diff --git a/bind-9.18-partial-additional-records.patch b/bind-9.18-partial-additional-records.patch
new file mode 100644
index 0000000..6834616
--- /dev/null
+++ b/bind-9.18-partial-additional-records.patch
@@ -0,0 +1,54 @@
+From 3f686891729c7d39d879e8b5bb1aa17d874d265d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Thu, 19 Jun 2025 19:51:43 +0200
+Subject: [PATCH] Limit number of additional records fetched
+
+Limit number of started fetches for additional zone instead of doing
+none. Keep limit of NS filled with additional records, but present at
+least some if possible.
+
+Might help broken implementations relying on receiving addresses in the
+response for NS query in authoritative zone.
+---
+ lib/dns/rdataset.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
+index 532e49a..bfa8e37 100644
+--- a/lib/dns/rdataset.c
++++ b/lib/dns/rdataset.c
+@@ -581,6 +581,7 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ size_t limit) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
++ size_t n = 0;
+
+ /*
+ * For each rdata in rdataset, call 'add' for each name and type in the
+@@ -590,10 +591,6 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+
+- if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
+- return DNS_R_TOOMANYRECORDS;
+- }
+-
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS) {
+ return result;
+@@ -603,7 +600,11 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_additionaldata(&rdata, owner_name, add, arg);
+ if (result == ISC_R_SUCCESS) {
+- result = dns_rdataset_next(rdataset);
++ if (limit != 0 && ++n >= limit) {
++ result = DNS_R_TOOMANYRECORDS;
++ } else {
++ result = dns_rdataset_next(rdataset);
++ }
+ }
+ dns_rdata_reset(&rdata);
+ } while (result == ISC_R_SUCCESS);
+--
+2.50.1
+
diff --git a/bind.spec b/bind.spec
index 910ddb4..8fc94bc 100644
--- a/bind.spec
+++ b/bind.spec
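Review bot: In the last hunk of the embedded rdataset.c patch, `if (limit != 0 && ++n >= limit)` fires as soon as the `limit`-th rdata has been processed, even when no further rdata exists, so an rdataset holding exactly `limit` records now ends with DNS_R_TOOMANYRECORDS where the removed `dns_rdataset_count(rdataset) > limit` check let it through. Advancing first and testing the counter only when another record is pending keeps the old boundary: `result = dns_rdataset_next(rdataset);` followed by `if (result == ISC_R_SUCCESS && limit != 0 && ++n >= limit) { result = DNS_R_TOOMANYRECORDS; }`. Because `limit` is the bound on how much additional-section work one rdataset can trigger, the function comment should also state that on DNS_R_TOOMANYRECORDS up to `limit` rdata have already been handed to `add`, whereas before none had been. Callers that treat that result as "nothing was added" are not visible here and need checking, and the function's signature and final return lie outside the hunks shown.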
@@ -80,7 +80,7 @@ License: MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause # Before rebasing bind, ensure bind-dyndb-ldap is ready to be rebuild and use side-tag with it. # Updating just bind will cause freeipa-dns-server package to be uninstallable. Version: 9.18.33 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -134,6 +134,8 @@ Patch31: bind-9.18-pkcs11-provider.patch Patch32: bind-9.21-resume-qmin-cname.patch # downstream only, extra check for above change, RHEL-30407 Patch33: bind-9.18-query-fname-relative.patch +# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10611 +Patch34: bind-9.18-partial-additional-records.patch %{?systemd_ordering} # https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers @@ -919,6 +921,9 @@ fi; %endif %changelog +* Fri Jun 20 2025 Petr Menšík - 32:9.18.33-6 +- Change additional NS to be served partially (RHEL-84006) + * Tue Jun 10 2025 Petr Menšík - 32:9.18.33-5 - Backport support for OpenSSL provider required for PKCS11 labels