Import version from branch v9_18

Uses git checkout 38726e67340b2b60715fa2f342dc800273d3772f -- . Remove unused patches from distgit.
2022-07-12 15:40:10 +02:00 · 2022-07-12 15:40:10 +02:00 · 8a47aa2c75
commit 8a47aa2c75
parent d540d034df
23 changed files with 670 additions and 1631 deletions
--- a/.gitignore
+++ b/.gitignore
@ -176,3 +176,13 @@ bind-9.7.2b1.tar.gz
 /bind-9.16.29.tar.xz.asc
 /bind-9.16.30.tar.xz
 /bind-9.16.30.tar.xz.asc
 /bind-9.18.0.tar.xz
 /bind-9.18.0.tar.xz.asc
 /bind-9.18.1.tar.xz
 /bind-9.18.1.tar.xz.asc
 /bind-9.18.2.tar.xz
 /bind-9.18.2.tar.xz.asc
 /bind-9.18.3.tar.xz
 /bind-9.18.3.tar.xz.asc
 /bind-9.18.4.tar.xz
 /bind-9.18.4.tar.xz.asc
--- a/README.md
+++ b/README.md
@ -22,10 +22,8 @@ The package contains several subpackages, some of them can be disabled on rebuil
 * **bind-utils** -- set of tools to analyse DNS responses or update entries (dig, host)
 * **bind-doc** -- documentation for current bind, *BIND 9 Administrator Reference Manual*.
 * **bind-license** -- Shared license for all packages but bind-export-libs.
-* **bind-pkcs11** -- *named* daemon built with native PKCS#11 support. Can be disabled by `--without PKCS11`.
+* **bind-libs** -- Shared libraries used by some others programs
-* **bind-libs** and **bind-libs-lite** -- Shared libraries used by some others programs
+* **bind-devel** -- Development headers for libs. Can be disabled by `--without DEVEL`
 * **bind-devel** -- Development headers for libs.
 * **bind-dlz-\*** -- Dynamic loadable [DLZ plugins](http://bind-dlz.sourceforge.net/) with support for external databases
 ## Optional features
--- a/bind-9.10-dist-native-pkcs11.patch
+++ b/bind-9.10-dist-native-pkcs11.patch
@ -1,541 +0,0 @@
 From 1cbffe7e8b5bced9134abbae23a2a20c83d39a6a Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Thu, 21 Jan 2021 10:46:20 +0100
 Subject: [PATCH] Enable custom pkcs11 native build
 Share common parts like libisc, libcc and others. But provide native
 pkcs11 libraries as a new copy of libdns and libns.
 ---
 bin/Makefile.in                  |  2 +-
 bin/confgen/Makefile.in          |  2 +-
 bin/dnssec-pkcs11/Makefile.in    | 39 +++++++++++++++++---------------
 bin/named-pkcs11/Makefile.in     | 31 +++++++++++++------------
 configure.ac                     | 19 ++++++++++++++++
 lib/Makefile.in                  |  2 +-
 lib/dns-pkcs11/Makefile.in       | 22 +++++++++---------
 lib/dns-pkcs11/tests/Makefile.in |  8 +++----
 lib/ns-pkcs11/Makefile.in        | 26 ++++++++++-----------
 lib/ns-pkcs11/tests/Makefile.in  | 12 +++++-----
 make/includes.in                 |  7 ++++++
 11 files changed, 100 insertions(+), 70 deletions(-)
 diff --git a/bin/Makefile.in b/bin/Makefile.in
 index 9ad7f62..094775a 100644
 --- a/bin/Makefile.in
 +++ b/bin/Makefile.in
@@ -11,7 +11,7 @@ srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 -SUBDIRS =	named rndc dig delv dnssec tools nsupdate check confgen \
 +SUBDIRS =	named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \
 		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
 TARGETS =
 diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
 index c126bf3..1b7512d 100644
 --- a/bin/confgen/Makefile.in
 +++ b/bin/confgen/Makefile.in
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
 CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
 	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
 -CDEFINES = @USE_PKCS11@
 +CDEFINES =
 CWARNINGS =
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
 index ace0e5a..e0f6a00 100644
 --- a/bin/dnssec-pkcs11/Makefile.in
 +++ b/bin/dnssec-pkcs11/Makefile.in
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 -CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
 +CINCLUDES =	${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
 		${OPENSSL_CFLAGS}
 -CDEFINES =	-DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
 +CDEFINES =	-DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1
 CWARNINGS =
 -DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
 +DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
 ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
 -DNSDEPLIBS =	../../lib/dns/libdns.@A@
 +DNSDEPLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
@@ -36,12 +36,15 @@ LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
 NOSYMLIBS =	${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
 +# Add suffix to all targets
 +EXEEXT =	-pkcs11@EXEEXT@
 +
 # Alphabetically
 -TARGETS =	dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
 -		dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
 -		dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
 -		dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
 -		dnssec-verify@EXEEXT@
 +TARGETS =	dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \
 +		dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \
 +		dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \
 +		dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \
 +		dnssec-verify${EXEEXT}
 OBJS =		dnssectool.@O@
@@ -52,19 +55,19 @@ SRCS =		dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
 @BIND9_MAKE_RULES@
 -dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
 +dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
 	export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
 	${FINALBUILDCMD}
 -dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
 +dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
 	export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
 	${FINALBUILDCMD}
 -dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
 +dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
 	export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
 	${FINALBUILDCMD}
 -dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
 +dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
 	export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
 	${FINALBUILDCMD}
@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
 		-c ${srcdir}/dnssec-signzone.c
 -dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
 +dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
 	export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
 	${FINALBUILDCMD}
@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
 		-c ${srcdir}/dnssec-verify.c
 -dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
 +dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
 	export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
 	${FINALBUILDCMD}
 -dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
 +dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
 	dnssec-revoke.@O@ ${OBJS} ${LIBS}
 -dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
 +dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
 	dnssec-settime.@O@ ${OBJS} ${LIBS}
 -dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
 +dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
 	dnssec-importkey.@O@ ${OBJS} ${LIBS}
 diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
 index debb906..ecfdb6c 100644
 --- a/bin/named-pkcs11/Makefile.in
 +++ b/bin/named-pkcs11/Makefile.in
@@ -37,13 +37,14 @@ DBDRIVER_LIBS =
 DLZ_DRIVER_DIR =	${top_srcdir}/contrib/dlz/drivers
 -DLZDRIVER_OBJS =	@DLZ_DRIVER_OBJS@
 -DLZDRIVER_SRCS =	@DLZ_DRIVER_SRCS@
 -DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
 -DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
 +# Skip building on PKCS11 variant
 +DLZDRIVER_OBJS =
 +DLZDRIVER_SRCS =
 +DLZDRIVER_INCLUDES =
 +DLZDRIVER_LIBS =
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
 -		${NS_INCLUDES} ${DNS_INCLUDES} \
 +		${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \
 		${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
 		${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
 		${DBDRIVER_INCLUDES} \
@@ -56,24 +57,24 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
 		${LIBXML2_CFLAGS} \
 		${MAXMINDDB_CFLAGS}
 -CDEFINES =      @CONTRIB_DLZ@
 +CDEFINES =
 CWARNINGS =
 -DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
 +DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
 ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 -NSLIBS =	../../lib/ns/libns.@A@
 +NSLIBS =	../../lib/ns-pkcs11/libns-pkcs11.@A@
 -DNSDEPLIBS =	../../lib/dns/libdns.@A@
 +DNSDEPLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
 BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
 -NSDEPLIBS =	../../lib/ns/libns.@A@
 +NSDEPLIBS =	../../lib/ns-pkcs11/libns-pkcs11.@A@
 DEPLIBS =	${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
 		${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
@@ -93,7 +94,7 @@ NOSYMLIBS =	${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
 SUBDIRS =	unix
 -TARGETS =	named@EXEEXT@
 +TARGETS =	named-pkcs11@EXEEXT@
 GEOIP2LINKOBJS = geoip.@O@
@@ -151,7 +152,7 @@ server.@O@: server.c
 		-DPRODUCT=\"${PRODUCT}\" \
 		-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
 -named@EXEEXT@: ${OBJS} ${DEPLIBS}
 +named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS}
 	export MAKE_SYMTABLE="yes"; \
 	export BASEOBJS="${OBJS} ${UOBJS}"; \
 	${FINALBUILDCMD}
@@ -170,11 +171,11 @@ statschannel.@O@: bind9.xsl.h
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
 -install:: named@EXEEXT@ installdirs
 -	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
 +install:: named-pkcs11@EXEEXT@ installdirs
 +	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
 uninstall::
 -	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
 +	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
 @DLZ_DRIVER_RULES@
 diff --git a/configure.ac b/configure.ac
 index e405eaf..efaa5a7 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -1269,12 +1269,14 @@ AC_SUBST(USE_GSSAPI)
 AC_SUBST(DST_GSSAPI_INC)
 AC_SUBST(DNS_GSSAPI_LIBS)
 DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
 +DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
 #
 # Applications linking with libdns also need to link with these libraries.
 #
 AC_SUBST(DNS_CRYPTO_LIBS)
 +AC_SUBST(DNS_CRYPTO_PK11_LIBS)
 #
 # was --with-lmdb specified?
@@ -2345,6 +2347,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
 AC_SUBST(BIND9_NS_BUILDINCLUDE)
 AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
 AC_SUBST(BIND9_IRS_BUILDINCLUDE)
 +AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE)
 +AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE)
 if test "X$srcdir" != "X"; then
 	BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
 	BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
@@ -2353,6 +2357,8 @@ if test "X$srcdir" != "X"; then
 	BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
 	BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
 	BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
 +	BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include"
 +	BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include"
 else
 	BIND9_ISC_BUILDINCLUDE=""
 	BIND9_ISCCC_BUILDINCLUDE=""
@@ -2361,6 +2367,8 @@ else
 	BIND9_NS_BUILDINCLUDE=""
 	BIND9_BIND9_BUILDINCLUDE=""
 	BIND9_IRS_BUILDINCLUDE=""
 +	BIND9_DNS_PKCS11_BUILDINCLUDE=""
 +	BIND9_NS_PKCS11_BUILDINCLUDE=""
 fi
 AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
@@ -2816,8 +2824,11 @@ AC_CONFIG_FILES([
 	bin/delv/Makefile
 	bin/dig/Makefile
 	bin/dnssec/Makefile
 +	bin/dnssec-pkcs11/Makefile
 	bin/named/Makefile
 	bin/named/unix/Makefile
 +	bin/named-pkcs11/Makefile
 +	bin/named-pkcs11/unix/Makefile
 	bin/nsupdate/Makefile
 	bin/pkcs11/Makefile
 	bin/plugins/Makefile
@@ -2879,6 +2890,10 @@ AC_CONFIG_FILES([
 	lib/dns/include/dns/Makefile
 	lib/dns/include/dst/Makefile
 	lib/dns/tests/Makefile
 +	lib/dns-pkcs11/Makefile
 +	lib/dns-pkcs11/include/Makefile
 +	lib/dns-pkcs11/include/dns/Makefile
 +	lib/dns-pkcs11/include/dst/Makefile
 	lib/irs/Makefile
 	lib/irs/include/Makefile
 	lib/irs/include/irs/Makefile
@@ -2911,6 +2926,10 @@ AC_CONFIG_FILES([
 	lib/ns/include/Makefile
 	lib/ns/include/ns/Makefile
 	lib/ns/tests/Makefile
 +	lib/ns-pkcs11/Makefile
 +	lib/ns-pkcs11/include/Makefile
 +	lib/ns-pkcs11/include/ns/Makefile
 +	lib/ns-pkcs11/tests/Makefile
 	make/Makefile
 	make/mkdep
 	unit/unittest.sh
 diff --git a/lib/Makefile.in b/lib/Makefile.in
 index 833964e..058ba2f 100644
 --- a/lib/Makefile.in
 +++ b/lib/Makefile.in
@@ -15,7 +15,7 @@ top_srcdir =	@top_srcdir@
 # Attempt to disable parallel processing.
 .NOTPARALLEL:
 .NO_PARALLEL:
 -SUBDIRS =	isc isccc dns ns isccfg bind9 irs
 +SUBDIRS =	isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs
 TARGETS =
 @BIND9_MAKE_RULES@
 diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
 index 58bda3c..d6a45df 100644
 --- a/lib/dns-pkcs11/Makefile.in
 +++ b/lib/dns-pkcs11/Makefile.in
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 -CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
 +CINCLUDES =	-I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
 		${ISC_INCLUDES} \
 		${FSTRM_CFLAGS} \
 		${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
@@ -32,7 +32,7 @@ CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
 		${LMDB_CFLAGS} \
 		${MAXMINDDB_CFLAGS}
 -CDEFINES =	@USE_GSSAPI@
 +CDEFINES =	@USE_GSSAPI@ @USE_PKCS11@
 CWARNINGS =
@@ -135,15 +135,15 @@ version.@O@: version.c
 		-DMAPAPI=\"${MAPAPI}\" \
 		-c ${srcdir}/version.c
 -libdns.@SA@: ${OBJS}
 +libdns-pkcs11.@SA@: ${OBJS}
 	${AR} ${ARFLAGS} $@ ${OBJS}
 	${RANLIB} $@
 -libdns.la: ${OBJS}
 +libdns-pkcs11.la: ${OBJS}
 	${LIBTOOL_MODE_LINK} \
 -		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
 +		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
 		-release "${VERSION}" \
 -		${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
 +		${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
 include: gen
 	${MAKE} include/dns/enumtype.h
@@ -174,22 +174,22 @@ gen: gen.c
 	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
 	${BUILD_LIBS} ${LFS_LIBS}
 -timestamp: include libdns.@A@
 +timestamp: include libdns-pkcs11.@A@
 	touch timestamp
 -testdirs: libdns.@A@
 +testdirs: libdns-pkcs11.@A@
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
 install:: timestamp installdirs
 -	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
 +	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
 uninstall::
 -	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
 +	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@
 clean distclean::
 -	rm -f libdns.@A@ timestamp
 +	rm -f libdns-pkcs11.@A@ timestamp
 	rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
 	rm -f include/dns/rdatastruct.h
 	rm -f dnstap.pb-c.c dnstap.pb-c.h
 diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
 index da91394..aadb73f 100644
 --- a/lib/dns-pkcs11/tests/Makefile.in
 +++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 -CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
 +CINCLUDES =	-I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
 		${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \
 		${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@
 -CDEFINES =	-DTESTS="\"${top_builddir}/lib/dns/tests/\""
 +CDEFINES =	@USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
 ISCLIBS =	../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
 ISCDEPLIBS =	../../isc/libisc.@A@
 -DNSLIBS =	../libdns.@A@ @NO_LIBTOOL_DNSLIBS@
 -DNSDEPLIBS =	../libdns.@A@
 +DNSLIBS =	../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
 +DNSDEPLIBS =	../libdns-pkcs11.@A@
 LIBS =		@LIBS@ @CMOCKA_LIBS@
 diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
 index bc683ce..7a9d2f2 100644
 --- a/lib/ns-pkcs11/Makefile.in
 +++ b/lib/ns-pkcs11/Makefile.in
@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 -CINCLUDES =	-I. -I${top_srcdir}/lib/ns -Iinclude \
 -		${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
 +CINCLUDES =	-I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \
 +		${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
 		${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
 		${FSTRM_CFLAGS}
 -CDEFINES =	-DNAMED_PLUGINDIR=\"${plugindir}\"
 +CDEFINES =	@USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
 CWARNINGS =
@@ -29,9 +29,9 @@ ISCLIBS =	../../lib/isc/libisc.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
 -DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
 +DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
 -DNSDEPLIBS =	../../lib/dns/libdns.@A@
 +DNSDEPLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@
 LIBS =		@LIBS@
@@ -60,28 +60,28 @@ version.@O@: version.c
 		-DMAJOR=\"${MAJOR}\" \
 		-c ${srcdir}/version.c
 -libns.@SA@: ${OBJS}
 +libns-pkcs11.@SA@: ${OBJS}
 	${AR} ${ARFLAGS} $@ ${OBJS}
 	${RANLIB} $@
 -libns.la: ${OBJS}
 +libns-pkcs11.la: ${OBJS}
 	${LIBTOOL_MODE_LINK} \
 -		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \
 +		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \
 		-release "${VERSION}" \
 -		${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
 +		${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
 -timestamp: libns.@A@
 +timestamp: libns-pkcs11.@A@
 	touch timestamp
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
 install:: timestamp installdirs
 -	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \
 +	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \
 		${DESTDIR}${libdir}
 uninstall::
 -	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@
 +	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@
 clean distclean::
 -	rm -f libns.@A@ timestamp
 +	rm -f libns-pkcs11.@A@ timestamp
 diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in
 index 4c3e694..c1b6d99 100644
 --- a/lib/ns-pkcs11/tests/Makefile.in
 +++ b/lib/ns-pkcs11/tests/Makefile.in
@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@
 WRAP_OPTIONS =	-Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach
 -CINCLUDES =	-I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
 +CINCLUDES =	-I. -Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
 		${OPENSSL_CFLAGS} \
 		@CMOCKA_CFLAGS@
 -CDEFINES =	-DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\"
 +CDEFINES =	-DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@
 ISCLIBS =	../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
 ISCDEPLIBS =	../../isc/libisc.@A@
 -DNSLIBS =	../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
 -DNSDEPLIBS =	../../dns/libdns.@A@
 -NSLIBS =	../libns.@A@
 -NSDEPLIBS =	../libns.@A@
 +DNSLIBS =	../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
 +DNSDEPLIBS =	../../dns-pkcs11/libdns-pkcs11.@A@
 +NSLIBS =	../libns-pkcs11.@A@
 +NSDEPLIBS =	../libns-pkcs11.@A@
 LIBS =		@LIBS@ @CMOCKA_LIBS@
 diff --git a/make/includes.in b/make/includes.in
 index b8317d3..b73b0c4 100644
 --- a/make/includes.in
 +++ b/make/includes.in
@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
 TEST_INCLUDES = \
 	-I${top_srcdir}/lib/tests/include
 +
 +DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \
 +	-I${top_srcdir}/lib/dns-pkcs11/include
 +
 +NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \
 +	-I${top_srcdir}/lib/ns-pkcs11/include
 +
 -- 
 2.31.1
--- a/bind-9.11-fips-tests.patch
+++ b/bind-9.11-fips-tests.patch
@ -1,4 +1,4 @@
-From 9575852be2344244ac182d7d019869406d3bd963 Mon Sep 17 00:00:00 2001
+From 8bbfacc1a90301a71a487e776db071fa2ef6c8dd Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Thu, 2 Aug 2018 23:46:45 +0200
 Subject: [PATCH] FIPS tests changes
@ -73,8 +73,6 @@ Date:   Wed Mar 7 10:44:23 2018 +0100
 .../system/allow-query/ns2/named40.conf.in    |  4 +-
 bin/tests/system/allow-query/tests.sh         | 18 ++---
 bin/tests/system/catz/ns1/named.conf.in       |  2 +-
 bin/tests/system/catz/ns2/named1.conf.in      |  2 +-
 bin/tests/system/catz/ns2/named2.conf.in      |  2 +-
 bin/tests/system/checkconf/bad-tsig.conf      |  2 +-
 bin/tests/system/checkconf/good.conf          |  2 +-
 bin/tests/system/feature-test.c               | 14 ++++
@ -83,23 +81,21 @@ Date:   Wed Mar 7 10:44:23 2018 +0100
 bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +-
 bin/tests/system/nsupdate/ns2/named.conf.in   |  2 +-
 bin/tests/system/nsupdate/setup.sh            |  6 +-
- bin/tests/system/nsupdate/tests.sh            | 15 +++--
+ bin/tests/system/nsupdate/tests.sh            | 11 ++-
 bin/tests/system/rndc/setup.sh                |  2 +-
- bin/tests/system/rndc/tests.sh                | 23 ++++---
+ bin/tests/system/rndc/tests.sh                | 22 +++---
 bin/tests/system/tsig/ns1/named.conf.in       | 10 +--
 bin/tests/system/tsig/ns1/rndc5.conf.in       | 10 +++
 bin/tests/system/tsig/setup.sh                |  5 ++
- bin/tests/system/tsig/tests.sh                | 65 ++++++++++++-------
+ bin/tests/system/tsig/tests.sh                | 67 ++++++++++++-------
 bin/tests/system/upforwd/ns1/named.conf.in    |  2 +-
 bin/tests/system/upforwd/tests.sh             |  2 +-
- 34 files changed, 163 insertions(+), 109 deletions(-)
+ 31 files changed, 149 insertions(+), 106 deletions(-)
 create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
 diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
-index 60f22e1..249f672 100644
+index 745048a..93cb411 100644
 --- a/bin/tests/system/acl/ns2/named1.conf.in
 +++ b/bin/tests/system/acl/ns2/named1.conf.in
-@@ -33,12 +33,12 @@ options {
+@@ -35,12 +35,12 @@ options {
 };
 key one {
@ -115,10 +111,10 @@ index 60f22e1..249f672 100644
 };
 diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
-index ada97bc..f82d858 100644
+index 21aa991..78e71cc 100644
 --- a/bin/tests/system/acl/ns2/named2.conf.in
 +++ b/bin/tests/system/acl/ns2/named2.conf.in
-@@ -33,12 +33,12 @@ options {
+@@ -35,12 +35,12 @@ options {
 };
 key one {
@ -134,10 +130,10 @@ index ada97bc..f82d858 100644
 };
 diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
-index 97684e4..de6a2e9 100644
+index 3208c92..bed6325 100644
 --- a/bin/tests/system/acl/ns2/named3.conf.in
 +++ b/bin/tests/system/acl/ns2/named3.conf.in
-@@ -33,17 +33,17 @@ options {
+@@ -35,17 +35,17 @@ options {
 };
 key one {
@ -159,28 +155,9 @@ index 97684e4..de6a2e9 100644
 };
 diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
-index 462b3fa..994b35c 100644
+index 14e82ed..a22cafe 100644
 --- a/bin/tests/system/acl/ns2/named4.conf.in
 +++ b/bin/tests/system/acl/ns2/named4.conf.in
@@ -33,12 +33,12 @@ options {
 };
 key one {
 -	algorithm hmac-md5;
 +	algorithm hmac-sha256;
 	secret "1234abcd8765";
 };
 key two {
 -	algorithm hmac-md5;
 +	algorithm hmac-sha256;
 	secret "1234abcd8765";
 };
 diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
 index 728da58..8f00d09 100644
 --- a/bin/tests/system/acl/ns2/named5.conf.in
 +++ b/bin/tests/system/acl/ns2/named5.conf.in
@@ -35,12 +35,12 @@ options {
 };
@ -196,11 +173,30 @@ index 728da58..8f00d09 100644
 	secret "1234abcd8765";
 };
 diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
 index f43f33c..f4a865a 100644
 --- a/bin/tests/system/acl/ns2/named5.conf.in
 +++ b/bin/tests/system/acl/ns2/named5.conf.in
@@ -37,12 +37,12 @@ options {
 };
 key one {
 -	algorithm hmac-md5;
 +	algorithm hmac-sha256;
 	secret "1234abcd8765";
 };
 key two {
 -	algorithm hmac-md5;
 +	algorithm hmac-sha256;
 	secret "1234abcd8765";
 };
 diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
-index be59d64..13d5bdc 100644
+index 9ee3984..f7d4388 100644
 --- a/bin/tests/system/acl/tests.sh
 +++ b/bin/tests/system/acl/tests.sh
-@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
+@@ -23,14 +23,14 @@ echo_i "testing basic ACL processing"
 # key "one" should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
@ -217,7 +213,7 @@ index be59d64..13d5bdc 100644
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
 copy_setports ns2/named2.conf.in ns2/named.conf
-@@ -39,18 +39,18 @@ sleep 5
+@@ -40,18 +40,18 @@ sleep 5
 # prefix 10/8 should fail
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
@ -239,7 +235,7 @@ index be59d64..13d5bdc 100644
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
 echo_i "testing nested ACL processing"
-@@ -62,31 +62,31 @@ sleep 5
+@@ -63,31 +63,31 @@ sleep 5
 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
@ -276,7 +272,7 @@ index be59d64..13d5bdc 100644
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
 t=`expr $t + 1`
-@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
+@@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
 # and other values? right out
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
@ -285,7 +281,7 @@ index be59d64..13d5bdc 100644
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
 # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
-@@ -108,31 +108,31 @@ sleep 5
+@@ -109,31 +109,31 @@ sleep 5
 # should succeed
 t=`expr $t + 1`
 $DIG $DIGOPTS tsigzone. \
@ -323,10 +319,10 @@ index be59d64..13d5bdc 100644
 echo_i "testing allow-query-on ACL processing"
 diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
-index 7d43e36..f7b25f9 100644
+index b91d19a..7d777c2 100644
 --- a/bin/tests/system/allow-query/ns2/named10.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named10.conf.in
-@@ -10,7 +10,7 @@
+@@ -12,7 +12,7 @@
  */
 key one {
@ -336,10 +332,10 @@ index 7d43e36..f7b25f9 100644
 };
 diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
-index 2952518..121557e 100644
+index 308c4ca..00f6f40 100644
 --- a/bin/tests/system/allow-query/ns2/named11.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named11.conf.in
-@@ -10,12 +10,12 @@
+@@ -12,12 +12,12 @@
  */
 key one {
@ -355,10 +351,10 @@ index 2952518..121557e 100644
 };
 diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
-index 0c01071..ceabbb5 100644
+index 6b0fe55..491e514 100644
 --- a/bin/tests/system/allow-query/ns2/named12.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named12.conf.in
-@@ -10,7 +10,7 @@
+@@ -12,7 +12,7 @@
  */
 key one {
@ -368,10 +364,10 @@ index 0c01071..ceabbb5 100644
 };
 diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
-index 4c17292..9cd9d1f 100644
+index aefc474..7c06596 100644
 --- a/bin/tests/system/allow-query/ns2/named30.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named30.conf.in
-@@ -10,7 +10,7 @@
+@@ -12,7 +12,7 @@
  */
 key one {
@ -381,10 +377,10 @@ index 4c17292..9cd9d1f 100644
 };
 diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
-index a2690a4..f488730 100644
+index 27eccc2..eecb990 100644
 --- a/bin/tests/system/allow-query/ns2/named31.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named31.conf.in
-@@ -10,12 +10,12 @@
+@@ -12,12 +12,12 @@
  */
 key one {
@ -400,10 +396,10 @@ index a2690a4..f488730 100644
 };
 diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
-index a0708c8..51fa457 100644
+index adbb203..744d122 100644
 --- a/bin/tests/system/allow-query/ns2/named32.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named32.conf.in
-@@ -10,7 +10,7 @@
+@@ -12,7 +12,7 @@
  */
 key one {
@ -413,10 +409,10 @@ index a0708c8..51fa457 100644
 };
 diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
-index 687768e..d24d6d2 100644
+index 364f94b..9518f82 100644
 --- a/bin/tests/system/allow-query/ns2/named40.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named40.conf.in
-@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; };
+@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
 acl badaccept { 10.53.0.1; };
 key one {
@ -432,10 +428,10 @@ index 687768e..d24d6d2 100644
 };
 diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
-index fe40635..543c663 100644
+index bbffe07..80da0fe 100644
 --- a/bin/tests/system/allow-query/tests.sh
 +++ b/bin/tests/system/allow-query/tests.sh
-@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2
+@@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: key allowed - query allowed"
 ret=0
@ -444,25 +440,25 @@ index fe40635..543c663 100644
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2
+@@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: key not allowed - query refused"
 ret=0
 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2
@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: key disallowed - query refused"
 ret=0
 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2
@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views key allowed - query allowed"
 ret=0
@ -471,25 +467,25 @@ index fe40635..543c663 100644
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2
+@@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views key not allowed - query refused"
 ret=0
 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2
@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2
 echo_i "test $n: views key disallowed - query refused"
 ret=0
 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -533,7 +533,7 @@ status=`expr $status + $ret`
@@ -500,7 +500,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "test $n: zone key allowed - query allowed"
 ret=0
@ -498,51 +494,29 @@ index fe40635..543c663 100644
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
-@@ -510,7 +510,7 @@ status=`expr $status + $ret`
+@@ -543,7 +543,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "test $n: zone key not allowed - query refused"
 ret=0
 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
- if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -554,7 +554,7 @@ status=`expr $status + $ret`
@@ -520,7 +520,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "test $n: zone key disallowed - query refused"
 ret=0
 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
-index 1218669..e62715e 100644
+index 5a46d39..fc1bd07 100644
 --- a/bin/tests/system/catz/ns1/named.conf.in
 +++ b/bin/tests/system/catz/ns1/named.conf.in
-@@ -61,5 +61,5 @@ zone "catalog4.example" {
+@@ -63,5 +63,5 @@ zone "catalog4.example" {
 key tsig_key. {
 	secret "LSAnCU+Z";
 -	algorithm hmac-md5;
 +	algorithm hmac-sha256;
 };
 diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in
 index 30333e6..4005152 100644
 --- a/bin/tests/system/catz/ns2/named1.conf.in
 +++ b/bin/tests/system/catz/ns2/named1.conf.in
@@ -70,5 +70,5 @@ zone "catalog4.example" {
 key tsig_key. {
 	secret "LSAnCU+Z";
 -	algorithm hmac-md5;
 +	algorithm hmac-sha256;
 };
 diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in
 index fcd99ca..84c97ca 100644
 --- a/bin/tests/system/catz/ns2/named2.conf.in
 +++ b/bin/tests/system/catz/ns2/named2.conf.in
@@ -56,5 +56,5 @@ zone "catalog4.example" {
 key tsig_key. {
 	secret "LSAnCU+Z";
@ -550,10 +524,10 @@ index fcd99ca..84c97ca 100644
 +	algorithm hmac-sha256;
 };
 diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
-index 21be03e..e57c308 100644
+index 4af25b0..9f202d5 100644
 --- a/bin/tests/system/checkconf/bad-tsig.conf
 +++ b/bin/tests/system/checkconf/bad-tsig.conf
-@@ -11,7 +11,7 @@
+@@ -13,7 +13,7 @@
 /* Bad secret */
 key "badtsig" {
@ -563,10 +537,10 @@ index 21be03e..e57c308 100644
 };
 diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
-index 616a544..e3a59a5 100644
+index 897dc86..e4b6dc1 100644
 --- a/bin/tests/system/checkconf/good.conf
 +++ b/bin/tests/system/checkconf/good.conf
-@@ -268,6 +268,6 @@ dyndb "name" "library.so" {
+@@ -270,6 +270,6 @@ dyndb "name" "library.so" {
 	system;
 };
 key "mykey" {
@ -575,10 +549,10 @@ index 616a544..e3a59a5 100644
 	secret "qwertyuiopasdfgh";
 };
 diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
-index 877504f..577660a 100644
+index 30e6e14..ba7f98e 100644
 --- a/bin/tests/system/feature-test.c
 +++ b/bin/tests/system/feature-test.c
-@@ -14,6 +14,7 @@
+@@ -16,6 +16,7 @@
 #include <string.h>
 #include <unistd.h>
@ -586,8 +560,8 @@ index 877504f..577660a 100644
 #include <isc/net.h>
 #include <isc/print.h>
 #include <isc/util.h>
-@@ -186,6 +187,19 @@ main(int argc, char **argv) {
+@@ -140,6 +141,19 @@ main(int argc, char **argv) {
- #endif /* ifdef DLZ_FILESYSTEM */
+ #endif
 	}
 +	if (strcmp(argv[1], "--md5") == 0) {
@ -603,14 +577,14 @@ index 877504f..577660a 100644
 +		}
 +	}
 +
- 	if (strcmp(argv[1], "--with-idn") == 0) {
+ 	if (strcmp(argv[1], "--ipv6only=no") == 0) {
- #ifdef HAVE_LIBIDN2
+ #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
- 		return (0);
+ 		int s;
 diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
-index 1ee8df4..2b75d9a 100644
+index 5cab276..d4a7bf3 100644
 --- a/bin/tests/system/notify/ns5/named.conf.in
 +++ b/bin/tests/system/notify/ns5/named.conf.in
-@@ -10,17 +10,17 @@
+@@ -12,17 +12,17 @@
  */
 key "a" {
@ -632,10 +606,10 @@ index 1ee8df4..2b75d9a 100644
 };
 diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
-index 3d7e0b7..ec4d9a7 100644
+index 52d2f81..1fd02d4 100644
 --- a/bin/tests/system/notify/tests.sh
 +++ b/bin/tests/system/notify/tests.sh
-@@ -212,16 +212,16 @@ ret=0
+@@ -187,7 +187,7 @@ test_start "checking notify to multiple views using tsig"
 $NSUPDATE << EOF
 server 10.53.0.5 ${PORT}
 zone x21
@ -644,22 +618,23 @@ index 3d7e0b7..ec4d9a7 100644
 update add added.x21 0 in txt "test string"
 send
 EOF
- 
+@@ -195,9 +195,9 @@ fnb="dig.out.b.ns5.test$n"
 fnc="dig.out.c.ns5.test$n"
 for i in 1 2 3 4 5 6 7 8 9
 do
-	$DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+-	dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
-+	$DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+	dig_plus_opts added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
- 		txt > dig.out.b.ns5.test$n || ret=1
+ 		txt > "$fnb" || ret=1
-	$DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
+-	dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
-+	$DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
+	dig_plus_opts added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
- 		txt > dig.out.c.ns5.test$n || ret=1
+ 		txt > "$fnc" || ret=1
- 	grep "test string" dig.out.b.ns5.test$n > /dev/null &&
+ 	grep "test string" "$fnb" > /dev/null &&
- 	grep "test string" dig.out.c.ns5.test$n > /dev/null &&
+ 	grep "test string" "$fnc" > /dev/null &&
 diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
-index b51e700..436c97d 100644
+index 81d0c99..effbe2e 100644
 --- a/bin/tests/system/nsupdate/ns1/named.conf.in
 +++ b/bin/tests/system/nsupdate/ns1/named.conf.in
-@@ -37,7 +37,7 @@ controls {
+@@ -39,7 +39,7 @@ controls {
 };
 key altkey {
@ -669,10 +644,10 @@ index b51e700..436c97d 100644
 };
 diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
-index da6b3b4..c547e47 100644
+index f1a1735..da2b3d1 100644
 --- a/bin/tests/system/nsupdate/ns2/named.conf.in
 +++ b/bin/tests/system/nsupdate/ns2/named.conf.in
-@@ -32,7 +32,7 @@ controls {
+@@ -34,7 +34,7 @@ controls {
 };
 key altkey {
@ -682,27 +657,27 @@ index da6b3b4..c547e47 100644
 };
 diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
-index 5593a2e..7cd1a74 100644
+index 50056dc..a4a1a3f 100644
 --- a/bin/tests/system/nsupdate/setup.sh
 +++ b/bin/tests/system/nsupdate/setup.sh
-@@ -71,7 +71,11 @@ EOF
+@@ -72,7 +72,11 @@ EOF
- $DDNSCONFGEN -q -z example.nil > ns1/ddns.key
+ $TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
+-$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
 +if $FEATURETEST --md5; then
-+	$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
+	$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
 +else
 +	echo -n > ns1/md5.key
 +fi
- $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
+ $TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key
- $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
+ $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
- $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
+ $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
 diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
-index 8839131..fde6135 100755
+index 0863d0a..559def7 100755
 --- a/bin/tests/system/nsupdate/tests.sh
 +++ b/bin/tests/system/nsupdate/tests.sh
-@@ -824,7 +824,14 @@ fi
+@@ -841,7 +841,14 @@ fi
 n=`expr $n + 1`
 ret=0
 echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
@ -718,7 +693,7 @@ index 8839131..fde6135 100755
     $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
 server 10.53.0.1 ${PORT}
 update add ${alg}.keytests.nil. 600 A 10.10.10.3
-@@ -832,7 +839,7 @@ send
+@@ -849,7 +856,7 @@ send
 END
 done
 sleep 2
@ -727,29 +702,11 @@ index 8839131..fde6135 100755
     $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
 done
 if [ $ret -ne 0 ]; then
@@ -843,7 +850,7 @@ fi
 n=`expr $n + 1`
 ret=0
 echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
 -for alg in md5 sha1 sha224 sha256 sha384 sha512; do
 +for alg in $ALGS; do
     secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
     $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
 server 10.53.0.1 ${PORT}
@@ -852,7 +859,7 @@ send
 END
 done
 sleep 2
 -for alg in md5 sha1 sha224 sha256 sha384 sha512; do
 +for alg in $ALGS; do
     $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
 done
 if [ $ret -ne 0 ]; then
 diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
-index 225722f..63ac938 100644
+index 4dd6fa7..1b79263 100644
 --- a/bin/tests/system/rndc/setup.sh
 +++ b/bin/tests/system/rndc/setup.sh
-@@ -38,7 +38,7 @@ make_key () {
+@@ -47,7 +47,7 @@ make_key () {
             sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
 }
@ -759,13 +716,13 @@ index 225722f..63ac938 100644
 make_key 3 ${EXTRAPORT3} hmac-sha224
 make_key 4 ${EXTRAPORT4} hmac-sha256
 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
-index 9bf86c6..b8a7a1f 100644
+index 85c271b..ac69f32 100644
 --- a/bin/tests/system/rndc/tests.sh
 +++ b/bin/tests/system/rndc/tests.sh
-@@ -349,15 +349,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ status=$((status+ret))
- n=`expr $n + 1`
+ n=$((n+1))
 -echo_i "testing rndc with hmac-md5 ($n)"
 -ret=0
 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
@ -774,29 +731,28 @@ index 9bf86c6..b8a7a1f 100644
 -        $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
 -done
 -if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+-status=$((status+ret))
 +if $FEATURETEST --md5
 +then
 +	echo_i "testing rndc with hmac-md5 ($n)"
 +	ret=0
 +	$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
 +	for i in 2 3 4 5 6
 +	do
-+		$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+	        $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
 +	done
 +	if [ $ret != 0 ]; then echo_i "failed"; fi
-+	status=`expr $status + $ret`
+	status=$((status+ret))
 +else
 +	echo_i "skipping rndc with hmac-md5 ($n)"
 +fi
- n=`expr $n + 1`
+ n=$((n+1))
 echo_i "testing rndc with hmac-sha1 ($n)"
 diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
-index 3470c4f..cf539cd 100644
+index 76cf970..22637af 100644
 --- a/bin/tests/system/tsig/ns1/named.conf.in
 +++ b/bin/tests/system/tsig/ns1/named.conf.in
-@@ -21,10 +21,7 @@ options {
+@@ -23,10 +23,7 @@ options {
 	notify no;
 };
@ -808,7 +764,7 @@ index 3470c4f..cf539cd 100644
 key "sha1" {
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
-@@ -51,10 +48,7 @@ key "sha512" {
+@@ -53,10 +50,7 @@ key "sha512" {
 	algorithm hmac-sha512;
 };
@ -820,27 +776,11 @@ index 3470c4f..cf539cd 100644
 key "sha1-trunc" {
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
 diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
 new file mode 100644
 index 0000000..0682194
 --- /dev/null
 +++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
@@ -0,0 +1,10 @@
 +# Conditionally included when support for MD5 is available
 +key "md5" {
 +	secret "97rnFx24Tfna4mHPfgnerA==";
 +	algorithm hmac-md5;
 +};
 +
 +key "md5-trunc" {
 +	secret "97rnFx24Tfna4mHPfgnerA==";
 +	algorithm hmac-md5-80;
 +};
 diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
-index e3b4a45..ae21d04 100644
+index 34cc73b..d51ff21 100644
 --- a/bin/tests/system/tsig/setup.sh
 +++ b/bin/tests/system/tsig/setup.sh
-@@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
+@@ -16,3 +16,8 @@
 $SHELL clean.sh
 copy_setports ns1/named.conf.in ns1/named.conf
@ -850,10 +790,10 @@ index e3b4a45..ae21d04 100644
 +	cat ns1/rndc5.conf.in >> ns1/named.conf
 +fi
 diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
-index 38d842a..668aa6f 100644
+index 1067227..ee05e83 100644
 --- a/bin/tests/system/tsig/tests.sh
 +++ b/bin/tests/system/tsig/tests.sh
-@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
+@@ -27,20 +27,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
 status=0
@ -864,6 +804,13 @@ index 38d842a..668aa6f 100644
 -if [ $ret -eq 1 ] ; then
 -	echo_i "failed"; status=1
 -fi
 -
 -echo_i "fetching using hmac-md5 (new form)"
 -ret=0
 -$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
 -grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
 -if [ $ret -eq 1 ] ; then
 -	echo_i "failed"; status=1
 +if $FEATURETEST --md5
 +then
 +	echo_i "fetching using hmac-md5 (old form)"
@ -873,13 +820,7 @@ index 38d842a..668aa6f 100644
 +	if [ $ret -eq 1 ] ; then
 +		echo_i "failed"; status=1
 +	fi
- 
+
 -echo_i "fetching using hmac-md5 (new form)"
 -ret=0
 -$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
 -grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
 -if [ $ret -eq 1 ] ; then
 -	echo_i "failed"; status=1
 +	echo_i "fetching using hmac-md5 (new form)"
 +	ret=0
 +	$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
@ -892,7 +833,7 @@ index 38d842a..668aa6f 100644
 fi
 echo_i "fetching using hmac-sha1"
-@@ -87,12 +92,17 @@ fi
+@@ -88,12 +93,17 @@ fi
 #	Truncated TSIG
 #
 #
@ -916,7 +857,7 @@ index 38d842a..668aa6f 100644
 fi
 echo_i "fetching using hmac-sha1 (trunc)"
-@@ -141,12 +151,17 @@ fi
+@@ -142,12 +152,17 @@ fi
 #	Check for bad truncation.
 #
 #
@ -941,10 +882,10 @@ index 38d842a..668aa6f 100644
 echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
 diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
-index 3873c7c..b359a5a 100644
+index c2b57dd..cb13aa1 100644
 --- a/bin/tests/system/upforwd/ns1/named.conf.in
 +++ b/bin/tests/system/upforwd/ns1/named.conf.in
-@@ -10,7 +10,7 @@
+@@ -12,7 +12,7 @@
  */
 key "update.example." {
@ -954,10 +895,10 @@ index 3873c7c..b359a5a 100644
 };
 diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
-index a50c896..8062d68 100644
+index a6de312..ebcadb1 100644
 --- a/bin/tests/system/upforwd/tests.sh
 +++ b/bin/tests/system/upforwd/tests.sh
-@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+@@ -80,7 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 echo_i "updating zone (signed) ($n)"
 ret=0
@ -967,5 +908,5 @@ index a50c896..8062d68 100644
 update add updated.example. 600 A 10.10.10.1
 update add updated.example. 600 TXT Foo
 -- 
-2.31.1
+2.34.1
--- a/bind-9.11-kyua-pkcs11.patch
+++ b/bind-9.11-kyua-pkcs11.patch
@ -1,58 +0,0 @@
 From 1241f2005d08673c28a595c5a6cd61350b95a929 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Tue, 2 Jan 2018 18:13:07 +0100
 Subject: [PATCH] Fix pkcs11 variants atf tests
 Add dns-pkcs11 tests Makefile to configure
 Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
 ---
 configure.ac                   | 1 +
 lib/Kyuafile                   | 2 ++
 lib/dns-pkcs11/tests/dh_test.c | 3 ++-
 3 files changed, 5 insertions(+), 1 deletion(-)
 diff --git a/configure.ac b/configure.ac
 index d80ae31..0fb9328 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([
 	lib/dns-pkcs11/include/Makefile
 	lib/dns-pkcs11/include/dns/Makefile
 	lib/dns-pkcs11/include/dst/Makefile
 +	lib/dns-pkcs11/tests/Makefile
 	lib/irs/Makefile
 	lib/irs/include/Makefile
 	lib/irs/include/irs/Makefile
 diff --git a/lib/Kyuafile b/lib/Kyuafile
 index 39ce986..037e5ef 100644
 --- a/lib/Kyuafile
 +++ b/lib/Kyuafile
@@ -2,8 +2,10 @@ syntax(2)
 test_suite('bind9')
 include('dns/Kyuafile')
 +include('dns-pkcs11/Kyuafile')
 include('irs/Kyuafile')
 include('isc/Kyuafile')
 include('isccc/Kyuafile')
 include('isccfg/Kyuafile')
 include('ns/Kyuafile')
 +include('ns-pkcs11/Kyuafile')
 diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
 index 934e8fd..658d1af 100644
 --- a/lib/dns-pkcs11/tests/dh_test.c
 +++ b/lib/dns-pkcs11/tests/dh_test.c
@@ -87,7 +87,8 @@ dh_computesecret(void **state) {
 	result = dst_key_computesecret(key, key, &buf);
 	assert_int_equal(result, DST_R_NOTPRIVATEKEY);
 	result = key->func->computesecret(key, key, &buf);
 -	assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
 +	/* PKCS11 variant gives different result, accept both */
 +	assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
 	dst_key_free(&key);
 }
 -- 
 2.20.1
--- a/bind-9.11-rh1666814.patch
+++ b/bind-9.11-rh1666814.patch
@ -1,29 +0,0 @@
 From d05d116da39c0a5c580ceaac6ba069899b82c5a0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Wed, 16 Jan 2019 16:27:33 +0100
 Subject: [PATCH] Fix possible crash when loading corrupted file
 Some values passes internal triggers by coincidence. Fix the check and
 check also first_node_offset before even passing it further.
 ---
 lib/dns/rbt.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
 index 5aee5f6..7f2c2d2 100644
 --- a/lib/dns/rbt.c
 +++ b/lib/dns/rbt.c
@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
 	rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset +
 				      header->first_node_offset);
 -	if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
 +	if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
 +	    || header->first_node_offset > filesize) {
 +
 		result = ISC_R_INVALIDFILE;
 		goto cleanup;
 	}
 -- 
 2.31.1
--- a/bind-9.14-config-pkcs11.patch
+++ b/bind-9.14-config-pkcs11.patch
@ -1,83 +0,0 @@
 From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Fri, 18 Oct 2019 21:30:52 +0200
 Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h
 Building two variants with the same common code requires to unset
 USE_PKCS11 on part of build. That is not possible with config.h value.
 Move it as normal define to CDEFINES.
 ---
 bin/confgen/Makefile.in |  2 +-
 configure.ac            |  8 ++++++--
 lib/dns/dst_internal.h  | 12 +++++++++---
 3 files changed, 16 insertions(+), 6 deletions(-)
 diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
 index 1b7512d..c126bf3 100644
 --- a/bin/confgen/Makefile.in
 +++ b/bin/confgen/Makefile.in
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
 CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
 	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
 -CDEFINES =
 +CDEFINES = @USE_PKCS11@
 CWARNINGS =
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 diff --git a/configure.ac b/configure.ac
 index f5483fe..08a7d8a 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST])
 AC_SUBST([PKCS11_TOOLS])
 AC_SUBST([PKCS11_MANS])
 +USE_PKCS11='-DUSE_PKCS11=0'
 +USE_OPENSSL='-DUSE_OPENSSL=0'
 AC_SUBST([CRYPTO])
 AS_CASE([$CRYPTO],
 -	[pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
 -	[AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
 +	[pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'],
 +	[USE_OPENSSL='-DUSE_OPENSSL=1'])
 +AC_SUBST(USE_PKCS11)
 +AC_SUBST(USE_OPENSSL)
 # preparation for automake
 # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
 diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
 index 2c3b4a3..55e9dc4 100644
 --- a/lib/dns/dst_internal.h
 +++ b/lib/dns/dst_internal.h
@@ -38,6 +38,13 @@
 #include <isc/stdtime.h>
 #include <isc/types.h>
 +#ifndef USE_PKCS11
 +#define USE_PKCS11 0
 +#endif
 +#ifndef USE_OPENSSL
 +#define USE_OPENSSL (! USE_PKCS11)
 +#endif
 +
 #if USE_PKCS11
 #include <pk11/pk11.h>
 #include <pk11/site.h>
@@ -116,11 +123,10 @@ struct dst_key {
 		void *generic;
 		dns_gss_ctx_id_t gssctx;
 		DH *dh;
 -#if USE_OPENSSL
 -		EVP_PKEY *pkey;
 -#endif /* if USE_OPENSSL */
 #if USE_PKCS11
 		pk11_object_t *pkey;
 +#else
 +		EVP_PKEY *pkey;
 #endif /* if USE_PKCS11 */
 		dst_hmac_key_t *hmac_key;
 	} keydata; /*%< pointer to key in crypto pkg fmt */
 -- 
 2.26.2
--- a/bind-9.16-redhat_doc.patch
+++ b/bind-9.16-redhat_doc.patch
@ -1,4 +1,4 @@
-From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001
+From 402403b4bbb4f603693378e86b6c97997ccb0401 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Wed, 17 Jun 2020 23:17:13 +0200
 Subject: [PATCH] Update man named with Red Hat specifics
@ -6,15 +6,15 @@ Subject: [PATCH] Update man named with Red Hat specifics
 This is almost unmodified text and requires revalidation. Some of those
 statements are no longer correct.
 ---
- bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++
+ bin/named/named.rst | 41 +++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 35 insertions(+)
+ 1 file changed, 41 insertions(+)
 diff --git a/bin/named/named.rst b/bin/named/named.rst
-index 6fd8f87..3cd6350 100644
+index ea440b2..fa51984 100644
 --- a/bin/named/named.rst
 +++ b/bin/named/named.rst
-@@ -228,6 +228,41 @@ Files
+@@ -212,6 +212,47 @@ Files
- ``/var/run/named/named.pid``
+ |named_pid|
    The default process-id file.
 +Notes
@ -24,7 +24,7 @@ index 6fd8f87..3cd6350 100644
 +
 +By default, Red Hat ships BIND with the most secure SELinux policy
 +that will not prevent normal BIND operation and will prevent exploitation
-+of all known BIND security vulnerabilities. See the selinux(8) man page
+of all known BIND security vulnerabilities . See the selinux(8) man page
 +for information about SElinux.
 +
 +It is not necessary to run named in a chroot environment if the Red Hat
@ -34,27 +34,33 @@ index 6fd8f87..3cd6350 100644
 +
 +*With this extra security comes some restrictions:*
 +
-+By default, the SELinux policy does not allow named to write outside directory
+By default, the SELinux policy does not allow named to write any master
-+/var/named. That directory used to be read-only for named, but write access is
+zone database files. Only the root user may create files in the $ROOTDIR/var/named
-+enabled by default now.
+zone database file directory (the options { "directory" } option), where
 +$ROOTDIR is set in /etc/sysconfig/named.
 +
 +The "named" group must be granted read privelege to
 +these files in order for named to be enabled to read them.
 +Any file updated by named must be writeable by named user or named group.
 +
 +Any file created in the zone database file directory is automatically assigned
 +the SELinux file context *named_zone_t* .
 +
 +By default, SELinux prevents any role from modifying *named_zone_t* files; this
 +means that files in the zone database directory cannot be modified by dynamic
 +DNS (DDNS) updates or zone transfers.
 +
 +The Red Hat BIND distribution and SELinux policy creates three directories where
-+named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
+named is allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
-+*/var/named/data*. The service is able to write and file under */var/named* with appropriate
+*/var/named/data*. By placing files you want named to modify, such as
-+permissions. They are used for better organisation of zones and backward compatibility.
+slave or DDNS updateable zone files and database / statistics dump files in
-+Files in these directories are automatically assigned the '*named_cache_t*'
+these directories, named will work normally and no further operator action is
-+file context, which SELinux always allows named to write.
+required. Files in these directories are automatically assigned the '*named_cache_t*'
 +file context, which SELinux allows named to write.
 +
 +
 See Also
 ~~~~~~~~
 -- 
-2.26.2
+2.34.1
--- a/bind-9.16-resolv.conf-options-timeout-test.patch
+++ b/bind-9.16-resolv.conf-options-timeout-test.patch
@ -1,113 +0,0 @@
 From 7270604440268bb17b39ae734ff33003a67c8343 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Tue, 20 Jul 2021 19:34:42 +0200
 Subject: [PATCH] Check parsed resconf values
 Add 'attempts' check, fix 'ndots' data. Create a bunch of verification
 functions and check parsed values, not just return codes.
 ---
 lib/irs/tests/resconf_test.c                 | 46 ++++++++++++++++++--
 lib/irs/tests/testdata/options-attempts.conf | 10 +++++
 lib/irs/tests/testdata/options-ndots.conf    |  2 +-
 3 files changed, 54 insertions(+), 4 deletions(-)
 create mode 100644 lib/irs/tests/testdata/options-attempts.conf
 diff --git a/lib/irs/tests/resconf_test.c b/lib/irs/tests/resconf_test.c
 index 6951758..ce94345 100644
 --- a/lib/irs/tests/resconf_test.c
 +++ b/lib/irs/tests/resconf_test.c
@@ -45,6 +45,43 @@ setup_test() {
 	assert_return_code(chdir(TESTS), 0);
 }
 +static isc_result_t
 +check_number(unsigned int n, unsigned int expected) {
 +	return ((n == expected) ? ISC_R_SUCCESS : ISC_R_BADNUMBER);
 +}
 +
 +static isc_result_t
 +check_attempts(irs_resconf_t *resconf) {
 +	return (check_number(irs_resconf_getattempts(resconf), 4));
 +}
 +
 +static isc_result_t
 +check_timeout(irs_resconf_t *resconf) {
 +	return (check_number(irs_resconf_gettimeout(resconf), 1));
 +}
 +
 +static isc_result_t
 +check_ndots(irs_resconf_t *resconf) {
 +	return (check_number(irs_resconf_getndots(resconf), 2));
 +}
 +
 +static isc_result_t
 +check_options(irs_resconf_t *resconf) {
 +	if (irs_resconf_getattempts(resconf) != 3) {
 +		return ISC_R_BADNUMBER; /* default value only */
 +	}
 +
 +	if (irs_resconf_getndots(resconf) != 2) {
 +		return ISC_R_BADNUMBER;
 +	}
 +
 +	if (irs_resconf_gettimeout(resconf) != 1) {
 +		return ISC_R_BADNUMBER;
 +	}
 +
 +	return (ISC_R_SUCCESS);
 +}
 +
 /* test irs_resconf_load() */
 static void
 irs_resconf_load_test(void **state) {
@@ -64,15 +101,18 @@ irs_resconf_load_test(void **state) {
 		  ISC_R_SUCCESS },
 		{ "testdata/nameserver-v6-scoped.conf", ISC_R_SUCCESS, NULL,
 		  ISC_R_SUCCESS },
 +		{ "testdata/options-attempts.conf", ISC_R_SUCCESS,
 +		  check_attempts, ISC_R_SUCCESS },
 		{ "testdata/options-debug.conf", ISC_R_SUCCESS, NULL,
 		  ISC_R_SUCCESS },
 -		{ "testdata/options-ndots.conf", ISC_R_SUCCESS, NULL,
 +		{ "testdata/options-ndots.conf", ISC_R_SUCCESS, check_ndots,
 		  ISC_R_SUCCESS },
 -		{ "testdata/options-timeout.conf", ISC_R_SUCCESS, NULL,
 +		{ "testdata/options-timeout.conf", ISC_R_SUCCESS, check_timeout,
 		  ISC_R_SUCCESS },
 		{ "testdata/options-unknown.conf", ISC_R_SUCCESS, NULL,
 		  ISC_R_SUCCESS },
 -		{ "testdata/options.conf", ISC_R_SUCCESS, NULL, ISC_R_SUCCESS },
 +		{ "testdata/options.conf", ISC_R_SUCCESS, check_options,
 +		  ISC_R_SUCCESS },
 		{ "testdata/options-bad-ndots.conf", ISC_R_RANGE, NULL,
 		  ISC_R_SUCCESS },
 		{ "testdata/options-empty.conf", ISC_R_UNEXPECTEDEND, NULL,
 diff --git a/lib/irs/tests/testdata/options-attempts.conf b/lib/irs/tests/testdata/options-attempts.conf
 new file mode 100644
 index 0000000..4538643
 --- /dev/null
 +++ b/lib/irs/tests/testdata/options-attempts.conf
@@ -0,0 +1,10 @@
 +# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 +#
 +# This Source Code Form is subject to the terms of the Mozilla Public
 +# License, v. 2.0. If a copy of the MPL was not distributed with this
 +# file, you can obtain one at https://mozilla.org/MPL/2.0/.
 +#
 +# See the COPYRIGHT file distributed with this work for additional
 +# information regarding copyright ownership.
 +
 +options attempts:4
 diff --git a/lib/irs/tests/testdata/options-ndots.conf b/lib/irs/tests/testdata/options-ndots.conf
 index 5d18d26..f37c712 100644
 --- a/lib/irs/tests/testdata/options-ndots.conf
 +++ b/lib/irs/tests/testdata/options-ndots.conf
@@ -9,4 +9,4 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 -option ndots:2
 +options ndots:2
 -- 
 2.35.3
--- a/bind-9.16-resolv.conf-options-timeout.patch
+++ b/bind-9.16-resolv.conf-options-timeout.patch
@ -1,203 +0,0 @@
 From b0e79979672935ff07bf23703c675ee788940c59 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Tue, 22 Jun 2021 16:35:46 +0200
 Subject: [PATCH] Parse 'timeout' and 'attempts' from resolv.conf
 It was supported by lwres in BIND 9.11, and is still mentioned in
 the manual page. Restore support for it by adding it to libirs.
 ---
 bin/dig/dighost.c             | 13 ++++++-
 lib/irs/include/irs/resconf.h | 20 +++++++++++
 lib/irs/resconf.c             | 64 ++++++++++++++++++++++++++++-------
 3 files changed, 84 insertions(+), 13 deletions(-)
 diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
 index 0222454..274e894 100644
 --- a/bin/dig/dighost.c
 +++ b/bin/dig/dighost.c
@@ -133,7 +133,7 @@ int sendcount = 0;
 int recvcount = 0;
 int sockcount = 0;
 int ndots = -1;
 -int tries = 3;
 +int tries = -1;
 int lookup_counter = 0;
 static char servercookie[256];
@@ -1330,6 +1330,17 @@ setup_system(bool ipv4only, bool ipv6only) {
 		ndots = irs_resconf_getndots(resconf);
 		debug("ndots is %d.", ndots);
 	}
 +	if (timeout == 0) {
 +		timeout = irs_resconf_gettimeout(resconf);
 +		debug("timeout is %d.", timeout);
 +	}
 +	if (tries == -1) {
 +		tries = irs_resconf_getattempts(resconf);
 +		if (tries == 0) {
 +			tries = 3;
 +		}
 +		debug("retries is %d.", tries);
 +	}
 	/* If user doesn't specify server use nameservers from resolv.conf. */
 	if (ISC_LIST_EMPTY(server_list)) {
 diff --git a/lib/irs/include/irs/resconf.h b/lib/irs/include/irs/resconf.h
 index 424b795..74fc84a 100644
 --- a/lib/irs/include/irs/resconf.h
 +++ b/lib/irs/include/irs/resconf.h
@@ -113,6 +113,26 @@ irs_resconf_getndots(irs_resconf_t *conf);
  *\li	'conf' is a valid resconf object.
  */
 +unsigned int
 +irs_resconf_getattempts(irs_resconf_t *conf);
 +/*%<
 + * Return the 'attempts' value stored in 'conf'.
 + *
 + * Requires:
 + *
 + *\li	'conf' is a valid resconf object.
 + */
 +
 +unsigned int
 +irs_resconf_gettimeout(irs_resconf_t *conf);
 +/*%<
 + * Return the 'timeout' value stored in 'conf'.
 + *
 + * Requires:
 + *
 + *\li	'conf' is a valid resconf object.
 + */
 +
 ISC_LANG_ENDDECLS
 #endif /* IRS_RESCONF_H */
 diff --git a/lib/irs/resconf.c b/lib/irs/resconf.c
 index 096064b..dd51d71 100644
 --- a/lib/irs/resconf.c
 +++ b/lib/irs/resconf.c
@@ -80,6 +80,13 @@
 #define RESCONFMAXLINELEN     256U /*%< max size of a line */
 #define RESCONFMAXSORTLIST    10U  /*%< max 10 */
 +#define CHECK(op)                            \
 +	do {                                 \
 +		result = (op);               \
 +		if (result != ISC_R_SUCCESS) \
 +			goto cleanup;        \
 +	} while (0)
 +
 /*!
  * configuration data structure
  */
@@ -114,6 +121,10 @@ struct irs_resconf {
 	uint8_t resdebug;
 	/*%< set to n in 'options ndots:n' */
 	uint8_t ndots;
 +	/*%< set to n in 'options attempts:n' */
 +	uint8_t attempts;
 +	/*%< set to n in 'options timeout:n' */
 +	uint8_t timeout;
 };
 static isc_result_t
@@ -176,8 +187,8 @@ eatwhite(FILE *fp) {
  */
 static int
 getword(FILE *fp, char *buffer, size_t size) {
 +	char *p = NULL;
 	int ch;
 -	char *p;
 	REQUIRE(buffer != NULL);
 	REQUIRE(size > 0U);
@@ -457,11 +468,26 @@ resconf_parsesortlist(irs_resconf_t *conf, FILE *fp) {
 	return (ISC_R_SUCCESS);
 }
 +static isc_result_t
 +resconf_optionnumber(const char *word, uint8_t *number) {
 +	char *p;
 +	long n;
 +
 +	n = strtol(word, &p, 10);
 +	if (*p != '\0') { /* Bad string. */
 +		return (ISC_R_UNEXPECTEDTOKEN);
 +	}
 +	if (n < 0 || n > 0xff) { /* Out of range. */
 +		return (ISC_R_RANGE);
 +	}
 +	*number = n;
 +	return (ISC_R_SUCCESS);
 +}
 +
 static isc_result_t
 resconf_parseoption(irs_resconf_t *conf, FILE *fp) {
 	int delim;
 -	long ndots;
 -	char *p;
 +	isc_result_t result = ISC_R_SUCCESS;
 	char word[RESCONFMAXLINELEN];
 	delim = getword(fp, word, sizeof(word));
@@ -473,14 +499,11 @@ resconf_parseoption(irs_resconf_t *conf, FILE *fp) {
 		if (strcmp("debug", word) == 0) {
 			conf->resdebug = 1;
 		} else if (strncmp("ndots:", word, 6) == 0) {
 -			ndots = strtol(word + 6, &p, 10);
 -			if (*p != '\0') { /* Bad string. */
 -				return (ISC_R_UNEXPECTEDTOKEN);
 -			}
 -			if (ndots < 0 || ndots > 0xff) { /* Out of range. */
 -				return (ISC_R_RANGE);
 -			}
 -			conf->ndots = (uint8_t)ndots;
 +			CHECK(resconf_optionnumber(word + 6, &conf->ndots));
 +		} else if (strncmp("attempts:", word, 9) == 0) {
 +			CHECK(resconf_optionnumber(word + 9, &conf->attempts));
 +		} else if (strncmp("timeout:", word, 8) == 0) {
 +			CHECK(resconf_optionnumber(word + 8, &conf->timeout));
 		}
 		if (delim == EOF || delim == '\n') {
@@ -490,7 +513,8 @@ resconf_parseoption(irs_resconf_t *conf, FILE *fp) {
 		}
 	}
 -	return (ISC_R_SUCCESS);
 +cleanup:
 +	return (result);
 }
 static isc_result_t
@@ -532,6 +556,8 @@ irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp) {
 	conf->sortlistnxt = 0;
 	conf->resdebug = 0;
 	conf->ndots = 1;
 +	conf->attempts = 3;
 +	conf->timeout = 0;
 	for (i = 0; i < RESCONFMAXSEARCH; i++) {
 		conf->search[i] = NULL;
 	}
@@ -687,3 +713,17 @@ irs_resconf_getndots(irs_resconf_t *conf) {
 	return ((unsigned int)conf->ndots);
 }
 +
 +unsigned int
 +irs_resconf_getattempts(irs_resconf_t *conf) {
 +	REQUIRE(IRS_RESCONF_VALID(conf));
 +
 +	return ((unsigned int)conf->attempts);
 +}
 +
 +unsigned int
 +irs_resconf_gettimeout(irs_resconf_t *conf) {
 +	REQUIRE(IRS_RESCONF_VALID(conf));
 +
 +	return ((unsigned int)conf->timeout);
 +}
 -- 
 2.35.3
--- a/bind-9.5-PIE.patch
+++ b/bind-9.5-PIE.patch
@ -1,30 +1,20 @@
-diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
+diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am
-index eb622d1..37053a7 100644
+index 7065a90..e2e485b 100644
--- a/bin/named/Makefile.in
+--- a/bin/named/Makefile.am
-+++ b/bin/named/Makefile.in
+++ b/bin/named/Makefile.am
-@@ -117,8 +117,12 @@ SRCS =		builtin.c config.c control.c \
+@@ -32,6 +32,7 @@ AM_CPPFLAGS +=				\
- 		tkeyconf.c tsigconf.c zoneconf.c \
+ endif HAVE_LIBXML2
 		${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
-+EXT_CFLAGS = -fpie
+ AM_CPPFLAGS +=						\
 +	-fpie                                           \
 	-DNAMED_LOCALSTATEDIR=\"${localstatedir}\"	\
 	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
@@ -122,5 +123,7 @@ named_LDADD +=					\
 	$(LIBNGHTTP2_LIBS)
 endif HAVE_LIBNGHTTP2
 +AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
 +
- @BIND9_MAKE_RULES@
+ MAINTAINERCLEANFILES =				\
- 
+ 	named.conf.rst
 +LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
 +
 main.@O@: main.c
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
 		-DVERSION=\"${VERSION}\" \
 diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
 index fd9ca8d..f1c102c 100644
 --- a/bin/named/unix/Makefile.in
 +++ b/bin/named/unix/Makefile.in
@@ -11,6 +11,8 @@ srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 +EXT_CFLAGS = -fpie
 +
 @BIND9_MAKE_INCLUDES@
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/../include \
--- a/bind-9.5-dlz-64bit.patch
+++ b/bind-9.5-dlz-64bit.patch
@ -1,53 +0,0 @@
 diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
 index 47525af..eefe3c3 100644
 --- a/contrib/dlz/config.dlz.in
 +++ b/contrib/dlz/config.dlz.in
@@ -17,6 +17,13 @@
 #
 dlzdir='${DLZ_DRIVER_DIR}'
 +AC_MSG_CHECKING([for target libdir])
 +AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}],
 +	[target_lib=lib64],
 +	[target_lib=lib],
 +)
 +AC_MSG_RESULT(["$target_lib"])
 +
 #
 # Private autoconf macro to simplify configuring drivers:
 #
@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in
 					then
 						break
 					fi
 -				elif test -f "$dd/lib/lib${d}.so"
 +				elif test -f "$dd/${target_lib}/lib${d}.so"
 				then
 -					dlz_bdb_libs="-L${dd}/lib -l${d}"
 +					dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
 					break
 				fi
 			done
@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in
 	*)
 		DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
 				[-I$use_dlz_ldap/include],
 -				[-L$use_dlz_ldap/lib -lldap -llber])
 +				[-L$use_dlz_ldap/${target_lib} -lldap -llber])
 		AC_MSG_RESULT(
 [using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
@@ -432,11 +439,11 @@ then
 		odbcdirs="/usr /usr/local /usr/pkg"
 		for d in $odbcdirs
 		do
 -			if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
 +			if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
 			then
 				use_dlz_odbc=$d
 				dlz_odbc_include="-I$use_dlz_odbc/include"
 -				dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
 +				dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
 				break
 			fi
 		done
--- a/bind-9.9.1-P2-dlz-libdb.patch
+++ b/bind-9.9.1-P2-dlz-libdb.patch
@ -1,31 +0,0 @@
 diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in
 --- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb	2014-08-04 12:33:09.320735111 +0200
 +++ bind-9.10.1b1/contrib/dlz/config.dlz.in	2014-08-04 12:41:46.888241910 +0200
@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in
 			# Check other locations for includes.
 			# Order is important (sigh).
 -			bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
 +			bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
 			# include a blank element first
 			for d in "" $bdb_incdirs
 			do
@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in
 			bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
 			for d in $bdb_libnames
 			do
 -				if test "$dd" = "/usr"
 +				if test -f "$dd/${target_lib}/lib${d}.so"
 				then
 -					AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}")
 -					if test $dlz_bdb_libs != "yes"
 -					then
 -						break
 -					fi
 -				elif test -f "$dd/${target_lib}/lib${d}.so"
 -				then
 -					dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
 +					dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
 					break
 				fi
 			done
--- a/bind.spec
+++ b/bind.spec
@ -9,15 +9,19 @@
 %bcond_without GSSTSIG
 # it is not possible to build the package without PKCS11 sub-package
 # due to extensive changes to Makefiles
-%bcond_without PKCS11
+%bcond_with PKCS11 # TODO: Remove
 %bcond_without JSON
 # FIXME: Not ready. Should it be worked on?
 %bcond_without DLZ
 # New MaxMind GeoLite support
 %bcond_without GEOIP2
 # Disabled temporarily until kyua is fixed on rawhide, bug #1926779
 %bcond_without UNITTEST
 %bcond_without DNSTAP
 %bcond_without LMDB
 %bcond_without DOC
 # Because of issues with PDF rebuild, include only HTML pages
 # Current error: unable top find isc-logo.pdf
 %if 0%{?fedora}
 # RHEL and ELN do not have all required packages
 %bcond_without DOCPDF
@ -47,18 +51,26 @@
 # lib*.so.X versions of selected libraries no longer provided,
 # lib*-%%{version}-RH.so is provided as an internal implementation detail
 # Upstream package name
 %global upname bind
 %define upname_compat() \
 %if "%{name}" != "%{upname}" \
 Provides: %1 = %{epoch}:%{version}-%{release} \
 Obsoletes: %1 < 32:9.17.0 \
 Conflicts: %1 \
 %endif
 Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Name:     bind
 License:  MPLv2.0
-Version:  9.16.30
+Version:  9.18.4
 Release:  2%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
-Source0:  https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz
+Source0:  https://downloads.isc.org/isc/bind9/%{version}/%{upname}-%{version}.tar.xz
 Source1:  named.sysconfig
-Source2:  https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz.asc
+Source2:  https://downloads.isc.org/isc/bind9/%{version}/%{upname}-%{version}.tar.xz.asc
 Source3:  named.logrotate
 Source4:  https://downloads.isc.org/isc/pgpkeys/codesign2021.txt
 Source16: named.conf
@ -84,27 +96,11 @@ Source47: named-pkcs11.service
 Source48: setup-named-softhsm.sh
 Source49: named-chroot.files
 # Make PKCS11 used only for pkcs11 parts
 Patch1:  bind-9.14-config-pkcs11.patch
 # Fedora specific patch to distribute native-pkcs#11 functionality
 Patch2:  bind-9.10-dist-native-pkcs11.patch
 # Do not use isc-pkcs11.
 Patch3:  bind-9.11-kyua-pkcs11.patch
 # Common patches
-Patch18: bind-9.5-PIE.patch
+# FIXME: Is this still required?
-Patch19: bind-9.16-redhat_doc.patch
+Patch10: bind-9.5-PIE.patch
-Patch20: bind-9.5-dlz-64bit.patch
+Patch16: bind-9.16-redhat_doc.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5601
 Patch21: bind93-rh490837.patch
 Patch22: bind-9.11-fips-tests.patch
 Patch24: bind-9.9.1-P2-dlz-libdb.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/2689
 Patch25:bind-9.11-rh1666814.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5273
 Patch27: bind-9.16-resolv.conf-options-timeout.patch
 Patch28: bind-9.16-resolv.conf-options-timeout-test.patch
 %{?systemd_ordering}
 Requires:       coreutils
@ -112,22 +108,23 @@ Requires(pre):  shadow-utils
 Requires(post): shadow-utils
 Requires(post): glibc-common
 Requires(post): grep
-Requires:       bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires:       %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 # This wild require should satisfy %%selinux_set_boolean macro only
 # in case it needs to be used
 Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls))
 Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls))
-Recommends:     bind-utils bind-dnssec-utils
+Recommends:     %{name}-utils %{name}-dnssec-utils
 %upname_compat %{upname}
 BuildRequires:  gcc, make
 BuildRequires:  openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
 BuildRequires:  libidn2-devel, libxml2-devel
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  selinux-policy
 # needed for %%{__python3} macro
 BuildRequires:  python3-devel
 BuildRequires:  python3-ply
 BuildRequires:  findutils sed
 BuildRequires:  libnghttp2-devel
 %if 0%{?fedora}
 BuildRequires:  jemalloc-devel
 BuildRequires:  gnupg2
 %endif
 BuildRequires:  libuv-devel
@ -136,7 +133,7 @@ BuildRequires:  openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-d
 %endif
 %if %{with UNITTEST}
 # make unit dependencies
-BuildRequires:  libcmocka-devel kyua
+BuildRequires:  libcmocka-devel
 %endif
 %if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
 BuildRequires:  softhsm
@ -185,9 +182,9 @@ tools for verifying that the DNS server is operating properly.
 %if %{with PKCS11}
 %package pkcs11
 Summary: Bind with native PKCS#11 functionality for crypto
-Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
-Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
-Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Recommends: softhsm
 %description pkcs11
@ -195,21 +192,27 @@ This is a version of BIND server built with native PKCS#11 functionality.
 It is important to have SoftHSM v2+ installed and some token initialized.
 For other supported HSM modules please check the BIND documentation.
 # TODO: Those utils can be used also without pkcs11 variant, but are not?
 %package pkcs11-utils
 Summary: Bind tools with native PKCS#11 for using DNSSEC
-Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Obsoletes: %{name}-pkcs11 < 32:9.9.4-16.P2
-Obsoletes: bind-pkcs11 < 32:9.9.4-16.P2
+Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release}
-Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release}
+%if %{with PKCS11}
 Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
 %endif
 %description pkcs11-utils
 This is a set of PKCS#11 utilities that when used together create rsa
-keys in a PKCS11 keystore. Also utilities for working with DNSSEC
+keys in a PKCS11 keystore.
 %if %{with PKCS11}
 Also utilities for working with DNSSEC
 compiled with native PKCS#11 functionality are included.
 %endif
 %package pkcs11-libs
 Summary: Bind libraries compiled with native PKCS#11
-Requires: bind-license = %{epoch}:%{version}-%{release}
+Requires: %{name}-license = %{epoch}:%{version}-%{release}
-Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 %description pkcs11-libs
 This is a set of BIND libraries (dns, isc) compiled with native PKCS#11
@ -217,8 +220,8 @@ functionality.
 %package pkcs11-devel
 Summary: Development files for Bind libraries compiled with native PKCS#11
-Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
-Requires: bind-devel%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
 %description pkcs11-devel
 This a set of development files for BIND libraries (dns, isc) compiled
@ -227,13 +230,13 @@ with native PKCS#11 functionality.
 %package libs
 Summary: Libraries used by the BIND DNS packages
-Requires: bind-license = %{epoch}:%{version}-%{release}
+Requires: %{name}-license = %{epoch}:%{version}-%{release}
-Provides: bind-libs-lite = %{epoch}:%{version}-%{release}
+Provides: %{name}-libs-lite = %{epoch}:%{version}-%{release}
-Obsoletes: bind-libs-lite < 32:9.16.13
+Obsoletes: %{name}-libs-lite < 32:9.16.13
 %description libs
 Contains heavyweight version of BIND suite libraries used by both named DNS
-server and utilities in bind-utils package.
+server and utilities in %{name}-utils package.
 %package license
 Summary:  License of the BIND DNS suite
@ -244,9 +247,10 @@ Contains license of the BIND DNS suite.
 %package utils
 Summary: Utilities for querying DNS name servers
-Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 # For compatibility with Debian package
 Provides: dnsutils = %{epoch}:%{version}-%{release}
 %upname_compat %{upname}-utils
 %description utils
 Bind-utils contains a collection of utilities for querying DNS (Domain
@ -255,37 +259,37 @@ hosts. These tools will provide you with the IP addresses for given
 host names, as well as other information about registered domains and
 network addresses.
-You should install bind-utils if you need to get information from DNS name
+You should install %{name}-utils if you need to get information from DNS name
 servers.
 %package dnssec-utils
 Summary: DNSSEC keys and zones management utilities
-Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
-Recommends: bind-utils
+Recommends: %{name}-utils
-Requires: python3-bind = %{epoch}:%{version}-%{release}
+Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release}
-Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release}
+%upname_compat %{upname}-dnssec-utils
 %description dnssec-utils
-Bind-dnssec-utils contains a collection of utilities for editing
+%{name}-dnssec-utils contains a collection of utilities for editing
 DNSSEC keys and BIND zone files. These tools provide generation,
 revocation and verification of keys and DNSSEC signatures in zone files.
-You should install bind-dnssec-utils if you need to sign a DNS zone
+You should install %{name}-dnssec-utils if you need to sign a DNS zone
 or maintain keys for it.
 %package dnssec-doc
 Summary: Manual pages of DNSSEC utilities
-Requires: bind-license = %{epoch}:%{version}-%{release}
+Requires: %{name}-license = %{epoch}:%{version}-%{release}
 BuildArch:noarch
 %description dnssec-doc
-Bind-dnssec-doc contains manual pages for bind-dnssec-utils.
+%{name}-dnssec-doc contains manual pages for %{name}-dnssec-utils.
 %package devel
 Summary:  Header files and libraries needed for bind-dyndb-ldap
-Provides: bind-lite-devel = %{epoch}:%{version}-%{release}
+Provides: %{name}-lite-devel = %{epoch}:%{version}-%{release}
-Obsoletes: bind-lite-devel < 32:9.16.6-3
+Obsoletes: %{name}-lite-devel < 32:9.16.6-3
-Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa}
 Requires: libcap-devel%{?_isa}
 %if %{with GSSTSIG}
@ -305,7 +309,7 @@ Requires:  libmaxminddb-devel%{?_isa}
 %endif
 %description devel
-The bind-devel package contains full version of the header files and libraries
+The %{name}-devel package contains full version of the header files and libraries
 required for building bind-dyndb-ldap. Upstream no longer supports nor recommends
 bind libraries for third party applications.
@ -314,7 +318,7 @@ Summary:        A chroot runtime environment for the ISC BIND DNS server, named(
 Prefix:         %{chroot_prefix}
 # grep is required due to setup-named-chroot.sh script
 Requires:       grep
-Requires:       bind%{?_isa} = %{epoch}:%{version}-%{release}
+Requires:       %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 %description chroot
 This package contains a tree of files which can be used as a
@ -325,21 +329,21 @@ Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
 %if %{with DLZ}
 %package dlz-filesystem
 Summary: BIND server filesystem DLZ module
-Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 %description dlz-filesystem
 Dynamic Loadable Zones filesystem module for BIND server.
 %package dlz-ldap
 Summary: BIND server ldap DLZ module
-Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 %description dlz-ldap
 Dynamic Loadable Zones LDAP module for BIND server.
 %package dlz-mysql
 Summary: BIND server mysql and mysqldyn DLZ modules
-Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 Provides: %{name}-dlz-mysqldyn = %{epoch}:%{version}-%{release}
 Obsoletes: %{name}-dlz-mysqldyn < 32:9.16.6-3
@ -349,28 +353,16 @@ Contains also mysqldyn module with dynamic DNS updates (DDNS) support.
 %package dlz-sqlite3
 Summary: BIND server sqlite3 DLZ module
-Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 %description dlz-sqlite3
 Dynamic Loadable Zones sqlite3 module for BIND server.
 %endif
 %package -n python3-bind
 Summary:   A module allowing rndc commands to be sent from Python programs
 Requires:  bind-license = %{epoch}:%{version}-%{release}
 Requires:  python3 python3-ply %{?py3_dist:%py3_dist ply}
 BuildArch: noarch
 %{?python_provide:%python_provide python3-bind}
 %{?python_provide:%python_provide python3-isc}
 %description -n python3-bind
 This package provides a module which allows commands to be sent to rndc directly from Python programs.
 %if %{with DOC}
 %package doc
 Summary:   BIND 9 Administrator Reference Manual
-Requires:  bind-license = %{epoch}:%{version}-%{release}
+Requires:  %{name}-license = %{epoch}:%{version}-%{release}
 Requires:  python3-sphinx_rtd_theme
 BuildArch: noarch
@ -392,25 +384,15 @@ in HTML and PDF format.
 # RHEL does not yet support this verification
 %{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE2}' --data='%{SOURCE0}'
 %endif
-%autosetup -n %{name}-%{version} -N
+%autosetup -n %{upname}-%{version} -p1
 %autopatch -p1 -m 18
 %if %{with PKCS11}
 %autopatch -p1 -m 1 -M 1
 cp -r bin/named{,-pkcs11}
 cp -r bin/dnssec{,-pkcs11}
 cp -r lib/dns{,-pkcs11}
 cp -r lib/ns{,-pkcs11}
 %autopatch -p1 -m 2 -M 17
 %endif
 # Sparc and s390 arches need to use -fPIE
 %ifarch sparcv9 sparc64 s390 s390x
-for i in bin/named/{,unix}/Makefile.in; do
+for i in bin/named/Makefile.am; do
  sed -i 's|fpie|fPIE|g' $i
 done
 %endif
 sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/ifconfig.sh
 :;
@ -420,15 +402,12 @@ sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/i
 # normal and pkcs11 unit tests
 %define unit_prepare_build() \
  cp -uv Kyuafile "%{1}/" \
  find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \
  find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \
  find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
  find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
 %define systemtest_prepare_build() \
  cp -Tuav bin/tests "%{1}/bin/tests/" \
  cp -uv version "%{1}" \
 CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
 %if %{with TSAN}
@ -439,10 +418,10 @@ export STD_CDEFINES="$CPPFLAGS"
 sed -i -e \
-'s/RELEASEVER=\(.*\)/RELEASEVER=\1-RH/' \
+'s/([bind_VERSION_EXTRA],\s*\([^)]*\))/([bind_VERSION_EXTRA], \1-RH)/' \
-version
+configure.ac
-libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f
+autoreconf --force --install
 mkdir build
@ -456,8 +435,6 @@ pushd build
 LIBDIR_SUFFIX=
 export LIBDIR_SUFFIX
 %configure \
  --with-python=%{__python3} \
  --with-libtool \
  --localstatedir=%{_var} \
  --with-pic \
  --disable-static \
@ -471,7 +448,6 @@ export LIBDIR_SUFFIX
  --enable-native-pkcs11 \
  --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \
 %endif
  --with-dlopen=yes \
 %if %{with GSSTSIG}
  --with-gssapi=yes \
 %endif
@ -481,7 +457,7 @@ export LIBDIR_SUFFIX
  --with-lmdb=no \
 %endif
 %if %{with JSON}
-  --without-libjson --with-json-c \
+  --with-json-c \
 %endif
 %if %{with DNSTAP}
  --enable-dnstap \
@ -496,9 +472,6 @@ export LIBDIR_SUFFIX
  pushd lib
  SRCLIB="../../../lib"
  (cd dns && ln -s ${SRCLIB}/dns/dnstap.proto)
 %if %{with PKCS11}
  (cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto)
 %endif
  popd
 %endif
@ -512,27 +485,14 @@ fmtutil-user --missing || :
 %make_build
 # Regenerate dig.1 manpage
 pushd bin/dig
 make man
 popd
 pushd bin/python
 make man
 popd
 %if %{with DOC}
  make doc
 %endif
 %if %{with DLZ}
  pushd contrib/dlz/modules
  for DIR in mysql mysqldyn; do
    sed -e 's/@DLZ_DRIVER_MYSQL_INCLUDES@/$(shell mysql_config --cflags)/' \
        -e 's/@DLZ_DRIVER_MYSQL_LIBS@/$(shell mysql_config --libs)/' \
        $DIR/Makefile.in > $DIR/Makefile
  done
  for DIR in filesystem ldap mysql mysqldyn sqlite3; do
-    make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
+    make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS -DPTHREADS=1" LDFLAGS="$LDFLAGS"
  done
  popd
 %endif
@ -639,11 +599,6 @@ install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}
 %if %{with PKCS11}
 install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir}
 %else
 # Not packaged without PKCS11
 find ${RPM_BUILD_ROOT}%{_includedir}/bind9/pk11 ${RPM_BUILD_ROOT}%{_includedir}/bind9/pkcs11 \
  -name '*.h' \! -name site.h -delete
 %endif
 mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
@ -659,14 +614,22 @@ mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
 install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named
 install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files
 pushd ${RPM_BUILD_ROOT}%{_sbindir}
 # Compatibility with previous major versions, only for selected binaries
 for BIN in named-checkconf named-checkzone named-compilezone
 do
  ln -s ../bin/$BIN $BIN
 done
 popd
 %if %{with DLZ}
  pushd build
  pushd contrib/dlz/modules
  for DIR in filesystem ldap mysql mysqldyn sqlite3; do
-    %make_install -C $DIR libdir=%{_libdir}/named
+    %make_install -C $DIR libdir=%{_libdir}/bind
  done
-  pushd ${RPM_BUILD_ROOT}/%{_libdir}/bind
+  pushd ${RPM_BUILD_ROOT}/%{_libdir}/named
-    cp -s ../named/dlz_*.so .
+    cp -s ../bind/dlz_*.so .
  popd
  mkdir -p doc/{mysql,mysqldyn}
  cp -p mysqldyn/testing/README doc/mysqldyn/README.testing
@ -676,9 +639,6 @@ install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files
  popd
 %endif
 # Install isc/errno2result.h header
 install -m 644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/bind9/isc
 # Remove libtool .la files:
 find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';
@ -708,15 +668,15 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man8/named-nzd2nzf.8* || true
 pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
 ln -s ddns-confgen.8.gz tsig-keygen.8.gz
-ln -s named-checkzone.8.gz named-compilezone.8.gz
+popd
 pushd ${RPM_BUILD_ROOT}%{_mandir}/man1
 ln -s named-checkzone.1.gz named-compilezone.1.gz
 popd
 %if %{with DOC}
 mkdir -p ${RPM_BUILD_ROOT}%{_pkgdocdir}
 cp -a build/doc/arm/_build/html ${RPM_BUILD_ROOT}%{_pkgdocdir}
 rm -rf ${RPM_BUILD_ROOT}%{_pkgdocdir}/html/.{buildinfo,doctrees}
 # Backward compatible link to 9.11 documentation
 (cd ${RPM_BUILD_ROOT}%{_pkgdocdir} && ln -s html/index.html Bv9ARM.html)
 # Share static data from original sphinx package
 for DIR in %{python3_sitelib}/sphinx_rtd_theme/static/*
 do
@ -729,7 +689,7 @@ do
 done
 %endif
 %if %{with DOCPDF}
-cp -a build/doc/arm/Bv9ARM.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir}
+cp -p build/doc/arm/_build/latex/Bv9ARM.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir}
 %endif
 # Ghost config files:
@ -795,7 +755,7 @@ else
    /sbin/usermod -s /sbin/nologin named
  fi
  # Checkconf will parse out comments
-  if /usr/sbin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key
+  if /usr/bin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key
  then
    echo "Replacing obsolete named.iscdlv.key with named.root.key..."
    if cp -Rf --preserve=all --remove-destination /etc/named.conf /etc/named.conf.rpmbackup; then
@ -880,10 +840,10 @@ fi;
 %files
 # TODO: Move from lib/bind to lib/named, as used by upstream
 # FIXME: current build targets filters into %%_libdir/bind again?
 %dir %{_libdir}/bind
 %{_libdir}/bind/filter*.so
 %dir %{_libdir}/named
 %{_libdir}/named/*.so
 %exclude %{_libdir}/named/dlz_*.so
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named
 %config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key
 %config(noreplace) %{_sysconfdir}/logrotate.d/named
@ -891,12 +851,13 @@ fi;
 %{_sysconfdir}/rwtab.d/named
 %{_unitdir}/named.service
 %{_unitdir}/named-setup-rndc.service
-%{_sbindir}/named-journalprint
+%{_bindir}/named-journalprint
-%{_sbindir}/named-checkconf
+%{_bindir}/named-checkconf
 %{_bindir}/named-rrchecker
 %{_bindir}/mdig
 %{_sbindir}/named
 %{_sbindir}/rndc*
 %{_sbindir}/named-checkconf
 %{_libexecdir}/generate-rndc-key.sh
 %{_mandir}/man1/mdig.1*
 %{_mandir}/man1/named-rrchecker.1*
@ -904,11 +865,11 @@ fi;
 %{_mandir}/man5/rndc.conf.5*
 %{_mandir}/man8/rndc.8*
 %{_mandir}/man8/named.8*
-%{_mandir}/man8/named-checkconf.8*
+%{_mandir}/man1/named-checkconf.1*
 %{_mandir}/man8/rndc-confgen.8*
-%{_mandir}/man8/named-journalprint.8*
+%{_mandir}/man1/named-journalprint.1*
-%{_mandir}/man8/filter-aaaa.8.gz
+%{_mandir}/man8/filter-*.8.gz
-%doc CHANGES README named.conf.default
+%doc CHANGES README.md named.conf.default
 %doc sample/
 # Hide configuration
@ -958,7 +919,9 @@ fi;
 %{_bindir}/arpaname
 %{_sbindir}/ddns-confgen
 %{_sbindir}/tsig-keygen
-%{_sbindir}/nsec3hash
+%{_bindir}/nsec3hash
 %{_bindir}/named-checkzone
 %{_bindir}/named-compilezone
 %{_sbindir}/named-checkzone
 %{_sbindir}/named-compilezone
 %if %{with DNSTAP}
@ -966,8 +929,8 @@ fi;
 %{_mandir}/man1/dnstap-read.1*
 %endif
 %if %{with LMDB}
-%{_sbindir}/named-nzd2nzf
+%{_bindir}/named-nzd2nzf
-%{_mandir}/man8/named-nzd2nzf.8*
+%{_mandir}/man1/named-nzd2nzf.1*
 %endif
 %{_mandir}/man1/host.1*
 %{_mandir}/man1/nsupdate.1*
@ -977,21 +940,21 @@ fi;
 %{_mandir}/man1/arpaname.1*
 %{_mandir}/man8/ddns-confgen.8*
 %{_mandir}/man8/tsig-keygen.8*
-%{_mandir}/man8/nsec3hash.8*
+%{_mandir}/man1/nsec3hash.1*
-%{_mandir}/man8/named-checkzone.8*
+%{_mandir}/man1/named-checkzone.1*
-%{_mandir}/man8/named-compilezone.8*
+%{_mandir}/man1/named-compilezone.1*
 %{_sysconfdir}/trusted-key.key
 %files dnssec-utils
-%{_sbindir}/dnssec*
+%{_bindir}/dnssec*
 %if %{with PKCS11}
 %exclude %{_sbindir}/dnssec*pkcs11
 %endif
 %files dnssec-doc
-%{_mandir}/man8/dnssec*.8*
+%{_mandir}/man1/dnssec*.1*
 %if %{with PKCS11}
-%exclude %{_mandir}/man8/dnssec*-pkcs11.8*
+%exclude %{_mandir}/man1/dnssec*-pkcs11.1*
 %endif
 %files devel
@ -1010,8 +973,6 @@ fi;
 %{_includedir}/bind9/dst
 %{_includedir}/bind9/irs
 %{_includedir}/bind9/isc
 %dir %{_includedir}/bind9/pk11
 %{_includedir}/bind9/pk11/site.h
 %{_includedir}/bind9/isccfg
 %files chroot
@ -1059,22 +1020,21 @@ fi;
 %{_libexecdir}/setup-named-softhsm.sh
 %files pkcs11-utils
-%{_sbindir}/dnssec*pkcs11
+%{_bindir}/pkcs11-destroy
-%{_sbindir}/pkcs11-destroy
+%{_bindir}/pkcs11-keygen
-%{_sbindir}/pkcs11-keygen
+%{_bindir}/pkcs11-list
-%{_sbindir}/pkcs11-list
+%{_bindir}/pkcs11-tokens
-%{_sbindir}/pkcs11-tokens
+%{_mandir}/man1/pkcs11-*.1*
-%{_mandir}/man8/pkcs11*.8*
+%if %{with PKCS11}
-%{_mandir}/man8/dnssec*-pkcs11.8*
+%{_bindir}/dnssec*pkcs11
 %{_mandir}/man1/dnssec*-pkcs11.1*
 %endif
 %files pkcs11-libs
 %{_libdir}/libdns-pkcs11-%{version}*.so
 %{_libdir}/libns-pkcs11-%{version}*.so
 %files pkcs11-devel
 %{_includedir}/bind9/pk11/*.h
 %exclude %{_includedir}/bind9/pk11/site.h
 %{_includedir}/bind9/pkcs11
 %{_libdir}/libdns-pkcs11.so
 %{_libdir}/libns-pkcs11.so
 %endif
@ -1099,14 +1059,9 @@ fi;
 %endif
 %files -n python3-bind
 %{python3_sitelib}/*.egg-info
 %{python3_sitelib}/isc/
 %if %{with DOC}
 %files doc
 %dir %{_pkgdocdir}
 %doc %{_pkgdocdir}/Bv9ARM.html
 %doc %{_pkgdocdir}/html
 %endif
 %if %{with DOCPDF}
@ -1114,6 +1069,9 @@ fi;
 %endif
 %changelog
 * Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-1
 - Update to 9.18.4 (#2057493)
 * Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.16.30-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
--- a/bind93-rh490837.patch
+++ b/bind93-rh490837.patch
@ -1,34 +0,0 @@
 diff --git a/lib/isc/lex.c b/lib/isc/lex.c
 index cd44fe3..5b7c539 100644
 --- a/lib/isc/lex.c
 +++ b/lib/isc/lex.c
@@ -27,6 +27,8 @@
 #include <isc/string.h>
 #include <isc/util.h>
 +#include "../errno2result.h"
 +
 typedef struct inputsource {
 	isc_result_t result;
 	bool is_file;
@@ -422,7 +424,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 #endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */
 				if (c == EOF) {
 					if (ferror(stream)) {
 -						source->result = ISC_R_IOERROR;
 +						source->result = isc__errno2result(errno);
 						result = source->result;
 						goto done;
 					}
 diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
 index e3e2644..5e58600 100644
 --- a/lib/isc/unix/errno2result.c
 +++ b/lib/isc/unix/errno2result.c
@@ -37,6 +37,7 @@ isc___errno2result(int posixerrno, bool dolog, const char *file,
 	case EINVAL: /* XXX sometimes this is not for files */
 	case ENAMETOOLONG:
 	case EBADF:
 +	case EISDIR:
 		return (ISC_R_INVALIDFILE);
 	case ENOENT:
 		return (ISC_R_FILENOTFOUND);
--- a/codesign2019.txt
+++ b/codesign2019.txt
@ -0,0 +1,252 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Comment: GPGTools - http://gpgtools.org
 mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m
 r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk
 pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI
 yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG
 ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0
 /hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh
 qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF
 UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv
 SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D
 o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt
 LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB
 tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
 LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln
 EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB
 Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA
 1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj
 tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+
 5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn
 Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF
 JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI
 hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa
 xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd
 gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX
 pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP
 vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf
 6f2op3tMiQEzBBABCAAdFiEEFcm6uMUTPAcGawLtlumWUDlMmawFAlwuSqAACgkQ
 lumWUDlMmaz+igf/ZW8OY5aWjRk7QiXp93jkWRIbMi8kB9jW5u6tfYXFjMADpqiQ
 yYdzEHFayRF92PQwj81UzIWzOWjErFWLDE2xol9sP5LdzeqoyED+XTqKggpVsIs+
 Lq672qnumQoZKp1YGb8MDocU2DNg/VsMdi7kCnEnPbcSuBxksmxGYomusXNrAF94
 1OJ2sqd9BuFamLIyn8XUCGGYlsvMoe4kTCg6Cc1sQvx0lDG8urKN57jBKWbP4alV
 +JBV5KQcf74gzPmE3ypgY1tMEwxyH/WyS9ekDbai0qauX6eUAsM1bduH8fIcknLS
 Zl5hrJTrzWFF9/DKOth8QOwhJ9zoIF1fcAsx9okBMwQQAQgAHRYhBHpqR7X54SM6
 0lUrXL2X3GOe6MR7BQJcLktcAAoJEL2X3GOe6MR7jwEH/iaolMeno1oeWAgzN6Mg
 bx3maweh/9Vqty1fwk7Crq1G78X5i1OCkknEL2p0Bfle4ApwcC4HZVcqCgoYpRV3
 /EEXtwkMNy3plWdBbLCQSev/E1D39GzgAHiMnv7NUJnkoJbvMrvrAiUTXPTtARMM
 gjEpvgEs60wuJxS8ESomRhe/KW4myxDoBxF+K+e5bOkOvvWVcAYJHWZ1BIZs4n6b
 +C2vO8q5aKTkQ/XvNT7utbTOqj1SGhItRaAQKXHBdzkQ1Et3wTA4+uRg4gK12624
 9LperYs26w9X9UzApl+qVxQhtWUw3tnUXMastDfQrRcvJgq1xpv++OqX5Uc93RTf
 SNWJAjMEEAEIAB0WIQS+DpdItxglOii7if/xsRvwXPAuVwUCXC5LlQAKCRDxsRvw
 XPAuV29KEACEwlTVVKe4gnBYHnlAD7csoQ0+gJ6C+Ofzlw+UItRIcFeVCAknSGBs
 NPxr9JStIvKpmsbSKpCNUEAYnRP2immh94y/C6BuTe1uUUmqBGr1f4OAUwZpmI29
 ixYeY/uUs9FZO3bS0/WtG46tdcJK41qtM0DYAGT3oeZhJMTW15dfvMGlFukauSOU
 +BbR+6sZhqdbWl/AOTE/6x5otnAaW0GObY/BW240Xq/KTgBrzVdK5qNoYsMVsiTd
 0im0JKvFG08ED+ZfcILhlO6G9jRhoTkhtYuf8CKN1dPf2IoB5FrRFf0xqRr9hNlk
 X7ViNMP9OPb8i3BubWvRi5rNSquCwrFATSiAgaA9Yi1BNzQsmQxOql9lsh7eCH7m
 +8zzUg9umWI6PkSv8vHBo2kPX73wmtEsF6vxJlk0yDBuQw7y0uuKh406tEEk4cP2
 8U4baq+ihpioupDhNuEII1h1Eh/RBE408RAOpcr+2F0m/fKOoJyz7u+AxyV81Ia6
 fyBnUfZnlfKo16w87c1HJRs9dKkRa5yGziBf9TcED3sru58Pftes2Nr80/iOh26i
 P2pRihcIyrmeAqDWnneErVCmPMDTe6zkMrm/0iZ25/Jfq+M8IHEzFEw3Y1FBOeFg
 9TyMDwYG2biJPTNTDO0BQ+Rrvs4SjFWEYSxgJSvG1jMfSPt5AR6MJrkCDQRcKvQU
 ARAAufZX5WzJr0lZAhxaGpHY6JMBr4jVOCP4TrDZhwC2K4CXNM/PLLNisWzquiWa
 FvUDhB89kCxrEhipwVFYhBr16CDQxrr8yhah3RIxrBMYhRTxgIAkANgkhGWfDJSE
 zXauA7krYtS3rYwhfXe4cNsTkLPbnMUlyLJcqj2wnZcZIt97aL+NFRPyfIw1KfUb
 9u3tB9seDYbvTEULeL07aTnHpWM5f3bTwJrJ2OFPzXseCCzPiVNh3Bv+YtJ1pMTr
 c/UHO5DoJuHLsF0wicPSrpD0twspFdR/0rT6eNycsaCtV4GQzBcMPvY7qai5XrZm
 Cqgluo1W6l6+F5YrKvRMtyyFkUNGcPywdjSlP44JyRrS2uzvFUViSsJArcmFG2TJ
 LCohnse8wqjw0dIUVbmDbE4zjaG56zkvu0k+04Wwp3XPgOZrbl6cbhX3yLhu/Gt0
 dzd9EReoNfKXk32hBzKas/vdeB5DZejbOOOWYftqyZC1LvDvvrYFhFK6VGozfZ6L
 Fml1hzn+xPahp5tRv93/T9zXeVPm9zilGMqm/gjRgh8ojWxNQoNzJyqTPWIvWmbu
 EIP3T3cTFq6lJpJsg3+sfzofGWZCGnBZQGqm8rEOoUWiaKe1BvQCX1x8p4/x8/tX
 TaVDpQCGoqxXt09plkDuGMuiDICxBlaHWUR2jLoHc2cLrB8AEQEAAYkCPAQYAQgA
 JhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcKvQUAhsMBQkD7JcAAAoJEHS7a5pM
 uz04pB8P/Amfg54IFeALiPOrKbjC3bVAQzrsf09IL8sUln/LCZIx9HgGAJj/f35S
 Q35sK2ucjWiDX6qCxVrWmC6caQXFgXOFSKIlqladmmgj4sIdLM5wj4nbomHChpB5
 rqV/GgkFwWBQ3kPCatXvc8Bg+zKJ+wXgTuPFXefyE9R+SLuas2grQ9hAjvTGHYbq
 iYxSlNDFc1aHLAQ3bS76351MHuMHOpLzoB0OkZDCVNW4GNEqrLbINdr50RAK+Loo
 Z2UBIobEZjXYor9A2FWkSvdjyz6X1QKMdQMath6R91k/O0abBa7ly4/805eAGXM3
 w1Xf2eMlpiUs69BeYoJBklK8aNMntpDREunJjhiPU4JoDzSxl5Qv7LuXylyo0YJA
 9YmydKhTTcRdwsKc//nGr/ckg4BRl+VbtJBYvd3xGB7IQ+pT/TOakv9qCospAhr3
 EQjVP/XpnWJRd+x+dq8UXqwWmTenWDE42cNr7BDFJdOqS5ZWy4sIz4sdjpSxXMB9
 8iiRtKSpKRCJgXScB7SYebh835EgG2YyQGdhJMO7C6ok9POYQBqL8sBqRzImJKoT
 VDvOH42WArKwJWTHa4mPdiDHEIZlkONerec3JXtl4Mfv8cwZ5Lb8fSiB/x8AWvqs
 puc/7hQtkus4TcgutS1fwhAwpnFItpVF6+73CMQrJsblBdTjW0T+uQINBFxbVHwB
 EADebZOJbhPdhHeBPdlZYE3rRjB8scDpWdjrCupfmeTC9MM6JgCE4DEMBtBXk+h1
 +7wfpblYYNFwGVFvytG5nvGRDtHWxwd1Z9O8Fx4Zqu0Fx/wAn7ZL3ryE+tdHR7JK
 7SLxOa2X49T/8LY0U8Q65I4ZRo/b4VMcXApCmncw3QSRqHT/mYdNnf+HHPvi3jza
 md3iVptCS4Iaisc079DFda+htWXspBc13lmPi2vGQkWjjS3B4yO8JackyQPVhpsg
 KYbRBzOH0Kii8bXmyA6O5uIJYEddp5Veged4FE/ej3CrgGP1D0Yk1epx8lLbi9RB
 kwFS7DA5rQ23UnbSy1WyV1ZgPrWqQAWuGpjMTVTWN0ElI3AGxAnE8lZlSXyE+XyV
 uHjjIVrayBjLKVqDuSLdKZeCvI4QsyHH6F0NKJQkngvXxLZYxO6s0c2EFFLzdVWT
 1V9GMP8UsDrrb+JsZjUVmPR1tTP4xqEQG6KjfFoQm5XWpGtFwh91OK1lwf/Bx2/C
 j+PquLLFcj7hEP79VDTUZPQAduTTxIeTzHXH+x1PCHFB10xxH3e82VSdJeBUrJxn
 riXzK50SKTTmF+uYpHqE8Jg1N2Y1n5ksuxeYUy8PFjhAeBCqZ6ZcldUDf4999e/z
 PT8bwfCDr8jRdqJHrq7RxTJiP5RsMudWpKeohzJGwQ5uZwARAQABiQRyBBgBCAAm
 FiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVHwCGwIFCQO9IQACQAkQdLtrmky7
 PTjBdCAEGQEIAB0WIQSVztolaxygoV8wL7WVIaftXazpGAUCXFtUfAAKCRCVIaft
 XazpGPeMEACm9nxA/VKf8RxDo2ZuTgyuSwlR8tCjAE4k3+UoiYUbamkW4pjx9Vgd
 1zC5bNxSWZ5vlJ4CH8ArKFqNK5LBVDZqhYureAo/1Af2b9vRJw0/QQHhuXz/jqeT
 wwrLuKpy796Gpt+aFfcmS0ZC4QXfxJERhAP6tu1p6YmAsSb+bjziQVkKrt9mhOrL
 dtz6WP0Fg1joRj33FgnnLtayHvtgQrNFI3ztCjk/B2FjYZxqbBGfk5gyo0cTE2Fi
 oLhG/XrxIoZepFMJkGYETnYQXrOt2KuJLvawV70YQmG8EqHYY8drKA0XDZs8TVdT
 5cvGvtm8ERz5znsssRBxQMI5Ml6O2ahrXp8Eq4htCzlvO8t2MOtzvqAJRiyAd6bA
 Uo+MGVRpnvePOR1SAgBXCd416rF0iCXc1utZxnqwdq9kJAZ+8mCLx4N4jk6AdGpX
 zcNkLg7QmUzXn75RxZ6GrIUYZJNMlswXq5XhSW4o8ePlaxWjh9+QTtU964AZhpA1
 uoHsKGTBxHJs0w6McZm14kb2PuaO2/rpf8s8IZyc93+Y5O/gHZ6/agBjA9qN6wkQ
 R1d5UhJC4QS/m35rBGBKK9X3fqQxaBCio6Qz+m4A3GchrztJpq+2P+ma5ylsTq5j
 V4njky26WNtrV7+N0C4Moj3I4Qn6YU/eSManTXzHzoiPZCEH/IOxgXIiD/9Zm3Zz
 I+h4NCfSGyP11/w1gEzlTHQ4at/FXIIDh0Y2ZNpWPffuFQLtcER2vyKPwhDYpGMy
 NNHXks4azfrXVCv0wmSNBbeS8pJrYtopZpCEBrAbg/YLv9m5lpDSRHaR3gv/qMZ7
 QxY+NwqciqTwGq68PuF4mDSvtfuFmbEES9Iybiie+eL/6DU2knfBjgshUe6vElR+
 LYoPQ45GY2IxRTJ1pMXaZw1+evwH3UvseRGkRygiaBgoU/qR4prynvjMQcacCa+C
 aRnXZJYp/usVBeY0xut9toc9/OcLGoBr5h9l5YjruO2vu8VHou8N0tarVQn3YbQR
 Fi+YtNtclWJa8Pq1AsKRTCFwDwP6eODv6mNOrEFydNRcpiQmzp47VWF/YHRfHzCq
 A1wHLxLUrpQTaVw6J4FqedAQ31aAO4faA7MS+ZMNBqZCZ7lTGC6TvojqqBAN2yX7
 AnnYpZHM+lGpi2/ukVzLqSkGmdNOgbu+UZvoej3YnHYig4yWP+z2xrlJl8bkhU/d
 r9IQE5aRCEPB/JWhHJ2/GqYl9qjshlB52+6X2KDarwptOtzT9ooArYhpMwKIYh34
 c7X8tlAKYk7V5j7txIRFDKKAftC7dM82PntXJxSkWyR70GYnYjiXyrqqerqT7xIC
 mDEQgFOPpy09zFW62paO9uiZw6qwybwqgGpoX7kCDQRcW1TbARAA3ERo2mPv2VVg
 ZUFr4MtPDm4UG00YJW/LYa3D3k0e9tdSScACXprk1sAoxUlQx/CSdErPKwXG4rax
 iN4t5nICUUNYSC0dh09G25jC7nwsWc0AYyZu+h/FzfvpOm3fBwmBlzILlGh0URwH
 Ffj9fHt6hos4C+3PFZZ/X24aMJF/cov1oYi9rqFwt/l0mgtPE88Iyj2/Vp3Lergg
 QMzKfEuyluj9fL2cgU0Qa7oAPXmaxhHtua4cvbM5SXGo3FXjIgzH9OfM+2orebeN
 wH1M3ec6w+nPmRmCJLvPKGOeS7GVXL5/aOyPlDWzSXYnpCKS2ntw4K4nt0IA8n8z
 1db109l/C2noDrDSJEqOo843ShNGTYOMVUrj3a+Y7o2ATc9pNZalf0PwnKas7NDb
 IJ152PEQw665iYXcv2awjLF6W0yuSq8kfiaAxIrsie2Dto0zgqOs0Ot9Y74u11Hh
 wBSHUO3mEZJScAAcI/yDF2PvjvCQSzu4mdXb77t6X2O6YHULz4A7bVQCMazcTDI9
 /S0W2+ixPnnJVnE3xgjK9zuizji8JDJw1hJCQM+yTLVqq9pfvcRfQ6uwpMRzz/O3
 S0zDRiA69/GyfNwkpgz5QaGpY02IK5WrQU1doRjIz4BHAYzoIOkMkRqTtjdElQZw
 /D3wSO2uwsEMNwRzibR/Lz1JF2aGn6EAEQEAAYkEcgQYAQgAJhYhBK4/rHlnEexZ
 /AB6pHS7a5pMuz04BQJcW1TbAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkBCAAd
 FiEE1wyE5ktVjlvM7AchMuIXXx11eioFAlxbVNsACgkQMuIXXx11eiqCfQ//SFDf
 rOIEoslp6n6vlCuavOg02wvjskKQGP1P1Q4v40Fw1Gl87n9uXAoMpeF4H+pzUxOi
 BHYCQi+EemwocSThzaWfPzd3JG/0OcRymf+ZOcBb+58VJL7p88QdMFIAi5J+KMuA
 fEG0zLkc9anEnXoVMmQJX5K+6PyeVDvBbYGjLjQAsWTZTiVuQI0w3WxFtDGWqQII
 8e/qE0DA7c/auGn7j2hid308+FcdfpmLefW9YesWjE1yYvHoCRdFOJ/7Sft4MQCI
 Re7UET3TRMBvtisP2DcqyzGPp22s4ZYFCCJJNiB92bXdEl5zXe4Ff7JTfNE/QrR7
 Wg5R9hZHgHdbp8p8bA3f0y29YCx3puYg7BbmQWiMh3rXWE5b090pSpw0K9BQU3vO
 irr+5/2TaFOJXHl4VF03GrWsSncShCbdsdRIv4TB0lY2mN4q+e7bjlAzJJeoaS97
 GIqu3DBlAJyx/ZwWW23DXXwoQ4jNuJhpl2jaCE7rVQB0uLjbp0i9Zdd4SdYZxmO/
 Y+JfgoJz8eyx8wZi4eDz1ijN0WKsIGjxJH5VUK9STjijDMeG6ZZRLc6b1QCGhe97
 ZbDkEUTdQGoeu4L5Fiqoma13NEsf8ofBDv+myJm/O67Va9JI3gxhIrhmF7LMzQQp
 lYx2peZC1CmhEnn83dtt83mhXvX6Dth657BW/Qd+GQ//SVuTPuNkBXfrTi4dbnv+
 cU6IsoIBodTF/WsQ6h4kbtsPhO5DbrsLNuNumrqVEN8jw+HUsEeNvFNeMrTPdG2V
 87ShQ4BQGkCf+GFRBj0myxxXOFZYQx6RpY5fCe7yOcTzpkbnPWmm7V8HdOuZ0NnL
 JNQ5YogOI6UvXVKv35R9qBo+G9jkhhb0eaAu6BERzKVANKfsGN7545ElZ1qlffMh
 AQhXGb6TsvCeSg2cWGb2cnVL2d58uVukD4PDiq4qqwgClkF3bOO70SIgGrCteHbi
 4Hseopex5m6GqqjoUYXr7QQBwSaQdc+gKtEjMHCsHbUyHRk0qEHdEe+2RmL0d0ra
 QMJfKyYQjcCR7tnrgN4WD1h4NKRdC/KRW31MDmH9XVPrkOMQCUCnArXkOwdKWsKf
 h8af9HqweXOT1FHJN/M3tWaBpv6KoduF2f2pj1VhPZ2EqFUycJ26lrHyOpsynQR6
 +TD+c1uXotDwKN5RW+YL1cydk6mhib64fdOyPUeTcHehjMAFgM2f5wi35Ujcj8id
 37cWOqRsggSbMnGO4AUA/YtcVNG8TjZbakson8ENK7e8q4sEiNFUZ7/CtzNokwHQ
 5uOG1+qB85Y4ImGnIZVeiBpjt73VVawg4Zvm/omtW50P9R+4rVhMJZZFAgrWg8BH
 H/KNznW0vUuShG8B+2FA/eu5Ag0EXFtVDAEQAL5ftI1GgVJEFgX5VsuFnfBnH95c
 zqmwEXaTP4s7Xm3O0Wy579EzRUD1eEw/UaD/q2OHScwvMP65cZYQ9w4hnCN6H96P
 96Teo7LOMCssvSXIO7gqP33LKTqDzsIoAFHwWE3dq1jbyP6T1Je85mr0Edvk8kOC
 B1hudswAARno/7X9zGulhhwuEHk5Iey7R59yRUQqBctdNcetGyaiFjjX0evuVADi
 /z/s07XhDLDt7+3Vglh1/7XGC64QhB9QjZ8j0u7+0xfmLLjhi+7EpkDlAHIJXX1H
 0wAsPOGKlYruQUmIsMNfBINZeulHEBZ4cAd30xsM296DzJ6QL9sAGfYMhRs0YHB/
 EJ10Zv0iw1pU2jCCUv/9Kf4F4nwgHQWQP7JAbfhOIUOUq/YlxjTLnkd25+7vD3KH
 NQ6UiRDROR9Jwetpd/zokpf5O5iTBpVL+sCq+NsTZyDOjITve2sY0V8v10M+Z+pL
 cp/cUZ4JEDS/WJ4/ovBNJP8b+YwN/RBgCjl8UBX/N+e7AA52eYP2H9GK9XPkzSCE
 VxEf5PyjGrwedpoLkzagrHsDuWo3uBquLyneT/ozihqKQAuInUy5B7rWU4mpKHe5
 Vto5o6Zuj+6MgHgIQzRK6Da2ziMNEmroxwZibcYCtUPdvcvxGh+byclnzBclKjOw
 kAalFPx0SxEbHmzPABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9
 OAUCXFtVDAIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBK7WIv4CB360
 tcFGwUKiedJIzcMQBQJcW1UMAAoJEEKiedJIzcMQH+cQAIQYXDnqi4Hl21LtAgky
 pZxug+x/LECVlwkrIfaQF337+fG+H9J7SdU87Sn1Xe/YUgQnF0XP/fjIVFM0e/Tb
 xVlmTFqiejLnIwJJDgUaHO3POT2sGEyO3tc0mqSzyRBxtMQ8yvApccBhL5QODv3h
 hlRWgk5MXU0IPeXw134IWm+o/PRiPBoXPawvVfEVIBlUFaiSZASf4BAiSad4aJQe
 P8PyP7FPvQB1xiib0iSetn6ZmNeN2OSUJPiPA8aE9JCKuFtomVQEDM0BqQDl5A7h
 5O2uyf0Li+/ArqBvfBjrH03e5zbID02dO3D2BjsV3jUeVPQ5WDgVg8LH+nfg/rRy
 wfCsx9zFp1mt3K4xN2v7IKwxGndApgCcx17gsjzMvLz0J7sSGov4MNjzqvGEDKCl
 uUvNKXqy7je9xcQLpoyvWtoWFXWTbQAcK5Vv+hC67r9bHpjI1KuqA8hYqNKxsv7s
 wiLZdd4SK9SIuwf0j8/XTZwmoFfGolJil0ZNxyqBF39+CMVpaHdLM1qKZz99TVzS
 h4obOOjkUjK458xSo0XCbJ4qXYp7PgxyWK6GIbTozbbG/1ldw+LUnqxt8Shf797L
 J9lbI3ICuR2P5PYlKJf3b6D9GyfqyrP387fKAKhHsYkZ1XD54/8wIgTrdfeNPtL0
 1mjWDjw5KvO9kuPBjcmzgt+NrtsQAJwKeZsiqLLcY8kJ9xP+/xtTlh2iVuZMfxwq
 hwlo4MMCzpobLDZ/JKU398m77eboTKJSBfeUYxQd4ATn1L8NLKjLxKAaBkjEk0nN
 8w9OUQbFlhQ/asLzzF7Z9IGGh9/SEgBZ8V67a0O3Qw9Xdi3ARK3bbZ8RIVJ0+P9G
 CGrfq9j4ZmGA2L4irLjsvDAv7CSMb4WBKW8j0Jz5LFMwOMJgG1TT5c6lNqFj6y09
 rZcVLnt8+lUv2Bw3LC0oI1TjFkrrCzIdfg++mPi3K/ZFc50bvnWF4eCOjgZ5U9Vb
 sxFZq3+vTRcIfI9z2lZ9CNDRA1O5jGvuVtEGLiSLF2aJ6kiNriLuuGTlXfg/Fpgh
 GTvyppOTzF7PtHzHBQ/ZjnhWojnc/jyJRwLK8cCl6+EOc887v8BDmqgFWtmycsE2
 5fDJ7UFGP13g/eDL3ZUgMDty5dQaUOTX145t2KT+lMqpY6ZK2EC+eoqrnIGJ+tYy
 0l4RRxi10mbNhuPIIDdph7X+mUHgCeA9gyF0Y+LqiB6CX+zFg7ovLvnCbMPxdGXq
 z7AjfwqZBKI+BVuBeDtyW4onmElCu5cXNKsg3W0IlQlZf9PMDU6Ht0XLUs7EPfbQ
 sH1Vqi1XE1W/tGnkmjcpG/qlt9Gx1uwFGLP6iomqUBc2c0GZ6R1xplXvd3w3yC8d
 8lAgPGImuQINBFxbVToBEADkuxhQx9gxlzzCc0nUu2v82XsD+GzONp9irt14gslx
 te96eKaTXTi0t5eya0X5TIY3wbREwjlfAeM9AfcAmWcsM4izrfPtANM6WOxB2Tbz
 EY2cqv7NBQii7Z5aqPyjcIiT0b0Gs2evlDkn3xEBBqTSrNcnGSA29bZPIkaUb7Qo
 p/Ani0S3/tgcR21gXsJwkgpfNKwvPT03Lz3/o5rXAyag0M/25adgk9SVKNcXc8h2
 HSGv5ENjwUKNNnowVbNLw4287mFUM2Vd6unGJ2MBj7aUwTrfBl7gNV96mMdDJWcB
 hGKYkxUvibuHCa2KH7gTrnV6X7sdrgD5CbJMPq6OZNSP6n6bUVg22eHxoETplFwT
 4NvV3clRMWIAG1XgXR1l99LAh7PPnPMM1pHQGPwYHQskoBFS4g5knzHpB9h9TfZ3
 MM4cDZR5NgWmE0fYVnWe5ax+wW0/IOklUoHv3qoL4yiN9wFJq2oLzUNQd9+tsqiy
 vxSTh8iYmHegyn5KuBPsrMPgvqiKOdalTZKkak9DOx4cGQL2qHspKxiBOb6uox2v
 fjMQ5bDeUn+4DYMdnZNHeywCUegJmDakUtlfvN+136IDHGwfdGcitqzswzd3+PI2
 qlwPE19gkrp9NUaD3Qj2ZtDP7sU2cThc6Gra5KRFW8f98bI77j1Wu6pCnYFLqPz4
 QQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVToCGwIF
 CQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQR5HX64jryNAThDSqwz3zWa56YK
 eQUCXFtVOgAKCRAz3zWa56YKeSWOEADK8u03LESGSQlZQqnnCAI8iYs1s+XRMEnG
 2tAQ1OK7/4eNgr1yZckmaW4FBMgeEgYIBJ7v3SlW7Hf7dE10TYPNGbP6UxVW8HIP
 rA4CINcGZXWWwpS374JNMS6A5eb6viuEgEMEi00jx0MmLvCMZKypmwXQUl5YJ5nB
 ytpQ1681mCQxGBMhT1eKQt3B4nAsoEnP+HnqVM/nKxBemSBNXX+C0b/YeQoLC3sD
 L+Z0NRI8U6PZl9Rokod3uynH0vfBYCEJd6MvsjtnJlVVaseYIA3ESNrFG12tw95I
 wKNrVCANZ1DBSyK4ovmmWsDrH+uFTHSLNjlxIuVxUfmXcLfgcepVCmd/7Z7UrWYr
 SXSvP0VG4ZmEPE7tNb8bfyADftO1cVsmcHBQeSrgvpSrTv9L8MocojpR5vJc1f+a
 sBT7rAeGzZP9riz1GmryXawaZgdLfaaJfzRQkc1uTChb7kMN+UMhVUdCAXmho0XO
 SfcsW84u/LpjdYh2Ww41xQO6EWvbZDNgD/Fdmp8Uh1MqJ1Dejri6kjNn6wPImXJd
 Eu6nHqWDRdYsfT4XUB18tB+4aIpFzCyIgpf7p1uaVU7Oqip5sZkc/WXKr77lV23m
 PQvpGRNCzgU2TJY7ktR3LOvUVN6wNfLMHzeQk18NdmcEGUrJ0YYtl9vE5/Eg9L6x
 LBH9PKt17IQ8D/9DLwQX8pl3fuTM8ZbzIPLxiXhbgzBBTXKRE2u1888+RIq9xE7c
 aVFjwq4qpgqZ5SFonTcG4Pi5ck3mFAzyA5zLRF+ckpmBpwSPMpLwCpv10369D1jh
 AF3JsUwt6DIb2BISMhh2ThSUMSKO75q8GSotsKjJyjD6vl1x4L7WXubTWxEiNuwD
 3kAjFWS1Z1VWtA9SURWAbsDaCV4VmwCCpSIwRr9OTbyu9XuMdMxGNpl8SwW7MVQb
 x4aYNvR7Hl/wIR71AHAXoSfrKp3p12anXjYYASHmbm16ugP4H7HLMBfznKet2f76
 gIxJr1CsAMTSqypcC1UoVb6Gz8djeIR+GU+6efHI4TIUMy5uMIUx8tYbwSEeo/y6
 NnjpJFYYjJa671iSABInNxs4+X+1zrFa+wl45EnaFxziEet2Qzv/VsusoLvLwnYi
 BZckclAS5xoVGFW0WJ01OfLUDHxGMt9GSheL8c+GLMaMtaCWunpmmt9zZ9WdpBOu
 AGluMG1Cee50TrhXaGE8CdNr8nOdSeLNAveBAPmuVa0JDSe20/D/RuYJLKeG9Vsq
 BZvjuGlOUsfl6UjtiGRbgS9OWpxeez5ugc9yyV+rBGIpmnIb+9quz2HmGxE65eA2
 cRNsZRIjFLzeAx/0RMaT1nlLFTBbUuZ+tJ+fgFtRGMhifZn1pb2dMQo0N7kCDQRc
 W1VuARAAv4LYaNq2Zev/v7M5DnxLpgHRcMkG7TOQpycrlK5653llpZzTy3mh5peW
 vcq3IDmdeUIJxQ+WDh2f0vS+NIKDC/HAddfHrZPbhO7zLxLcMW5KmV05ancaRSP0
 s0+IyQmvVxUNrgPinZiphlvRGoLXS6pdgfc4jIR9B2umPecfvfu/6EWFPnXZgG8K
 yY3Z+mwrmEO0FaXHBQuu6nactiPe79N4bLe8hk9RW6yIxLBeJzIoOlIcJmuRHapt
 nS2lV3mfhZdFnkAp1o6a2TL5BwgMY0wZUKZr78HEMKh6LbPN9rPepf0neUeq/k1l
 NJU7V6XMS+rezF31vgSJ5KoNGYhxtWZ54uksH2rcw7+ltpSVtqY91G/vibpRCJG3
 LdX/kxHni1NEWyZlpS/6ntuH6HSoNYsR9IMsbESs3QVCH74ApK88CxYCRB0SEo0M
 yAElbQ3bfEKCKl/FwC4IzAYAJ2arWKwBHRSJlsrNCtczrjG7j3EyJrn8+Tm5yjO6
 0THQjvc/nBxrNE09r1Lzz7jrDWC9Rl+BH6wqdniymoYyUAQsX2rZ+Jhah1Zkf+Gu
 76qtY+EH494dPM+0FazcBlgBd6/J5mh3Wk9JuecXLTEUGtzd1GmI9CENPAklCauX
 tNOWeTop27djuKWsZxuP1GyV6UYixFVOSWteyAbA32cncVv/2ZUAEQEAAYkEcgQY
 AQgAJhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcW1VuAhsCBQkDvSEAAkAJEHS7
 a5pMuz04wXQgBBkBCAAdFiEEFWiQaF6g32oTce8gF8xdsfAIhAcFAlxbVW4ACgkQ
 F8xdsfAIhAd4jxAAiO9+VRQQ3eBOsJRgANdgL/l51kq7qE3u8xnSqNkrmdYDdT2H
 TYH5W4n2AmGo50BDafdjd6tut0qtzA3/hGWCooydxKFOsnIYziUeoHvlICj3RkHO
 y7utcFhAgRWi+kzFwnnXGf13dMU9iG7yvKrCrCEw44gzoQ1KnY1Xsj18n5JkqxeT
 94bzcSbz20OpOSIMfSQPrpy18WrZYwHodcIZ3IUUACCpMZdfTa9c/qHRQ/rcwl+B
 0JlHx0V4AYiSAsiMVgflO1Eqi7apPuwxPPd5nnHkrdDM9CYC3LdBORBXwncG3oZ5
 eTSXmsvFxHXH41JHsm/1QFcVmFAYhu9qJFCGiD+8UeTFtT+nnHU69BszgtUskqX8
 k9PqLdK7Vxkp16wc6WOp1NeIQ6Fd4PxTGrPqs9bJk7TlYtTFWpA0X+EMj/San+Ku
 PxqLEa4Ab12R4vs1pCrn/g1z3C/6ujH4B70HOrRTIeTjULJ6xdwXGtwUA09hio0r
 pHhtyZhAh5irUJNto4ZOk/Qyd+dfMsNvRJfbVIK2mmeRaBnp902AsQNgYVdi2Aki
 0h4kz3bVLGw7iD/xV2hV69+JwLSijkkmOpz/EjMwj0hDDYrHH3Y3o0dV3dNdk/5i
 6lQgcxSVsl9kWlHcoEllKbf0Hb1muKVwoGGYxFYna2jsLFVjG29M7iPSgrHjmg/+
 I3fmsLZ0VI9kmxniUlZ6gz5NB5PJ3RXmwKO9LkBgE5C1wpuZbNEQ1NsR2bprlJPm
 ++GNSo8HaheuTRJn42kkOgfIJwjuvXih3FE/NtRA/W8H2uF6YLDjBKGZJbxQcmsd
 CTEuCRCVP8X7C5n3rl1YqzfWfNr8QFxvH7ivG7KOlSxvyTKcYatWb9uDUPrnr74f
 ZaMljHGsNyKj70MzZcrrsmt61yWGR0h+02rmIKlskl4hkh+qF5ehI+Bkd7eblsBy
 rxEREHq/ij2Vd7l0Z606YCE8vj8WfcsJj8JjwR3A+nND/oNJTTbQ3b8OvasvqIey
 WqqmGg73nbHjd/VIAUsfvnsEYatDk4pAA/wQr9c4T4s5Q/QRwDrAsa4J89FrDjWC
 hQBPL7TaP8Af/3Y3/86jLCN4lnW1qjPXv5rhBFeI0EVi1k1qdV06qr5HOk7CwQTT
 uc4rCdFcEnw8kVKZa/yFnlJfRa0Z4IwSahdp5fdFEuad6LpOcFFnYxWtIWhcg4GT
 RcMha/OZnsfqOqiAt6In+1IwuJBz3uMM7xw2AMaxzAejGEL63F81C5iJ6Ld6kQK+
 XblDW0G643bVbzkBb46MAT+UnLuWQUs3NDtk1FEioJyWUgbO/srMH4MoWM7rG8ZT
 nQPohNmPBrqL2phmE27HQsQ0rTjH2Z2ol7iy9OFMtT0=
 =MkGo
 -----END PGP PUBLIC KEY BLOCK-----
--- a/named-chroot.files
+++ b/named-chroot.files
@ -16,8 +16,6 @@
 /etc/named
 /usr/lib64/bind
 /usr/lib/bind
 /usr/lib64/named
 /usr/lib/named
 /usr/share/GeoIP
 /run/named
 /proc/sys/net/ipv4/ip_local_port_range
--- a/named-chroot.service
+++ b/named-chroot.service
@ -17,7 +17,7 @@ EnvironmentFile=-/etc/sysconfig/named
 Environment=KRB5_KTNAME=/etc/named.keytab
 PIDFile=/var/named/chroot/run/named/named.pid
-ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
 ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
--- a/named-pkcs11.service
+++ b/named-pkcs11.service
@ -13,7 +13,7 @@ EnvironmentFile=-/etc/sysconfig/named
 Environment=KRB5_KTNAME=/etc/named.keytab
 PIDFile=/run/named/named.pid
-ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
 ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
 ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
--- a/named.root
+++ b/named.root
@ -1,61 +1,92 @@
-
+;       This file holds the information on root name servers needed to 
-; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
+;       initialize cache of Internet domain name servers
-; (2 servers found)
+;       (e.g. reference this file in the "cache  .  <file>"
-;; global options: +cmd
+;       configuration file of BIND domain name servers). 
-;; Got answer:
+; 
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
+;       This file is made available by InterNIC 
-;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
+;       under anonymous FTP as
-
+;           file                /domain/named.cache 
-;; OPT PSEUDOSECTION:
+;           on server           FTP.INTERNIC.NET
-; EDNS: version: 0, flags:; udp: 1472
+;       -OR-                    RS.INTERNIC.NET
-;; QUESTION SECTION:
+; 
-;.				IN	NS
+;       last update:     June 24, 2021 
-
+;       related version of root zone:     2021062401
-;; ANSWER SECTION:
+; 
-.			518400	IN	NS	a.root-servers.net.
+; FORMERLY NS.INTERNIC.NET 
-.			518400	IN	NS	b.root-servers.net.
+;
-.			518400	IN	NS	c.root-servers.net.
+.                        3600000      NS    A.ROOT-SERVERS.NET.
-.			518400	IN	NS	d.root-servers.net.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
-.			518400	IN	NS	e.root-servers.net.
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
-.			518400	IN	NS	f.root-servers.net.
+; 
-.			518400	IN	NS	g.root-servers.net.
+; FORMERLY NS1.ISI.EDU 
-.			518400	IN	NS	h.root-servers.net.
+;
-.			518400	IN	NS	i.root-servers.net.
+.                        3600000      NS    B.ROOT-SERVERS.NET.
-.			518400	IN	NS	j.root-servers.net.
+B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
-.			518400	IN	NS	k.root-servers.net.
+B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
-.			518400	IN	NS	l.root-servers.net.
+; 
-.			518400	IN	NS	m.root-servers.net.
+; FORMERLY C.PSI.NET 
-
+;
-;; ADDITIONAL SECTION:
+.                        3600000      NS    C.ROOT-SERVERS.NET.
-a.root-servers.net.	518400	IN	A	198.41.0.4
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
-b.root-servers.net.	518400	IN	A	199.9.14.201
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
-c.root-servers.net.	518400	IN	A	192.33.4.12
+; 
-d.root-servers.net.	518400	IN	A	199.7.91.13
+; FORMERLY TERP.UMD.EDU 
-e.root-servers.net.	518400	IN	A	192.203.230.10
+;
-f.root-servers.net.	518400	IN	A	192.5.5.241
+.                        3600000      NS    D.ROOT-SERVERS.NET.
-g.root-servers.net.	518400	IN	A	192.112.36.4
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
-h.root-servers.net.	518400	IN	A	198.97.190.53
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
-i.root-servers.net.	518400	IN	A	192.36.148.17
+; 
-j.root-servers.net.	518400	IN	A	192.58.128.30
+; FORMERLY NS.NASA.GOV
-k.root-servers.net.	518400	IN	A	193.0.14.129
+;
-l.root-servers.net.	518400	IN	A	199.7.83.42
+.                        3600000      NS    E.ROOT-SERVERS.NET.
-m.root-servers.net.	518400	IN	A	202.12.27.33
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
-a.root-servers.net.	518400	IN	AAAA	2001:503:ba3e::2:30
+E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
-b.root-servers.net.	518400	IN	AAAA	2001:500:200::b
+; 
-c.root-servers.net.	518400	IN	AAAA	2001:500:2::c
+; FORMERLY NS.ISC.ORG
-d.root-servers.net.	518400	IN	AAAA	2001:500:2d::d
+;
-e.root-servers.net.	518400	IN	AAAA	2001:500:a8::e
+.                        3600000      NS    F.ROOT-SERVERS.NET.
-f.root-servers.net.	518400	IN	AAAA	2001:500:2f::f
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
-g.root-servers.net.	518400	IN	AAAA	2001:500:12::d0d
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
-h.root-servers.net.	518400	IN	AAAA	2001:500:1::53
+; 
-i.root-servers.net.	518400	IN	AAAA	2001:7fe::53
+; FORMERLY NS.NIC.DDN.MIL
-j.root-servers.net.	518400	IN	AAAA	2001:503:c27::2:30
+;
-k.root-servers.net.	518400	IN	AAAA	2001:7fd::1
+.                        3600000      NS    G.ROOT-SERVERS.NET.
-l.root-servers.net.	518400	IN	AAAA	2001:500:9f::42
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
-m.root-servers.net.	518400	IN	AAAA	2001:dc3::35
+G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
-
+; 
-;; Query time: 24 msec
+; FORMERLY AOS.ARL.ARMY.MIL
-;; SERVER: 198.41.0.4#53(198.41.0.4)
+;
-;; WHEN: Thu Apr 05 15:57:34 CEST 2018
+.                        3600000      NS    H.ROOT-SERVERS.NET.
-;; MSG SIZE  rcvd: 811
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
-
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
 ; 
 ; FORMERLY NIC.NORDU.NET
 ;
 .                        3600000      NS    I.ROOT-SERVERS.NET.
 I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
 I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
 ; 
 ; OPERATED BY VERISIGN, INC.
 ;
 .                        3600000      NS    J.ROOT-SERVERS.NET.
 J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
 J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
 ; 
 ; OPERATED BY RIPE NCC
 ;
 .                        3600000      NS    K.ROOT-SERVERS.NET.
 K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
 K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
 ; 
 ; OPERATED BY ICANN
 ;
 .                        3600000      NS    L.ROOT-SERVERS.NET.
 L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
 L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
 ; 
 ; OPERATED BY WIDE
 ;
 .                        3600000      NS    M.ROOT-SERVERS.NET.
 M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
 M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
 ; End of file
--- a/named.service
+++ b/named.service
@ -13,7 +13,7 @@ EnvironmentFile=-/etc/sysconfig/named
 Environment=KRB5_KTNAME=/etc/named.keytab
 PIDFile=/run/named/named.pid
-ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
 ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
--- a/setup-named-chroot.sh
+++ b/setup-named-chroot.sh
@ -10,7 +10,7 @@ usage()
  echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> [chroot.files]'
 }
-if ! [ "$#" -ge 2 ] && [ "$#" -le 3 ]; then
+if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
  echo 'Wrong number of arguments'
  usage
  exit 1
@ -34,9 +34,9 @@ dev_create()
  DEVNAME="$ROOTDIR/dev/$1"
  shift
  if ! [ -e "$DEVNAME" ]; then
-    /bin/mknod -m 0664 "$DEVNAME" "$@"
+    /bin/mknod -m 0664 "$DEVNAME" $@
    /bin/chgrp named "$DEVNAME"
-    if [ -x /usr/sbin/selinuxenabled ] && [ -x /sbin/restorecon ]; then
+    if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
      /usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
    fi
  fi
@ -78,7 +78,7 @@ mount_chroot_conf()
      else
        # Mount source is a directory. Mount it only if directory in chroot is
        # empty.
-        if [ -e "$all" ] && [ `ls -1A "$ROOTDIR$all" | wc -l` -eq 0 ]; then
+        if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
          mount --bind --make-private "$all" "$ROOTDIR$all"
        fi
      fi
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (bind-9.16.30.tar.xz) = cc9bcbedf63c2efe0a23f14db3e57fdae46f0509aac58e5840a6805ce4fbd76cad5bfde4d461442adb88c4d947f8d79bf979aeb24aeb9303b6adc8d169b7118c
+SHA512 (bind-9.18.4.tar.xz) = 5deb46f6549e42087734fe80f8cd8de8f3fa54590e4635f8c0e2e8d362f8756404e911e46d7fe1cd75f0f19217532ca402e7a5947111f16e412c8aaa754b9e16
-SHA512 (bind-9.16.30.tar.xz.asc) = 943ff140aaa413f125d039748a0c10d7ae20b0fa4075227ab0b9d065816e7960a3c4e0fb2a4498946926409568c71076026cbd0be33a78db73966366d43bfdb1
+SHA512 (bind-9.18.4.tar.xz.asc) = dfe7b24c499e6e54bc836350b73ef24deb78e1394059d75acc434512b3a60ab44708d3e1faa861be161afa0e69f789fd6b75dd881777679e4845a56f2fd6ab9a
`@ -1,2 +1,2 @@`
	`SHA512 (bind-9.16.30.tar.xz) = cc9bcbedf63c2efe0a23f14db3e57fdae46f0509aac58e5840a6805ce4fbd76cad5bfde4d461442adb88c4d947f8d79bf979aeb24aeb9303b6adc8d169b7118c`	`SHA512 (bind-9.18.4.tar.xz) = 5deb46f6549e42087734fe80f8cd8de8f3fa54590e4635f8c0e2e8d362f8756404e911e46d7fe1cd75f0f19217532ca402e7a5947111f16e412c8aaa754b9e16`
	`SHA512 (bind-9.16.30.tar.xz.asc) = 943ff140aaa413f125d039748a0c10d7ae20b0fa4075227ab0b9d065816e7960a3c4e0fb2a4498946926409568c71076026cbd0be33a78db73966366d43bfdb1`	`SHA512 (bind-9.18.4.tar.xz.asc) = dfe7b24c499e6e54bc836350b73ef24deb78e1394059d75acc434512b3a60ab44708d3e1faa861be161afa0e69f789fd6b75dd881777679e4845a56f2fd6ab9a`