From 8a47aa2c7580550df27a8543922dd319450acd6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Tue, 12 Jul 2022 15:40:10 +0200
Subject: [PATCH] Import version from branch v9_18 Uses git checkout 38726e67340b2b60715fa2f342dc800273d3772f -- . Remove unused patches from distgit.
---
 .gitignore | 10 +
 README.md | 6 +-
 bind-9.10-dist-native-pkcs11.patch | 541 ------------------
 bind-9.11-fips-tests.patch | 341 +++++------
 bind-9.11-kyua-pkcs11.patch | 58 --
 bind-9.11-rh1666814.patch | 29 -
 bind-9.14-config-pkcs11.patch | 83 ---
 bind-9.16-redhat_doc.patch | 40 +-
 ....16-resolv.conf-options-timeout-test.patch | 113 ----
 bind-9.16-resolv.conf-options-timeout.patch | 203 -------
 bind-9.5-PIE.patch | 46 +-
 bind-9.5-dlz-64bit.patch | 53 --
 bind-9.9.1-P2-dlz-libdb.patch | 31 -
 bind.spec | 288 ++++------
 bind93-rh490837.patch | 34 --
 codesign2019.txt | 252 ++++++++
 named-chroot.files | 2 -
 named-chroot.service | 2 +-
 named-pkcs11.service | 2 +-
 named.root | 153 +++--
 named.service | 2 +-
 setup-named-chroot.sh | 8 +-
 sources | 4 +-
 23 files changed, 670 insertions(+), 1631 deletions(-)
 delete mode 100644 bind-9.10-dist-native-pkcs11.patch
 delete mode 100644 bind-9.11-kyua-pkcs11.patch
 delete mode 100644 bind-9.11-rh1666814.patch
 delete mode 100644 bind-9.14-config-pkcs11.patch
 delete mode 100644 bind-9.16-resolv.conf-options-timeout-test.patch
 delete mode 100644 bind-9.16-resolv.conf-options-timeout.patch
 delete mode 100644 bind-9.5-dlz-64bit.patch
 delete mode 100644 bind-9.9.1-P2-dlz-libdb.patch
 delete mode 100644 bind93-rh490837.patch
 create mode 100644 codesign2019.txt
diff --git a/.gitignore b/.gitignore
index c7d7172..4bfd826 100644
--- a/.gitignore
+++ b/.gitignore
@@ -176,3 +176,13 @@ bind-9.7.2b1.tar.gz
 /bind-9.16.29.tar.xz.asc
 /bind-9.16.30.tar.xz
 /bind-9.16.30.tar.xz.asc
+/bind-9.18.0.tar.xz
+/bind-9.18.0.tar.xz.asc
+/bind-9.18.1.tar.xz
+/bind-9.18.1.tar.xz.asc
+/bind-9.18.2.tar.xz
+/bind-9.18.2.tar.xz.asc
+/bind-9.18.3.tar.xz
+/bind-9.18.3.tar.xz.asc
+/bind-9.18.4.tar.xz
+/bind-9.18.4.tar.xz.asc
diff --git a/README.md b/README.md
index 22359bb..42aad62 100644
--- a/README.md
+++ b/README.md
@@ -22,10 +22,8 @@ The package contains several subpackages, some of them can be disabled on rebuil
 * **bind-utils** -- set of tools to analyse DNS responses or update entries (dig, host)
 * **bind-doc** -- documentation for current bind, *BIND 9 Administrator Reference Manual*.
 * **bind-license** -- Shared license for all packages but bind-export-libs.
-* **bind-pkcs11** -- *named* daemon built with native PKCS#11 support. Can be disabled by `--without PKCS11`.
-* **bind-libs** and **bind-libs-lite** -- Shared libraries used by some others programs
-* **bind-devel** -- Development headers for libs.
-* **bind-dlz-\*** -- Dynamic loadable [DLZ plugins](http://bind-dlz.sourceforge.net/) with support for external databases
+* **bind-libs** -- Shared libraries used by some others programs
+* **bind-devel** -- Development headers for libs. Can be disabled by `--without DEVEL`
 ## Optional features
diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch
deleted file mode 100644
index e4f1ebd..0000000
--- a/bind-9.10-dist-native-pkcs11.patch
+++ /dev/null
@@ -1,541 +0,0 @@ -From 1cbffe7e8b5bced9134abbae23a2a20c83d39a6a Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Thu, 21 Jan 2021 10:46:20 +0100 -Subject: [PATCH] Enable custom pkcs11 native build - -Share common parts like libisc, libcc and others. But provide native -pkcs11 libraries as a new copy of libdns and libns. ---- - bin/Makefile.in | 2 +- - bin/confgen/Makefile.in | 2 +- - bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++--------------- - bin/named-pkcs11/Makefile.in | 31 +++++++++++++------------ - configure.ac | 19 ++++++++++++++++ - lib/Makefile.in | 2 +- - lib/dns-pkcs11/Makefile.in | 22 +++++++++--------- - lib/dns-pkcs11/tests/Makefile.in | 8 +++---- - lib/ns-pkcs11/Makefile.in | 26 ++++++++++----------- - lib/ns-pkcs11/tests/Makefile.in | 12 +++++----- - make/includes.in | 7 ++++++ - 11 files changed, 100 insertions(+), 70 deletions(-) - -diff --git a/bin/Makefile.in b/bin/Makefile.in -index 9ad7f62..094775a 100644 ---- a/bin/Makefile.in -+++ b/bin/Makefile.in -@@ -11,7 +11,7 @@ srcdir = @srcdir@ - VPATH = @srcdir@ - top_srcdir = @top_srcdir@ - --SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \ -+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \ - @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests - TARGETS = - -diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in -index c126bf3..1b7512d 100644 ---- a/bin/confgen/Makefile.in -+++ b/bin/confgen/Makefile.in -@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ - CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \ - ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} - --CDEFINES = @USE_PKCS11@ -+CDEFINES = - CWARNINGS = - - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ -diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in -index ace0e5a..e0f6a00 100644 ---- a/bin/dnssec-pkcs11/Makefile.in -+++ b/bin/dnssec-pkcs11/Makefile.in -@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@ - - 
@BIND9_MAKE_INCLUDES@ - --CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ -+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ - ${OPENSSL_CFLAGS} - --CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -+CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1 - CWARNINGS = - --DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ - ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ - ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@ - --DNSDEPLIBS = ../../lib/dns/libdns.@A@ -+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ - ISCDEPLIBS = ../../lib/isc/libisc.@A@ - ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ - -@@ -36,12 +36,15 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@ - - NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@ - -+# Add suffix to all targets -+EXEEXT = -pkcs11@EXEEXT@ -+ - # Alphabetically --TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \ -- dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \ -- dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \ -- dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \ -- dnssec-verify@EXEEXT@ -+TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \ -+ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \ -+ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \ -+ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \ -+ dnssec-verify${EXEEXT} - - OBJS = dnssectool.@O@ - -@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \ - - @BIND9_MAKE_RULES@ - --dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS} -+dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} 
-+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} -+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} -+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - -@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ - -c ${srcdir}/dnssec-signzone.c - --dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} -+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - -@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ - -c ${srcdir}/dnssec-verify.c - --dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} -+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} -+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - dnssec-revoke.@O@ ${OBJS} ${LIBS} - --dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} -+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - dnssec-settime.@O@ ${OBJS} ${LIBS} - --dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} -+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} 
${LDFLAGS} -o $@ \ - dnssec-importkey.@O@ ${OBJS} ${LIBS} - -diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in -index debb906..ecfdb6c 100644 ---- a/bin/named-pkcs11/Makefile.in -+++ b/bin/named-pkcs11/Makefile.in -@@ -37,13 +37,14 @@ DBDRIVER_LIBS = - - DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers - --DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@ --DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@ --DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ --DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ -+# Skip building on PKCS11 variant -+DLZDRIVER_OBJS = -+DLZDRIVER_SRCS = -+DLZDRIVER_INCLUDES = -+DLZDRIVER_LIBS = - - CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ -- ${NS_INCLUDES} ${DNS_INCLUDES} \ -+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \ - ${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \ - ${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \ - ${DBDRIVER_INCLUDES} \ -@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ - ${LIBXML2_CFLAGS} \ - ${MAXMINDDB_CFLAGS} - --CDEFINES = @CONTRIB_DLZ@ -+CDEFINES = - - CWARNINGS = - --DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ - ISCCCLIBS = ../../lib/isccc/libisccc.@A@ - ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ - ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@ - BIND9LIBS = ../../lib/bind9/libbind9.@A@ --NSLIBS = ../../lib/ns/libns.@A@ -+NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@ - --DNSDEPLIBS = ../../lib/dns/libdns.@A@ -+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ - ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ - ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ - ISCDEPLIBS = ../../lib/isc/libisc.@A@ - BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ --NSDEPLIBS = ../../lib/ns/libns.@A@ -+NSDEPLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@ - - DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ - ${ISCCFGDEPLIBS} 
${ISCCCDEPLIBS} ${ISCDEPLIBS} -@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ - - SUBDIRS = unix - --TARGETS = named@EXEEXT@ -+TARGETS = named-pkcs11@EXEEXT@ - - GEOIP2LINKOBJS = geoip.@O@ - -@@ -151,7 +152,7 @@ server.@O@: server.c - -DPRODUCT=\"${PRODUCT}\" \ - -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c - --named@EXEEXT@: ${OBJS} ${DEPLIBS} -+named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS} - export MAKE_SYMTABLE="yes"; \ - export BASEOBJS="${OBJS} ${UOBJS}"; \ - ${FINALBUILDCMD} -@@ -170,11 +171,11 @@ statschannel.@O@: bind9.xsl.h - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} - --install:: named@EXEEXT@ installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} -+install:: named-pkcs11@EXEEXT@ installdirs -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir} - - uninstall:: -- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ -+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@ - - @DLZ_DRIVER_RULES@ - -diff --git a/configure.ac b/configure.ac -index e405eaf..efaa5a7 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1269,12 +1269,14 @@ AC_SUBST(USE_GSSAPI) - AC_SUBST(DST_GSSAPI_INC) - AC_SUBST(DNS_GSSAPI_LIBS) - DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" -+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS" - - # - # Applications linking with libdns also need to link with these libraries. - # - - AC_SUBST(DNS_CRYPTO_LIBS) -+AC_SUBST(DNS_CRYPTO_PK11_LIBS) - - # - # was --with-lmdb specified? 
-@@ -2345,6 +2347,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) - AC_SUBST(BIND9_NS_BUILDINCLUDE) - AC_SUBST(BIND9_BIND9_BUILDINCLUDE) - AC_SUBST(BIND9_IRS_BUILDINCLUDE) -+AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE) -+AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE) - if test "X$srcdir" != "X"; then - BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include" - BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include" -@@ -2353,6 +2357,8 @@ if test "X$srcdir" != "X"; then - BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include" - BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include" - BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include" -+ BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include" -+ BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include" - else - BIND9_ISC_BUILDINCLUDE="" - BIND9_ISCCC_BUILDINCLUDE="" -@@ -2361,6 +2367,8 @@ else - BIND9_NS_BUILDINCLUDE="" - BIND9_BIND9_BUILDINCLUDE="" - BIND9_IRS_BUILDINCLUDE="" -+ BIND9_DNS_PKCS11_BUILDINCLUDE="" -+ BIND9_NS_PKCS11_BUILDINCLUDE="" - fi - - AC_SUBST_FILE(BIND9_MAKE_INCLUDES) -@@ -2816,8 +2824,11 @@ AC_CONFIG_FILES([ - bin/delv/Makefile - bin/dig/Makefile - bin/dnssec/Makefile -+ bin/dnssec-pkcs11/Makefile - bin/named/Makefile - bin/named/unix/Makefile -+ bin/named-pkcs11/Makefile -+ bin/named-pkcs11/unix/Makefile - bin/nsupdate/Makefile - bin/pkcs11/Makefile - bin/plugins/Makefile -@@ -2879,6 +2890,10 @@ AC_CONFIG_FILES([ - lib/dns/include/dns/Makefile - lib/dns/include/dst/Makefile - lib/dns/tests/Makefile -+ lib/dns-pkcs11/Makefile -+ lib/dns-pkcs11/include/Makefile -+ lib/dns-pkcs11/include/dns/Makefile -+ lib/dns-pkcs11/include/dst/Makefile - lib/irs/Makefile - lib/irs/include/Makefile - lib/irs/include/irs/Makefile -@@ -2911,6 +2926,10 @@ AC_CONFIG_FILES([ - lib/ns/include/Makefile - lib/ns/include/ns/Makefile - lib/ns/tests/Makefile -+ lib/ns-pkcs11/Makefile -+ lib/ns-pkcs11/include/Makefile -+ 
lib/ns-pkcs11/include/ns/Makefile -+ lib/ns-pkcs11/tests/Makefile - make/Makefile - make/mkdep - unit/unittest.sh -diff --git a/lib/Makefile.in b/lib/Makefile.in -index 833964e..058ba2f 100644 ---- a/lib/Makefile.in -+++ b/lib/Makefile.in -@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@ - # Attempt to disable parallel processing. - .NOTPARALLEL: - .NO_PARALLEL: --SUBDIRS = isc isccc dns ns isccfg bind9 irs -+SUBDIRS = isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs - TARGETS = - - @BIND9_MAKE_RULES@ -diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in -index 58bda3c..d6a45df 100644 ---- a/lib/dns-pkcs11/Makefile.in -+++ b/lib/dns-pkcs11/Makefile.in -@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ -+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ - ${ISC_INCLUDES} \ - ${FSTRM_CFLAGS} \ - ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ -@@ -32,7 +32,7 @@ CINCLUDES = -I. 
-I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ - ${LMDB_CFLAGS} \ - ${MAXMINDDB_CFLAGS} - --CDEFINES = @USE_GSSAPI@ -+CDEFINES = @USE_GSSAPI@ @USE_PKCS11@ - - CWARNINGS = - -@@ -135,15 +135,15 @@ version.@O@: version.c - -DMAPAPI=\"${MAPAPI}\" \ - -c ${srcdir}/version.c - --libdns.@SA@: ${OBJS} -+libdns-pkcs11.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libdns.la: ${OBJS} -+libdns-pkcs11.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \ - -release "${VERSION}" \ -- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} -+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} - - include: gen - ${MAKE} include/dns/enumtype.h -@@ -174,22 +174,22 @@ gen: gen.c - ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ - ${BUILD_LIBS} ${LFS_LIBS} - --timestamp: include libdns.@A@ -+timestamp: include libdns-pkcs11.@A@ - touch timestamp - --testdirs: libdns.@A@ -+testdirs: libdns-pkcs11.@A@ - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir} -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir} - - uninstall:: -- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@ -+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@ - - clean distclean:: -- rm -f libdns.@A@ timestamp -+ rm -f libdns-pkcs11.@A@ timestamp - rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h - rm -f include/dns/rdatastruct.h - rm -f dnstap.pb-c.c dnstap.pb-c.h -diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in -index da91394..aadb73f 100644 ---- a/lib/dns-pkcs11/tests/Makefile.in -+++ b/lib/dns-pkcs11/tests/Makefile.in -@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@ - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = -I. 
-Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ -+CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ - ${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \ - ${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@ --CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\"" -+CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" - - ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ - ISCDEPLIBS = ../../isc/libisc.@A@ --DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@ --DNSDEPLIBS = ../libdns.@A@ -+DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSDEPLIBS = ../libdns-pkcs11.@A@ - - LIBS = @LIBS@ @CMOCKA_LIBS@ - -diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in -index bc683ce..7a9d2f2 100644 ---- a/lib/ns-pkcs11/Makefile.in -+++ b/lib/ns-pkcs11/Makefile.in -@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@ - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \ -- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ -+CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \ -+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ - ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ - ${FSTRM_CFLAGS} - --CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\" -+CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\" - - CWARNINGS = - -@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ - - ISCDEPLIBS = ../../lib/isc/libisc.@A@ - --DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ - --DNSDEPLIBS = ../../lib/dns/libdns.@A@ -+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ - - LIBS = @LIBS@ - -@@ -60,28 +60,28 @@ version.@O@: version.c - -DMAJOR=\"${MAJOR}\" \ - -c ${srcdir}/version.c - --libns.@SA@: ${OBJS} -+libns-pkcs11.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libns.la: ${OBJS} -+libns-pkcs11.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \ -+ ${CC} ${ALL_CFLAGS} 
${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \ - -release "${VERSION}" \ -- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} -+ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} - --timestamp: libns.@A@ -+timestamp: libns-pkcs11.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \ - ${DESTDIR}${libdir} - - uninstall:: -- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@ -+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@ - - clean distclean:: -- rm -f libns.@A@ timestamp -+ rm -f libns-pkcs11.@A@ timestamp -diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in -index 4c3e694..c1b6d99 100644 ---- a/lib/ns-pkcs11/tests/Makefile.in -+++ b/lib/ns-pkcs11/tests/Makefile.in -@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@ - - WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach - --CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ -+CINCLUDES = -I. 
-Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ - ${OPENSSL_CFLAGS} \ - @CMOCKA_CFLAGS@ --CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" -+CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@ - - ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ - ISCDEPLIBS = ../../isc/libisc.@A@ --DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ --DNSDEPLIBS = ../../dns/libdns.@A@ --NSLIBS = ../libns.@A@ --NSDEPLIBS = ../libns.@A@ -+DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ -+NSLIBS = ../libns-pkcs11.@A@ -+NSDEPLIBS = ../libns-pkcs11.@A@ - - LIBS = @LIBS@ @CMOCKA_LIBS@ - -diff --git a/make/includes.in b/make/includes.in -index b8317d3..b73b0c4 100644 ---- a/make/includes.in -+++ b/make/includes.in -@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ - - TEST_INCLUDES = \ - -I${top_srcdir}/lib/tests/include -+ -+DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \ -+ -I${top_srcdir}/lib/dns-pkcs11/include -+ -+NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \ -+ -I${top_srcdir}/lib/ns-pkcs11/include -+ --- -2.31.1 - diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch index 651db2a..6fae234 100644 --- a/bind-9.11-fips-tests.patch +++ b/bind-9.11-fips-tests.patch @@ -1,4 +1,4 @@ -From 9575852be2344244ac182d7d019869406d3bd963 Mon Sep 17 00:00:00 2001 +From 8bbfacc1a90301a71a487e776db071fa2ef6c8dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 Subject: [PATCH] FIPS tests changes 
@@ -73,8 +73,6 @@ Date: Wed Mar 7 10:44:23 2018 +0100 .../system/allow-query/ns2/named40.conf.in | 4 +- bin/tests/system/allow-query/tests.sh | 18 ++--- bin/tests/system/catz/ns1/named.conf.in | 2 +- - bin/tests/system/catz/ns2/named1.conf.in | 2 +- - bin/tests/system/catz/ns2/named2.conf.in | 2 +- bin/tests/system/checkconf/bad-tsig.conf | 2 +- bin/tests/system/checkconf/good.conf | 2 +- bin/tests/system/feature-test.c | 14 ++++ @@ -83,23 +81,21 @@ Date: Wed Mar 7 10:44:23 2018 +0100 bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- bin/tests/system/nsupdate/setup.sh | 6 +- - bin/tests/system/nsupdate/tests.sh | 15 +++-- + bin/tests/system/nsupdate/tests.sh | 11 ++- bin/tests/system/rndc/setup.sh | 2 +- - bin/tests/system/rndc/tests.sh | 23 ++++--- + bin/tests/system/rndc/tests.sh | 22 +++--- bin/tests/system/tsig/ns1/named.conf.in | 10 +-- - bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ bin/tests/system/tsig/setup.sh | 5 ++ - bin/tests/system/tsig/tests.sh | 65 ++++++++++++------- + bin/tests/system/tsig/tests.sh | 67 ++++++++++++------- bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- - 34 files changed, 163 insertions(+), 109 deletions(-) - create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in + 31 files changed, 149 insertions(+), 106 deletions(-) diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in -index 60f22e1..249f672 100644 +index 745048a..93cb411 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in -@@ -33,12 +33,12 @@ options { +@@ -35,12 +35,12 @@ options { }; key one { @@ -115,10 +111,10 @@ index 60f22e1..249f672 100644 }; diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in -index ada97bc..f82d858 100644 +index 21aa991..78e71cc 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in 
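Review bot: The refreshed diffstat in this patch header no longer lists `bin/tests/system/catz/ns2/named1.conf.in`, `bin/tests/system/catz/ns2/named2.conf.in` or `bin/tests/system/tsig/ns1/rndc5.conf.in`, so the patch apparently stops converting those files away from hmac-md5. If any of them still exists in the 9.18 tree with an `algorithm hmac-md5;` key, the catz or tsig system tests would presumably fail under FIPS; the imported tree is not visible here, so this needs checking against the sources. A sentence in the patch description recording why these three files were dropped (for example that they no longer exist or no longer use hmac-md5, whichever is true) would make the reduced coverage reviewable.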
+++ b/bin/tests/system/acl/ns2/named2.conf.in -@@ -33,12 +33,12 @@ options { +@@ -35,12 +35,12 @@ options { }; key one { @@ -134,10 +130,10 @@ index ada97bc..f82d858 100644 }; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in -index 97684e4..de6a2e9 100644 +index 3208c92..bed6325 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in -@@ -33,17 +33,17 @@ options { +@@ -35,17 +35,17 @@ options { }; key one { @@ -159,28 +155,9 @@ index 97684e4..de6a2e9 100644 }; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in -index 462b3fa..994b35c 100644 +index 14e82ed..a22cafe 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in -@@ -33,12 +33,12 @@ options { - }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in -index 728da58..8f00d09 100644 ---- a/bin/tests/system/acl/ns2/named5.conf.in -+++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -35,12 +35,12 @@ options { }; @@ -196,11 +173,30 @@ index 728da58..8f00d09 100644 secret "1234abcd8765"; }; +diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in +index f43f33c..f4a865a 100644 +--- a/bin/tests/system/acl/ns2/named5.conf.in ++++ b/bin/tests/system/acl/ns2/named5.conf.in +@@ -37,12 +37,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh -index be59d64..13d5bdc 100644 +index 9ee3984..f7d4388 100644 --- a/bin/tests/system/acl/tests.sh 
+++ b/bin/tests/system/acl/tests.sh -@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" +@@ -23,14 +23,14 @@ echo_i "testing basic ACL processing" # key "one" should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ @@ -217,7 +213,7 @@ index be59d64..13d5bdc 100644 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } copy_setports ns2/named2.conf.in ns2/named.conf -@@ -39,18 +39,18 @@ sleep 5 +@@ -40,18 +40,18 @@ sleep 5 # prefix 10/8 should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ @@ -239,7 +235,7 @@ index be59d64..13d5bdc 100644 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } echo_i "testing nested ACL processing" -@@ -62,31 +62,31 @@ sleep 5 +@@ -63,31 +63,31 @@ sleep 5 # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ @@ -276,7 +272,7 @@ index be59d64..13d5bdc 100644 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } t=`expr $t + 1` -@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 +@@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 # and other values? right out t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ @@ -285,7 +281,7 @@ index be59d64..13d5bdc 100644 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two -@@ -108,31 +108,31 @@ sleep 5 +@@ -109,31 +109,31 @@ sleep 5 # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ @@ -323,10 +319,10 @@ index be59d64..13d5bdc 100644 echo_i "testing allow-query-on ACL processing" diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index 7d43e36..f7b25f9 100644 +index b91d19a..7d777c2 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key one { 
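Review bot: The `named5.conf.in` section added to the patch in the hunk ending here switches `key one` and `key two` to `hmac-sha256` but keeps `secret "1234abcd8765";`, which base64-decodes to 9 bytes (72 bits). SP 800-131A gives 112 bits as the minimum HMAC key length, so a FIPS module that enforces it may reject these keys even with an approved hash; whether the module used for these tests does so cannot be told from this hunk. The same secret is visible in the other acl and allow-query configs and in the `-y hmac-sha256:one:1234abcd8765` dig calls of this patch, so a longer test secret would have to be changed in all of those places together. The hunk starts before and continues past the named5.conf.in section.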
@@ -336,10 +332,10 @@ index 7d43e36..f7b25f9 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 2952518..121557e 100644 +index 308c4ca..00f6f40 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in -@@ -10,12 +10,12 @@ +@@ -12,12 +12,12 @@ */ key one { @@ -355,10 +351,10 @@ index 2952518..121557e 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index 0c01071..ceabbb5 100644 +index 6b0fe55..491e514 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key one { @@ -368,10 +364,10 @@ index 0c01071..ceabbb5 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index 4c17292..9cd9d1f 100644 +index aefc474..7c06596 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key one { @@ -381,10 +377,10 @@ index 4c17292..9cd9d1f 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index a2690a4..f488730 100644 +index 27eccc2..eecb990 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in -@@ -10,12 +10,12 @@ +@@ -12,12 +12,12 @@ */ key one { @@ -400,10 +396,10 @@ index a2690a4..f488730 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index a0708c8..51fa457 100644 +index adbb203..744d122 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key one { 
@@ -413,10 +409,10 @@ index a0708c8..51fa457 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index 687768e..d24d6d2 100644 +index 364f94b..9518f82 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in -@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; }; +@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; acl badaccept { 10.53.0.1; }; key one { @@ -432,10 +428,10 @@ index 687768e..d24d6d2 100644 }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index fe40635..543c663 100644 +index bbffe07..80da0fe 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh -@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2 +@@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key allowed - query allowed" ret=0 
@@ -444,25 +440,25 @@ index fe40635..543c663 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2 +@@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2 +@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2 +@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key allowed - query allowed" ret=0 
@@ -471,25 +467,25 @@ index fe40635..543c663 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2 +@@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2 +@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -500,7 +500,7 @@ status=`expr $status + $ret` +@@ -533,7 +533,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key allowed - query allowed" ret=0 
@@ -498,51 +494,29 @@ index fe40635..543c663 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -510,7 +510,7 @@ status=`expr $status + $ret` +@@ -543,7 +543,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -520,7 +520,7 @@ status=`expr $status + $ret` +@@ -554,7 +554,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 1218669..e62715e 100644 +index 5a46d39..fc1bd07 100644 --- a/bin/tests/system/catz/ns1/named.conf.in 
+++ b/bin/tests/system/catz/ns1/named.conf.in -@@ -61,5 +61,5 @@ zone "catalog4.example" { - - key tsig_key. { - secret "LSAnCU+Z"; -- algorithm hmac-md5; -+ algorithm hmac-sha256; - }; -diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in -index 30333e6..4005152 100644 ---- a/bin/tests/system/catz/ns2/named1.conf.in -+++ b/bin/tests/system/catz/ns2/named1.conf.in -@@ -70,5 +70,5 @@ zone "catalog4.example" { - - key tsig_key. { - secret "LSAnCU+Z"; -- algorithm hmac-md5; -+ algorithm hmac-sha256; - }; -diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in -index fcd99ca..84c97ca 100644 ---- a/bin/tests/system/catz/ns2/named2.conf.in -+++ b/bin/tests/system/catz/ns2/named2.conf.in -@@ -56,5 +56,5 @@ zone "catalog4.example" { +@@ -63,5 +63,5 @@ zone "catalog4.example" { key tsig_key. { secret "LSAnCU+Z"; @@ -550,10 +524,10 @@ index fcd99ca..84c97ca 100644 + algorithm hmac-sha256; }; diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf -index 21be03e..e57c308 100644 +index 4af25b0..9f202d5 100644 --- a/bin/tests/system/checkconf/bad-tsig.conf +++ b/bin/tests/system/checkconf/bad-tsig.conf -@@ -11,7 +11,7 @@ +@@ -13,7 +13,7 @@ /* Bad secret */ key "badtsig" { @@ -563,10 +537,10 @@ index 21be03e..e57c308 100644 }; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index 616a544..e3a59a5 100644 +index 897dc86..e4b6dc1 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf -@@ -268,6 +268,6 @@ dyndb "name" "library.so" { +@@ -270,6 +270,6 @@ dyndb "name" "library.so" { system; }; key "mykey" { @@ -575,10 +549,10 @@ index 616a544..e3a59a5 100644 secret "qwertyuiopasdfgh"; }; diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index 877504f..577660a 100644 +index 30e6e14..ba7f98e 100644 --- a/bin/tests/system/feature-test.c 
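Review bot: The catz part of the refreshed patch now switches `key tsig_key.` to `algorithm hmac-sha256;` only in catz/ns1/named.conf.in; the sections for catz/ns2/named1.conf.in and catz/ns2/named2.conf.in are dropped. The 9.18 tree is not visible from this hunk, so this may be correct if those files no longer declare the key with `hmac-md5`. If they still do, ns1 and ns2 would disagree on the TSIG algorithm and ns2 would keep depending on MD5 on FIPS hosts. Running `grep -rn hmac-md5 bin/tests/system/catz` against the imported sources and noting the result in the commit message would settle it.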
+++ b/bin/tests/system/feature-test.c -@@ -14,6 +14,7 @@ +@@ -16,6 +16,7 @@ #include #include @@ -586,8 +560,8 @@ index 877504f..577660a 100644 #include #include #include -@@ -186,6 +187,19 @@ main(int argc, char **argv) { - #endif /* ifdef DLZ_FILESYSTEM */ +@@ -140,6 +141,19 @@ main(int argc, char **argv) { + #endif } + if (strcmp(argv[1], "--md5") == 0) { @@ -603,14 +577,14 @@ index 877504f..577660a 100644 + } + } + - if (strcmp(argv[1], "--with-idn") == 0) { - #ifdef HAVE_LIBIDN2 - return (0); + if (strcmp(argv[1], "--ipv6only=no") == 0) { + #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) + int s; diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in -index 1ee8df4..2b75d9a 100644 +index 5cab276..d4a7bf3 100644 --- a/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in -@@ -10,17 +10,17 @@ +@@ -12,17 +12,17 @@ */ key "a" { @@ -632,10 +606,10 @@ index 1ee8df4..2b75d9a 100644 }; diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh -index 3d7e0b7..ec4d9a7 100644 +index 52d2f81..1fd02d4 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh -@@ -212,16 +212,16 @@ ret=0 +@@ -187,7 +187,7 @@ test_start "checking notify to multiple views using tsig" $NSUPDATE << EOF server 10.53.0.5 ${PORT} zone x21 
@@ -644,22 +618,23 @@ index 3d7e0b7..ec4d9a7 100644 update add added.x21 0 in txt "test string" send EOF - +@@ -195,9 +195,9 @@ fnb="dig.out.b.ns5.test$n" + fnc="dig.out.c.ns5.test$n" for i in 1 2 3 4 5 6 7 8 9 do -- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ -+ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ - txt > dig.out.b.ns5.test$n || ret=1 -- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ -+ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \ - txt > dig.out.c.ns5.test$n || ret=1 - grep "test string" dig.out.b.ns5.test$n > /dev/null && - grep "test string" dig.out.c.ns5.test$n > /dev/null && +- dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ ++ dig_plus_opts added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ + txt > "$fnb" || ret=1 +- dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ ++ dig_plus_opts added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \ + txt > "$fnc" || ret=1 + grep "test string" "$fnb" > /dev/null && + grep "test string" "$fnc" > /dev/null && diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index b51e700..436c97d 100644 +index 81d0c99..effbe2e 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in -@@ -37,7 +37,7 @@ controls { +@@ -39,7 +39,7 @@ controls { }; key altkey { @@ -669,10 +644,10 @@ index b51e700..436c97d 100644 }; diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index da6b3b4..c547e47 100644 +index f1a1735..da2b3d1 100644 --- a/bin/tests/system/nsupdate/ns2/named.conf.in +++ b/bin/tests/system/nsupdate/ns2/named.conf.in -@@ -32,7 +32,7 @@ controls { +@@ -34,7 +34,7 @@ controls { }; key altkey { @@ -682,27 +657,27 @@ index da6b3b4..c547e47 100644 }; 
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh -index 5593a2e..7cd1a74 100644 +index 50056dc..a4a1a3f 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh -@@ -71,7 +71,11 @@ EOF +@@ -72,7 +72,11 @@ EOF - $DDNSCONFGEN -q -z example.nil > ns1/ddns.key + $TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key --$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key +-$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key +if $FEATURETEST --md5; then -+ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key ++ $TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key +else + echo -n > ns1/md5.key +fi - $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key - $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key - $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key + $TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key + $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key + $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index 8839131..fde6135 100755 +index 0863d0a..559def7 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh -@@ -824,7 +824,14 @@ fi +@@ -841,7 +841,14 @@ fi n=`expr $n + 1` ret=0 echo_i "check TSIG key algorithms (nsupdate -k) ($n)" @@ -718,7 +693,7 @@ index 8839131..fde6135 100755 $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 -@@ -832,7 +839,7 @@ send +@@ -849,7 +856,7 @@ send END done sleep 2 
@@ -727,29 +702,11 @@ index 8839131..fde6135 100755 $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then -@@ -843,7 +850,7 @@ fi - n=`expr $n + 1` - ret=0 - echo_i "check TSIG key algorithms (nsupdate -y) ($n)" --for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+for alg in $ALGS; do - secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) - $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" < /dev/null || ret=1 - server 10.53.0.1 ${PORT} -@@ -852,7 +859,7 @@ send - END - done - sleep 2 --for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+for alg in $ALGS; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1 - done - if [ $ret -ne 0 ]; then diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh -index 225722f..63ac938 100644 +index 4dd6fa7..1b79263 100644 --- a/bin/tests/system/rndc/setup.sh +++ b/bin/tests/system/rndc/setup.sh -@@ -38,7 +38,7 @@ make_key () { +@@ -47,7 +47,7 @@ make_key () { sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf } @@ -759,13 +716,13 @@ index 225722f..63ac938 100644 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index 9bf86c6..b8a7a1f 100644 +index 85c271b..ac69f32 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh -@@ -349,15 +349,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` +@@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) - n=`expr $n + 1` + n=$((n+1)) -echo_i "testing rndc with hmac-md5 ($n)" -ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 
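Review bot: The two `for alg in $ALGS` replacements for the "check TSIG key algorithms (nsupdate -y)" test are dropped from the nsupdate/tests.sh section, while nsupdate/setup.sh still writes an empty ns1/md5.key (`echo -n > ns1/md5.key`) when `$FEATURETEST --md5` fails. If 9.18 still has the `-y` loops over the literal `md5 sha1 sha224 sha256 sha384 sha512` list (not visible in this hunk), the md5 iteration would extract an empty secret from that file and the test would fail on hosts without MD5. If upstream removed or reworked those loops, a sentence in the commit message saying so would make the omission reviewable; otherwise keep both `+for alg in $ALGS; do` lines.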
@@ -774,29 +731,28 @@ index 9bf86c6..b8a7a1f 100644 - $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 -done -if [ $ret != 0 ]; then echo_i "failed"; fi --status=`expr $status + $ret` +-status=$((status+ret)) +if $FEATURETEST --md5 -+then + echo_i "testing rndc with hmac-md5 ($n)" + ret=0 + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 + for i in 2 3 4 5 6 + do -+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 ++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=`expr $status + $ret` ++ status=$((status+ret)) +else + echo_i "skipping rndc with hmac-md5 ($n)" +fi - n=`expr $n + 1` + n=$((n+1)) echo_i "testing rndc with hmac-sha1 ($n)" diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in -index 3470c4f..cf539cd 100644 +index 76cf970..22637af 100644 --- a/bin/tests/system/tsig/ns1/named.conf.in +++ b/bin/tests/system/tsig/ns1/named.conf.in -@@ -21,10 +21,7 @@ options { +@@ -23,10 +23,7 @@ options { notify no; }; @@ -808,7 +764,7 @@ index 3470c4f..cf539cd 100644 key "sha1" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; -@@ -51,10 +48,7 @@ key "sha512" { +@@ -53,10 +50,7 @@ key "sha512" { algorithm hmac-sha512; }; @@ -820,27 +776,11 @@ index 3470c4f..cf539cd 100644 key "sha1-trunc" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; -diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in -new file mode 100644 -index 0000000..0682194 ---- /dev/null -+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in -@@ -0,0 +1,10 @@ -+# Conditionally included when support for MD5 is available -+key "md5" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5; -+}; -+ -+key "md5-trunc" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5-80; -+}; 
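Review bot: The refreshed rndc/tests.sh hunk drops the `then` line after `if $FEATURETEST --md5`, so in the patched script the condition list runs straight into the hmac-md5 test body and the shell rejects the following `else` as a syntax error. The inner hunk header now counts 19 new lines (`@@ -350,15 +350,19 @@`) where it used to count 20, so the removal is real rather than a rendering artefact. Restore `+then` directly after `+if $FEATURETEST --md5` and put the count back to 20, or fold it into one line as `+if $FEATURETEST --md5; then`. As written the script aborts at that point, so the hmac-sha1 and later rndc authentication checks that follow would never run.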
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh -index e3b4a45..ae21d04 100644 +index 34cc73b..d51ff21 100644 --- a/bin/tests/system/tsig/setup.sh +++ b/bin/tests/system/tsig/setup.sh -@@ -15,3 +15,8 @@ SYSTEMTESTTOP=.. +@@ -16,3 +16,8 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf @@ -850,10 +790,10 @@ index e3b4a45..ae21d04 100644 + cat ns1/rndc5.conf.in >> ns1/named.conf +fi diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh -index 38d842a..668aa6f 100644 +index 1067227..ee05e83 100644 --- a/bin/tests/system/tsig/tests.sh +++ b/bin/tests/system/tsig/tests.sh -@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f +@@ -27,20 +27,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f status=0 @@ -864,6 +804,13 @@ index 38d842a..668aa6f 100644 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 -fi +- +-echo_i "fetching using hmac-md5 (new form)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 +-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 +if $FEATURETEST --md5 +then + echo_i "fetching using hmac-md5 (old form)" @@ -873,13 +820,7 @@ index 38d842a..668aa6f 100644 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi - --echo_i "fetching using hmac-md5 (new form)" --ret=0 --$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 --grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 ++ + echo_i "fetching using hmac-md5 (new form)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 
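Review bot: The refreshed patch no longer creates bin/tests/system/tsig/ns1/rndc5.conf.in (its whole `new file mode 100644` section is removed), yet the tsig/setup.sh section kept right after it still runs `cat ns1/rndc5.conf.in >> ns1/named.conf` when `$FEATURETEST --md5` succeeds. Unless the 9.18 sources or another patch supply that file, the `cat` fails on builds where MD5 is available and the `md5` and `md5-trunc` keys are never defined. The hmac-md5 cases in tsig/tests.sh are gated on the same feature test and would then fail. Either keep the `rndc5.conf.in` section in the patch, or remove the `cat` together with the md5 branches in tsig/tests.sh.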
@@ -892,7 +833,7 @@ index 38d842a..668aa6f 100644 fi echo_i "fetching using hmac-sha1" -@@ -87,12 +92,17 @@ fi +@@ -88,12 +93,17 @@ fi # Truncated TSIG # # @@ -916,7 +857,7 @@ index 38d842a..668aa6f 100644 fi echo_i "fetching using hmac-sha1 (trunc)" -@@ -141,12 +151,17 @@ fi +@@ -142,12 +152,17 @@ fi # Check for bad truncation. # # @@ -941,10 +882,10 @@ index 38d842a..668aa6f 100644 echo_i "fetching using hmac-sha1-80 (BADTRUNC)" diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index 3873c7c..b359a5a 100644 +index c2b57dd..cb13aa1 100644 --- a/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key "update.example." { @@ -954,10 +895,10 @@ index 3873c7c..b359a5a 100644 }; diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh -index a50c896..8062d68 100644 +index a6de312..ebcadb1 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh -@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +@@ -80,7 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi echo_i "updating zone (signed) ($n)" ret=0 @@ -967,5 +908,5 @@ index a50c896..8062d68 100644 update add updated.example. 600 A 10.10.10.1 update add updated.example. 600 TXT Foo -- -2.31.1 +2.34.1 diff --git a/bind-9.11-kyua-pkcs11.patch b/bind-9.11-kyua-pkcs11.patch deleted file mode 100644 index ea9a51a..0000000 --- a/bind-9.11-kyua-pkcs11.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 1241f2005d08673c28a595c5a6cd61350b95a929 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Tue, 2 Jan 2018 18:13:07 +0100 -Subject: [PATCH] Fix pkcs11 variants atf tests - -Add dns-pkcs11 tests Makefile to configure - -Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode ---- - configure.ac | 1 + - lib/Kyuafile | 2 ++ - lib/dns-pkcs11/tests/dh_test.c | 3 ++- - 3 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index d80ae31..0fb9328 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([ - lib/dns-pkcs11/include/Makefile - lib/dns-pkcs11/include/dns/Makefile - lib/dns-pkcs11/include/dst/Makefile -+ lib/dns-pkcs11/tests/Makefile - lib/irs/Makefile - lib/irs/include/Makefile - lib/irs/include/irs/Makefile -diff --git a/lib/Kyuafile b/lib/Kyuafile -index 39ce986..037e5ef 100644 ---- a/lib/Kyuafile -+++ b/lib/Kyuafile -@@ -2,8 +2,10 @@ syntax(2) - test_suite('bind9') - - include('dns/Kyuafile') -+include('dns-pkcs11/Kyuafile') - include('irs/Kyuafile') - include('isc/Kyuafile') - include('isccc/Kyuafile') - include('isccfg/Kyuafile') - include('ns/Kyuafile') -+include('ns-pkcs11/Kyuafile') -diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c -index 934e8fd..658d1af 100644 ---- a/lib/dns-pkcs11/tests/dh_test.c -+++ b/lib/dns-pkcs11/tests/dh_test.c -@@ -87,7 +87,8 @@ dh_computesecret(void **state) { - result = dst_key_computesecret(key, key, &buf); - assert_int_equal(result, DST_R_NOTPRIVATEKEY); - result = key->func->computesecret(key, key, &buf); -- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE); -+ /* PKCS11 variant gives different result, accept both */ -+ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY); - - dst_key_free(&key); - } --- -2.20.1 - diff --git a/bind-9.11-rh1666814.patch b/bind-9.11-rh1666814.patch deleted file mode 100644 index 533781d..0000000 
--- a/bind-9.11-rh1666814.patch +++ /dev/null @@ -1,29 +0,0 @@ -From d05d116da39c0a5c580ceaac6ba069899b82c5a0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Wed, 16 Jan 2019 16:27:33 +0100 -Subject: [PATCH] Fix possible crash when loading corrupted file - -Some values passes internal triggers by coincidence. Fix the check and -check also first_node_offset before even passing it further. ---- - lib/dns/rbt.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c -index 5aee5f6..7f2c2d2 100644 ---- a/lib/dns/rbt.c -+++ b/lib/dns/rbt.c -@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize, - rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset + - header->first_node_offset); - -- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) { -+ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize -+ || header->first_node_offset > filesize) { -+ - result = ISC_R_INVALIDFILE; - goto cleanup; - } --- -2.31.1 - diff --git a/bind-9.14-config-pkcs11.patch b/bind-9.14-config-pkcs11.patch deleted file mode 100644 index 0d62df6..0000000 --- a/bind-9.14-config-pkcs11.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Fri, 18 Oct 2019 21:30:52 +0200 -Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h - -Building two variants with the same common code requires to unset -USE_PKCS11 on part of build. That is not possible with config.h value. -Move it as normal define to CDEFINES. ---- - bin/confgen/Makefile.in | 2 +- - configure.ac | 8 ++++++-- - lib/dns/dst_internal.h | 12 +++++++++--- - 3 files changed, 16 insertions(+), 6 deletions(-) - -diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in -index 1b7512d..c126bf3 100644 ---- a/bin/confgen/Makefile.in -+++ b/bin/confgen/Makefile.in -@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ - CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \ - ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} - --CDEFINES = -+CDEFINES = @USE_PKCS11@ - CWARNINGS = - - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ -diff --git a/configure.ac b/configure.ac -index f5483fe..08a7d8a 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST]) - AC_SUBST([PKCS11_TOOLS]) - AC_SUBST([PKCS11_MANS]) - -+USE_PKCS11='-DUSE_PKCS11=0' -+USE_OPENSSL='-DUSE_OPENSSL=0' - AC_SUBST([CRYPTO]) - AS_CASE([$CRYPTO], -- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])], -- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])]) -+ [pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'], -+ [USE_OPENSSL='-DUSE_OPENSSL=1']) -+AC_SUBST(USE_PKCS11) -+AC_SUBST(USE_OPENSSL) - - # preparation for automake - # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"]) -diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h -index 2c3b4a3..55e9dc4 100644 ---- a/lib/dns/dst_internal.h -+++ b/lib/dns/dst_internal.h -@@ -38,6 +38,13 @@ - #include - #include - -+#ifndef USE_PKCS11 -+#define USE_PKCS11 0 -+#endif -+#ifndef USE_OPENSSL 
-+#define USE_OPENSSL (! USE_PKCS11) -+#endif -+ - #if USE_PKCS11 - #include - #include -@@ -116,11 +123,10 @@ struct dst_key { - void *generic; - dns_gss_ctx_id_t gssctx; - DH *dh; --#if USE_OPENSSL -- EVP_PKEY *pkey; --#endif /* if USE_OPENSSL */ - #if USE_PKCS11 - pk11_object_t *pkey; -+#else -+ EVP_PKEY *pkey; - #endif /* if USE_PKCS11 */ - dst_hmac_key_t *hmac_key; - } keydata; /*%< pointer to key in crypto pkg fmt */ --- -2.26.2 - diff --git a/bind-9.16-redhat_doc.patch b/bind-9.16-redhat_doc.patch index ef76e16..fe8ed11 100644 --- a/bind-9.16-redhat_doc.patch +++ b/bind-9.16-redhat_doc.patch @@ -1,4 +1,4 @@ -From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001 +From 402403b4bbb4f603693378e86b6c97997ccb0401 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Wed, 17 Jun 2020 23:17:13 +0200 Subject: [PATCH] Update man named with Red Hat specifics @@ -6,15 +6,15 @@ Subject: [PATCH] Update man named with Red Hat specifics This is almost unmodified text and requires revalidation. Some of those statements are no longer correct. --- - bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++ - 1 file changed, 35 insertions(+) + bin/named/named.rst | 41 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) diff --git a/bin/named/named.rst b/bin/named/named.rst -index 6fd8f87..3cd6350 100644 +index ea440b2..fa51984 100644 --- a/bin/named/named.rst +++ b/bin/named/named.rst -@@ -228,6 +228,41 @@ Files - ``/var/run/named/named.pid`` +@@ -212,6 +212,47 @@ Files + |named_pid| The default process-id file. +Notes 
@@ -24,7 +24,7 @@ index 6fd8f87..3cd6350 100644 + +By default, Red Hat ships BIND with the most secure SELinux policy +that will not prevent normal BIND operation and will prevent exploitation -+of all known BIND security vulnerabilities. See the selinux(8) man page ++of all known BIND security vulnerabilities . See the selinux(8) man page +for information about SElinux. + +It is not necessary to run named in a chroot environment if the Red Hat 
@@ -34,27 +34,33 @@ index 6fd8f87..3cd6350 100644 + +*With this extra security comes some restrictions:* + -+By default, the SELinux policy does not allow named to write outside directory -+/var/named. That directory used to be read-only for named, but write access is -+enabled by default now. ++By default, the SELinux policy does not allow named to write any master ++zone database files. Only the root user may create files in the $ROOTDIR/var/named ++zone database file directory (the options { "directory" } option), where ++$ROOTDIR is set in /etc/sysconfig/named. + +The "named" group must be granted read privelege to +these files in order for named to be enabled to read them. -+Any file updated by named must be writeable by named user or named group. + +Any file created in the zone database file directory is automatically assigned +the SELinux file context *named_zone_t* . + ++By default, SELinux prevents any role from modifying *named_zone_t* files; this ++means that files in the zone database directory cannot be modified by dynamic ++DNS (DDNS) updates or zone transfers. ++ +The Red Hat BIND distribution and SELinux policy creates three directories where -+named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic* -+*/var/named/data*. The service is able to write and file under */var/named* with appropriate -+permissions. They are used for better organisation of zones and backward compatibility. -+Files in these directories are automatically assigned the '*named_cache_t*' -+file context, which SELinux always allows named to write. ++named is allowed to create and modify files: */var/named/slaves*, */var/named/dynamic* ++*/var/named/data*. By placing files you want named to modify, such as ++slave or DDNS updateable zone files and database / statistics dump files in ++these directories, named will work normally and no further operator action is ++required. 
Files in these directories are automatically assigned the '*named_cache_t*' ++file context, which SELinux allows named to write. ++ + See Also ~~~~~~~~ -- -2.26.2 +2.34.1 diff --git a/bind-9.16-resolv.conf-options-timeout-test.patch b/bind-9.16-resolv.conf-options-timeout-test.patch deleted file mode 100644 index 16cf020..0000000 --- a/bind-9.16-resolv.conf-options-timeout-test.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -From 7270604440268bb17b39ae734ff33003a67c8343 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Tue, 20 Jul 2021 19:34:42 +0200 -Subject: [PATCH] Check parsed resconf values - -Add 'attempts' check, fix 'ndots' data. Create a bunch of verification -functions and check parsed values, not just return codes. ---- - lib/irs/tests/resconf_test.c | 46 ++++++++++++++++++-- - lib/irs/tests/testdata/options-attempts.conf | 10 +++++ - lib/irs/tests/testdata/options-ndots.conf | 2 +- - 3 files changed, 54 insertions(+), 4 deletions(-) - create mode 100644 lib/irs/tests/testdata/options-attempts.conf - -diff --git a/lib/irs/tests/resconf_test.c b/lib/irs/tests/resconf_test.c -index 6951758..ce94345 100644 ---- a/lib/irs/tests/resconf_test.c -+++ b/lib/irs/tests/resconf_test.c -@@ -45,6 +45,43 @@ setup_test() { - assert_return_code(chdir(TESTS), 0); - } - -+static isc_result_t -+check_number(unsigned int n, unsigned int expected) { -+ return ((n == expected) ? 
ISC_R_SUCCESS : ISC_R_BADNUMBER); -+} -+ -+static isc_result_t -+check_attempts(irs_resconf_t *resconf) { -+ return (check_number(irs_resconf_getattempts(resconf), 4)); -+} -+ -+static isc_result_t -+check_timeout(irs_resconf_t *resconf) { -+ return (check_number(irs_resconf_gettimeout(resconf), 1)); -+} -+ -+static isc_result_t -+check_ndots(irs_resconf_t *resconf) { -+ return (check_number(irs_resconf_getndots(resconf), 2)); -+} -+ -+static isc_result_t -+check_options(irs_resconf_t *resconf) { -+ if (irs_resconf_getattempts(resconf) != 3) { -+ return ISC_R_BADNUMBER; /* default value only */ -+ } -+ -+ if (irs_resconf_getndots(resconf) != 2) { -+ return ISC_R_BADNUMBER; -+ } -+ -+ if (irs_resconf_gettimeout(resconf) != 1) { -+ return ISC_R_BADNUMBER; -+ } -+ -+ return (ISC_R_SUCCESS); -+} -+ - /* test irs_resconf_load() */ - static void - irs_resconf_load_test(void **state) { -@@ -64,15 +101,18 @@ irs_resconf_load_test(void **state) { - ISC_R_SUCCESS }, - { "testdata/nameserver-v6-scoped.conf", ISC_R_SUCCESS, NULL, - ISC_R_SUCCESS }, -+ { "testdata/options-attempts.conf", ISC_R_SUCCESS, -+ check_attempts, ISC_R_SUCCESS }, - { "testdata/options-debug.conf", ISC_R_SUCCESS, NULL, - ISC_R_SUCCESS }, -- { "testdata/options-ndots.conf", ISC_R_SUCCESS, NULL, -+ { "testdata/options-ndots.conf", ISC_R_SUCCESS, check_ndots, - ISC_R_SUCCESS }, -- { "testdata/options-timeout.conf", ISC_R_SUCCESS, NULL, -+ { "testdata/options-timeout.conf", ISC_R_SUCCESS, check_timeout, - ISC_R_SUCCESS }, - { "testdata/options-unknown.conf", ISC_R_SUCCESS, NULL, - ISC_R_SUCCESS }, -- { "testdata/options.conf", ISC_R_SUCCESS, NULL, ISC_R_SUCCESS }, -+ { "testdata/options.conf", ISC_R_SUCCESS, check_options, -+ ISC_R_SUCCESS }, - { "testdata/options-bad-ndots.conf", ISC_R_RANGE, NULL, - ISC_R_SUCCESS }, - { "testdata/options-empty.conf", ISC_R_UNEXPECTEDEND, NULL, -diff --git a/lib/irs/tests/testdata/options-attempts.conf b/lib/irs/tests/testdata/options-attempts.conf -new file mode 100644 
-index 0000000..4538643 ---- /dev/null -+++ b/lib/irs/tests/testdata/options-attempts.conf -@@ -0,0 +1,10 @@ -+# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+# -+# This Source Code Form is subject to the terms of the Mozilla Public -+# License, v. 2.0. If a copy of the MPL was not distributed with this -+# file, you can obtain one at https://mozilla.org/MPL/2.0/. -+# -+# See the COPYRIGHT file distributed with this work for additional -+# information regarding copyright ownership. -+ -+options attempts:4 -diff --git a/lib/irs/tests/testdata/options-ndots.conf b/lib/irs/tests/testdata/options-ndots.conf -index 5d18d26..f37c712 100644 ---- a/lib/irs/tests/testdata/options-ndots.conf -+++ b/lib/irs/tests/testdata/options-ndots.conf -@@ -9,4 +9,4 @@ - # See the COPYRIGHT file distributed with this work for additional - # information regarding copyright ownership. - --option ndots:2 -+options ndots:2 --- -2.35.3 - diff --git a/bind-9.16-resolv.conf-options-timeout.patch b/bind-9.16-resolv.conf-options-timeout.patch deleted file mode 100644 index 2c28b6d..0000000 --- a/bind-9.16-resolv.conf-options-timeout.patch +++ /dev/null 
@@ -1,203 +0,0 @@
-From b0e79979672935ff07bf23703c675ee788940c59 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
-Date: Tue, 22 Jun 2021 16:35:46 +0200
-Subject: [PATCH] Parse 'timeout' and 'attempts' from resolv.conf
-
-It was supported by lwres in BIND 9.11, and is still mentioned in
-the manual page. Restore support for it by adding it to libirs.
----
- bin/dig/dighost.c | 13 ++++++-
- lib/irs/include/irs/resconf.h | 20 +++++++++++
- lib/irs/resconf.c | 64 ++++++++++++++++++++++++++++-------
- 3 files changed, 84 insertions(+), 13 deletions(-)
-
-diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index 0222454..274e894 100644
---- a/bin/dig/dighost.c
-+++ b/bin/dig/dighost.c
-@@ -133,7 +133,7 @@ int sendcount = 0;
- int recvcount = 0;
- int sockcount = 0;
- int ndots = -1;
--int tries = 3;
-+int tries = -1;
- int lookup_counter = 0;
-
- static char servercookie[256];
-@@ -1330,6 +1330,17 @@ setup_system(bool ipv4only, bool ipv6only) {
- ndots = irs_resconf_getndots(resconf);
- debug("ndots is %d.", ndots);
- }
-+ if (timeout == 0) {
-+ timeout = irs_resconf_gettimeout(resconf);
-+ debug("timeout is %d.", timeout);
-+ }
-+ if (tries == -1) {
-+ tries = irs_resconf_getattempts(resconf);
-+ if (tries == 0) {
-+ tries = 3;
-+ }
-+ debug("retries is %d.", tries);
-+ }
-
- /* If user doesn't specify server use nameservers from resolv.conf. */
- if (ISC_LIST_EMPTY(server_list)) {
-diff --git a/lib/irs/include/irs/resconf.h b/lib/irs/include/irs/resconf.h
-index 424b795..74fc84a 100644
---- a/lib/irs/include/irs/resconf.h
-+++ b/lib/irs/include/irs/resconf.h
-@@ -113,6 +113,26 @@ irs_resconf_getndots(irs_resconf_t *conf);
- *\li 'conf' is a valid resconf object.
- */
-
-+unsigned int
-+irs_resconf_getattempts(irs_resconf_t *conf);
-+/*%<
-+ * Return the 'attempts' value stored in 'conf'.
-+ *
-+ * Requires:
-+ *
-+ *\li 'conf' is a valid resconf object.
-+ */
-+
-+unsigned int
-+irs_resconf_gettimeout(irs_resconf_t *conf);
-+/*%<
-+ * Return the 'timeout' value stored in 'conf'.
-+ *
-+ * Requires:
-+ *
-+ *\li 'conf' is a valid resconf object.
-+ */
-+
- ISC_LANG_ENDDECLS
-
- #endif /* IRS_RESCONF_H */
-diff --git a/lib/irs/resconf.c b/lib/irs/resconf.c
-index 096064b..dd51d71 100644
---- a/lib/irs/resconf.c
-+++ b/lib/irs/resconf.c
-@@ -80,6 +80,13 @@
- #define RESCONFMAXLINELEN 256U /*%< max size of a line */
- #define RESCONFMAXSORTLIST 10U /*%< max 10 */
-
-+#define CHECK(op) \
-+ do { \
-+ result = (op); \
-+ if (result != ISC_R_SUCCESS) \
-+ goto cleanup; \
-+ } while (0)
-+
- /*!
- * configuration data structure
- */
-@@ -114,6 +121,10 @@ struct irs_resconf {
- uint8_t resdebug;
- /*%< set to n in 'options ndots:n' */
- uint8_t ndots;
-+ /*%< set to n in 'options attempts:n' */
-+ uint8_t attempts;
-+ /*%< set to n in 'options timeout:n' */
-+ uint8_t timeout;
- };
-
- static isc_result_t
-@@ -176,8 +187,8 @@ eatwhite(FILE *fp) {
- */
- static int
- getword(FILE *fp, char *buffer, size_t size) {
-+ char *p = NULL;
- int ch;
-- char *p;
-
- REQUIRE(buffer != NULL);
- REQUIRE(size > 0U);
-@@ -457,11 +468,26 @@ resconf_parsesortlist(irs_resconf_t *conf, FILE *fp) {
- return (ISC_R_SUCCESS);
- }
-
-+static isc_result_t
-+resconf_optionnumber(const char *word, uint8_t *number) {
-+ char *p;
-+ long n;
-+
-+ n = strtol(word, &p, 10);
-+ if (*p != '\0') { /* Bad string. */
-+ return (ISC_R_UNEXPECTEDTOKEN);
-+ }
-+ if (n < 0 || n > 0xff) { /* Out of range.
*/
-+ return (ISC_R_RANGE);
-+ }
-+ *number = n;
-+ return (ISC_R_SUCCESS);
-+}
-+
- static isc_result_t
- resconf_parseoption(irs_resconf_t *conf, FILE *fp) {
- int delim;
-- long ndots;
-- char *p;
-+ isc_result_t result = ISC_R_SUCCESS;
- char word[RESCONFMAXLINELEN];
-
- delim = getword(fp, word, sizeof(word));
-@@ -473,14 +499,11 @@ resconf_parseoption(irs_resconf_t *conf, FILE *fp) {
- if (strcmp("debug", word) == 0) {
- conf->resdebug = 1;
- } else if (strncmp("ndots:", word, 6) == 0) {
-- ndots = strtol(word + 6, &p, 10);
-- if (*p != '\0') { /* Bad string. */
-- return (ISC_R_UNEXPECTEDTOKEN);
-- }
-- if (ndots < 0 || ndots > 0xff) { /* Out of range. */
-- return (ISC_R_RANGE);
-- }
-- conf->ndots = (uint8_t)ndots;
-+ CHECK(resconf_optionnumber(word + 6, &conf->ndots));
-+ } else if (strncmp("attempts:", word, 9) == 0) {
-+ CHECK(resconf_optionnumber(word + 9, &conf->attempts));
-+ } else if (strncmp("timeout:", word, 8) == 0) {
-+ CHECK(resconf_optionnumber(word + 8, &conf->timeout));
- }
-
- if (delim == EOF || delim == '\n') {
-@@ -490,7 +513,8 @@ resconf_parseoption(irs_resconf_t *conf, FILE *fp) {
- }
- }
-
-- return (ISC_R_SUCCESS);
-+cleanup:
-+ return (result);
- }
-
- static isc_result_t
-@@ -532,6 +556,8 @@ irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp) {
- conf->sortlistnxt = 0;
- conf->resdebug = 0;
- conf->ndots = 1;
-+ conf->attempts = 3;
-+ conf->timeout = 0;
- for (i = 0; i < RESCONFMAXSEARCH; i++) {
- conf->search[i] = NULL;
- }
-@@ -687,3 +713,17 @@ irs_resconf_getndots(irs_resconf_t *conf) {
-
- return ((unsigned int)conf->ndots);
- }
-+
-+unsigned int
-+irs_resconf_getattempts(irs_resconf_t *conf) {
-+ REQUIRE(IRS_RESCONF_VALID(conf));
-+
-+ return ((unsigned int)conf->attempts);
-+}
-+
-+unsigned int
-+irs_resconf_gettimeout(irs_resconf_t *conf) {
-+ REQUIRE(IRS_RESCONF_VALID(conf));
-+
-+ return ((unsigned int)conf->timeout);
-+}
---
-2.35.3
-
diff --git a/bind-9.5-PIE.patch b/bind-9.5-PIE.patch index d3c73ee..3f47a0a 100644 --- a/bind-9.5-PIE.patch +++ b/bind-9.5-PIE.patch @@ -1,30 +1,20 @@ -diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in -index eb622d1..37053a7 100644 ---- a/bin/named/Makefile.in -+++ b/bin/named/Makefile.in -@@ -117,8 +117,12 @@ SRCS = builtin.c config.c control.c \ - tkeyconf.c tsigconf.c zoneconf.c \ - ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} +diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am +index 7065a90..e2e485b 100644 +--- a/bin/named/Makefile.am ++++ b/bin/named/Makefile.am +@@ -32,6 +32,7 @@ AM_CPPFLAGS += \ + endif HAVE_LIBXML2 -+EXT_CFLAGS = -fpie + AM_CPPFLAGS += \ ++ -fpie \ + -DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \ + -DNAMED_SYSCONFDIR=\"${sysconfdir}\" + +@@ -122,5 +123,7 @@ named_LDADD += \ + $(LIBNGHTTP2_LIBS) + endif HAVE_LIBNGHTTP2 + ++AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack + - @BIND9_MAKE_RULES@ - -+LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack -+ - main.@O@: main.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ - -DVERSION=\"${VERSION}\" \ -diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in -index fd9ca8d..f1c102c 100644 ---- a/bin/named/unix/Makefile.in -+++ b/bin/named/unix/Makefile.in -@@ -11,6 +11,8 @@ srcdir = @srcdir@ - VPATH = @srcdir@ - top_srcdir = @top_srcdir@ - -+EXT_CFLAGS = -fpie -+ - @BIND9_MAKE_INCLUDES@ - - CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \ + MAINTAINERCLEANFILES = \ + named.conf.rst diff --git a/bind-9.5-dlz-64bit.patch b/bind-9.5-dlz-64bit.patch deleted file mode 100644 index ec064c6..0000000 --- a/bind-9.5-dlz-64bit.patch +++ /dev/null 
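Review bot: In the rewritten bind-9.5-PIE.patch, `-fpie` is appended to `AM_CPPFLAGS` although it is a code-generation option rather than a preprocessor option; it reaches the compiler only because automake passes the CPPFLAGS variables on every compile command. `AM_CFLAGS += -fpie` would state the intent, provided bin/named/Makefile.am does not override it with per-target flags (not visible in this hunk). The spec marks this patch with `# FIXME: Is this still required?`, and a build-time check of the installed `named` for PIE, full RELRO and a non-executable stack would answer that and catch a silent loss of the `AM_LDFLAGS` hardening. Note too that the `sed 's|fpie|fPIE|g'` step in `%prep` depends on the literal string this patch inserts.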
@@ -1,53 +0,0 @@
-diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
-index 47525af..eefe3c3 100644
---- a/contrib/dlz/config.dlz.in
-+++ b/contrib/dlz/config.dlz.in
-@@ -17,6 +17,13 @@
- #
- dlzdir='${DLZ_DRIVER_DIR}'
-
-+AC_MSG_CHECKING([for target libdir])
-+AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}],
-+ [target_lib=lib64],
-+ [target_lib=lib],
-+)
-+AC_MSG_RESULT(["$target_lib"])
-+
- #
- # Private autoconf macro to simplify configuring drivers:
- #
-@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in
- then
- break
- fi
-- elif test -f "$dd/lib/lib${d}.so"
-+ elif test -f "$dd/${target_lib}/lib${d}.so"
- then
-- dlz_bdb_libs="-L${dd}/lib -l${d}"
-+ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
- break
- fi
- done
-@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in
- *)
- DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
- [-I$use_dlz_ldap/include],
-- [-L$use_dlz_ldap/lib -lldap -llber])
-+ [-L$use_dlz_ldap/${target_lib} -lldap -llber])
-
- AC_MSG_RESULT(
- [using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
-@@ -432,11 +439,11 @@ then
- odbcdirs="/usr /usr/local /usr/pkg"
- for d in $odbcdirs
- do
-- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
-+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
- then
- use_dlz_odbc=$d
- dlz_odbc_include="-I$use_dlz_odbc/include"
-- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
-+ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
- break
- fi
- done
diff --git a/bind-9.9.1-P2-dlz-libdb.patch b/bind-9.9.1-P2-dlz-libdb.patch
deleted file mode 100644
index 866ed8f..0000000
--- a/bind-9.9.1-P2-dlz-libdb.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in
---- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200
-+++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200
-@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in
- # Check other locations for includes.
- # Order is important (sigh).
-
-- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
-+ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
- # include a blank element first
- for d in "" $bdb_incdirs
- do
-@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in
- bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
- for d in $bdb_libnames
- do
-- if test "$dd" = "/usr"
-+ if test -f "$dd/${target_lib}/lib${d}.so"
- then
-- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}")
-- if test $dlz_bdb_libs != "yes"
-- then
-- break
-- fi
-- elif test -f "$dd/${target_lib}/lib${d}.so"
-- then
-- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
-+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
- break
- fi
- done
diff --git a/bind.spec b/bind.spec
index cf76813..486f24a 100644
--- a/bind.spec
+++ b/bind.spec
@@ -9,15 +9,19 @@ %bcond_without GSSTSIG # it is not possible to build the package without PKCS11 sub-package # due to extensive changes to Makefiles -%bcond_without PKCS11 +%bcond_with PKCS11 # TODO: Remove %bcond_without JSON +# FIXME: Not ready. Should it be worked on? %bcond_without DLZ # New MaxMind GeoLite support %bcond_without GEOIP2 +# Disabled temporarily until kyua is fixed on rawhide, bug #1926779 %bcond_without UNITTEST %bcond_without DNSTAP %bcond_without LMDB %bcond_without DOC +# Because of issues with PDF rebuild, include only HTML pages +# Current error: unable top find isc-logo.pdf %if 0%{?fedora} # RHEL and ELN do not have all required packages %bcond_without DOCPDF @@ -47,18 +51,26 @@ # lib*.so.X versions of selected libraries no longer provided, # lib*-%%{version}-RH.so is provided as an internal implementation detail +# Upstream package name +%global upname bind +%define upname_compat() \ +%if "%{name}" != "%{upname}" \ +Provides: %1 = %{epoch}:%{version}-%{release} \ +Obsoletes: %1 < 32:9.17.0 \ +Conflicts: %1 \ +%endif Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPLv2.0 -Version: 9.16.30 +Version: 9.18.4 Release: 2%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # -Source0: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz +Source0: https://downloads.isc.org/isc/bind9/%{version}/%{upname}-%{version}.tar.xz Source1: named.sysconfig -Source2: https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz.asc +Source2: https://downloads.isc.org/isc/bind9/%{version}/%{upname}-%{version}.tar.xz.asc Source3: named.logrotate Source4: https://downloads.isc.org/isc/pgpkeys/codesign2021.txt Source16: named.conf 
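Review bot: The comment kept above the PKCS11 conditional still says the package cannot be built without the PKCS11 sub-package, but this hunk switches the line below it to `%bcond_with PKCS11`, which turns that sub-package off by default. The comment should be replaced, for example with `# PKCS11 sub-packages are off by default; build with --with PKCS11 to enable`. The added `# Disabled temporarily until kyua is fixed on rawhide, bug #1926779` has the same problem, because it sits directly above `%bcond_without UNITTEST`, which leaves the unit tests enabled by default. The added DOC comment also contains the typo `unable top find`.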
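Review bot: `Source4` still names `codesign2021.txt` as the keyring, while the diffstat of this commit adds `codesign2019.txt` to the repository, so no Source line visible in this hunk refers to the newly added key file. If the 2019-2020 key is not needed to verify the 9.18.4 tarball it is better left out of distgit, so that the only key material shipped is the one `%{gpgverify}` is expected to trust. If it is needed, it should get its own `SourceN:` entry and be part of the keyring passed to the verification. The `%{gpgverify}` call itself is outside this hunk. Separately, `Release:` stays at `2%{?dist}` although the new changelog entry reads `32:9.18.4-1`.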
@@ -84,27 +96,11 @@ Source47: named-pkcs11.service Source48: setup-named-softhsm.sh Source49: named-chroot.files -# Make PKCS11 used only for pkcs11 parts -Patch1: bind-9.14-config-pkcs11.patch -# Fedora specific patch to distribute native-pkcs#11 functionality -Patch2: bind-9.10-dist-native-pkcs11.patch -# Do not use isc-pkcs11. -Patch3: bind-9.11-kyua-pkcs11.patch - # Common patches -Patch18: bind-9.5-PIE.patch -Patch19: bind-9.16-redhat_doc.patch -Patch20: bind-9.5-dlz-64bit.patch -# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5601 -Patch21: bind93-rh490837.patch +# FIXME: Is this still required? +Patch10: bind-9.5-PIE.patch +Patch16: bind-9.16-redhat_doc.patch Patch22: bind-9.11-fips-tests.patch -Patch24: bind-9.9.1-P2-dlz-libdb.patch - -# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/2689 -Patch25:bind-9.11-rh1666814.patch -# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5273 -Patch27: bind-9.16-resolv.conf-options-timeout.patch -Patch28: bind-9.16-resolv.conf-options-timeout-test.patch %{?systemd_ordering} Requires: coreutils 
@@ -112,22 +108,23 @@ Requires(pre): shadow-utils Requires(post): shadow-utils Requires(post): glibc-common Requires(post): grep -Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} # This wild require should satisfy %%selinux_set_boolean macro only # in case it needs to be used Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls)) Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls)) -Recommends: bind-utils bind-dnssec-utils +Recommends: %{name}-utils %{name}-dnssec-utils +%upname_compat %{upname} + BuildRequires: gcc, make BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel BuildRequires: libidn2-devel, libxml2-devel BuildRequires: systemd-rpm-macros BuildRequires: selinux-policy -# needed for %%{__python3} macro -BuildRequires: python3-devel -BuildRequires: python3-ply BuildRequires: findutils sed +BuildRequires: libnghttp2-devel %if 0%{?fedora} +BuildRequires: jemalloc-devel BuildRequires: gnupg2 %endif BuildRequires: libuv-devel @@ -136,7 +133,7 @@ BuildRequires: openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-d %endif %if %{with UNITTEST} # make unit dependencies -BuildRequires: libcmocka-devel kyua +BuildRequires: libcmocka-devel %endif %if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST}) BuildRequires: softhsm 
@@ -185,9 +182,9 @@ tools for verifying that the DNS server is operating properly. %if %{with PKCS11} %package pkcs11 Summary: Bind with native PKCS#11 functionality for crypto -Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} -Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} -Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} Recommends: softhsm %description pkcs11 
@@ -195,21 +192,27 @@ This is a version of BIND server built with native PKCS#11 functionality. It is important to have SoftHSM v2+ installed and some token initialized. For other supported HSM modules please check the BIND documentation. +# TODO: Those utils can be used also without pkcs11 variant, but are not? %package pkcs11-utils Summary: Bind tools with native PKCS#11 for using DNSSEC -Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} -Obsoletes: bind-pkcs11 < 32:9.9.4-16.P2 -Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release} +Obsoletes: %{name}-pkcs11 < 32:9.9.4-16.P2 +Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release} +%if %{with PKCS11} +Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} +%endif %description pkcs11-utils This is a set of PKCS#11 utilities that when used together create rsa -keys in a PKCS11 keystore. Also utilities for working with DNSSEC +keys in a PKCS11 keystore. +%if %{with PKCS11} +Also utilities for working with DNSSEC compiled with native PKCS#11 functionality are included. +%endif %package pkcs11-libs Summary: Bind libraries compiled with native PKCS#11 -Requires: bind-license = %{epoch}:%{version}-%{release} -Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}-license = %{epoch}:%{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} %description pkcs11-libs This is a set of BIND libraries (dns, isc) compiled with native PKCS#11 @@ -217,8 +220,8 @@ functionality. %package pkcs11-devel Summary: Development files for Bind libraries compiled with native PKCS#11 -Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} -Requires: bind-devel%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release} %description pkcs11-devel This a set of development files for BIND libraries (dns, isc) compiled 
@@ -227,13 +230,13 @@ with native PKCS#11 functionality. %package libs Summary: Libraries used by the BIND DNS packages -Requires: bind-license = %{epoch}:%{version}-%{release} -Provides: bind-libs-lite = %{epoch}:%{version}-%{release} -Obsoletes: bind-libs-lite < 32:9.16.13 +Requires: %{name}-license = %{epoch}:%{version}-%{release} +Provides: %{name}-libs-lite = %{epoch}:%{version}-%{release} +Obsoletes: %{name}-libs-lite < 32:9.16.13 %description libs Contains heavyweight version of BIND suite libraries used by both named DNS -server and utilities in bind-utils package. +server and utilities in %{name}-utils package. %package license Summary: License of the BIND DNS suite @@ -244,9 +247,10 @@ Contains license of the BIND DNS suite. %package utils Summary: Utilities for querying DNS name servers -Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} # For compatibility with Debian package Provides: dnsutils = %{epoch}:%{version}-%{release} +%upname_compat %{upname}-utils %description utils Bind-utils contains a collection of utilities for querying DNS (Domain 
@@ -255,37 +259,37 @@ hosts. These tools will provide you with the IP addresses for given host names, as well as other information about registered domains and network addresses. -You should install bind-utils if you need to get information from DNS name +You should install %{name}-utils if you need to get information from DNS name servers. %package dnssec-utils Summary: DNSSEC keys and zones management utilities -Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} -Recommends: bind-utils -Requires: python3-bind = %{epoch}:%{version}-%{release} -Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} +Recommends: %{name}-utils +Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release} +%upname_compat %{upname}-dnssec-utils %description dnssec-utils -Bind-dnssec-utils contains a collection of utilities for editing +%{name}-dnssec-utils contains a collection of utilities for editing DNSSEC keys and BIND zone files. These tools provide generation, revocation and verification of keys and DNSSEC signatures in zone files. -You should install bind-dnssec-utils if you need to sign a DNS zone +You should install %{name}-dnssec-utils if you need to sign a DNS zone or maintain keys for it. %package dnssec-doc Summary: Manual pages of DNSSEC utilities -Requires: bind-license = %{epoch}:%{version}-%{release} +Requires: %{name}-license = %{epoch}:%{version}-%{release} BuildArch:noarch %description dnssec-doc -Bind-dnssec-doc contains manual pages for bind-dnssec-utils. +%{name}-dnssec-doc contains manual pages for %{name}-dnssec-utils. 
%package devel Summary: Header files and libraries needed for bind-dyndb-ldap -Provides: bind-lite-devel = %{epoch}:%{version}-%{release} -Obsoletes: bind-lite-devel < 32:9.16.6-3 -Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} +Provides: %{name}-lite-devel = %{epoch}:%{version}-%{release} +Obsoletes: %{name}-lite-devel < 32:9.16.6-3 +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa} Requires: libcap-devel%{?_isa} %if %{with GSSTSIG} @@ -305,7 +309,7 @@ Requires: libmaxminddb-devel%{?_isa} %endif %description devel -The bind-devel package contains full version of the header files and libraries +The %{name}-devel package contains full version of the header files and libraries required for building bind-dyndb-ldap. Upstream no longer supports nor recommends bind libraries for third party applications. @@ -314,7 +318,7 @@ Summary: A chroot runtime environment for the ISC BIND DNS server, named( Prefix: %{chroot_prefix} # grep is required due to setup-named-chroot.sh script Requires: grep -Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} %description chroot This package contains a tree of files which can be used as a 
@@ -325,21 +329,21 @@ Based on the code from Jan "Yenya" Kasprzak %if %{with DLZ} %package dlz-filesystem Summary: BIND server filesystem DLZ module -Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} %description dlz-filesystem Dynamic Loadable Zones filesystem module for BIND server. %package dlz-ldap Summary: BIND server ldap DLZ module -Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} %description dlz-ldap Dynamic Loadable Zones LDAP module for BIND server. %package dlz-mysql Summary: BIND server mysql and mysqldyn DLZ modules -Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} Provides: %{name}-dlz-mysqldyn = %{epoch}:%{version}-%{release} Obsoletes: %{name}-dlz-mysqldyn < 32:9.16.6-3 @@ -349,28 +353,16 @@ Contains also mysqldyn module with dynamic DNS updates (DDNS) support. %package dlz-sqlite3 Summary: BIND server sqlite3 DLZ module -Requires: bind%{?_isa} = %{epoch}:%{version}-%{release} +Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} %description dlz-sqlite3 Dynamic Loadable Zones sqlite3 module for BIND server. %endif - -%package -n python3-bind -Summary: A module allowing rndc commands to be sent from Python programs -Requires: bind-license = %{epoch}:%{version}-%{release} -Requires: python3 python3-ply %{?py3_dist:%py3_dist ply} -BuildArch: noarch -%{?python_provide:%python_provide python3-bind} -%{?python_provide:%python_provide python3-isc} - -%description -n python3-bind -This package provides a module which allows commands to be sent to rndc directly from Python programs. - %if %{with DOC} %package doc Summary: BIND 9 Administrator Reference Manual -Requires: bind-license = %{epoch}:%{version}-%{release} +Requires: %{name}-license = %{epoch}:%{version}-%{release} Requires: python3-sphinx_rtd_theme BuildArch: noarch 
@@ -392,25 +384,15 @@ in HTML and PDF format. # RHEL does not yet support this verification %{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE2}' --data='%{SOURCE0}' %endif -%autosetup -n %{name}-%{version} -N -%autopatch -p1 -m 18 -%if %{with PKCS11} -%autopatch -p1 -m 1 -M 1 -cp -r bin/named{,-pkcs11} -cp -r bin/dnssec{,-pkcs11} -cp -r lib/dns{,-pkcs11} -cp -r lib/ns{,-pkcs11} -%autopatch -p1 -m 2 -M 17 -%endif +%autosetup -n %{upname}-%{version} -p1 # Sparc and s390 arches need to use -fPIE %ifarch sparcv9 sparc64 s390 s390x -for i in bin/named/{,unix}/Makefile.in; do +for i in bin/named/Makefile.am; do sed -i 's|fpie|fPIE|g' $i done %endif -sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/ifconfig.sh :; @@ -420,15 +402,12 @@ sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/i # normal and pkcs11 unit tests %define unit_prepare_build() \ - cp -uv Kyuafile "%{1}/" \ find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \ - find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \ find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ %define systemtest_prepare_build() \ cp -Tuav bin/tests "%{1}/bin/tests/" \ - cp -uv version "%{1}" \ CFLAGS="$CFLAGS $RPM_OPT_FLAGS" %if %{with TSAN} @@ -439,10 +418,10 @@ export STD_CDEFINES="$CPPFLAGS" sed -i -e \ -'s/RELEASEVER=\(.*\)/RELEASEVER=\1-RH/' \ -version +'s/([bind_VERSION_EXTRA],\s*\([^)]*\))/([bind_VERSION_EXTRA], \1-RH)/' \ +configure.ac -libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f +autoreconf --force --install mkdir build @@ -456,8 +435,6 @@ pushd build LIBDIR_SUFFIX= export LIBDIR_SUFFIX %configure \ - --with-python=%{__python3} \ - --with-libtool \ --localstatedir=%{_var} \ --with-pic \ --disable-static \ 
@@ -471,7 +448,6 @@ export LIBDIR_SUFFIX --enable-native-pkcs11 \ --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \ %endif - --with-dlopen=yes \ %if %{with GSSTSIG} --with-gssapi=yes \ %endif @@ -481,7 +457,7 @@ export LIBDIR_SUFFIX --with-lmdb=no \ %endif %if %{with JSON} - --without-libjson --with-json-c \ + --with-json-c \ %endif %if %{with DNSTAP} --enable-dnstap \ @@ -496,9 +472,6 @@ export LIBDIR_SUFFIX pushd lib SRCLIB="../../../lib" (cd dns && ln -s ${SRCLIB}/dns/dnstap.proto) -%if %{with PKCS11} - (cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto) -%endif popd %endif @@ -512,27 +485,14 @@ fmtutil-user --missing || : %make_build -# Regenerate dig.1 manpage -pushd bin/dig -make man -popd -pushd bin/python -make man -popd - %if %{with DOC} make doc %endif %if %{with DLZ} pushd contrib/dlz/modules - for DIR in mysql mysqldyn; do - sed -e 's/@DLZ_DRIVER_MYSQL_INCLUDES@/$(shell mysql_config --cflags)/' \ - -e 's/@DLZ_DRIVER_MYSQL_LIBS@/$(shell mysql_config --libs)/' \ - $DIR/Makefile.in > $DIR/Makefile - done for DIR in filesystem ldap mysql mysqldyn sqlite3; do - make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS" + make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS -DPTHREADS=1" LDFLAGS="$LDFLAGS" done popd %endif @@ -639,11 +599,6 @@ install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir} %if %{with PKCS11} install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir} -%else -# Not packaged without PKCS11 -find ${RPM_BUILD_ROOT}%{_includedir}/bind9/pk11 ${RPM_BUILD_ROOT}%{_includedir}/bind9/pkcs11 \ - -name '*.h' \! -name site.h -delete - %endif mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir} 
@@ -659,14 +614,22 @@ mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files +pushd ${RPM_BUILD_ROOT}%{_sbindir} +# Compatibility with previous major versions, only for selected binaries +for BIN in named-checkconf named-checkzone named-compilezone +do + ln -s ../bin/$BIN $BIN +done +popd + %if %{with DLZ} pushd build pushd contrib/dlz/modules for DIR in filesystem ldap mysql mysqldyn sqlite3; do - %make_install -C $DIR libdir=%{_libdir}/named + %make_install -C $DIR libdir=%{_libdir}/bind done - pushd ${RPM_BUILD_ROOT}/%{_libdir}/bind - cp -s ../named/dlz_*.so . + pushd ${RPM_BUILD_ROOT}/%{_libdir}/named + cp -s ../bind/dlz_*.so . popd mkdir -p doc/{mysql,mysqldyn} cp -p mysqldyn/testing/README doc/mysqldyn/README.testing @@ -676,9 +639,6 @@ install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files popd %endif -# Install isc/errno2result.h header -install -m 644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/bind9/isc - # Remove libtool .la files: find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';'; @@ -708,15 +668,15 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man8/named-nzd2nzf.8* || true pushd ${RPM_BUILD_ROOT}%{_mandir}/man8 ln -s ddns-confgen.8.gz tsig-keygen.8.gz -ln -s named-checkzone.8.gz named-compilezone.8.gz +popd +pushd ${RPM_BUILD_ROOT}%{_mandir}/man1 +ln -s named-checkzone.1.gz named-compilezone.1.gz popd %if %{with DOC} mkdir -p ${RPM_BUILD_ROOT}%{_pkgdocdir} cp -a build/doc/arm/_build/html ${RPM_BUILD_ROOT}%{_pkgdocdir} rm -rf ${RPM_BUILD_ROOT}%{_pkgdocdir}/html/.{buildinfo,doctrees} -# Backward compatible link to 9.11 documentation -(cd ${RPM_BUILD_ROOT}%{_pkgdocdir} && ln -s html/index.html Bv9ARM.html) # Share static data from original sphinx package for DIR in %{python3_sitelib}/sphinx_rtd_theme/static/* do 
@@ -729,7 +689,7 @@ do done %endif %if %{with DOCPDF} -cp -a build/doc/arm/Bv9ARM.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir} +cp -p build/doc/arm/_build/latex/Bv9ARM.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir} %endif # Ghost config files: @@ -795,7 +755,7 @@ else /sbin/usermod -s /sbin/nologin named fi # Checkconf will parse out comments - if /usr/sbin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key + if /usr/bin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key then echo "Replacing obsolete named.iscdlv.key with named.root.key..." if cp -Rf --preserve=all --remove-destination /etc/named.conf /etc/named.conf.rpmbackup; then @@ -880,10 +840,10 @@ fi; %files # TODO: Move from lib/bind to lib/named, as used by upstream +# FIXME: current build targets filters into %%_libdir/bind again? %dir %{_libdir}/bind +%{_libdir}/bind/filter*.so %dir %{_libdir}/named -%{_libdir}/named/*.so -%exclude %{_libdir}/named/dlz_*.so %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named %config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key %config(noreplace) %{_sysconfdir}/logrotate.d/named @@ -891,12 +851,13 @@ fi; %{_sysconfdir}/rwtab.d/named %{_unitdir}/named.service %{_unitdir}/named-setup-rndc.service -%{_sbindir}/named-journalprint -%{_sbindir}/named-checkconf +%{_bindir}/named-journalprint +%{_bindir}/named-checkconf %{_bindir}/named-rrchecker %{_bindir}/mdig %{_sbindir}/named %{_sbindir}/rndc* +%{_sbindir}/named-checkconf %{_libexecdir}/generate-rndc-key.sh %{_mandir}/man1/mdig.1* %{_mandir}/man1/named-rrchecker.1* 
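Review bot: The scriptlet check in the `@@ -795,7 +755,7 @@` hunk now hard-codes `/usr/bin/named-checkconf` and discards stderr, so if the binary is not at that path the pipeline just finds no match and the obsolete `named.iscdlv.key` reference stays in /etc/named.conf without any message. Using the macro, `if %{_bindir}/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key`, keeps the scriptlet in step with the `%files` entries that this commit moves to `%{_bindir}`. The surrounding scriptlet starts and ends outside this hunk, so how a failed check is handled cannot be seen from here.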
@@ -904,11 +865,11 @@ fi; %{_mandir}/man5/rndc.conf.5* %{_mandir}/man8/rndc.8* %{_mandir}/man8/named.8* -%{_mandir}/man8/named-checkconf.8* +%{_mandir}/man1/named-checkconf.1* %{_mandir}/man8/rndc-confgen.8* -%{_mandir}/man8/named-journalprint.8* -%{_mandir}/man8/filter-aaaa.8.gz -%doc CHANGES README named.conf.default +%{_mandir}/man1/named-journalprint.1* +%{_mandir}/man8/filter-*.8.gz +%doc CHANGES README.md named.conf.default %doc sample/ # Hide configuration @@ -958,7 +919,9 @@ fi; %{_bindir}/arpaname %{_sbindir}/ddns-confgen %{_sbindir}/tsig-keygen -%{_sbindir}/nsec3hash +%{_bindir}/nsec3hash +%{_bindir}/named-checkzone +%{_bindir}/named-compilezone %{_sbindir}/named-checkzone %{_sbindir}/named-compilezone %if %{with DNSTAP} @@ -966,8 +929,8 @@ fi; %{_mandir}/man1/dnstap-read.1* %endif %if %{with LMDB} -%{_sbindir}/named-nzd2nzf -%{_mandir}/man8/named-nzd2nzf.8* +%{_bindir}/named-nzd2nzf +%{_mandir}/man1/named-nzd2nzf.1* %endif %{_mandir}/man1/host.1* %{_mandir}/man1/nsupdate.1* @@ -977,21 +940,21 @@ fi; %{_mandir}/man1/arpaname.1* %{_mandir}/man8/ddns-confgen.8* %{_mandir}/man8/tsig-keygen.8* -%{_mandir}/man8/nsec3hash.8* -%{_mandir}/man8/named-checkzone.8* -%{_mandir}/man8/named-compilezone.8* +%{_mandir}/man1/nsec3hash.1* +%{_mandir}/man1/named-checkzone.1* +%{_mandir}/man1/named-compilezone.1* %{_sysconfdir}/trusted-key.key %files dnssec-utils -%{_sbindir}/dnssec* +%{_bindir}/dnssec* %if %{with PKCS11} %exclude %{_sbindir}/dnssec*pkcs11 %endif %files dnssec-doc -%{_mandir}/man8/dnssec*.8* +%{_mandir}/man1/dnssec*.1* %if %{with PKCS11} -%exclude %{_mandir}/man8/dnssec*-pkcs11.8* +%exclude %{_mandir}/man1/dnssec*-pkcs11.1* %endif %files devel @@ -1010,8 +973,6 @@ fi; %{_includedir}/bind9/dst %{_includedir}/bind9/irs %{_includedir}/bind9/isc -%dir %{_includedir}/bind9/pk11 -%{_includedir}/bind9/pk11/site.h %{_includedir}/bind9/isccfg %files chroot 
@@ -1059,22 +1020,21 @@ fi; %{_libexecdir}/setup-named-softhsm.sh %files pkcs11-utils -%{_sbindir}/dnssec*pkcs11 -%{_sbindir}/pkcs11-destroy -%{_sbindir}/pkcs11-keygen -%{_sbindir}/pkcs11-list -%{_sbindir}/pkcs11-tokens -%{_mandir}/man8/pkcs11*.8* -%{_mandir}/man8/dnssec*-pkcs11.8* +%{_bindir}/pkcs11-destroy +%{_bindir}/pkcs11-keygen +%{_bindir}/pkcs11-list +%{_bindir}/pkcs11-tokens +%{_mandir}/man1/pkcs11-*.1* +%if %{with PKCS11} +%{_bindir}/dnssec*pkcs11 +%{_mandir}/man1/dnssec*-pkcs11.1* +%endif %files pkcs11-libs %{_libdir}/libdns-pkcs11-%{version}*.so %{_libdir}/libns-pkcs11-%{version}*.so %files pkcs11-devel -%{_includedir}/bind9/pk11/*.h -%exclude %{_includedir}/bind9/pk11/site.h -%{_includedir}/bind9/pkcs11 %{_libdir}/libdns-pkcs11.so %{_libdir}/libns-pkcs11.so %endif @@ -1099,14 +1059,9 @@ fi; %endif -%files -n python3-bind -%{python3_sitelib}/*.egg-info -%{python3_sitelib}/isc/ - %if %{with DOC} %files doc %dir %{_pkgdocdir} -%doc %{_pkgdocdir}/Bv9ARM.html %doc %{_pkgdocdir}/html %endif %if %{with DOCPDF} @@ -1114,6 +1069,9 @@ fi; %endif %changelog +* Wed Jul 20 2022 Petr Menšík - 32:9.18.4-1 +- Update to 9.18.4 (#2057493) + * Wed Jul 20 2022 Fedora Release Engineering - 32:9.16.30-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild diff --git a/bind93-rh490837.patch b/bind93-rh490837.patch deleted file mode 100644 index 4b32b4d..0000000 --- a/bind93-rh490837.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -diff --git a/lib/isc/lex.c b/lib/isc/lex.c -index cd44fe3..5b7c539 100644 ---- a/lib/isc/lex.c -+++ b/lib/isc/lex.c -@@ -27,6 +27,8 @@ - #include - #include - -+#include "../errno2result.h" -+ - typedef struct inputsource { - isc_result_t result; - bool is_file; -@@ -422,7 +424,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) { - #endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */ - if (c == EOF) { - if (ferror(stream)) { -- source->result = ISC_R_IOERROR; -+ source->result = isc__errno2result(errno); - result = source->result; - goto done; - } -diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c -index e3e2644..5e58600 100644 ---- a/lib/isc/unix/errno2result.c -+++ b/lib/isc/unix/errno2result.c -@@ -37,6 +37,7 @@ isc___errno2result(int posixerrno, bool dolog, const char *file, - case EINVAL: /* XXX sometimes this is not for files */ - case ENAMETOOLONG: - case EBADF: -+ case EISDIR: - return (ISC_R_INVALIDFILE); - case ENOENT: - return (ISC_R_FILENOTFOUND); diff --git a/codesign2019.txt b/codesign2019.txt new file mode 100644 index 0000000..1807b58 --- /dev/null +++ b/codesign2019.txt 
@@ -0,0 +1,252 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: GPGTools - http://gpgtools.org + +mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m +r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk +pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI +yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG +ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0 +/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh +qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF +UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv +SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D +o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt +LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB +tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5 +LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln +EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB +Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA +1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj +tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+ +5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn +Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF +JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI +hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa +xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd +gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX +pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP +vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf +6f2op3tMiQEzBBABCAAdFiEEFcm6uMUTPAcGawLtlumWUDlMmawFAlwuSqAACgkQ +lumWUDlMmaz+igf/ZW8OY5aWjRk7QiXp93jkWRIbMi8kB9jW5u6tfYXFjMADpqiQ +yYdzEHFayRF92PQwj81UzIWzOWjErFWLDE2xol9sP5LdzeqoyED+XTqKggpVsIs+ 
+Lq672qnumQoZKp1YGb8MDocU2DNg/VsMdi7kCnEnPbcSuBxksmxGYomusXNrAF94 +1OJ2sqd9BuFamLIyn8XUCGGYlsvMoe4kTCg6Cc1sQvx0lDG8urKN57jBKWbP4alV ++JBV5KQcf74gzPmE3ypgY1tMEwxyH/WyS9ekDbai0qauX6eUAsM1bduH8fIcknLS +Zl5hrJTrzWFF9/DKOth8QOwhJ9zoIF1fcAsx9okBMwQQAQgAHRYhBHpqR7X54SM6 +0lUrXL2X3GOe6MR7BQJcLktcAAoJEL2X3GOe6MR7jwEH/iaolMeno1oeWAgzN6Mg +bx3maweh/9Vqty1fwk7Crq1G78X5i1OCkknEL2p0Bfle4ApwcC4HZVcqCgoYpRV3 +/EEXtwkMNy3plWdBbLCQSev/E1D39GzgAHiMnv7NUJnkoJbvMrvrAiUTXPTtARMM +gjEpvgEs60wuJxS8ESomRhe/KW4myxDoBxF+K+e5bOkOvvWVcAYJHWZ1BIZs4n6b ++C2vO8q5aKTkQ/XvNT7utbTOqj1SGhItRaAQKXHBdzkQ1Et3wTA4+uRg4gK12624 +9LperYs26w9X9UzApl+qVxQhtWUw3tnUXMastDfQrRcvJgq1xpv++OqX5Uc93RTf +SNWJAjMEEAEIAB0WIQS+DpdItxglOii7if/xsRvwXPAuVwUCXC5LlQAKCRDxsRvw +XPAuV29KEACEwlTVVKe4gnBYHnlAD7csoQ0+gJ6C+Ofzlw+UItRIcFeVCAknSGBs +NPxr9JStIvKpmsbSKpCNUEAYnRP2immh94y/C6BuTe1uUUmqBGr1f4OAUwZpmI29 +ixYeY/uUs9FZO3bS0/WtG46tdcJK41qtM0DYAGT3oeZhJMTW15dfvMGlFukauSOU ++BbR+6sZhqdbWl/AOTE/6x5otnAaW0GObY/BW240Xq/KTgBrzVdK5qNoYsMVsiTd +0im0JKvFG08ED+ZfcILhlO6G9jRhoTkhtYuf8CKN1dPf2IoB5FrRFf0xqRr9hNlk +X7ViNMP9OPb8i3BubWvRi5rNSquCwrFATSiAgaA9Yi1BNzQsmQxOql9lsh7eCH7m ++8zzUg9umWI6PkSv8vHBo2kPX73wmtEsF6vxJlk0yDBuQw7y0uuKh406tEEk4cP2 +8U4baq+ihpioupDhNuEII1h1Eh/RBE408RAOpcr+2F0m/fKOoJyz7u+AxyV81Ia6 +fyBnUfZnlfKo16w87c1HJRs9dKkRa5yGziBf9TcED3sru58Pftes2Nr80/iOh26i +P2pRihcIyrmeAqDWnneErVCmPMDTe6zkMrm/0iZ25/Jfq+M8IHEzFEw3Y1FBOeFg +9TyMDwYG2biJPTNTDO0BQ+Rrvs4SjFWEYSxgJSvG1jMfSPt5AR6MJrkCDQRcKvQU +ARAAufZX5WzJr0lZAhxaGpHY6JMBr4jVOCP4TrDZhwC2K4CXNM/PLLNisWzquiWa +FvUDhB89kCxrEhipwVFYhBr16CDQxrr8yhah3RIxrBMYhRTxgIAkANgkhGWfDJSE +zXauA7krYtS3rYwhfXe4cNsTkLPbnMUlyLJcqj2wnZcZIt97aL+NFRPyfIw1KfUb +9u3tB9seDYbvTEULeL07aTnHpWM5f3bTwJrJ2OFPzXseCCzPiVNh3Bv+YtJ1pMTr +c/UHO5DoJuHLsF0wicPSrpD0twspFdR/0rT6eNycsaCtV4GQzBcMPvY7qai5XrZm +Cqgluo1W6l6+F5YrKvRMtyyFkUNGcPywdjSlP44JyRrS2uzvFUViSsJArcmFG2TJ +LCohnse8wqjw0dIUVbmDbE4zjaG56zkvu0k+04Wwp3XPgOZrbl6cbhX3yLhu/Gt0 +dzd9EReoNfKXk32hBzKas/vdeB5DZejbOOOWYftqyZC1LvDvvrYFhFK6VGozfZ6L 
+Fml1hzn+xPahp5tRv93/T9zXeVPm9zilGMqm/gjRgh8ojWxNQoNzJyqTPWIvWmbu +EIP3T3cTFq6lJpJsg3+sfzofGWZCGnBZQGqm8rEOoUWiaKe1BvQCX1x8p4/x8/tX +TaVDpQCGoqxXt09plkDuGMuiDICxBlaHWUR2jLoHc2cLrB8AEQEAAYkCPAQYAQgA +JhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcKvQUAhsMBQkD7JcAAAoJEHS7a5pM +uz04pB8P/Amfg54IFeALiPOrKbjC3bVAQzrsf09IL8sUln/LCZIx9HgGAJj/f35S +Q35sK2ucjWiDX6qCxVrWmC6caQXFgXOFSKIlqladmmgj4sIdLM5wj4nbomHChpB5 +rqV/GgkFwWBQ3kPCatXvc8Bg+zKJ+wXgTuPFXefyE9R+SLuas2grQ9hAjvTGHYbq +iYxSlNDFc1aHLAQ3bS76351MHuMHOpLzoB0OkZDCVNW4GNEqrLbINdr50RAK+Loo +Z2UBIobEZjXYor9A2FWkSvdjyz6X1QKMdQMath6R91k/O0abBa7ly4/805eAGXM3 +w1Xf2eMlpiUs69BeYoJBklK8aNMntpDREunJjhiPU4JoDzSxl5Qv7LuXylyo0YJA +9YmydKhTTcRdwsKc//nGr/ckg4BRl+VbtJBYvd3xGB7IQ+pT/TOakv9qCospAhr3 +EQjVP/XpnWJRd+x+dq8UXqwWmTenWDE42cNr7BDFJdOqS5ZWy4sIz4sdjpSxXMB9 +8iiRtKSpKRCJgXScB7SYebh835EgG2YyQGdhJMO7C6ok9POYQBqL8sBqRzImJKoT +VDvOH42WArKwJWTHa4mPdiDHEIZlkONerec3JXtl4Mfv8cwZ5Lb8fSiB/x8AWvqs +puc/7hQtkus4TcgutS1fwhAwpnFItpVF6+73CMQrJsblBdTjW0T+uQINBFxbVHwB +EADebZOJbhPdhHeBPdlZYE3rRjB8scDpWdjrCupfmeTC9MM6JgCE4DEMBtBXk+h1 ++7wfpblYYNFwGVFvytG5nvGRDtHWxwd1Z9O8Fx4Zqu0Fx/wAn7ZL3ryE+tdHR7JK +7SLxOa2X49T/8LY0U8Q65I4ZRo/b4VMcXApCmncw3QSRqHT/mYdNnf+HHPvi3jza +md3iVptCS4Iaisc079DFda+htWXspBc13lmPi2vGQkWjjS3B4yO8JackyQPVhpsg +KYbRBzOH0Kii8bXmyA6O5uIJYEddp5Veged4FE/ej3CrgGP1D0Yk1epx8lLbi9RB +kwFS7DA5rQ23UnbSy1WyV1ZgPrWqQAWuGpjMTVTWN0ElI3AGxAnE8lZlSXyE+XyV +uHjjIVrayBjLKVqDuSLdKZeCvI4QsyHH6F0NKJQkngvXxLZYxO6s0c2EFFLzdVWT +1V9GMP8UsDrrb+JsZjUVmPR1tTP4xqEQG6KjfFoQm5XWpGtFwh91OK1lwf/Bx2/C +j+PquLLFcj7hEP79VDTUZPQAduTTxIeTzHXH+x1PCHFB10xxH3e82VSdJeBUrJxn +riXzK50SKTTmF+uYpHqE8Jg1N2Y1n5ksuxeYUy8PFjhAeBCqZ6ZcldUDf4999e/z +PT8bwfCDr8jRdqJHrq7RxTJiP5RsMudWpKeohzJGwQ5uZwARAQABiQRyBBgBCAAm +FiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVHwCGwIFCQO9IQACQAkQdLtrmky7 +PTjBdCAEGQEIAB0WIQSVztolaxygoV8wL7WVIaftXazpGAUCXFtUfAAKCRCVIaft +XazpGPeMEACm9nxA/VKf8RxDo2ZuTgyuSwlR8tCjAE4k3+UoiYUbamkW4pjx9Vgd +1zC5bNxSWZ5vlJ4CH8ArKFqNK5LBVDZqhYureAo/1Af2b9vRJw0/QQHhuXz/jqeT 
+wwrLuKpy796Gpt+aFfcmS0ZC4QXfxJERhAP6tu1p6YmAsSb+bjziQVkKrt9mhOrL +dtz6WP0Fg1joRj33FgnnLtayHvtgQrNFI3ztCjk/B2FjYZxqbBGfk5gyo0cTE2Fi +oLhG/XrxIoZepFMJkGYETnYQXrOt2KuJLvawV70YQmG8EqHYY8drKA0XDZs8TVdT +5cvGvtm8ERz5znsssRBxQMI5Ml6O2ahrXp8Eq4htCzlvO8t2MOtzvqAJRiyAd6bA +Uo+MGVRpnvePOR1SAgBXCd416rF0iCXc1utZxnqwdq9kJAZ+8mCLx4N4jk6AdGpX +zcNkLg7QmUzXn75RxZ6GrIUYZJNMlswXq5XhSW4o8ePlaxWjh9+QTtU964AZhpA1 +uoHsKGTBxHJs0w6McZm14kb2PuaO2/rpf8s8IZyc93+Y5O/gHZ6/agBjA9qN6wkQ +R1d5UhJC4QS/m35rBGBKK9X3fqQxaBCio6Qz+m4A3GchrztJpq+2P+ma5ylsTq5j +V4njky26WNtrV7+N0C4Moj3I4Qn6YU/eSManTXzHzoiPZCEH/IOxgXIiD/9Zm3Zz +I+h4NCfSGyP11/w1gEzlTHQ4at/FXIIDh0Y2ZNpWPffuFQLtcER2vyKPwhDYpGMy +NNHXks4azfrXVCv0wmSNBbeS8pJrYtopZpCEBrAbg/YLv9m5lpDSRHaR3gv/qMZ7 +QxY+NwqciqTwGq68PuF4mDSvtfuFmbEES9Iybiie+eL/6DU2knfBjgshUe6vElR+ +LYoPQ45GY2IxRTJ1pMXaZw1+evwH3UvseRGkRygiaBgoU/qR4prynvjMQcacCa+C +aRnXZJYp/usVBeY0xut9toc9/OcLGoBr5h9l5YjruO2vu8VHou8N0tarVQn3YbQR +Fi+YtNtclWJa8Pq1AsKRTCFwDwP6eODv6mNOrEFydNRcpiQmzp47VWF/YHRfHzCq +A1wHLxLUrpQTaVw6J4FqedAQ31aAO4faA7MS+ZMNBqZCZ7lTGC6TvojqqBAN2yX7 +AnnYpZHM+lGpi2/ukVzLqSkGmdNOgbu+UZvoej3YnHYig4yWP+z2xrlJl8bkhU/d +r9IQE5aRCEPB/JWhHJ2/GqYl9qjshlB52+6X2KDarwptOtzT9ooArYhpMwKIYh34 +c7X8tlAKYk7V5j7txIRFDKKAftC7dM82PntXJxSkWyR70GYnYjiXyrqqerqT7xIC +mDEQgFOPpy09zFW62paO9uiZw6qwybwqgGpoX7kCDQRcW1TbARAA3ERo2mPv2VVg +ZUFr4MtPDm4UG00YJW/LYa3D3k0e9tdSScACXprk1sAoxUlQx/CSdErPKwXG4rax +iN4t5nICUUNYSC0dh09G25jC7nwsWc0AYyZu+h/FzfvpOm3fBwmBlzILlGh0URwH +Ffj9fHt6hos4C+3PFZZ/X24aMJF/cov1oYi9rqFwt/l0mgtPE88Iyj2/Vp3Lergg +QMzKfEuyluj9fL2cgU0Qa7oAPXmaxhHtua4cvbM5SXGo3FXjIgzH9OfM+2orebeN +wH1M3ec6w+nPmRmCJLvPKGOeS7GVXL5/aOyPlDWzSXYnpCKS2ntw4K4nt0IA8n8z +1db109l/C2noDrDSJEqOo843ShNGTYOMVUrj3a+Y7o2ATc9pNZalf0PwnKas7NDb +IJ152PEQw665iYXcv2awjLF6W0yuSq8kfiaAxIrsie2Dto0zgqOs0Ot9Y74u11Hh +wBSHUO3mEZJScAAcI/yDF2PvjvCQSzu4mdXb77t6X2O6YHULz4A7bVQCMazcTDI9 +/S0W2+ixPnnJVnE3xgjK9zuizji8JDJw1hJCQM+yTLVqq9pfvcRfQ6uwpMRzz/O3 +S0zDRiA69/GyfNwkpgz5QaGpY02IK5WrQU1doRjIz4BHAYzoIOkMkRqTtjdElQZw 
+/D3wSO2uwsEMNwRzibR/Lz1JF2aGn6EAEQEAAYkEcgQYAQgAJhYhBK4/rHlnEexZ +/AB6pHS7a5pMuz04BQJcW1TbAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkBCAAd +FiEE1wyE5ktVjlvM7AchMuIXXx11eioFAlxbVNsACgkQMuIXXx11eiqCfQ//SFDf +rOIEoslp6n6vlCuavOg02wvjskKQGP1P1Q4v40Fw1Gl87n9uXAoMpeF4H+pzUxOi +BHYCQi+EemwocSThzaWfPzd3JG/0OcRymf+ZOcBb+58VJL7p88QdMFIAi5J+KMuA +fEG0zLkc9anEnXoVMmQJX5K+6PyeVDvBbYGjLjQAsWTZTiVuQI0w3WxFtDGWqQII +8e/qE0DA7c/auGn7j2hid308+FcdfpmLefW9YesWjE1yYvHoCRdFOJ/7Sft4MQCI +Re7UET3TRMBvtisP2DcqyzGPp22s4ZYFCCJJNiB92bXdEl5zXe4Ff7JTfNE/QrR7 +Wg5R9hZHgHdbp8p8bA3f0y29YCx3puYg7BbmQWiMh3rXWE5b090pSpw0K9BQU3vO +irr+5/2TaFOJXHl4VF03GrWsSncShCbdsdRIv4TB0lY2mN4q+e7bjlAzJJeoaS97 +GIqu3DBlAJyx/ZwWW23DXXwoQ4jNuJhpl2jaCE7rVQB0uLjbp0i9Zdd4SdYZxmO/ +Y+JfgoJz8eyx8wZi4eDz1ijN0WKsIGjxJH5VUK9STjijDMeG6ZZRLc6b1QCGhe97 +ZbDkEUTdQGoeu4L5Fiqoma13NEsf8ofBDv+myJm/O67Va9JI3gxhIrhmF7LMzQQp +lYx2peZC1CmhEnn83dtt83mhXvX6Dth657BW/Qd+GQ//SVuTPuNkBXfrTi4dbnv+ +cU6IsoIBodTF/WsQ6h4kbtsPhO5DbrsLNuNumrqVEN8jw+HUsEeNvFNeMrTPdG2V +87ShQ4BQGkCf+GFRBj0myxxXOFZYQx6RpY5fCe7yOcTzpkbnPWmm7V8HdOuZ0NnL +JNQ5YogOI6UvXVKv35R9qBo+G9jkhhb0eaAu6BERzKVANKfsGN7545ElZ1qlffMh +AQhXGb6TsvCeSg2cWGb2cnVL2d58uVukD4PDiq4qqwgClkF3bOO70SIgGrCteHbi +4Hseopex5m6GqqjoUYXr7QQBwSaQdc+gKtEjMHCsHbUyHRk0qEHdEe+2RmL0d0ra +QMJfKyYQjcCR7tnrgN4WD1h4NKRdC/KRW31MDmH9XVPrkOMQCUCnArXkOwdKWsKf +h8af9HqweXOT1FHJN/M3tWaBpv6KoduF2f2pj1VhPZ2EqFUycJ26lrHyOpsynQR6 ++TD+c1uXotDwKN5RW+YL1cydk6mhib64fdOyPUeTcHehjMAFgM2f5wi35Ujcj8id +37cWOqRsggSbMnGO4AUA/YtcVNG8TjZbakson8ENK7e8q4sEiNFUZ7/CtzNokwHQ +5uOG1+qB85Y4ImGnIZVeiBpjt73VVawg4Zvm/omtW50P9R+4rVhMJZZFAgrWg8BH +H/KNznW0vUuShG8B+2FA/eu5Ag0EXFtVDAEQAL5ftI1GgVJEFgX5VsuFnfBnH95c +zqmwEXaTP4s7Xm3O0Wy579EzRUD1eEw/UaD/q2OHScwvMP65cZYQ9w4hnCN6H96P +96Teo7LOMCssvSXIO7gqP33LKTqDzsIoAFHwWE3dq1jbyP6T1Je85mr0Edvk8kOC +B1hudswAARno/7X9zGulhhwuEHk5Iey7R59yRUQqBctdNcetGyaiFjjX0evuVADi +/z/s07XhDLDt7+3Vglh1/7XGC64QhB9QjZ8j0u7+0xfmLLjhi+7EpkDlAHIJXX1H +0wAsPOGKlYruQUmIsMNfBINZeulHEBZ4cAd30xsM296DzJ6QL9sAGfYMhRs0YHB/ 
+EJ10Zv0iw1pU2jCCUv/9Kf4F4nwgHQWQP7JAbfhOIUOUq/YlxjTLnkd25+7vD3KH +NQ6UiRDROR9Jwetpd/zokpf5O5iTBpVL+sCq+NsTZyDOjITve2sY0V8v10M+Z+pL +cp/cUZ4JEDS/WJ4/ovBNJP8b+YwN/RBgCjl8UBX/N+e7AA52eYP2H9GK9XPkzSCE +VxEf5PyjGrwedpoLkzagrHsDuWo3uBquLyneT/ozihqKQAuInUy5B7rWU4mpKHe5 +Vto5o6Zuj+6MgHgIQzRK6Da2ziMNEmroxwZibcYCtUPdvcvxGh+byclnzBclKjOw +kAalFPx0SxEbHmzPABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9 +OAUCXFtVDAIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBK7WIv4CB360 +tcFGwUKiedJIzcMQBQJcW1UMAAoJEEKiedJIzcMQH+cQAIQYXDnqi4Hl21LtAgky +pZxug+x/LECVlwkrIfaQF337+fG+H9J7SdU87Sn1Xe/YUgQnF0XP/fjIVFM0e/Tb +xVlmTFqiejLnIwJJDgUaHO3POT2sGEyO3tc0mqSzyRBxtMQ8yvApccBhL5QODv3h +hlRWgk5MXU0IPeXw134IWm+o/PRiPBoXPawvVfEVIBlUFaiSZASf4BAiSad4aJQe +P8PyP7FPvQB1xiib0iSetn6ZmNeN2OSUJPiPA8aE9JCKuFtomVQEDM0BqQDl5A7h +5O2uyf0Li+/ArqBvfBjrH03e5zbID02dO3D2BjsV3jUeVPQ5WDgVg8LH+nfg/rRy +wfCsx9zFp1mt3K4xN2v7IKwxGndApgCcx17gsjzMvLz0J7sSGov4MNjzqvGEDKCl +uUvNKXqy7je9xcQLpoyvWtoWFXWTbQAcK5Vv+hC67r9bHpjI1KuqA8hYqNKxsv7s +wiLZdd4SK9SIuwf0j8/XTZwmoFfGolJil0ZNxyqBF39+CMVpaHdLM1qKZz99TVzS +h4obOOjkUjK458xSo0XCbJ4qXYp7PgxyWK6GIbTozbbG/1ldw+LUnqxt8Shf797L +J9lbI3ICuR2P5PYlKJf3b6D9GyfqyrP387fKAKhHsYkZ1XD54/8wIgTrdfeNPtL0 +1mjWDjw5KvO9kuPBjcmzgt+NrtsQAJwKeZsiqLLcY8kJ9xP+/xtTlh2iVuZMfxwq +hwlo4MMCzpobLDZ/JKU398m77eboTKJSBfeUYxQd4ATn1L8NLKjLxKAaBkjEk0nN +8w9OUQbFlhQ/asLzzF7Z9IGGh9/SEgBZ8V67a0O3Qw9Xdi3ARK3bbZ8RIVJ0+P9G +CGrfq9j4ZmGA2L4irLjsvDAv7CSMb4WBKW8j0Jz5LFMwOMJgG1TT5c6lNqFj6y09 +rZcVLnt8+lUv2Bw3LC0oI1TjFkrrCzIdfg++mPi3K/ZFc50bvnWF4eCOjgZ5U9Vb +sxFZq3+vTRcIfI9z2lZ9CNDRA1O5jGvuVtEGLiSLF2aJ6kiNriLuuGTlXfg/Fpgh +GTvyppOTzF7PtHzHBQ/ZjnhWojnc/jyJRwLK8cCl6+EOc887v8BDmqgFWtmycsE2 +5fDJ7UFGP13g/eDL3ZUgMDty5dQaUOTX145t2KT+lMqpY6ZK2EC+eoqrnIGJ+tYy +0l4RRxi10mbNhuPIIDdph7X+mUHgCeA9gyF0Y+LqiB6CX+zFg7ovLvnCbMPxdGXq +z7AjfwqZBKI+BVuBeDtyW4onmElCu5cXNKsg3W0IlQlZf9PMDU6Ht0XLUs7EPfbQ +sH1Vqi1XE1W/tGnkmjcpG/qlt9Gx1uwFGLP6iomqUBc2c0GZ6R1xplXvd3w3yC8d +8lAgPGImuQINBFxbVToBEADkuxhQx9gxlzzCc0nUu2v82XsD+GzONp9irt14gslx 
+te96eKaTXTi0t5eya0X5TIY3wbREwjlfAeM9AfcAmWcsM4izrfPtANM6WOxB2Tbz +EY2cqv7NBQii7Z5aqPyjcIiT0b0Gs2evlDkn3xEBBqTSrNcnGSA29bZPIkaUb7Qo +p/Ani0S3/tgcR21gXsJwkgpfNKwvPT03Lz3/o5rXAyag0M/25adgk9SVKNcXc8h2 +HSGv5ENjwUKNNnowVbNLw4287mFUM2Vd6unGJ2MBj7aUwTrfBl7gNV96mMdDJWcB +hGKYkxUvibuHCa2KH7gTrnV6X7sdrgD5CbJMPq6OZNSP6n6bUVg22eHxoETplFwT +4NvV3clRMWIAG1XgXR1l99LAh7PPnPMM1pHQGPwYHQskoBFS4g5knzHpB9h9TfZ3 +MM4cDZR5NgWmE0fYVnWe5ax+wW0/IOklUoHv3qoL4yiN9wFJq2oLzUNQd9+tsqiy +vxSTh8iYmHegyn5KuBPsrMPgvqiKOdalTZKkak9DOx4cGQL2qHspKxiBOb6uox2v +fjMQ5bDeUn+4DYMdnZNHeywCUegJmDakUtlfvN+136IDHGwfdGcitqzswzd3+PI2 +qlwPE19gkrp9NUaD3Qj2ZtDP7sU2cThc6Gra5KRFW8f98bI77j1Wu6pCnYFLqPz4 +QQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVToCGwIF +CQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQR5HX64jryNAThDSqwz3zWa56YK +eQUCXFtVOgAKCRAz3zWa56YKeSWOEADK8u03LESGSQlZQqnnCAI8iYs1s+XRMEnG +2tAQ1OK7/4eNgr1yZckmaW4FBMgeEgYIBJ7v3SlW7Hf7dE10TYPNGbP6UxVW8HIP +rA4CINcGZXWWwpS374JNMS6A5eb6viuEgEMEi00jx0MmLvCMZKypmwXQUl5YJ5nB +ytpQ1681mCQxGBMhT1eKQt3B4nAsoEnP+HnqVM/nKxBemSBNXX+C0b/YeQoLC3sD +L+Z0NRI8U6PZl9Rokod3uynH0vfBYCEJd6MvsjtnJlVVaseYIA3ESNrFG12tw95I +wKNrVCANZ1DBSyK4ovmmWsDrH+uFTHSLNjlxIuVxUfmXcLfgcepVCmd/7Z7UrWYr +SXSvP0VG4ZmEPE7tNb8bfyADftO1cVsmcHBQeSrgvpSrTv9L8MocojpR5vJc1f+a +sBT7rAeGzZP9riz1GmryXawaZgdLfaaJfzRQkc1uTChb7kMN+UMhVUdCAXmho0XO +SfcsW84u/LpjdYh2Ww41xQO6EWvbZDNgD/Fdmp8Uh1MqJ1Dejri6kjNn6wPImXJd +Eu6nHqWDRdYsfT4XUB18tB+4aIpFzCyIgpf7p1uaVU7Oqip5sZkc/WXKr77lV23m +PQvpGRNCzgU2TJY7ktR3LOvUVN6wNfLMHzeQk18NdmcEGUrJ0YYtl9vE5/Eg9L6x +LBH9PKt17IQ8D/9DLwQX8pl3fuTM8ZbzIPLxiXhbgzBBTXKRE2u1888+RIq9xE7c +aVFjwq4qpgqZ5SFonTcG4Pi5ck3mFAzyA5zLRF+ckpmBpwSPMpLwCpv10369D1jh +AF3JsUwt6DIb2BISMhh2ThSUMSKO75q8GSotsKjJyjD6vl1x4L7WXubTWxEiNuwD +3kAjFWS1Z1VWtA9SURWAbsDaCV4VmwCCpSIwRr9OTbyu9XuMdMxGNpl8SwW7MVQb +x4aYNvR7Hl/wIR71AHAXoSfrKp3p12anXjYYASHmbm16ugP4H7HLMBfznKet2f76 +gIxJr1CsAMTSqypcC1UoVb6Gz8djeIR+GU+6efHI4TIUMy5uMIUx8tYbwSEeo/y6 +NnjpJFYYjJa671iSABInNxs4+X+1zrFa+wl45EnaFxziEet2Qzv/VsusoLvLwnYi 
+BZckclAS5xoVGFW0WJ01OfLUDHxGMt9GSheL8c+GLMaMtaCWunpmmt9zZ9WdpBOu +AGluMG1Cee50TrhXaGE8CdNr8nOdSeLNAveBAPmuVa0JDSe20/D/RuYJLKeG9Vsq +BZvjuGlOUsfl6UjtiGRbgS9OWpxeez5ugc9yyV+rBGIpmnIb+9quz2HmGxE65eA2 +cRNsZRIjFLzeAx/0RMaT1nlLFTBbUuZ+tJ+fgFtRGMhifZn1pb2dMQo0N7kCDQRc +W1VuARAAv4LYaNq2Zev/v7M5DnxLpgHRcMkG7TOQpycrlK5653llpZzTy3mh5peW +vcq3IDmdeUIJxQ+WDh2f0vS+NIKDC/HAddfHrZPbhO7zLxLcMW5KmV05ancaRSP0 +s0+IyQmvVxUNrgPinZiphlvRGoLXS6pdgfc4jIR9B2umPecfvfu/6EWFPnXZgG8K +yY3Z+mwrmEO0FaXHBQuu6nactiPe79N4bLe8hk9RW6yIxLBeJzIoOlIcJmuRHapt +nS2lV3mfhZdFnkAp1o6a2TL5BwgMY0wZUKZr78HEMKh6LbPN9rPepf0neUeq/k1l +NJU7V6XMS+rezF31vgSJ5KoNGYhxtWZ54uksH2rcw7+ltpSVtqY91G/vibpRCJG3 +LdX/kxHni1NEWyZlpS/6ntuH6HSoNYsR9IMsbESs3QVCH74ApK88CxYCRB0SEo0M +yAElbQ3bfEKCKl/FwC4IzAYAJ2arWKwBHRSJlsrNCtczrjG7j3EyJrn8+Tm5yjO6 +0THQjvc/nBxrNE09r1Lzz7jrDWC9Rl+BH6wqdniymoYyUAQsX2rZ+Jhah1Zkf+Gu +76qtY+EH494dPM+0FazcBlgBd6/J5mh3Wk9JuecXLTEUGtzd1GmI9CENPAklCauX +tNOWeTop27djuKWsZxuP1GyV6UYixFVOSWteyAbA32cncVv/2ZUAEQEAAYkEcgQY +AQgAJhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcW1VuAhsCBQkDvSEAAkAJEHS7 +a5pMuz04wXQgBBkBCAAdFiEEFWiQaF6g32oTce8gF8xdsfAIhAcFAlxbVW4ACgkQ +F8xdsfAIhAd4jxAAiO9+VRQQ3eBOsJRgANdgL/l51kq7qE3u8xnSqNkrmdYDdT2H +TYH5W4n2AmGo50BDafdjd6tut0qtzA3/hGWCooydxKFOsnIYziUeoHvlICj3RkHO +y7utcFhAgRWi+kzFwnnXGf13dMU9iG7yvKrCrCEw44gzoQ1KnY1Xsj18n5JkqxeT +94bzcSbz20OpOSIMfSQPrpy18WrZYwHodcIZ3IUUACCpMZdfTa9c/qHRQ/rcwl+B +0JlHx0V4AYiSAsiMVgflO1Eqi7apPuwxPPd5nnHkrdDM9CYC3LdBORBXwncG3oZ5 +eTSXmsvFxHXH41JHsm/1QFcVmFAYhu9qJFCGiD+8UeTFtT+nnHU69BszgtUskqX8 +k9PqLdK7Vxkp16wc6WOp1NeIQ6Fd4PxTGrPqs9bJk7TlYtTFWpA0X+EMj/San+Ku +PxqLEa4Ab12R4vs1pCrn/g1z3C/6ujH4B70HOrRTIeTjULJ6xdwXGtwUA09hio0r +pHhtyZhAh5irUJNto4ZOk/Qyd+dfMsNvRJfbVIK2mmeRaBnp902AsQNgYVdi2Aki +0h4kz3bVLGw7iD/xV2hV69+JwLSijkkmOpz/EjMwj0hDDYrHH3Y3o0dV3dNdk/5i +6lQgcxSVsl9kWlHcoEllKbf0Hb1muKVwoGGYxFYna2jsLFVjG29M7iPSgrHjmg/+ +I3fmsLZ0VI9kmxniUlZ6gz5NB5PJ3RXmwKO9LkBgE5C1wpuZbNEQ1NsR2bprlJPm +++GNSo8HaheuTRJn42kkOgfIJwjuvXih3FE/NtRA/W8H2uF6YLDjBKGZJbxQcmsd 
+CTEuCRCVP8X7C5n3rl1YqzfWfNr8QFxvH7ivG7KOlSxvyTKcYatWb9uDUPrnr74f +ZaMljHGsNyKj70MzZcrrsmt61yWGR0h+02rmIKlskl4hkh+qF5ehI+Bkd7eblsBy +rxEREHq/ij2Vd7l0Z606YCE8vj8WfcsJj8JjwR3A+nND/oNJTTbQ3b8OvasvqIey +WqqmGg73nbHjd/VIAUsfvnsEYatDk4pAA/wQr9c4T4s5Q/QRwDrAsa4J89FrDjWC +hQBPL7TaP8Af/3Y3/86jLCN4lnW1qjPXv5rhBFeI0EVi1k1qdV06qr5HOk7CwQTT +uc4rCdFcEnw8kVKZa/yFnlJfRa0Z4IwSahdp5fdFEuad6LpOcFFnYxWtIWhcg4GT +RcMha/OZnsfqOqiAt6In+1IwuJBz3uMM7xw2AMaxzAejGEL63F81C5iJ6Ld6kQK+ +XblDW0G643bVbzkBb46MAT+UnLuWQUs3NDtk1FEioJyWUgbO/srMH4MoWM7rG8ZT +nQPohNmPBrqL2phmE27HQsQ0rTjH2Z2ol7iy9OFMtT0= +=MkGo +-----END PGP PUBLIC KEY BLOCK----- diff --git a/named-chroot.files b/named-chroot.files index 75e6aa1..08c21b2 100644 --- a/named-chroot.files +++ b/named-chroot.files @@ -16,8 +16,6 @@ /etc/named /usr/lib64/bind /usr/lib/bind -/usr/lib64/named -/usr/lib/named /usr/share/GeoIP /run/named /proc/sys/net/ipv4/ip_local_port_range diff --git a/named-chroot.service b/named-chroot.service index a49df15..ff793f2 100644 --- a/named-chroot.service +++ b/named-chroot.service @@ -17,7 +17,7 @@ EnvironmentFile=-/etc/sysconfig/named Environment=KRB5_KTNAME=/etc/named.keytab PIDFile=/var/named/chroot/run/named/named.pid -ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' +ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi' diff --git a/named-pkcs11.service b/named-pkcs11.service index 27e0693..241cb7d 100644 --- a/named-pkcs11.service +++ b/named-pkcs11.service 
@@ -13,7 +13,7 @@ EnvironmentFile=-/etc/sysconfig/named Environment=KRB5_KTNAME=/etc/named.keytab PIDFile=/run/named/named.pid -ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' +ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi' diff --git a/named.root b/named.root index 532d4ff..cd808e8 100644 --- a/named.root +++ b/named.root 
@@ -1,61 +1,92 @@ - -; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net -; (2 servers found) -;; global options: +cmd -;; Got answer: -;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900 -;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27 - -;; OPT PSEUDOSECTION: -; EDNS: version: 0, flags:; udp: 1472 -;; QUESTION SECTION: -;. IN NS - -;; ANSWER SECTION: -. 518400 IN NS a.root-servers.net. -. 518400 IN NS b.root-servers.net. -. 518400 IN NS c.root-servers.net. -. 518400 IN NS d.root-servers.net. -. 518400 IN NS e.root-servers.net. -. 518400 IN NS f.root-servers.net. -. 518400 IN NS g.root-servers.net. -. 518400 IN NS h.root-servers.net. -. 518400 IN NS i.root-servers.net. -. 518400 IN NS j.root-servers.net. -. 518400 IN NS k.root-servers.net. -. 518400 IN NS l.root-servers.net. -. 518400 IN NS m.root-servers.net. - -;; ADDITIONAL SECTION: -a.root-servers.net. 518400 IN A 198.41.0.4 -b.root-servers.net. 518400 IN A 199.9.14.201 -c.root-servers.net. 518400 IN A 192.33.4.12 -d.root-servers.net. 518400 IN A 199.7.91.13 -e.root-servers.net. 518400 IN A 192.203.230.10 -f.root-servers.net. 518400 IN A 192.5.5.241 -g.root-servers.net. 518400 IN A 192.112.36.4 -h.root-servers.net. 518400 IN A 198.97.190.53 -i.root-servers.net. 518400 IN A 192.36.148.17 -j.root-servers.net. 518400 IN A 192.58.128.30 -k.root-servers.net. 518400 IN A 193.0.14.129 -l.root-servers.net. 518400 IN A 199.7.83.42 -m.root-servers.net. 518400 IN A 202.12.27.33 -a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30 -b.root-servers.net. 518400 IN AAAA 2001:500:200::b -c.root-servers.net. 518400 IN AAAA 2001:500:2::c -d.root-servers.net. 518400 IN AAAA 2001:500:2d::d -e.root-servers.net. 518400 IN AAAA 2001:500:a8::e -f.root-servers.net. 518400 IN AAAA 2001:500:2f::f -g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d -h.root-servers.net. 518400 IN AAAA 2001:500:1::53 -i.root-servers.net. 518400 IN AAAA 2001:7fe::53 -j.root-servers.net. 
518400 IN AAAA 2001:503:c27::2:30 -k.root-servers.net. 518400 IN AAAA 2001:7fd::1 -l.root-servers.net. 518400 IN AAAA 2001:500:9f::42 -m.root-servers.net. 518400 IN AAAA 2001:dc3::35 - -;; Query time: 24 msec -;; SERVER: 198.41.0.4#53(198.41.0.4) -;; WHEN: Thu Apr 05 15:57:34 CEST 2018 -;; MSG SIZE rcvd: 811 - +; This file holds the information on root name servers needed to +; initialize cache of Internet domain name servers +; (e.g. reference this file in the "cache . " +; configuration file of BIND domain name servers). +; +; This file is made available by InterNIC +; under anonymous FTP as +; file /domain/named.cache +; on server FTP.INTERNIC.NET +; -OR- RS.INTERNIC.NET +; +; last update: June 24, 2021 +; related version of root zone: 2021062401 +; +; FORMERLY NS.INTERNIC.NET +; +. 3600000 NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30 +; +; FORMERLY NS1.ISI.EDU +; +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201 +B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b +; +; FORMERLY C.PSI.NET +; +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c +; +; FORMERLY TERP.UMD.EDU +; +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 +D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d +; +; FORMERLY NS.NASA.GOV +; +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e +; +; FORMERLY NS.ISC.ORG +; +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f +; +; FORMERLY NS.NIC.DDN.MIL +; +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d +; +; FORMERLY AOS.ARL.ARMY.MIL +; +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 
3600000 A 198.97.190.53 +H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53 +; +; FORMERLY NIC.NORDU.NET +; +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53 +; +; OPERATED BY VERISIGN, INC. +; +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 +J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30 +; +; OPERATED BY RIPE NCC +; +. 3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1 +; +; OPERATED BY ICANN +; +. 3600000 NS L.ROOT-SERVERS.NET. +L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42 +L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42 +; +; OPERATED BY WIDE +; +. 3600000 NS M.ROOT-SERVERS.NET. +M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 +M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35 +; End of file \ No newline at end of file diff --git a/named.service b/named.service index 7cd6d34..252c9d5 100644 --- a/named.service +++ b/named.service @@ -13,7 +13,7 @@ EnvironmentFile=-/etc/sysconfig/named Environment=KRB5_KTNAME=/etc/named.keytab PIDFile=/run/named/named.pid -ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' +ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi' diff --git a/setup-named-chroot.sh b/setup-named-chroot.sh index da82cff..5e68915 100755 --- a/setup-named-chroot.sh +++ b/setup-named-chroot.sh 
@@ -10,7 +10,7 @@ usage() echo 'Usage: setup-named-chroot.sh ROOTDIR [chroot.files]' } -if ! [ "$#" -ge 2 ] && [ "$#" -le 3 ]; then +if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then echo 'Wrong number of arguments' usage exit 1 @@ -34,9 +34,9 @@ dev_create() DEVNAME="$ROOTDIR/dev/$1" shift if ! [ -e "$DEVNAME" ]; then - /bin/mknod -m 0664 "$DEVNAME" "$@" + /bin/mknod -m 0664 "$DEVNAME" $@ /bin/chgrp named "$DEVNAME" - if [ -x /usr/sbin/selinuxenabled ] && [ -x /sbin/restorecon ]; then + if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then /usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || : fi fi @@ -78,7 +78,7 @@ mount_chroot_conf() else # Mount source is a directory. Mount it only if directory in chroot is # empty. - if [ -e "$all" ] && [ `ls -1A "$ROOTDIR$all" | wc -l` -eq 0 ]; then + if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then mount --bind --make-private "$all" "$ROOTDIR$all" fi fi diff --git a/sources b/sources index 4bc717f..73a8b25 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (bind-9.16.30.tar.xz) = cc9bcbedf63c2efe0a23f14db3e57fdae46f0509aac58e5840a6805ce4fbd76cad5bfde4d461442adb88c4d947f8d79bf979aeb24aeb9303b6adc8d169b7118c -SHA512 (bind-9.16.30.tar.xz.asc) = 943ff140aaa413f125d039748a0c10d7ae20b0fa4075227ab0b9d065816e7960a3c4e0fb2a4498946926409568c71076026cbd0be33a78db73966366d43bfdb1 +SHA512 (bind-9.18.4.tar.xz) = 5deb46f6549e42087734fe80f8cd8de8f3fa54590e4635f8c0e2e8d362f8756404e911e46d7fe1cd75f0f19217532ca402e7a5947111f16e412c8aaa754b9e16 +SHA512 (bind-9.18.4.tar.xz.asc) = dfe7b24c499e6e54bc836350b73ef24deb78e1394059d75acc434512b3a60ab44708d3e1faa861be161afa0e69f789fd6b75dd881777679e4845a56f2fd6ab9a
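Review bot: The argument-count test in the first setup-named-chroot.sh hunk joins its two comparisons with `-a` inside a single `[`, a form POSIX marks obsolescent. The next hunk introduces the same form for the selinuxenabled/restorecon test in dev_create. Stating the rejected range directly avoids both the negation and `-a`: `if [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; then`, and in dev_create `if [ -x /usr/sbin/selinuxenabled ] && [ -x /sbin/restorecon ]; then`. The removed `! [ … ] && [ … ]` line did not reject more than three arguments, so the new condition is the correct one; only its form is in question.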
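Review bot: In dev_create (hunk `@@ -34,9 +34,9 @@`) the mknod call now passes `$@` unquoted, so the device type and numbers go through word splitting and pathname expansion before mknod sees them. The removed line quoted it, and `/bin/mknod -m 0664 "$DEVNAME" "$@"` should stay. The last hunk of this file has the same regression in mount_chroot_conf: `ls -1A $ROOTDIR$all` drops the quotes that the `mount --bind` line right below keeps. ROOTDIR is presumably taken from the command line (per the usage text), so a path containing spaces or glob characters would make the emptiness check inspect something other than the directory that then gets bind-mounted; keep `ls -1A "$ROOTDIR$all"`. Both functions start and end outside their hunks.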