rpms/bind
7
0
Fork 1
Code Issues Pull Requests Releases Activity

Import version from branch v9_18

Browse Source 
Uses git checkout 38726e67340b2b60715fa2f342dc800273d3772f -- .

Remove unused patches from distgit.
This commit is contained in:
Petr Menšík 2022-07-12 15:40:10 +02:00
parent d540d034df
commit 8a47aa2c75
23 changed files with 670 additions and 1631 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.gitignore vendored
View File

@ -176,3 +176,13 @@ bind-9.7.2b1.tar.gz
/bind-9.16.29.tar.xz.asc
/bind-9.16.30.tar.xz
/bind-9.16.30.tar.xz.asc
/bind-9.18.0.tar.xz
/bind-9.18.0.tar.xz.asc
/bind-9.18.1.tar.xz
/bind-9.18.1.tar.xz.asc
/bind-9.18.2.tar.xz
/bind-9.18.2.tar.xz.asc
/bind-9.18.3.tar.xz
/bind-9.18.3.tar.xz.asc
/bind-9.18.4.tar.xz
/bind-9.18.4.tar.xz.asc

6
README.md
View File

@ -22,10 +22,8 @@ The package contains several subpackages, some of them can be disabled on rebuil
* **bind-utils** -- set of tools to analyse DNS responses or update entries (dig, host)
* **bind-doc** -- documentation for current bind, *BIND 9 Administrator Reference Manual*.
* **bind-license** -- Shared license for all packages but bind-export-libs.
* **bind-pkcs11** -- *named* daemon built with native PKCS#11 support. Can be disabled by `--without PKCS11`.
* **bind-libs** and **bind-libs-lite** -- Shared libraries used by some others programs
* **bind-devel** -- Development headers for libs.
* **bind-dlz-\*** -- Dynamic loadable [DLZ plugins](http://bind-dlz.sourceforge.net/) with support for external databases
* **bind-libs** -- Shared libraries used by some others programs
* **bind-devel** -- Development headers for libs. Can be disabled by `--without DEVEL`
## Optional features

541
bind-9.10-dist-native-pkcs11.patch
View File

@ -1,541 +0,0 @@
From 1cbffe7e8b5bced9134abbae23a2a20c83d39a6a Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 21 Jan 2021 10:46:20 +0100
Subject: [PATCH] Enable custom pkcs11 native build
Share common parts like libisc, libcc and others. But provide native
pkcs11 libraries as a new copy of libdns and libns.
---
bin/Makefile.in | 2 +-
bin/confgen/Makefile.in | 2 +-
bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++---------------
bin/named-pkcs11/Makefile.in | 31 +++++++++++++------------
configure.ac | 19 ++++++++++++++++
lib/Makefile.in | 2 +-
lib/dns-pkcs11/Makefile.in | 22 +++++++++---------
lib/dns-pkcs11/tests/Makefile.in | 8 +++----
lib/ns-pkcs11/Makefile.in | 26 ++++++++++-----------
lib/ns-pkcs11/tests/Makefile.in | 12 +++++-----
make/includes.in | 7 ++++++
11 files changed, 100 insertions(+), 70 deletions(-)
diff --git a/bin/Makefile.in b/bin/Makefile.in
index 9ad7f62..094775a 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -11,7 +11,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \
@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
TARGETS =
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index c126bf3..1b7512d 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
-CDEFINES = @USE_PKCS11@
+CDEFINES =
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
index ace0e5a..e0f6a00 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
${OPENSSL_CFLAGS}
-CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
+CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
@@ -36,12 +36,15 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+# Add suffix to all targets
+EXEEXT = -pkcs11@EXEEXT@
+
# Alphabetically
-TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
- dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
- dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
- dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
- dnssec-verify@EXEEXT@
+TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \
+ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \
+ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \
+ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \
+ dnssec-verify${EXEEXT}
OBJS = dnssectool.@O@
@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
@BIND9_MAKE_RULES@
-dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
+dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-revoke.@O@ ${OBJS} ${LIBS}
-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-settime.@O@ ${OBJS} ${LIBS}
-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-importkey.@O@ ${OBJS} ${LIBS}
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
index debb906..ecfdb6c 100644
--- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in
@@ -37,13 +37,14 @@ DBDRIVER_LIBS =
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
-DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@
-DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@
-DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
-DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
+# Skip building on PKCS11 variant
+DLZDRIVER_OBJS =
+DLZDRIVER_SRCS =
+DLZDRIVER_INCLUDES =
+DLZDRIVER_LIBS =
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
- ${NS_INCLUDES} ${DNS_INCLUDES} \
+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \
${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
${DBDRIVER_INCLUDES} \
@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LIBXML2_CFLAGS} \
${MAXMINDDB_CFLAGS}
-CDEFINES = @CONTRIB_DLZ@
+CDEFINES =
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
-NSLIBS = ../../lib/ns/libns.@A@
+NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
-NSDEPLIBS = ../../lib/ns/libns.@A@
+NSDEPLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
-TARGETS = named@EXEEXT@
+TARGETS = named-pkcs11@EXEEXT@
GEOIP2LINKOBJS = geoip.@O@
@@ -151,7 +152,7 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
-named@EXEEXT@: ${OBJS} ${DEPLIBS}
+named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -170,11 +171,11 @@ statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-install:: named@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
+install:: named-pkcs11@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
uninstall::
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
@DLZ_DRIVER_RULES@
diff --git a/configure.ac b/configure.ac
index e405eaf..efaa5a7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1269,12 +1269,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
#
# Applications linking with libdns also need to link with these libraries.
#
AC_SUBST(DNS_CRYPTO_LIBS)
+AC_SUBST(DNS_CRYPTO_PK11_LIBS)
#
# was --with-lmdb specified?
@@ -2345,6 +2347,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
AC_SUBST(BIND9_NS_BUILDINCLUDE)
AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
AC_SUBST(BIND9_IRS_BUILDINCLUDE)
+AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE)
+AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE)
if test "X$srcdir" != "X"; then
BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
@@ -2353,6 +2357,8 @@ if test "X$srcdir" != "X"; then
BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
+ BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include"
+ BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include"
else
BIND9_ISC_BUILDINCLUDE=""
BIND9_ISCCC_BUILDINCLUDE=""
@@ -2361,6 +2367,8 @@ else
BIND9_NS_BUILDINCLUDE=""
BIND9_BIND9_BUILDINCLUDE=""
BIND9_IRS_BUILDINCLUDE=""
+ BIND9_DNS_PKCS11_BUILDINCLUDE=""
+ BIND9_NS_PKCS11_BUILDINCLUDE=""
fi
AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
@@ -2816,8 +2824,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
+ bin/dnssec-pkcs11/Makefile
bin/named/Makefile
bin/named/unix/Makefile
+ bin/named-pkcs11/Makefile
+ bin/named-pkcs11/unix/Makefile
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/plugins/Makefile
@@ -2879,6 +2890,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
+ lib/dns-pkcs11/Makefile
+ lib/dns-pkcs11/include/Makefile
+ lib/dns-pkcs11/include/dns/Makefile
+ lib/dns-pkcs11/include/dst/Makefile
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
@@ -2911,6 +2926,10 @@ AC_CONFIG_FILES([
lib/ns/include/Makefile
lib/ns/include/ns/Makefile
lib/ns/tests/Makefile
+ lib/ns-pkcs11/Makefile
+ lib/ns-pkcs11/include/Makefile
+ lib/ns-pkcs11/include/ns/Makefile
+ lib/ns-pkcs11/tests/Makefile
make/Makefile
make/mkdep
unit/unittest.sh
diff --git a/lib/Makefile.in b/lib/Makefile.in
index 833964e..058ba2f 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
# Attempt to disable parallel processing.
.NOTPARALLEL:
.NO_PARALLEL:
-SUBDIRS = isc isccc dns ns isccfg bind9 irs
+SUBDIRS = isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 58bda3c..d6a45df 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
${ISC_INCLUDES} \
${FSTRM_CFLAGS} \
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
@@ -32,7 +32,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
${LMDB_CFLAGS} \
${MAXMINDDB_CFLAGS}
-CDEFINES = @USE_GSSAPI@
+CDEFINES = @USE_GSSAPI@ @USE_PKCS11@
CWARNINGS =
@@ -135,15 +135,15 @@ version.@O@: version.c
-DMAPAPI=\"${MAPAPI}\" \
-c ${srcdir}/version.c
-libdns.@SA@: ${OBJS}
+libdns-pkcs11.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libdns.la: ${OBJS}
+libdns-pkcs11.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
-release "${VERSION}" \
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
include: gen
${MAKE} include/dns/enumtype.h
@@ -174,22 +174,22 @@ gen: gen.c
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
${BUILD_LIBS} ${LFS_LIBS}
-timestamp: include libdns.@A@
+timestamp: include libdns-pkcs11.@A@
touch timestamp
-testdirs: libdns.@A@
+testdirs: libdns-pkcs11.@A@
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
uninstall::
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@
clean distclean::
- rm -f libdns.@A@ timestamp
+ rm -f libdns-pkcs11.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
rm -f dnstap.pb-c.c dnstap.pb-c.h
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
index da91394..aadb73f 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
+CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \
${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@
-CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@
-DNSDEPLIBS = ../libdns.@A@
+DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSDEPLIBS = ../libdns-pkcs11.@A@
LIBS = @LIBS@ @CMOCKA_LIBS@
diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
index bc683ce..7a9d2f2 100644
--- a/lib/ns-pkcs11/Makefile.in
+++ b/lib/ns-pkcs11/Makefile.in
@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \
- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \
+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
${FSTRM_CFLAGS}
-CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\"
+CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
CWARNINGS =
@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
LIBS = @LIBS@
@@ -60,28 +60,28 @@ version.@O@: version.c
-DMAJOR=\"${MAJOR}\" \
-c ${srcdir}/version.c
-libns.@SA@: ${OBJS}
+libns-pkcs11.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libns.la: ${OBJS}
+libns-pkcs11.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \
-release "${VERSION}" \
- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
-timestamp: libns.@A@
+timestamp: libns-pkcs11.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \
${DESTDIR}${libdir}
uninstall::
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@
clean distclean::
- rm -f libns.@A@ timestamp
+ rm -f libns-pkcs11.@A@ timestamp
diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in
index 4c3e694..c1b6d99 100644
--- a/lib/ns-pkcs11/tests/Makefile.in
+++ b/lib/ns-pkcs11/tests/Makefile.in
@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@
WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach
-CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+CINCLUDES = -I. -Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
${OPENSSL_CFLAGS} \
@CMOCKA_CFLAGS@
-CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\"
+CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@
ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
-DNSDEPLIBS = ../../dns/libdns.@A@
-NSLIBS = ../libns.@A@
-NSDEPLIBS = ../libns.@A@
+DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@
+NSLIBS = ../libns-pkcs11.@A@
+NSDEPLIBS = ../libns-pkcs11.@A@
LIBS = @LIBS@ @CMOCKA_LIBS@
diff --git a/make/includes.in b/make/includes.in
index b8317d3..b73b0c4 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
TEST_INCLUDES = \
-I${top_srcdir}/lib/tests/include
+
+DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/dns-pkcs11/include
+
+NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/ns-pkcs11/include
+
--
2.31.1

341
bind-9.11-fips-tests.patch
View File

@ -1,4 +1,4 @@
From 9575852be2344244ac182d7d019869406d3bd963 Mon Sep 17 00:00:00 2001
From 8bbfacc1a90301a71a487e776db071fa2ef6c8dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 2 Aug 2018 23:46:45 +0200
Subject: [PATCH] FIPS tests changes
@ -73,8 +73,6 @@ Date: Wed Mar 7 10:44:23 2018 +0100
.../system/allow-query/ns2/named40.conf.in | 4 +-
bin/tests/system/allow-query/tests.sh | 18 ++---
bin/tests/system/catz/ns1/named.conf.in | 2 +-
bin/tests/system/catz/ns2/named1.conf.in | 2 +-
bin/tests/system/catz/ns2/named2.conf.in | 2 +-
bin/tests/system/checkconf/bad-tsig.conf | 2 +-
bin/tests/system/checkconf/good.conf | 2 +-
bin/tests/system/feature-test.c | 14 ++++
@ -83,23 +81,21 @@ Date: Wed Mar 7 10:44:23 2018 +0100
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
bin/tests/system/nsupdate/setup.sh | 6 +-
bin/tests/system/nsupdate/tests.sh | 15 +++--
bin/tests/system/nsupdate/tests.sh | 11 ++-
bin/tests/system/rndc/setup.sh | 2 +-
bin/tests/system/rndc/tests.sh | 23 ++++---
bin/tests/system/rndc/tests.sh | 22 +++---
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
bin/tests/system/tsig/setup.sh | 5 ++
bin/tests/system/tsig/tests.sh | 65 ++++++++++++-------
bin/tests/system/tsig/tests.sh | 67 ++++++++++++-------
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
bin/tests/system/upforwd/tests.sh | 2 +-
34 files changed, 163 insertions(+), 109 deletions(-)
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
31 files changed, 149 insertions(+), 106 deletions(-)
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
index 60f22e1..249f672 100644
index 745048a..93cb411 100644
--- a/bin/tests/system/acl/ns2/named1.conf.in
+++ b/bin/tests/system/acl/ns2/named1.conf.in
@@ -33,12 +33,12 @@ options {
@@ -35,12 +35,12 @@ options {
};
key one {
@ -115,10 +111,10 @@ index 60f22e1..249f672 100644
};
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
index ada97bc..f82d858 100644
index 21aa991..78e71cc 100644
--- a/bin/tests/system/acl/ns2/named2.conf.in
+++ b/bin/tests/system/acl/ns2/named2.conf.in
@@ -33,12 +33,12 @@ options {
@@ -35,12 +35,12 @@ options {
};
key one {
@ -134,10 +130,10 @@ index ada97bc..f82d858 100644
};
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
index 97684e4..de6a2e9 100644
index 3208c92..bed6325 100644
--- a/bin/tests/system/acl/ns2/named3.conf.in
+++ b/bin/tests/system/acl/ns2/named3.conf.in
@@ -33,17 +33,17 @@ options {
@@ -35,17 +35,17 @@ options {
};
key one {
@ -159,28 +155,9 @@ index 97684e4..de6a2e9 100644
};
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
index 462b3fa..994b35c 100644
index 14e82ed..a22cafe 100644
--- a/bin/tests/system/acl/ns2/named4.conf.in
+++ b/bin/tests/system/acl/ns2/named4.conf.in
@@ -33,12 +33,12 @@ options {
};
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
index 728da58..8f00d09 100644
--- a/bin/tests/system/acl/ns2/named5.conf.in
+++ b/bin/tests/system/acl/ns2/named5.conf.in
@@ -35,12 +35,12 @@ options {
};
@ -196,11 +173,30 @@ index 728da58..8f00d09 100644
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
index f43f33c..f4a865a 100644
--- a/bin/tests/system/acl/ns2/named5.conf.in
+++ b/bin/tests/system/acl/ns2/named5.conf.in
@@ -37,12 +37,12 @@ options {
};
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
index be59d64..13d5bdc 100644
index 9ee3984..f7d4388 100644
--- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
@@ -23,14 +23,14 @@ echo_i "testing basic ACL processing"
# key "one" should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
@ -217,7 +213,7 @@ index be59d64..13d5bdc 100644
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
copy_setports ns2/named2.conf.in ns2/named.conf
@@ -39,18 +39,18 @@ sleep 5
@@ -40,18 +40,18 @@ sleep 5
# prefix 10/8 should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
@ -239,7 +235,7 @@ index be59d64..13d5bdc 100644
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
echo_i "testing nested ACL processing"
@@ -62,31 +62,31 @@ sleep 5
@@ -63,31 +63,31 @@ sleep 5
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
@ -276,7 +272,7 @@ index be59d64..13d5bdc 100644
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
t=`expr $t + 1`
@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
@@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
# and other values? right out
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
@ -285,7 +281,7 @@ index be59d64..13d5bdc 100644
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
@@ -108,31 +108,31 @@ sleep 5
@@ -109,31 +109,31 @@ sleep 5
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
@ -323,10 +319,10 @@ index be59d64..13d5bdc 100644
echo_i "testing allow-query-on ACL processing"
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
index 7d43e36..f7b25f9 100644
index b91d19a..7d777c2 100644
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
@@ -10,7 +10,7 @@
@@ -12,7 +12,7 @@
*/
key one {
@ -336,10 +332,10 @@ index 7d43e36..f7b25f9 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
index 2952518..121557e 100644
index 308c4ca..00f6f40 100644
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
@@ -10,12 +10,12 @@
@@ -12,12 +12,12 @@
*/
key one {
@ -355,10 +351,10 @@ index 2952518..121557e 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
index 0c01071..ceabbb5 100644
index 6b0fe55..491e514 100644
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
@@ -10,7 +10,7 @@
@@ -12,7 +12,7 @@
*/
key one {
@ -368,10 +364,10 @@ index 0c01071..ceabbb5 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
index 4c17292..9cd9d1f 100644
index aefc474..7c06596 100644
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
@@ -10,7 +10,7 @@
@@ -12,7 +12,7 @@
*/
key one {
@ -381,10 +377,10 @@ index 4c17292..9cd9d1f 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
index a2690a4..f488730 100644
index 27eccc2..eecb990 100644
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
@@ -10,12 +10,12 @@
@@ -12,12 +12,12 @@
*/
key one {
@ -400,10 +396,10 @@ index a2690a4..f488730 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
index a0708c8..51fa457 100644
index adbb203..744d122 100644
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
@@ -10,7 +10,7 @@
@@ -12,7 +12,7 @@
*/
key one {
@ -413,10 +409,10 @@ index a0708c8..51fa457 100644
};
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
index 687768e..d24d6d2 100644
index 364f94b..9518f82 100644
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; };
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
acl badaccept { 10.53.0.1; };
key one {
@ -432,10 +428,10 @@ index 687768e..d24d6d2 100644
};
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
index fe40635..543c663 100644
index bbffe07..80da0fe 100644
--- a/bin/tests/system/allow-query/tests.sh
+++ b/bin/tests/system/allow-query/tests.sh
@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2
@@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key allowed - query allowed"
ret=0
@ -444,25 +440,25 @@ index fe40635..543c663 100644
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2
@@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key not allowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2
@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key disallowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2
@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key allowed - query allowed"
ret=0
@ -471,25 +467,25 @@ index fe40635..543c663 100644
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2
@@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key not allowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2
@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key disallowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -500,7 +500,7 @@ status=`expr $status + $ret`
@@ -533,7 +533,7 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "test $n: zone key allowed - query allowed"
ret=0
@ -498,51 +494,29 @@ index fe40635..543c663 100644
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -510,7 +510,7 @@ status=`expr $status + $ret`
@@ -543,7 +543,7 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "test $n: zone key not allowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -520,7 +520,7 @@ status=`expr $status + $ret`
@@ -554,7 +554,7 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "test $n: zone key disallowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
index 1218669..e62715e 100644
index 5a46d39..fc1bd07 100644
--- a/bin/tests/system/catz/ns1/named.conf.in
+++ b/bin/tests/system/catz/ns1/named.conf.in
@@ -61,5 +61,5 @@ zone "catalog4.example" {
key tsig_key. {
secret "LSAnCU+Z";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in
index 30333e6..4005152 100644
--- a/bin/tests/system/catz/ns2/named1.conf.in
+++ b/bin/tests/system/catz/ns2/named1.conf.in
@@ -70,5 +70,5 @@ zone "catalog4.example" {
key tsig_key. {
secret "LSAnCU+Z";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in
index fcd99ca..84c97ca 100644
--- a/bin/tests/system/catz/ns2/named2.conf.in
+++ b/bin/tests/system/catz/ns2/named2.conf.in
@@ -56,5 +56,5 @@ zone "catalog4.example" {
@@ -63,5 +63,5 @@ zone "catalog4.example" {
key tsig_key. {
secret "LSAnCU+Z";
@ -550,10 +524,10 @@ index fcd99ca..84c97ca 100644
+ algorithm hmac-sha256;
};
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
index 21be03e..e57c308 100644
index 4af25b0..9f202d5 100644
--- a/bin/tests/system/checkconf/bad-tsig.conf
+++ b/bin/tests/system/checkconf/bad-tsig.conf
@@ -11,7 +11,7 @@
@@ -13,7 +13,7 @@
/* Bad secret */
key "badtsig" {
@ -563,10 +537,10 @@ index 21be03e..e57c308 100644
};
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index 616a544..e3a59a5 100644
index 897dc86..e4b6dc1 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -268,6 +268,6 @@ dyndb "name" "library.so" {
@@ -270,6 +270,6 @@ dyndb "name" "library.so" {
system;
};
key "mykey" {
@ -575,10 +549,10 @@ index 616a544..e3a59a5 100644
secret "qwertyuiopasdfgh";
};
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
index 877504f..577660a 100644
index 30e6e14..ba7f98e 100644
--- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c
@@ -14,6 +14,7 @@
@@ -16,6 +16,7 @@
#include <string.h>
#include <unistd.h>
@ -586,8 +560,8 @@ index 877504f..577660a 100644
#include <isc/net.h>
#include <isc/print.h>
#include <isc/util.h>
@@ -186,6 +187,19 @@ main(int argc, char **argv) {
#endif /* ifdef DLZ_FILESYSTEM */
@@ -140,6 +141,19 @@ main(int argc, char **argv) {
#endif
}
+ if (strcmp(argv[1], "--md5") == 0) {
@ -603,14 +577,14 @@ index 877504f..577660a 100644
+ }
+ }
+
if (strcmp(argv[1], "--with-idn") == 0) {
#ifdef HAVE_LIBIDN2
return (0);
if (strcmp(argv[1], "--ipv6only=no") == 0) {
#if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
int s;
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
index 1ee8df4..2b75d9a 100644
index 5cab276..d4a7bf3 100644
--- a/bin/tests/system/notify/ns5/named.conf.in
+++ b/bin/tests/system/notify/ns5/named.conf.in
@@ -10,17 +10,17 @@
@@ -12,17 +12,17 @@
*/
key "a" {
@ -632,10 +606,10 @@ index 1ee8df4..2b75d9a 100644
};
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
index 3d7e0b7..ec4d9a7 100644
index 52d2f81..1fd02d4 100644
--- a/bin/tests/system/notify/tests.sh
+++ b/bin/tests/system/notify/tests.sh
@@ -212,16 +212,16 @@ ret=0
@@ -187,7 +187,7 @@ test_start "checking notify to multiple views using tsig"
$NSUPDATE << EOF
server 10.53.0.5 ${PORT}
zone x21
@ -644,22 +618,23 @@ index 3d7e0b7..ec4d9a7 100644
update add added.x21 0 in txt "test string"
send
EOF
@@ -195,9 +195,9 @@ fnb="dig.out.b.ns5.test$n"
fnc="dig.out.c.ns5.test$n"
for i in 1 2 3 4 5 6 7 8 9
do
- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
txt > dig.out.b.ns5.test$n || ret=1
- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
+ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
txt > dig.out.c.ns5.test$n || ret=1
grep "test string" dig.out.b.ns5.test$n > /dev/null &&
grep "test string" dig.out.c.ns5.test$n > /dev/null &&
- dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+ dig_plus_opts added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
txt > "$fnb" || ret=1
- dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
+ dig_plus_opts added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
txt > "$fnc" || ret=1
grep "test string" "$fnb" > /dev/null &&
grep "test string" "$fnc" > /dev/null &&
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index b51e700..436c97d 100644
index 81d0c99..effbe2e 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -37,7 +37,7 @@ controls {
@@ -39,7 +39,7 @@ controls {
};
key altkey {
@ -669,10 +644,10 @@ index b51e700..436c97d 100644
};
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
index da6b3b4..c547e47 100644
index f1a1735..da2b3d1 100644
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
@@ -32,7 +32,7 @@ controls {
@@ -34,7 +34,7 @@ controls {
};
key altkey {
@ -682,27 +657,27 @@ index da6b3b4..c547e47 100644
};
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 5593a2e..7cd1a74 100644
index 50056dc..a4a1a3f 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -71,7 +71,11 @@ EOF
@@ -72,7 +72,11 @@ EOF
$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
$TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
-$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
+if $FEATURETEST --md5; then
+ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
+ $TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
+else
+ echo -n > ns1/md5.key
+fi
$DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
$DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
$DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
$TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key
$TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
$TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 8839131..fde6135 100755
index 0863d0a..559def7 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -824,7 +824,14 @@ fi
@@ -841,7 +841,14 @@ fi
n=`expr $n + 1`
ret=0
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
@ -718,7 +693,7 @@ index 8839131..fde6135 100755
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add ${alg}.keytests.nil. 600 A 10.10.10.3
@@ -832,7 +839,7 @@ send
@@ -849,7 +856,7 @@ send
END
done
sleep 2
@ -727,29 +702,11 @@ index 8839131..fde6135 100755
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
done
if [ $ret -ne 0 ]; then
@@ -843,7 +850,7 @@ fi
n=`expr $n + 1`
ret=0
echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+for alg in $ALGS; do
secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
$NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
@@ -852,7 +859,7 @@ send
END
done
sleep 2
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+for alg in $ALGS; do
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
done
if [ $ret -ne 0 ]; then
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
index 225722f..63ac938 100644
index 4dd6fa7..1b79263 100644
--- a/bin/tests/system/rndc/setup.sh
+++ b/bin/tests/system/rndc/setup.sh
@@ -38,7 +38,7 @@ make_key () {
@@ -47,7 +47,7 @@ make_key () {
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
}
@ -759,13 +716,13 @@ index 225722f..63ac938 100644
make_key 3 ${EXTRAPORT3} hmac-sha224
make_key 4 ${EXTRAPORT4} hmac-sha256
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
index 9bf86c6..b8a7a1f 100644
index 85c271b..ac69f32 100644
--- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh
@@ -349,15 +349,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=`expr $n + 1`
n=$((n+1))
-echo_i "testing rndc with hmac-md5 ($n)"
-ret=0
-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
@ -774,29 +731,28 @@ index 9bf86c6..b8a7a1f 100644
- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
-done
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-status=$((status+ret))
+if $FEATURETEST --md5
+then
+ echo_i "testing rndc with hmac-md5 ($n)"
+ ret=0
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+ for i in 2 3 4 5 6
+ do
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+ done
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+ status=$((status+ret))
+else
+ echo_i "skipping rndc with hmac-md5 ($n)"
+fi
n=`expr $n + 1`
n=$((n+1))
echo_i "testing rndc with hmac-sha1 ($n)"
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
index 3470c4f..cf539cd 100644
index 76cf970..22637af 100644
--- a/bin/tests/system/tsig/ns1/named.conf.in
+++ b/bin/tests/system/tsig/ns1/named.conf.in
@@ -21,10 +21,7 @@ options {
@@ -23,10 +23,7 @@ options {
notify no;
};
@ -808,7 +764,7 @@ index 3470c4f..cf539cd 100644
key "sha1" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
@@ -51,10 +48,7 @@ key "sha512" {
@@ -53,10 +50,7 @@ key "sha512" {
algorithm hmac-sha512;
};
@ -820,27 +776,11 @@ index 3470c4f..cf539cd 100644
key "sha1-trunc" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
new file mode 100644
index 0000000..0682194
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
@@ -0,0 +1,10 @@
+# Conditionally included when support for MD5 is available
+key "md5" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5;
+};
+
+key "md5-trunc" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5-80;
+};
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
index e3b4a45..ae21d04 100644
index 34cc73b..d51ff21 100644
--- a/bin/tests/system/tsig/setup.sh
+++ b/bin/tests/system/tsig/setup.sh
@@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
@@ -16,3 +16,8 @@
$SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
@ -850,10 +790,10 @@ index e3b4a45..ae21d04 100644
+ cat ns1/rndc5.conf.in >> ns1/named.conf
+fi
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index 38d842a..668aa6f 100644
index 1067227..ee05e83 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
@@ -27,20 +27,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
status=0
@ -864,6 +804,13 @@ index 38d842a..668aa6f 100644
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
-fi
-
-echo_i "fetching using hmac-md5 (new form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5 (old form)"
@ -873,13 +820,7 @@ index 38d842a..668aa6f 100644
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
-echo_i "fetching using hmac-md5 (new form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+
+ echo_i "fetching using hmac-md5 (new form)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
@ -892,7 +833,7 @@ index 38d842a..668aa6f 100644
fi
echo_i "fetching using hmac-sha1"
@@ -87,12 +92,17 @@ fi
@@ -88,12 +93,17 @@ fi
# Truncated TSIG
#
#
@ -916,7 +857,7 @@ index 38d842a..668aa6f 100644
fi
echo_i "fetching using hmac-sha1 (trunc)"
@@ -141,12 +151,17 @@ fi
@@ -142,12 +152,17 @@ fi
# Check for bad truncation.
#
#
@ -941,10 +882,10 @@ index 38d842a..668aa6f 100644
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
index 3873c7c..b359a5a 100644
index c2b57dd..cb13aa1 100644
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -10,7 +10,7 @@
@@ -12,7 +12,7 @@
*/
key "update.example." {
@ -954,10 +895,10 @@ index 3873c7c..b359a5a 100644
};
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index a50c896..8062d68 100644
index a6de312..ebcadb1 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
@@ -80,7 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "updating zone (signed) ($n)"
ret=0
@ -967,5 +908,5 @@ index a50c896..8062d68 100644
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
--
2.31.1
2.34.1

58
bind-9.11-kyua-pkcs11.patch
View File

@ -1,58 +0,0 @@
From 1241f2005d08673c28a595c5a6cd61350b95a929 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests
Add dns-pkcs11 tests Makefile to configure
Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
---
configure.ac | 1 +
lib/Kyuafile | 2 ++
lib/dns-pkcs11/tests/dh_test.c | 3 ++-
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index d80ae31..0fb9328 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile
+ lib/dns-pkcs11/tests/Makefile
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
diff --git a/lib/Kyuafile b/lib/Kyuafile
index 39ce986..037e5ef 100644
--- a/lib/Kyuafile
+++ b/lib/Kyuafile
@@ -2,8 +2,10 @@ syntax(2)
test_suite('bind9')
include('dns/Kyuafile')
+include('dns-pkcs11/Kyuafile')
include('irs/Kyuafile')
include('isc/Kyuafile')
include('isccc/Kyuafile')
include('isccfg/Kyuafile')
include('ns/Kyuafile')
+include('ns-pkcs11/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
index 934e8fd..658d1af 100644
--- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c
@@ -87,7 +87,8 @@ dh_computesecret(void **state) {
result = dst_key_computesecret(key, key, &buf);
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
result = key->func->computesecret(key, key, &buf);
- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
+ /* PKCS11 variant gives different result, accept both */
+ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
dst_key_free(&key);
}
--
2.20.1

29
bind-9.11-rh1666814.patch
View File

@ -1,29 +0,0 @@
From d05d116da39c0a5c580ceaac6ba069899b82c5a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 16 Jan 2019 16:27:33 +0100
Subject: [PATCH] Fix possible crash when loading corrupted file
Some values passes internal triggers by coincidence. Fix the check and
check also first_node_offset before even passing it further.
---
lib/dns/rbt.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index 5aee5f6..7f2c2d2 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset +
header->first_node_offset);
- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
+ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
+ || header->first_node_offset > filesize) {
+
result = ISC_R_INVALIDFILE;
goto cleanup;
}
--
2.31.1

83
bind-9.14-config-pkcs11.patch
View File

@ -1,83 +0,0 @@
From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 18 Oct 2019 21:30:52 +0200
Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h
Building two variants with the same common code requires to unset
USE_PKCS11 on part of build. That is not possible with config.h value.
Move it as normal define to CDEFINES.
---
bin/confgen/Makefile.in | 2 +-
configure.ac | 8 ++++++--
lib/dns/dst_internal.h | 12 +++++++++---
3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index 1b7512d..c126bf3 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
-CDEFINES =
+CDEFINES = @USE_PKCS11@
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
diff --git a/configure.ac b/configure.ac
index f5483fe..08a7d8a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST])
AC_SUBST([PKCS11_TOOLS])
AC_SUBST([PKCS11_MANS])
+USE_PKCS11='-DUSE_PKCS11=0'
+USE_OPENSSL='-DUSE_OPENSSL=0'
AC_SUBST([CRYPTO])
AS_CASE([$CRYPTO],
- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
+ [pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'],
+ [USE_OPENSSL='-DUSE_OPENSSL=1'])
+AC_SUBST(USE_PKCS11)
+AC_SUBST(USE_OPENSSL)
# preparation for automake
# AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 2c3b4a3..55e9dc4 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -38,6 +38,13 @@
#include <isc/stdtime.h>
#include <isc/types.h>
+#ifndef USE_PKCS11
+#define USE_PKCS11 0
+#endif
+#ifndef USE_OPENSSL
+#define USE_OPENSSL (! USE_PKCS11)
+#endif
+
#if USE_PKCS11
#include <pk11/pk11.h>
#include <pk11/site.h>
@@ -116,11 +123,10 @@ struct dst_key {
void *generic;
dns_gss_ctx_id_t gssctx;
DH *dh;
-#if USE_OPENSSL
- EVP_PKEY *pkey;
-#endif /* if USE_OPENSSL */
#if USE_PKCS11
pk11_object_t *pkey;
+#else
+ EVP_PKEY *pkey;
#endif /* if USE_PKCS11 */
dst_hmac_key_t *hmac_key;
} keydata; /*%< pointer to key in crypto pkg fmt */
--
2.26.2

40
bind-9.16-redhat_doc.patch
View File

@ -1,4 +1,4 @@
From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001
From 402403b4bbb4f603693378e86b6c97997ccb0401 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 17 Jun 2020 23:17:13 +0200
Subject: [PATCH] Update man named with Red Hat specifics
@ -6,15 +6,15 @@ Subject: [PATCH] Update man named with Red Hat specifics
This is almost unmodified text and requires revalidation. Some of those
statements are no longer correct.
---
bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
bin/named/named.rst | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/bin/named/named.rst b/bin/named/named.rst
index 6fd8f87..3cd6350 100644
index ea440b2..fa51984 100644
--- a/bin/named/named.rst
+++ b/bin/named/named.rst
@@ -228,6 +228,41 @@ Files
``/var/run/named/named.pid``
@@ -212,6 +212,47 @@ Files
|named_pid|
The default process-id file.
+Notes
@ -24,7 +24,7 @@ index 6fd8f87..3cd6350 100644
+
+By default, Red Hat ships BIND with the most secure SELinux policy
+that will not prevent normal BIND operation and will prevent exploitation
+of all known BIND security vulnerabilities. See the selinux(8) man page
+of all known BIND security vulnerabilities . See the selinux(8) man page
+for information about SElinux.
+
+It is not necessary to run named in a chroot environment if the Red Hat
@ -34,27 +34,33 @@ index 6fd8f87..3cd6350 100644
+
+*With this extra security comes some restrictions:*
+
+By default, the SELinux policy does not allow named to write outside directory
+/var/named. That directory used to be read-only for named, but write access is
+enabled by default now.
+By default, the SELinux policy does not allow named to write any master
+zone database files. Only the root user may create files in the $ROOTDIR/var/named
+zone database file directory (the options { "directory" } option), where
+$ROOTDIR is set in /etc/sysconfig/named.
+
+The "named" group must be granted read privelege to
+these files in order for named to be enabled to read them.
+Any file updated by named must be writeable by named user or named group.
+
+Any file created in the zone database file directory is automatically assigned
+the SELinux file context *named_zone_t* .
+
+By default, SELinux prevents any role from modifying *named_zone_t* files; this
+means that files in the zone database directory cannot be modified by dynamic
+DNS (DDNS) updates or zone transfers.
+
+The Red Hat BIND distribution and SELinux policy creates three directories where
+named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
+*/var/named/data*. The service is able to write and file under */var/named* with appropriate
+permissions. They are used for better organisation of zones and backward compatibility.
+Files in these directories are automatically assigned the '*named_cache_t*'
+file context, which SELinux always allows named to write.
+named is allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
+*/var/named/data*. By placing files you want named to modify, such as
+slave or DDNS updateable zone files and database / statistics dump files in
+these directories, named will work normally and no further operator action is
+required. Files in these directories are automatically assigned the '*named_cache_t*'
+file context, which SELinux allows named to write.
+
+
See Also
~~~~~~~~
--
2.26.2
2.34.1

113
bind-9.16-resolv.conf-options-timeout-test.patch
View File

@ -1,113 +0,0 @@
From 7270604440268bb17b39ae734ff33003a67c8343 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 20 Jul 2021 19:34:42 +0200
Subject: [PATCH] Check parsed resconf values
Add 'attempts' check, fix 'ndots' data. Create a bunch of verification
functions and check parsed values, not just return codes.
---
lib/irs/tests/resconf_test.c | 46 ++++++++++++++++++--
lib/irs/tests/testdata/options-attempts.conf | 10 +++++
lib/irs/tests/testdata/options-ndots.conf | 2 +-
3 files changed, 54 insertions(+), 4 deletions(-)
create mode 100644 lib/irs/tests/testdata/options-attempts.conf
diff --git a/lib/irs/tests/resconf_test.c b/lib/irs/tests/resconf_test.c
index 6951758..ce94345 100644
--- a/lib/irs/tests/resconf_test.c
+++ b/lib/irs/tests/resconf_test.c
@@ -45,6 +45,43 @@ setup_test() {
assert_return_code(chdir(TESTS), 0);
}
+static isc_result_t
+check_number(unsigned int n, unsigned int expected) {
+ return ((n == expected) ? ISC_R_SUCCESS : ISC_R_BADNUMBER);
+}
+
+static isc_result_t
+check_attempts(irs_resconf_t *resconf) {
+ return (check_number(irs_resconf_getattempts(resconf), 4));
+}
+
+static isc_result_t
+check_timeout(irs_resconf_t *resconf) {
+ return (check_number(irs_resconf_gettimeout(resconf), 1));
+}
+
+static isc_result_t
+check_ndots(irs_resconf_t *resconf) {
+ return (check_number(irs_resconf_getndots(resconf), 2));
+}
+
+static isc_result_t
+check_options(irs_resconf_t *resconf) {
+ if (irs_resconf_getattempts(resconf) != 3) {
+ return ISC_R_BADNUMBER; /* default value only */
+ }
+
+ if (irs_resconf_getndots(resconf) != 2) {
+ return ISC_R_BADNUMBER;
+ }
+
+ if (irs_resconf_gettimeout(resconf) != 1) {
+ return ISC_R_BADNUMBER;
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
/* test irs_resconf_load() */
static void
irs_resconf_load_test(void **state) {
@@ -64,15 +101,18 @@ irs_resconf_load_test(void **state) {
ISC_R_SUCCESS },
{ "testdata/nameserver-v6-scoped.conf", ISC_R_SUCCESS, NULL,
ISC_R_SUCCESS },
+ { "testdata/options-attempts.conf", ISC_R_SUCCESS,
+ check_attempts, ISC_R_SUCCESS },
{ "testdata/options-debug.conf", ISC_R_SUCCESS, NULL,
ISC_R_SUCCESS },
- { "testdata/options-ndots.conf", ISC_R_SUCCESS, NULL,
+ { "testdata/options-ndots.conf", ISC_R_SUCCESS, check_ndots,
ISC_R_SUCCESS },
- { "testdata/options-timeout.conf", ISC_R_SUCCESS, NULL,
+ { "testdata/options-timeout.conf", ISC_R_SUCCESS, check_timeout,
ISC_R_SUCCESS },
{ "testdata/options-unknown.conf", ISC_R_SUCCESS, NULL,
ISC_R_SUCCESS },
- { "testdata/options.conf", ISC_R_SUCCESS, NULL, ISC_R_SUCCESS },
+ { "testdata/options.conf", ISC_R_SUCCESS, check_options,
+ ISC_R_SUCCESS },
{ "testdata/options-bad-ndots.conf", ISC_R_RANGE, NULL,
ISC_R_SUCCESS },
{ "testdata/options-empty.conf", ISC_R_UNEXPECTEDEND, NULL,
diff --git a/lib/irs/tests/testdata/options-attempts.conf b/lib/irs/tests/testdata/options-attempts.conf
new file mode 100644
index 0000000..4538643
--- /dev/null
+++ b/lib/irs/tests/testdata/options-attempts.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+options attempts:4
diff --git a/lib/irs/tests/testdata/options-ndots.conf b/lib/irs/tests/testdata/options-ndots.conf
index 5d18d26..f37c712 100644
--- a/lib/irs/tests/testdata/options-ndots.conf
+++ b/lib/irs/tests/testdata/options-ndots.conf
@@ -9,4 +9,4 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
-option ndots:2
+options ndots:2
--
2.35.3

203
bind-9.16-resolv.conf-options-timeout.patch
View File

@ -1,203 +0,0 @@
From b0e79979672935ff07bf23703c675ee788940c59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 22 Jun 2021 16:35:46 +0200
Subject: [PATCH] Parse 'timeout' and 'attempts' from resolv.conf
It was supported by lwres in BIND 9.11, and is still mentioned in
the manual page. Restore support for it by adding it to libirs.
---
bin/dig/dighost.c | 13 ++++++-
lib/irs/include/irs/resconf.h | 20 +++++++++++
lib/irs/resconf.c | 64 ++++++++++++++++++++++++++++-------
3 files changed, 84 insertions(+), 13 deletions(-)
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 0222454..274e894 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -133,7 +133,7 @@ int sendcount = 0;
int recvcount = 0;
int sockcount = 0;
int ndots = -1;
-int tries = 3;
+int tries = -1;
int lookup_counter = 0;
static char servercookie[256];
@@ -1330,6 +1330,17 @@ setup_system(bool ipv4only, bool ipv6only) {
ndots = irs_resconf_getndots(resconf);
debug("ndots is %d.", ndots);
}
+ if (timeout == 0) {
+ timeout = irs_resconf_gettimeout(resconf);
+ debug("timeout is %d.", timeout);
+ }
+ if (tries == -1) {
+ tries = irs_resconf_getattempts(resconf);
+ if (tries == 0) {
+ tries = 3;
+ }
+ debug("retries is %d.", tries);
+ }
/* If user doesn't specify server use nameservers from resolv.conf. */
if (ISC_LIST_EMPTY(server_list)) {
diff --git a/lib/irs/include/irs/resconf.h b/lib/irs/include/irs/resconf.h
index 424b795..74fc84a 100644
--- a/lib/irs/include/irs/resconf.h
+++ b/lib/irs/include/irs/resconf.h
@@ -113,6 +113,26 @@ irs_resconf_getndots(irs_resconf_t *conf);
*\li 'conf' is a valid resconf object.
*/
+unsigned int
+irs_resconf_getattempts(irs_resconf_t *conf);
+/*%<
+ * Return the 'attempts' value stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li 'conf' is a valid resconf object.
+ */
+
+unsigned int
+irs_resconf_gettimeout(irs_resconf_t *conf);
+/*%<
+ * Return the 'timeout' value stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li 'conf' is a valid resconf object.
+ */
+
ISC_LANG_ENDDECLS
#endif /* IRS_RESCONF_H */
diff --git a/lib/irs/resconf.c b/lib/irs/resconf.c
index 096064b..dd51d71 100644
--- a/lib/irs/resconf.c
+++ b/lib/irs/resconf.c
@@ -80,6 +80,13 @@
#define RESCONFMAXLINELEN 256U /*%< max size of a line */
#define RESCONFMAXSORTLIST 10U /*%< max 10 */
+#define CHECK(op) \
+ do { \
+ result = (op); \
+ if (result != ISC_R_SUCCESS) \
+ goto cleanup; \
+ } while (0)
+
/*!
* configuration data structure
*/
@@ -114,6 +121,10 @@ struct irs_resconf {
uint8_t resdebug;
/*%< set to n in 'options ndots:n' */
uint8_t ndots;
+ /*%< set to n in 'options attempts:n' */
+ uint8_t attempts;
+ /*%< set to n in 'options timeout:n' */
+ uint8_t timeout;
};
static isc_result_t
@@ -176,8 +187,8 @@ eatwhite(FILE *fp) {
*/
static int
getword(FILE *fp, char *buffer, size_t size) {
+ char *p = NULL;
int ch;
- char *p;
REQUIRE(buffer != NULL);
REQUIRE(size > 0U);
@@ -457,11 +468,26 @@ resconf_parsesortlist(irs_resconf_t *conf, FILE *fp) {
return (ISC_R_SUCCESS);
}
+static isc_result_t
+resconf_optionnumber(const char *word, uint8_t *number) {
+ char *p;
+ long n;
+
+ n = strtol(word, &p, 10);
+ if (*p != '\0') { /* Bad string. */
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+ if (n < 0 || n > 0xff) { /* Out of range. */
+ return (ISC_R_RANGE);
+ }
+ *number = n;
+ return (ISC_R_SUCCESS);
+}
+
static isc_result_t
resconf_parseoption(irs_resconf_t *conf, FILE *fp) {
int delim;
- long ndots;
- char *p;
+ isc_result_t result = ISC_R_SUCCESS;
char word[RESCONFMAXLINELEN];
delim = getword(fp, word, sizeof(word));
@@ -473,14 +499,11 @@ resconf_parseoption(irs_resconf_t *conf, FILE *fp) {
if (strcmp("debug", word) == 0) {
conf->resdebug = 1;
} else if (strncmp("ndots:", word, 6) == 0) {
- ndots = strtol(word + 6, &p, 10);
- if (*p != '\0') { /* Bad string. */
- return (ISC_R_UNEXPECTEDTOKEN);
- }
- if (ndots < 0 || ndots > 0xff) { /* Out of range. */
- return (ISC_R_RANGE);
- }
- conf->ndots = (uint8_t)ndots;
+ CHECK(resconf_optionnumber(word + 6, &conf->ndots));
+ } else if (strncmp("attempts:", word, 9) == 0) {
+ CHECK(resconf_optionnumber(word + 9, &conf->attempts));
+ } else if (strncmp("timeout:", word, 8) == 0) {
+ CHECK(resconf_optionnumber(word + 8, &conf->timeout));
}
if (delim == EOF || delim == '\n') {
@@ -490,7 +513,8 @@ resconf_parseoption(irs_resconf_t *conf, FILE *fp) {
}
}
- return (ISC_R_SUCCESS);
+cleanup:
+ return (result);
}
static isc_result_t
@@ -532,6 +556,8 @@ irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp) {
conf->sortlistnxt = 0;
conf->resdebug = 0;
conf->ndots = 1;
+ conf->attempts = 3;
+ conf->timeout = 0;
for (i = 0; i < RESCONFMAXSEARCH; i++) {
conf->search[i] = NULL;
}
@@ -687,3 +713,17 @@ irs_resconf_getndots(irs_resconf_t *conf) {
return ((unsigned int)conf->ndots);
}
+
+unsigned int
+irs_resconf_getattempts(irs_resconf_t *conf) {
+ REQUIRE(IRS_RESCONF_VALID(conf));
+
+ return ((unsigned int)conf->attempts);
+}
+
+unsigned int
+irs_resconf_gettimeout(irs_resconf_t *conf) {
+ REQUIRE(IRS_RESCONF_VALID(conf));
+
+ return ((unsigned int)conf->timeout);
+}
--
2.35.3

46
bind-9.5-PIE.patch
View File

@ -1,30 +1,20 @@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index eb622d1..37053a7 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -117,8 +117,12 @@ SRCS = builtin.c config.c control.c \
tkeyconf.c tsigconf.c zoneconf.c \
${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am
index 7065a90..e2e485b 100644
--- a/bin/named/Makefile.am
+++ b/bin/named/Makefile.am
@@ -32,6 +32,7 @@ AM_CPPFLAGS += \
endif HAVE_LIBXML2
+EXT_CFLAGS = -fpie
AM_CPPFLAGS += \
+ -fpie \
-DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
@@ -122,5 +123,7 @@ named_LDADD += \
$(LIBNGHTTP2_LIBS)
endif HAVE_LIBNGHTTP2
+AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
+
@BIND9_MAKE_RULES@
+LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
+
main.@O@: main.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
index fd9ca8d..f1c102c 100644
--- a/bin/named/unix/Makefile.in
+++ b/bin/named/unix/Makefile.in
@@ -11,6 +11,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
+EXT_CFLAGS = -fpie
+
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
MAINTAINERCLEANFILES = \
named.conf.rst

53
bind-9.5-dlz-64bit.patch
View File

@ -1,53 +0,0 @@
diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
index 47525af..eefe3c3 100644
--- a/contrib/dlz/config.dlz.in
+++ b/contrib/dlz/config.dlz.in
@@ -17,6 +17,13 @@
#
dlzdir='${DLZ_DRIVER_DIR}'
+AC_MSG_CHECKING([for target libdir])
+AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}],
+ [target_lib=lib64],
+ [target_lib=lib],
+)
+AC_MSG_RESULT(["$target_lib"])
+
#
# Private autoconf macro to simplify configuring drivers:
#
@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in
then
break
fi
- elif test -f "$dd/lib/lib${d}.so"
+ elif test -f "$dd/${target_lib}/lib${d}.so"
then
- dlz_bdb_libs="-L${dd}/lib -l${d}"
+ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
break
fi
done
@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in
*)
DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
[-I$use_dlz_ldap/include],
- [-L$use_dlz_ldap/lib -lldap -llber])
+ [-L$use_dlz_ldap/${target_lib} -lldap -llber])
AC_MSG_RESULT(
[using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
@@ -432,11 +439,11 @@ then
odbcdirs="/usr /usr/local /usr/pkg"
for d in $odbcdirs
do
- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
then
use_dlz_odbc=$d
dlz_odbc_include="-I$use_dlz_odbc/include"
- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
+ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
break
fi
done

31
bind-9.9.1-P2-dlz-libdb.patch
View File

@ -1,31 +0,0 @@
diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in
--- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200
+++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200
@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in
# Check other locations for includes.
# Order is important (sigh).
- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
+ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
# include a blank element first
for d in "" $bdb_incdirs
do
@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
for d in $bdb_libnames
do
- if test "$dd" = "/usr"
+ if test -f "$dd/${target_lib}/lib${d}.so"
then
- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}")
- if test $dlz_bdb_libs != "yes"
- then
- break
- fi
- elif test -f "$dd/${target_lib}/lib${d}.so"
- then
- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
break
fi
done

288
bind.spec
View File

@ -9,15 +9,19 @@
%bcond_without GSSTSIG
# it is not possible to build the package without PKCS11 sub-package
# due to extensive changes to Makefiles
%bcond_without PKCS11
%bcond_with PKCS11 # TODO: Remove
%bcond_without JSON
# FIXME: Not ready. Should it be worked on?
%bcond_without DLZ
# New MaxMind GeoLite support
%bcond_without GEOIP2
# Disabled temporarily until kyua is fixed on rawhide, bug #1926779
%bcond_without UNITTEST
%bcond_without DNSTAP
%bcond_without LMDB
%bcond_without DOC
# Because of issues with PDF rebuild, include only HTML pages
# Current error: unable top find isc-logo.pdf
%if 0%{?fedora}
# RHEL and ELN do not have all required packages
%bcond_without DOCPDF
@ -47,18 +51,26 @@
# lib*.so.X versions of selected libraries no longer provided,
# lib*-%%{version}-RH.so is provided as an internal implementation detail
# Upstream package name
%global upname bind
%define upname_compat() \
%if "%{name}" != "%{upname}" \
Provides: %1 = %{epoch}:%{version}-%{release} \
Obsoletes: %1 < 32:9.17.0 \
Conflicts: %1 \
%endif
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name: bind
License: MPLv2.0
Version: 9.16.30
Version: 9.18.4
Release: 2%{?dist}
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
Source0: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz
Source0: https://downloads.isc.org/isc/bind9/%{version}/%{upname}-%{version}.tar.xz
Source1: named.sysconfig
Source2: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz.asc
Source2: https://downloads.isc.org/isc/bind9/%{version}/%{upname}-%{version}.tar.xz.asc
Source3: named.logrotate
Source4: https://downloads.isc.org/isc/pgpkeys/codesign2021.txt
Source16: named.conf
@ -84,27 +96,11 @@ Source47: named-pkcs11.service
Source48: setup-named-softhsm.sh
Source49: named-chroot.files
# Make PKCS11 used only for pkcs11 parts
Patch1: bind-9.14-config-pkcs11.patch
# Fedora specific patch to distribute native-pkcs#11 functionality
Patch2: bind-9.10-dist-native-pkcs11.patch
# Do not use isc-pkcs11.
Patch3: bind-9.11-kyua-pkcs11.patch
# Common patches
Patch18: bind-9.5-PIE.patch
Patch19: bind-9.16-redhat_doc.patch
Patch20: bind-9.5-dlz-64bit.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5601
Patch21: bind93-rh490837.patch
# FIXME: Is this still required?
Patch10: bind-9.5-PIE.patch
Patch16: bind-9.16-redhat_doc.patch
Patch22: bind-9.11-fips-tests.patch
Patch24: bind-9.9.1-P2-dlz-libdb.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/2689
Patch25:bind-9.11-rh1666814.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5273
Patch27: bind-9.16-resolv.conf-options-timeout.patch
Patch28: bind-9.16-resolv.conf-options-timeout-test.patch
%{?systemd_ordering}
Requires: coreutils
@ -112,22 +108,23 @@ Requires(pre): shadow-utils
Requires(post): shadow-utils
Requires(post): glibc-common
Requires(post): grep
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
# This wild require should satisfy %%selinux_set_boolean macro only
# in case it needs to be used
Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls))
Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls))
Recommends: bind-utils bind-dnssec-utils
Recommends: %{name}-utils %{name}-dnssec-utils
%upname_compat %{upname}
BuildRequires: gcc, make
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
BuildRequires: libidn2-devel, libxml2-devel
BuildRequires: systemd-rpm-macros
BuildRequires: selinux-policy
# needed for %%{__python3} macro
BuildRequires: python3-devel
BuildRequires: python3-ply
BuildRequires: findutils sed
BuildRequires: libnghttp2-devel
%if 0%{?fedora}
BuildRequires: jemalloc-devel
BuildRequires: gnupg2
%endif
BuildRequires: libuv-devel
@ -136,7 +133,7 @@ BuildRequires: openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-d
%endif
%if %{with UNITTEST}
# make unit dependencies
BuildRequires: libcmocka-devel kyua
BuildRequires: libcmocka-devel
%endif
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
BuildRequires: softhsm
@ -185,9 +182,9 @@ tools for verifying that the DNS server is operating properly.
%if %{with PKCS11}
%package pkcs11
Summary: Bind with native PKCS#11 functionality for crypto
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Recommends: softhsm
%description pkcs11
@ -195,21 +192,27 @@ This is a version of BIND server built with native PKCS#11 functionality.
It is important to have SoftHSM v2+ installed and some token initialized.
For other supported HSM modules please check the BIND documentation.
# TODO: Those utils can be used also without pkcs11 variant, but are not?
%package pkcs11-utils
Summary: Bind tools with native PKCS#11 for using DNSSEC
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Obsoletes: bind-pkcs11 < 32:9.9.4-16.P2
Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release}
Obsoletes: %{name}-pkcs11 < 32:9.9.4-16.P2
Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release}
%if %{with PKCS11}
Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
%endif
%description pkcs11-utils
This is a set of PKCS#11 utilities that when used together create rsa
keys in a PKCS11 keystore. Also utilities for working with DNSSEC
keys in a PKCS11 keystore.
%if %{with PKCS11}
Also utilities for working with DNSSEC
compiled with native PKCS#11 functionality are included.
%endif
%package pkcs11-libs
Summary: Bind libraries compiled with native PKCS#11
Requires: bind-license = %{epoch}:%{version}-%{release}
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}-license = %{epoch}:%{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
%description pkcs11-libs
This is a set of BIND libraries (dns, isc) compiled with native PKCS#11
@ -217,8 +220,8 @@ functionality.
%package pkcs11-devel
Summary: Development files for Bind libraries compiled with native PKCS#11
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-devel%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
%description pkcs11-devel
This a set of development files for BIND libraries (dns, isc) compiled
@ -227,13 +230,13 @@ with native PKCS#11 functionality.
%package libs
Summary: Libraries used by the BIND DNS packages
Requires: bind-license = %{epoch}:%{version}-%{release}
Provides: bind-libs-lite = %{epoch}:%{version}-%{release}
Obsoletes: bind-libs-lite < 32:9.16.13
Requires: %{name}-license = %{epoch}:%{version}-%{release}
Provides: %{name}-libs-lite = %{epoch}:%{version}-%{release}
Obsoletes: %{name}-libs-lite < 32:9.16.13
%description libs
Contains heavyweight version of BIND suite libraries used by both named DNS
server and utilities in bind-utils package.
server and utilities in %{name}-utils package.
%package license
Summary: License of the BIND DNS suite
@ -244,9 +247,10 @@ Contains license of the BIND DNS suite.
%package utils
Summary: Utilities for querying DNS name servers
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
# For compatibility with Debian package
Provides: dnsutils = %{epoch}:%{version}-%{release}
%upname_compat %{upname}-utils
%description utils
Bind-utils contains a collection of utilities for querying DNS (Domain
@ -255,37 +259,37 @@ hosts. These tools will provide you with the IP addresses for given
host names, as well as other information about registered domains and
network addresses.
You should install bind-utils if you need to get information from DNS name
You should install %{name}-utils if you need to get information from DNS name
servers.
%package dnssec-utils
Summary: DNSSEC keys and zones management utilities
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Recommends: bind-utils
Requires: python3-bind = %{epoch}:%{version}-%{release}
Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Recommends: %{name}-utils
Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release}
%upname_compat %{upname}-dnssec-utils
%description dnssec-utils
Bind-dnssec-utils contains a collection of utilities for editing
%{name}-dnssec-utils contains a collection of utilities for editing
DNSSEC keys and BIND zone files. These tools provide generation,
revocation and verification of keys and DNSSEC signatures in zone files.
You should install bind-dnssec-utils if you need to sign a DNS zone
You should install %{name}-dnssec-utils if you need to sign a DNS zone
or maintain keys for it.
%package dnssec-doc
Summary: Manual pages of DNSSEC utilities
Requires: bind-license = %{epoch}:%{version}-%{release}
Requires: %{name}-license = %{epoch}:%{version}-%{release}
BuildArch:noarch
%description dnssec-doc
Bind-dnssec-doc contains manual pages for bind-dnssec-utils.
%{name}-dnssec-doc contains manual pages for %{name}-dnssec-utils.
%package devel
Summary: Header files and libraries needed for bind-dyndb-ldap
Provides: bind-lite-devel = %{epoch}:%{version}-%{release}
Obsoletes: bind-lite-devel < 32:9.16.6-3
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Provides: %{name}-lite-devel = %{epoch}:%{version}-%{release}
Obsoletes: %{name}-lite-devel < 32:9.16.6-3
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa}
Requires: libcap-devel%{?_isa}
%if %{with GSSTSIG}
@ -305,7 +309,7 @@ Requires: libmaxminddb-devel%{?_isa}
%endif
%description devel
The bind-devel package contains full version of the header files and libraries
The %{name}-devel package contains full version of the header files and libraries
required for building bind-dyndb-ldap. Upstream no longer supports nor recommends
bind libraries for third party applications.
@ -314,7 +318,7 @@ Summary: A chroot runtime environment for the ISC BIND DNS server, named(
Prefix: %{chroot_prefix}
# grep is required due to setup-named-chroot.sh script
Requires: grep
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
%description chroot
This package contains a tree of files which can be used as a
@ -325,21 +329,21 @@ Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
%if %{with DLZ}
%package dlz-filesystem
Summary: BIND server filesystem DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-filesystem
Dynamic Loadable Zones filesystem module for BIND server.
%package dlz-ldap
Summary: BIND server ldap DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-ldap
Dynamic Loadable Zones LDAP module for BIND server.
%package dlz-mysql
Summary: BIND server mysql and mysqldyn DLZ modules
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
Provides: %{name}-dlz-mysqldyn = %{epoch}:%{version}-%{release}
Obsoletes: %{name}-dlz-mysqldyn < 32:9.16.6-3
@ -349,28 +353,16 @@ Contains also mysqldyn module with dynamic DNS updates (DDNS) support.
%package dlz-sqlite3
Summary: BIND server sqlite3 DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
%description dlz-sqlite3
Dynamic Loadable Zones sqlite3 module for BIND server.
%endif
%package -n python3-bind
Summary: A module allowing rndc commands to be sent from Python programs
Requires: bind-license = %{epoch}:%{version}-%{release}
Requires: python3 python3-ply %{?py3_dist:%py3_dist ply}
BuildArch: noarch
%{?python_provide:%python_provide python3-bind}
%{?python_provide:%python_provide python3-isc}
%description -n python3-bind
This package provides a module which allows commands to be sent to rndc directly from Python programs.
%if %{with DOC}
%package doc
Summary: BIND 9 Administrator Reference Manual
Requires: bind-license = %{epoch}:%{version}-%{release}
Requires: %{name}-license = %{epoch}:%{version}-%{release}
Requires: python3-sphinx_rtd_theme
BuildArch: noarch
@ -392,25 +384,15 @@ in HTML and PDF format.
# RHEL does not yet support this verification
%{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE2}' --data='%{SOURCE0}'
%endif
%autosetup -n %{name}-%{version} -N
%autopatch -p1 -m 18
%if %{with PKCS11}
%autopatch -p1 -m 1 -M 1
cp -r bin/named{,-pkcs11}
cp -r bin/dnssec{,-pkcs11}
cp -r lib/dns{,-pkcs11}
cp -r lib/ns{,-pkcs11}
%autopatch -p1 -m 2 -M 17
%endif
%autosetup -n %{upname}-%{version} -p1
# Sparc and s390 arches need to use -fPIE
%ifarch sparcv9 sparc64 s390 s390x
for i in bin/named/{,unix}/Makefile.in; do
for i in bin/named/Makefile.am; do
sed -i 's|fpie|fPIE|g' $i
done
%endif
sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/ifconfig.sh
:;
@ -420,15 +402,12 @@ sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/i
# normal and pkcs11 unit tests
%define unit_prepare_build() \
cp -uv Kyuafile "%{1}/" \
find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \
find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \
find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
%define systemtest_prepare_build() \
cp -Tuav bin/tests "%{1}/bin/tests/" \
cp -uv version "%{1}" \
CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
%if %{with TSAN}
@ -439,10 +418,10 @@ export STD_CDEFINES="$CPPFLAGS"
sed -i -e \
's/RELEASEVER=\(.*\)/RELEASEVER=\1-RH/' \
version
's/([bind_VERSION_EXTRA],\s*\([^)]*\))/([bind_VERSION_EXTRA], \1-RH)/' \
configure.ac
libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f
autoreconf --force --install
mkdir build
@ -456,8 +435,6 @@ pushd build
LIBDIR_SUFFIX=
export LIBDIR_SUFFIX
%configure \
--with-python=%{__python3} \
--with-libtool \
--localstatedir=%{_var} \
--with-pic \
--disable-static \
@ -471,7 +448,6 @@ export LIBDIR_SUFFIX
--enable-native-pkcs11 \
--with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \
%endif
--with-dlopen=yes \
%if %{with GSSTSIG}
--with-gssapi=yes \
%endif
@ -481,7 +457,7 @@ export LIBDIR_SUFFIX
--with-lmdb=no \
%endif
%if %{with JSON}
--without-libjson --with-json-c \
--with-json-c \
%endif
%if %{with DNSTAP}
--enable-dnstap \
@ -496,9 +472,6 @@ export LIBDIR_SUFFIX
pushd lib
SRCLIB="../../../lib"
(cd dns && ln -s ${SRCLIB}/dns/dnstap.proto)
%if %{with PKCS11}
(cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto)
%endif
popd
%endif
@ -512,27 +485,14 @@ fmtutil-user --missing || :
%make_build
# Regenerate dig.1 manpage
pushd bin/dig
make man
popd
pushd bin/python
make man
popd
%if %{with DOC}
make doc
%endif
%if %{with DLZ}
pushd contrib/dlz/modules
for DIR in mysql mysqldyn; do
sed -e 's/@DLZ_DRIVER_MYSQL_INCLUDES@/$(shell mysql_config --cflags)/' \
-e 's/@DLZ_DRIVER_MYSQL_LIBS@/$(shell mysql_config --libs)/' \
$DIR/Makefile.in > $DIR/Makefile
done
for DIR in filesystem ldap mysql mysqldyn sqlite3; do
make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS -DPTHREADS=1" LDFLAGS="$LDFLAGS"
done
popd
%endif
@ -639,11 +599,6 @@ install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}
%if %{with PKCS11}
install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir}
%else
# Not packaged without PKCS11
find ${RPM_BUILD_ROOT}%{_includedir}/bind9/pk11 ${RPM_BUILD_ROOT}%{_includedir}/bind9/pkcs11 \
-name '*.h' \! -name site.h -delete
%endif
mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
@ -659,14 +614,22 @@ mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named
install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files
pushd ${RPM_BUILD_ROOT}%{_sbindir}
# Compatibility with previous major versions, only for selected binaries
for BIN in named-checkconf named-checkzone named-compilezone
do
ln -s ../bin/$BIN $BIN
done
popd
%if %{with DLZ}
pushd build
pushd contrib/dlz/modules
for DIR in filesystem ldap mysql mysqldyn sqlite3; do
%make_install -C $DIR libdir=%{_libdir}/named
%make_install -C $DIR libdir=%{_libdir}/bind
done
pushd ${RPM_BUILD_ROOT}/%{_libdir}/bind
cp -s ../named/dlz_*.so .
pushd ${RPM_BUILD_ROOT}/%{_libdir}/named
cp -s ../bind/dlz_*.so .
popd
mkdir -p doc/{mysql,mysqldyn}
cp -p mysqldyn/testing/README doc/mysqldyn/README.testing
@ -676,9 +639,6 @@ install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files
popd
%endif
# Install isc/errno2result.h header
install -m 644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/bind9/isc
# Remove libtool .la files:
find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';
@ -708,15 +668,15 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man8/named-nzd2nzf.8* || true
pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
ln -s ddns-confgen.8.gz tsig-keygen.8.gz
ln -s named-checkzone.8.gz named-compilezone.8.gz
popd
pushd ${RPM_BUILD_ROOT}%{_mandir}/man1
ln -s named-checkzone.1.gz named-compilezone.1.gz
popd
%if %{with DOC}
mkdir -p ${RPM_BUILD_ROOT}%{_pkgdocdir}
cp -a build/doc/arm/_build/html ${RPM_BUILD_ROOT}%{_pkgdocdir}
rm -rf ${RPM_BUILD_ROOT}%{_pkgdocdir}/html/.{buildinfo,doctrees}
# Backward compatible link to 9.11 documentation
(cd ${RPM_BUILD_ROOT}%{_pkgdocdir} && ln -s html/index.html Bv9ARM.html)
# Share static data from original sphinx package
for DIR in %{python3_sitelib}/sphinx_rtd_theme/static/*
do
@ -729,7 +689,7 @@ do
done
%endif
%if %{with DOCPDF}
cp -a build/doc/arm/Bv9ARM.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir}
cp -p build/doc/arm/_build/latex/Bv9ARM.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir}
%endif
# Ghost config files:
@ -795,7 +755,7 @@ else
/sbin/usermod -s /sbin/nologin named
fi
# Checkconf will parse out comments
if /usr/sbin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key
if /usr/bin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key
then
echo "Replacing obsolete named.iscdlv.key with named.root.key..."
if cp -Rf --preserve=all --remove-destination /etc/named.conf /etc/named.conf.rpmbackup; then
@ -880,10 +840,10 @@ fi;
%files
# TODO: Move from lib/bind to lib/named, as used by upstream
# FIXME: current build targets filters into %%_libdir/bind again?
%dir %{_libdir}/bind
%{_libdir}/bind/filter*.so
%dir %{_libdir}/named
%{_libdir}/named/*.so
%exclude %{_libdir}/named/dlz_*.so
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named
%config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key
%config(noreplace) %{_sysconfdir}/logrotate.d/named
@ -891,12 +851,13 @@ fi;
%{_sysconfdir}/rwtab.d/named
%{_unitdir}/named.service
%{_unitdir}/named-setup-rndc.service
%{_sbindir}/named-journalprint
%{_sbindir}/named-checkconf
%{_bindir}/named-journalprint
%{_bindir}/named-checkconf
%{_bindir}/named-rrchecker
%{_bindir}/mdig
%{_sbindir}/named
%{_sbindir}/rndc*
%{_sbindir}/named-checkconf
%{_libexecdir}/generate-rndc-key.sh
%{_mandir}/man1/mdig.1*
%{_mandir}/man1/named-rrchecker.1*
@ -904,11 +865,11 @@ fi;
%{_mandir}/man5/rndc.conf.5*
%{_mandir}/man8/rndc.8*
%{_mandir}/man8/named.8*
%{_mandir}/man8/named-checkconf.8*
%{_mandir}/man1/named-checkconf.1*
%{_mandir}/man8/rndc-confgen.8*
%{_mandir}/man8/named-journalprint.8*
%{_mandir}/man8/filter-aaaa.8.gz
%doc CHANGES README named.conf.default
%{_mandir}/man1/named-journalprint.1*
%{_mandir}/man8/filter-*.8.gz
%doc CHANGES README.md named.conf.default
%doc sample/
# Hide configuration
@ -958,7 +919,9 @@ fi;
%{_bindir}/arpaname
%{_sbindir}/ddns-confgen
%{_sbindir}/tsig-keygen
%{_sbindir}/nsec3hash
%{_bindir}/nsec3hash
%{_bindir}/named-checkzone
%{_bindir}/named-compilezone
%{_sbindir}/named-checkzone
%{_sbindir}/named-compilezone
%if %{with DNSTAP}
@ -966,8 +929,8 @@ fi;
%{_mandir}/man1/dnstap-read.1*
%endif
%if %{with LMDB}
%{_sbindir}/named-nzd2nzf
%{_mandir}/man8/named-nzd2nzf.8*
%{_bindir}/named-nzd2nzf
%{_mandir}/man1/named-nzd2nzf.1*
%endif
%{_mandir}/man1/host.1*
%{_mandir}/man1/nsupdate.1*
@ -977,21 +940,21 @@ fi;
%{_mandir}/man1/arpaname.1*
%{_mandir}/man8/ddns-confgen.8*
%{_mandir}/man8/tsig-keygen.8*
%{_mandir}/man8/nsec3hash.8*
%{_mandir}/man8/named-checkzone.8*
%{_mandir}/man8/named-compilezone.8*
%{_mandir}/man1/nsec3hash.1*
%{_mandir}/man1/named-checkzone.1*
%{_mandir}/man1/named-compilezone.1*
%{_sysconfdir}/trusted-key.key
%files dnssec-utils
%{_sbindir}/dnssec*
%{_bindir}/dnssec*
%if %{with PKCS11}
%exclude %{_sbindir}/dnssec*pkcs11
%endif
%files dnssec-doc
%{_mandir}/man8/dnssec*.8*
%{_mandir}/man1/dnssec*.1*
%if %{with PKCS11}
%exclude %{_mandir}/man8/dnssec*-pkcs11.8*
%exclude %{_mandir}/man1/dnssec*-pkcs11.1*
%endif
%files devel
@ -1010,8 +973,6 @@ fi;
%{_includedir}/bind9/dst
%{_includedir}/bind9/irs
%{_includedir}/bind9/isc
%dir %{_includedir}/bind9/pk11
%{_includedir}/bind9/pk11/site.h
%{_includedir}/bind9/isccfg
%files chroot
@ -1059,22 +1020,21 @@ fi;
%{_libexecdir}/setup-named-softhsm.sh
%files pkcs11-utils
%{_sbindir}/dnssec*pkcs11
%{_sbindir}/pkcs11-destroy
%{_sbindir}/pkcs11-keygen
%{_sbindir}/pkcs11-list
%{_sbindir}/pkcs11-tokens
%{_mandir}/man8/pkcs11*.8*
%{_mandir}/man8/dnssec*-pkcs11.8*
%{_bindir}/pkcs11-destroy
%{_bindir}/pkcs11-keygen
%{_bindir}/pkcs11-list
%{_bindir}/pkcs11-tokens
%{_mandir}/man1/pkcs11-*.1*
%if %{with PKCS11}
%{_bindir}/dnssec*pkcs11
%{_mandir}/man1/dnssec*-pkcs11.1*
%endif
%files pkcs11-libs
%{_libdir}/libdns-pkcs11-%{version}*.so
%{_libdir}/libns-pkcs11-%{version}*.so
%files pkcs11-devel
%{_includedir}/bind9/pk11/*.h
%exclude %{_includedir}/bind9/pk11/site.h
%{_includedir}/bind9/pkcs11
%{_libdir}/libdns-pkcs11.so
%{_libdir}/libns-pkcs11.so
%endif
@ -1099,14 +1059,9 @@ fi;
%endif
%files -n python3-bind
%{python3_sitelib}/*.egg-info
%{python3_sitelib}/isc/
%if %{with DOC}
%files doc
%dir %{_pkgdocdir}
%doc %{_pkgdocdir}/Bv9ARM.html
%doc %{_pkgdocdir}/html
%endif
%if %{with DOCPDF}
@ -1114,6 +1069,9 @@ fi;
%endif
%changelog
* Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-1
- Update to 9.18.4 (#2057493)
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.16.30-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

34
bind93-rh490837.patch
View File

@ -1,34 +0,0 @@
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
index cd44fe3..5b7c539 100644
--- a/lib/isc/lex.c
+++ b/lib/isc/lex.c
@@ -27,6 +27,8 @@
#include <isc/string.h>
#include <isc/util.h>
+#include "../errno2result.h"
+
typedef struct inputsource {
isc_result_t result;
bool is_file;
@@ -422,7 +424,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
#endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */
if (c == EOF) {
if (ferror(stream)) {
- source->result = ISC_R_IOERROR;
+ source->result = isc__errno2result(errno);
result = source->result;
goto done;
}
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
index e3e2644..5e58600 100644
--- a/lib/isc/unix/errno2result.c
+++ b/lib/isc/unix/errno2result.c
@@ -37,6 +37,7 @@ isc___errno2result(int posixerrno, bool dolog, const char *file,
case EINVAL: /* XXX sometimes this is not for files */
case ENAMETOOLONG:
case EBADF:
+ case EISDIR:
return (ISC_R_INVALIDFILE);
case ENOENT:
return (ISC_R_FILENOTFOUND);

252
codesign2019.txt Normal file
View File

@ -0,0 +1,252 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: GPGTools - http://gpgtools.org
mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m
r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk
pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI
yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG
ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0
/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh
qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF
UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv
SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D
o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt
LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB
tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln
EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB
Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA
1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj
tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+
5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn
Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF
JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI
hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa
xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd
gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX
pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP
vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf
6f2op3tMiQEzBBABCAAdFiEEFcm6uMUTPAcGawLtlumWUDlMmawFAlwuSqAACgkQ
lumWUDlMmaz+igf/ZW8OY5aWjRk7QiXp93jkWRIbMi8kB9jW5u6tfYXFjMADpqiQ
yYdzEHFayRF92PQwj81UzIWzOWjErFWLDE2xol9sP5LdzeqoyED+XTqKggpVsIs+
Lq672qnumQoZKp1YGb8MDocU2DNg/VsMdi7kCnEnPbcSuBxksmxGYomusXNrAF94
1OJ2sqd9BuFamLIyn8XUCGGYlsvMoe4kTCg6Cc1sQvx0lDG8urKN57jBKWbP4alV
+JBV5KQcf74gzPmE3ypgY1tMEwxyH/WyS9ekDbai0qauX6eUAsM1bduH8fIcknLS
Zl5hrJTrzWFF9/DKOth8QOwhJ9zoIF1fcAsx9okBMwQQAQgAHRYhBHpqR7X54SM6
0lUrXL2X3GOe6MR7BQJcLktcAAoJEL2X3GOe6MR7jwEH/iaolMeno1oeWAgzN6Mg
bx3maweh/9Vqty1fwk7Crq1G78X5i1OCkknEL2p0Bfle4ApwcC4HZVcqCgoYpRV3
/EEXtwkMNy3plWdBbLCQSev/E1D39GzgAHiMnv7NUJnkoJbvMrvrAiUTXPTtARMM
gjEpvgEs60wuJxS8ESomRhe/KW4myxDoBxF+K+e5bOkOvvWVcAYJHWZ1BIZs4n6b
+C2vO8q5aKTkQ/XvNT7utbTOqj1SGhItRaAQKXHBdzkQ1Et3wTA4+uRg4gK12624
9LperYs26w9X9UzApl+qVxQhtWUw3tnUXMastDfQrRcvJgq1xpv++OqX5Uc93RTf
SNWJAjMEEAEIAB0WIQS+DpdItxglOii7if/xsRvwXPAuVwUCXC5LlQAKCRDxsRvw
XPAuV29KEACEwlTVVKe4gnBYHnlAD7csoQ0+gJ6C+Ofzlw+UItRIcFeVCAknSGBs
NPxr9JStIvKpmsbSKpCNUEAYnRP2immh94y/C6BuTe1uUUmqBGr1f4OAUwZpmI29
ixYeY/uUs9FZO3bS0/WtG46tdcJK41qtM0DYAGT3oeZhJMTW15dfvMGlFukauSOU
+BbR+6sZhqdbWl/AOTE/6x5otnAaW0GObY/BW240Xq/KTgBrzVdK5qNoYsMVsiTd
0im0JKvFG08ED+ZfcILhlO6G9jRhoTkhtYuf8CKN1dPf2IoB5FrRFf0xqRr9hNlk
X7ViNMP9OPb8i3BubWvRi5rNSquCwrFATSiAgaA9Yi1BNzQsmQxOql9lsh7eCH7m
+8zzUg9umWI6PkSv8vHBo2kPX73wmtEsF6vxJlk0yDBuQw7y0uuKh406tEEk4cP2
8U4baq+ihpioupDhNuEII1h1Eh/RBE408RAOpcr+2F0m/fKOoJyz7u+AxyV81Ia6
fyBnUfZnlfKo16w87c1HJRs9dKkRa5yGziBf9TcED3sru58Pftes2Nr80/iOh26i
P2pRihcIyrmeAqDWnneErVCmPMDTe6zkMrm/0iZ25/Jfq+M8IHEzFEw3Y1FBOeFg
9TyMDwYG2biJPTNTDO0BQ+Rrvs4SjFWEYSxgJSvG1jMfSPt5AR6MJrkCDQRcKvQU
ARAAufZX5WzJr0lZAhxaGpHY6JMBr4jVOCP4TrDZhwC2K4CXNM/PLLNisWzquiWa
FvUDhB89kCxrEhipwVFYhBr16CDQxrr8yhah3RIxrBMYhRTxgIAkANgkhGWfDJSE
zXauA7krYtS3rYwhfXe4cNsTkLPbnMUlyLJcqj2wnZcZIt97aL+NFRPyfIw1KfUb
9u3tB9seDYbvTEULeL07aTnHpWM5f3bTwJrJ2OFPzXseCCzPiVNh3Bv+YtJ1pMTr
c/UHO5DoJuHLsF0wicPSrpD0twspFdR/0rT6eNycsaCtV4GQzBcMPvY7qai5XrZm
Cqgluo1W6l6+F5YrKvRMtyyFkUNGcPywdjSlP44JyRrS2uzvFUViSsJArcmFG2TJ
LCohnse8wqjw0dIUVbmDbE4zjaG56zkvu0k+04Wwp3XPgOZrbl6cbhX3yLhu/Gt0
dzd9EReoNfKXk32hBzKas/vdeB5DZejbOOOWYftqyZC1LvDvvrYFhFK6VGozfZ6L
Fml1hzn+xPahp5tRv93/T9zXeVPm9zilGMqm/gjRgh8ojWxNQoNzJyqTPWIvWmbu
EIP3T3cTFq6lJpJsg3+sfzofGWZCGnBZQGqm8rEOoUWiaKe1BvQCX1x8p4/x8/tX
TaVDpQCGoqxXt09plkDuGMuiDICxBlaHWUR2jLoHc2cLrB8AEQEAAYkCPAQYAQgA
JhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcKvQUAhsMBQkD7JcAAAoJEHS7a5pM
uz04pB8P/Amfg54IFeALiPOrKbjC3bVAQzrsf09IL8sUln/LCZIx9HgGAJj/f35S
Q35sK2ucjWiDX6qCxVrWmC6caQXFgXOFSKIlqladmmgj4sIdLM5wj4nbomHChpB5
rqV/GgkFwWBQ3kPCatXvc8Bg+zKJ+wXgTuPFXefyE9R+SLuas2grQ9hAjvTGHYbq
iYxSlNDFc1aHLAQ3bS76351MHuMHOpLzoB0OkZDCVNW4GNEqrLbINdr50RAK+Loo
Z2UBIobEZjXYor9A2FWkSvdjyz6X1QKMdQMath6R91k/O0abBa7ly4/805eAGXM3
w1Xf2eMlpiUs69BeYoJBklK8aNMntpDREunJjhiPU4JoDzSxl5Qv7LuXylyo0YJA
9YmydKhTTcRdwsKc//nGr/ckg4BRl+VbtJBYvd3xGB7IQ+pT/TOakv9qCospAhr3
EQjVP/XpnWJRd+x+dq8UXqwWmTenWDE42cNr7BDFJdOqS5ZWy4sIz4sdjpSxXMB9
8iiRtKSpKRCJgXScB7SYebh835EgG2YyQGdhJMO7C6ok9POYQBqL8sBqRzImJKoT
VDvOH42WArKwJWTHa4mPdiDHEIZlkONerec3JXtl4Mfv8cwZ5Lb8fSiB/x8AWvqs
puc/7hQtkus4TcgutS1fwhAwpnFItpVF6+73CMQrJsblBdTjW0T+uQINBFxbVHwB
EADebZOJbhPdhHeBPdlZYE3rRjB8scDpWdjrCupfmeTC9MM6JgCE4DEMBtBXk+h1
+7wfpblYYNFwGVFvytG5nvGRDtHWxwd1Z9O8Fx4Zqu0Fx/wAn7ZL3ryE+tdHR7JK
7SLxOa2X49T/8LY0U8Q65I4ZRo/b4VMcXApCmncw3QSRqHT/mYdNnf+HHPvi3jza
md3iVptCS4Iaisc079DFda+htWXspBc13lmPi2vGQkWjjS3B4yO8JackyQPVhpsg
KYbRBzOH0Kii8bXmyA6O5uIJYEddp5Veged4FE/ej3CrgGP1D0Yk1epx8lLbi9RB
kwFS7DA5rQ23UnbSy1WyV1ZgPrWqQAWuGpjMTVTWN0ElI3AGxAnE8lZlSXyE+XyV
uHjjIVrayBjLKVqDuSLdKZeCvI4QsyHH6F0NKJQkngvXxLZYxO6s0c2EFFLzdVWT
1V9GMP8UsDrrb+JsZjUVmPR1tTP4xqEQG6KjfFoQm5XWpGtFwh91OK1lwf/Bx2/C
j+PquLLFcj7hEP79VDTUZPQAduTTxIeTzHXH+x1PCHFB10xxH3e82VSdJeBUrJxn
riXzK50SKTTmF+uYpHqE8Jg1N2Y1n5ksuxeYUy8PFjhAeBCqZ6ZcldUDf4999e/z
PT8bwfCDr8jRdqJHrq7RxTJiP5RsMudWpKeohzJGwQ5uZwARAQABiQRyBBgBCAAm
FiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVHwCGwIFCQO9IQACQAkQdLtrmky7
PTjBdCAEGQEIAB0WIQSVztolaxygoV8wL7WVIaftXazpGAUCXFtUfAAKCRCVIaft
XazpGPeMEACm9nxA/VKf8RxDo2ZuTgyuSwlR8tCjAE4k3+UoiYUbamkW4pjx9Vgd
1zC5bNxSWZ5vlJ4CH8ArKFqNK5LBVDZqhYureAo/1Af2b9vRJw0/QQHhuXz/jqeT
wwrLuKpy796Gpt+aFfcmS0ZC4QXfxJERhAP6tu1p6YmAsSb+bjziQVkKrt9mhOrL
dtz6WP0Fg1joRj33FgnnLtayHvtgQrNFI3ztCjk/B2FjYZxqbBGfk5gyo0cTE2Fi
oLhG/XrxIoZepFMJkGYETnYQXrOt2KuJLvawV70YQmG8EqHYY8drKA0XDZs8TVdT
5cvGvtm8ERz5znsssRBxQMI5Ml6O2ahrXp8Eq4htCzlvO8t2MOtzvqAJRiyAd6bA
Uo+MGVRpnvePOR1SAgBXCd416rF0iCXc1utZxnqwdq9kJAZ+8mCLx4N4jk6AdGpX
zcNkLg7QmUzXn75RxZ6GrIUYZJNMlswXq5XhSW4o8ePlaxWjh9+QTtU964AZhpA1
uoHsKGTBxHJs0w6McZm14kb2PuaO2/rpf8s8IZyc93+Y5O/gHZ6/agBjA9qN6wkQ
R1d5UhJC4QS/m35rBGBKK9X3fqQxaBCio6Qz+m4A3GchrztJpq+2P+ma5ylsTq5j
V4njky26WNtrV7+N0C4Moj3I4Qn6YU/eSManTXzHzoiPZCEH/IOxgXIiD/9Zm3Zz
I+h4NCfSGyP11/w1gEzlTHQ4at/FXIIDh0Y2ZNpWPffuFQLtcER2vyKPwhDYpGMy
NNHXks4azfrXVCv0wmSNBbeS8pJrYtopZpCEBrAbg/YLv9m5lpDSRHaR3gv/qMZ7
QxY+NwqciqTwGq68PuF4mDSvtfuFmbEES9Iybiie+eL/6DU2knfBjgshUe6vElR+
LYoPQ45GY2IxRTJ1pMXaZw1+evwH3UvseRGkRygiaBgoU/qR4prynvjMQcacCa+C
aRnXZJYp/usVBeY0xut9toc9/OcLGoBr5h9l5YjruO2vu8VHou8N0tarVQn3YbQR
Fi+YtNtclWJa8Pq1AsKRTCFwDwP6eODv6mNOrEFydNRcpiQmzp47VWF/YHRfHzCq
A1wHLxLUrpQTaVw6J4FqedAQ31aAO4faA7MS+ZMNBqZCZ7lTGC6TvojqqBAN2yX7
AnnYpZHM+lGpi2/ukVzLqSkGmdNOgbu+UZvoej3YnHYig4yWP+z2xrlJl8bkhU/d
r9IQE5aRCEPB/JWhHJ2/GqYl9qjshlB52+6X2KDarwptOtzT9ooArYhpMwKIYh34
c7X8tlAKYk7V5j7txIRFDKKAftC7dM82PntXJxSkWyR70GYnYjiXyrqqerqT7xIC
mDEQgFOPpy09zFW62paO9uiZw6qwybwqgGpoX7kCDQRcW1TbARAA3ERo2mPv2VVg
ZUFr4MtPDm4UG00YJW/LYa3D3k0e9tdSScACXprk1sAoxUlQx/CSdErPKwXG4rax
iN4t5nICUUNYSC0dh09G25jC7nwsWc0AYyZu+h/FzfvpOm3fBwmBlzILlGh0URwH
Ffj9fHt6hos4C+3PFZZ/X24aMJF/cov1oYi9rqFwt/l0mgtPE88Iyj2/Vp3Lergg
QMzKfEuyluj9fL2cgU0Qa7oAPXmaxhHtua4cvbM5SXGo3FXjIgzH9OfM+2orebeN
wH1M3ec6w+nPmRmCJLvPKGOeS7GVXL5/aOyPlDWzSXYnpCKS2ntw4K4nt0IA8n8z
1db109l/C2noDrDSJEqOo843ShNGTYOMVUrj3a+Y7o2ATc9pNZalf0PwnKas7NDb
IJ152PEQw665iYXcv2awjLF6W0yuSq8kfiaAxIrsie2Dto0zgqOs0Ot9Y74u11Hh
wBSHUO3mEZJScAAcI/yDF2PvjvCQSzu4mdXb77t6X2O6YHULz4A7bVQCMazcTDI9
/S0W2+ixPnnJVnE3xgjK9zuizji8JDJw1hJCQM+yTLVqq9pfvcRfQ6uwpMRzz/O3
S0zDRiA69/GyfNwkpgz5QaGpY02IK5WrQU1doRjIz4BHAYzoIOkMkRqTtjdElQZw
/D3wSO2uwsEMNwRzibR/Lz1JF2aGn6EAEQEAAYkEcgQYAQgAJhYhBK4/rHlnEexZ
/AB6pHS7a5pMuz04BQJcW1TbAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkBCAAd
FiEE1wyE5ktVjlvM7AchMuIXXx11eioFAlxbVNsACgkQMuIXXx11eiqCfQ//SFDf
rOIEoslp6n6vlCuavOg02wvjskKQGP1P1Q4v40Fw1Gl87n9uXAoMpeF4H+pzUxOi
BHYCQi+EemwocSThzaWfPzd3JG/0OcRymf+ZOcBb+58VJL7p88QdMFIAi5J+KMuA
fEG0zLkc9anEnXoVMmQJX5K+6PyeVDvBbYGjLjQAsWTZTiVuQI0w3WxFtDGWqQII
8e/qE0DA7c/auGn7j2hid308+FcdfpmLefW9YesWjE1yYvHoCRdFOJ/7Sft4MQCI
Re7UET3TRMBvtisP2DcqyzGPp22s4ZYFCCJJNiB92bXdEl5zXe4Ff7JTfNE/QrR7
Wg5R9hZHgHdbp8p8bA3f0y29YCx3puYg7BbmQWiMh3rXWE5b090pSpw0K9BQU3vO
irr+5/2TaFOJXHl4VF03GrWsSncShCbdsdRIv4TB0lY2mN4q+e7bjlAzJJeoaS97
GIqu3DBlAJyx/ZwWW23DXXwoQ4jNuJhpl2jaCE7rVQB0uLjbp0i9Zdd4SdYZxmO/
Y+JfgoJz8eyx8wZi4eDz1ijN0WKsIGjxJH5VUK9STjijDMeG6ZZRLc6b1QCGhe97
ZbDkEUTdQGoeu4L5Fiqoma13NEsf8ofBDv+myJm/O67Va9JI3gxhIrhmF7LMzQQp
lYx2peZC1CmhEnn83dtt83mhXvX6Dth657BW/Qd+GQ//SVuTPuNkBXfrTi4dbnv+
cU6IsoIBodTF/WsQ6h4kbtsPhO5DbrsLNuNumrqVEN8jw+HUsEeNvFNeMrTPdG2V
87ShQ4BQGkCf+GFRBj0myxxXOFZYQx6RpY5fCe7yOcTzpkbnPWmm7V8HdOuZ0NnL
JNQ5YogOI6UvXVKv35R9qBo+G9jkhhb0eaAu6BERzKVANKfsGN7545ElZ1qlffMh
AQhXGb6TsvCeSg2cWGb2cnVL2d58uVukD4PDiq4qqwgClkF3bOO70SIgGrCteHbi
4Hseopex5m6GqqjoUYXr7QQBwSaQdc+gKtEjMHCsHbUyHRk0qEHdEe+2RmL0d0ra
QMJfKyYQjcCR7tnrgN4WD1h4NKRdC/KRW31MDmH9XVPrkOMQCUCnArXkOwdKWsKf
h8af9HqweXOT1FHJN/M3tWaBpv6KoduF2f2pj1VhPZ2EqFUycJ26lrHyOpsynQR6
+TD+c1uXotDwKN5RW+YL1cydk6mhib64fdOyPUeTcHehjMAFgM2f5wi35Ujcj8id
37cWOqRsggSbMnGO4AUA/YtcVNG8TjZbakson8ENK7e8q4sEiNFUZ7/CtzNokwHQ
5uOG1+qB85Y4ImGnIZVeiBpjt73VVawg4Zvm/omtW50P9R+4rVhMJZZFAgrWg8BH
H/KNznW0vUuShG8B+2FA/eu5Ag0EXFtVDAEQAL5ftI1GgVJEFgX5VsuFnfBnH95c
zqmwEXaTP4s7Xm3O0Wy579EzRUD1eEw/UaD/q2OHScwvMP65cZYQ9w4hnCN6H96P
96Teo7LOMCssvSXIO7gqP33LKTqDzsIoAFHwWE3dq1jbyP6T1Je85mr0Edvk8kOC
B1hudswAARno/7X9zGulhhwuEHk5Iey7R59yRUQqBctdNcetGyaiFjjX0evuVADi
/z/s07XhDLDt7+3Vglh1/7XGC64QhB9QjZ8j0u7+0xfmLLjhi+7EpkDlAHIJXX1H
0wAsPOGKlYruQUmIsMNfBINZeulHEBZ4cAd30xsM296DzJ6QL9sAGfYMhRs0YHB/
EJ10Zv0iw1pU2jCCUv/9Kf4F4nwgHQWQP7JAbfhOIUOUq/YlxjTLnkd25+7vD3KH
NQ6UiRDROR9Jwetpd/zokpf5O5iTBpVL+sCq+NsTZyDOjITve2sY0V8v10M+Z+pL
cp/cUZ4JEDS/WJ4/ovBNJP8b+YwN/RBgCjl8UBX/N+e7AA52eYP2H9GK9XPkzSCE
VxEf5PyjGrwedpoLkzagrHsDuWo3uBquLyneT/ozihqKQAuInUy5B7rWU4mpKHe5
Vto5o6Zuj+6MgHgIQzRK6Da2ziMNEmroxwZibcYCtUPdvcvxGh+byclnzBclKjOw
kAalFPx0SxEbHmzPABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9
OAUCXFtVDAIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBK7WIv4CB360
tcFGwUKiedJIzcMQBQJcW1UMAAoJEEKiedJIzcMQH+cQAIQYXDnqi4Hl21LtAgky
pZxug+x/LECVlwkrIfaQF337+fG+H9J7SdU87Sn1Xe/YUgQnF0XP/fjIVFM0e/Tb
xVlmTFqiejLnIwJJDgUaHO3POT2sGEyO3tc0mqSzyRBxtMQ8yvApccBhL5QODv3h
hlRWgk5MXU0IPeXw134IWm+o/PRiPBoXPawvVfEVIBlUFaiSZASf4BAiSad4aJQe
P8PyP7FPvQB1xiib0iSetn6ZmNeN2OSUJPiPA8aE9JCKuFtomVQEDM0BqQDl5A7h
5O2uyf0Li+/ArqBvfBjrH03e5zbID02dO3D2BjsV3jUeVPQ5WDgVg8LH+nfg/rRy
wfCsx9zFp1mt3K4xN2v7IKwxGndApgCcx17gsjzMvLz0J7sSGov4MNjzqvGEDKCl
uUvNKXqy7je9xcQLpoyvWtoWFXWTbQAcK5Vv+hC67r9bHpjI1KuqA8hYqNKxsv7s
wiLZdd4SK9SIuwf0j8/XTZwmoFfGolJil0ZNxyqBF39+CMVpaHdLM1qKZz99TVzS
h4obOOjkUjK458xSo0XCbJ4qXYp7PgxyWK6GIbTozbbG/1ldw+LUnqxt8Shf797L
J9lbI3ICuR2P5PYlKJf3b6D9GyfqyrP387fKAKhHsYkZ1XD54/8wIgTrdfeNPtL0
1mjWDjw5KvO9kuPBjcmzgt+NrtsQAJwKeZsiqLLcY8kJ9xP+/xtTlh2iVuZMfxwq
hwlo4MMCzpobLDZ/JKU398m77eboTKJSBfeUYxQd4ATn1L8NLKjLxKAaBkjEk0nN
8w9OUQbFlhQ/asLzzF7Z9IGGh9/SEgBZ8V67a0O3Qw9Xdi3ARK3bbZ8RIVJ0+P9G
CGrfq9j4ZmGA2L4irLjsvDAv7CSMb4WBKW8j0Jz5LFMwOMJgG1TT5c6lNqFj6y09
rZcVLnt8+lUv2Bw3LC0oI1TjFkrrCzIdfg++mPi3K/ZFc50bvnWF4eCOjgZ5U9Vb
sxFZq3+vTRcIfI9z2lZ9CNDRA1O5jGvuVtEGLiSLF2aJ6kiNriLuuGTlXfg/Fpgh
GTvyppOTzF7PtHzHBQ/ZjnhWojnc/jyJRwLK8cCl6+EOc887v8BDmqgFWtmycsE2
5fDJ7UFGP13g/eDL3ZUgMDty5dQaUOTX145t2KT+lMqpY6ZK2EC+eoqrnIGJ+tYy
0l4RRxi10mbNhuPIIDdph7X+mUHgCeA9gyF0Y+LqiB6CX+zFg7ovLvnCbMPxdGXq
z7AjfwqZBKI+BVuBeDtyW4onmElCu5cXNKsg3W0IlQlZf9PMDU6Ht0XLUs7EPfbQ
sH1Vqi1XE1W/tGnkmjcpG/qlt9Gx1uwFGLP6iomqUBc2c0GZ6R1xplXvd3w3yC8d
8lAgPGImuQINBFxbVToBEADkuxhQx9gxlzzCc0nUu2v82XsD+GzONp9irt14gslx
te96eKaTXTi0t5eya0X5TIY3wbREwjlfAeM9AfcAmWcsM4izrfPtANM6WOxB2Tbz
EY2cqv7NBQii7Z5aqPyjcIiT0b0Gs2evlDkn3xEBBqTSrNcnGSA29bZPIkaUb7Qo
p/Ani0S3/tgcR21gXsJwkgpfNKwvPT03Lz3/o5rXAyag0M/25adgk9SVKNcXc8h2
HSGv5ENjwUKNNnowVbNLw4287mFUM2Vd6unGJ2MBj7aUwTrfBl7gNV96mMdDJWcB
hGKYkxUvibuHCa2KH7gTrnV6X7sdrgD5CbJMPq6OZNSP6n6bUVg22eHxoETplFwT
4NvV3clRMWIAG1XgXR1l99LAh7PPnPMM1pHQGPwYHQskoBFS4g5knzHpB9h9TfZ3
MM4cDZR5NgWmE0fYVnWe5ax+wW0/IOklUoHv3qoL4yiN9wFJq2oLzUNQd9+tsqiy
vxSTh8iYmHegyn5KuBPsrMPgvqiKOdalTZKkak9DOx4cGQL2qHspKxiBOb6uox2v
fjMQ5bDeUn+4DYMdnZNHeywCUegJmDakUtlfvN+136IDHGwfdGcitqzswzd3+PI2
qlwPE19gkrp9NUaD3Qj2ZtDP7sU2cThc6Gra5KRFW8f98bI77j1Wu6pCnYFLqPz4
QQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVToCGwIF
CQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQR5HX64jryNAThDSqwz3zWa56YK
eQUCXFtVOgAKCRAz3zWa56YKeSWOEADK8u03LESGSQlZQqnnCAI8iYs1s+XRMEnG
2tAQ1OK7/4eNgr1yZckmaW4FBMgeEgYIBJ7v3SlW7Hf7dE10TYPNGbP6UxVW8HIP
rA4CINcGZXWWwpS374JNMS6A5eb6viuEgEMEi00jx0MmLvCMZKypmwXQUl5YJ5nB
ytpQ1681mCQxGBMhT1eKQt3B4nAsoEnP+HnqVM/nKxBemSBNXX+C0b/YeQoLC3sD
L+Z0NRI8U6PZl9Rokod3uynH0vfBYCEJd6MvsjtnJlVVaseYIA3ESNrFG12tw95I
wKNrVCANZ1DBSyK4ovmmWsDrH+uFTHSLNjlxIuVxUfmXcLfgcepVCmd/7Z7UrWYr
SXSvP0VG4ZmEPE7tNb8bfyADftO1cVsmcHBQeSrgvpSrTv9L8MocojpR5vJc1f+a
sBT7rAeGzZP9riz1GmryXawaZgdLfaaJfzRQkc1uTChb7kMN+UMhVUdCAXmho0XO
SfcsW84u/LpjdYh2Ww41xQO6EWvbZDNgD/Fdmp8Uh1MqJ1Dejri6kjNn6wPImXJd
Eu6nHqWDRdYsfT4XUB18tB+4aIpFzCyIgpf7p1uaVU7Oqip5sZkc/WXKr77lV23m
PQvpGRNCzgU2TJY7ktR3LOvUVN6wNfLMHzeQk18NdmcEGUrJ0YYtl9vE5/Eg9L6x
LBH9PKt17IQ8D/9DLwQX8pl3fuTM8ZbzIPLxiXhbgzBBTXKRE2u1888+RIq9xE7c
aVFjwq4qpgqZ5SFonTcG4Pi5ck3mFAzyA5zLRF+ckpmBpwSPMpLwCpv10369D1jh
AF3JsUwt6DIb2BISMhh2ThSUMSKO75q8GSotsKjJyjD6vl1x4L7WXubTWxEiNuwD
3kAjFWS1Z1VWtA9SURWAbsDaCV4VmwCCpSIwRr9OTbyu9XuMdMxGNpl8SwW7MVQb
x4aYNvR7Hl/wIR71AHAXoSfrKp3p12anXjYYASHmbm16ugP4H7HLMBfznKet2f76
gIxJr1CsAMTSqypcC1UoVb6Gz8djeIR+GU+6efHI4TIUMy5uMIUx8tYbwSEeo/y6
NnjpJFYYjJa671iSABInNxs4+X+1zrFa+wl45EnaFxziEet2Qzv/VsusoLvLwnYi
BZckclAS5xoVGFW0WJ01OfLUDHxGMt9GSheL8c+GLMaMtaCWunpmmt9zZ9WdpBOu
AGluMG1Cee50TrhXaGE8CdNr8nOdSeLNAveBAPmuVa0JDSe20/D/RuYJLKeG9Vsq
BZvjuGlOUsfl6UjtiGRbgS9OWpxeez5ugc9yyV+rBGIpmnIb+9quz2HmGxE65eA2
cRNsZRIjFLzeAx/0RMaT1nlLFTBbUuZ+tJ+fgFtRGMhifZn1pb2dMQo0N7kCDQRc
W1VuARAAv4LYaNq2Zev/v7M5DnxLpgHRcMkG7TOQpycrlK5653llpZzTy3mh5peW
vcq3IDmdeUIJxQ+WDh2f0vS+NIKDC/HAddfHrZPbhO7zLxLcMW5KmV05ancaRSP0
s0+IyQmvVxUNrgPinZiphlvRGoLXS6pdgfc4jIR9B2umPecfvfu/6EWFPnXZgG8K
yY3Z+mwrmEO0FaXHBQuu6nactiPe79N4bLe8hk9RW6yIxLBeJzIoOlIcJmuRHapt
nS2lV3mfhZdFnkAp1o6a2TL5BwgMY0wZUKZr78HEMKh6LbPN9rPepf0neUeq/k1l
NJU7V6XMS+rezF31vgSJ5KoNGYhxtWZ54uksH2rcw7+ltpSVtqY91G/vibpRCJG3
LdX/kxHni1NEWyZlpS/6ntuH6HSoNYsR9IMsbESs3QVCH74ApK88CxYCRB0SEo0M
yAElbQ3bfEKCKl/FwC4IzAYAJ2arWKwBHRSJlsrNCtczrjG7j3EyJrn8+Tm5yjO6
0THQjvc/nBxrNE09r1Lzz7jrDWC9Rl+BH6wqdniymoYyUAQsX2rZ+Jhah1Zkf+Gu
76qtY+EH494dPM+0FazcBlgBd6/J5mh3Wk9JuecXLTEUGtzd1GmI9CENPAklCauX
tNOWeTop27djuKWsZxuP1GyV6UYixFVOSWteyAbA32cncVv/2ZUAEQEAAYkEcgQY
AQgAJhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcW1VuAhsCBQkDvSEAAkAJEHS7
a5pMuz04wXQgBBkBCAAdFiEEFWiQaF6g32oTce8gF8xdsfAIhAcFAlxbVW4ACgkQ
F8xdsfAIhAd4jxAAiO9+VRQQ3eBOsJRgANdgL/l51kq7qE3u8xnSqNkrmdYDdT2H
TYH5W4n2AmGo50BDafdjd6tut0qtzA3/hGWCooydxKFOsnIYziUeoHvlICj3RkHO
y7utcFhAgRWi+kzFwnnXGf13dMU9iG7yvKrCrCEw44gzoQ1KnY1Xsj18n5JkqxeT
94bzcSbz20OpOSIMfSQPrpy18WrZYwHodcIZ3IUUACCpMZdfTa9c/qHRQ/rcwl+B
0JlHx0V4AYiSAsiMVgflO1Eqi7apPuwxPPd5nnHkrdDM9CYC3LdBORBXwncG3oZ5
eTSXmsvFxHXH41JHsm/1QFcVmFAYhu9qJFCGiD+8UeTFtT+nnHU69BszgtUskqX8
k9PqLdK7Vxkp16wc6WOp1NeIQ6Fd4PxTGrPqs9bJk7TlYtTFWpA0X+EMj/San+Ku
PxqLEa4Ab12R4vs1pCrn/g1z3C/6ujH4B70HOrRTIeTjULJ6xdwXGtwUA09hio0r
pHhtyZhAh5irUJNto4ZOk/Qyd+dfMsNvRJfbVIK2mmeRaBnp902AsQNgYVdi2Aki
0h4kz3bVLGw7iD/xV2hV69+JwLSijkkmOpz/EjMwj0hDDYrHH3Y3o0dV3dNdk/5i
6lQgcxSVsl9kWlHcoEllKbf0Hb1muKVwoGGYxFYna2jsLFVjG29M7iPSgrHjmg/+
I3fmsLZ0VI9kmxniUlZ6gz5NB5PJ3RXmwKO9LkBgE5C1wpuZbNEQ1NsR2bprlJPm
++GNSo8HaheuTRJn42kkOgfIJwjuvXih3FE/NtRA/W8H2uF6YLDjBKGZJbxQcmsd
CTEuCRCVP8X7C5n3rl1YqzfWfNr8QFxvH7ivG7KOlSxvyTKcYatWb9uDUPrnr74f
ZaMljHGsNyKj70MzZcrrsmt61yWGR0h+02rmIKlskl4hkh+qF5ehI+Bkd7eblsBy
rxEREHq/ij2Vd7l0Z606YCE8vj8WfcsJj8JjwR3A+nND/oNJTTbQ3b8OvasvqIey
WqqmGg73nbHjd/VIAUsfvnsEYatDk4pAA/wQr9c4T4s5Q/QRwDrAsa4J89FrDjWC
hQBPL7TaP8Af/3Y3/86jLCN4lnW1qjPXv5rhBFeI0EVi1k1qdV06qr5HOk7CwQTT
uc4rCdFcEnw8kVKZa/yFnlJfRa0Z4IwSahdp5fdFEuad6LpOcFFnYxWtIWhcg4GT
RcMha/OZnsfqOqiAt6In+1IwuJBz3uMM7xw2AMaxzAejGEL63F81C5iJ6Ld6kQK+
XblDW0G643bVbzkBb46MAT+UnLuWQUs3NDtk1FEioJyWUgbO/srMH4MoWM7rG8ZT
nQPohNmPBrqL2phmE27HQsQ0rTjH2Z2ol7iy9OFMtT0=
=MkGo
-----END PGP PUBLIC KEY BLOCK-----

2
named-chroot.files
View File

@ -16,8 +16,6 @@
/etc/named
/usr/lib64/bind
/usr/lib/bind
/usr/lib64/named
/usr/lib/named
/usr/share/GeoIP
/run/named
/proc/sys/net/ipv4/ip_local_port_range

2
named-chroot.service
View File

@ -17,7 +17,7 @@ EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/var/named/chroot/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'

2
named-pkcs11.service
View File

@ -13,7 +13,7 @@ EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'

153
named.root
View File

@ -1,61 +1,92 @@
; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 518400 IN A 198.41.0.4
b.root-servers.net. 518400 IN A 199.9.14.201
c.root-servers.net. 518400 IN A 192.33.4.12
d.root-servers.net. 518400 IN A 199.7.91.13
e.root-servers.net. 518400 IN A 192.203.230.10
f.root-servers.net. 518400 IN A 192.5.5.241
g.root-servers.net. 518400 IN A 192.112.36.4
h.root-servers.net. 518400 IN A 198.97.190.53
i.root-servers.net. 518400 IN A 192.36.148.17
j.root-servers.net. 518400 IN A 192.58.128.30
k.root-servers.net. 518400 IN A 193.0.14.129
l.root-servers.net. 518400 IN A 199.7.83.42
m.root-servers.net. 518400 IN A 202.12.27.33
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 518400 IN AAAA 2001:500:200::b
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
h.root-servers.net. 518400 IN AAAA 2001:500:1::53
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
;; Query time: 24 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
;; MSG SIZE rcvd: 811
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: June 24, 2021
; related version of root zone: 2021062401
;
; FORMERLY NS.INTERNIC.NET
;
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
; End of file

2
named.service
View File

@ -13,7 +13,7 @@ EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'

8
setup-named-chroot.sh
View File

@ -10,7 +10,7 @@ usage()
echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> [chroot.files]'
}
if ! [ "$#" -ge 2 ] && [ "$#" -le 3 ]; then
if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
echo 'Wrong number of arguments'
usage
exit 1
@ -34,9 +34,9 @@ dev_create()
DEVNAME="$ROOTDIR/dev/$1"
shift
if ! [ -e "$DEVNAME" ]; then
/bin/mknod -m 0664 "$DEVNAME" "$@"
/bin/mknod -m 0664 "$DEVNAME" $@
/bin/chgrp named "$DEVNAME"
if [ -x /usr/sbin/selinuxenabled ] && [ -x /sbin/restorecon ]; then
if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
/usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
fi
fi
@ -78,7 +78,7 @@ mount_chroot_conf()
else
# Mount source is a directory. Mount it only if directory in chroot is
# empty.
if [ -e "$all" ] && [ `ls -1A "$ROOTDIR$all" | wc -l` -eq 0 ]; then
if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
mount --bind --make-private "$all" "$ROOTDIR$all"
fi
fi

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (bind-9.16.30.tar.xz) = cc9bcbedf63c2efe0a23f14db3e57fdae46f0509aac58e5840a6805ce4fbd76cad5bfde4d461442adb88c4d947f8d79bf979aeb24aeb9303b6adc8d169b7118c
SHA512 (bind-9.16.30.tar.xz.asc) = 943ff140aaa413f125d039748a0c10d7ae20b0fa4075227ab0b9d065816e7960a3c4e0fb2a4498946926409568c71076026cbd0be33a78db73966366d43bfdb1
SHA512 (bind-9.18.4.tar.xz) = 5deb46f6549e42087734fe80f8cd8de8f3fa54590e4635f8c0e2e8d362f8756404e911e46d7fe1cd75f0f19217532ca402e7a5947111f16e412c8aaa754b9e16
SHA512 (bind-9.18.4.tar.xz.asc) = dfe7b24c499e6e54bc836350b73ef24deb78e1394059d75acc434512b3a60ab44708d3e1faa861be161afa0e69f789fd6b75dd881777679e4845a56f2fd6ab9a