_t *cmctx = NULL, *hmctx = NULL;
@@ -3320,6 +3323,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
@@ -3318,6 +3321,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
bool old_rpz_ok = false;
isc_dscp_t dscp4 = -1, dscp6 = -1;
dns_dyndbctx_t *dctx = NULL;
@ -770,7 +770,7 @@ index 0c1f08b..d195bca 100644
REQUIRE(DNS_VIEW_VALID(view));
@@ -3734,6 +3738,24 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
@@ -3732,6 +3736,24 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
if (view->maxncachettl > 7 * 24 * 3600)
view->maxncachettl = 7 * 24 * 3600;
@ -795,7 +795,7 @@ index 0c1f08b..d195bca 100644
/*
* Configure the view's cache.
*
@@ -3767,7 +3789,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
@@ -3765,7 +3787,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
nsc = cachelist_find(cachelist, cachename, view->rdclass);
if (nsc != NULL) {
if (!cache_sharable(nsc->primaryview, view, zero_no_soattl,
@ -805,7 +805,7 @@ index 0c1f08b..d195bca 100644
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"views %s and %s can't share the cache "
@@ -3866,9 +3889,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
@@ -3864,9 +3887,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
dns_cache_setcleaninginterval(cache, cleaning_interval);
dns_cache_setcachesize(cache, max_cache_size);
@ -821,7 +821,7 @@ index 0c1f08b..d195bca 100644
/*
* Resolver.
*
@@ -4057,6 +4086,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
@@ -4055,6 +4084,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
maxbits = 4096;
view->maxbits = maxbits;
@ -843,7 +843,7 @@ index 0c1f08b..d195bca 100644
/*
* Set supported DNSSEC algorithms.
*/
@@ -14423,3 +14467,132 @@ ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
@@ -14456,3 +14500,132 @@ ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
return (ISC_R_NOTIMPLEMENTED);
#endif
}
@ -977,13 +977,13 @@ index 0c1f08b..d195bca 100644
+ return (result);
+}
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
index 4cdf7d6..5b413e7 100644
index 4b8d972..8c68737 100644
--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
@@ -297,6 +297,12 @@ init_desc(void) {
"QryNXRedirRLookup");
SET_NSSTATDESC(badcookie, "sent badcookie response", "QryBADCOOKIE");
SET_NSSTATDESC(keytagopt, "Keytag option received", "KeyTagOpt");
@@ -300,6 +300,12 @@ init_desc(void) {
SET_NSSTATDESC(reclimitdropped,
"queries dropped due to recursive client limit",
"RecLimitDropped");
+ SET_NSSTATDESC(trystale,
+ "attempts to use stale cache data after lookup failure",
+ "QryTryStale");
@ -1007,10 +1007,10 @@ index 8083654..d519983 100644
Print a zone's configuration.\n\
sign zone [class [view]]\n\
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index 06b073a..6ae8e5d 100644
index e14a17e..eaf32d3 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -688,6 +688,25 @@
@@ -689,6 +689,25 @@
</listitem>
</varlistentry>
@ -1052,10 +1052,10 @@ index f3f1939..9ff3f07 100644
+ exit 1
+fi
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index f781966..d20a830 100644
index 22749b9..a247fd5 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -125,7 +125,7 @@ PARALLELDIRS="dnssec rpzrecurse \
@@ -128,7 +128,7 @@ PARALLELDIRS="dnssec rpzrecurse \
reclimit redirect resolver rndc rootkeysentinel rpz \
rrchecker rrl rrsetorder rsabigexponent runtime \
sfcache smartsign sortlist \
@ -2039,10 +2039,10 @@ index 0000000..201c996
+echo "I:exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 539973c..8528649 100644
index bb1e81d..6dbbfad 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -4376,6 +4376,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
@@ -4381,6 +4381,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
statement in the <filename>named.conf</filename> file:
</para>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="options.grammar.xml"/>
@ -2052,7 +2052,7 @@ index 539973c..8528649 100644
</section>
<section xml:id="options"><info><title><command>options</command> Statement Definition and
@@ -4469,6 +4472,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
@@ -4474,6 +4477,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<command>dnssec-validation</command>,
<command>max-cache-ttl</command>,
<command>max-ncache-ttl</command>,
@ -2060,7 +2060,7 @@ index 539973c..8528649 100644
<command>max-cache-size</command>, and
<command>zero-no-soa-ttl</command>.
</para>
@@ -5480,7 +5484,6 @@ options {
@@ -5485,7 +5489,6 @@ options {
</listitem>
</varlistentry>
@ -2068,7 +2068,7 @@ index 539973c..8528649 100644
<varlistentry>
<term><command>max-zone-ttl</command></term>
<listitem>
@@ -5516,6 +5519,21 @@ options {
@@ -5521,6 +5524,21 @@ options {
</listitem>
</varlistentry>
@ -2090,7 +2090,7 @@ index 539973c..8528649 100644
<varlistentry>
<term><command>serial-update-method</command></term>
<listitem>
@@ -6275,6 +6293,22 @@ options {
@@ -6280,6 +6298,22 @@ options {
</listitem>
</varlistentry>
@ -2113,7 +2113,7 @@ index 539973c..8528649 100644
<varlistentry>
<term><command>nocookie-udp-size</command></term>
<listitem>
@@ -7483,14 +7517,20 @@ options {
@@ -7501,14 +7535,20 @@ options {
<term><command>resolver-query-timeout</command></term>
<listitem>
<para>
@ -2137,7 +2137,7 @@ index 539973c..8528649 100644
</listitem>
</varlistentry>
</variablelist>
@@ -8976,6 +9016,27 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
@@ -8994,6 +9034,27 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</listitem>
</varlistentry>
@ -2188,10 +2188,10 @@ index 181def7..59f6afb 100644
<entry colname="1">
<para><command>spill</command></para>
diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
index 11c3a7c..ba3c2cc 100644
index 89a4961..80b7dee 100644
--- a/doc/arm/notes-rh-changes.xml
+++ b/doc/arm/notes-rh-changes.xml
@@ -13,6 +13,9 @@
@@ -12,6 +12,9 @@
<section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes</title></info>
<itemizedlist>
<listitem>
@ -2201,7 +2201,7 @@ index 11c3a7c..ba3c2cc 100644
<para>
By default, BIND now uses the random number generation functions
in the cryptographic library (i.e., OpenSSL or a PKCS#11
@@ -37,7 +40,16 @@
@@ -36,7 +39,16 @@
case <filename>/dev/random</filename> will be the default
entropy source. [RT #31459] [RT #46047]
</para>
@ -2278,7 +2278,7 @@ index e11beed..fde93c7 100644
topology { <address_match_element>; ... }; // not implemented
transfer-format ( many-answers | one-answer );
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 5c057a4..7b82618 100644
index eaac5ba..a89d78f 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -99,7 +99,8 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
@ -2379,7 +2379,7 @@ index 5c057a4..7b82618 100644
}
}
}
@@ -1267,7 +1276,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
@@ -1271,7 +1280,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"auto-dnssec may only be activated at the "
"zone level");
@ -2389,7 +2389,7 @@ index 5c057a4..7b82618 100644
}
}
@@ -1287,7 +1297,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
@@ -1291,7 +1301,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
{
obj = cfg_listelt_value(element);
tresult = mustbesecure(obj, symtab, logctx, mctx);
@ -2398,7 +2398,7 @@ index 5c057a4..7b82618 100644
result = tresult;
}
if (symtab != NULL)
@@ -1306,7 +1316,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
@@ -1310,7 +1320,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"%s: invalid name '%s'",
server_contact[i], str);
@ -2408,7 +2408,7 @@ index 5c057a4..7b82618 100644
}
}
}
@@ -1326,7 +1337,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
@@ -1330,7 +1341,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"disable-empty-zone: invalid name '%s'",
str);
@ -2418,7 +2418,7 @@ index 5c057a4..7b82618 100644
}
}
@@ -1340,11 +1352,12 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
@@ -1344,11 +1356,12 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
strlen(cfg_obj_asstring(obj)) > 1024U) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'server-id' too big (>1024 bytes)");
@ -2433,7 +2433,7 @@ index 5c057a4..7b82618 100644
result = tresult;
obj = NULL;
@@ -1354,11 +1367,13 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
@@ -1358,11 +1371,13 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
if (lifetime > 604800) { /* 7 days */
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'nta-lifetime' cannot exceed one week");
@ -2449,7 +2449,7 @@ index 5c057a4..7b82618 100644
}
}
@@ -1369,7 +1384,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
@@ -1373,7 +1388,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
if (recheck > 604800) { /* 7 days */
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'nta-recheck' cannot exceed one week");
@ -2459,7 +2459,7 @@ index 5c057a4..7b82618 100644
}
if (recheck > lifetime)
@@ -1387,7 +1403,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
@@ -1391,7 +1407,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
if (strcasecmp(ccalg, "aes") == 0) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"cookie-algorithm: '%s' not supported", ccalg);
@ -2469,7 +2469,7 @@ index 5c057a4..7b82618 100644
}
#endif
@@ -1476,7 +1493,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
@@ -1480,7 +1497,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"%s out of range (%u < %u)",
fstrm[i].name, value, fstrm[i].min);
@ -2479,7 +2479,7 @@ index 5c057a4..7b82618 100644
}
if (strcmp(fstrm[i].name, "fstrm-set-input-queue-size") == 0) {
@@ -1490,7 +1508,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
@@ -1494,7 +1512,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
"%s '%u' not a power-of-2",
fstrm[i].name,
cfg_obj_asuint32(obj));
@ -2489,7 +2489,7 @@ index 5c057a4..7b82618 100644
}
}
}
@@ -1508,7 +1527,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
@@ -1512,7 +1531,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
"%" PRId64 "' "
"is too small",
mapsize);
@ -2499,7 +2499,7 @@ index 5c057a4..7b82618 100644
} else if (mapsize > (1ULL << 40)) { /* 1 terabyte */
cfg_obj_log(obj, logctx,
ISC_LOG_ERROR,
@@ -1516,10 +1536,20 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
@@ -1520,10 +1540,20 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
"%" PRId64 "' "
"is too large",
mapsize);
@ -2669,10 +2669,10 @@ index 62797db..714b78e 100644
dns_cache_flush(dns_cache_t *cache);
/*%<
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
index ae6ae36..5079053 100644
index 6f0eed0..e3917f2 100644
--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
@@ -197,6 +197,8 @@ typedef struct dns_dbmethods {
@@ -195,6 +195,8 @@ typedef struct dns_dbmethods {
dns_name_t *name);
isc_result_t (*getsize)(dns_db_t *db, dns_dbversion_t *version,
uint64_t *records, uint64_t *bytes);
@ -2681,7 +2681,7 @@ index ae6ae36..5079053 100644
} dns_dbmethods_t;
typedef isc_result_t
@@ -255,6 +257,7 @@ struct dns_dbonupdatelistener {
@@ -253,6 +255,7 @@ struct dns_dbonupdatelistener {
#define DNS_DBFIND_FORCENSEC3 0x0080
#define DNS_DBFIND_ADDITIONALOK 0x0100
#define DNS_DBFIND_NOZONECUT 0x0200
@ -2689,7 +2689,7 @@ index ae6ae36..5079053 100644
/*@}*/
/*@{*/
@@ -1685,6 +1688,38 @@ dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name);
@@ -1683,6 +1686,38 @@ dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name);
* \li 'db' is a valid database
* \li 'node' and 'name' are not NULL
*/
@ -2783,7 +2783,7 @@ index 5295d8e..97071ed 100644
/*%
* _OMITDNSSEC:
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index 6da41b7..7b397cb 100644
index 0b66c75..4b4b6bd 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -547,9 +547,12 @@ dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name);
@ -2883,7 +2883,7 @@ index c849dec..647ca2a 100644
#define DNS_VIEW_MAGIC ISC_MAGIC('V','i','e','w')
diff --git a/lib/dns/master.c b/lib/dns/master.c
index 2a87bca..ac4bb19 100644
index 8edd732..8c9f00e 100644
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -1948,12 +1948,18 @@ load_text(dns_loadctx_t *lctx) {
@ -2979,10 +2979,10 @@ index 13d1a3e..873b694 100644
RUNTIME_CHECK(result == ISC_R_SUCCESS);
isc_buffer_usedregion(&buffer, &r);
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 738aa20..5055fcb 100644
index 02f2c84..fda991d 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -488,6 +488,7 @@ typedef ISC_LIST(rdatasetheader_t) rdatasetheaderlist_t;
@@ -490,6 +490,7 @@ typedef ISC_LIST(rdatasetheader_t) rdatasetheaderlist_t;
typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t;
#define RDATASET_ATTR_NONEXISTENT 0x0001
@ -2990,7 +2990,7 @@ index 738aa20..5055fcb 100644
#define RDATASET_ATTR_STALE 0x0002
#define RDATASET_ATTR_IGNORE 0x0004
#define RDATASET_ATTR_RETAIN 0x0008
@@ -500,6 +501,8 @@ typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t;
@@ -502,6 +503,8 @@ typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t;
#define RDATASET_ATTR_CASESET 0x0400
#define RDATASET_ATTR_ZEROTTL 0x0800
#define RDATASET_ATTR_CASEFULLYLOWER 0x1000
@ -2999,7 +2999,7 @@ index 738aa20..5055fcb 100644
typedef struct acache_cbarg {
dns_rdatasetadditional_t type;
@@ -550,6 +553,8 @@ struct acachectl {
@@ -552,6 +555,8 @@ struct acachectl {
(((header)->attributes & RDATASET_ATTR_ZEROTTL) != 0)
#define CASEFULLYLOWER(header) \
(((header)->attributes & RDATASET_ATTR_CASEFULLYLOWER) != 0)
@ -3008,7 +3008,7 @@ index 738aa20..5055fcb 100644
#define ACTIVE(header, now) \
@@ -609,6 +614,12 @@ typedef enum {
@@ -611,6 +616,12 @@ typedef enum {
expire_flush
} expire_t;
@ -3021,7 +3021,7 @@ index 738aa20..5055fcb 100644
typedef struct rbtdb_version {
/* Not locked */
rbtdb_serial_t serial;
@@ -676,6 +687,12 @@ struct dns_rbtdb {
@@ -678,6 +689,12 @@ struct dns_rbtdb {
dns_dbnode_t *soanode;
dns_dbnode_t *nsnode;
@ -3034,7 +3034,7 @@ index 738aa20..5055fcb 100644
/*
* This is a linked list used to implement the LRU cache. There will
* be node_lock_count linked lists here. Nodes in bucket 1 will be
@@ -719,6 +736,8 @@ struct dns_rbtdb {
@@ -721,6 +738,8 @@ struct dns_rbtdb {
#define RBTDB_ATTR_LOADED 0x01
#define RBTDB_ATTR_LOADING 0x02
@ -3043,7 +3043,7 @@ index 738aa20..5055fcb 100644
/*%
* Search Context
*/
@@ -1784,15 +1803,15 @@ rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) {
@@ -1791,15 +1810,15 @@ rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) {
}
static inline void
@ -3063,7 +3063,7 @@ index 738aa20..5055fcb 100644
header->node->dirty = 1;
/*
@@ -1833,8 +1852,8 @@ clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
@@ -1840,8 +1859,8 @@ clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
/*
* If current is nonexistent or stale, we can clean it up.
*/
@ -3074,7 +3074,7 @@ index 738aa20..5055fcb 100644
if (top_prev != NULL)
top_prev->next = current->next;
else
@@ -2076,6 +2095,80 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
@@ -2086,6 +2105,80 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
}
}
@ -3155,7 +3155,7 @@ index 738aa20..5055fcb 100644
/*
* Caller must be holding the node lock.
*/
@@ -3308,6 +3401,12 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
@@ -3313,6 +3406,12 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
rdataset->attributes |= DNS_RDATASETATTR_OPTOUT;
if (PREFETCH(header))
rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;
@ -3168,7 +3168,7 @@ index 738aa20..5055fcb 100644
rdataset->private1 = rbtdb;
rdataset->private2 = node;
raw = (unsigned char *)header + sizeof(*header);
@@ -4648,6 +4747,19 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
@@ -4653,6 +4752,19 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
#endif
if (!ACTIVE(header, search->now)) {
@ -3188,7 +3188,7 @@ index 738aa20..5055fcb 100644
/*
* This rdataset is stale. If no one else is using the
* node, we can clean it up right now, otherwise we mark
@@ -4687,7 +4799,7 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
@@ -4692,7 +4804,7 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
node->data = header->next;
free_rdataset(search->rbtdb, mctx, header);
} else {
@ -3197,7 +3197,7 @@ index 738aa20..5055fcb 100644
*header_prev = header;
}
} else
@@ -5125,7 +5237,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
@@ -5130,7 +5242,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
&locktype, lock, &search,
&header_prev)) {
/* Do nothing. */
@ -3206,7 +3206,7 @@ index 738aa20..5055fcb 100644
/*
* We now know that there is at least one active
* non-stale rdataset at this node.
@@ -5603,7 +5715,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
@@ -5608,7 +5720,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
* refcurrent(rbtnode) must be non-zero. This is so
* because 'node' is an argument to the function.
*/
@ -3215,7 +3215,7 @@ index 738aa20..5055fcb 100644
if (log)
isc_log_write(dns_lctx, category, module,
level, "overmem cache: stale %s",
@@ -5611,7 +5723,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
@@ -5616,7 +5728,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
} else if (force_expire) {
if (! RETAIN(header)) {
set_ttl(rbtdb, header, 0);
@ -3224,7 +3224,7 @@ index 738aa20..5055fcb 100644
} else if (log) {
isc_log_write(dns_lctx, category, module,
level, "overmem cache: "
@@ -5868,9 +5980,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
@@ -5873,9 +5985,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
* non-zero. This is so because 'node' is an
* argument to the function.
*/
@ -3236,7 +3236,7 @@ index 738aa20..5055fcb 100644
if (header->type == matchtype)
found = header;
else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
@@ -6160,7 +6272,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
@@ -6167,7 +6279,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
topheader = topheader->next)
{
set_ttl(rbtdb, topheader, 0);
@ -3245,7 +3245,7 @@ index 738aa20..5055fcb 100644
}
goto find_header;
}
@@ -6218,7 +6330,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
@@ -6225,7 +6337,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
* ncache entry.
*/
set_ttl(rbtdb, topheader, 0);
@ -3254,7 +3254,7 @@ index 738aa20..5055fcb 100644
topheader = NULL;
goto find_header;
}
@@ -6256,8 +6368,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
@@ -6263,8 +6375,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
}
/*
@ -3268,7 +3268,7 @@ index 738aa20..5055fcb 100644
*/
if (rbtversion == NULL && trust < header->trust &&
(ACTIVE(header, now) || header_nx)) {
@@ -6286,6 +6401,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
@@ -6293,6 +6408,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
if ((options & DNS_DBADD_EXACT) != 0)
flags |= DNS_RDATASLAB_EXACT;
@ -3279,7 +3279,7 @@ index 738aa20..5055fcb 100644
if ((options & DNS_DBADD_EXACTTTL) != 0 &&
newheader->rdh_ttl != header->rdh_ttl)
result = DNS_R_NOTEXACT;
@@ -6329,11 +6448,12 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
@@ -6336,11 +6455,12 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
}
}
/*
@ -3297,7 +3297,7 @@ index 738aa20..5055fcb 100644
*/
if (IS_CACHE(rbtdb) && ACTIVE(header, now) &&
header->type == dns_rdatatype_ns &&
@@ -6508,10 +6628,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
@@ -6511,10 +6631,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
changed->dirty = true;
if (rbtversion == NULL) {
set_ttl(rbtdb, header, 0);
@ -3310,7 +3310,7 @@ index 738aa20..5055fcb 100644
}
}
if (rbtversion != NULL && !header_nx) {
@@ -8310,6 +8430,30 @@ nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) {
@@ -8331,6 +8451,30 @@ nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) {
return (result);
}
@ -3341,7 +3341,7 @@ index 738aa20..5055fcb 100644
static dns_dbmethods_t zone_methods = {
attach,
detach,
@@ -8355,7 +8499,9 @@ static dns_dbmethods_t zone_methods = {
@@ -8376,7 +8520,9 @@ static dns_dbmethods_t zone_methods = {
NULL,
hashsize,
nodefullname,
@ -3352,7 +3352,7 @@ index 738aa20..5055fcb 100644
};
static dns_dbmethods_t cache_methods = {
@@ -8403,7 +8549,9 @@ static dns_dbmethods_t cache_methods = {
@@ -8424,7 +8570,9 @@ static dns_dbmethods_t cache_methods = {
setcachestats,
hashsize,
nodefullname,
@ -3363,7 +3363,7 @@ index 738aa20..5055fcb 100644
};
isc_result_t
@@ -8674,7 +8822,7 @@ dns_rbtdb_create
@@ -8695,7 +8843,7 @@ dns_rbtdb_create
rbtdb->rpzs = NULL;
rbtdb->load_rpzs = NULL;
rbtdb->rpz_num = DNS_RPZ_INVALID_NUM;
@ -3372,7 +3372,7 @@ index 738aa20..5055fcb 100644
/*
* Version Initialization.
*/
@@ -9092,7 +9240,8 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
@@ -9113,7 +9261,8 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
* rdatasets to work.
*/
if (NONEXISTENT(header) ||
@ -3382,7 +3382,7 @@ index 738aa20..5055fcb 100644
header = NULL;
break;
} else
@@ -10280,7 +10429,7 @@ static inline bool
@@ -10322,7 +10471,7 @@ static inline bool
need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now) {
if ((header->attributes &
(RDATASET_ATTR_NONEXISTENT |
@ -3391,7 +3391,7 @@ index 738aa20..5055fcb 100644
RDATASET_ATTR_ZEROTTL)) != 0)
return (false);
@@ -10386,7 +10535,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
@@ -10428,7 +10577,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
bool tree_locked, expire_t reason)
{
set_ttl(rbtdb, header, 0);
@ -3401,7 +3401,7 @@ index 738aa20..5055fcb 100644
/*
* Caller must hold the node (write) lock.
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 04a58c0..164fc01 100644
index 337a2f3..24e14d2 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -141,16 +141,17 @@
@ -3434,18 +3434,19 @@ index 04a58c0..164fc01 100644
#endif
/* The default maximum number of recursions to follow before giving up. */
@@ -496,6 +497,10 @@ struct dns_resolver {
unsigned int maxqueries;
isc_result_t quotaresp[2];
+ /* Additions for serve-stale feature. */
@@ -515,6 +516,11 @@ struct dns_resolver {
dns_fetch_t * primefetch;
/* Locked by nlock. */
unsigned int nfctx;
+
+ /* Unlocked. Additions for serve-stale feature. */
+ unsigned int retryinterval; /* in milliseconds */
+ unsigned int nonbackofftries;
+
/* Locked by lock. */
unsigned int references;
bool exiting;
@@ -1617,14 +1622,12 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
};
#define RES_MAGIC ISC_MAGIC('R', 'e', 's', '!')
@@ -1625,14 +1631,12 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
unsigned int seconds;
unsigned int us;
@ -3464,7 +3465,7 @@ index 04a58c0..164fc01 100644
/*
* Add a fudge factor to the expected rtt based on the current
@@ -4481,7 +4484,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
@@ -4494,7 +4498,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
/*
* Compute an expiration time for the entire fetch.
*/
@ -3474,7 +3475,7 @@ index 04a58c0..164fc01 100644
iresult = isc_time_nowplusinterval(&fctx->expires, &interval);
if (iresult != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -8965,6 +8969,8 @@ dns_resolver_create(dns_view_t *view,
@@ -8983,6 +8988,8 @@ dns_resolver_create(dns_view_t *view,
res->spillattimer = NULL;
res->zspill = 0;
res->zero_no_soa_ttl = false;
@ -3483,7 +3484,7 @@ index 04a58c0..164fc01 100644
res->query_timeout = DEFAULT_QUERY_TIMEOUT;
res->maxdepth = DEFAULT_RECURSION_DEPTH;
res->maxqueries = DEFAULT_MAX_QUERIES;
@@ -10291,17 +10297,20 @@ dns_resolver_gettimeout(dns_resolver_t *resolver) {
@@ -10317,17 +10324,20 @@ dns_resolver_gettimeout(dns_resolver_t *resolver) {
}
void
@ -3512,7 +3513,7 @@ index 04a58c0..164fc01 100644
}
void
@@ -10398,3 +10407,34 @@ dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which)
@@ -10424,3 +10434,34 @@ dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which)
return (resolver->quotaresp[which]);
}
@ -3578,7 +3579,7 @@ index 0b9620c..331992e 100644
/*
diff --git a/lib/dns/tests/db_test.c b/lib/dns/tests/db_test.c
index 35cf21d..bf39545 100644
index 2849775..812f750 100644
--- a/lib/dns/tests/db_test.c
+++ b/lib/dns/tests/db_test.c
@@ -28,8 +28,9 @@
@ -3809,7 +3810,7 @@ index 35cf21d..bf39545 100644
_setup, _teardown),
cmocka_unit_test_setup_teardown(dbtype_test,
diff --git a/lib/dns/view.c b/lib/dns/view.c
index a1a4301..abf6a4c 100644
index 0fca1d9..55ede81 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -229,6 +229,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
@ -3823,7 +3824,7 @@ index a1a4301..abf6a4c 100644
view->maxbits = 0;
view->v4_aaaa = dns_aaaa_ok;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 7bad989..bbf4b45 100644
index 91693b5..5771774 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1778,6 +1778,7 @@ view_clauses[] = {
@ -3854,5 +3855,5 @@ index 7bad989..bbf4b45 100644
{ "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_NOTIMP },
{ "transfer-format", &cfg_type_transferformat, 0 },
--
2.20.1
2.21.1

39
SOURCES/bind-9.11-zone2ldap.patch
View File

@ -1,18 +1,18 @@
From 0430b3ac66169eea7a74aaa8bfca50400d3497cf Mon Sep 17 00:00:00 2001
From 9683a4d2524b870c4cee09259cb5eb7b8075a507 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 18 Dec 2018 16:06:26 +0100
Subject: [PATCH] Make absolute hostname by dns API instead of strings
Duplicate all strings in dc_list. Free allocated memory on each record.
---
bin/sdb_tools/zone2ldap.c | 71 +++++++++++++++++++++++++--------------
1 file changed, 45 insertions(+), 26 deletions(-)
bin/sdb_tools/zone2ldap.c | 70 +++++++++++++++++++++++++--------------
1 file changed, 45 insertions(+), 25 deletions(-)
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index 76186b5..28df191 100644
index d59936c..9ba73b8 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
@@ -87,6 +87,10 @@ int get_attr_list_size (char **tmp);
@@ -84,6 +84,10 @@ int get_attr_list_size (char **tmp);
/* Get a DN */
char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone);
@ -23,7 +23,7 @@ index 76186b5..28df191 100644
/* Add to RR list */
void add_to_rr_list (char *dn, char *name, char *type, char *data,
unsigned int ttl, unsigned int flags);
@@ -123,6 +127,7 @@ static char dNSTTL []="dNSTTL";
@@ -120,6 +124,7 @@ static char dNSTTL []="dNSTTL";
static char zoneName []="zoneName";
static char dc []="dc";
static char sameZone []="@";
@ -31,7 +31,7 @@ index 76186b5..28df191 100644
/* LDAPMod mod_values: */
static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
@@ -396,6 +401,8 @@ main (int argc, char **argv)
@@ -391,6 +396,8 @@ main (int argc, char **argv)
}
}
@ -40,7 +40,7 @@ index 76186b5..28df191 100644
}
else
{
@@ -451,12 +458,18 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
@@ -446,12 +453,18 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
char data[2048];
char **dc_list;
char *dn;
@ -59,7 +59,7 @@ index 76186b5..28df191 100644
isc_result_check (result, "dns_name_totext");
name[isc_buffer_usedlength (&buff)] = 0;
@@ -478,6 +491,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
@@ -473,6 +486,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data);
add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT);
@ -67,7 +67,7 @@ index 76186b5..28df191 100644
}
@@ -538,12 +552,9 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -533,12 +547,9 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs == (LDAPMod **) NULL)
fatal("calloc");
@ -83,7 +83,7 @@ index 76186b5..28df191 100644
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
tmp->attrs[0]->mod_type = objectClass;
@@ -559,9 +570,18 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -554,9 +565,18 @@ add_to_rr_list (char *dn, char *name, char *type,
return;
}
@ -103,12 +103,11 @@ index 76186b5..28df191 100644
if (tmp->attrs[1]->mod_values == (char **)NULL)
fatal("calloc");
@@ -705,25 +725,16 @@ char **
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
@@ -701,24 +721,16 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
{
char *tmp;
- int i = 0;
+ int i = 0, j = 0;
int i = 0;
+ int j = 0;
char *hname=0L, *last=0L;
int hlen=strlen(hostname), zlen=(strlen(zone));
@ -131,7 +130,7 @@ index 76186b5..28df191 100644
last = strdup(sameZone);
}else
{
@@ -731,8 +742,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
@@ -726,8 +738,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
||( strcmp( hostname + (hlen - zlen), zone ) != 0)
)
{
@ -140,7 +139,7 @@ index 76186b5..28df191 100644
hname=(char*)malloc( hlen + zlen + 1);
if( *zone == '.' )
sprintf(hname, "%s%s", hostname, zone);
@@ -740,8 +749,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
@@ -735,8 +745,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
sprintf(hname,"%s",zone);
}else
{
@ -150,7 +149,7 @@ index 76186b5..28df191 100644
}
last = hname;
}
@@ -754,18 +762,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
@@ -749,18 +758,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
for (tmp = strrchr (hname, '.'); tmp != (char *) 0;
tmp = strrchr (hname, '.'))
{
@ -176,7 +175,7 @@ index 76186b5..28df191 100644
if( ( last != hname ) && (tmp != hname) )
dn_buffer[i++] = hname;
dn_buffer[i++] = last;
@@ -825,6 +836,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
@@ -820,6 +832,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
return dn;
}
@ -192,5 +191,5 @@ index 76186b5..28df191 100644
/* Initialize LDAP Conn */
void
--
2.20.1
2.21.1

222
SOURCES/bind-9.11.13-CVE-2020-8616.patch
View File

@ -1,222 +0,0 @@
From 165181b794e185af8621300e2a68777a04af8358 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 15 May 2020 14:55:26 +0200
Subject: [PATCH] CVE-2020-8616
5395. [security] Further limit the number of queries that can be
triggered from a request. Root and TLD servers
are no longer exempt from max-recursion-queries.
Fetches for missing name server address records
are limited to 4 for any domain. (CVE-2020-8616)
[GL #1388]
---
lib/dns/adb.c | 33 +++++++++++++----------
lib/dns/include/dns/adb.h | 4 +++
lib/dns/resolver.c | 55 ++++++++++++++++++++++++++-------------
3 files changed, 60 insertions(+), 32 deletions(-)
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index 3d12221..ec183d0 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
*/
#define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
-#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
- != 0)
-#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \
- != 0)
-#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
-#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
-#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
-#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
+#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
+#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
+#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
+#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
+#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
+#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
+#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
/*
* These are currently used on simple unsigned ints, so they are
@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
* Listen to negative cache hints, and don't start
* another query.
*/
- if (NCACHE_RESULT(result) || AUTH_NX(result))
+ if (NCACHE_RESULT(result) || AUTH_NX(result)) {
goto fetch;
+ }
- if (!NAME_FETCH_V6(adbname))
+ if (!NAME_FETCH_V6(adbname)) {
wanted_fetches |= DNS_ADBFIND_INET6;
+ }
}
fetch:
if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
(WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
+ {
have_address = true;
- else
+ } else {
have_address = false;
- if (wanted_fetches != 0 &&
- ! (FIND_AVOIDFETCHES(find) && have_address)) {
+ }
+ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
+ !FIND_NOFETCH(find))
+ {
/*
* We're missing at least one address family. Either the
* caller hasn't instructed us to avoid fetches, or we don't
@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
* be acceptable so we have to launch fetches.
*/
- if (FIND_STARTATZONE(find))
+ if (FIND_STARTATZONE(find)) {
start_at_zone = true;
+ }
/*
* Start V4.
diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
index ca35bac..3e27c9e 100644
--- a/lib/dns/include/dns/adb.h
+++ b/lib/dns/include/dns/adb.h
@@ -207,6 +207,10 @@ struct dns_adbfind {
* lame for this query.
*/
#define DNS_ADBFIND_OVERQUOTA 0x00000400
+/*%
+ * Don't perform a fetch even if there are no address records available.
+ */
+#define DNS_ADBFIND_NOFETCH 0x00000800
/*%
* The answers to queries come back as a list of these.
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 164fc01..79ad212 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -173,6 +173,14 @@
#define DEFAULT_MAX_QUERIES 75
#endif
+/*
+ * After NS_FAIL_LIMIT attempts to fetch a name server address,
+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
+ * stop trying to fetch, in order to avoid wasting resources.
+ */
+#define NS_FAIL_LIMIT 4
+#define NS_RR_LIMIT 5
+
/* Number of hash buckets for zone counters */
#ifndef RES_DOMAIN_BUCKETS
#define RES_DOMAIN_BUCKETS 523
@@ -3121,8 +3129,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
static void
findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
unsigned int options, unsigned int flags, isc_stdtime_t now,
- bool *overquota, bool *need_alternate)
-{
+ bool *overquota, bool *need_alternate, unsigned int *no_addresses) {
dns_adbaddrinfo_t *ai;
dns_adbfind_t *find;
dns_resolver_t *res;
@@ -3210,7 +3217,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
find->result_v6 != DNS_R_NXDOMAIN) ||
(res->dispatches6 == NULL &&
find->result_v4 != DNS_R_NXDOMAIN)))
+ {
*need_alternate = true;
+ }
+ if (no_addresses != NULL) {
+ (*no_addresses)++;
+ }
} else {
if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
if (overquota != NULL)
@@ -3261,6 +3273,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
dns_rdata_ns_t ns;
bool need_alternate = false;
bool all_spilled = true;
+ unsigned int no_addresses = 0;
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
@@ -3428,20 +3441,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
* Extract the name from the NS record.
*/
result = dns_rdata_tostruct(&rdata, &ns, NULL);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
continue;
+ }
- findname(fctx, &ns.name, 0, stdoptions, 0, now,
- &overquota, &need_alternate);
+ if (no_addresses > NS_FAIL_LIMIT &&
+ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
+ {
+ stdoptions |= DNS_ADBFIND_NOFETCH;
+ }
+ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
+ &need_alternate, &no_addresses);
- if (!overquota)
+ if (!overquota) {
all_spilled = false;
+ }
dns_rdata_reset(&rdata);
dns_rdata_freestruct(&ns);
}
- if (result != ISC_R_NOMORE)
+ if (result != ISC_R_NOMORE) {
return (result);
+ }
/*
* Do we need to use 6 to 4?
@@ -3456,7 +3477,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
if (!a->isaddress) {
findname(fctx, &a->_u._n.name, a->_u._n.port,
stdoptions, FCTX_ADDRINFO_FORWARDER,
- now, NULL, NULL);
+ now, NULL, NULL, NULL);
continue;
}
if (isc_sockaddr_pf(&a->_u.addr) != family)
@@ -3818,16 +3839,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
}
}
- if (dns_name_countlabels(&fctx->domain) > 2) {
- result = isc_counter_increment(fctx->qc);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
- "exceeded max queries resolving '%s'",
- fctx->info);
- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
- return;
- }
+ result = isc_counter_increment(fctx->qc);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+ "exceeded max queries resolving '%s'",
+ fctx->info);
+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+ return;
}
bucketnum = fctx->bucketnum;
--
2.21.1

40
SOURCES/bind-9.11.13-CVE-2020-8617.patch
View File

@ -1,40 +0,0 @@
From f6ca6392adf7f5a94c804d8a8a1233d90170f490 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 15 May 2020 14:56:33 +0200
Subject: [PATCH] CVE-2020-8617
5390. [security] Replaying a TSIG BADTIME response as a request could
trigger an assertion failure. (CVE-2020-8617)
[GL #1703]
---
lib/dns/tsig.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index c6f9d1b..aee8eb0 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -1431,8 +1431,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
goto cleanup_context;
}
msg->verified_sig = 1;
- } else if (tsig.error != dns_tsigerror_badsig &&
- tsig.error != dns_tsigerror_badkey) {
+ } else if (!response || (tsig.error != dns_tsigerror_badsig &&
+ tsig.error != dns_tsigerror_badkey))
+ {
tsig_log(msg->tsigkey, 2, "signature was empty");
return (DNS_R_TSIGVERIFYFAILURE);
}
@@ -1488,7 +1489,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
}
}
- if (tsig.error != dns_rcode_noerror) {
+ if (response && tsig.error != dns_rcode_noerror) {
msg->tsigstatus = tsig.error;
if (tsig.error == dns_tsigerror_badtime)
ret = DNS_R_CLOCKSKEW;
--
2.21.1

513
SOURCES/bind-9.11.13-rwlock.patch
View File

@ -1,513 +0,0 @@
From bc9a36bad14b014340244bfc35a20df6809a5568 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Thu, 27 Feb 2020 15:35:31 +0100
Subject: [PATCH] Fix rwlock to be thread-safe
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a backport of the following commits
commit 4cf275ba8aa1caf47ed763b51c37fa561005cb8d
Author: Ondřej Surý <ondrej@isc.org>
Date: Wed Feb 12 09:17:55 2020 +0100
Replace non-loop usage of atomic_compare_exchange_weak with strong variant
commit b43f5e023885dac9f1ffdace54720150768a333b
Author: Ondřej Surý <ondrej@isc.org>
Date: Sat Feb 1 10:48:20 2020 +0100
Convert all atomic operations in isc_rwlock to release-acquire memory ordering
commit 49462cf9747261cbc39d5fa4c691b64ac5472af4
Author: Ondřej Surý <ondrej@sury.org>
Date: Tue May 14 00:19:11 2019 +0700
Make isc_rwlock.c thread-safe
commit 9d5df99a9d9d13c9487969b6fa3818a8b83b4ee2
Author: Ondřej Surý <ondrej@sury.org>
Date: Thu Aug 23 15:30:06 2018 +0200
Directly use return value of atomic_compare_exchange_strong_explicit insteaf of comparing expected value
commit b5709e5531d9d45f9fc3db129c11ad474477d7b6
Author: Ondřej Surý <ondrej@sury.org>
Date: Fri Aug 17 19:21:12 2018 +0200
Explicitly load atomic values in lib/isc/rwlock.c
---
lib/isc/rwlock.c | 275 ++++++++++++++++++-----------------------------
1 file changed, 107 insertions(+), 168 deletions(-)
diff --git a/lib/isc/rwlock.c b/lib/isc/rwlock.c
index 9533c0f828..5591eff719 100644
--- a/lib/isc/rwlock.c
+++ b/lib/isc/rwlock.c
@@ -46,6 +46,26 @@
#if defined(ISC_RWLOCK_USEATOMIC)
static isc_result_t
isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
+
+#ifndef ISC_RWLOCK_USESTDATOMIC
+#error non-stdatomic support removed
+#endif
+
+#define atomic_load_acquire(o) \
+ atomic_load_explicit((o), memory_order_acquire)
+#define atomic_store_release(o, v) \
+ atomic_store_explicit((o), (v), memory_order_release)
+#define atomic_fetch_add_release(o, v) \
+ atomic_fetch_add_explicit((o), (v), memory_order_release)
+#define atomic_fetch_sub_release(o, v) \
+ atomic_fetch_sub_explicit((o), (v), memory_order_release)
+#define atomic_compare_exchange_weak_acq_rel(o, e, d) \
+ atomic_compare_exchange_weak_explicit((o), (e), (d), \
+ memory_order_acq_rel, \
+ memory_order_acquire)
+#define atomic_compare_exchange_strong_acq_rel(o, e, d) \
+ atomic_compare_exchange_strong_explicit( \
+ (o), (e), (d), memory_order_acq_rel, memory_order_acquire)
#endif
#ifdef ISC_RWLOCK_TRACE
@@ -108,13 +128,13 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
*/
rwl->magic = 0;
- rwl->spins = 0;
#if defined(ISC_RWLOCK_USEATOMIC)
- rwl->write_requests = 0;
- rwl->write_completions = 0;
- rwl->cnt_and_flag = 0;
+ atomic_init(&rwl->spins, 0);
+ atomic_init(&rwl->write_requests, 0);
+ atomic_init(&rwl->write_completions, 0);
+ atomic_init(&rwl->cnt_and_flag, 0);
rwl->readers_waiting = 0;
- rwl->write_granted = 0;
+ atomic_init(&rwl->write_granted, 0);
if (read_quota != 0) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"read quota is not supported");
@@ -123,6 +143,7 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
write_quota = RWLOCK_DEFAULT_WRITE_QUOTA;
rwl->write_quota = write_quota;
#else
+ rwl->spins = 0;
rwl->type = isc_rwlocktype_read;
rwl->original = isc_rwlocktype_none;
rwl->active = 0;
@@ -178,16 +199,9 @@ void
isc_rwlock_destroy(isc_rwlock_t *rwl) {
REQUIRE(VALID_RWLOCK(rwl));
-#if defined(ISC_RWLOCK_USEATOMIC)
- REQUIRE(rwl->write_requests == rwl->write_completions &&
- rwl->cnt_and_flag == 0 && rwl->readers_waiting == 0);
-#else
- LOCK(&rwl->lock);
- REQUIRE(rwl->active == 0 &&
- rwl->readers_waiting == 0 &&
- rwl->writers_waiting == 0);
- UNLOCK(&rwl->lock);
-#endif
+ REQUIRE(atomic_load_acquire(&rwl->write_requests) ==
+ atomic_load_acquire(&rwl->write_completions) &&
+ atomic_load_acquire(&rwl->cnt_and_flag) == 0 && rwl->readers_waiting == 0);
rwl->magic = 0;
(void)isc_condition_destroy(&rwl->readable);
@@ -274,10 +288,13 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
#endif
if (type == isc_rwlocktype_read) {
- if (rwl->write_requests != rwl->write_completions) {
+ if (atomic_load_acquire(&rwl->write_requests) !=
+ atomic_load_acquire(&rwl->write_completions))
+ {
/* there is a waiting or active writer */
LOCK(&rwl->lock);
- if (rwl->write_requests != rwl->write_completions) {
+ if (atomic_load_acquire(&rwl->write_requests) !=
+ atomic_load_acquire(&rwl->write_completions)) {
rwl->readers_waiting++;
WAIT(&rwl->readable, &rwl->lock);
rwl->readers_waiting--;
@@ -285,23 +302,24 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
UNLOCK(&rwl->lock);
}
-#if defined(ISC_RWLOCK_USESTDATOMIC)
- cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
- READER_INCR,
- memory_order_relaxed);
-#else
- cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
-#endif
+ cntflag = atomic_fetch_add_release(&rwl->cnt_and_flag,
+ READER_INCR);
POST(cntflag);
while (1) {
- if ((rwl->cnt_and_flag & WRITER_ACTIVE) == 0)
+ if ((atomic_load_acquire(&rwl->cnt_and_flag)
+ & WRITER_ACTIVE) == 0)
+ {
break;
+ }
/* A writer is still working */
LOCK(&rwl->lock);
rwl->readers_waiting++;
- if ((rwl->cnt_and_flag & WRITER_ACTIVE) != 0)
+ if ((atomic_load_acquire(&rwl->cnt_and_flag)
+ & WRITER_ACTIVE) != 0)
+ {
WAIT(&rwl->readable, &rwl->lock);
+ }
rwl->readers_waiting--;
UNLOCK(&rwl->lock);
@@ -336,20 +354,19 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
* quota, reset the condition (race among readers doesn't
* matter).
*/
- rwl->write_granted = 0;
+ atomic_store_release(&rwl->write_granted, 0);
} else {
int32_t prev_writer;
/* enter the waiting queue, and wait for our turn */
-#if defined(ISC_RWLOCK_USESTDATOMIC)
- prev_writer = atomic_fetch_add_explicit(&rwl->write_requests, 1,
- memory_order_relaxed);
-#else
- prev_writer = isc_atomic_xadd(&rwl->write_requests, 1);
-#endif
- while (rwl->write_completions != prev_writer) {
+ prev_writer = atomic_fetch_add_release(&rwl->write_requests, 1);
+ while (atomic_load_acquire(&rwl->write_completions)
+ != prev_writer)
+ {
LOCK(&rwl->lock);
- if (rwl->write_completions != prev_writer) {
+ if (atomic_load_acquire(&rwl->write_completions)
+ != prev_writer)
+ {
WAIT(&rwl->writeable, &rwl->lock);
UNLOCK(&rwl->lock);
continue;
@@ -359,29 +376,24 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
}
while (1) {
-#if defined(ISC_RWLOCK_USESTDATOMIC)
int_fast32_t cntflag2 = 0;
- atomic_compare_exchange_strong_explicit
- (&rwl->cnt_and_flag, &cntflag2, WRITER_ACTIVE,
- memory_order_relaxed, memory_order_relaxed);
-#else
- int32_t cntflag2;
- cntflag2 = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
- WRITER_ACTIVE);
-#endif
-
- if (cntflag2 == 0)
+ if (atomic_compare_exchange_weak_acq_rel(
+ &rwl->cnt_and_flag, &cntflag2, WRITER_ACTIVE))
+ {
break;
+ }
/* Another active reader or writer is working. */
LOCK(&rwl->lock);
- if (rwl->cnt_and_flag != 0)
+ if (atomic_load_acquire(&rwl->cnt_and_flag) != 0) {
WAIT(&rwl->writeable, &rwl->lock);
+ }
UNLOCK(&rwl->lock);
}
- INSIST((rwl->cnt_and_flag & WRITER_ACTIVE) != 0);
- rwl->write_granted++;
+ INSIST((atomic_load_acquire(&rwl->cnt_and_flag)
+ & WRITER_ACTIVE));
+ atomic_fetch_add_release(&rwl->write_granted, 1);
}
#ifdef ISC_RWLOCK_TRACE
@@ -395,12 +407,10 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
isc_result_t
isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
int32_t cnt = 0;
- int32_t max_cnt = rwl->spins * 2 + 10;
+ int32_t spins = atomic_load_acquire(&rwl->spins) * 2 + 10;
+ int32_t max_cnt = ISC_MAX(spins, RWLOCK_MAX_ADAPTIVE_COUNT);
isc_result_t result = ISC_R_SUCCESS;
- if (max_cnt > RWLOCK_MAX_ADAPTIVE_COUNT)
- max_cnt = RWLOCK_MAX_ADAPTIVE_COUNT;
-
do {
if (cnt++ >= max_cnt) {
result = isc__rwlock_lock(rwl, type);
@@ -411,7 +421,7 @@ isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
#endif
} while (isc_rwlock_trylock(rwl, type) != ISC_R_SUCCESS);
- rwl->spins += (cnt - rwl->spins) / 8;
+ atomic_fetch_add_release(&rwl->spins, (cnt - spins) / 8);
return (result);
}
@@ -429,36 +439,28 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
if (type == isc_rwlocktype_read) {
/* If a writer is waiting or working, we fail. */
- if (rwl->write_requests != rwl->write_completions)
+ if (atomic_load_acquire(&rwl->write_requests) !=
+ atomic_load_acquire(&rwl->write_completions))
return (ISC_R_LOCKBUSY);
/* Otherwise, be ready for reading. */
-#if defined(ISC_RWLOCK_USESTDATOMIC)
- cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
- READER_INCR,
- memory_order_relaxed);
-#else
- cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
-#endif
+ cntflag = atomic_fetch_add_release(&rwl->cnt_and_flag,
+ READER_INCR);
if ((cntflag & WRITER_ACTIVE) != 0) {
/*
* A writer is working. We lose, and cancel the read
* request.
*/
-#if defined(ISC_RWLOCK_USESTDATOMIC)
- cntflag = atomic_fetch_sub_explicit
- (&rwl->cnt_and_flag, READER_INCR,
- memory_order_relaxed);
-#else
- cntflag = isc_atomic_xadd(&rwl->cnt_and_flag,
- -READER_INCR);
-#endif
+ cntflag = atomic_fetch_sub_release(
+ &rwl->cnt_and_flag, READER_INCR);
/*
* If no other readers are waiting and we've suspended
* new writers in this short period, wake them up.
*/
if (cntflag == READER_INCR &&
- rwl->write_completions != rwl->write_requests) {
+ atomic_load_acquire(&rwl->write_completions) !=
+ atomic_load_acquire(&rwl->write_requests))
+ {
LOCK(&rwl->lock);
BROADCAST(&rwl->writeable);
UNLOCK(&rwl->lock);
@@ -468,31 +470,19 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
}
} else {
/* Try locking without entering the waiting queue. */
-#if defined(ISC_RWLOCK_USESTDATOMIC)
int_fast32_t zero = 0;
- if (!atomic_compare_exchange_strong_explicit
- (&rwl->cnt_and_flag, &zero, WRITER_ACTIVE,
- memory_order_relaxed, memory_order_relaxed))
+ if (!atomic_compare_exchange_strong_acq_rel(
+ &rwl->cnt_and_flag, &zero, WRITER_ACTIVE))
+ {
return (ISC_R_LOCKBUSY);
-#else
- cntflag = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
- WRITER_ACTIVE);
- if (cntflag != 0)
- return (ISC_R_LOCKBUSY);
-#endif
+ }
/*
* XXXJT: jump into the queue, possibly breaking the writer
* order.
*/
-#if defined(ISC_RWLOCK_USESTDATOMIC)
- atomic_fetch_sub_explicit(&rwl->write_completions, 1,
- memory_order_relaxed);
-#else
- (void)isc_atomic_xadd(&rwl->write_completions, -1);
-#endif
-
- rwl->write_granted++;
+ atomic_fetch_sub_release(&rwl->write_completions, 1);
+ atomic_fetch_add_release(&rwl->write_granted, 1);
}
#ifdef ISC_RWLOCK_TRACE
@@ -507,14 +497,12 @@ isc_result_t
isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
REQUIRE(VALID_RWLOCK(rwl));
-#if defined(ISC_RWLOCK_USESTDATOMIC)
{
int_fast32_t reader_incr = READER_INCR;
/* Try to acquire write access. */
- atomic_compare_exchange_strong_explicit
- (&rwl->cnt_and_flag, &reader_incr, WRITER_ACTIVE,
- memory_order_relaxed, memory_order_relaxed);
+ atomic_compare_exchange_strong_acq_rel(
+ &rwl->cnt_and_flag, &reader_incr, WRITER_ACTIVE);
/*
* There must have been no writer, and there must have
* been at least one reader.
@@ -527,36 +515,11 @@ isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
* We are the only reader and have been upgraded.
* Now jump into the head of the writer waiting queue.
*/
- atomic_fetch_sub_explicit(&rwl->write_completions, 1,
- memory_order_relaxed);
+ atomic_fetch_sub_release(&rwl->write_completions, 1);
} else
return (ISC_R_LOCKBUSY);
}
-#else
- {
- int32_t prevcnt;
-
- /* Try to acquire write access. */
- prevcnt = isc_atomic_cmpxchg(&rwl->cnt_and_flag,
- READER_INCR, WRITER_ACTIVE);
- /*
- * There must have been no writer, and there must have
- * been at least one reader.
- */
- INSIST((prevcnt & WRITER_ACTIVE) == 0 &&
- (prevcnt & ~WRITER_ACTIVE) != 0);
-
- if (prevcnt == READER_INCR) {
- /*
- * We are the only reader and have been upgraded.
- * Now jump into the head of the writer waiting queue.
- */
- (void)isc_atomic_xadd(&rwl->write_completions, -1);
- } else
- return (ISC_R_LOCKBUSY);
- }
-#endif
return (ISC_R_SUCCESS);
}
@@ -567,33 +530,15 @@ isc_rwlock_downgrade(isc_rwlock_t *rwl) {
REQUIRE(VALID_RWLOCK(rwl));
-#if defined(ISC_RWLOCK_USESTDATOMIC)
- {
- /* Become an active reader. */
- prev_readers = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
- READER_INCR,
- memory_order_relaxed);
- /* We must have been a writer. */
- INSIST((prev_readers & WRITER_ACTIVE) != 0);
-
- /* Complete write */
- atomic_fetch_sub_explicit(&rwl->cnt_and_flag, WRITER_ACTIVE,
- memory_order_relaxed);
- atomic_fetch_add_explicit(&rwl->write_completions, 1,
- memory_order_relaxed);
- }
-#else
- {
- /* Become an active reader. */
- prev_readers = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
- /* We must have been a writer. */
- INSIST((prev_readers & WRITER_ACTIVE) != 0);
-
- /* Complete write */
- (void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
- (void)isc_atomic_xadd(&rwl->write_completions, 1);
- }
-#endif
+ /* Become an active reader. */
+ prev_readers = atomic_fetch_add_release(&rwl->cnt_and_flag,
+ READER_INCR);
+ /* We must have been a writer. */
+ INSIST((prev_readers & WRITER_ACTIVE) != 0);
+
+ /* Complete write */
+ atomic_fetch_sub_release(&rwl->cnt_and_flag, WRITER_ACTIVE);
+ atomic_fetch_add_release(&rwl->write_completions, 1);
/* Resume other readers */
LOCK(&rwl->lock);
@@ -614,20 +559,16 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
#endif
if (type == isc_rwlocktype_read) {
-#if defined(ISC_RWLOCK_USESTDATOMIC)
- prev_cnt = atomic_fetch_sub_explicit(&rwl->cnt_and_flag,
- READER_INCR,
- memory_order_relaxed);
-#else
- prev_cnt = isc_atomic_xadd(&rwl->cnt_and_flag, -READER_INCR);
-#endif
+ prev_cnt = atomic_fetch_sub_release(&rwl->cnt_and_flag,
+ READER_INCR);
/*
* If we're the last reader and any writers are waiting, wake
* them up. We need to wake up all of them to ensure the
* FIFO order.
*/
if (prev_cnt == READER_INCR &&
- rwl->write_completions != rwl->write_requests) {
+ atomic_load_acquire(&rwl->write_completions) !=
+ atomic_load_acquire(&rwl->write_requests)) {
LOCK(&rwl->lock);
BROADCAST(&rwl->writeable);
UNLOCK(&rwl->lock);
@@ -639,19 +580,16 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
* Reset the flag, and (implicitly) tell other writers
* we are done.
*/
-#if defined(ISC_RWLOCK_USESTDATOMIC)
- atomic_fetch_sub_explicit(&rwl->cnt_and_flag, WRITER_ACTIVE,
- memory_order_relaxed);
- atomic_fetch_add_explicit(&rwl->write_completions, 1,
- memory_order_relaxed);
-#else
- (void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
- (void)isc_atomic_xadd(&rwl->write_completions, 1);
-#endif
-
- if (rwl->write_granted >= rwl->write_quota ||
- rwl->write_requests == rwl->write_completions ||
- (rwl->cnt_and_flag & ~WRITER_ACTIVE) != 0) {
+ atomic_fetch_sub_release(&rwl->cnt_and_flag, WRITER_ACTIVE);
+ atomic_fetch_add_release(&rwl->write_completions, 1);
+
+ if ((atomic_load_acquire(&rwl->write_granted) >=
+ rwl->write_quota) ||
+ (atomic_load_acquire(&rwl->write_requests) ==
+ atomic_load_acquire(&rwl->write_completions)) ||
+ (atomic_load_acquire(&rwl->cnt_and_flag)
+ & ~WRITER_ACTIVE))
+ {
/*
* We have passed the write quota, no writer is
* waiting, or some readers are almost ready, pending
@@ -668,7 +606,8 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
UNLOCK(&rwl->lock);
}
- if (rwl->write_requests != rwl->write_completions &&
+ if ((atomic_load_acquire(&rwl->write_requests) !=
+ atomic_load_acquire(&rwl->write_completions)) &&
wakeup_writers) {
LOCK(&rwl->lock);
BROADCAST(&rwl->writeable);
--
2.21.0

202
SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch
View File

@ -1,5 +1,5 @@
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
index 95ab742..6069f09 100644
index 95ab742..5059a17 100644
--- a/bin/sdb_tools/Makefile.in
+++ b/bin/sdb_tools/Makefile.in
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
@ -7,49 +7,46 @@ index 95ab742..6069f09 100644
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ ldap2zone@EXEEXT@
-OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@
+OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ ldap2zone.@O@
-SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
+SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c
+SRCS = zone2ldap.c zonetodb.c zone2sqlite.c ldap2zone.c
MANPAGES = zone2ldap.1
@@ -53,6 +53,9 @@ zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
@@ -47,6 +47,9 @@ EXT_CFLAGS =
zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
+ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
+
clean distclean manclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
@@ -62,6 +65,7 @@ installdirs:
install:: ${TARGETS} installdirs
@@ -64,4 +67,5 @@ install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index aa2c711..76186b5 100644
index e0e9207..d59936c 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
@@ -66,6 +66,9 @@ ldap_info;
/* usage Info */
void usage (void);
@@ -73,7 +73,7 @@ void add_ldap_values (ldap_info * ldinfo);
void init_ldap_conn (void);
+/* Check for existence of (and possibly add) containing dNSZone objects */
+int lookup_dns_zones( ldap_info *ldinfo);
+
/* Add to the ldap dit */
void add_ldap_values (ldap_info * ldinfo);
/* Ldap error checking */
-void ldap_result_check (const char *msg, char *dn, int err);
+void ldap_result_check (const char *msg, const char *dn, int err);
@@ -82,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
/* Put a hostname into a char ** array */
char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
@@ -82,7 +82,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
int get_attr_list_size (char **tmp);
/* Get a DN */
@ -58,7 +55,7 @@ index aa2c711..76186b5 100644
/* Add to RR list */
void add_to_rr_list (char *dn, char *name, char *type, char *data,
@@ -104,11 +107,27 @@ void
@@ -104,11 +104,26 @@ void
init_ldap_conn ();
void usage();
@ -87,11 +84,19 @@ index aa2c711..76186b5 100644
+static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
+static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
+static char *dn_buffer [64]={NULL};
+
LDAP *conn;
unsigned int debug = 0;
@@ -132,12 +151,12 @@ main (int argc, char **argv)
@@ -120,7 +135,7 @@ static void
fatal(const char *msg) {
perror(msg);
if (conn != NULL)
- ldap_unbind_s(conn);
+ ldap_unbind_ext_s(conn, NULL, NULL);
exit(1);
}
@@ -132,12 +147,13 @@ main (int argc, char **argv)
isc_result_t result;
char *basedn;
ldap_info *tmp;
@ -102,12 +107,12 @@ index aa2c711..76186b5 100644
isc_buffer_t buff;
char *zonefile=0L;
char fullbasedn[1024];
- char *ctmp;
+ char *ctmp, *zn, *dcp[2], *znp[2], *rdn[2];
char *ctmp;
+ char *zn, *dcp[2], *znp[2], *rdn[2];
dns_fixedname_t fixedzone, fixedname;
dns_rdataset_t rdataset;
char **dc_list;
@@ -150,7 +169,7 @@ main (int argc, char **argv)
@@ -150,7 +166,7 @@ main (int argc, char **argv)
extern char *optarg;
extern int optind, opterr, optopt;
int create_base = 0;
@ -116,7 +121,7 @@ index aa2c711..76186b5 100644
if (argc < 2)
{
@@ -158,7 +177,7 @@ main (int argc, char **argv)
@@ -158,7 +174,7 @@ main (int argc, char **argv)
exit (-1);
}
@ -125,7 +130,7 @@ index aa2c711..76186b5 100644
{
switch (topt)
{
@@ -181,6 +200,9 @@ main (int argc, char **argv)
@@ -181,6 +197,9 @@ main (int argc, char **argv)
if (bindpw == NULL)
fatal("strdup");
break;
@ -135,34 +140,26 @@ index aa2c711..76186b5 100644
case 'b':
ldapbase = strdup (optarg);
if (ldapbase == NULL)
@@ -300,27 +322,62 @@ main (int argc, char **argv)
{
if (debug)
@@ -302,17 +321,51 @@ main (int argc, char **argv)
printf ("Creating base zone DN %s\n", argzone);
-
+
dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP);
- basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC);
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
+ basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone);
+ if (debug)
+ printf ("base DN %s\n", basedn);
+
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
+ for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--)
{
- if ((*ctmp == ',') || (ctmp == &basedn[0]))
+ if ((*ctmp == ',') || (ctmp == &basedn[0]))
if ((*ctmp == ',') || (ctmp == &basedn[0]))
{
+
base.mod_op = LDAP_MOD_ADD;
- base.mod_type = (char*)"objectClass";
- base.mod_values = (char**)topObjectClasses;
+ base.mod_type = objectClass;
+ base.mod_values = topObjectClasses;
base.mod_values = (char**)topObjectClasses;
base_attrs[0] = (void*)&base;
- base_attrs[1] = NULL;
-
+
+ dcBase.mod_op = LDAP_MOD_ADD;
+ dcBase.mod_type = dc;
@ -196,19 +193,10 @@ index aa2c711..76186b5 100644
+
+ base.mod_values = topObjectClasses;
+ base_attrs[4] = NULL;
+
if (ldapbase)
{
if (ctmp != &basedn[0])
sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase);
else
- sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
-
+ sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
}
else
{
@@ -329,8 +386,13 @@ main (int argc, char **argv)
@@ -329,6 +382,10 @@ main (int argc, char **argv)
else
sprintf (fullbasedn, "%s", ctmp);
}
@ -217,12 +205,9 @@ index aa2c711..76186b5 100644
+ printf("Full base dn: %s\n", fullbasedn);
+
result = ldap_add_s (conn, fullbasedn, base_attrs);
ldap_result_check ("intial ldap_add_s", fullbasedn, result);
+
ldap_result_check ("initial ldap_add_s", fullbasedn, result);
}
}
@@ -408,14 +470,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
@@ -408,14 +465,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
isc_result_check (result, "dns_rdata_totext");
data[isc_buffer_usedlength (&buff)] = 0;
@ -240,7 +225,7 @@ index aa2c711..76186b5 100644
}
@@ -455,7 +517,8 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -455,7 +512,8 @@ add_to_rr_list (char *dn, char *name, char *type,
int attrlist;
char ldap_type_buffer[128];
char charttl[64];
@ -250,7 +235,7 @@ index aa2c711..76186b5 100644
if ((tmp = locate_by_dn (dn)) == NULL)
{
@@ -482,13 +545,13 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -482,10 +540,10 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("malloc");
}
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
@ -262,12 +247,8 @@ index aa2c711..76186b5 100644
+ tmp->attrs[0]->mod_values = objectClasses;
else
{
- tmp->attrs[0]->mod_values = (char**)topObjectClasses;
+ tmp->attrs[0]->mod_values =topObjectClasses;
tmp->attrs[1] = NULL;
tmp->attrcnt = 2;
tmp->next = ldap_info_base;
@@ -497,7 +560,7 @@ add_to_rr_list (char *dn, char *name, char *type,
tmp->attrs[0]->mod_values = (char**)topObjectClasses;
@@ -497,7 +555,7 @@ add_to_rr_list (char *dn, char *name, char *type,
}
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
@ -276,7 +257,7 @@ index aa2c711..76186b5 100644
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[1]->mod_values == (char **)NULL)
@@ -526,7 +589,7 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -526,7 +584,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup");
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
@ -285,16 +266,16 @@ index aa2c711..76186b5 100644
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[3]->mod_values == (char **)NULL)
@@ -539,14 +602,25 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -539,14 +597,25 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs[3]->mod_values[0] == NULL)
fatal("strdup");
+ znlen=strlen(gbl_zone);
+ if ( *(gbl_zone + (znlen-1)) == '.' )
+ if ( gbl_zone[znlen-1] == '.' )
+ { /* ldapdb MUST search by relative zone name */
+ zn = (char*)malloc(znlen);
+ strncpy(zn,gbl_zone,znlen-1);
+ *(zn + (znlen-1))='\0';
+ memcpy(zn, gbl_zone, znlen-1);
+ zn[znlen-1]='\0';
+ }else
+ {
+ zn = gbl_zone;
@ -313,7 +294,7 @@ index aa2c711..76186b5 100644
tmp->attrs[4]->mod_values[1] = NULL;
tmp->attrs[5] = NULL;
@@ -557,7 +631,7 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -557,7 +626,7 @@ add_to_rr_list (char *dn, char *name, char *type,
else
{
@ -322,7 +303,7 @@ index aa2c711..76186b5 100644
{
sprintf (ldap_type_buffer, "%sRecord", type);
if (!strncmp
@@ -631,44 +705,70 @@ char **
@@ -631,44 +700,70 @@ char **
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
{
char *tmp;
@ -430,7 +411,7 @@ index aa2c711..76186b5 100644
dn_buffer[i] = NULL;
return dn_buffer;
@@ -680,24 +780,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
@@ -680,30 +775,38 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
* exception of "@"/SOA. */
char *
@ -439,19 +420,21 @@ index aa2c711..76186b5 100644
{
int size;
- int x;
- static char dn[1024];
- char tmp[128];
+ int x, znlen;
static char dn[1024];
char tmp[128];
+ static char dn[DNS_NAME_MAXTEXT*3/2];
+ char tmp[DNS_NAME_MAXTEXT*3/2];
+ char zn[DNS_NAME_MAXTEXT+1];
bzero (tmp, sizeof (tmp));
bzero (dn, sizeof (dn));
size = get_attr_list_size (dc_list);
+ znlen = strlen(zone);
+ if ( *(zone + (znlen-1)) == '.' )
+ if ( zone[znlen-1] == '.' )
+ { /* ldapdb MUST search by relative zone name */
+ memcpy(&(zn[0]),zone,znlen-1);
+ *(zn + (znlen-1))='\0';
+ zn[znlen-1]='\0';
+ zone = zn;
+ }
for (x = size - 2; x > 0; x--)
@ -460,40 +443,47 @@ index aa2c711..76186b5 100644
{
if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl))
- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%u,", dc_list[x], ttl);
+ sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
+ snprintf (tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
else if (x == (size - 2))
- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]);
+ sprintf(tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
+ snprintf(tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
else
sprintf(tmp,"dc=%s,", dc_list[x]);
- sprintf(tmp,"dc=%s,", dc_list[x]);
+ snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
}
@@ -723,6 +831,7 @@ void
init_ldap_conn ()
else
{
int result;
+ char ldb_tag[]="LDAP Bind";
conn = ldap_open (ldapsystem, LDAP_PORT);
if (conn == NULL)
{
@@ -732,7 +841,7 @@ init_ldap_conn ()
- sprintf(tmp, "dc=%s,", dc_list[x]);
+ snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
}
@@ -732,19 +835,18 @@ init_ldap_conn ()
}
result = ldap_simple_bind_s (conn, binddn, bindpw);
- ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
+ ldap_result_check ("ldap_simple_bind_s", ldb_tag , result);
+ ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
}
/* Like isc_result_check, only for LDAP */
@@ -749,8 +858,6 @@ ldap_result_check (const char *msg, char *dn, int err)
}
}
-
-
/* For running the ldap_info run queue. */
void
add_ldap_values (ldap_info * ldinfo)
@@ -758,14 +865,14 @@ add_ldap_values (ldap_info * ldinfo)
-ldap_result_check (const char *msg, char *dn, int err)
+ldap_result_check (const char *msg, const char *dn, int err)
{
if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
{
- fprintf(stderr, "Error while adding %s (%s):\n",
- dn, msg);
- ldap_perror (conn, dn);
- ldap_unbind_s (conn);
+ fprintf(stderr, "Error while adding %s (%s):\n%s",
+ dn, msg, ldap_err2string(err));
+ ldap_unbind_ext_s (conn, NULL, NULL);
exit (-1);
}
}
@@ -758,16 +860,15 @@ add_ldap_values (ldap_info * ldinfo)
int result;
char dnbuffer[1024];
@ -505,12 +495,14 @@ index aa2c711..76186b5 100644
result = ldap_add_s (conn, dnbuffer, ldinfo->attrs);
- ldap_result_check ("ldap_add_s", dnbuffer, result);
-}
+ ldap_result_check ("ldap_add_s", dnbuffer, result);
+
}
+}
@@ -776,5 +883,5 @@ void
@@ -776,5 +877,5 @@ void
usage ()
{
fprintf (stderr,

19
SOURCES/bind97-rh645544.patch
View File

@ -1,7 +1,8 @@
diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c
--- bind-9.9.4rc2/lib/dns/resolver.c.rh645544 2013-08-19 10:30:52.000000000 +0200
+++ bind-9.9.4rc2/lib/dns/resolver.c 2013-09-06 17:58:03.864165823 +0200
@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) {
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index ecb3ddb..f7f73cd 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -1456,7 +1456,7 @@ log_edns(fetchctx_t *fctx) {
*/
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
@ -10,7 +11,7 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
"success resolving '%s' (in '%s'?) after %s",
fctx->info, domainbuf, fctx->reason);
@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin
@@ -4667,7 +4667,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
@ -19,12 +20,12 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
"lame server resolving '%s' (in '%s'?): %s",
namebuf, domainbuf, addrbuf);
}
@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char
}
@@ -4685,7 +4685,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"DNS format error from %s resolving %s%s%s: %s",
nsbuf, fctx->info, clmsg, clbuf, msgbuf);
"DNS format error from %s resolving %s for %s: %s",
nsbuf, fctx->info, fctx->clientstr, msgbuf);
}

1
SOURCES/trusted-key.key
View File

@ -1,2 +1 @@
. 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=

159
SPECS/bind.spec
View File

@ -19,6 +19,7 @@
%bcond_with LMDB
%bcond_with DLZ
%bcond_without EXPORT_LIBS
%bcond_without BDB
# Legacy GeoIP support
%bcond_with GEOIP
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8
@ -26,6 +27,7 @@
%else
%bcond_with UNITTEST
%endif
%bcond_with TSAN
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8
# New MaxMind GeoLite support
%bcond_without GEOIP2
@ -54,16 +56,16 @@
#
# lib*.so.X versions of selected libraries
%global sover_dns 1107
%global sover_isc 1104
%global sover_dns 1110
%global sover_isc 1105
%global sover_irs 161
%global sover_isccfg 163
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name: bind
License: MPLv2.0
Version: 9.11.13
Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.1
Version: 9.11.20
Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
#
@ -153,21 +155,19 @@ Patch174:bind-9.11-fips-disable.patch
Patch175:bind-9.11-json-c.patch
Patch177:bind-9.11-serve-stale.patch
Patch178:bind-9.11-dhcp-time-monotonic.patch
Patch179:bind-9.11-rh1790879.patch
Patch180:bind-9.11.13-rwlock.patch
Patch181:bind-9.11.13-CVE-2020-8617.patch
Patch182:bind-9.11.13-CVE-2020-8616.patch
Patch183:bind-9.11-CVE-2020-8616-test.patch
Patch184:bind-9.11-CVE-2020-8617-test.patch
Patch185:bind-9.11-rh1865785.patch
Patch179:bind-9.11-rh1859454.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/ae9af802b5e7169c55cc5ef04dcfbded351c743d
Patch180:bind-9.11-CVE-2020-8622.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/0660b022fc6130dda2a27d6164fc7decdcabce8d
Patch181:bind-9.11-CVE-2020-8623.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/8e919cf6e47c4f52612069ac0868f8caa5089e74
Patch182:bind-9.11-CVE-2020-8624.patch
Patch183:bind-9.11-CVE-2020-8624-test.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
Patch12: bind-9.10-sdb.patch
# export lib patches
Patch135:bind-9.11-export-isc-config.patch
# needs inpection
Patch17: bind-9.3.2b1-fix_sdb_ldap.patch
Patch18: bind-9.11-zone2ldap.patch
@ -181,6 +181,7 @@ Requires(post): shadow-utils
Requires(post): glibc-common
Requires(post): grep
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
Obsoletes: bind-config < 30:9.3.2-34.fc6
Provides: bind-config = 30:9.3.2-34.fc6
Obsoletes: caching-nameserver < 31:9.4.1-7.fc8
@ -197,6 +198,8 @@ BuildRequires: python3-ply
BuildRequires: findutils sed
%if %{with SDB}
BuildRequires: openldap-devel, postgresql-devel, sqlite-devel, mariadb-connector-c-devel
%endif
%if %{with BDB}
BuildRequires: libdb-devel
%endif
%if %{with UNITTEST}
@ -226,6 +229,9 @@ BuildRequires: libmaxminddb-devel
%endif
# Needed to regenerate dig.1 manpage
BuildRequires: docbook-style-xsl, libxslt
%if %{with TSAN}
BuildRequires: libtsan
%endif
%description
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
@ -239,6 +245,8 @@ tools for verifying that the DNS server is operating properly.
Summary: Bind with native PKCS#11 functionality for crypto
Requires: systemd
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Recommends: softhsm
@ -282,6 +290,7 @@ Summary: BIND server with database backends and DLZ support
Requires: systemd
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
%description sdb
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
@ -323,6 +332,7 @@ Contains license of the BIND DNS suite.
%package utils
Summary: Utilities for querying DNS name servers
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
Requires: python3-bind = %{epoch}:%{version}-%{release}
%description utils
@ -352,12 +362,6 @@ required for development with ISC BIND 9
Summary: Lite version of header files and libraries needed for BIND DNS development
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa}
%if %{with GEOIP}
Requires: GeoIP-devel%{?_isa}
%endif
%if %{with GEOIP2}
Requires: libmaxminddb-devel%{?_isa}
%endif
%description lite-devel
The bind-lite-devel package contains lite version of the header
@ -391,6 +395,7 @@ Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
%if %{with DLZ}
%if %{with BDB}
%package dlz-bdb
Summary: BIND server bdb DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
@ -398,6 +403,10 @@ Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-bdb
Dynamic Loadable Zones module for BIND server.
%end
%endif
%package dlz-filesystem
Summary: BIND server filesystem DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
@ -438,7 +447,7 @@ Dynamic Loadable Zones module for BIND server.
%package -n python3-bind
Summary: A module allowing rndc commands to be sent from Python programs
Requires: bind-license = %{epoch}:%{version}-%{release}
Requires: %{?__python3} python3-ply %{py3_dist ply}
Requires: %{?__python3} python3-ply %{?py3_dist:%py3_dist ply}
BuildArch: noarch
%{?python_provide:%python_provide python3-bind}
%{?python_provide:%python_provide python3-isc}
@ -512,13 +521,11 @@ are used for building ISC DHCP.
%patch175 -p1 -b .json-c
%patch177 -p1 -b .serve-stale
%patch178 -p1 -b .time-monotonic
%patch179 -p1 -b .rh1790879
%patch180 -p1 -b .rwlock
%patch181 -p1 -b .CVE-2020-8617
%patch182 -p1 -b .CVE-2020-8616
%patch183 -p1 -b .CVE-2020-8616-test
%patch184 -p1 -b .CVE-2020-8616-test
%patch185 -p1 -b .rh1865785
%patch179 -p1 -b .rh1859454
%patch180 -p1 -b .CVE-2020-8622
%patch181 -p1 -b .CVE-2020-8623
%patch182 -p1 -b .CVE-2020-8624
%patch183 -p1 -b .CVE-2020-8624-test
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -590,10 +597,15 @@ done
cp -Tuav bin/tests "%{1}/bin/tests/" \
cp -uv version "%{1}" \
export CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
%if %{with TSAN}
CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
%endif
export CFLAGS
export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE"
export STD_CDEFINES="$CPPFLAGS"
sed -i -e \
's/RELEASEVER=\(.*\)/RELEASEVER=\1-RedHat-%{version}-%{release}/' \
version
@ -633,6 +645,8 @@ export LIBDIR_SUFFIX
--with-dlz-postgres=yes \
--with-dlz-mysql=yes \
--with-dlz-filesystem=yes \
%endif
%if %{with BDB}
--with-dlz-bdb=yes \
%endif
%if %{with GSSTSIG}
@ -670,14 +684,19 @@ popd
%if %{with DLZ}
pushd contrib/dlz
pushd modules
for DIR in filesystem ldap mysql mysqldyn sqlite3; do
make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
done
popd
%if %{with BDB}
pushd bin/dlzbdb
make
popd
pushd modules
for DIR in bdbhpt filesystem ldap mysql mysqldyn sqlite3; do
make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
done
make -C bdbhpt CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
popd
%endif
popd
%endif
popd # build
@ -686,6 +705,8 @@ popd # build
%systemtest_prepare_build build
%if %{with EXPORT_LIBS}
cp isc-config.sh.1 isc-export-config.sh.1
## Create export libs ##
mkdir -p export-libs
pushd export-libs
@ -722,8 +743,12 @@ export LIBDIR_SUFFIX
## FIXME this should be in patch instead of SED'ing
## but do we really like/want to patch generated files?
sed -i -e \
'/^SUBDIRS =/s/.*/SUBDIRS = make lib/i' \
mv isc-config.sh isc-export-config.sh
sed -i \
-e '/^SUBDIRS =/s/.*/SUBDIRS = make lib/i' \
-e 's/isc-config.sh/isc-export-config.sh/g' \
-e 's/bind9-config/bind9-export-config/g' \
Makefile
sed -i -e \
@ -735,9 +760,9 @@ do
find . -name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g" -i {} \;
sed -e "s/-l${lib}\([^[:alpha:]]\)/-l${lib}-export\1/g" \
-e "s/lib${lib}\./lib${lib}-export\./g" \
-i isc-config.sh
-i isc-export-config.sh
done;
%{__patch} -p2 -b --suffix .export-isc-config < %{PATCH135}
make %{?_smp_mflags}
popd
@ -763,6 +788,10 @@ sed -e "/^\s*include(/ d" -e 's/^-- use //' \
sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
%endif
%if %{with TSAN}
export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
%endif
%if %{with UNITTEST}
pushd build
make unit
@ -910,15 +939,20 @@ install -m 644 %{SOURCE12} contrib/sdb/pgsql/
%if %{with DLZ}
pushd contrib/dlz
pushd bin/dlzbdb
make DESTDIR=${RPM_BUILD_ROOT} install
popd
pushd modules
for DIR in bdbhpt filesystem ldap mysql mysqldyn sqlite3; do
for DIR in filesystem ldap mysql mysqldyn sqlite3; do
make -C $DIR DESTDIR=${RPM_BUILD_ROOT} libdir=%{_libdir}/bind install
done
mv mysqldyn/testing/README mysqldyn/testing/README.testing
%if %{with BDB}
make -C bdbhpt DESTDIR=${RPM_BUILD_ROOT} libdir=%{_libdir}/bind install
%endif
popd
%if %{with BDB}
pushd bin/dlzbdb
make DESTDIR=${RPM_BUILD_ROOT} install
popd
%endif
popd
%endif
@ -956,6 +990,7 @@ pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
ln -s named.8.gz named-pkcs11.8.gz
ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz
ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz
ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz
ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz
ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz
ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz
@ -1462,12 +1497,15 @@ rm -rf ${RPM_BUILD_ROOT}
%{_bindir}/bind9-export-config
%endif
%if %{with DLZ}
%if %{with DLZ} && %{with BDB}
%files dlz-bdb
%{_sbindir}/dlzbdb
%{_libdir}/bind/dlz_bdbhpt_dynamic.so
%doc contrib/dlz/modules/bdbhpt/testing/*
%endif
%if %{with DLZ}
%files dlz-filesystem
%{_libdir}/bind/dlz_filesystem_dynamic.so
@ -1496,17 +1534,40 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
* Tue Aug 04 2020 Tomas Korbar <tkorbar@redhat.com> - 32:9.11.13-6.1
- Validate configuration files with CIDRs host bits set (#1865785)
* Tue Aug 18 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-5
- Fix tsig-request verify (CVE-2020-8622)
- Prevent PKCS11 daemon crash on crafted packet (CVE-2020-8623)
- Correct update-policy type subdomain to match documentation (CVE-2020-8624)
- Include available test
* Fri May 22 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-5.1
- Add CVE tests to codebase
* Wed Jul 22 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-4
- Prevent crash on dstlib initialization failure (#1859454)
* Fri May 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-5
- Limit number of queries triggered by a request (CVE-2020-8616)
* Fri Jun 19 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-3
- Add remaining require to bind package (#1633169)
* Fri May 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-4
- Fix invalid tsig request (CVE-2020-8617)
* Fri Jun 19 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-2
- Add manual page for dnssec-importkey-pkcs11 (#1666785)
- Add versioned depends to all library subpackages
* Wed Jun 17 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-1
- Update to 9.11.20
* Mon Jun 08 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.19-2
- Remove old KSK 19036 from remaining trusted-key.key
* Fri May 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.19-1
- Update to 9.11.19 (CVE-2020-8616, CVE-2020-8617)
* Thu Apr 16 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.18-1
- Update to 9.11.18
* Tue Apr 07 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.17-1
- Update to 9.11.17
* Tue Apr 07 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.14-1
- Update to 9.11.14
- Remove libmaxminddb-devel from devel package dependencies
* Thu Feb 27 2020 Miroslav Lichvar <mlichvar@redhat.com> - 32:9.11.13-3
- Fix rwlock to be thread-safe (#1740511)